class role::cryptoportfolio::postgresql inherits role::cryptoportfolio { $password_seed = lookup("base_installation::puppet_pass_seed") $pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio") $pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication") file { "/var/lib/postgres/data/certs": ensure => directory, mode => "0700", owner => $::profile::postgresql::pg_user, group => $::profile::postgresql::pg_user, require => File["/var/lib/postgres"], } file { "/var/lib/postgres/data/certs/cert.pem": source => "file:///etc/letsencrypt/live/$web_host/cert.pem", mode => "0600", links => "follow", owner => $::profile::postgresql::pg_user, group => $::profile::postgresql::pg_user, require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]] } file { "/var/lib/postgres/data/certs/privkey.pem": source => "file:///etc/letsencrypt/live/$web_host/privkey.pem", mode => "0600", links => "follow", owner => $::profile::postgresql::pg_user, group => $::profile::postgresql::pg_user, require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]] } postgresql_replication_slot { $pg_user_replication: ensure => present } postgresql::server::config_entry { "wal_level": value => "logical", } postgresql::server::config_entry { "ssl": value => "on", require => Letsencrypt::Certonly[$web_host], } postgresql::server::config_entry { "ssl_cert_file": value => "/var/lib/postgres/data/certs/cert.pem", require => Letsencrypt::Certonly[$web_host], } postgresql::server::config_entry { "ssl_key_file": value => "/var/lib/postgres/data/certs/privkey.pem", require => Letsencrypt::Certonly[$web_host], } postgresql::server::db { $pg_db: user => $pg_user, password => postgresql_password($pg_user, $pg_password), } -> postgresql_psql { "CREATE PUBLICATION ${pg_db}_publication FOR ALL TABLES": db => $pg_db, unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${pg_db}_publication'", } -> postgresql::server::role { $pg_user_replication: db => $pg_db, replication => true, password_hash => postgresql_password($pg_user_replication, $pg_replication_password), } -> postgresql::server::database_grant { $pg_user_replication: db => $pg_db, privilege => "CONNECT", role => $pg_user_replication, } -> postgresql::server::grant { "all tables in schema:public:$pg_user_replication": db => $pg_db, role => $pg_user_replication, privilege => "SELECT", object_type => "ALL TABLES IN SCHEMA", object_name => "public", } -> postgresql::server::grant { "all sequences in schema:public:$pg_user_replication": db => $pg_db, role => $pg_user_replication, privilege => "SELECT", object_type => "ALL SEQUENCES IN SCHEMA", object_name => "public", } postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user': type => 'host', database => $pg_db, user => $pg_user, address => '127.0.0.1/32', auth_method => 'md5', order => "05-01", } postgresql::server::pg_hba_rule { 'allow localhost ip6 TCP access to cryptoportfolio user': type => 'host', database => $pg_db, user => $pg_user, address => '::1/128', auth_method => 'md5', order => "05-01", } postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu for replication': type => 'hostssl', database => 'replication', user => $pg_user_replication, address => 'immae.eu', auth_method => 'md5', order => "05-01", } postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu': type => 'hostssl', database => $pg_db, user => $pg_user_replication, address => 'immae.eu', auth_method => 'md5', order => "05-02", } $backup_host = "backup-1" unless empty($backup_host) { ensure_packages(["pam_ldap"]) $facts["ldapvar"]["other"].each |$host| { if ($host["cn"][0] == $backup_host) { $host["ipHostNumber"].each |$ip| { $infos = split($ip, "/") $ipaddress = $infos[0] if (length($infos) == 1 and $ipaddress =~ /:/) { $mask = "128" } elsif (length($infos) == 1) { $mask = "32" } else { $mask = $infos[1] } postgresql::server::pg_hba_rule { "allow TCP access to replication user from backup for replication from $ipaddress/$mask": type => 'hostssl', database => 'replication', user => 'all', address => "$ipaddress/$mask", auth_method => 'pam', order => "06-01", } } postgresql::server::role { $backup_host: replication => true, } postgresql_replication_slot { regsubst($backup_host, '-', "_", "G"): ensure => present } } } $ldap_server = lookup("base_installation::ldap_server") $ldap_base = lookup("base_installation::ldap_base") $ldap_dn = lookup("base_installation::ldap_dn") $ldap_password = generate_password(24, $password_seed, "ldap") $ldap_attribute = "cn" file { "/etc/pam_ldap.d": ensure => directory, mode => "0755", owner => "root", group => "root", } -> file { "/etc/pam_ldap.d/postgresql.conf": ensure => "present", mode => "0644", owner => "root", group => "root", content => template("role/cryptoportfolio/pam_ldap_postgresql.conf.erb"), } -> file { "/etc/pam.d/postgresql": ensure => "present", mode => "0644", owner => "root", group => "root", source => "puppet:///modules/role/cryptoportfolio/pam_postgresql" } } }