From af2f3f397c955ee3212a598fe388a06256235008 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Tue, 21 Nov 2017 18:06:23 +0100
Subject: [PATCH] postgresql: Fix the letsencrypt and ssl tasks so that ssl can be disabled.
---
 postgresql/defaults/main.yml | 17 +++++++++-----
 postgresql/files/pgpool-letsencrypt-acme.sh | 2 --
 .../files/postgresql-letsencrypt-acme.sh | 2 --
 postgresql/tasks/main.yml | 2 --
 .../tasks/pgpool-letsencrypt-acmetool.yml | 20 +++++++++++------
 .../tasks/postgresql-letsencrypt-acmetool.yml | 22 ++++++++++++-------
 postgresql/tasks/postgresql-ssl-config.yml | 18 ++++++++++++---
 7 files changed, 54 insertions(+), 29 deletions(-)
diff --git a/postgresql/defaults/main.yml b/postgresql/defaults/main.yml
index 2c46becf..cde0ff4f 100644
--- a/postgresql/defaults/main.yml
+++ b/postgresql/defaults/main.yml
@@ -62,12 +62,19 @@ psql_autovacuum_configuration:
 # SSL as a special case
 psql_enable_ssl: False
 psql_force_ssl_client_connection: False
-postgresql_letsencrypt_managed: True
-psql_conf_ssl_parameters:
+postgresql_letsencrypt_managed: '{{ psql_enable_ssl }}'
+psql_ssl_privkey_global_file: '/var/lib/acme/live/{{ ansible_fqdn }}/privkey'
+psql_ssl_privkey_file: /etc/pki/postgresql/postgresql.key
+psql_ssl_cert_file: '/var/lib/acme/live/{{ ansible_fqdn }}/cert'
+psql_ssl_ca_file: '/var/lib/acme/live/{{ ansible_fqdn }}/chain'
+psql_conf_ssl_parameters:
 - { name: 'ssl', value: 'true' }
- - { name: 'ssl_cert_file', value: '/var/lib/acme/live/{{ ansible_fqdn }}/cert' }
- - { name: 'ssl_key_file', value: '/etc/pki/postgresql/postgresql.key' }
- - { name: 'ssl_ca_file', value: '/var/lib/acme/live/{{ ansible_fqdn }}/chain' }
+ - { name: 'ssl_cert_file', value: '{{ psql_ssl_cert_file }}' }
+ - { name: 'ssl_key_file', value: '{{ psql_ssl_privkey_path }}' }
+ - { name: 'ssl_ca_file', value: '{{ psql_ssl_ca_file }}' }
+
+psql_conf_disable_ssl_parameters:
+ - { name: 'ssl', value: 'false' }

 psql_set_shared_memory: False
 psql_sysctl_file: 30-postgresql-shm.conf
diff --git a/postgresql/files/pgpool-letsencrypt-acme.sh b/postgresql/files/pgpool-letsencrypt-acme.sh
index 3409f27e..38ac48b9 100644
--- a/postgresql/files/pgpool-letsencrypt-acme.sh
+++ b/postgresql/files/pgpool-letsencrypt-acme.sh
@@ -26,10 +26,8 @@ chgrp postgres ${PGPOOL2_KEYFILE}
 echo "Reload the pgpool2 service" >> $LE_LOG_DIR/pgpool2.log
 if [ -x /bin/systemctl ] ; then
- sleep $RANDOM
 systemctl reload pgpool2 >> $LE_LOG_DIR/pgpool2.log 2>&1
 else
- sleep $RANDOM
 service pgpool2 reload >> $LE_LOG_DIR/pgpool2.log 2>&1
 fi
diff --git a/postgresql/files/postgresql-letsencrypt-acme.sh b/postgresql/files/postgresql-letsencrypt-acme.sh
index bfacd724..a3c227ea 100644
--- a/postgresql/files/postgresql-letsencrypt-acme.sh
+++ b/postgresql/files/postgresql-letsencrypt-acme.sh
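Review bot: `psql_conf_ssl_parameters` references `{{ psql_ssl_privkey_path }}`, but the variable introduced a few lines above is `psql_ssl_privkey_file` (the name postgresql-ssl-config.yml also uses), so with `psql_enable_ssl: True` the SSL configuration task will stop on an undefined-variable error rather than write the key path into postgresql.conf. Change it to `- { name: 'ssl_key_file', value: '{{ psql_ssl_privkey_file }}' }`. Note also that `postgresql_letsencrypt_managed` now defaults to `psql_enable_ssl`, so an operator who enables SSL with a certificate that is not issued by acmetool has to set it to False explicitly, otherwise the acme hook is installed and presumably overwrites the key copy at renewal; a one-line comment on the variable saying so would save that surprise.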
@@ -26,10 +26,8 @@ chgrp postgres ${POSTGRESQL_KEYFILE}
 echo "Restart the postgresql service" >> $LE_LOG_DIR/postgresql.log
 if [ -x /bin/systemctl ] ; then
- sleep $RANDOM
 systemctl restart postgresql >> $LE_LOG_DIR/postgresql.log 2>&1
 else
- sleep $RANDOM
 service postgresql restart >> $LE_LOG_DIR/postgresql.log 2>&1
 fi
diff --git a/postgresql/tasks/main.yml b/postgresql/tasks/main.yml
index 91a94b02..f44fba2c 100644
--- a/postgresql/tasks/main.yml
+++ b/postgresql/tasks/main.yml
@@ -32,11 +32,9 @@ when: psql_pgpool_service_install
 - include: postgresql-letsencrypt-acmetool.yml
 when:
- - postgresql_letsencrypt_managed
 - letsencrypt_acme_install is defined
 - include: pgpool-letsencrypt-acmetool.yml
 when:
- - pgpool_letsencrypt_managed
 - letsencrypt_acme_install is defined
diff --git a/postgresql/tasks/pgpool-letsencrypt-acmetool.yml b/postgresql/tasks/pgpool-letsencrypt-acmetool.yml
index f19b99b5..627e6e67 100644
--- a/postgresql/tasks/pgpool-letsencrypt-acmetool.yml
+++ b/postgresql/tasks/pgpool-letsencrypt-acmetool.yml
@@ -1,17 +1,23 @@
 ---
-- name: Create the acme hooks directory if it does not yet exist
- file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
+- block:
+ - name: Create the acme hooks directory if it does not yet exist
+ file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
+
+ - name: Install a script that fix the letsencrypt certificate for pgpool and then reloads the service
+ copy: src=pgpool-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/pgpool owner=root group=root mode=4555
+
 when:
 - psql_pgpool_service_install
 - pgpool_letsencrypt_managed
 - letsencrypt_acme_install
 tags: [ 'postgresql', 'postgres', 'pgpool', 'letsencrypt' ]

-- name: Install a script that fix the letsencrypt certificate for pgpool and then reloads the service
- copy: src=pgpool-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/pgpool owner=root group=root mode=4555
+
+- block:
+ - name: Remove the letsencrypt hook for pgpool
+ file: dest=/usr/lib/acme/hooks/pgpool state=absent
+
 when:
 - psql_pgpool_service_install
- - pgpool_letsencrypt_managed
- - letsencrypt_acme_install
+ - not pgpool_letsencrypt_managed
 tags: [ 'postgresql', 'postgres', 'pgpool', 'letsencrypt' ]
-
diff --git a/postgresql/tasks/postgresql-letsencrypt-acmetool.yml b/postgresql/tasks/postgresql-letsencrypt-acmetool.yml
index 2f9a3ac2..8531a461 100644
--- a/postgresql/tasks/postgresql-letsencrypt-acmetool.yml
+++ b/postgresql/tasks/postgresql-letsencrypt-acmetool.yml
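Review bot: The new removal task hard-codes `/usr/lib/acme/hooks/pgpool`, while the install task a few lines above writes the hook to `{{ letsencrypt_acme_services_scripts_dir }}/pgpool`; if that variable points anywhere else, setting `pgpool_letsencrypt_managed` to False leaves the old root-owned hook in place and acmetool keeps running it (re-copying the private key and reloading pgpool) at every renewal. Use the same variable: `file: dest={{ letsencrypt_acme_services_scripts_dir }}/pgpool state=absent`. Separately, `mode=4555` on the copied script sets the set-uid bit, which Linux does not honour on interpreted files; presumably `0755` was intended, since the hook is root-owned and is expected to be run by acmetool as root anyway — worth confirming and dropping the misleading bit.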
@@ -1,15 +1,21 @@
 ---
-- name: Create the acme hooks directory if it does not yet exist
- file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
+- block:
+ - name: Create the acme hooks directory if it does not yet exist
+ file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
+
+ - name: Install a script that fix the letsencrypt certificate for postgresql and then restarts the service
+ copy: src=postgresql-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/postgresql owner=root group=root mode=4555
+
 when:
 - postgresql_letsencrypt_managed
 - letsencrypt_acme_install
 tags: [ 'postgresql', 'postgres', 'letsencrypt' ]

-- name: Install a script that fix the letsencrypt certificate for postgresql and then restarts the service
- copy: src=postgresql-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/postgresql owner=root group=root mode=4555
- when:
- - postgresql_letsencrypt_managed
- - letsencrypt_acme_install
- tags: [ 'postgresql', 'postgres', 'letsencrypt' ]
+- block:
+ - name: Remove the letsencrypt certificate hook for postgresql
+ file: dest=/usr/lib/acme/hooks/postgresql state=absent
+
+ when:
+ - not postgresql_letsencrypt_managed
+ tags: [ 'postgresql', 'postgres', 'letsencrypt' ]
diff --git a/postgresql/tasks/postgresql-ssl-config.yml b/postgresql/tasks/postgresql-ssl-config.yml
index 4c0fba9e..d7fbfb32 100644
--- a/postgresql/tasks/postgresql-ssl-config.yml
+++ b/postgresql/tasks/postgresql-ssl-config.yml
@@ -1,6 +1,6 @@
 ---
 - block:
- - name: Setup ssl in the postgresql configuration
+ - name: Setup SSL in the postgresql configuration
 become: True
 become_user: postgres
 action: configfile path=/etc/postgresql/{{ psql_version }}/main/postgresql.conf key={{ item.name }} value="'{{ item.value }}'"
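Review bot: The removal block deletes a hard-coded `/usr/lib/acme/hooks/postgresql`, but the install block above writes the hook to `{{ letsencrypt_acme_services_scripts_dir }}/postgresql`; if the variable is overridden, disabling `postgresql_letsencrypt_managed` silently leaves a hook that will keep restarting postgresql and re-copying the private key on every renewal. Use the same path in both: `file: dest={{ letsencrypt_acme_services_scripts_dir }}/postgresql state=absent`. The `mode=4555` on the installed script also deserves a second look — the set-uid bit is ignored by Linux on scripts, and since the file is root-owned and presumably executed by acmetool as root, `0755` expresses the intent without the misleading bit.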
@@ -11,7 +11,19 @@
 file: dest=/etc/pki/postgresql state=directory owner=postgres group=postgres mode=0750

 - name: Create a postgres accessible ssl key file if it does not exist
- copy: src=/var/lib/acme/live/{{ ansible_fqdn }}/privkey dest=/etc/pki/postgresql/postgresql.key owner=postgres group=postgres mode=0400 remote_src=True
+ copy: src={{ psql_ssl_privkey_global_file }} dest={{ psql_ssl_privkey_file }} owner=postgres group=postgres mode=0400 remote_src=True
 when: psql_enable_ssl
- tags: [ 'postgresql', 'postgres', 'pg_conf' ]
+ tags: [ 'postgresql', 'postgres', 'pg_ssl_conf', 'pg_conf' ]
+
+
+- block:
+ - name: Disable SSL in the postgresql configuration
+ become: True
+ become_user: postgres
+ action: configfile path=/etc/postgresql/{{ psql_version }}/main/postgresql.conf key={{ item.name }} value="'{{ item.value }}'"
+ with_items: '{{ psql_conf_disable_ssl_parameters }}'
+ notify: Restart postgresql
+
+ when: not psql_enable_ssl
+ tags: [ 'postgresql', 'postgres', 'pg_ssl_conf', 'pg_conf' ]
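Review bot: Disabling SSL only flips `ssl` to `false`; the private-key copy that the task above places at `{{ psql_ssl_privkey_file }}` (owner postgres, mode 0400) stays on disk, and `ssl_cert_file`/`ssl_key_file`/`ssl_ca_file` remain in postgresql.conf pointing at the acme paths. If the intent is to retire TLS on a host rather than just pause it, add to the disable block `- name: Remove the postgres copy of the ssl private key` / `file: dest={{ psql_ssl_privkey_file }} state=absent` so a stale copy of the key is not left behind for a now-unused service, and consider clearing the three file parameters for the same reason. A short comment on the block stating whether the key is intentionally kept (e.g. to allow re-enabling without another acme run) would settle the question either way; the enclosing SSL-setup block starts before this hunk.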