modules/role/manifests/cryptoportfolio/postgresql_backup.pp

   1 class role::cryptoportfolio::postgresql_backup inherits role::backup {
   2   # This manifest is supposed to be part of the backup server
   3
   4   $password_seed = lookup("base_installation::puppet_pass_seed")
   5
   6   $user = lookup("role::backup::user")
   7   $group = lookup("role::backup::group")
   8   $pg_user = "postgres"
   9   $pg_group = "postgres"
  10
  11   $ldap_cn = lookup("base_installation::ldap_cn")
  12   $ldap_password = generate_password(24, $password_seed, "ldap")
  13   $pg_slot = regsubst($ldap_cn, '-', "_", "G")
  14
  15   ensure_packages(["postgresql"])
  16
  17   $pg_backup_hosts = ["cryptoportfolio-dev.immae.eu"]
  18
  19   $pg_backup_hosts.each |$pg_backup_host| {
  20     $pg_path = "$mountpoint/$pg_backup_host/postgresql"
  21     $pg_host = "$pg_backup_host"
  22     $pg_port = "5432"
  23
  24     file { "$mountpoint/$pg_backup_host":
  25       ensure => directory,
  26       owner  => $user,
  27       group  => $group,
  28     }
  29
  30     file { $pg_path:
  31       ensure  => directory,
  32       owner   => $pg_user,
  33       group   => $pg_group,
  34       mode    => "0700",
  35       require => File["$mountpoint/$pg_backup_host"],
  36     }
  37
  38     exec { "pg_basebackup $pg_path":
  39       cwd         => $pg_path,
  40       user        => $pg_user,
  41       creates     => "$pg_path/PG_VERSION",
  42       environment => ["PGPASSWORD=$ldap_password"],
  43       command     => "/usr/bin/pg_basebackup -w -h $pg_host -U $ldap_cn -D $pg_path -S $pg_slot",
  44       before      => [
  45         Concat["$pg_path/pg_hba.conf"],
  46         Concat["$pg_path/recovery.conf"],
  47         File["$pg_path/postgresql.conf"],
  48       ]
  49     }
  50
  51     concat { "$pg_path/pg_hba.conf":
  52       owner   => $pg_user,
  53       group   => $pg_group,
  54       mode    => '0640',
  55       warn    => true,
  56     }
  57     postgresql::server::pg_hba_rule { "$pg_backup_host - local access as postgres user":
  58       description => 'Allow local access to postgres user',
  59       type        => 'local',
  60       database    => 'all',
  61       user        => $pg_user,
  62       auth_method => 'ident',
  63       order       => "00-01",
  64       target      => "$pg_path/pg_hba.conf",
  65       postgresql_version => "10",
  66     }
  67     postgresql::server::pg_hba_rule { "$pg_backup_host - localhost access as postgres user":
  68       description => 'Allow localhost access to postgres user',
  69       type        => 'host',
  70       database    => 'all',
  71       user        => $pg_user,
  72       address     => "127.0.0.1/32",
  73       auth_method => 'md5',
  74       order       => "00-02",
  75       target      => "$pg_path/pg_hba.conf",
  76       postgresql_version => "10",
  77     }
  78     postgresql::server::pg_hba_rule { "$pg_backup_host - localhost ip6 access as postgres user":
  79       description => 'Allow localhost access to postgres user',
  80       type        => 'host',
  81       database    => 'all',
  82       user        => $pg_user,
  83       address     => "::1/128",
  84       auth_method => 'md5',
  85       order       => "00-03",
  86       target      => "$pg_path/pg_hba.conf",
  87       postgresql_version => "10",
  88     }
  89     postgresql::server::pg_hba_rule { "$pg_backup_host - deny access to postgresql user":
  90       description => 'Deny remote access to postgres user',
  91       type        => 'host',
  92       database    => 'all',
  93       user        => $pg_user,
  94       address     => "0.0.0.0/0",
  95       auth_method => 'reject',
  96       order       => "00-04",
  97       target      => "$pg_path/pg_hba.conf",
  98       postgresql_version => "10",
  99     }
 100
 101     postgresql::server::pg_hba_rule { "$pg_backup_host - local access":
 102       description => 'Allow local access with password',
 103       type        => 'local',
 104       database    => 'all',
 105       user        => 'all',
 106       auth_method => 'md5',
 107       order       => "10-01",
 108       target      => "$pg_path/pg_hba.conf",
 109       postgresql_version => "10",
 110     }
 111
 112     postgresql::server::pg_hba_rule { "$pg_backup_host - local access with same name":
 113       description => 'Allow local access with same name',
 114       type        => 'local',
 115       database    => 'all',
 116       user        => 'all',
 117       auth_method => 'ident',
 118       order       => "10-02",
 119       target      => "$pg_path/pg_hba.conf",
 120       postgresql_version => "10",
 121     }
 122
 123     concat { "$pg_path/recovery.conf":
 124       owner  => $pg_user,
 125       group  => $pg_group,
 126       mode   => '0640',
 127       warn   => true,
 128     }
 129     postgresql::server::recovery { "$pg_backup_host recovery":
 130       primary_conninfo  => "host=$pg_host port=$pg_port user=$ldap_cn password=$ldap_password sslmode=require",
 131       primary_slot_name => regsubst($ldap_cn, '-', "_", "G"),
 132       standby_mode      => "on",
 133       target            => "$pg_path/recovery.conf",
 134     }
 135
 136     file { "$pg_path/postgresql.conf":
 137       owner   => $pg_user,
 138       group   => $pg_group,
 139       mode    => '0640',
 140       content => template("role/cryptoportfolio/postgresql_backup.conf.erb"),
 141     }
 142
 143     service { "postgresql_backup@$pg_backup_host":
 144       enable  => true,
 145       ensure  => "running",
 146       require => [
 147         File["/etc/systemd/system/postgresql_backup@.service"],
 148         Concat["$pg_path/pg_hba.conf"],
 149         Concat["$pg_path/recovery.conf"],
 150         File["$pg_path/postgresql.conf"],
 151       ]
 152     }
 153   }
 154
 155   file { "/etc/systemd/system/postgresql_backup@.service":
 156     mode    => "0644",
 157     owner   => "root",
 158     group   => "root",
 159     content => template("role/cryptoportfolio/postgresql_backup@.service.erb"),
 160   }
 161 }