puppet: Support setting an ssl_mode verification level.

docs/production/deployment.md

@@ -712,6 +712,15 @@ client connections.
 Set to the path to the PEM-encoded private key used to secure client
 connections.
 
+#### `ssl_mode`
+
+The mode that should be used to verify the server certificate. The
+PostgreSQL default is `prefer`, which provides no security benefit; we
+strongly suggest setting this to `require` or better if you are using
+certificate authentication. See the [PostgreSQL
+documentation](https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-SSLMODE-STATEMENTS)
+for potential values.
+
 #### `version`
 
 The version of PostgreSQL that is in use. Do not set by hand; use the

puppet/zulip/manifests/profile/postgresql.pp

@@ -21,6 +21,7 @@ class zulip::profile::postgresql {
   $ssl_cert_file = zulipconf('postgresql', 'ssl_cert_file', undef)
   $ssl_key_file = zulipconf('postgresql', 'ssl_key_file', undef)
   $ssl_ca_file = zulipconf('postgresql', 'ssl_ca_file', undef)
+  $ssl_mode = zulipconf('postgresql', 'ssl_mode', undef)
 
   file { $zulip::postgresql_base::postgresql_confdirs:
     ensure => directory,

puppet/zulip/templates/postgresql/12/postgresql.conf.template.erb

@@ -796,6 +796,7 @@ restore_command = '/usr/local/bin/env-wal-g wal-fetch "%f" "%p"'
 <% if @replication_primary != '' && @replication_user != '' -%>
 primary_conninfo = 'host=<%= @replication_primary %> user=<%= @replication_user -%>
 <% if @replication_password != '' %> password=<%= @replication_password %><% end -%>
+<% if @ssl_mode != '' %> sslmode=<%= @ssl_mode %><% end -%>
 '
 <% end -%>
 <% end -%>

puppet/zulip/templates/postgresql/13/postgresql.conf.template.erb

@@ -827,6 +827,7 @@ restore_command = '/usr/local/bin/env-wal-g wal-fetch "%f" "%p"'
 <% if @replication_primary != '' && @replication_user != '' -%>
 primary_conninfo = 'host=<%= @replication_primary %> user=<%= @replication_user -%>
 <% if @replication_password != '' %> password=<%= @replication_password %><% end -%>
+<% if @ssl_mode != '' %> sslmode=<%= @ssl_mode %><% end -%>
 '
 <% end -%>
 <% end -%>

puppet/zulip/templates/postgresql/14/postgresql.conf.template.erb

@@ -848,6 +848,7 @@ restore_command = '/usr/local/bin/env-wal-g wal-fetch "%f" "%p"'
 <% if @replication_primary != '' && @replication_user != '' -%>
 primary_conninfo = 'host=<%= @replication_primary %> user=<%= @replication_user -%>
 <% if @replication_password != '' %> password=<%= @replication_password %><% end -%>
+<% if @ssl_mode != '' %> sslmode=<%= @ssl_mode %><% end -%>
 '
 <% end -%>
 <% end -%>

puppet/zulip/templates/postgresql/recovery.conf.template.erb

@@ -4,5 +4,6 @@ recovery_target_timeline = 'latest'
 <% if @replication_primary != '' && @replication_user != '' -%>
 primary_conninfo = 'host=<%= @replication_primary %> user=<%= @replication_user -%>
 <% if @replication_password != '' %> password=<%= @replication_password %><% end -%>
+<% if @ssl_mode != '' %> sslmode=<%= @ssl_mode %><% end -%>
 '
 <% end -%>