]>
Commit | Line | Data |
---|---|---|
808f8225 | 1 | class role::backup::postgresql inherits role::backup { |
6d1c9c43 IB |
2 | # This manifest is supposed to be part of the backup server |
3 | ||
4 | $password_seed = lookup("base_installation::puppet_pass_seed") | |
5 | ||
6 | $user = lookup("role::backup::user") | |
7 | $group = lookup("role::backup::group") | |
8 | $pg_user = "postgres" | |
9 | $pg_group = "postgres" | |
10 | ||
11 | $ldap_cn = lookup("base_installation::ldap_cn") | |
12 | $ldap_password = generate_password(24, $password_seed, "ldap") | |
1c90c691 IB |
13 | $ldap_server = lookup("base_installation::ldap_server") |
14 | $ldap_base = lookup("base_installation::ldap_base") | |
15 | $ldap_dn = lookup("base_installation::ldap_dn") | |
16 | $ldap_attribute = "uid" | |
17 | ||
6d1c9c43 IB |
18 | $pg_slot = regsubst($ldap_cn, '-', "_", "G") |
19 | ||
1c90c691 IB |
20 | ensure_packages(["postgresql", "pgbouncer", "pam_ldap"]) |
21 | ||
22 | $pg_backup_hosts = lookup("role::backup::postgresql::backup_hosts", { "default_value" => {} }) | |
23 | $ldap_filter = lookup("role::backup::postgresql::pgbouncer_access_filter", { "default_value" => undef }) | |
24 | ||
25 | unless empty($pg_backup_hosts) { | |
26 | file { "/etc/systemd/system/postgresql_backup@.service": | |
27 | mode => "0644", | |
28 | owner => "root", | |
29 | group => "root", | |
30 | content => template("role/backup/postgresql_backup@.service.erb"), | |
31 | } | |
6d1c9c43 | 32 | |
1c90c691 IB |
33 | unless empty($ldap_filter) { |
34 | concat { "/etc/pgbouncer/pgbouncer.ini": | |
35 | mode => "0644", | |
36 | owner => "root", | |
37 | group => "root", | |
38 | ensure_newline => true, | |
39 | notify => Service["pgbouncer"], | |
40 | } | |
41 | ||
42 | concat::fragment { "pgbouncer_head": | |
43 | target => "/etc/pgbouncer/pgbouncer.ini", | |
44 | order => "01", | |
45 | content => template("role/backup/pgbouncer.ini.erb"), | |
46 | } | |
47 | ||
48 | file { "/etc/systemd/system/pgbouncer.service.d": | |
49 | ensure => "directory", | |
50 | mode => "0644", | |
51 | owner => "root", | |
52 | group => "root", | |
53 | } | |
54 | ||
55 | file { "/etc/systemd/system/pgbouncer.service.d/override.conf": | |
56 | ensure => "present", | |
57 | mode => "0644", | |
58 | owner => "root", | |
59 | group => "root", | |
60 | content => "[Service]\nUser=\nUser=$pg_user\n", | |
61 | notify => Service["pgbouncer"], | |
62 | } | |
63 | ||
64 | service { "pgbouncer": | |
65 | ensure => "running", | |
66 | enable => true, | |
67 | require => [ | |
68 | Package["pgbouncer"], | |
69 | File["/etc/systemd/system/pgbouncer.service.d/override.conf"], | |
70 | Concat["/etc/pgbouncer/pgbouncer.ini"] | |
71 | ], | |
72 | } | |
73 | ||
74 | file { "/etc/pam_ldap.d": | |
75 | ensure => directory, | |
76 | mode => "0755", | |
77 | owner => "root", | |
78 | group => "root", | |
79 | } -> | |
80 | file { "/etc/pam_ldap.d/pgbouncer.conf": | |
81 | ensure => "present", | |
82 | mode => "0600", | |
83 | owner => $pg_user, | |
84 | group => "root", | |
85 | content => template("role/backup/pam_ldap_pgbouncer.conf.erb"), | |
