Add pgbouncer for backup
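class role::backup::postgresql inherits role::backup {
  # This manifest is supposed to be part of the backup server.
  #
  # For every entry of role::backup::postgresql::backup_hosts it builds a
  # local streaming standby of the remote database under
  # $mountpoint/<host>/postgresql: one pg_basebackup run (only while
  # PG_VERSION is missing), then a postgresql_backup@<host> systemd unit
  # keeps it in sync. $mountpoint is expected to come from the inherited
  # role::backup class.
  #
  # When role::backup::postgresql::pgbouncer_access_filter is set, a
  # pgbouncer instance authenticating users through pam_ldap is put in
  # front of the standbys that have "pgbouncer" enabled in their entry.
  #
  # Shape of one backup_hosts entry, as read below:
  #   dbport, dbname, dbuser, pgbouncer (boolean), pgbouncer_dbname

  $password_seed = lookup("base_installation::puppet_pass_seed")

  $user = lookup("role::backup::user")
  $group = lookup("role::backup::group")
  $pg_user = "postgres"
  $pg_group = "postgres"

  # The LDAP cn is the replication role on the primary; its password is
  # derived deterministically from the puppet seed.
  $ldap_cn = lookup("base_installation::ldap_cn")
  $ldap_password = generate_password(24, $password_seed, "ldap")
  $ldap_server = lookup("base_installation::ldap_server")
  $ldap_base = lookup("base_installation::ldap_base")
  $ldap_dn = lookup("base_installation::ldap_dn")
  $ldap_attribute = "uid"

  # Replication slot name: "-" is not allowed in slot names, so the cn is
  # mangled. The same value is reused as primary_slot_name in recovery.conf.
  $pg_slot = regsubst($ldap_cn, '-', "_", "G")

  ensure_packages(["postgresql", "pgbouncer", "pam_ldap"])

  $pg_backup_hosts = lookup("role::backup::postgresql::backup_hosts", { "default_value" => {} })
  $ldap_filter = lookup("role::backup::postgresql::pgbouncer_access_filter", { "default_value" => undef })
  # pgbouncer is only deployed when an LDAP access filter is configured.
  $with_pgbouncer = !empty($ldap_filter)

  unless empty($pg_backup_hosts) {
    # Template unit, instantiated once per backup host further down.
    file { "/etc/systemd/system/postgresql_backup@.service":
      mode    => "0644",
      owner   => "root",
      group   => "root",
      content => template("role/backup/postgresql_backup@.service.erb"),
    }

    if $with_pgbouncer {
      concat { "/etc/pgbouncer/pgbouncer.ini":
        mode           => "0644",
        owner          => "root",
        group          => "root",
        ensure_newline => true,
        notify         => Service["pgbouncer"],
      }

      concat::fragment { "pgbouncer_head":
        target  => "/etc/pgbouncer/pgbouncer.ini",
        order   => "01",
        content => template("role/backup/pgbouncer.ini.erb"),
      }

      # systemd drop-in directory. Directories need the search bit; Puppet
      # adds it for any readable directory anyway, "0755" just makes it
      # explicit and consistent with /etc/pam_ldap.d below.
      file { "/etc/systemd/system/pgbouncer.service.d":
        ensure => "directory",
        mode   => "0755",
        owner  => "root",
        group  => "root",
      }

      # Run pgbouncer as the postgres user: the standbys' socket directory
      # ($pg_path, mode 0700) is only reachable by that user, and
      # /etc/pam_ldap.d/pgbouncer.conf is owned by it.
      file { "/etc/systemd/system/pgbouncer.service.d/override.conf":
        ensure  => "present",
        mode    => "0644",
        owner   => "root",
        group   => "root",
        content => "[Service]\nUser=\nUser=$pg_user\n",
        notify  => Service["pgbouncer"],
      }

      service { "pgbouncer":
        ensure  => "running",
        enable  => true,
        require => [
          Package["pgbouncer"],
          File["/etc/systemd/system/pgbouncer.service.d/override.conf"],
          Concat["/etc/pgbouncer/pgbouncer.ini"]
        ],
      }

      # pam_ldap configuration for the "pgbouncer" PAM service. The config
      # file is 0600 and owned by the user pgbouncer runs as, since it holds
      # the LDAP connection settings rendered from the template.
      file { "/etc/pam_ldap.d":
        ensure => directory,
        mode   => "0755",
        owner  => "root",
        group  => "root",
      } ->
      file { "/etc/pam_ldap.d/pgbouncer.conf":
        ensure  => "present",
        mode    => "0600",
        owner   => $pg_user,
        group   => "root",
        content => template("role/backup/pam_ldap_pgbouncer.conf.erb"),
      } ->
      file { "/etc/pam.d/pgbouncer":
        ensure => "present",
        mode   => "0644",
        owner  => "root",
        group  => "root",
        source => "puppet:///modules/role/backup/pam_pgbouncer"
      }
    }
  }

  $pg_backup_hosts.each |$pg_backup_host, $pg_infos| {
    $pg_path = "$mountpoint/$pg_backup_host/postgresql"
    $pg_host = $pg_backup_host
    $pg_port = $pg_infos["dbport"]
    # pg_basebackup does not read primary_conninfo, so the port has to be
    # passed explicitly; skip the option when the entry has no dbport.
    $pg_port_opt = $pg_port ? {
      undef   => "",
      default => "-p $pg_port",
    }

    if $with_pgbouncer and $pg_infos["pgbouncer"] {
      # pgbouncer reaches the standby through its unix socket in $pg_path
      # (presumably configured as socket directory by postgresql.conf.erb).
      concat::fragment { "pgbouncer_$pg_backup_host":
        target  => "/etc/pgbouncer/pgbouncer.ini",
        order   => "02",
        content => "${pg_infos['pgbouncer_dbname']} = host=$pg_path user=${pg_infos['dbuser']} dbname=${pg_infos['dbname']}",
      }

      # "trust" on the local socket: pgbouncer (running as postgres) gets in
      # without a password. This is only acceptable because $pg_path is
      # 0700 postgres, so no other local user can open the socket; if the
      # socket directory ever moves, switch this to peer auth with a
      # pg_ident map.
      postgresql::server::pg_hba_rule { "$pg_backup_host - local access as ${pg_infos['dbuser']} user":
        description        => "Allow local access to ${pg_infos['dbuser']} user",
        type               => 'local',
        database           => $pg_infos["dbname"],
        user               => $pg_infos["dbuser"],
        auth_method        => 'trust',
        order              => "01-00",
        target             => "$pg_path/pg_hba.conf",
        postgresql_version => "10",
      }
    }

    file { "$mountpoint/$pg_backup_host":
      ensure => directory,
      owner  => $user,
      group  => $group,
    }

    # Data directory of the standby; 0700 is also what keeps the socket
    # (and the trust rule above) private to the postgres user.
    file { $pg_path:
      ensure  => directory,
      owner   => $pg_user,
      group   => $pg_group,
      mode    => "0700",
      require => File["$mountpoint/$pg_backup_host"],
    }

    # Initial copy, run once (guarded by PG_VERSION) before the config files
    # are dropped into the data directory. The password goes through the
    # environment rather than the command line, which Puppet logs and which
    # is visible in process listings. PGSSLMODE mirrors the sslmode=require
    # of primary_conninfo so the full base copy is not sent in clear.
    exec { "pg_basebackup $pg_path":
      cwd         => $pg_path,
      user        => $pg_user,
      creates     => "$pg_path/PG_VERSION",
      environment => ["PGPASSWORD=$ldap_password", "PGSSLMODE=require"],
      command     => "/usr/bin/pg_basebackup -w -h $pg_host $pg_port_opt -U $ldap_cn -D $pg_path -S $pg_slot",
      require     => File[$pg_path],
      before      => [
        Concat["$pg_path/pg_hba.conf"],
        Concat["$pg_path/recovery.conf"],
        File["$pg_path/postgresql.conf"],
      ]
    }

    # pg_hba.conf of the standby: postgres is local/ident or loopback/md5
    # and rejected from anywhere else; everyone else is md5 or ident on the
    # socket. PostgreSQL 10 also supports scram-sha-256, which could
    # replace md5 here once the roles' passwords are stored that way.
    concat { "$pg_path/pg_hba.conf":
      owner => $pg_user,
      group => $pg_group,
      mode  => '0640',
      warn  => true,
    }
    postgresql::server::pg_hba_rule { "$pg_backup_host - local access as postgres user":
      description        => 'Allow local access to postgres user',
      type               => 'local',
      database           => 'all',
      user               => $pg_user,
      auth_method        => 'ident',
      order              => "00-01",
      target             => "$pg_path/pg_hba.conf",
      postgresql_version => "10",
    }
    postgresql::server::pg_hba_rule { "$pg_backup_host - localhost access as postgres user":
      description        => 'Allow localhost access to postgres user',
      type               => 'host',
      database           => 'all',
      user               => $pg_user,
      address            => "127.0.0.1/32",
      auth_method        => 'md5',
      order              => "00-02",
      target             => "$pg_path/pg_hba.conf",
      postgresql_version => "10",
    }
    postgresql::server::pg_hba_rule { "$pg_backup_host - localhost ip6 access as postgres user":
      description        => 'Allow localhost access to postgres user',
      type               => 'host',
      database           => 'all',
      user               => $pg_user,
      address            => "::1/128",
      auth_method        => 'md5',
      order              => "00-03",
      target             => "$pg_path/pg_hba.conf",
      postgresql_version => "10",
    }
    postgresql::server::pg_hba_rule { "$pg_backup_host - deny access to postgresql user":
      description        => 'Deny remote access to postgres user',
      type               => 'host',
      database           => 'all',
      user               => $pg_user,
      address            => "0.0.0.0/0",
      auth_method        => 'reject',
      order              => "00-04",
      target             => "$pg_path/pg_hba.conf",
      postgresql_version => "10",
    }

    postgresql::server::pg_hba_rule { "$pg_backup_host - local access":
      description        => 'Allow local access with password',
      type               => 'local',
      database           => 'all',
      user               => 'all',
      auth_method        => 'md5',
      order              => "10-01",
      target             => "$pg_path/pg_hba.conf",
      postgresql_version => "10",
    }

    postgresql::server::pg_hba_rule { "$pg_backup_host - local access with same name":
      description        => 'Allow local access with same name',
      type               => 'local',
      database           => 'all',
      user               => 'all',
      auth_method        => 'ident',
      order              => "10-02",
      target             => "$pg_path/pg_hba.conf",
      postgresql_version => "10",
    }

    # Variables read by postgresql/recovery.conf.erb; keep the names.
    $primary_conninfo = "host=$pg_host port=$pg_port user=$ldap_cn password=$ldap_password sslmode=require"
    $primary_slot_name = $pg_slot
    $standby_mode = "on"

    # recovery.conf carries the replication password, hence 0640 and owned
    # by postgres only.
    concat { "$pg_path/recovery.conf":
      owner => $pg_user,
      group => $pg_group,
      mode  => '0640',
      warn  => true,
    }
    concat::fragment { "$pg_path/recovery.conf":
      target  => "$pg_path/recovery.conf",
      content => template('postgresql/recovery.conf.erb'),
    }

    file { "$pg_path/postgresql.conf":
      owner   => $pg_user,
      group   => $pg_group,
      mode    => '0640',
      content => template("role/backup/postgresql.conf.erb"),
    }

    service { "postgresql_backup@$pg_backup_host":
      enable  => true,
      ensure  => "running",
      require => [
        File["/etc/systemd/system/postgresql_backup@.service"],
        Concat["$pg_path/pg_hba.conf"],
        Concat["$pg_path/recovery.conf"],
        File["$pg_path/postgresql.conf"],
      ]
    }
  }
}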