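---
# PostgreSQL TLS setup: hook an optional tls.conf into postgresql.conf, create a
# private directory for key material, deploy an ECC P-384 certificate plus DH
# parameters, then render tls.conf from postgresql_tls_config.
#
# Expected in scope (not defined here): postgresql_conf_dir, postgresql_tls_dir,
# postgresql_user, postgresql_group, postgresql_dhparam_file,
# postgresql_tls_config, the `certs` and `ca` roles, and a `restart postgresql`
# handler.

# `include_if_exists` keeps the server bootable while tls.conf is absent (e.g. the
# certs role's post_hook restarts postgresql before the template task below has
# run). The flip side: if tls.conf is ever removed, postgresql silently starts
# without these TLS settings, so verify the effective configuration rather than
# this file alone. PostgreSQL resolves a relative include path against the
# directory holding postgresql.conf, which is where tls.conf is rendered below.
- name: include optional tls config in default postgres config
  lineinfile:
    path: "{{ postgresql_conf_dir }}/postgresql.conf"
    line: "include_if_exists 'tls.conf'"
    create: false  # fail loudly if postgresql.conf is missing instead of fabricating one
  notify: restart postgresql

# 0700 on the directory: the private key and DH parameters stored here must not
# be readable by other local accounts; everything is owned by the service account.
- name: create tls directory for holding certs
  file:
    path: "{{ postgresql_tls_dir }}"
    state: directory
    mode: "0700"
    owner: "{{ postgresql_user }}"
    group: "{{ postgresql_group }}"

# `certs` role (external): issues the ECC cert, key and chain into the tls dir.
# post_hook presumably runs on (re)issue so the server picks up a renewed
# certificate — confirm the role's contract before relying on it for rotation.
# NOTE(review): nesting recovered from a collapsed file; confirm post_hook,
# owner and group belong inside `certs` rather than beside it.
- name: deploy ecc384 cert
  include_role:
    name: certs
  vars:
    certs:
      cert: "{{ postgresql_tls_dir }}/ecc384.crt"
      key: "{{ postgresql_tls_dir }}/ecc384.key"
      chain: "{{ postgresql_tls_dir }}/root.crt"
      ecc: true
      post_hook: service postgresql restart
      owner: "{{ postgresql_user }}"
      group: "{{ postgresql_group }}"

# `ca` role (external), dhparams function. remote_gen: false presumably means the
# parameters are produced on the controller and copied rather than generated on
# the target; verify against the role.
# NOTE(review): nesting recovered from a collapsed file; confirm remote_gen is a
# role-level var and not a key of dh_params.
- name: generate dh params
  include_role:
    name: ca
  vars:
    function: dhparams
    dh_params:
      path: "{{ postgresql_tls_dir }}/{{ postgresql_dhparam_file }}"
      mode: "0400"
      owner: "{{ postgresql_user }}"
      group: "{{ postgresql_group }}"
    remote_gen: false

# Rendered from postgresql_tls_config. force: true re-renders on every run, so
# manual edits on the host are overwritten; the file is read-only for the
# service account.
- name: template tls config
  template:
    src: postgresql.j2
    dest: "{{ postgresql_conf_dir }}/tls.conf"
    force: true
    mode: "0400"
    owner: "{{ postgresql_user }}"
    group: "{{ postgresql_group }}"
    lstrip_blocks: true
  notify: restart postgresql
  vars:
    config: "{{ postgresql_tls_config }}"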