modules/role/manifests/backup/postgresql.pp

   1 class role::backup::postgresql inherits role::backup {
   2   # This manifest is supposed to be part of the backup server
   3
   4   $password_seed = lookup("base_installation::puppet_pass_seed")
   5
   6   $user = lookup("role::backup::user")
   7   $group = lookup("role::backup::group")
   8   $pg_user = "postgres"
   9   $pg_group = "postgres"
  10
  11   $ldap_cn = lookup("base_installation::ldap_cn")
  12   $ldap_password = generate_password(24, $password_seed, "ldap")
  13   $ldap_server = lookup("base_installation::ldap_server")
  14   $ldap_base   = lookup("base_installation::ldap_base")
  15   $ldap_dn     = lookup("base_installation::ldap_dn")
  16   $pgbouncer_ldap_attribute = "uid"
  17
  18   $pg_slot = regsubst($ldap_cn, '-', "_", "G")
  19
  20   ensure_packages(["postgresql", "pgbouncer", "pam_ldap"])
  21
  22   $pg_backup_hosts = lookup("role::backup::postgresql::backup_hosts", { "default_value" => {} })
  23   $ldap_filter = lookup("role::backup::postgresql::pgbouncer_access_filter", { "default_value" => undef })
  24
  25   unless empty($pg_backup_hosts) {
  26     file { "/etc/systemd/system/postgresql_backup@.service":
  27       mode    => "0644",
  28       owner   => "root",
  29       group   => "root",
  30       content => template("role/backup/postgresql_backup@.service.erb"),
  31     }
  32
  33     unless empty($ldap_filter) {
  34       concat { "/etc/pgbouncer/pgbouncer.ini":
  35         mode           => "0644",
  36         owner          => "root",
  37         group          => "root",
  38         ensure_newline => true,
  39         notify         => Service["pgbouncer"],
  40       }
  41
  42       concat::fragment { "pgbouncer_head":
  43         target  => "/etc/pgbouncer/pgbouncer.ini",
  44         order   => "01",
  45         content => template("role/backup/pgbouncer.ini.erb"),
  46       }
  47
  48       file { "/etc/systemd/system/pgbouncer.service.d":
  49         ensure => "directory",
  50         mode   => "0644",
  51         owner  => "root",
  52         group  => "root",
  53       }
  54
  55       file { "/etc/systemd/system/pgbouncer.service.d/override.conf":
  56         ensure  => "present",
  57         mode    => "0644",
  58         owner   => "root",
  59         group   => "root",
  60         content => "[Service]\nUser=\nUser=$pg_user\n",
  61         notify  => Service["pgbouncer"],
  62       }
  63
  64       service { "pgbouncer":
  65         ensure  => "running",
  66         enable  => true,
  67         require => [
  68           Package["pgbouncer"],
  69           File["/etc/systemd/system/pgbouncer.service.d/override.conf"],
  70           Concat["/etc/pgbouncer/pgbouncer.ini"]
  71         ],
  72       }
  73
  74       file { "/etc/pam_ldap.d/pgbouncer.conf":
  75         ensure  => "present",
  76         mode    => "0600",
  77         owner   => $pg_user,
  78         group   => "root",
  79         content => template("role/backup/pam_ldap_pgbouncer.conf.erb"),
  80         require => File["/etc/pam_ldap.d"],
  81       } ->
  82       file { "/etc/pam.d/pgbouncer":
  83         ensure => "present",
  84         mode   => "0644",
  85         owner  => "root",
  86         group  => "root",
  87         source => "puppet:///modules/role/backup/pam_pgbouncer"
  88       }
  89     }
  90   }
  91
  92   $ldap_attribute = "cn"
  93
  94   file { "/etc/pam_ldap.d":
  95     ensure => directory,
  96     mode   => "0755",
  97     owner  => "root",
  98     group  => "root",
  99   } ->
 100   file { "/etc/pam_ldap.d/postgresql.conf":
 101     ensure  => "present",
 102     mode    => "0600",
 103     owner   => $pg_user,
 104     group   => "root",
 105     content => template("profile/postgresql_master/pam_ldap_postgresql.conf.erb"),
 106   } ->
 107   file { "/etc/pam.d/postgresql":
 108     ensure => "present",
 109     mode   => "0644",
 110     owner  => "root",
 111     group  => "root",
 112     source => "puppet:///modules/profile/postgresql_master/pam_postgresql"
 113   }
 114
 115   $pg_backup_hosts.each |$backup_host_cn, $pg_infos| {
 116     $host = find_host($facts["ldapvar"]["other"], $backup_host_cn)
 117     if empty($host) {
 118       $pg_backup_host = $backup_host_cn
 119     } elsif has_key($host["vars"], "host") {
