]>
Commit | Line | Data |
---|---|---|
1 | class role::cryptoportfolio::postgresql inherits role::cryptoportfolio { | |
2 | $password_seed = lookup("base_installation::puppet_pass_seed") | |
3 | ||
4 | $pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio") | |
5 | $pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication") | |
6 | ||
7 | file { "/var/lib/postgres/data/certs": | |
8 | ensure => directory, | |
9 | mode => "0700", | |
10 | owner => $::profile::postgresql::pg_user, | |
11 | group => $::profile::postgresql::pg_user, | |
12 | require => File["/var/lib/postgres"], | |
13 | } | |
14 | ||
15 | file { "/var/lib/postgres/data/certs/cert.pem": | |
16 | source => "file:///etc/letsencrypt/live/$web_host/cert.pem", | |
17 | mode => "0600", | |
18 | links => "follow", | |
19 | owner => $::profile::postgresql::pg_user, | |
20 | group => $::profile::postgresql::pg_user, | |
21 | require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]] | |
22 | } | |
23 | ||
24 | file { "/var/lib/postgres/data/certs/privkey.pem": | |
25 | source => "file:///etc/letsencrypt/live/$web_host/privkey.pem", | |
26 | mode => "0600", | |
27 | links => "follow", | |
28 | owner => $::profile::postgresql::pg_user, | |
29 | group => $::profile::postgresql::pg_user, | |
30 | require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]] | |
31 | } | |
32 | ||
33 | postgresql_replication_slot { $pg_user_replication: | |
34 | ensure => present | |
35 | } | |
36 | ||
37 | postgresql::server::config_entry { "wal_level": | |
38 | value => "logical", | |
39 | } | |
40 | ||
41 | postgresql::server::config_entry { "ssl": | |
42 | value => "on", | |
43 | require => Letsencrypt::Certonly[$web_host], | |
44 | } | |
45 | ||
46 | postgresql::server::config_entry { "ssl_cert_file": | |
47 | value => "/var/lib/postgres/data/certs/cert.pem", | |
48 | require => Letsencrypt::Certonly[$web_host], | |
49 | } | |
50 | ||
51 | postgresql::server::config_entry { "ssl_key_file": | |
52 | value => "/var/lib/postgres/data/certs/privkey.pem", | |
53 | require => Letsencrypt::Certonly[$web_host], | |
54 | } | |
55 | ||
56 | postgresql::server::db { $pg_db: | |
57 | user => $pg_user, | |
58 | password => postgresql_password($pg_user, $pg_password), | |
59 | } | |
60 | -> | |
61 | postgresql_psql { "CREATE PUBLICATION ${pg_db}_publication FOR ALL TABLES": | |
62 | db => $pg_db, | |
63 | unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${pg_db}_publication'", | |
64 | } | |
65 | -> | |
66 | postgresql::server::role { $pg_user_replication: | |
67 | db => $pg_db, | |
68 | replication => true, | |
69 | password_hash => postgresql_password($pg_user_replication, $pg_replication_password), | |
70 | } | |
71 | -> | |
72 | postgresql::server::database_grant { $pg_user_replication: | |
73 | db => $pg_db, | |
74 | privilege => "CONNECT", | |
75 | role => $pg_user_replication, | |
76 | } | |
77 | -> | |
78 | postgresql::server::grant { "all tables in schema:public:$pg_user_replication": | |
79 | db => $pg_db, | |
80 | role => $pg_user_replication, | |
81 | privilege => "SELECT", | |
82 | object_type => "ALL TABLES IN SCHEMA", | |
83 | object_name => "public", | |
84 | } | |
85 | -> | |
86 | postgresql::server::grant { "all sequences in schema:public:$pg_user_replication": | |
87 | db => $pg_db, | |
88 | role => $pg_user_replication, | |
89 | privilege => "SELECT", | |
