X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Frole%2Fmanifests%2Fbackup%2Fpostgresql.pp;h=51ce37efbd14b394f7692fa47cc9edad38eb0c54;hb=1c90c6913652e0ec7489ed22941e4e6a31d55912;hp=59e4669296e44f0509a44568b79d59627a49107e;hpb=cc54396280acf37ee5bd5b2ddf75c6cc97ed1c05;p=perso%2FImmae%2FProjets%2FPuppet.git
diff --git a/modules/role/manifests/backup/postgresql.pp b/modules/role/manifests/backup/postgresql.pp
index 59e4669..51ce37e 100644
--- a/modules/role/manifests/backup/postgresql.pp
+++ b/modules/role/manifests/backup/postgresql.pp
@@ -10,16 +10,113 @@ class role::backup::postgresql inherits role::backup { $ldap_cn = lookup("base_installation::ldap_cn") $ldap_password = generate_password(24, $password_seed, "ldap") + $ldap_server = lookup("base_installation::ldap_server") + $ldap_base = lookup("base_installation::ldap_base") + $ldap_dn = lookup("base_installation::ldap_dn") + $ldap_attribute = "uid" + $pg_slot = regsubst($ldap_cn, '-', "_", "G") - ensure_packages(["postgresql"]) + ensure_packages(["postgresql", "pgbouncer", "pam_ldap"]) + + $pg_backup_hosts = lookup("role::backup::postgresql::backup_hosts", { "default_value" => {} }) + $ldap_filter = lookup("role::backup::postgresql::pgbouncer_access_filter", { "default_value" => undef }) + + unless empty($pg_backup_hosts) { + file { "/etc/systemd/system/postgresql_backup@.service": + mode => "0644", + owner => "root", + group => "root", + content => template("role/backup/postgresql_backup@.service.erb"), + } - $pg_backup_hosts = lookup("role::backup::postgresql::backup_hosts", { "default_value" => [] }) + unless empty($ldap_filter) { + concat { "/etc/pgbouncer/pgbouncer.ini": + mode => "0644", + owner => "root", + group => "root", + ensure_newline => true, + notify => Service["pgbouncer"], + } + + concat::fragment { "pgbouncer_head": + target => "/etc/pgbouncer/pgbouncer.ini", + order => "01", + content => template("role/backup/pgbouncer.ini.erb"), + } + + file { "/etc/systemd/system/pgbouncer.service.d": + ensure => "directory", + mode => "0644", + owner => "root", + group => "root", + } + + file { "/etc/systemd/system/pgbouncer.service.d/override.conf": + ensure => "present", + mode => "0644", + owner => "root", + group => "root", + content => "[Service]\nUser=\nUser=$pg_user\n", + notify => Service["pgbouncer"], + } + + service { "pgbouncer": + ensure => "running", + enable => true, + require => [ + Package["pgbouncer"], + File["/etc/systemd/system/pgbouncer.service.d/override.conf"], + Concat["/etc/pgbouncer/pgbouncer.ini"] + ], + } + + 
file { "/etc/pam_ldap.d": + ensure => directory, + mode => "0755", + owner => "root", + group => "root", + } -> + file { "/etc/pam_ldap.d/pgbouncer.conf": + ensure => "present", + mode => "0600", + owner => $pg_user, + group => "root", + content => template("role/backup/pam_ldap_pgbouncer.conf.erb"), + } -> + file { "/etc/pam.d/pgbouncer": + ensure => "present", + mode => "0644", + owner => "root", + group => "root", + source => "puppet:///modules/role/backup/pam_pgbouncer" + } + } + } - $pg_backup_hosts.each |$pg_backup_host| { + $pg_backup_hosts.each |$pg_backup_host, $pg_infos| { $pg_path = "$mountpoint/$pg_backup_host/postgresql" $pg_host = "$pg_backup_host" - $pg_port = "5432" + $pg_port = $pg_infos["dbport"] + + if !empty($ldap_filter) and ($pg_infos["pgbouncer"]) { + concat::fragment { "pgbouncer_$pg_backup_host": + target => "/etc/pgbouncer/pgbouncer.ini", + order => 02, + content => "${pg_infos[pgbouncer_dbname]} = host=$mountpoint/$pg_backup_host/postgresql user=${pg_infos[dbuser]} dbname=${pg_infos[dbname]}", + } + + postgresql::server::pg_hba_rule { "$pg_backup_host - local access as ${pg_infos[dbuser]} user": + description => "Allow local access to ${pg_infos[dbuser]} user", + type => 'local', + database => $pg_infos["dbname"], + user => $pg_infos["dbuser"], + auth_method => 'trust', + order => "01-00", + target => "$pg_path/pg_hba.conf", + postgresql_version => "10", + } + } file { "$mountpoint/$pg_backup_host": ensure => directory, @@ -154,10 +251,4 @@ class role::backup::postgresql inherits role::backup { } } - file { "/etc/systemd/system/postgresql_backup@.service": - mode => "0644", - owner => "root", - group => "root", - content => template("role/backup/postgresql_backup@.service.erb"), - } }
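Review bot: The new `postgresql::server::pg_hba_rule` sets `auth_method => 'trust'` on a `local` rule, so any OS account on the backup host that can reach the socket under `$pg_path` can connect as `${pg_infos[dbuser]}` to that database with no credential, which would sidestep the PAM/LDAP check that pgbouncer appears to be placed in front for. Because the systemd override makes pgbouncer run as `$pg_user`, peer authentication with an ident map would limit the rule to that one account: `auth_method => 'peer',` and `auth_option => 'map=pgbouncer',` (the map name is an example), together with a matching `postgresql::server::pg_ident_rule` mapping `$pg_user` to the database user in the same instance. Whether the permissions on the socket directory already restrict who can reach it cannot be seen here; the `.each` block and the `file { "$mountpoint/$pg_backup_host":` resource continue outside the hunk.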