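# Sets up one streaming-replica style PostgreSQL backup instance per host
# listed in the Hiera key `role::backup::postgresql::backup_hosts`.
#
# For every host the class:
#   * creates "$mountpoint/<host>" and a 0700 "postgresql" data directory in it,
#   * seeds that directory once with pg_basebackup (guarded by PG_VERSION),
#   * writes pg_hba.conf, recovery.conf and postgresql.conf into it,
#   * enables and starts the systemd instance "postgresql_backup@<host>".
#
# It also installs the systemd template unit shared by all instances.
#
# NOTE(review): $mountpoint is not assigned in this class; it is presumably
# provided by the inherited role::backup class. Confirm before reuse.
class role::backup::postgresql inherits role::backup {
  # This manifest is supposed to be part of the backup server

  $password_seed = lookup("base_installation::puppet_pass_seed")

  $user     = lookup("role::backup::user")
  $group    = lookup("role::backup::group")
  $pg_user  = "postgres"
  $pg_group = "postgres"

  $ldap_cn       = lookup("base_installation::ldap_cn")
  # Replication credential. generate_password is a project function that is not
  # visible here; presumably it derives the value from the seed. The value ends
  # up in the compiled catalog and in recovery.conf, so both need protecting.
  $ldap_password = generate_password(24, $password_seed, "ldap")
  # Replication slot name: the LDAP cn with every '-' replaced by '_'.
  $pg_slot       = regsubst($ldap_cn, '-', "_", "G")

  ensure_packages(["postgresql"])

  $pg_backup_hosts = lookup("role::backup::postgresql::backup_hosts", { "default_value" => [] })

  $pg_backup_hosts.each |$pg_backup_host| {
    $pg_path = "$mountpoint/$pg_backup_host/postgresql"
    $pg_host = "$pg_backup_host"
    # Not passed to pg_basebackup below; used in $primary_conninfo.
    $pg_port = "5432"

    file { "$mountpoint/$pg_backup_host":
      ensure => directory,
      owner  => $user,
      group  => $group,
    }

    # Data directory: readable by the postgres account only.
    file { $pg_path:
      ensure  => directory,
      owner   => $pg_user,
      group   => $pg_group,
      mode    => "0700",
      require => File["$mountpoint/$pg_backup_host"],
    }

    # Initial base backup. `creates` makes this a one-shot: it is skipped as
    # soon as PG_VERSION exists. The password travels in the environment and
    # `-w` forbids prompting, so it never appears in the command line.
    exec { "pg_basebackup $pg_path":
      cwd         => $pg_path,
      user        => $pg_user,
      creates     => "$pg_path/PG_VERSION",
      environment => ["PGPASSWORD=$ldap_password"],
      command     => "/usr/bin/pg_basebackup -w -h $pg_host -U $ldap_cn -D $pg_path -S $pg_slot",
      before      => [
        Concat["$pg_path/pg_hba.conf"],
        Concat["$pg_path/recovery.conf"],
        File["$pg_path/postgresql.conf"],
      ]
    }

    concat { "$pg_path/pg_hba.conf":
      owner => $pg_user,
      group => $pg_group,
      mode  => '0640',
      warn  => true,
    }
    # Rules 00-xx concern the postgres superuser: peer-style local access,
    # password access over loopback, and an explicit reject for anything else.
    # NOTE(review): 'md5' is kept as written; PostgreSQL 10 also offers
    # scram-sha-256, which depends on how the passwords are stored.
    postgresql::server::pg_hba_rule { "$pg_backup_host - local access as postgres user":
      description        => 'Allow local access to postgres user',
      type               => 'local',
      database           => 'all',
      user               => $pg_user,
      auth_method        => 'ident',
      order              => "00-01",
      target             => "$pg_path/pg_hba.conf",
      postgresql_version => "10",
    }
    postgresql::server::pg_hba_rule { "$pg_backup_host - localhost access as postgres user":
      description        => 'Allow localhost access to postgres user',
      type               => 'host',
      database           => 'all',
      user               => $pg_user,
      address            => "127.0.0.1/32",
      auth_method        => 'md5',
      order              => "00-02",
      target             => "$pg_path/pg_hba.conf",
      postgresql_version => "10",
    }
    postgresql::server::pg_hba_rule { "$pg_backup_host - localhost ip6 access as postgres user":
      description        => 'Allow localhost access to postgres user',
      type               => 'host',
      database           => 'all',
      user               => $pg_user,
      address            => "::1/128",
      auth_method        => 'md5',
      order              => "00-03",
      target             => "$pg_path/pg_hba.conf",
      postgresql_version => "10",
    }
    postgresql::server::pg_hba_rule { "$pg_backup_host - deny access to postgresql user":
      description        => 'Deny remote access to postgres user',
      type               => 'host',
      database           => 'all',
      user               => $pg_user,
      address            => "0.0.0.0/0",
      auth_method        => 'reject',
      order              => "00-04",
      target             => "$pg_path/pg_hba.conf",
      postgresql_version => "10",
    }
    # The rule above only matches IPv4 peers. Add the IPv6 counterpart so the
    # explicit reject keeps holding if a broader `host` rule is added later.
    # It sorts after the ::1/128 rule, so loopback access is unaffected.
    postgresql::server::pg_hba_rule { "$pg_backup_host - deny ip6 access to postgresql user":
      description        => 'Deny remote access to postgres user',
      type               => 'host',
      database           => 'all',
      user               => $pg_user,
      address            => "::/0",
      auth_method        => 'reject',
      order              => "00-05",
      target             => "$pg_path/pg_hba.conf",
      postgresql_version => "10",
    }

    # Rules 10-xx concern every other role, over the local socket only.
    # pg_hba.conf is first-match, so the md5 rule (10-01) wins over the ident
    # rule (10-02) for local connections.
    postgresql::server::pg_hba_rule { "$pg_backup_host - local access":
      description        => 'Allow local access with password',
      type               => 'local',
      database           => 'all',
      user               => 'all',
      auth_method        => 'md5',
      order              => "10-01",
      target             => "$pg_path/pg_hba.conf",
      postgresql_version => "10",
    }

    postgresql::server::pg_hba_rule { "$pg_backup_host - local access with same name":
      description        => 'Allow local access with same name',
      type               => 'local',
      database           => 'all',
      user               => 'all',
      auth_method        => 'ident',
      order              => "10-02",
      target             => "$pg_path/pg_hba.conf",
      postgresql_version => "10",
    }

    # Variables below are presumably consumed by postgresql/recovery.conf.erb
    # (the template is not visible here), so their names must not change.
    # The connection string carries the replication password in clear text.
    # NOTE(review): the password is interpolated unquoted; confirm that
    # generate_password never emits spaces, quotes or backslashes.
    $primary_conninfo  = "host=$pg_host port=$pg_port user=$ldap_cn password=$ldap_password sslmode=require"
    # Same value as the slot used for pg_basebackup; reuse it so the two
    # cannot drift apart.
    $primary_slot_name = $pg_slot
    $standby_mode      = "on"

    # show_diff is disabled so that a content change does not print the
    # connection string (and its password) into agent logs and reports.
    concat { "$pg_path/recovery.conf":
      owner     => $pg_user,
      group     => $pg_group,
      mode      => '0640',
      warn      => true,
      show_diff => false,
    }
    concat::fragment { "$pg_path/recovery.conf":
      target  => "$pg_path/recovery.conf",
      content => template('postgresql/recovery.conf.erb'),
    }

    file { "$pg_path/postgresql.conf":
      owner   => $pg_user,
      group   => $pg_group,
      mode    => '0640',
      content => template("role/backup/postgresql.conf.erb"),
    }

    # One systemd instance per backed-up host; it needs the template unit and
    # all three configuration files in place first.
    service { "postgresql_backup@$pg_backup_host":
      enable  => true,
      ensure  => "running",
      require => [
        File["/etc/systemd/system/postgresql_backup@.service"],
        Concat["$pg_path/pg_hba.conf"],
        Concat["$pg_path/recovery.conf"],
        File["$pg_path/postgresql.conf"],
      ]
    }
  }

  # systemd template unit instantiated by the per-host services above.
  file { "/etc/systemd/system/postgresql_backup@.service":
    mode    => "0644",
    owner   => "root",
    group   => "root",
    content => template("role/backup/postgresql_backup@.service.erb"),
  }
}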