From: Ismaƫl Bouya Date: Tue, 20 Feb 2018 14:54:25 +0000 (+0100) Subject: Replication X-Git-Url: https://git.immae.eu/?a=commitdiff_plain;h=b3015828f95acd3f239ab7a614418918f21fb8d1;p=perso%2FImmae%2FProjets%2FPuppet.git Replication --- diff --git a/modules/profile/manifests/postgresql.pp b/modules/profile/manifests/postgresql.pp index 8dcc4cb..1024c66 100644 --- a/modules/profile/manifests/postgresql.pp +++ b/modules/profile/manifests/postgresql.pp @@ -22,7 +22,8 @@ class profile::postgresql { } class { '::postgresql::server': - postgres_password => generate_password(24, $password_seed, "postgres") + postgres_password => generate_password(24, $password_seed, "postgres"), + listen_addresses => "*", } postgresql::server::pg_hba_rule { 'local access as postgres user': diff --git a/modules/profile/manifests/tools.pp b/modules/profile/manifests/tools.pp index 52e3cea..0b0ab46 100644 --- a/modules/profile/manifests/tools.pp +++ b/modules/profile/manifests/tools.pp @@ -1,3 +1,3 @@ class profile::tools { - ensure_packages(['vim', 'bash-completion']) + ensure_packages(['vim', 'bash-completion', 'net-tools']) } diff --git a/modules/role/manifests/cryptoportfolio.pp b/modules/role/manifests/cryptoportfolio.pp index 05f2c59..e14d43d 100644 --- a/modules/role/manifests/cryptoportfolio.pp +++ b/modules/role/manifests/cryptoportfolio.pp @@ -8,8 +8,10 @@ class role::cryptoportfolio { $password_seed = lookup("base_installation::puppet_pass_seed") |$key| { {} } $cf_pg_user = "cryptoportfolio" + $cf_pg_user_replication = "cryptoportfolio_replication" $cf_pg_db = "cryptoportfolio" $cf_pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio") + $cf_pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication") $cf_pg_host = "localhost:5432" $cf_user = "cryptoportfolio" @@ -27,9 +29,87 @@ class role::cryptoportfolio { $cf_front_app_static_conf = "${cf_front_app}/cmd/web/env/prod.env" + file { "/var/lib/postgres/data/certs": + ensure => directory, + mode => "0700", + owner => $::profile::postgresql::pg_user, + group => $::profile::postgresql::pg_user, + require => File["/var/lib/postgres"], + } + + file { "/var/lib/postgres/data/certs/cert.pem": + source => "file:///etc/letsencrypt/live/$cf_front_app_host/cert.pem", + mode => "0600", + links => "follow", + owner => $::profile::postgresql::pg_user, + group => $::profile::postgresql::pg_user, + require => [Letsencrypt::Certonly[$cf_front_app_host], File["/var/lib/postgres/data/certs"]] + } + + file { "/var/lib/postgres/data/certs/privkey.pem": + source => "file:///etc/letsencrypt/live/$cf_front_app_host/privkey.pem", + mode => "0600", + links => "follow", + owner => $::profile::postgresql::pg_user, + group => $::profile::postgresql::pg_user, + require => [Letsencrypt::Certonly[$cf_front_app_host], File["/var/lib/postgres/data/certs"]] + } + + postgresql::server::config_entry { "wal_level": + value => "logical", + } + + postgresql::server::config_entry { "ssl": + value => "on", + require => Letsencrypt::Certonly[$cf_front_app_host], + } + + postgresql::server::config_entry { "ssl_cert_file": + value => "/var/lib/postgres/data/certs/cert.pem", + require => Letsencrypt::Certonly[$cf_front_app_host], + } + + postgresql::server::config_entry { "ssl_key_file": + value => "/var/lib/postgres/data/certs/privkey.pem", + require => Letsencrypt::Certonly[$cf_front_app_host], + } + postgresql::server::db { $cf_pg_db: user => $cf_pg_user, - password => postgresql_password($cf_pg_user, $cf_pg_password) + password => postgresql_password($cf_pg_user, $cf_pg_password), + } + -> + postgresql_psql { "CREATE PUBLICATION ${cf_pg_db}_publication FOR ALL TABLES": + db => $cf_pg_db, + unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${cf_pg_db}_publication'", + } + -> + postgresql::server::role { $cf_pg_user_replication: + db => $cf_pg_db, + replication => true, + password_hash => postgresql_password($cf_pg_user_replication, $cf_pg_replication_password), + } + -> + postgresql::server::database_grant { $cf_pg_user_replication: + db => $cf_pg_db, + privilege => "CONNECT", + role => $cf_pg_user_replication, + } + -> + postgresql::server::grant { "all tables in schema:public:$cf_pg_user_replication": + db => $cf_pg_db, + role => $cf_pg_user_replication, + privilege => "SELECT", + object_type => "ALL TABLES IN SCHEMA", + object_name => "public", + } + -> + postgresql::server::grant { "all sequences in schema:public:$cf_pg_user_replication": + db => $cf_pg_db, + role => $cf_pg_user_replication, + privilege => "SELECT", + object_type => "ALL SEQUENCES IN SCHEMA", + object_name => "public", } postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user': @@ -49,6 +129,15 @@ class role::cryptoportfolio { order => "b0", } + postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu': + type => 'hostssl', + database => $cf_pg_db, + user => $cf_pg_user_replication, + address => 'immae.eu', + auth_method => 'md5', + order => "b0", + } + letsencrypt::certonly { $cf_front_app_host: ; default: * => $::profile::apache::letsencrypt_certonly_default; } @@ -157,7 +246,10 @@ class role::cryptoportfolio { service { 'cryptoportfolio-app': enable => true, ensure => "running", - require => [File["/etc/systemd/system/cryptoportfolio-app.service"]], + require => [ + File["/etc/systemd/system/cryptoportfolio-app.service"], + Postgresql::Server::Db[$cf_pg_db] + ], } file { $cf_front_app_api_conf: @@ -199,4 +291,5 @@ class role::cryptoportfolio { } } + # TODO: xmr_stack }