From: Ismaƫl Bouya Date: Wed, 27 Jun 2018 19:52:02 +0000 (+0200) Subject: Refactor backup postgresql X-Git-Url: https://git.immae.eu/?a=commitdiff_plain;h=d2f031ece106ed2dc37283b194edfa94718a6306;hp=c53ac3f84852a42aa8b7341ee7fe0a629d2e3579;p=perso%2FImmae%2FProjets%2FPuppet.git Refactor backup postgresql --- diff --git a/modules/role/files/backup/pam_pgbouncer b/modules/profile/files/postgresql/pam_pgbouncer similarity index 100% rename from modules/role/files/backup/pam_pgbouncer rename to modules/profile/files/postgresql/pam_pgbouncer diff --git a/modules/role/templates/backup/pgbouncer.ini.erb b/modules/profile/files/postgresql/pgbouncer_head.ini similarity index 100% rename from modules/role/templates/backup/pgbouncer.ini.erb rename to modules/profile/files/postgresql/pgbouncer_head.ini diff --git a/modules/profile/files/postgresql_master/pam_postgresql b/modules/profile/files/postgresql_master/pam_postgresql deleted file mode 100644 index 70a90ae..0000000 --- a/modules/profile/files/postgresql_master/pam_postgresql +++ /dev/null @@ -1,3 +0,0 @@ -auth required pam_ldap.so config=/etc/pam_ldap.d/postgresql.conf -account required pam_ldap.so config=/etc/pam_ldap.d/postgresql.conf - diff --git a/modules/profile/manifests/postgresql/backup_dump.pp b/modules/profile/manifests/postgresql/backup_dump.pp new file mode 100644 index 0000000..10e349a --- /dev/null +++ b/modules/profile/manifests/postgresql/backup_dump.pp @@ -0,0 +1,53 @@ +define profile::postgresql::backup_dump ( + String $pg_user = "postgres", + String $pg_group = "postgres", +) { + $base_path = $title + $pg_path = "$base_path/postgresql" + $pg_backup_path = "$base_path/postgresql_backup" + $pg_host = split($base_path, "/")[-1] + + ensure_packages(["python", "python-pip"]) + ensure_resource("package", "pylog2rotate", { + source => "git+https://github.com/avian2/pylog2rotate", + ensure => present, + provider => "pip3", + require => Package["python-pip"], + }) + + file { $pg_backup_path: + ensure => directory, + owner => $pg_user, + group => $pg_group, + mode => "0700", + require => File[$base_path], + } + + cron::job::multiple { "backup_psql_$pg_host": + ensure => "present", + require => [File[$pg_backup_path], File[$pg_path]], + jobs => [ + { + command => "/usr/bin/pg_dumpall -h $pg_path -f $pg_backup_path/\$(date -Iseconds).sql", + user => $pg_user, + hour => "22,4,10,16", + minute => 0, + description => "Backup the database", + }, + { + command => "/usr/bin/rm -f $(ls -1 $pg_backup_path/*.sql | grep -v 'T22:' | sort -r | sed -e '1,12d')", + user => $pg_user, + hour => 3, + minute => 0, + description => "Cleanup the database backups", + }, + { + command => "cd $pg_backup_path ; /usr/bin/rm -f $(ls -1 *T22*.sql | log2rotate --skip 7 --fuzz 7 --delete --format='%Y-%m-%dT%H:%M:%S+02:00.sql')", + user => $pg_user, + hour => 3, + minute => 1, + description => "Cleanup the database backups exponentially", + }, + ] + } +} diff --git a/modules/profile/manifests/postgresql/backup_pgbouncer.pp b/modules/profile/manifests/postgresql/backup_pgbouncer.pp new file mode 100644 index 0000000..45b8ed5 --- /dev/null +++ b/modules/profile/manifests/postgresql/backup_pgbouncer.pp @@ -0,0 +1,92 @@ +define profile::postgresql::backup_pgbouncer ( + String $base_path, + Hash $pg_infos, + String $pg_user = "postgres", + String $pg_group = "postgres", +) { + include "profile::postgresql::pam_ldap_pgbouncer" + ensure_packages(["pgbouncer"]) + + $host_cn = $title + + $host = find_host($facts["ldapvar"]["other"], $host_cn) + if empty($host) { + fail("No host found for pgbouncer") + } elsif has_key($host["vars"], "host") { + $pg_backup_host = $host["vars"]["host"][0] + } else { + $pg_backup_host = $host["vars"]["real_hostname"][0] + } + + $pg_path = "$base_path/$pg_backup_host/postgresql" + + if has_key($host["vars"], "postgresql_backup_port") { + $pg_port = " port=${host[vars][postgresql_backup_port][0]}" + } else { + $pg_port = "" + } + + # Config + ensure_resource("concat", "/etc/pgbouncer/pgbouncer.ini", { + mode => "0644", + owner => "root", + group => "root", + ensure_newline => true, + notify => Service["pgbouncer"], + before => Service["pgbouncer"], + }) + + ensure_resource("concat::fragment", "pgbouncer_head", { + target => "/etc/pgbouncer/pgbouncer.ini", + order => 01, + source => "puppet:///modules/profile/postgresql/pgbouncer_head.ini", + }) + + concat::fragment { "pgbouncer_$pg_backup_host": + target => "/etc/pgbouncer/pgbouncer.ini", + order => 02, + content => "${pg_infos[pgbouncer_dbname]} = host=$pg_path$pg_port user=${pg_infos[dbuser]} dbname=${pg_infos[dbname]}", + } + + # pg_hba for accessed cluster + postgresql::server::pg_hba_rule { "$pg_backup_host - local access as ${pg_infos[dbuser]} user": + description => "Allow local access to ${pg_infos[dbuser]} user", + type => 'local', + database => $pg_infos["dbname"], + user => $pg_infos["dbuser"], + auth_method => 'trust', + order => "01-00", + target => "$pg_path/pg_hba.conf", + postgresql_version => "10", + } + + # service + ensure_resource("file", "/etc/systemd/system/pgbouncer.service.d", { + ensure => "directory", + mode => "0644", + owner => "root", + group => "root", + }) + + ensure_resource("file", "/etc/systemd/system/pgbouncer.service.d/override.conf", { + ensure => "present", + mode => "0644", + owner => "root", + group => "root", + content => "[Service]\nUser=\nUser=$pg_user\n", + notify => Service["pgbouncer"], + before => Service["pgbouncer"], + }) + + ensure_resource("service", "pgbouncer", { + ensure => "running", + enable => true, + require => [ + Package["pgbouncer"], + File["/etc/systemd/system/pgbouncer.service.d/override.conf"], + Concat["/etc/pgbouncer/pgbouncer.ini"] + ], + }) + + +} diff --git a/modules/profile/manifests/postgresql/backup_replication.pp b/modules/profile/manifests/postgresql/backup_replication.pp new file mode 100644 index 0000000..a4edb8f --- /dev/null +++ b/modules/profile/manifests/postgresql/backup_replication.pp @@ -0,0 +1,135 @@ +define profile::postgresql::backup_replication ( + String $base_path, + Hash $pg_infos, + String $pg_user = "postgres", + String $pg_group = "postgres", +) { + $host_cn = $title + + $host = find_host($facts["ldapvar"]["other"], $host_cn) + if empty($host) { + $pg_backup_host = $host_cn + } elsif has_key($host["vars"], "host") { + $pg_backup_host = $host["vars"]["host"][0] + } else { + $pg_backup_host = $host["vars"]["real_hostname"][0] + } + + $pg_path = "$base_path/$pg_backup_host/postgresql" + + # Replication folder + ensure_resource("file", "$base_path/$pg_backup_host", { + ensure => directory, + }) + + file { $pg_path: + ensure => directory, + owner => $pg_user, + group => $pg_group, + mode => "0700", + require => File["$base_path/$pg_backup_host"], + } + + # pg_hba.conf + profile::postgresql::base_pg_hba_rules { $pg_backup_host: + pg_path => $pg_path + } + + # postgresql.conf file and ssl + concat { "$pg_path/postgresql.conf": + owner => $pg_user, + group => $pg_group, + mode => '0640', + warn => true, + } + + if !empty($host) and has_key($host["vars"], "postgresql_backup_port") { + $pg_listen_port = $host["vars"]["postgresql_backup_port"][0] + + profile::postgresql::ssl { $pg_path: + certname => $host_cn, + handle_concat_config => true, + before => Service["postgresql_backup@$pg_backup_host"] + } + + concat::fragment { "$pg_path/postgresql.conf listen": + target => "$pg_path/postgresql.conf", + content => "listen_addresses = '*'\nport = $pg_listen_port\n", + } + + profile::postgresql::replication { $host_cn: + target => "$pg_path/pg_hba.conf", + } + } else { + concat::fragment { "$pg_path/postgresql.conf listen": + target => "$pg_path/postgresql.conf", + content => "listen_addresses = ''\n", + } + } + + concat::fragment { "$pg_path/postgresql.conf paths": + target => "$pg_path/postgresql.conf", + content => "unix_socket_directories = '$pg_path'\ndata_directory = '$pg_path'\nwal_level = logical\n", + } + + $password_seed = lookup("base_installation::puppet_pass_seed") + $pg_host = $pg_backup_host + $pg_port = $pg_infos["dbport"] + $ldap_cn = lookup("base_installation::ldap_cn") + $ldap_password = generate_password(24, $password_seed, "ldap") + $pg_slot = regsubst($ldap_cn, '-', "_", "G") + + # recovery.conf file + $primary_conninfo = "host=$pg_host port=$pg_port user=$ldap_cn password=$ldap_password sslmode=require" + $primary_slot_name = $pg_slot + $standby_mode = "on" + + file { "$pg_path/recovery.conf": + owner => $pg_user, + group => $pg_group, + mode => '0640', + content => template('postgresql/recovery.conf.erb'), + } + + # Initial replication + exec { "pg_basebackup $pg_path": + cwd => $pg_path, + user => $pg_user, + creates => "$pg_path/PG_VERSION", + environment => ["PGPASSWORD=$ldap_password"], + command => "/usr/bin/pg_basebackup -w -h $pg_host -p $pg_port -U $ldap_cn -D $pg_path -S $pg_slot", + before => [ + Concat["$pg_path/pg_hba.conf"], + File["$pg_path/recovery.conf"], + Concat["$pg_path/postgresql.conf"], + ] + } + + # Service + ensure_resource("file", "/etc/systemd/system/postgresql_backup@.service", { + mode => "0644", + owner => "root", + group => "root", + content => template("profile/postgresql/postgresql_backup@.service.erb"), + }) + + service { "postgresql_backup@$pg_backup_host": + enable => true, + ensure => "running", + require => [ + File["/etc/systemd/system/postgresql_backup@.service"], + Concat["$pg_path/pg_hba.conf"], + File["$pg_path/recovery.conf"], + Concat["$pg_path/postgresql.conf"], + ], + subscribe => [ + Concat["$pg_path/pg_hba.conf"], + File["$pg_path/recovery.conf"], + Concat["$pg_path/postgresql.conf"], + ] + } + + # Dumps + profile::postgresql::backup_dump { "$base_path/$pg_backup_host": } + +} diff --git a/modules/profile/manifests/postgresql/base_pg_hba_rules.pp b/modules/profile/manifests/postgresql/base_pg_hba_rules.pp new file mode 100644 index 0000000..13ab4ff --- /dev/null +++ b/modules/profile/manifests/postgresql/base_pg_hba_rules.pp @@ -0,0 +1,76 @@ +define profile::postgresql::base_pg_hba_rules ( + Optional[String] $pg_path = undef, + String $pg_user = "postgres", + String $pg_group = "postgres", +) { + unless empty($pg_path) { + concat { "$pg_path/pg_hba.conf": + owner => $pg_user, + group => $pg_group, + mode => '0640', + warn => true, + require => File[$pg_path], + } + + Postgresql::Server::Pg_hba_rule { + target => "$pg_path/pg_hba.conf", + postgresql_version => "10", + } + } + + postgresql::server::pg_hba_rule { "$title - local access as postgres user": + description => 'Allow local access to postgres user', + type => 'local', + database => 'all', + user => $pg_user, + auth_method => 'ident', + order => "00-01", + } + postgresql::server::pg_hba_rule { "$title - localhost access as postgres user": + description => 'Allow localhost access to postgres user', + type => 'host', + database => 'all', + user => $pg_user, + address => "127.0.0.1/32", + auth_method => 'md5', + order => "00-02", + } + postgresql::server::pg_hba_rule { "$title - localhost ip6 access as postgres user": + description => 'Allow localhost access to postgres user', + type => 'host', + database => 'all', + user => $pg_user, + address => "::1/128", + auth_method => 'md5', + order => "00-03", + target => "$pg_path/pg_hba.conf", + postgresql_version => "10", + } + postgresql::server::pg_hba_rule { "$title - deny access to postgresql user": + description => 'Deny remote access to postgres user', + type => 'host', + database => 'all', + user => $pg_user, + address => "0.0.0.0/0", + auth_method => 'reject', + order => "00-04", + } + postgresql::server::pg_hba_rule { "$title - local access": + description => 'Allow local access with password', + type => 'local', + database => 'all', + user => 'all', + auth_method => 