Replication
authorIsmaël Bouya <ismael.bouya@normalesup.org>
Tue, 20 Feb 2018 14:54:25 +0000 (15:54 +0100)
committerIsmaël Bouya <ismael.bouya@normalesup.org>
Wed, 21 Feb 2018 14:32:21 +0000 (15:32 +0100)
modules/profile/manifests/postgresql.pp
modules/profile/manifests/tools.pp
modules/role/manifests/cryptoportfolio.pp

index 8dcc4cb7ca4b13364ca31192bb786dbe19aaaeaa..1024c6657c62ee3f71b1ed1b191efa5bf9fc4574 100644 (file)
@@ -22,7 +22,8 @@ class profile::postgresql {
   }
 
   class { '::postgresql::server':
-    postgres_password => generate_password(24, $password_seed, "postgres")
+    postgres_password => generate_password(24, $password_seed, "postgres"),
+    listen_addresses  => "*",
   }
 
   postgresql::server::pg_hba_rule { 'local access as postgres user':
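Review bot: `listen_addresses => "*"` is set on the shared `profile::postgresql` class, so every host that applies this profile now binds PostgreSQL on all interfaces, while the only remote client introduced by this commit is the cryptoportfolio replication user. From that point the exposure is bounded only by pg_hba.conf and whatever host firewall exists, neither of which is visible in this profile. Consider making it a class parameter with a safe default, e.g. `class profile::postgresql (String $listen_addresses = 'localhost') {` and `listen_addresses  => $listen_addresses,`, and have the role that actually needs remote access pass `"*"` or, better, the one public address. The class header of `profile::postgresql` is outside this hunk.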
index 52e3ceae0719491683d97379e5aa6c14f26bbed5..0b0ab46cfa2d1d052c113f2309f2ef632b3f4c14 100644 (file)
@@ -1,3 +1,3 @@
 class profile::tools {
-  ensure_packages(['vim', 'bash-completion'])
+  ensure_packages(['vim', 'bash-completion', 'net-tools'])
 }
index 05f2c595753d658c2b556d46322aad09ca03343e..e14d43d167b9c7c334cabae66350d88bb0405b60 100644 (file)
@@ -8,8 +8,10 @@ class role::cryptoportfolio {
   $password_seed = lookup("base_installation::puppet_pass_seed") |$key| { {} }
 
   $cf_pg_user = "cryptoportfolio"
+  $cf_pg_user_replication = "cryptoportfolio_replication"
   $cf_pg_db = "cryptoportfolio"
   $cf_pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio")
+  $cf_pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication")
   $cf_pg_host = "localhost:5432"
 
   $cf_user = "cryptoportfolio"
@@ -27,9 +29,87 @@ class role::cryptoportfolio {
 
   $cf_front_app_static_conf = "${cf_front_app}/cmd/web/env/prod.env"
 
+  file { "/var/lib/postgres/data/certs":
+    ensure  => directory,
+    mode    => "0700",
+    owner   => $::profile::postgresql::pg_user,
+    group   => $::profile::postgresql::pg_user,
+    require => File["/var/lib/postgres"],
+  }
+
+  file { "/var/lib/postgres/data/certs/cert.pem":
+    source  => "file:///etc/letsencrypt/live/$cf_front_app_host/cert.pem",
+    mode    => "0600",
+    links   => "follow",
+    owner   => $::profile::postgresql::pg_user,
+    group   => $::profile::postgresql::pg_user,
+    require => [Letsencrypt::Certonly[$cf_front_app_host], File["/var/lib/postgres/data/certs"]]
+  }
+
+  file { "/var/lib/postgres/data/certs/privkey.pem":
+    source  => "file:///etc/letsencrypt/live/$cf_front_app_host/privkey.pem",
+    mode    => "0600",
+    links   => "follow",
+    owner   => $::profile::postgresql::pg_user,
+    group   => $::profile::postgresql::pg_user,
+    require => [Letsencrypt::Certonly[$cf_front_app_host], File["/var/lib/postgres/data/certs"]]
+  }
+
+  postgresql::server::config_entry { "wal_level":
+    value   => "logical",
+  }
+
+  postgresql::server::config_entry { "ssl":
+    value   => "on",
+    require => Letsencrypt::Certonly[$cf_front_app_host],
+  }
+
+  postgresql::server::config_entry { "ssl_cert_file":
+    value   => "/var/lib/postgres/data/certs/cert.pem",
+    require => Letsencrypt::Certonly[$cf_front_app_host],
+  }
+
+  postgresql::server::config_entry { "ssl_key_file":
+    value   => "/var/lib/postgres/data/certs/privkey.pem",
+    require => Letsencrypt::Certonly[$cf_front_app_host],
+  }
+
   postgresql::server::db { $cf_pg_db:
     user     =>  $cf_pg_user,
-    password =>  postgresql_password($cf_pg_user, $cf_pg_password)
+    password =>  postgresql_password($cf_pg_user, $cf_pg_password),
+  }
+  ->
+  postgresql_psql { "CREATE PUBLICATION ${cf_pg_db}_publication FOR ALL TABLES":
+    db     => $cf_pg_db,
+    unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${cf_pg_db}_publication'",
+  }
+  ->
+  postgresql::server::role { $cf_pg_user_replication:
+    db            => $cf_pg_db,
+    replication   => true,
+    password_hash => postgresql_password($cf_pg_user_replication, $cf_pg_replication_password),
+  }
+  ->
+  postgresql::server::database_grant { $cf_pg_user_replication:
+    db        => $cf_pg_db,
+    privilege => "CONNECT",
+    role      => $cf_pg_user_replication,
+  }
+  ->
+  postgresql::server::grant { "all tables in schema:public:$cf_pg_user_replication":
+    db          => $cf_pg_db,
+    role        => $cf_pg_user_replication,
+    privilege   => "SELECT",
+    object_type => "ALL TABLES IN SCHEMA",
+    object_name => "public",
+  }
+  ->
+  postgresql::server::grant { "all sequences in schema:public:$cf_pg_user_replication":
+    db          => $cf_pg_db,
+    role        => $cf_pg_user_replication,
+    privilege   => "SELECT",
+    object_type => "ALL SEQUENCES IN SCHEMA",
+    object_name => "public",
   }
 
   postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user':
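Review bot: The `file` resources for `cert.pem` and `privkey.pem` carry no `notify`, so when Let's Encrypt renews the certificate the next Puppet run replaces the files but the running server keeps serving the old, eventually expired, certificate until something else restarts it; add `notify  => Class['postgresql::server::service'],` to both resources. Related, `ssl_cert_file` points at the leaf-only `cert.pem`; PostgreSQL accepts intermediates in that file, so sourcing `fullchain.pem` instead lets a subscriber using `sslmode=verify-ca`/`verify-full` validate the chain without shipping the intermediate itself. Also, `GRANT SELECT ON ALL TABLES IN SCHEMA public` is evaluated once against the tables that exist when it runs, whereas the publication is `FOR ALL TABLES`; the app service only orders itself after `Postgresql::Server::Db[$cf_pg_db]`, not after these grants, so tables the app creates later would be published without the replication role being able to read them for the initial table sync. Assuming the app creates its tables as `$cf_pg_user`, a default-privileges statement appended to the same chain closes that gap.
```puppet
  file { "/var/lib/postgres/data/certs/cert.pem":
    # … unchanged: source, mode, links, owner, group, require …
    notify  => Class['postgresql::server::service'],
  }

  # … unchanged: privkey.pem (same notify), config entries, db, publication, role, grants …

  ->
  postgresql_psql { "default SELECT on future tables for ${cf_pg_user_replication}":
    db      => $cf_pg_db,
    command => "ALTER DEFAULT PRIVILEGES FOR ROLE ${cf_pg_user} IN SCHEMA public GRANT SELECT ON TABLES TO ${cf_pg_user_replication}",
    # TODO: add an 'unless' against pg_default_acl so this does not report a change on every run
  }
```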
@@ -49,6 +129,15 @@ class role::cryptoportfolio {
     order       => "b0",
   }
 
+  postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu':
+    type        => 'hostssl',
+    database    => $cf_pg_db,
+    user        => $cf_pg_user_replication,
+    address     => 'immae.eu',
+    auth_method => 'md5',
+    order       => "b0",
+  }
+
   letsencrypt::certonly { $cf_front_app_host: ;
     default: * => $::profile::apache::letsencrypt_certonly_default;
   }
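Review bot: `address => 'immae.eu'` makes pg_hba.conf depend on DNS: PostgreSQL has to reverse-resolve the connecting IP and then forward-resolve the result before the rule matches, so a slow or spoofable resolver decides whether the replication user gets in, and every connection pays the lookups; prefer the subscriber's fixed address, e.g. `address => '<subscriber IP>/32',` (plus a second rule for IPv6 if that path is used). `auth_method => 'md5'` is also the weaker option: `wal_level = logical` and `CREATE PUBLICATION` in the previous hunk already require PostgreSQL 10+, where `scram-sha-256` exists, but switching needs the role's password stored as a SCRAM verifier rather than the md5 hash that `postgresql_password()` produces, so the module version's password-encryption handling should be checked before changing it. Note that `hostssl` only enforces TLS on the wire and does not authenticate the peer, so the address match and the password are what actually gate access here.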
@@ -157,7 +246,10 @@ class role::cryptoportfolio {
     service { 'cryptoportfolio-app':
       enable  => true,
       ensure  => "running",
-      require => [File["/etc/systemd/system/cryptoportfolio-app.service"]],
+      require => [
+        File["/etc/systemd/system/cryptoportfolio-app.service"],
+        Postgresql::Server::Db[$cf_pg_db]
+      ],
     }
 
     file { $cf_front_app_api_conf:
@@ -199,4 +291,5 @@ class role::cryptoportfolio {
     }
   }
 
+  # TODO: xmr_stack
 }