Add optional TLS setup to Valkey installer (#9789)

2025-12-13 00:35:11 -08:00 · 2025-12-13 00:35:11 -08:00 · 02911dc07c
commit 02911dc07c
parent 1bb3837646
1 changed files with 37 additions and 1 deletions
--- a/install/valkey-install.sh
+++ b/install/valkey-install.sh
@ -32,10 +32,46 @@ echo "# Memory-optimized settings for small-scale deployments" >> /etc/valkey/va
 echo "maxmemory ${MAXMEMORY_MB}mb" >> /etc/valkey/valkey.conf
 echo "maxmemory-policy allkeys-lru" >> /etc/valkey/valkey.conf
 echo "maxmemory-samples 10" >> /etc/valkey/valkey.conf
+msg_ok "Installed Valkey"
+
+echo
+read -r -p "${TAB3}Enable TLS for Valkey (Sentinel mode does not supported)? [y/N]: " prompt
+if [[ ${prompt,,} =~ ^(y|yes)$ ]]; then
+    read -r -p "${TAB3}Use TLS-only mode (disable TCP port 6379)? [y/N]: " tls_only
+    msg_info "Configuring TLS for Valkey..."
+
+    create_self_signed_cert "Valkey"
+    TLS_DIR="/etc/ssl/valkey"
+    TLS_CERT="$TLS_DIR/valkey.crt"
+    TLS_KEY="$TLS_DIR/valkey.key"
+    chown valkey:valkey "$TLS_CERT" "$TLS_KEY"
+
+    if [[ ${tls_only,,} =~ ^(y|yes)$ ]]; then
+    {
+      echo ""
+      echo "# TLS configuration generated by Proxmox VE Valkey helper-script"
+      echo "port 0"
+      echo "tls-port 6379"
+      echo "tls-cert-file $TLS_DIR/valkey.crt"
+      echo "tls-key-file $TLS_DIR/valkey.key"
+      echo "tls-auth-clients no"
+    } >> /etc/valkey/valkey.conf
+    msg_ok "Enabled TLS-only mode on port 6379"
+    else
+    {
+      echo ""
+      echo "# TLS configuration generated by Proxmox VE Valkey helper-script"
+      echo "tls-port 6380"
+      echo "tls-cert-file $TLS_DIR/valkey.crt"
+      echo "tls-key-file $TLS_DIR/valkey.key"
+      echo "tls-auth-clients no"
+    } >> /etc/valkey/valkey.conf
+    msg_ok "Enabled TLS on port 6380 and TCP on 6379"
+    fi
+fi

 systemctl enable -q --now valkey-server
 systemctl restart valkey-server
-msg_ok "Installed Valkey"

 motd_ssh
 customize