1 class role::backup::postgresql inherits role::backup {
2 # This manifest is supposed to be part of the backup server
4 $password_seed = lookup("base_installation::puppet_pass_seed")
6 $user = lookup("role::backup::user")
7 $group = lookup("role::backup::group")
11 $ldap_cn = lookup("base_installation::ldap_cn")
12 $ldap_password = generate_password(24, $password_seed, "ldap")
13 $ldap_server = lookup("base_installation::ldap_server")
14 $ldap_base = lookup("base_installation::ldap_base")
15 $ldap_dn = lookup("base_installation::ldap_dn")
16 $pgbouncer_ldap_attribute = "uid"
18 $pg_slot = regsubst($ldap_cn, '-', "_", "G")
20 ensure_packages(["postgresql", "pgbouncer", "pam_ldap"])
22 $pg_backup_hosts = lookup("role::backup::postgresql::backup_hosts", { "default_value" => {} })
23 $ldap_filter = lookup("role::backup::postgresql::pgbouncer_access_filter", { "default_value" => undef })
25 unless empty($pg_backup_hosts) {
26 file { "/etc/systemd/system/postgresql_backup@.service":
30 content => template("role/backup/postgresql_backup@.service.erb"),
33 unless empty($ldap_filter) {
34 concat { "/etc/pgbouncer/pgbouncer.ini":
38 ensure_newline => true,
39 notify => Service["pgbouncer"],
42 concat::fragment { "pgbouncer_head":
43 target => "/etc/pgbouncer/pgbouncer.ini",
45 content => template("role/backup/pgbouncer.ini.erb"),
48 file { "/etc/systemd/system/pgbouncer.service.d":
49 ensure => "directory",
55 file { "/etc/systemd/system/pgbouncer.service.d/override.conf":
60 content => "[Service]\nUser=\nUser=$pg_user\n",
61 notify => Service["pgbouncer"],
64 service { "pgbouncer":
69 File["/etc/systemd/system/pgbouncer.service.d/override.conf"],
70 Concat["/etc/pgbouncer/pgbouncer.ini"]
74 file { "/etc/pam_ldap.d/pgbouncer.conf":
79 content => template("role/backup/pam_ldap_pgbouncer.conf.erb"),
80 require => File["/etc/pam_ldap.d"],
82 file { "/etc/pam.d/pgbouncer":
87 source => "puppet:///modules/role/backup/pam_pgbouncer"
92 $ldap_attribute = "cn"
94 file { "/etc/pam_ldap.d":
100 file { "/etc/pam_ldap.d/postgresql.conf":
105 content => template("profile/postgresql_master/pam_ldap_postgresql.conf.erb"),
107 file { "/etc/pam.d/postgresql":
112 source => "puppet:///modules/profile/postgresql_master/pam_postgresql"
115 $pg_backup_hosts.each |$backup_host_cn, $pg_infos| {
116 $host = find_host($facts["ldapvar"]["other"], $backup_host_cn)
118 $pg_backup_host = $backup_host_cn
119 } elsif has_key($host["vars"], "host") {
120 $pg_backup_host = $host["vars"]["host"][0]
122 $pg_backup_host = $host["vars"]["real_hostname"][0]
124 $pg_path = "$mountpoint/$pg_backup_host/postgresql"
125 $pg_backup_path = "$mountpoint/$pg_backup_host/postgresql_backup"
126 $pg_host = "$pg_backup_host"
127 $pg_port = $pg_infos["dbport"]
129 unless empty($host) {
130 $host["ipHostNumber"].each |$ip| {
131 $infos = split($ip, "/")
132 $ipaddress = $infos[0]
133 if (length($infos) == 1 and $ipaddress =~ /:/) {
135 } elsif (length($infos) == 1) {
141 postgresql::server::pg_hba_rule { "allow TCP access for initial replication from $ipaddress/$mask":
143 database => 'replication',
144 user => $backup_host_cn,
145 address => "$ipaddress/$mask",
146 auth_method => 'pam',
148 target => "$pg_path/pg_hba.conf",
149 postgresql_version => "10",
154 if !empty($ldap_filter) and ($pg_infos["pgbouncer"]) {
155 concat::fragment { "pgbouncer_$pg_backup_host":
156 target => "/etc/pgbouncer/pgbouncer.ini",
158 content => "${pg_infos[pgbouncer_dbname]} = host=$mountpoint/$pg_backup_host/postgresql user=${pg_infos[dbuser]} dbname=${pg_infos[dbname]}",
161 postgresql::server::pg_hba_rule { "$pg_backup_host - local access as ${pg_infos[dbuser]} user":
162 description => "Allow local access to ${pg_infos[dbuser]} user",
