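# Backup-server side of the PostgreSQL streaming-replica setup.
#
# For every host in role::backup::postgresql::backup_hosts this class seeds a
# local replica with pg_basebackup, manages its pg_hba.conf / recovery.conf /
# postgresql.conf, runs it as a per-host systemd instance
# (postgresql_backup@<host>) and dumps it with pg_dumpall from cron.  When
# role::backup::postgresql::pgbouncer_access_filter is set, pgbouncer is
# configured (PAM + pam_ldap) to expose the replicas to LDAP users.
#
# Security-relevant points a maintainer should keep in mind:
#   * $ldap_password is produced by generate_password() from
#     base_installation::puppet_pass_seed.  It is written to recovery.conf
#     (0640 $pg_user:$pg_group) and passed in the environment of the
#     pg_basebackup exec, so it is also part of the compiled catalog.
#   * The `trust` pg_hba rule that pgbouncer relies on is only acceptable
#     because the replica's Unix socket lives in $pg_path (mode 0700, owned
#     by $pg_user) and pgbouncer itself runs as $pg_user (override.conf).
#     Relaxing either of those would let any local account log in as the
#     application user without a password.
#   * $mountpoint is inherited from role::backup and is not defined here.
class role::backup::postgresql inherits role::backup {
  # This manifest is supposed to be part of the backup server

  $password_seed = lookup("base_installation::puppet_pass_seed")

  $user = lookup("role::backup::user")
  $group = lookup("role::backup::group")
  $pg_user = "postgres"
  $pg_group = "postgres"

  # Replication identity on the primaries: the LDAP cn is both the PostgreSQL
  # role name and the basis of the replication slot name.
  $ldap_cn = lookup("base_installation::ldap_cn")
  $ldap_password = generate_password(24, $password_seed, "ldap")
  $ldap_server = lookup("base_installation::ldap_server")
  $ldap_base = lookup("base_installation::ldap_base")
  $ldap_dn = lookup("base_installation::ldap_dn")
  $ldap_attribute = "uid"

  # Slot names may not contain '-', hence the substitution.
  $pg_slot = regsubst($ldap_cn, '-', "_", "G")

  ensure_packages(["postgresql", "pgbouncer", "pam_ldap"])

  # backup_hosts: { "<host>" => { dbport, dbname, dbuser, pgbouncer, pgbouncer_dbname } }
  # (keys as used below; the exact schema is owned by hiera).
  $pg_backup_hosts = lookup("role::backup::postgresql::backup_hosts", { "default_value" => {} })
  # LDAP filter restricting who may authenticate through pgbouncer; pgbouncer
  # is only set up when it is given.
  $ldap_filter = lookup("role::backup::postgresql::pgbouncer_access_filter", { "default_value" => undef })

  unless empty($pg_backup_hosts) {
    file { "/etc/systemd/system/postgresql_backup@.service":
      mode    => "0644",
      owner   => "root",
      group   => "root",
      content => template("role/backup/postgresql_backup@.service.erb"),
    }

    unless empty($ldap_filter) {
      concat { "/etc/pgbouncer/pgbouncer.ini":
        mode           => "0644",
        owner          => "root",
        group          => "root",
        ensure_newline => true,
        notify         => Service["pgbouncer"],
      }

      concat::fragment { "pgbouncer_head":
        target  => "/etc/pgbouncer/pgbouncer.ini",
        order   => "01",
        content => template("role/backup/pgbouncer.ini.erb"),
      }

      # Drop-in directory: 0755 like /etc/pam_ldap.d below (Puppet would add
      # the search bits to a 0644 directory anyway, 0755 says what is meant).
      file { "/etc/systemd/system/pgbouncer.service.d":
        ensure => "directory",
        mode   => "0755",
        owner  => "root",
        group  => "root",
      }

      # Run pgbouncer as $pg_user so it can reach the 0700 socket directories
      # of the replicas and read /etc/pam_ldap.d/pgbouncer.conf.  The empty
      # `User=` first resets the value from the vendor unit.
      file { "/etc/systemd/system/pgbouncer.service.d/override.conf":
        ensure  => "present",
        mode    => "0644",
        owner   => "root",
        group   => "root",
        content => "[Service]\nUser=\nUser=$pg_user\n",
        notify  => Service["pgbouncer"],
      }

      service { "pgbouncer":
        ensure  => "running",
        enable  => true,
        require => [
          Package["pgbouncer"],
          File["/etc/systemd/system/pgbouncer.service.d/override.conf"],
          Concat["/etc/pgbouncer/pgbouncer.ini"]
        ],
      }

      # pam_ldap configuration for the pgbouncer PAM service.  The file holds
      # the LDAP bind settings, so it is readable by $pg_user only.
      file { "/etc/pam_ldap.d":
        ensure => directory,
        mode   => "0755",
        owner  => "root",
        group  => "root",
      } ->
      file { "/etc/pam_ldap.d/pgbouncer.conf":
        ensure  => "present",
        mode    => "0600",
        owner   => $pg_user,
        group   => "root",
        content => template("role/backup/pam_ldap_pgbouncer.conf.erb"),
      } ->
      file { "/etc/pam.d/pgbouncer":
        ensure => "present",
        mode   => "0644",
        owner  => "root",
        group  => "root",
        source => "puppet:///modules/role/backup/pam_pgbouncer"
      }
    }
  }

  $pg_backup_hosts.each |$pg_backup_host, $pg_infos| {
    # $pg_path is both the replica's data directory and its socket directory
    # (see host= in the pgbouncer fragment and -h in pg_dumpall).
    $pg_path = "$mountpoint/$pg_backup_host/postgresql"
    $pg_backup_path = "$mountpoint/$pg_backup_host/postgresql_backup"
    $pg_host = "$pg_backup_host"
    $pg_port = $pg_infos["dbport"]

    if !empty($ldap_filter) and ($pg_infos["pgbouncer"]) {
      # Quoted like the head fragment's order so concat sorts both alike.
      concat::fragment { "pgbouncer_$pg_backup_host":
        target  => "/etc/pgbouncer/pgbouncer.ini",
        order   => "02",
        content => "${pg_infos[pgbouncer_dbname]} = host=$mountpoint/$pg_backup_host/postgresql user=${pg_infos[dbuser]} dbname=${pg_infos[dbname]}",
      }

      # pgbouncer authenticates the LDAP user via PAM and then connects over
      # the Unix socket as ${pg_infos[dbuser]} without a password.  This is
      # only safe because the socket directory ($pg_path) is 0700 $pg_user and
      # pgbouncer runs as $pg_user; a pg_ident map with `peer` would be the
      # stricter alternative.
      postgresql::server::pg_hba_rule { "$pg_backup_host - local access as ${pg_infos[dbuser]} user":
        description        => "Allow local access to ${pg_infos[dbuser]} user",
        type               => 'local',
        database           => $pg_infos["dbname"],
        user               => $pg_infos["dbuser"],
        auth_method        => 'trust',
        order              => "01-00",
        target             => "$pg_path/pg_hba.conf",
        postgresql_version => "10",
      }
    }

    file { "$mountpoint/$pg_backup_host":
      ensure => directory,
      owner  => $user,
      group  => $group,
    }

    # 0700: the data directory must not be readable by others, and the
    # `trust` rule above depends on the socket inside it being unreachable.
    file { $pg_path:
      ensure  => directory,
      owner   => $pg_user,
      group   => $pg_group,
      mode    => "0700",
      require => File["$mountpoint/$pg_backup_host"],
    }

    file { $pg_backup_path:
      ensure  => directory,
      owner   => $pg_user,
      group   => $pg_group,
      mode    => "0700",
      require => File["$mountpoint/$pg_backup_host"],
    }

    # Dumps: four per day, named after `date -Iseconds`.  The 03:00 job keeps
    # the 12 most recent non-22:00 dumps; the 03:01 job thins the 22:00 dumps
    # exponentially with log2rotate.
    # NOTE(review): the log2rotate --format hard-codes a "+02:00" offset while
    # the file names carry whatever offset `date -Iseconds` emitted; dumps
    # written under a different UTC offset would not match — confirm the
    # system timezone is fixed at +02:00.
    cron::job::multiple { "backup_psql_$pg_host":
      ensure  => "present",
      require => [File[$pg_backup_path], File[$pg_path]],
      jobs    => [
        {
          command     => "/usr/bin/pg_dumpall -h $pg_path -f $pg_backup_path/\$(date -Iseconds).sql",
          user        => $pg_user,
          hour        => "22,4,10,16",
          minute      => 0,
          description => "Backup the database",
        },
        {
          command     => "/usr/bin/rm -f $(ls -1 $pg_backup_path/*.sql | grep -v 'T22:' | sort -r | sed -e '1,12d')",
          user        => $pg_user,
          hour        => 3,
          minute      => 0,
          description => "Cleanup the database backups",
        },
        {
          command     => "cd $pg_backup_path ; /usr/bin/rm -f $(ls -1 *T22*.sql | log2rotate --skip 7 --fuzz 7 --delete --format='%Y-%m-%dT%H:%M:%S+02:00.sql')",
          user        => $pg_user,
          hour        => 3,
          minute      => 1,
          description => "Cleanup the database backups exponentially",
        },
      ]
    }

    # Initial seed of the replica; runs once (guarded by PG_VERSION) and
    # before the managed config files are written into the data directory.
    # PGSSLMODE=require matches the sslmode of $primary_conninfo below so the
    # full base copy and the password are not sent in clear text.  (`require`
    # does not verify the server certificate; `verify-full` would need an
    # sslrootcert on this host.)
    exec { "pg_basebackup $pg_path":
      cwd         => $pg_path,
      user        => $pg_user,
      creates     => "$pg_path/PG_VERSION",
      environment => ["PGPASSWORD=$ldap_password", "PGSSLMODE=require"],
      command     => "/usr/bin/pg_basebackup -w -h $pg_host -U $ldap_cn -D $pg_path -S $pg_slot",
      before      => [
        Concat["$pg_path/pg_hba.conf"],
        Concat["$pg_path/recovery.conf"],
        File["$pg_path/postgresql.conf"],
      ]
    }

    # pg_hba.conf of the replica.  Rules are matched first-hit in `order`:
    #   00-xx  the postgres superuser: local peer, loopback md5, remote reject
    #   01-xx  pgbouncer application user (trust over the 0700 socket)
    #   10-xx  everybody else, local socket only
    # No `host` rule exists for non-loopback addresses, so remote
    # connections fall through to PostgreSQL's implicit reject.
    concat { "$pg_path/pg_hba.conf":
      owner => $pg_user,
      group => $pg_group,
      mode  => '0640',
      warn  => true,
    }
    postgresql::server::pg_hba_rule { "$pg_backup_host - local access as postgres user":
      description        => 'Allow local access to postgres user',
      type               => 'local',
      database           => 'all',
      user               => $pg_user,
      auth_method        => 'ident',
      order              => "00-01",
      target             => "$pg_path/pg_hba.conf",
      postgresql_version => "10",
    }
    # md5 on loopback: PostgreSQL 10 supports scram-sha-256 but only if
    # password_encryption is set accordingly in postgresql.conf.erb — switch
    # both together if that is ever changed.
    postgresql::server::pg_hba_rule { "$pg_backup_host - localhost access as postgres user":
      description        => 'Allow localhost access to postgres user',
      type               => 'host',
      database           => 'all',
      user               => $pg_user,
      address            => "127.0.0.1/32",
      auth_method        => 'md5',
      order              => "00-02",
      target             => "$pg_path/pg_hba.conf",
      postgresql_version => "10",
    }
    postgresql::server::pg_hba_rule { "$pg_backup_host - localhost ip6 access as postgres user":
      description        => 'Allow localhost access to postgres user',
      type               => 'host',
      database           => 'all',
      user               => $pg_user,
      address            => "::1/128",
      auth_method        => 'md5',
      order              => "00-03",
      target             => "$pg_path/pg_hba.conf",
      postgresql_version => "10",
    }
    # Explicit rejects for the superuser from anywhere else.  0.0.0.0/0 only
    # matches IPv4 in pg_hba.conf, so IPv6 gets its own entry.
    postgresql::server::pg_hba_rule { "$pg_backup_host - deny access to postgresql user":
      description        => 'Deny remote access to postgres user',
      type               => 'host',
      database           => 'all',
      user               => $pg_user,
      address            => "0.0.0.0/0",
      auth_method        => 'reject',
      order              => "00-04",
      target             => "$pg_path/pg_hba.conf",
      postgresql_version => "10",
    }
    postgresql::server::pg_hba_rule { "$pg_backup_host - deny ip6 access to postgresql user":
      description        => 'Deny remote ip6 access to postgres user',
      type               => 'host',
      database           => 'all',
      user               => $pg_user,
      address            => "::/0",
      auth_method        => 'reject',
      order              => "00-05",
      target             => "$pg_path/pg_hba.conf",
      postgresql_version => "10",
    }

    postgresql::server::pg_hba_rule { "$pg_backup_host - local access":
      description        => 'Allow local access with password',
      type               => 'local',
      database           => 'all',
      user               => 'all',
      auth_method        => 'md5',
      order              => "10-01",
      target             => "$pg_path/pg_hba.conf",
      postgresql_version => "10",
    }

    # NOTE(review): this rule is never reached — the 10-01 rule above already
    # matches every local connection (all/all) and pg_hba.conf stops at the
    # first match.  Kept as-is; reorder to 10-00 if peer auth is meant to win.
    postgresql::server::pg_hba_rule { "$pg_backup_host - local access with same name":
      description        => 'Allow local access with same name',
      type               => 'local',
      database           => 'all',
      user               => 'all',
      auth_method        => 'ident',
      order              => "10-02",
      target             => "$pg_path/pg_hba.conf",
      postgresql_version => "10",
    }

    # Read by postgresql/recovery.conf.erb.  The password is embedded in the
    # connection string, which is why recovery.conf is 0640 $pg_user:$pg_group.
    $primary_conninfo = "host=$pg_host port=$pg_port user=$ldap_cn password=$ldap_password sslmode=require"
    $primary_slot_name = $pg_slot
    $standby_mode = "on"

    concat { "$pg_path/recovery.conf":
      owner => $pg_user,
      group => $pg_group,
      mode  => '0640',
      warn  => true,
    }
    concat::fragment { "$pg_path/recovery.conf":
      target  => "$pg_path/recovery.conf",
      content => template('postgresql/recovery.conf.erb'),
    }

    file { "$pg_path/postgresql.conf":
      owner   => $pg_user,
      group   => $pg_group,
      mode    => '0640',
      content => template("role/backup/postgresql.conf.erb"),
    }

    service { "postgresql_backup@$pg_backup_host":
      enable  => true,
      ensure  => "running",
      require => [
        File["/etc/systemd/system/postgresql_backup@.service"],
        Concat["$pg_path/pg_hba.conf"],
        Concat["$pg_path/recovery.conf"],
        File["$pg_path/postgresql.conf"],
      ]
    }
  }

}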