- name: postgresql SSL - create database
  become_user: '{{ pg_user }}'
  become: true
  postgresql_db:
    name: '{{ ssl_db }}'

- name: postgresql SSL - create role
  become_user: '{{ pg_user }}'
  become: true
  postgresql_user:
    name: '{{ ssl_user }}'
    role_attr_flags: SUPERUSER
    password: '{{ ssl_pass }}'

- name: postgresql SSL - install openssl
  become: true
  package: name=openssl state=present

- name: postgresql SSL - create certs 1
  become_user: root
  become: true
  shell: openssl req -new -nodes -text -out ~{{ pg_user }}/root.csr \ -keyout ~{{ pg_user }}/root.key -subj "/CN=localhost.local"

- name: postgresql SSL - create certs 2
  become_user: root
  become: true
  shell: openssl x509 -req -in ~{{ pg_user }}/root.csr -text -days 3650 \ -extensions v3_ca -signkey ~{{ pg_user }}/root.key -out ~{{ pg_user }}/root.crt

- name: postgresql SSL - create certs 3
  become_user: root
  become: true
  shell: openssl req -new -nodes -text -out ~{{ pg_user }}/server.csr \ -keyout ~{{ pg_user }}/server.key -subj "/CN=localhost.local"

- name: postgresql SSL - create certs 4
  become_user: root
  become: true
  shell: openssl x509 -req -in ~{{ pg_user }}/server.csr -text -days 365 \ -CA ~{{ pg_user }}/root.crt -CAkey ~{{ pg_user }}/root.key -CAcreateserial -out server.crt

- name: postgresql SSL - set right permissions to files
  become_user: root
  become: true
  file:
    path: '{{ item }}'
    mode: '0600'
    owner: '{{ pg_user }}'
    group: '{{ pg_user }}'
  with_items:
  - ~{{ pg_user }}/root.key
  - ~{{ pg_user }}/server.key
  - ~{{ pg_user }}/root.crt
  - ~{{ pg_user }}/server.csr

- name: postgresql SSL - enable SSL
  become_user: '{{ pg_user }}'
  become: true
  postgresql_set:
    login_user: '{{ pg_user }}'
    db: postgres
    name: ssl
    value: true

- name: postgresql SSL - reload PostgreSQL to enable ssl on
  become: true
  service:
    name: '{{ postgresql_service }}'
    state: reloaded