164 database => $pg_infos["dbname"],
165 user => $pg_infos["dbuser"],
166 auth_method => 'trust',
168 target => "$pg_path/pg_hba.conf",
169 postgresql_version => "10",
173 file { "$mountpoint/$pg_backup_host":
184 require => File["$mountpoint/$pg_backup_host"],
187 file { $pg_backup_path:
192 require => File["$mountpoint/$pg_backup_host"],
195 cron::job::multiple { "backup_psql_$pg_host":
197 require => [File[$pg_backup_path], File[$pg_path]],
200 command => "/usr/bin/pg_dumpall -h $pg_path -f $pg_backup_path/\$(date -Iseconds).sql",
202 hour => "22,4,10,16",
204 description => "Backup the database",
207 command => "/usr/bin/rm -f $(ls -1 $pg_backup_path/*.sql | grep -v 'T22:' | sort -r | sed -e '1,12d')",
211 description => "Cleanup the database backups",
214 command => "cd $pg_backup_path ; /usr/bin/rm -f $(ls -1 *T22*.sql | log2rotate --skip 7 --fuzz 7 --delete --format='%Y-%m-%dT%H:%M:%S+02:00.sql')",
218 description => "Cleanup the database backups exponentially",
223 exec { "pg_basebackup $pg_path":
226 creates => "$pg_path/PG_VERSION",
227 environment => ["PGPASSWORD=$ldap_password"],
228 command => "/usr/bin/pg_basebackup -w -h $pg_host -U $ldap_cn -D $pg_path -S $pg_slot",
230 Concat["$pg_path/pg_hba.conf"],
231 Concat["$pg_path/recovery.conf"],
232 File["$pg_path/postgresql.conf"],
236 concat { "$pg_path/pg_hba.conf":
242 postgresql::server::pg_hba_rule { "$pg_backup_host - local access as postgres user":
243 description => 'Allow local access to postgres user',
247 auth_method => 'ident',
249 target => "$pg_path/pg_hba.conf",
250 postgresql_version => "10",
252 postgresql::server::pg_hba_rule { "$pg_backup_host - localhost access as postgres user":
253 description => 'Allow localhost access to postgres user',
257 address => "127.0.0.1/32",
258 auth_method => 'md5',
260 target => "$pg_path/pg_hba.conf",
261 postgresql_version => "10",
263 postgresql::server::pg_hba_rule { "$pg_backup_host - localhost ip6 access as postgres user":
264 description => 'Allow localhost access to postgres user',
268 address => "::1/128",
269 auth_method => 'md5',
271 target => "$pg_path/pg_hba.conf",
272 postgresql_version => "10",
274 postgresql::server::pg_hba_rule { "$pg_backup_host - deny access to postgresql user":
275 description => 'Deny remote access to postgres user',
279 address => "0.0.0.0/0",
280 auth_method => 'reject',
282 target => "$pg_path/pg_hba.conf",
283 postgresql_version => "10",
286 postgresql::server::pg_hba_rule { "$pg_backup_host - local access":
287 description => 'Allow local access with password',
291 auth_method => 'md5',
293 target => "$pg_path/pg_hba.conf",
294 postgresql_version => "10",
297 postgresql::server::pg_hba_rule { "$pg_backup_host - local access with same name":
298 description => 'Allow local access with same name',
302 auth_method => 'ident',
304 target => "$pg_path/pg_hba.conf",
305 postgresql_version => "10",
308 $primary_conninfo = "host=$pg_host port=$pg_port user=$ldap_cn password=$ldap_password sslmode=require"
309 $primary_slot_name = regsubst($ldap_cn, '-', "_", "G")
312 concat { "$pg_path/recovery.conf":
318 concat::fragment { "$pg_path/recovery.conf":
319 target => "$pg_path/recovery.conf",
320 content => template('postgresql/recovery.conf.erb'),
323 file { "$pg_path/postgresql.conf":
327 content => template("role/backup/postgresql.conf.erb"),
330 service { "postgresql_backup@$pg_backup_host":
334 File["/etc/systemd/system/postgresql_backup@.service"],
335 Concat["$pg_path/pg_hba.conf"],
336 Concat["$pg_path/recovery.conf"],
337 File["$pg_path/postgresql.conf"],
340 Concat["$pg_path/pg_hba.conf"],
341 Concat["$pg_path/recovery.conf"],
342 File["$pg_path/postgresql.conf"],