class profile::postgresql { $password_seed = lookup("base_installation::puppet_pass_seed") |$key| { {} } class { '::postgresql::globals': encoding => 'UTF-8', locale => 'en_US.UTF-8', pg_hba_conf_defaults => false, } # FIXME: get it from the postgresql module? $pg_user = "postgres" class { '::postgresql::client': } # FIXME: postgresql module is buggy and doesn't create dir? file { "/var/lib/postgres": ensure => directory, owner => $pg_user, group => $pg_user, before => File["/var/lib/postgres/data"], require => Package["postgresql-server"], } class { '::postgresql::server': postgres_password => generate_password(24, $password_seed, "postgres") } postgresql::server::pg_hba_rule { 'local access as postgres user': description => 'Allow local access to postgres user', type => 'local', database => 'all', user => $pg_user, auth_method => 'ident', order => "a1", } postgresql::server::pg_hba_rule { 'localhost access as postgres user': description => 'Allow localhost access to postgres user', type => 'host', database => 'all', user => $pg_user, address => "127.0.0.1/32", auth_method => 'md5', order => "a2", } postgresql::server::pg_hba_rule { 'localhost ip6 access as postgres user': description => 'Allow localhost access to postgres user', type => 'host', database => 'all', user => $pg_user, address => "::1/128", auth_method => 'md5', order => "a3", } postgresql::server::pg_hba_rule { 'deny access to postgresql user': description => 'Deny remote access to postgres user', type => 'host', database => 'all', user => $pg_user, address => "0.0.0.0/0", auth_method => 'reject', order => "a4", } postgresql::server::pg_hba_rule { 'local access': description => 'Allow local access with password', type => 'local', database => 'all', user => 'all', auth_method => 'md5', order => "b1", } postgresql::server::pg_hba_rule { 'local access with same name': description => 'Allow local access with same name', type => 'local', database => 'all', user => 'all', auth_method => 'ident', order => "b2", } }