]>
Commit | Line | Data |
---|---|---|
39e05b4e IB |
1 | class role::cryptoportfolio::postgresql inherits role::cryptoportfolio { |
2 | $password_seed = lookup("base_installation::puppet_pass_seed") | |
3 | ||
4 | $pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio") | |
5 | $pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication") | |
6 | ||
7 | file { "/var/lib/postgres/data/certs": | |
8 | ensure => directory, | |
9 | mode => "0700", | |
10 | owner => $::profile::postgresql::pg_user, | |
11 | group => $::profile::postgresql::pg_user, | |
12 | require => File["/var/lib/postgres"], | |
13 | } | |
14 | ||
15 | file { "/var/lib/postgres/data/certs/cert.pem": | |
16 | source => "file:///etc/letsencrypt/live/$web_host/cert.pem", | |
17 | mode => "0600", | |
18 | links => "follow", | |
19 | owner => $::profile::postgresql::pg_user, | |
20 | group => $::profile::postgresql::pg_user, | |
21 | require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]] | |
22 | } | |
23 | ||
24 | file { "/var/lib/postgres/data/certs/privkey.pem": | |
25 | source => "file:///etc/letsencrypt/live/$web_host/privkey.pem", | |
26 | mode => "0600", | |
27 | links => "follow", | |
28 | owner => $::profile::postgresql::pg_user, | |
29 | group => $::profile::postgresql::pg_user, | |
30 | require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]] | |
31 | } | |
32 | ||
acd2cd43 IB |
33 | postgresql_replication_slot { $pg_user_replication: |
34 | ensure => present | |
35 | } | |
36 | ||
39e05b4e IB |
37 | postgresql::server::config_entry { "wal_level": |
38 | value => "logical", | |
39 | } | |
40 | ||
41 | postgresql::server::config_entry { "ssl": | |
42 | value => "on", | |
43 | require => Letsencrypt::Certonly[$web_host], | |
44 | } | |
45 | ||
46 | postgresql::server::config_entry { "ssl_cert_file": | |
47 | value => "/var/lib/postgres/data/certs/cert.pem", | |
48 | require => Letsencrypt::Certonly[$web_host], | |
49 | } | |
50 | ||
51 | postgresql::server::config_entry { "ssl_key_file": | |
52 | value => "/var/lib/postgres/data/certs/privkey.pem", | |
53 | require => Letsencrypt::Certonly[$web_host], | |
54 | } | |
55 | ||
56 | postgresql::server::db { $pg_db: | |
57 | user => $pg_user, | |
58 | password => postgresql_password($pg_user, $pg_password), | |
59 | } | |
60 | -> | |
61 | postgresql_psql { "CREATE PUBLICATION ${pg_db}_publication FOR ALL TABLES": | |
62 | db => $pg_db, | |
63 | unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${pg_db}_publication'", | |
64 | } | |
65 | -> | |
66 | postgresql::server::role { $pg_user_replication: | |
67 | db => $pg_db, | |
68 | replication => true, | |
69 | password_hash => postgresql_password($pg_user_replication, $pg_replication_password), | |
70 | } | |
71 | -> | |
72 | postgresql::server::database_grant { $pg_user_replication: | |
73 | db => $pg_db, | |
74 | privilege => "CONNECT", | |
75 | role => $pg_user_replication, | |
76 | } | |
77 | -> | |
78 | postgresql::server::grant { "all tables in schema:public:$pg_user_replication": | |
79 | db => $pg_db, | |
80 | role => $pg_user_replication, | |
81 | privilege => "SELECT", | |
82 | object_type => "ALL TABLES IN SCHEMA", | |
83 | object_name => "public", | |
84 | } | |
85 | -> | |
86 | postgresql::server::grant { "all sequences in schema:public:$pg_user_replication": | |
87 | db => $pg_db, | |
88 | role => $pg_user_replication, | |
89 | privilege => "SELECT", | |
90 | object_type => "ALL SEQUENCES IN SCHEMA", | |
91 | object_name => "public", | |
92 | } | |
93 | ||
94 | postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user': | |
95 | type => 'host', | |
96 | database => $pg_db, | |
97 | user => $pg_user, | |
98 | address => '127.0.0.1/32', | |
99 | auth_method => 'md5', | |
100 | order => "05-01", | |
101 | } | |
102 | postgresql::server::pg_hba_rule { 'allow localhost ip6 TCP access to cryptoportfolio user': | |
103 | type => 'host', | |
104 | database => $pg_db, | |
105 | user => $pg_user, | |
106 | address => '::1/128', | |
107 | auth_method => 'md5', | |
108 | order => "05-01", | |
109 | } | |
110 | ||
0958ccf3 IB |
111 | postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu for replication': |
112 | type => 'hostssl', | |
113 | database => 'replication', | |
114 | user => $pg_user_replication, | |
115 | address => 'immae.eu', | |
116 | auth_method => 'md5', | |
117 | order => "05-01", | |
118 | } | |
119 | ||
39e05b4e IB |
120 | postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu': |
121 | type => 'hostssl', | |
122 | database => $pg_db, | |
123 | user => $pg_user_replication, | |
124 | address => 'immae.eu', | |
125 | auth_method => 'md5', | |
0958ccf3 | 126 | order => "05-02", |
39e05b4e IB |
127 | } |
128 | ||
129 | } |