86 | } -> | |
87 | file { "/etc/pam.d/pgbouncer": | |
88 | ensure => "present", | |
89 | mode => "0644", | |
90 | owner => "root", | |
91 | group => "root", | |
92 | source => "puppet:///modules/role/backup/pam_pgbouncer" | |
93 | } | |
94 | } | |
95 | } | |
6d1c9c43 | 96 | |
1c90c691 | 97 | $pg_backup_hosts.each |$pg_backup_host, $pg_infos| { |
6d1c9c43 IB |
98 | $pg_path = "$mountpoint/$pg_backup_host/postgresql" |
99 | $pg_host = "$pg_backup_host" | |
1c90c691 IB |
100 | $pg_port = $pg_infos["dbport"] |
101 | ||
102 | if !empty($ldap_filter) and ($pg_infos["pgbouncer"]) { | |
103 | concat::fragment { "pgbouncer_$pg_backup_host": | |
104 | target => "/etc/pgbouncer/pgbouncer.ini", | |
105 | order => 02, | |
106 | content => "${pg_infos[pgbouncer_dbname]} = host=$mountpoint/$pg_backup_host/postgresql user=${pg_infos[dbuser]} dbname=${pg_infos[dbname]}", | |
107 | } | |
108 | ||
109 | postgresql::server::pg_hba_rule { "$pg_backup_host - local access as ${pg_infos[dbuser]} user": | |
110 | description => "Allow local access to ${pg_infos[dbuser]} user", | |
111 | type => 'local', | |
112 | database => $pg_infos["dbname"], | |
113 | user => $pg_infos["dbuser"], | |
114 | auth_method => 'trust', | |
115 | order => "01-00", | |
116 | target => "$pg_path/pg_hba.conf", | |
117 | postgresql_version => "10", | |
118 | } | |
119 | } | |
6d1c9c43 IB |
120 | |
121 | file { "$mountpoint/$pg_backup_host": | |
122 | ensure => directory, | |
123 | owner => $user, | |
124 | group => $group, | |
125 | } | |
126 | ||
127 | file { $pg_path: | |
128 | ensure => directory, | |
129 | owner => $pg_user, | |
130 | group => $pg_group, | |
131 | mode => "0700", | |
132 | require => File["$mountpoint/$pg_backup_host"], | |
133 | } | |
134 | ||
135 | exec { "pg_basebackup $pg_path": | |
136 | cwd => $pg_path, | |
137 | user => $pg_user, | |
138 | creates => "$pg_path/PG_VERSION", | |
139 | environment => ["PGPASSWORD=$ldap_password"], | |
140 | command => "/usr/bin/pg_basebackup -w -h $pg_host -U $ldap_cn -D $pg_path -S $pg_slot", | |
141 | before => [ | |
142 | Concat["$pg_path/pg_hba.conf"], | |
143 | Concat["$pg_path/recovery.conf"], | |
144 | File["$pg_path/postgresql.conf"], | |
145 | ] | |
146 | } | |
147 | ||
148 | concat { "$pg_path/pg_hba.conf": | |
149 | owner => $pg_user, | |
150 | group => $pg_group, | |
151 | mode => '0640', | |
152 | warn => true, | |
153 | } | |
154 | postgresql::server::pg_hba_rule { "$pg_backup_host - local access as postgres user": | |
155 | description => 'Allow local access to postgres user', | |
156 | type => 'local', | |
157 | database => 'all', | |
158 | user => $pg_user, | |
159 | auth_method => 'ident', | |
160 | order => "00-01", | |
161 | target => "$pg_path/pg_hba.conf", | |
162 | postgresql_version => "10", | |
163 | } | |
164 | postgresql::server::pg_hba_rule { "$pg_backup_host - localhost access as postgres user": | |
165 | description => 'Allow localhost access to postgres user', | |
166 | type => 'host', | |
167 | database => 'all', | |
168 | user => $pg_user, | |
169 | address => "127.0.0.1/32", | |