'md5', + order => "10-01", + } + + postgresql::server::pg_hba_rule { "$title - local access with same name": + description => 'Allow local access with same name', + type => 'local', + database => 'all', + user => 'all', + auth_method => 'ident', + order => "10-02", + } + +} diff --git a/modules/profile/manifests/postgresql/pam_ldap_pgbouncer.pp b/modules/profile/manifests/postgresql/pam_ldap_pgbouncer.pp new file mode 100644 index 0000000..67714f2 --- /dev/null +++ b/modules/profile/manifests/postgresql/pam_ldap_pgbouncer.pp @@ -0,0 +1,33 @@ +class profile::postgresql::pam_ldap_pgbouncer ( + String $pg_user = "postgres" +) { + include "profile::pam_ldap" + + $password_seed = lookup("base_installation::puppet_pass_seed") + $ldap_server = lookup("base_installation::ldap_server") + $ldap_base = lookup("base_installation::ldap_base") + $ldap_dn = lookup("base_installation::ldap_dn") + $ldap_password = generate_password(24, $password_seed, "ldap") + $ldap_attribute = "uid" + $ldap_filter = lookup("role::backup::postgresql::pgbouncer_access_filter", { "default_value" => undef }) + + if empty($ldap_filter) { + fail("need ldap filter for pgbouncer") + } + + file { "/etc/pam_ldap.d/pgbouncer.conf": + ensure => "present", + mode => "0600", + owner => $pg_user, + group => "root", + content => template("profile/postgresql/pam_ldap_pgbouncer.conf.erb"), + require => File["/etc/pam_ldap.d"], + } -> + file { "/etc/pam.d/pgbouncer": + ensure => "present", + mode => "0644", + owner => "root", + group => "root", + source => "puppet:///modules/profile/postgresql/pam_pgbouncer" + } +} diff --git a/modules/profile/manifests/postgresql/replication.pp b/modules/profile/manifests/postgresql/replication.pp index 33b147f..2fcb71c 100644 --- a/modules/profile/manifests/postgresql/replication.pp +++ b/modules/profile/manifests/postgresql/replication.pp @@ -1,7 +1,9 @@ define profile::postgresql::replication ( - Boolean $handle_role = false, - Boolean $add_self_role = false, - Boolean $handle_slot = false, + Boolean $handle_role = false, + Boolean $handle_config = false, + Boolean $add_self_role = false, + Boolean $handle_slot = false, + Optional[String] $target = undef, ) { include "profile::postgresql::pam_ldap" @@ -12,9 +14,11 @@ define profile::postgresql::replication ( fail("Unable to find host for replication") } - ensure_resource("postgresql::server::config_entry", "wal_level", { - value => "logical", - }) + if empty($target) { + $pg_version = undef + } else { + $pg_version = "10" + } $host_infos["ipHostNumber"].each |$ip| { $infos = split($ip, "/") @@ -28,15 +32,23 @@ define profile::postgresql::replication ( } postgresql::server::pg_hba_rule { "allow TCP access for replication to user $host_cn from $ipaddress/$mask": - type => 'hostssl', - database => 'replication', - user => $host_cn, - address => "$ipaddress/$mask", - auth_method => 'pam', - order => "06-01", + type => 'hostssl', + database => 'replication', + user => $host_cn, + address => "$ipaddress/$mask", + auth_method => 'pam', + order => "06-01", + target => $target, + postgresql_version => $pg_version, } } + if $handle_config { + ensure_resource("postgresql::server::config_entry", "wal_level", { + value => "logical", + }) + } + if $handle_role { postgresql::server::role { $host_cn: replication => true, diff --git a/modules/profile/manifests/postgresql/ssl.pp b/modules/profile/manifests/postgresql/ssl.pp index e4da8af..dc56c0b 100644 --- a/modules/profile/manifests/postgresql/ssl.pp +++ b/modules/profile/manifests/postgresql/ssl.pp @@ -1,20 +1,21 @@ define profile::postgresql::ssl ( - Optional[String] $cert = undef, - Optional[String] $key = undef, - Optional[String] $certname = undef, - Optional[Boolean] $copy_keys = true, - Optional[String] $pg_user = $profile::postgresql::pg_user, - Optional[String] $pg_group = $profile::postgresql::pg_user + Optional[String] $cert = undef, + Optional[String] $key = undef, + Optional[String] $certname = undef, + Optional[Boolean] $copy_keys = true, + Optional[Boolean] $handle_config_entry = false, + Optional[Boolean] $handle_concat_config = false, + Optional[String] $pg_user = "postgres", + Optional[String] $pg_group = "postgres", ) { - $pg_dir = $title - $datadir = "$pg_dir/data" + $datadir = $title file { "$datadir/certs": ensure => directory, mode => "0700", owner => $pg_user, group => $pg_group, - require => File[$pg_dir], + require => File[$datadir], } if empty($cert) or empty($key) { @@ -32,8 +33,8 @@ define profile::postgresql::ssl ( directory => "$datadir/certs", } - $ssl_key = "$datadir/certs/$backup_host_cn.key" - $ssl_cert = "$datadir/certs/$backup_host_cn.crt" + $ssl_key = "$datadir/certs/$certname.key" + $ssl_cert = "$datadir/certs/$certname.crt" } elsif $copy_keys { $ssl_key = "$datadir/certs/privkey.pem" $ssl_cert = "$datadir/certs/cert.pem" @@ -59,15 +60,23 @@ define profile::postgresql::ssl ( $ssl_cert = $cert } - postgresql::server::config_entry { "ssl": - value => "on", - } + if $handle_config_entry { + postgresql::server::config_entry { "ssl": + value => "on", + } - postgresql::server::config_entry { "ssl_cert_file": - value => $ssl_cert, - } + postgresql::server::config_entry { "ssl_cert_file": + value => $ssl_cert, + } - postgresql::server::config_entry { "ssl_key_file": - value => $ssl_key, + postgresql::server::config_entry { "ssl_key_file": + value => $ssl_key, + } + } elsif $handle_concat_config { + concat::fragment { "$datadir/postgresql.conf ssl config": + target => "$datadir/postgresql.conf", + content => "ssl = on\nssl_key_file = '$ssl_key'\nssl_cert_file = '$ssl_cert'\n" + } } + } diff --git a/modules/profile/manifests/postgresql_master.pp b/modules/profile/manifests/postgresql_master.pp index e28c1b0..3de4f22 100644 --- a/modules/profile/manifests/postgresql_master.pp +++ b/modules/profile/manifests/postgresql_master.pp @@ -2,14 +2,16 @@ define profile::postgresql_master ( $letsencrypt_host = undef, $backup_hosts = [], ) { - profile::postgresql::ssl { "/var/lib/postgres": - cert => "/etc/letsencrypt/live/$letsencrypt_host/cert.pem", - key => "/etc/letsencrypt/live/$letsencrypt_host/privkey.pem", - require => Letsencrypt::Certonly[$letsencrypt_host], + profile::postgresql::ssl { "/var/lib/postgres/data": + cert => "/etc/letsencrypt/live/$letsencrypt_host/cert.pem", + key => "/etc/letsencrypt/live/$letsencrypt_host/privkey.pem", + require => Letsencrypt::Certonly[$letsencrypt_host], + handle_config_entry => true, } $backup_hosts.each |$backup_host| { profile::postgresql::replication { $backup_host: + handle_config => true, handle_role => true, handle_slot => true, add_self_role => true, diff --git a/modules/profile/templates/postgresql_master/pam_ldap_postgresql.conf.erb b/modules/profile/templates/postgresql/pam_ldap_pgbouncer.conf.erb similarity index 82% rename from modules/profile/templates/postgresql_master/pam_ldap_postgresql.conf.erb rename to modules/profile/templates/postgresql/pam_ldap_pgbouncer.conf.erb index f3d9674..12fa9bb 100644 --- a/modules/profile/templates/postgresql_master/pam_ldap_postgresql.conf.erb +++ b/modules/profile/templates/postgresql/pam_ldap_pgbouncer.conf.erb @@ -4,3 +4,4 @@ base <%= @ldap_base %> binddn <%= @ldap_dn %> bindpw <%= @ldap_password %> pam_login_attribute <%= @ldap_attribute %> +pam_filter <%= @ldap_filter %> diff --git a/modules/role/templates/backup/postgresql_backup@.service.erb b/modules/profile/templates/postgresql/postgresql_backup@.service.erb similarity index 87% rename from modules/role/templates/backup/postgresql_backup@.service.erb rename to modules/profile/templates/postgresql/postgresql_backup@.service.erb index 245a1cb..74f5a98 100644 --- a/modules/role/templates/backup/postgresql_backup@.service.erb +++ b/modules/profile/templates/postgresql/postgresql_backup@.service.erb @@ -8,10 +8,10 @@ TimeoutSec=120 User=postgres