90 | object_type => "ALL SEQUENCES IN SCHEMA", | |
91 | object_name => "public", | |
92 | } | |
93 | ||
94 | postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user': | |
95 | type => 'host', | |
96 | database => $pg_db, | |
97 | user => $pg_user, | |
98 | address => '127.0.0.1/32', | |
99 | auth_method => 'md5', | |
100 | order => "05-01", | |
101 | } | |
102 | postgresql::server::pg_hba_rule { 'allow localhost ip6 TCP access to cryptoportfolio user': | |
103 | type => 'host', | |
104 | database => $pg_db, | |
105 | user => $pg_user, | |
106 | address => '::1/128', | |
107 | auth_method => 'md5', | |
108 | order => "05-01", | |
109 | } | |
110 | ||
111 | postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu for replication': | |
112 | type => 'hostssl', | |
113 | database => 'replication', | |
114 | user => $pg_user_replication, | |
115 | address => 'immae.eu', | |
116 | auth_method => 'md5', | |
117 | order => "05-01", | |
118 | } | |
119 | ||
120 | postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu': | |
121 | type => 'hostssl', | |
122 | database => $pg_db, | |
123 | user => $pg_user_replication, | |
124 | address => 'immae.eu', | |
125 | auth_method => 'md5', | |
126 | order => "05-02", | |
127 | } | |
128 | ||
129 | $backup_host = "backup-1" | |
130 | ||
131 | unless empty($backup_host) { | |
132 | ensure_packages(["pam_ldap"]) | |
133 | ||
134 | $facts["ldapvar"]["other"].each |$host| { | |
135 | if ($host["cn"][0] == $backup_host) { | |
136 | $host["ipHostNumber"].each |$ip| { | |
137 | $infos = split($ip, "/") | |
138 | $ipaddress = $infos[0] | |
139 | if (length($infos) == 1 and $ipaddress =~ /:/) { | |
140 | $mask = "128" | |
141 | } elsif (length($infos) == 1) { | |
142 | $mask = "32" | |
143 | } else { | |
144 | $mask = $infos[1] | |
145 | } | |
146 | ||
147 | postgresql::server::pg_hba_rule { "allow TCP access to replication user from backup for replication from $ipaddress/$mask": | |
148 | type => 'hostssl', | |
149 | database => 'replication', | |
150 | user => 'all', | |
151 | address => "$ipaddress/$mask", | |
152 | auth_method => 'pam', | |
153 | order => "06-01", | |
154 | } | |
155 | } | |
156 | ||
157 | postgresql::server::role { $backup_host: | |
158 | replication => true, | |
159 | } | |
160 | ||
161 | postgresql_replication_slot { regsubst($backup_host, '-', "_", "G"): | |
162 | ensure => present | |
163 | } | |
164 | } | |
165 | } | |
166 | ||
167 | $ldap_server = lookup("base_installation::ldap_server") | |
168 | $ldap_base = lookup("base_installation::ldap_base") | |
169 | $ldap_dn = lookup("base_installation::ldap_dn") | |
170 | $ldap_password = generate_password(24, $password_seed, "ldap") | |
171 | $ldap_attribute = "cn" | |
172 | ||
173 | file { "/etc/pam_ldap.d": | |
174 | ensure => directory, | |
175 | mode => "0755", | |
176 | owner => "root", | |
177 | group => "root", | |
178 | } -> | |
179 | file { "/etc/pam_ldap.d/postgresql.conf": | |
180 | ensure => "present", | |
181 | mode => "0644", | |
182 | owner => "root", | |
183 | group => "root", | |
184 | content => template("role/cryptoportfolio/pam_ldap_postgresql.conf.erb"), | |
185 | } -> | |
186 | file { "/etc/pam.d/postgresql": | |
187 | ensure => "present", | |
188 | mode => "0644", | |
189 | owner => "root", | |
190 | group => "root", | |
191 | source => "puppet:///modules/role/cryptoportfolio/pam_postgresql" | |
192 | } | |
193 | } | |
194 | ||
195 | } |