X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Frole%2Fmanifests%2Fbackup%2Fpostgresql.pp;h=8a65dec6802c7ebf45728be037f2bded7a0b29ce;hb=da0f686b366140aab3d01c95f37eb655f07f81ef;hp=51ce37efbd14b394f7692fa47cc9edad38eb0c54;hpb=1c90c6913652e0ec7489ed22941e4e6a31d55912;p=perso%2FImmae%2FProjets%2FPuppet.git

diff --git a/modules/role/manifests/backup/postgresql.pp b/modules/role/manifests/backup/postgresql.pp
index 51ce37e..8a65dec 100644
--- a/modules/role/manifests/backup/postgresql.pp
+++ b/modules/role/manifests/backup/postgresql.pp
@@ -1,254 +1,21 @@
 class role::backup::postgresql inherits role::backup {
- # This manifest is supposed to be part of the backup server
-
- $password_seed = lookup("base_installation::puppet_pass_seed")
-
- $user = lookup("role::backup::user")
- $group = lookup("role::backup::group")
- $pg_user = "postgres"
- $pg_group = "postgres"
-
- $ldap_cn = lookup("base_installation::ldap_cn")
- $ldap_password = generate_password(24, $password_seed, "ldap")
- $ldap_server = lookup("base_installation::ldap_server")
- $ldap_base = lookup("base_installation::ldap_base")
- $ldap_dn = lookup("base_installation::ldap_dn")
- $ldap_attribute = "uid"
-
- $pg_slot = regsubst($ldap_cn, '-', "_", "G")
-
- ensure_packages(["postgresql", "pgbouncer", "pam_ldap"])
+ ensure_packages(["postgresql"])
 $pg_backup_hosts = lookup("role::backup::postgresql::backup_hosts", { "default_value" => {} })
- $ldap_filter = lookup("role::backup::postgresql::pgbouncer_access_filter", { "default_value" => undef })
- unless empty($pg_backup_hosts) {
- file { "/etc/systemd/system/postgresql_backup@.service":
- mode => "0644",
- owner => "root",
- group => "root",
- content => template("role/backup/postgresql_backup@.service.erb"),
+ $pg_backup_hosts.each |$backup_host_cn, $pg_infos| {
+ profile::postgresql::backup_replication { $backup_host_cn:
+ base_path => $mountpoint,
+ pg_infos => $pg_infos,
 }
- unless empty($ldap_filter) {
- concat { "/etc/pgbouncer/pgbouncer.ini":
- mode => "0644",
- owner => "root",
- group => "root",
- ensure_newline => true,
- notify => Service["pgbouncer"],
- }
-
- concat::fragment { "pgbouncer_head":
- target => "/etc/pgbouncer/pgbouncer.ini",
- order => "01",
- content => template("role/backup/pgbouncer.ini.erb"),
- }
-
- file { "/etc/systemd/system/pgbouncer.service.d":
- ensure => "directory",
- mode => "0644",
- owner => "root",
- group => "root",
- }
-
- file { "/etc/systemd/system/pgbouncer.service.d/override.conf":
- ensure => "present",
- mode => "0644",
- owner => "root",
- group => "root",
- content => "[Service]\nUser=\nUser=$pg_user\n",
- notify => Service["pgbouncer"],
- }
-
- service { "pgbouncer":
- ensure => "running",
- enable => true,
- require => [
- Package["pgbouncer"],
- File["/etc/systemd/system/pgbouncer.service.d/override.conf"],
- Concat["/etc/pgbouncer/pgbouncer.ini"]
- ],
- }
-
- file { "/etc/pam_ldap.d":
- ensure => directory,
- mode => "0755",
- owner => "root",
- group => "root",
- } ->
- file { "/etc/pam_ldap.d/pgbouncer.conf":
- ensure => "present",
- mode => "0600",
- owner => $pg_user,
- group => "root",
- content => template("role/backup/pam_ldap_pgbouncer.conf.erb"),
- } ->
- file { "/etc/pam.d/pgbouncer":
- ensure => "present",
- mode => "0644",
- owner => "root",
- group => "root",
- source => "puppet:///modules/role/backup/pam_pgbouncer"
+ if $pg_infos["pgbouncer"] {
+ profile::postgresql::backup_pgbouncer { $backup_host_cn:
+ base_path => $mountpoint,
+ pg_infos => $pg_infos,
 }
 }
- }
-
- $pg_backup_hosts.each |$pg_backup_host, $pg_infos| {
- $pg_path = "$mountpoint/$pg_backup_host/postgresql"
- $pg_host = "$pg_backup_host"
- $pg_port = $pg_infos["dbport"]
- if !empty($ldap_filter) and ($pg_infos["pgbouncer"]) {
- concat::fragment { "pgbouncer_$pg_backup_host":
- target => "/etc/pgbouncer/pgbouncer.ini",
- order => 02,
- content => "${pg_infos[pgbouncer_dbname]} = host=$mountpoint/$pg_backup_host/postgresql user=${pg_infos[dbuser]} dbname=${pg_infos[dbname]}",
- }
-
- postgresql::server::pg_hba_rule { "$pg_backup_host - local access as ${pg_infos[dbuser]} user":
- description => "Allow local access to ${pg_infos[dbuser]} user",
- type => 'local',
- database => $pg_infos["dbname"],
- user => $pg_infos["dbuser"],
- auth_method => 'trust',
- order => "01-00",
- target => "$pg_path/pg_hba.conf",
- postgresql_version => "10",
- }
- }
-
- file { "$mountpoint/$pg_backup_host":
- ensure => directory,
- owner => $user,
- group => $group,
- }
-
- file { $pg_path:
- ensure => directory,
- owner => $pg_user,
- group => $pg_group,
- mode => "0700",
- require => File["$mountpoint/$pg_backup_host"],
- }
-
- exec { "pg_basebackup $pg_path":
- cwd => $pg_path,
- user => $pg_user,
- creates => "$pg_path/PG_VERSION",
- environment => ["PGPASSWORD=$ldap_password"],
- command => "/usr/bin/pg_basebackup -w -h $pg_host -U $ldap_cn -D $pg_path -S $pg_slot",
- before => [
- Concat["$pg_path/pg_hba.conf"],
- Concat["$pg_path/recovery.conf"],
- File["$pg_path/postgresql.conf"],
- ]
- }
-
- concat { "$pg_path/pg_hba.conf":
- owner => $pg_user,
- group => $pg_group,
- mode => '0640',
- warn => true,
- }
- postgresql::server::pg_hba_rule { "$pg_backup_host - local access as postgres user":
- description => 'Allow local access to postgres user',
- type => 'local',
- database => 'all',
- user => $pg_user,
- auth_method => 'ident',
- order => "00-01",
- target => "$pg_path/pg_hba.conf",
- postgresql_version => "10",
- }
- postgresql::server::pg_hba_rule { "$pg_backup_host - localhost access as postgres user":
- description => 'Allow localhost access to postgres user',
- type => 'host',
- database => 'all',
- user => $pg_user,
- address => "127.0.0.1/32",
- auth_method => 'md5',
- order => "00-02",
- target => "$pg_path/pg_hba.conf",
- postgresql_version => "10",
- }
- postgresql::server::pg_hba_rule { "$pg_backup_host - localhost ip6 access as postgres user":
- description => 'Allow localhost access to postgres user',
- type => 'host',
- database => 'all',
- user => $pg_user,
- address => "::1/128",
- auth_method => 'md5',
- order => "00-03",
- target => "$pg_path/pg_hba.conf",
- postgresql_version => "10",
- }
- postgresql::server::pg_hba_rule { "$pg_backup_host - deny access to postgresql user":
- description => 'Deny remote access to postgres user',
- type => 'host',
- database => 'all',
- user => $pg_user,
- address => "0.0.0.0/0",
- auth_method => 'reject',
- order => "00-04",
- target => "$pg_path/pg_hba.conf",
- postgresql_version => "10",
- }
-
- postgresql::server::pg_hba_rule { "$pg_backup_host - local access":
- description => 'Allow local access with password',
- type => 'local',
- database => 'all',
- user => 'all',
- auth_method => 'md5',
- order => "10-01",
- target => "$pg_path/pg_hba.conf",
- postgresql_version => "10",
- }
-
- postgresql::server::pg_hba_rule { "$pg_backup_host - local access with same name":
- description => 'Allow local access with same name',
- type => 'local',
- database => 'all',
- user => 'all',
- auth_method => 'ident',
- order => "10-02",
- target => "$pg_path/pg_hba.conf",
- postgresql_version => "10",
- }
-
- $primary_conninfo = "host=$pg_host port=$pg_port user=$ldap_cn password=$ldap_password sslmode=require"
- $primary_slot_name = regsubst($ldap_cn, '-', "_", "G")
- $standby_mode = "on"
-
- concat { "$pg_path/recovery.conf":
- owner => $pg_user,
- group => $pg_group,
- mode => '0640',
- warn => true,
- }
- concat::fragment { "$pg_path/recovery.conf":
- target => "$pg_path/recovery.conf",
- content => template('postgresql/recovery.conf.erb'),
- }
-
- file { "$pg_path/postgresql.conf":
- owner => $pg_user,
- group => $pg_group,
- mode => '0640',
- content => template("role/backup/postgresql.conf.erb"),
- }
-
- service { "postgresql_backup@$pg_backup_host":
- enable => true,
- ensure => "running",
- require => [
- File["/etc/systemd/system/postgresql_backup@.service"],
- Concat["$pg_path/pg_hba.conf"],
- Concat["$pg_path/recovery.conf"],
- File["$pg_path/postgresql.conf"],
- ]
- }
 }
 }
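Review bot: The `$pg_infos` hash handed to profile::postgresql::backup_replication and profile::postgresql::backup_pgbouncer in the new each loop is now opaque in this manifest — the keys the removed code read (`dbport`, `dbuser`, `dbname`, `pgbouncer`, `pgbouncer_dbname`) are no longer visible here, and nothing validates the hash before the `if $pg_infos["pgbouncer"]` test. A comment above the loop, e.g. `# each value of role::backup::postgresql::backup_hosts is a hash with keys dbport, dbuser, dbname, pgbouncer and pgbouncer_dbname, consumed by profile::postgresql::backup_*`, would keep that contract readable, or the lookup could be given a value type so a malformed entry fails at compile time rather than inside the profile. The removed code also gated pgbouncer on `!empty($ldap_filter)` (role::backup::postgresql::pgbouncer_access_filter); if that lookup did not move into profile::postgresql::backup_pgbouncer, a host with `pgbouncer => true` but no filter now gets a pgbouncer setup the old manifest would have skipped — worth confirming. `$mountpoint` is used but not defined in this file; presumably it comes from the inherited role::backup class.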