1 class role::cryptoportfolio::postgresql inherits role::cryptoportfolio {
2 $password_seed = lookup("base_installation::puppet_pass_seed")
4 $pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio")
5 $pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication")
7 file { "/var/lib/postgres/data/certs":
10 owner => $::profile::postgresql::pg_user,
11 group => $::profile::postgresql::pg_user,
12 require => File["/var/lib/postgres"],
15 file { "/var/lib/postgres/data/certs/cert.pem":
16 source => "file:///etc/letsencrypt/live/$web_host/cert.pem",
19 owner => $::profile::postgresql::pg_user,
20 group => $::profile::postgresql::pg_user,
21 require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
24 file { "/var/lib/postgres/data/certs/privkey.pem":
25 source => "file:///etc/letsencrypt/live/$web_host/privkey.pem",
28 owner => $::profile::postgresql::pg_user,
29 group => $::profile::postgresql::pg_user,
30 require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
33 postgresql_replication_slot { $pg_user_replication:
37 postgresql::server::config_entry { "wal_level":
41 postgresql::server::config_entry { "ssl":
43 require => Letsencrypt::Certonly[$web_host],
46 postgresql::server::config_entry { "ssl_cert_file":
47 value => "/var/lib/postgres/data/certs/cert.pem",
48 require => Letsencrypt::Certonly[$web_host],
51 postgresql::server::config_entry { "ssl_key_file":
52 value => "/var/lib/postgres/data/certs/privkey.pem",
53 require => Letsencrypt::Certonly[$web_host],
56 postgresql::server::db { $pg_db:
58 password => postgresql_password($pg_user, $pg_password),
61 postgresql_psql { "CREATE PUBLICATION ${pg_db}_publication FOR ALL TABLES":
63 unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${pg_db}_publication'",
66 postgresql::server::role { $pg_user_replication:
69 password_hash => postgresql_password($pg_user_replication, $pg_replication_password),
72 postgresql::server::database_grant { $pg_user_replication:
74 privilege => "CONNECT",
75 role => $pg_user_replication,
78 postgresql::server::grant { "all tables in schema:public:$pg_user_replication":
80 role => $pg_user_replication,
81 privilege => "SELECT",
82 object_type => "ALL TABLES IN SCHEMA",
83 object_name => "public",
86 postgresql::server::grant { "all sequences in schema:public:$pg_user_replication":
88 role => $pg_user_replication,
89 privilege => "SELECT",
90 object_type => "ALL SEQUENCES IN SCHEMA",
91 object_name => "public",
94 postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user':
98 address => '127.0.0.1/32',
102 postgresql::server::pg_hba_rule { 'allow localhost ip6 TCP access to cryptoportfolio user':
106 address => '::1/128',
107 auth_method => 'md5',
111 postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu for replication':
113 database => 'replication',
114 user => $pg_user_replication,
115 address => 'immae.eu',
116 auth_method => 'md5',
120 postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu':
123 user => $pg_user_replication,
124 address => 'immae.eu',
125 auth_method => 'md5',
129 $backup_host = "backup-1"
131 unless empty($backup_host) {
132 ensure_packages(["pam_ldap"])
134 $facts["ldapvar"]["other"].each |$host| {
135 if ($host["cn"][0] == $backup_host) {
136 $host["ipHostNumber"].each |$ip| {
137 $infos = split($ip, "/")
138 $ipaddress = $infos[0]
139 if (length($infos) == 1 and $ipaddress =~ /:/) {
141 } elsif (length($infos) == 1) {
147 postgresql::server::pg_hba_rule { "allow TCP access to replication user from backup for replication from $ipaddress/$mask":
149 database => 'replication',
151 address => "$ipaddress/$mask",
152 auth_method => 'pam',
157 postgresql::server::role { $backup_host:
161 postgresql_replication_slot { regsubst($backup_host, '-', "_", "G"):
167 $ldap_server = lookup("base_installation::ldap_server")
168 $ldap_base = lookup("base_installation::ldap_base")
169 $ldap_dn = lookup("base_installation::ldap_dn")
170 $ldap_password = generate_password(24, $password_seed, "ldap")
171 $ldap_attribute = "cn"
173 file { "/etc/pam_ldap.d":
179 file { "/etc/pam_ldap.d/postgresql.conf":
182 owner => $::profile::postgresql::pg_user,
184 content => template("role/cryptoportfolio/pam_ldap_postgresql.conf.erb"),
186 file { "/etc/pam.d/postgresql":
191 source => "puppet:///modules/role/cryptoportfolio/pam_postgresql"