modules/role/manifests/cryptoportfolio/postgresql.pp

   1 class role::cryptoportfolio::postgresql inherits role::cryptoportfolio {
   2   $password_seed = lookup("base_installation::puppet_pass_seed")
   3
   4   $pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio")
   5   $pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication")
   6
   7   file { "/var/lib/postgres/data/certs":
   8     ensure  => directory,
   9     mode    => "0700",
  10     owner   => $::profile::postgresql::pg_user,
  11     group   => $::profile::postgresql::pg_user,
  12     require => File["/var/lib/postgres"],
  13   }
  14
  15   file { "/var/lib/postgres/data/certs/cert.pem":
  16     source  => "file:///etc/letsencrypt/live/$web_host/cert.pem",
  17     mode    => "0600",
  18     links   => "follow",
  19     owner   => $::profile::postgresql::pg_user,
  20     group   => $::profile::postgresql::pg_user,
  21     require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
  22   }
  23
  24   file { "/var/lib/postgres/data/certs/privkey.pem":
  25     source  => "file:///etc/letsencrypt/live/$web_host/privkey.pem",
  26     mode    => "0600",
  27     links   => "follow",
  28     owner   => $::profile::postgresql::pg_user,
  29     group   => $::profile::postgresql::pg_user,
  30     require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
  31   }
  32
  33   postgresql::server::config_entry { "wal_level":
  34     value   => "logical",
  35   }
  36
  37   postgresql::server::config_entry { "ssl":
  38     value   => "on",
  39     require => Letsencrypt::Certonly[$web_host],
  40   }
  41
  42   postgresql::server::config_entry { "ssl_cert_file":
  43     value   => "/var/lib/postgres/data/certs/cert.pem",
  44     require => Letsencrypt::Certonly[$web_host],
  45   }
  46
  47   postgresql::server::config_entry { "ssl_key_file":
  48     value   => "/var/lib/postgres/data/certs/privkey.pem",
  49     require => Letsencrypt::Certonly[$web_host],
  50   }
  51
  52   postgresql::server::db { $pg_db:
  53     user     =>  $pg_user,
  54     password =>  postgresql_password($pg_user, $pg_password),
  55   }
  56   ->
  57   postgresql_psql { "CREATE PUBLICATION ${pg_db}_publication FOR ALL TABLES":
  58     db     => $pg_db,
  59     unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${pg_db}_publication'",
  60   }
  61   ->
  62   postgresql::server::role { $pg_user_replication:
  63     db            => $pg_db,
  64     replication   => true,
  65     password_hash => postgresql_password($pg_user_replication, $pg_replication_password),
  66   }
  67   ->
  68   postgresql::server::database_grant { $pg_user_replication:
  69     db        => $pg_db,
  70     privilege => "CONNECT",
  71     role      => $pg_user_replication,
  72   }
  73   ->
  74   postgresql::server::grant { "all tables in schema:public:$pg_user_replication":
  75     db          => $pg_db,
  76     role        => $pg_user_replication,
  77     privilege   => "SELECT",
  78     object_type => "ALL TABLES IN SCHEMA",
  79     object_name => "public",
  80   }
  81   ->
  82   postgresql::server::grant { "all sequences in schema:public:$pg_user_replication":
  83     db          => $pg_db,
  84     role        => $pg_user_replication,
  85     privilege   => "SELECT",
  86     object_type => "ALL SEQUENCES IN SCHEMA",
  87     object_name => "public",
  88   }
  89
  90   postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user':
  91     type        => 'host',
  92     database    => $pg_db,
  93     user        => $pg_user,
  94     address     => '127.0.0.1/32',
  95     auth_method => 'md5',
  96     order       => "05-01",
  97   }
  98   postgresql::server::pg_hba_rule { 'allow localhost ip6 TCP access to cryptoportfolio user':
  99     type        => 'host',
 100     database    => $pg_db,
 101     user        => $pg_user,
 102     address     => '::1/128',
 103     auth_method => 'md5',
 104     order       => "05-01",
 105   }
 106
 107   postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu for replication':
 108     type        => 'hostssl',
 109     database    => 'replication',
 110     user        => $pg_user_replication,
 111     address     => 'immae.eu',
 112     auth_method => 'md5',
 113     order       => "05-01",
 114   }
 115
 116   postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu':
 117     type        => 'hostssl',
 118     database    => $pg_db,
 119     user        => $pg_user_replication,
 120     address     => 'immae.eu',
 121     auth_method => 'md5',
 122     order       => "05-02",
 123   }
 124
 125 }