1 class role::backup::postgresql inherits role::backup {
2 # This manifest is supposed to be part of the backup server
4 $password_seed = lookup("base_installation::puppet_pass_seed")
6 $user = lookup("role::backup::user")
7 $group = lookup("role::backup::group")
11 $ldap_cn = lookup("base_installation::ldap_cn")
12 $ldap_password = generate_password(24, $password_seed, "ldap")
13 $ldap_server = lookup("base_installation::ldap_server")
14 $ldap_base = lookup("base_installation::ldap_base")
15 $ldap_dn = lookup("base_installation::ldap_dn")
16 $ldap_attribute = "uid"
18 $pg_slot = regsubst($ldap_cn, '-', "_", "G")
20 ensure_packages(["postgresql", "pgbouncer", "pam_ldap"])
22 $pg_backup_hosts = lookup("role::backup::postgresql::backup_hosts", { "default_value" => {} })
23 $ldap_filter = lookup("role::backup::postgresql::pgbouncer_access_filter", { "default_value" => undef })
25 unless empty($pg_backup_hosts) {
26 file { "/etc/systemd/system/postgresql_backup@.service":
30 content => template("role/backup/postgresql_backup@.service.erb"),
33 unless empty($ldap_filter) {
34 concat { "/etc/pgbouncer/pgbouncer.ini":
38 ensure_newline => true,
39 notify => Service["pgbouncer"],
42 concat::fragment { "pgbouncer_head":
43 target => "/etc/pgbouncer/pgbouncer.ini",
45 content => template("role/backup/pgbouncer.ini.erb"),
48 file { "/etc/systemd/system/pgbouncer.service.d":
49 ensure => "directory",
55 file { "/etc/systemd/system/pgbouncer.service.d/override.conf":
60 content => "[Service]\nUser=\nUser=$pg_user\n",
61 notify => Service["pgbouncer"],
64 service { "pgbouncer":
69 File["/etc/systemd/system/pgbouncer.service.d/override.conf"],
70 Concat["/etc/pgbouncer/pgbouncer.ini"]
74 file { "/etc/pam_ldap.d":
80 file { "/etc/pam_ldap.d/pgbouncer.conf":
85 content => template("role/backup/pam_ldap_pgbouncer.conf.erb"),
87 file { "/etc/pam.d/pgbouncer":
92 source => "puppet:///modules/role/backup/pam_pgbouncer"
97 $pg_backup_hosts.each |$pg_backup_host, $pg_infos| {
98 $pg_path = "$mountpoint/$pg_backup_host/postgresql"
99 $pg_backup_path = "$mountpoint/$pg_backup_host/postgresql_backup"
100 $pg_host = "$pg_backup_host"
101 $pg_port = $pg_infos["dbport"]
103 if !empty($ldap_filter) and ($pg_infos["pgbouncer"]) {
104 concat::fragment { "pgbouncer_$pg_backup_host":
105 target => "/etc/pgbouncer/pgbouncer.ini",
107 content => "${pg_infos[pgbouncer_dbname]} = host=$mountpoint/$pg_backup_host/postgresql user=${pg_infos[dbuser]} dbname=${pg_infos[dbname]}",
110 postgresql::server::pg_hba_rule { "$pg_backup_host - local access as ${pg_infos[dbuser]} user":
111 description => "Allow local access to ${pg_infos[dbuser]} user",
113 database => $pg_infos["dbname"],
114 user => $pg_infos["dbuser"],
115 auth_method => 'trust',
117 target => "$pg_path/pg_hba.conf",
118 postgresql_version => "10",
122 file { "$mountpoint/$pg_backup_host":
133 require => File["$mountpoint/$pg_backup_host"],
136 file { $pg_backup_path:
141 require => File["$mountpoint/$pg_backup_host"],
144 cron::job::multiple { "backup_psql_$pg_host":
146 require => [File[$pg_backup_path], File[$pg_path]],
149 command => "/usr/bin/pg_dumpall -h $pg_path -f $pg_backup_path/\$(date -Iseconds).sql",
151 hour => "22,4,10,16",
153 description => "Backup the database",
156 command => "/usr/bin/rm -f $(ls -1 $pg_backup_path/*.sql | sort -r | sed -e '1,16d')",
160 description => "Cleanup the database backups",
165 exec { "pg_basebackup $pg_path":
168 creates => "$pg_path/PG_VERSION",
169 environment => ["PGPASSWORD=$ldap_password"],
170 command => "/usr/bin/pg_basebackup -w -h $pg_host -U $ldap_cn -D $pg_path -S $pg_slot",
172 Concat["$pg_path/pg_hba.conf"],
173 Concat["$pg_path/recovery.conf"],
174 File["$pg_path/postgresql.conf"],
178 concat { "$pg_path/pg_hba.conf":
184 postgresql::server::pg_hba_rule { "$pg_backup_host - local access as postgres user":
185 description => 'Allow local access to postgres user',
189 auth_method => 'ident',
191 target => "$pg_path/pg_hba.conf",
192 postgresql_version => "10",
194 postgresql::server::pg_hba_rule { "$pg_backup_host - localhost access as postgres user":
195 description => 'Allow localhost access to postgres user',
199 address => "127.0.0.1/32",
200 auth_method => 'md5',
202 target => "$pg_path/pg_hba.conf",
203 postgresql_version => "10",
205 postgresql::server::pg_hba_rule { "$pg_backup_host - localhost ip6 access as postgres user":
206 description => 'Allow localhost access to postgres user',
210 address => "::1/128",
211 auth_method => 'md5',
213 target => "$pg_path/pg_hba.conf",
214 postgresql_version => "10",
216 postgresql::server::pg_hba_rule { "$pg_backup_host - deny access to postgresql user":
217 description => 'Deny remote access to postgres user',
221 address => "0.0.0.0/0",
222 auth_method => 'reject',
224 target => "$pg_path/pg_hba.conf",
225 postgresql_version => "10",
228 postgresql::server::pg_hba_rule { "$pg_backup_host - local access":
229 description => 'Allow local access with password',
233 auth_method => 'md5',
235 target => "$pg_path/pg_hba.conf",
236 postgresql_version => "10",
239 postgresql::server::pg_hba_rule { "$pg_backup_host - local access with same name":
240 description => 'Allow local access with same name',
244 auth_method => 'ident',
246 target => "$pg_path/pg_hba.conf",
247 postgresql_version => "10",
250 $primary_conninfo = "host=$pg_host port=$pg_port user=$ldap_cn password=$ldap_password sslmode=require"
251 $primary_slot_name = regsubst($ldap_cn, '-', "_", "G")
254 concat { "$pg_path/recovery.conf":
260 concat::fragment { "$pg_path/recovery.conf":
261 target => "$pg_path/recovery.conf",
262 content => template('postgresql/recovery.conf.erb'),
265 file { "$pg_path/postgresql.conf":
269 content => template("role/backup/postgresql.conf.erb"),
272 service { "postgresql_backup@$pg_backup_host":
276 File["/etc/systemd/system/postgresql_backup@.service"],
277 Concat["$pg_path/pg_hba.conf"],
278 Concat["$pg_path/recovery.conf"],
279 File["$pg_path/postgresql.conf"],