diff --git a/install/valkey-install.sh b/install/valkey-install.sh
index d855eac5bb7..22714e305fe 100644
--- a/install/valkey-install.sh
+++ b/install/valkey-install.sh
@@ -32,10 +32,53 @@ echo "# Memory-optimized settings for small-scale deployments" >> /etc/valkey/va
 echo "maxmemory ${MAXMEMORY_MB}mb" >> /etc/valkey/valkey.conf
 echo "maxmemory-policy allkeys-lru" >> /etc/valkey/valkey.conf
 echo "maxmemory-samples 10" >> /etc/valkey/valkey.conf
+msg_ok "Installed Valkey"
+
+read -r -p "${TAB3}Would you like to enable TLS for Valkey (Note: sentinel mode does not support TLS)? [y/N]: " prompt
+if [[ ${prompt,,} =~ ^(y|yes)$ ]]; then
+ read -r -p "${TAB3}Would you like Valkey to listen only on TLS (disable TCP port 6379)? [y/N]: " tls_only
+ msg_info "Configuring TLS for Valkey..."
+ TLS_DIR="/etc/valkey/tls"
+ mkdir -p "$TLS_DIR"
+ chown valkey:valkey "$TLS_DIR"
+ chmod 750 "$TLS_DIR"
+
+ openssl req -x509 -nodes -newkey rsa:2048 -days 3650 \
+ -subj "/CN=$(hostname)" \
+ -keyout "$TLS_DIR/valkey.key" \
+ -out "$TLS_DIR/valkey.crt" \
+ >/dev/null 2>&1
+
+ chown valkey:valkey "$TLS_DIR"/valkey.{crt,key}
+ chmod 640 "$TLS_DIR/valkey.crt"
+ chmod 600 "$TLS_DIR/valkey.key"
+
+ if [[ ${tls_only,,} =~ ^(y|yes)$ ]]; then
+ {
+ echo ""
+ echo "# TLS configuration generated by Proxmox VE Valkey helper-script"
+ echo "port 0"
+ echo "tls-port 6379"
+ echo "tls-cert-file $TLS_DIR/valkey.crt"
+ echo "tls-key-file $TLS_DIR/valkey.key"
+ echo "tls-auth-clients no"
+ } >> /etc/valkey/valkey.conf
+ msg_ok "Enabled TLS-only mode on port 6379"
+ else
+ {
+ echo ""
+ echo "# TLS configuration generated by Proxmox VE Valkey helper-script"
+ echo "tls-port 6380"
+ echo "tls-cert-file $TLS_DIR/valkey.crt"
+ echo "tls-key-file $TLS_DIR/valkey.key"
+ echo "tls-auth-clients no"
+ } >> /etc/valkey/valkey.conf
+ msg_ok "Enabled TLS on port 6380 and TCP on 6379"
+ fi
+fi
 systemctl enable -q --now valkey-server
 systemctl restart valkey-server
-msg_ok "Installed Valkey"
 motd_ssh
 customize
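Review bot: The `openssl req` call that generates the key pair discards both stdout and stderr and its exit status is never checked, so if generation fails (openssl missing, `$TLS_DIR` not writable) the script still appends `tls-cert-file`/`tls-key-file` lines pointing at files that do not exist, and the later `systemctl restart valkey-server` fails with no indication why. Replace the trailing `>/dev/null 2>&1` with `>/dev/null || { printf '%s\n' "Failed to generate Valkey TLS key pair in $TLS_DIR" >&2; exit 1; }` so openssl's own error stays visible and the config is not written in a broken state; the subsequent `chown`/`chmod` lines then only run on files that exist. Both generated config blocks set `tls-auth-clients no`, which means the self-signed certificate provides transport encryption and server identity only, not client authentication, and clients will have to trust `valkey.crt` explicitly since it is not CA-issued — a comment in the emitted block such as `# Self-signed cert: clients must trust valkey.crt; client certificates are not required` would make that explicit to operators reading valkey.conf later.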