OP-25 Implement Lego to create ACME certificates for PostgreSQL #36
Pull request overview
This PR implements Lego as an ACME client service to automate certificate generation and renewal for PostgreSQL and other services, with support for both standalone and Caddy-based HTTP-01 challenge handling. The implementation includes full TLS/SSL configuration for PostgreSQL connections and replication, as well as updates to Authentik to use encrypted database connections.
Key Changes
- New `lego` Ansible role providing ACME certificate management with systemd timer-based renewals
- PostgreSQL role updated to support TLS with ACME certificates, including encrypted replication connections
- Authentik configured to use SSL/TLS for PostgreSQL connections with certificate validation
Reviewed changes
Copilot reviewed 35 out of 35 changed files in this pull request and generated 21 comments.
| File | Description |
|---|---|
| roles/lego/* | New role implementing Lego ACME client with configurable standalone/Caddy modes, systemd service/timer units, and firewall rules |
| roles/postgresql/templates/postgresql.conf.jinja | Added conditional TLS configuration with certificate paths and minimum TLS 1.3 protocol |
| roles/postgresql/templates/pg_hba.conf.jinja | Updated replication host entries to use hostssl when TLS is enabled |
| roles/postgresql/templates/lego.sh.jinja | New hook script to deploy certificates to PostgreSQL data directory and reload service |
| roles/postgresql/templates/lego.conf.jinja | Configuration file specifying domains (FQDN + IP addresses) for certificate generation |
| roles/postgresql/tasks/configure.yaml | Added tasks to create Lego directories and deploy configuration files |
| roles/postgresql/tasks/service.yaml | Enabled Lego timer for automatic certificate renewal |
| roles/postgresql/tasks/firewall.yaml | Fixed syntax error in firewall rule label |
| roles/postgresql/handlers/main.yaml | Added handler to trigger Lego certificate renewal |
| roles/postgresql/defaults/main.yaml | Added TLS configuration variables |
| roles/postgresql/files/postgresql | Unused/redundant file that should be removed |
| roles/postgresql/README.md | Documented new postgresql_tls_enabled variable |
| roles/caddy/templates/Caddyfile.jinja | Added safety check for undefined caddy_auto_https variable |
| roles/caddy/defaults/main.yaml | Removed default empty value for caddy_auto_https (breaking change) |
| roles/authentik/templates/environment.jinja | Added SSL mode and root certificate configuration for PostgreSQL connections |
| roles/authentik/templates/authentik-*.service.jinja | Added conditional volume mount for SSL certificates |
| roles/authentik/defaults/main.yaml | Added authentik_ssl_path variable and updated SSL certificate documentation |
| plays/authentik.yaml | Added fact gathering from CA hosts and reordered roles to install Lego before PostgreSQL |
| plays/group_vars/authentik.yaml | Configured Lego and PostgreSQL TLS settings with hostssl entries |
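A renew hook of the kind the lego.sh.jinja entry in the review table describes, written here as an added example and not the PR's own template. It assumes lego's hook environment (LEGO_CERT_PATH, LEGO_CERT_KEY_PATH), plus the assumed variables PGDATA, PG_OWNER and PG_RELOAD_CMD; the point is that the key lands in the data directory with the mode PostgreSQL insists on and that the server is reloaded rather than restarted.

```shell
#!/bin/sh
# Added example (not the PR's lego.sh.jinja): install a lego-issued certificate
# into the PostgreSQL data directory and reload the server.
# LEGO_CERT_PATH / LEGO_CERT_KEY_PATH are set by lego for --run-hook/--renew-hook;
# PGDATA, PG_OWNER and PG_RELOAD_CMD are assumptions for this example.
set -eu

# deploy_pg_cert CERT KEY PGDATA [OWNER] [RELOAD_CMD]
# Copies the pair in as server.crt / server.key. PostgreSQL refuses a key that is
# group- or world-readable, so the key is written 0600 and the cert 0644.
deploy_pg_cert() {
    cert="$1"; key="$2"; pgdata="$3"
    owner="${4:-}"; reload_cmd="${5:-systemctl reload postgresql}"

    # Refuse a half-issued pair: both files must exist and be non-empty.
    [ -s "$cert" ] && [ -s "$key" ] || { echo "cert or key missing" >&2; return 1; }
    [ -d "$pgdata" ] || { echo "PGDATA $pgdata is not a directory" >&2; return 1; }

    # Write under temporary names, then rename, so a reload never sees a partial file.
    umask 077
    cp "$cert" "$pgdata/server.crt.tmp"
    cp "$key"  "$pgdata/server.key.tmp"
    chmod 0644 "$pgdata/server.crt.tmp"
    chmod 0600 "$pgdata/server.key.tmp"
    if [ -n "$owner" ]; then
        chown "$owner:$owner" "$pgdata/server.crt.tmp" "$pgdata/server.key.tmp"
    fi
    mv "$pgdata/server.crt.tmp" "$pgdata/server.crt"
    mv "$pgdata/server.key.tmp" "$pgdata/server.key"

    # Reload, not restart: new connections get the new cert, existing sessions survive.
    sh -c "$reload_cmd"
}

# When lego invokes this script as a hook, the environment supplies the paths.
if [ -n "${LEGO_CERT_PATH:-}" ] && [ -n "${LEGO_CERT_KEY_PATH:-}" ]; then
    deploy_pg_cert "$LEGO_CERT_PATH" "$LEGO_CERT_KEY_PATH" \
        "${PGDATA:-/var/lib/postgresql/data}" "${PG_OWNER:-postgres}" \
        "${PG_RELOAD_CMD:-systemctl reload postgresql}"
fi
```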
8959fcf to 8abe9ba
Implement Lego as a service (with support for standalone or Caddy-based operations) to send requests to the internal Certificate Authority to generate certificates matching the host's name and IP addresses. The lego role will manage the creation and renewal of the certificates, while the postgresql role will create the configuration for lego and set up the trigger for checks and renewals. Lego was chosen for support for RFC8738, which allows IP addresses to be validated against by the ACME server, and its simpler dependencies, and recommended install process.
8abe9ba to 94b96bf
Implement Lego as a service (with support for standalone or Caddy-based operations) to submit requests to the internal Certificate Authority to generate certificates that match the host name and IP addresses.
The `lego` role will manage the creation and renewal of the certificates, while the `postgresql` role will create the configuration for Lego and set up the trigger for checks and renewals. Lego was chosen for support for RFC8738, which allows IP addresses to be validated against by the ACME server, and its simpler dependencies, and recommended install process.
Also, update all relevant PostgreSQL and Authentik configurations to use encrypted connections to the databases, both for access and replication.
Checklist
Before raising this Pull Request, please review the `CONTRIBUTING.md` document for guidance on how best to work with this repository and its code. Additionally, please review and confirm the following items have been performed, where possible:
- `release/...` and `{update,type}/...` labels to this PR