[perso/Immae/Projets/Puppet.git] / modules / role / manifests / cryptoportfolio / postgresql.pp

class role::cryptoportfolio::postgresql inherits role::cryptoportfolio {
  $password_seed = lookup("base_installation::puppet_pass_seed")

  $pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio")
  $pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication")

  file { "/var/lib/postgres/data/certs":
    ensure  => directory,
    mode    => "0700",
    owner   => $::profile::postgresql::pg_user,
    group   => $::profile::postgresql::pg_user,
    require => File["/var/lib/postgres"],
  }

  file { "/var/lib/postgres/data/certs/cert.pem":
    source  => "file:///etc/letsencrypt/live/$web_host/cert.pem",
    mode    => "0600",
    links   => "follow",
    owner   => $::profile::postgresql::pg_user,
    group   => $::profile::postgresql::pg_user,
    require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
  }

  file { "/var/lib/postgres/data/certs/privkey.pem":
    source  => "file:///etc/letsencrypt/live/$web_host/privkey.pem",
    mode    => "0600",
    links   => "follow",
    owner   => $::profile::postgresql::pg_user,
    group   => $::profile::postgresql::pg_user,
    require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
  }

  postgresql::server::config_entry { "wal_level":
    value   => "logical",
  }

  postgresql::server::config_entry { "ssl":
    value   => "on",
    require => Letsencrypt::Certonly[$web_host],
  }

  postgresql::server::config_entry { "ssl_cert_file":
    value   => "/var/lib/postgres/data/certs/cert.pem",
    require => Letsencrypt::Certonly[$web_host],
  }

  postgresql::server::config_entry { "ssl_key_file":
    value   => "/var/lib/postgres/data/certs/privkey.pem",
    require => Letsencrypt::Certonly[$web_host],
  }

  postgresql::server::db { $pg_db:
    user     =>  $pg_user,
    password =>  postgresql_password($pg_user, $pg_password),
  }
  ->
  postgresql_psql { "CREATE PUBLICATION ${pg_db}_publication FOR ALL TABLES":
    db     => $pg_db,
    unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${pg_db}_publication'",
  }
  ->
  postgresql::server::role { $pg_user_replication:
    db            => $pg_db,
    replication   => true,
    password_hash => postgresql_password($pg_user_replication, $pg_replication_password),
  }
  ->
  postgresql::server::database_grant { $pg_user_replication:
    db        => $pg_db,
    privilege => "CONNECT",
    role      => $pg_user_replication,
  }
  ->
  postgresql::server::grant { "all tables in schema:public:$pg_user_replication":
    db          => $pg_db,
    role        => $pg_user_replication,
    privilege   => "SELECT",
    object_type => "ALL TABLES IN SCHEMA",
    object_name => "public",
  }
  ->
  postgresql::server::grant { "all sequences in schema:public:$pg_user_replication":
    db          => $pg_db,
    role        => $pg_user_replication,
    privilege   => "SELECT",
    object_type => "ALL SEQUENCES IN SCHEMA",
    object_name => "public",
  }

  postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user':
    type        => 'host',
    database    => $pg_db,
    user        => $pg_user,
    address     => '127.0.0.1/32',
    auth_method => 'md5',
    order       => "05-01",
  }
  postgresql::server::pg_hba_rule { 'allow localhost ip6 TCP access to cryptoportfolio user':
    type        => 'host',
    database    => $pg_db,
    user        => $pg_user,
    address     => '::1/128',
    auth_method => 'md5',
    order       => "05-01",
  }

  postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu':
    type        => 'hostssl',
    database    => $pg_db,
    user        => $pg_user_replication,
    address     => 'immae.eu',
    auth_method => 'md5',
    order       => "05-01",
  }

}
Commit	Line	Data
39e05b4e IB	1	class role::cryptoportfolio::postgresql inherits role::cryptoportfolio {
	2	$password_seed = lookup("base_installation::puppet_pass_seed")
	3
	4	$pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio")
	5	$pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication")
	6
	7	file { "/var/lib/postgres/data/certs":
	8	ensure => directory,
	9	mode => "0700",
	10	owner => $::profile::postgresql::pg_user,
	11	group => $::profile::postgresql::pg_user,
	12	require => File["/var/lib/postgres"],
	13	}
	14
	15	file { "/var/lib/postgres/data/certs/cert.pem":
	16	source => "file:///etc/letsencrypt/live/$web_host/cert.pem",
	17	mode => "0600",
	18	links => "follow",
	19	owner => $::profile::postgresql::pg_user,
	20	group => $::profile::postgresql::pg_user,
	21	require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
	22	}
	23
	24	file { "/var/lib/postgres/data/certs/privkey.pem":
	25	source => "file:///etc/letsencrypt/live/$web_host/privkey.pem",
	26	mode => "0600",
	27	links => "follow",
	28	owner => $::profile::postgresql::pg_user,
	29	group => $::profile::postgresql::pg_user,
	30	require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
	31	}
	32
	33	postgresql::server::config_entry { "wal_level":
	34	value => "logical",
	35	}
	36
	37	postgresql::server::config_entry { "ssl":
	38	value => "on",
	39	require => Letsencrypt::Certonly[$web_host],
	40	}
	41
	42	postgresql::server::config_entry { "ssl_cert_file":
	43	value => "/var/lib/postgres/data/certs/cert.pem",
	44	require => Letsencrypt::Certonly[$web_host],
	45	}
	46
	47	postgresql::server::config_entry { "ssl_key_file":
	48	value => "/var/lib/postgres/data/certs/privkey.pem",
	49	require => Letsencrypt::Certonly[$web_host],
	50	}
	51
	52	postgresql::server::db { $pg_db:
	53	user => $pg_user,
	54	password => postgresql_password($pg_user, $pg_password),
	55	}
	56	->
	57	postgresql_psql { "CREATE PUBLICATION ${pg_db}_publication FOR ALL TABLES":
	58	db => $pg_db,
	59	unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${pg_db}_publication'",
	60	}
	61	->
	62	postgresql::server::role { $pg_user_replication:
	63	db => $pg_db,
	64	replication => true,
65	password_hash => postgresql_password($pg_user_replication, $pg_replication_password),
66	}
67	->
68	postgresql::server::database_grant { $pg_user_replication:
69	db => $pg_db,
70	privilege => "CONNECT",
71	role => $pg_user_replication,
72	}
73	->
74	postgresql::server::grant { "all tables in schema:public:$pg_user_replication":
75	db => $pg_db,
76	role => $pg_user_replication,
77	privilege => "SELECT",
78	object_type => "ALL TABLES IN SCHEMA",
79	object_name => "public",
80	}
81	->
82	postgresql::server::grant { "all sequences in schema:public:$pg_user_replication":
83	db => $pg_db,
84	role => $pg_user_replication,
85	privilege => "SELECT",
86	object_type => "ALL SEQUENCES IN SCHEMA",
87	object_name => "public",
88	}
89
90	postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user':
91	type => 'host',
92	database => $pg_db,
93	user => $pg_user,
94	address => '127.0.0.1/32',
95	auth_method => 'md5',
96	order => "05-01",
97	}
98	postgresql::server::pg_hba_rule { 'allow localhost ip6 TCP access to cryptoportfolio user':
99	type => 'host',
100	database => $pg_db,
101	user => $pg_user,
102	address => '::1/128',
103	auth_method => 'md5',
104	order => "05-01",
105	}
106
107	postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu':
108	type => 'hostssl',
109	database => $pg_db,
110	user => $pg_user_replication,
111	address => 'immae.eu',
112	auth_method => 'md5',
113	order => "05-01",
114	}
115
116	}