 120       $pg_backup_host = $host["vars"]["host"][0]
 121     } else {
 122       $pg_backup_host = $host["vars"]["real_hostname"][0]
 123     }
 124     $pg_path = "$mountpoint/$pg_backup_host/postgresql"
 125     $pg_backup_path = "$mountpoint/$pg_backup_host/postgresql_backup"
 126     $pg_host = "$pg_backup_host"
 127     $pg_port = $pg_infos["dbport"]
 128
 129     unless empty($host) {
 130       $host["ipHostNumber"].each |$ip| {
 131         $infos = split($ip, "/")
 132         $ipaddress = $infos[0]
 133         if (length($infos) == 1 and $ipaddress =~ /:/) {
 134           $mask = "128"
 135         } elsif (length($infos) == 1) {
 136           $mask = "32"
 137         } else {
 138           $mask = $infos[1]
 139         }
 140
 141         postgresql::server::pg_hba_rule { "allow TCP access for initial replication from $ipaddress/$mask":
 142           type        => 'hostssl',
 143           database    => 'replication',
 144           user        => $backup_host_cn,
 145           address     => "$ipaddress/$mask",
 146           auth_method => 'pam',
 147           order       => "06-01",
 148           target      => "$pg_path/pg_hba.conf",
 149           postgresql_version => "10",
 150         }
 151       }
 152     }
 153
 154     if !empty($ldap_filter) and ($pg_infos["pgbouncer"]) {
 155       concat::fragment { "pgbouncer_$pg_backup_host":
 156         target  => "/etc/pgbouncer/pgbouncer.ini",
 157         order   => 02,
 158         content => "${pg_infos[pgbouncer_dbname]} = host=$mountpoint/$pg_backup_host/postgresql user=${pg_infos[dbuser]} dbname=${pg_infos[dbname]}",
 159       }
 160
 161       postgresql::server::pg_hba_rule { "$pg_backup_host - local access as ${pg_infos[dbuser]} user":
 162         description => "Allow local access to ${pg_infos[dbuser]} user",
 163         type        => 'local',
 164         database    => $pg_infos["dbname"],
 165         user        => $pg_infos["dbuser"],
 166         auth_method => 'trust',
 167         order       => "01-00",
 168         target      => "$pg_path/pg_hba.conf",
 169         postgresql_version => "10",
 170       }
 171     }
 172
 173     file { "$mountpoint/$pg_backup_host":
 174       ensure => directory,
 175       owner  => $user,
 176       group  => $group,
 177     }
 178
 179     file { $pg_path:
 180       ensure  => directory,
 181       owner   => $pg_user,
 182       group   => $pg_group,
 183       mode    => "0700",
 184       require => File["$mountpoint/$pg_backup_host"],
 185     }
 186
 187     file { $pg_backup_path:
 188       ensure  => directory,
 189       owner   => $pg_user,
 190       group   => $pg_group,
 191       mode    => "0700",
 192       require => File["$mountpoint/$pg_backup_host"],
 193     }
 194
 195     cron::job::multiple { "backup_psql_$pg_host":
 196       ensure  => "present",
 197       require => [File[$pg_backup_path], File[$pg_path]],
 198       jobs    => [
 199         {
 200           command     => "/usr/bin/pg_dumpall -h $pg_path -f $pg_backup_path/\$(date -Iseconds).sql",
 201           user        => $pg_user,
 202           hour        => "22,4,10,16",
 203           minute      => 0,
 204           description => "Backup the database",
 205         },
 206         {
 207           command     => "/usr/bin/rm -f $(ls -1 $pg_backup_path/*.sql | grep -v 'T22:' | sort -r | sed -e '1,12d')",
 208           user        => $pg_user,
 209           hour        => 3,
 210           minute      => 0,
 211           description => "Cleanup the database backups",
 212         },
 213         {
 214           command     => "cd $pg_backup_path ; /usr/bin/rm -f $(ls -1 *T22*.sql | log2rotate --skip 7 --fuzz 7 --delete --format='%Y-%m-%dT%H:%M:%S+02:00.sql')",
 215           user        => $pg_user,
 216           hour        => 3,
 217           minute      => 1,
 218           description => "Cleanup the database backups exponentially",
 219         },
 220       ]
 221     }
 222
 223     exec { "pg_basebackup $pg_path":
 224       cwd         => $pg_path,
 225       user        => $pg_user,
 226       creates     => "$pg_path/PG_VERSION",
 227       environment => ["PGPASSWORD=$ldap_password"],
 228       command     => "/usr/bin/pg_basebackup -w -h $pg_host -U $ldap_cn -D $pg_path -S $pg_slot",
 229       before      => [
 230         Concat["$pg_path/pg_hba.conf"],
