Add pgbouncer for backup
index cc4d2a932aa9c669e5247368bb87e2c0e51bdfe9..776b30f5776bd2c5871ffe8f73b437c8235c1256 100644 (file)
@@ -30,6 +30,10 @@ class role::cryptoportfolio::postgresql inherits role::cryptoportfolio {
     require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
   }
 
+  postgresql_replication_slot { $pg_user_replication:
+    ensure => present
+  }
+
   postgresql::server::config_entry { "wal_level":
     value   => "logical",
   }
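Review bot: The new `postgresql_replication_slot` title is `$pg_user_replication` used verbatim, while the second hunk normalises the backup host's slot name with `regsubst($backup_host, '-', "_", "G")`; PostgreSQL slot names accept only lowercase letters, digits and underscores, so if the replication user name ever contains a hyphen this resource will fail to apply. For consistency with the other hunk, `postgresql_replication_slot { regsubst($pg_user_replication, '-', "_", "G"):` avoids that. A slot that is created but never consumed also makes the server retain WAL indefinitely, so a comment such as `# slot is consumed by the replica identified by $pg_user_replication; drop it if that replica is decommissioned` next to the resource would help the next maintainer. The enclosing class body begins before this hunk.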
@@ -104,13 +108,88 @@ class role::cryptoportfolio::postgresql inherits role::cryptoportfolio {
     order       => "05-01",
   }
 
+  postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu for replication':
+    type        => 'hostssl',
+    database    => 'replication',
+    user        => $pg_user_replication,
+    address     => 'immae.eu',
+    auth_method => 'md5',
+    order       => "05-01",
+  }
+
   postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu':
     type        => 'hostssl',
     database    => $pg_db,
     user        => $pg_user_replication,
     address     => 'immae.eu',
     auth_method => 'md5',
-    order       => "05-01",
+    order       => "05-02",
+  }
+
+  $backup_host = "backup-1"
+
+  unless empty($backup_host) {
+    ensure_packages(["pam_ldap"])
+
+    $facts["ldapvar"]["other"].each |$host| {
+      if ($host["cn"][0] == $backup_host) {
+        $host["ipHostNumber"].each |$ip| {
+          $infos = split($ip, "/")
+          $ipaddress = $infos[0]
+          if (length($infos) == 1 and $ipaddress =~ /:/) {
+            $mask = "128"
+          } elsif (length($infos) == 1) {
+            $mask = "32"
+          } else {
+            $mask = $infos[1]
+          }
+
+          postgresql::server::pg_hba_rule { "allow TCP access to replication user from backup for replication from $ipaddress/$mask":
+            type        => 'hostssl',
+            database    => 'replication',
+            user        => 'all',
+            address     => "$ipaddress/$mask",
+            auth_method => 'pam',
+            order       => "06-01",
+          }
+        }
+
+        postgresql::server::role { $backup_host:
+          replication => true,
+        }
+
+        postgresql_replication_slot { regsubst($backup_host, '-', "_", "G"):
+          ensure => present
+        }
+      }
+    }
+
+    $ldap_server = lookup("base_installation::ldap_server")
+    $ldap_base   = lookup("base_installation::ldap_base")
+    $ldap_dn     = lookup("base_installation::ldap_dn")
+    $ldap_password = generate_password(24, $password_seed, "ldap")
+    $ldap_attribute = "cn"
+
+    file { "/etc/pam_ldap.d":
+      ensure => directory,
+      mode   => "0755",
+      owner  => "root",
+      group  => "root",
+    } ->
+    file { "/etc/pam_ldap.d/postgresql.conf":
+      ensure  => "present",
+      mode    => "0600",
+      owner   => $::profile::postgresql::pg_user,
+      group   => "root",
+      content => template("role/cryptoportfolio/pam_ldap_postgresql.conf.erb"),
+    } ->
+    file { "/etc/pam.d/postgresql":
+      ensure => "present",
+      mode   => "0644",
+      owner  => "root",
+      group  => "root",
+      source => "puppet:///modules/role/cryptoportfolio/pam_postgresql"
+    }
   }
 
 }
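Review bot: The backup `pg_hba_rule` at the `database => 'replication'` entry uses `user => 'all'` with `auth_method => 'pam'`, which lets any account that PAM/LDAP can authenticate from the backup host's addresses attempt a replication connection, whereas the role created just below is only `$backup_host`; restricting it to `user => $backup_host,` keeps the rule aligned with the account that actually holds the replication attribute. The `$backup_host = "backup-1"` literal makes the `unless empty($backup_host)` guard always true, so presumably this is meant to come from `lookup(...)` like the `base_installation::ldap_*` values below — worth confirming. When no LDAP entry with that `cn` exists the loop silently creates no hba rule, role or slot, so a `# no-op when $backup_host is absent from $facts["ldapvar"]["other"]` comment (or a `warning()` in an `else`) would make that visible. Minor style: `"$ipaddress/$mask"` in the title and `address` value is clearer as `"${ipaddress}/${mask}"`. The enclosing class starts before this hunk.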