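# Configure this node as a PostgreSQL primary that serves replication to the
# hosts in $backup_hosts over TLS only. The server certificate comes from a
# Let's Encrypt certonly run on this host, and each replication role
# authenticates through PAM (pam_ldap).
#
# Parameters:
#   $letsencrypt_host  Title of the Letsencrypt::Certonly resource whose
#                      /etc/letsencrypt/live/<host>/ directory supplies
#                      cert.pem and privkey.pem. Effectively required: an
#                      undef value is rejected up front instead of producing
#                      a "file:///etc/letsencrypt/live//..." source path and
#                      an empty resource reference.
#   $backup_hosts      Host names allowed to connect as replication clients.
#                      Each one is resolved with find_host(), becomes a
#                      PostgreSQL role with a replication slot, and gets one
#                      hostssl pg_hba rule per address found.
#
# The $ldap_* variables declared below are not referenced in this manifest;
# they are expected to be read by pam_ldap_postgresql.conf.erb through the
# template() call at the end.
define profile::postgresql_master (
  Optional[String] $letsencrypt_host = undef,
  Array[String]    $backup_hosts     = [],
) {
  # Fail with a readable message rather than with a broken
  # Letsencrypt::Certonly[undef] reference further down.
  if $letsencrypt_host == undef {
    fail("profile::postgresql_master[${title}]: letsencrypt_host must be set")
  }

  $password_seed = lookup("base_installation::puppet_pass_seed")
  $pg_user       = $::profile::postgresql::pg_user
  $certs_dir     = "/var/lib/postgres/data/certs"
  $le_live_dir   = "/etc/letsencrypt/live/${letsencrypt_host}"

  # Private, postgres-owned copies of the Let's Encrypt material. PostgreSQL
  # rejects a key file that is group/world accessible, and the files under
  # live/ are symlinks (hence "links => follow").
  ensure_resource("file", $certs_dir, {
    ensure  => directory,
    mode    => "0700",
    owner   => $pg_user,
    group   => $pg_user,
    require => File["/var/lib/postgres"],
  })

  # NOTE(review): cert.pem is the leaf certificate only. Clients that verify
  # the chain (sslmode=verify-ca / verify-full) generally need the
  # intermediates too, i.e. fullchain.pem -- confirm this is intended.
  ensure_resource("file", "${certs_dir}/cert.pem", {
    source  => "file://${le_live_dir}/cert.pem",
    mode    => "0600",
    links   => "follow",
    owner   => $pg_user,
    group   => $pg_user,
    require => [Letsencrypt::Certonly[$letsencrypt_host], File[$certs_dir]],
  })

  ensure_resource("file", "${certs_dir}/privkey.pem", {
    source  => "file://${le_live_dir}/privkey.pem",
    mode    => "0600",
    links   => "follow",
    owner   => $pg_user,
    group   => $pg_user,
    require => [Letsencrypt::Certonly[$letsencrypt_host], File[$certs_dir]],
  })

  # Server settings: logical WAL so the replication slots below are usable,
  # and TLS enabled with the copied certificate/key.
  ensure_resource("postgresql::server::config_entry", "wal_level", {
    value => "logical",
  })

  ensure_resource("postgresql::server::config_entry", "ssl", {
    value   => "on",
    require => Letsencrypt::Certonly[$letsencrypt_host],
  })

  ensure_resource("postgresql::server::config_entry", "ssl_cert_file", {
    value   => "${certs_dir}/cert.pem",
    require => Letsencrypt::Certonly[$letsencrypt_host],
  })

  ensure_resource("postgresql::server::config_entry", "ssl_key_file", {
    value   => "${certs_dir}/privkey.pem",
    require => Letsencrypt::Certonly[$letsencrypt_host],
  })

  # pam_ldap is only needed when at least one replication client exists;
  # declaring it once here replaces the per-iteration call.
  unless empty($backup_hosts) {
    ensure_packages(["pam_ldap"])
  }

  $backup_hosts.each |$backup_host| {
    # Resolve the host (presumably via the LDAP-derived "ldapvar" fact). A
    # host that is not found gets no pg_hba rule but still gets a role and a
    # slot below, so it cannot connect until its entry exists.
    $host = find_host($facts["ldapvar"]["other"], $backup_host)
    unless empty($host) {
      $host["ipHostNumber"].each |$ip| {
        # ipHostNumber may carry an explicit prefix length; without one, use
        # a single-host mask (IPv6 when the address contains a colon).
        $infos     = split($ip, "/")
        $ipaddress = $infos[0]
        if (length($infos) == 1 and $ipaddress =~ /:/) {
          $mask = "128"
        } elsif (length($infos) == 1) {
          $mask = "32"
        } else {
          $mask = $infos[1]
        }

        # hostssl restricts these connections to TLS; PAM authentication
        # sends the password over the connection, so the transport must be
        # encrypted.
        postgresql::server::pg_hba_rule { "allow TCP access to replication user from backup for replication from $ipaddress/$mask":
          type        => 'hostssl',
          database    => 'replication',
          user        => $backup_host,
          address     => "$ipaddress/$mask",
          auth_method => 'pam',
          order       => "06-01",
        }
      }
    }

    postgresql::server::role { $backup_host:
      replication => true,
    }

    # Slot names may not contain "-", so map every dash to "_".
    postgresql_replication_slot { regsubst($backup_host, '-', "_", "G"):
      ensure => present,
    }
  }

  # LDAP bind parameters for pam_ldap; the password is derived
  # deterministically from the shared seed.
  $ldap_server    = lookup("base_installation::ldap_server")
  $ldap_base      = lookup("base_installation::ldap_base")
  $ldap_dn        = lookup("base_installation::ldap_dn")
  $ldap_password  = generate_password(24, $password_seed, "ldap")
  $ldap_attribute = "cn"

  # The pam_ldap config carries the bind password, so it is readable by the
  # postgres user only. The PAM service file holds no secrets.
  file { "/etc/pam_ldap.d":
    ensure => directory,
    mode   => "0755",
    owner  => "root",
    group  => "root",
  } ->
  file { "/etc/pam_ldap.d/postgresql.conf":
    ensure  => "present",
    mode    => "0600",
    owner   => $pg_user,
    group   => "root",
    content => template("profile/postgresql_master/pam_ldap_postgresql.conf.erb"),
  } ->
  file { "/etc/pam.d/postgresql":
    ensure => "present",
    mode   => "0644",
    owner  => "root",
    group  => "root",
    source => "puppet:///modules/profile/postgresql_master/pam_postgresql",
  }
}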