170 | auth_method => 'md5', | |
171 | order => "00-02", | |
172 | target => "$pg_path/pg_hba.conf", | |
173 | postgresql_version => "10", | |
174 | } | |
175 | postgresql::server::pg_hba_rule { "$pg_backup_host - localhost ip6 access as postgres user": | |
176 | description => 'Allow localhost access to postgres user', | |
177 | type => 'host', | |
178 | database => 'all', | |
179 | user => $pg_user, | |
180 | address => "::1/128", | |
181 | auth_method => 'md5', | |
182 | order => "00-03", | |
183 | target => "$pg_path/pg_hba.conf", | |
184 | postgresql_version => "10", | |
185 | } | |
186 | postgresql::server::pg_hba_rule { "$pg_backup_host - deny access to postgresql user": | |
187 | description => 'Deny remote access to postgres user', | |
188 | type => 'host', | |
189 | database => 'all', | |
190 | user => $pg_user, | |
191 | address => "0.0.0.0/0", | |
192 | auth_method => 'reject', | |
193 | order => "00-04", | |
194 | target => "$pg_path/pg_hba.conf", | |
195 | postgresql_version => "10", | |
196 | } | |
197 | ||
198 | postgresql::server::pg_hba_rule { "$pg_backup_host - local access": | |
199 | description => 'Allow local access with password', | |
200 | type => 'local', | |
201 | database => 'all', | |
202 | user => 'all', | |
203 | auth_method => 'md5', | |
204 | order => "10-01", | |
205 | target => "$pg_path/pg_hba.conf", | |
206 | postgresql_version => "10", | |
207 | } | |
208 | ||
209 | postgresql::server::pg_hba_rule { "$pg_backup_host - local access with same name": | |
210 | description => 'Allow local access with same name', | |
211 | type => 'local', | |
212 | database => 'all', | |
213 | user => 'all', | |
214 | auth_method => 'ident', | |
215 | order => "10-02", | |
216 | target => "$pg_path/pg_hba.conf", | |
217 | postgresql_version => "10", | |
218 | } | |
219 | ||
b0439bf9 IB |
220 | $primary_conninfo = "host=$pg_host port=$pg_port user=$ldap_cn password=$ldap_password sslmode=require" |
221 | $primary_slot_name = regsubst($ldap_cn, '-', "_", "G") | |
222 | $standby_mode = "on" | |
223 | ||
6d1c9c43 IB |
224 | concat { "$pg_path/recovery.conf": |
225 | owner => $pg_user, | |
226 | group => $pg_group, | |
227 | mode => '0640', | |
228 | warn => true, | |
229 | } | |
b0439bf9 IB |
230 | concat::fragment { "$pg_path/recovery.conf": |
231 | target => "$pg_path/recovery.conf", | |
232 | content => template('postgresql/recovery.conf.erb'), | |
6d1c9c43 IB |
233 | } |
234 | ||
235 | file { "$pg_path/postgresql.conf": | |
236 | owner => $pg_user, | |
237 | group => $pg_group, | |
238 | mode => '0640', | |
808f8225 | 239 | content => template("role/backup/postgresql.conf.erb"), |
6d1c9c43 IB |
240 | } |
241 | ||
242 | service { "postgresql_backup@$pg_backup_host": | |
243 | enable => true, | |
244 | ensure => "running", | |
245 | require => [ | |
246 | File["/etc/systemd/system/postgresql_backup@.service"], | |
247 | Concat["$pg_path/pg_hba.conf"], | |
248 | Concat["$pg_path/recovery.conf"], | |
249 | File["$pg_path/postgresql.conf"], | |
250 | ] | |
251 | } | |
252 | } | |
253 | ||
6d1c9c43 | 254 | } |