 231         Concat["$pg_path/recovery.conf"],
 232         File["$pg_path/postgresql.conf"],
 233       ]
 234     }
 235
 236     concat { "$pg_path/pg_hba.conf":
 237       owner   => $pg_user,
 238       group   => $pg_group,
 239       mode    => '0640',
 240       warn    => true,
 241     }
 242     postgresql::server::pg_hba_rule { "$pg_backup_host - local access as postgres user":
 243       description => 'Allow local access to postgres user',
 244       type        => 'local',
 245       database    => 'all',
 246       user        => $pg_user,
 247       auth_method => 'ident',
 248       order       => "00-01",
 249       target      => "$pg_path/pg_hba.conf",
 250       postgresql_version => "10",
 251     }
 252     postgresql::server::pg_hba_rule { "$pg_backup_host - localhost access as postgres user":
 253       description => 'Allow localhost access to postgres user',
 254       type        => 'host',
 255       database    => 'all',
 256       user        => $pg_user,
 257       address     => "127.0.0.1/32",
 258       auth_method => 'md5',
 259       order       => "00-02",
 260       target      => "$pg_path/pg_hba.conf",
 261       postgresql_version => "10",
 262     }
 263     postgresql::server::pg_hba_rule { "$pg_backup_host - localhost ip6 access as postgres user":
 264       description => 'Allow localhost access to postgres user',
 265       type        => 'host',
 266       database    => 'all',
 267       user        => $pg_user,
 268       address     => "::1/128",
 269       auth_method => 'md5',
 270       order       => "00-03",
 271       target      => "$pg_path/pg_hba.conf",
 272       postgresql_version => "10",
 273     }
 274     postgresql::server::pg_hba_rule { "$pg_backup_host - deny access to postgresql user":
 275       description => 'Deny remote access to postgres user',
 276       type        => 'host',
 277       database    => 'all',
 278       user        => $pg_user,
 279       address     => "0.0.0.0/0",
 280       auth_method => 'reject',
 281       order       => "00-04",
 282       target      => "$pg_path/pg_hba.conf",
 283       postgresql_version => "10",
 284     }
 285
 286     postgresql::server::pg_hba_rule { "$pg_backup_host - local access":
 287       description => 'Allow local access with password',
 288       type        => 'local',
 289       database    => 'all',
 290       user        => 'all',
 291       auth_method => 'md5',
 292       order       => "10-01",
 293       target      => "$pg_path/pg_hba.conf",
 294       postgresql_version => "10",
 295     }
 296
 297     postgresql::server::pg_hba_rule { "$pg_backup_host - local access with same name":
 298       description => 'Allow local access with same name',
 299       type        => 'local',
 300       database    => 'all',
 301       user        => 'all',
 302       auth_method => 'ident',
 303       order       => "10-02",
 304       target      => "$pg_path/pg_hba.conf",
 305       postgresql_version => "10",
 306     }
 307
 308     $primary_conninfo  = "host=$pg_host port=$pg_port user=$ldap_cn password=$ldap_password sslmode=require"
 309     $primary_slot_name = regsubst($ldap_cn, '-', "_", "G")
 310     $standby_mode      = "on"
 311
 312     concat { "$pg_path/recovery.conf":
 313       owner  => $pg_user,
 314       group  => $pg_group,
 315       mode   => '0640',
 316       warn   => true,
 317     }
 318     concat::fragment { "$pg_path/recovery.conf":
 319       target  => "$pg_path/recovery.conf",
 320       content => template('postgresql/recovery.conf.erb'),
 321     }
 322
 323     file { "$pg_path/postgresql.conf":
 324       owner   => $pg_user,
 325       group   => $pg_group,
 326       mode    => '0640',
 327       content => template("role/backup/postgresql.conf.erb"),
 328     }
 329
 330     service { "postgresql_backup@$pg_backup_host":
 331       enable  => true,
 332       ensure  => "running",
 333       require => [
 334         File["/etc/systemd/system/postgresql_backup@.service"],
 335         Concat["$pg_path/pg_hba.conf"],
 336         Concat["$pg_path/recovery.conf"],
 337         File["$pg_path/postgresql.conf"],
 338       ],
 339       subscribe => [
 340         Concat["$pg_path/pg_hba.conf"],
 341         Concat["$pg_path/recovery.conf"],
 342         File["$pg_path/postgresql.conf"],
 343       ]
 344     }
 345   }
 346
 347 }