Group=postgres -Environment=PGROOT=<%= @mountpoint %>/%i/postgresql +Environment=PGROOT=<%= @base_path %>/%i/postgresql SyslogIdentifier=postgres -PIDFile=<%= @mountpoint %>/%i/postgresql/postmaster.pid +PIDFile=<%= @base_path %>/%i/postgresql/postmaster.pid RuntimeDirectory=postgresql RuntimeDirectoryMode=755 diff --git a/modules/role/manifests/backup.pp b/modules/role/manifests/backup.pp index 51b689d..b35c542 100644 --- a/modules/role/manifests/backup.pp +++ b/modules/role/manifests/backup.pp @@ -17,14 +17,6 @@ class role::backup ( include "role::backup::postgresql" - ensure_packages(["python", "python-pip"]) - package { "pylog2rotate": - source => "git+https://github.com/avian2/pylog2rotate", - ensure => present, - provider => "pip3", - require => Package["python-pip"], - } - ensure_packages(["rsync"]) ssh_keygen { $user: diff --git a/modules/role/manifests/backup/postgresql.pp b/modules/role/manifests/backup/postgresql.pp index 8c7542b..8a65dec 100644 --- a/modules/role/manifests/backup/postgresql.pp +++ b/modules/role/manifests/backup/postgresql.pp @@ -1,379 +1,21 @@ class role::backup::postgresql inherits role::backup { - $password_seed = lookup("base_installation::puppet_pass_seed") - - $user = lookup("role::backup::user") - $group = lookup("role::backup::group") - $pg_user = "postgres" - $pg_group = "postgres" - - $ldap_cn = lookup("base_installation::ldap_cn") - $ldap_password = generate_password(24, $password_seed, "ldap") - $ldap_server = lookup("base_installation::ldap_server") - $ldap_base = lookup("base_installation::ldap_base") - $ldap_dn = lookup("base_installation::ldap_dn") - $pgbouncer_ldap_attribute = "uid" - - $pg_slot = regsubst($ldap_cn, '-', "_", "G") - - ensure_packages(["postgresql", "pgbouncer", "pam_ldap"]) + ensure_packages(["postgresql"]) $pg_backup_hosts = lookup("role::backup::postgresql::backup_hosts", { "default_value" => {} }) - $ldap_filter = lookup("role::backup::postgresql::pgbouncer_access_filter", { "default_value" => undef }) - - unless empty($pg_backup_hosts) { - file { "/etc/systemd/system/postgresql_backup@.service": - mode => "0644", - owner => "root", - group => "root", - content => template("role/backup/postgresql_backup@.service.erb"), - } - - unless empty($ldap_filter) { - concat { "/etc/pgbouncer/pgbouncer.ini": - mode => "0644", - owner => "root", - group => "root", - ensure_newline => true, - notify => Service["pgbouncer"], - } - - concat::fragment { "pgbouncer_head": - target => "/etc/pgbouncer/pgbouncer.ini", - order => "01", - content => template("role/backup/pgbouncer.ini.erb"), - } - - file { "/etc/systemd/system/pgbouncer.service.d": - ensure => "directory", - mode => "0644", - owner => "root", - group => "root", - } - - file { "/etc/systemd/system/pgbouncer.service.d/override.conf": - ensure => "present", - mode => "0644", - owner => "root", - group => "root", - content => "[Service]\nUser=\nUser=$pg_user\n", - notify => Service["pgbouncer"], - } - - service { "pgbouncer": - ensure => "running", - enable => true, - require => [ - Package["pgbouncer"], - File["/etc/systemd/system/pgbouncer.service.d/override.conf"], - Concat["/etc/pgbouncer/pgbouncer.ini"] - ], - } - - file { "/etc/pam_ldap.d/pgbouncer.conf": - ensure => "present", - mode => "0600", - owner => $pg_user, - group => "root", - content => template("role/backup/pam_ldap_pgbouncer.conf.erb"), - require => File["/etc/pam_ldap.d"], - } -> - file { "/etc/pam.d/pgbouncer": - ensure => "present", - mode => "0644", - owner => "root", - group => "root", - source => "puppet:///modules/role/backup/pam_pgbouncer" - } - } - } - - $ldap_attribute = "cn" - - file { "/etc/pam_ldap.d": - ensure => directory, - mode => "0755", - owner => "root", - group => "root", - } -> - file { "/etc/pam_ldap.d/postgresql.conf": - ensure => "present", - mode => "0600", - owner => $pg_user, - group => "root", - content => template("profile/postgresql_master/pam_ldap_postgresql.conf.erb"), - } -> - file { "/etc/pam.d/postgresql": - ensure => "present", - mode => "0644", - owner => "root", - group => "root", - source => "puppet:///modules/profile/postgresql_master/pam_postgresql" - } $pg_backup_hosts.each |$backup_host_cn, $pg_infos| { - $host = find_host($facts["ldapvar"]["other"], $backup_host_cn) - if empty($host) { - $pg_backup_host = $backup_host_cn - } elsif has_key($host["vars"], "host") { - $pg_backup_host = $host["vars"]["host"][0] - } else { - $pg_backup_host = $host["vars"]["real_hostname"][0] - } - - $pg_path = "$mountpoint/$pg_backup_host/postgresql" - $pg_backup_path = "$mountpoint/$pg_backup_host/postgresql_backup" - $pg_host = "$pg_backup_host" - $pg_port = $pg_infos["dbport"] - - if has_key($host["vars"], "postgresql_backup_port") { - $pg_listen_port = $host["vars"]["postgresql_backup_port"][0] - file { "$pg_path/certs": - ensure => directory, - mode => "0700", - owner => $pg_user, - group => $pg_group, - } -> - ssl::self_signed_certificate { $backup_host_cn: - common_name => $backup_host_cn, - country => "FR", - days => "3650", - organization => "Immae", - owner => $pg_user, - group => $pg_group, - directory => "$pg_path/certs", - before => File["$pg_path/postgresql.conf"], - } - $ssl_key = "$pg_path/certs/$backup_host_cn.key" - $ssl_cert = "$pg_path/certs/$backup_host_cn.crt" - } else { - $pg_listen_port = undef - $ssl_key = undef - $ssl_cert = undef + profile::postgresql::backup_replication { $backup_host_cn: + base_path => $mountpoint, + pg_infos => $pg_infos, } - - unless empty($host) { - $host["ipHostNumber"].each |$ip| { - $infos = split($ip, "/") - $ipaddress = $infos[0] - if (length($infos) == 1 and $ipaddress =~ /:/) { - $mask = "128" - } elsif (length($infos) == 1) { - $mask = "32" - } else { - $mask = $infos[1] - } - - postgresql::server::pg_hba_rule { "allow TCP access for initial replication from $ipaddress/$mask": - type => 'hostssl', - database => 'replication', - user => $backup_host_cn, - address => "$ipaddress/$mask", - auth_method => 'pam', - order => "06-01", - target => "$pg_path/pg_hba.conf", - postgresql_version => "10", - } + if $pg_infos["pgbouncer"] { + profile::postgresql::backup_pgbouncer { $backup_host_cn: + base_path => $mountpoint, + pg_infos => $pg_infos, } } - if !empty($ldap_filter) and ($pg_infos["pgbouncer"]) { - if empty($pg_listen_port) { - $pg_listen_port_key = "" - } else { - $pg_listen_port_key = "port=$pg_listen_port" - } - - concat::fragment { "pgbouncer_$pg_backup_host": - target => "/etc/pgbouncer/pgbouncer.ini", - order => 02, - content => "${pg_infos[pgbouncer_dbname]} = host=$mountpoint/$pg_backup_host/postgresql $pg_listen_port_key user=${pg_infos[dbuser]} dbname=${pg_infos[dbname]}", - } - - postgresql::server::pg_hba_rule { "$pg_backup_host - local access as ${pg_infos[dbuser]} user": - description => "Allow local access to ${pg_infos[dbuser]} user", - type => 'local', - database => $pg_infos["dbname"], - user => $pg_infos["dbuser"], - auth_method => 'trust', - order => "01-00", - target => "$pg_path/pg_hba.conf", - postgresql_version => "10", - } - } - - file { "$mountpoint/$pg_backup_host": - ensure => directory, - owner => $user, - group => $group, - } - - file { $pg_path: - ensure => directory, - owner => $pg_user, - group => $pg_group, - mode => "0700", - require => File["$mountpoint/$pg_backup_host"], - } - - file { $pg_backup_path: - ensure => directory, - owner => $pg_user, - group => $pg_group, - mode => "0700", - require => File["$mountpoint/$pg_backup_host"], - } - - cron::job::multiple { "backup_psql_$pg_host": - ensure => "present", - require => [File[$pg_backup_path], File[$pg_path]], - jobs => [ - { - command => "/usr/bin/pg_dumpall -h $pg_path -f $pg_backup_path/\$(date -Iseconds).sql", - user => $pg_user, - hour => "22,4,10,16", - minute => 0, - description => "Backup the database", - }, - { - command => "/usr/bin/rm -f $(ls -1 $pg_backup_path/*.sql | grep -v 'T22:' | sort -r | sed -e '1,12d')", - user => $pg_user, - hour => 3, - minute => 0, - description => "Cleanup the database backups", - }, - { - command => "cd $pg_backup_path ; /usr/bin/rm -f $(ls -1 *T22*.sql | log2rotate --skip 7 --fuzz 7 --delete --format='%Y-%m-%dT%H:%M:%S+02:00.sql')", - user => $pg_user, - hour => 3, - minute => 1, - description => "Cleanup the database backups exponentially", - }, - ] - } - - exec { "pg_basebackup $pg_path": - cwd => $pg_path, - user => $pg_user, - creates => "$pg_path/PG_VERSION", - environment => ["PGPASSWORD=$ldap_password"], - command => "/usr/bin/pg_basebackup -w -h $pg_host -U $ldap_cn -D $pg_path -S $pg_slot", - before => [ - Concat["$pg_path/pg_hba.conf"], - Concat["$pg_path/recovery.conf"], - File["$pg_path/postgresql.conf"], - ] - } - - concat { "$pg_path/pg_hba.conf": - owner => $pg_user, - group => $pg_group, - mode => '0640', - warn => true, - } - postgresql::server::pg_hba_rule { "$pg_backup_host - local access as postgres user": - description => 'Allow local access to postgres user', - type => 'local', - database => 'all', - user => $pg_user, - auth_method => 'ident', - order => "00-01", - target => "$pg_path/pg_hba.conf", - postgresql_version => "10", - } - postgresql::server::pg_hba_rule { "$pg_backup_host - localhost access as postgres user": - description => 'Allow localhost access to postgres user', - type => 'host', - database => 'all', - user => $pg_user, - address => "127.0.0.1/32", - auth_method => 'md5', - order => "00-02", - target => "$pg_path/pg_hba.conf", - postgresql_version => "10", - } - postgresql::server::pg_hba_rule { "$pg_backup_host - localhost ip6 access as postgres user": - description => 'Allow localhost access to postgres user', - type => 'host', - database => 'all', - user => $pg_user, - address => "::1/128", - auth_method => 'md5', - order => "00-03", - target => "$pg_path/pg_hba.conf", - postgresql_version => "10", - } - postgresql::server::pg_hba_rule { "$pg_backup_host - deny access to postgresql user": - description => 'Deny remote access to postgres user', - type => 'host', - database => 'all', - user => $pg_user, - address => "0.0.0.0/0", - auth_method => 'reject', - order => "00-04", - target => "$pg_path/pg_hba.conf", - postgresql_version => "10", - } - - postgresql::server::pg_hba_rule { "$pg_backup_host - local access": - description => 'Allow local access with password', - type => 'local', - database => 'all', - user => 'all', - auth_method => 'md5', - order => "10-01", - target => "$pg_path/pg_hba.conf", - postgresql_version => "10", - } - - postgresql::server::pg_hba_rule { "$pg_backup_host - local access with same name": - description => 'Allow local access with same name', - type => 'local', - database => 'all', - user => 'all', - auth_method => 'ident', - order => "10-02", - target => "$pg_path/pg_hba.conf", - postgresql_version => "10", - } - - $primary_conninfo = "host=$pg_host port=$pg_port user=$ldap_cn password=$ldap_password sslmode=require" - $primary_slot_name = regsubst($ldap_cn, '-', "_", "G") - $standby_mode = "on" - - concat { "$pg_path/recovery.conf": - owner => $pg_user, - group => $pg_group, - mode => '0640', - warn => true, - } - concat::fragment { "$pg_path/recovery.conf": - target => "$pg_path/recovery.conf", - content => template('postgresql/recovery.conf.erb'), - } - - file { "$pg_path/postgresql.conf": - owner => $pg_user, - group => $pg_group, - mode => '0640', - content => template("role/backup/postgresql.conf.erb"), - } - - service { "postgresql_backup@$pg_backup_host": - enable => true, - ensure => "running", - require => [ - File["/etc/systemd/system/postgresql_backup@.service"], - Concat["$pg_path/pg_hba.conf"], - Concat["$pg_path/recovery.conf"], - File["$pg_path/postgresql.conf"], - ], - subscribe => [ - Concat["$pg_path/pg_hba.conf"], - Concat["$pg_path/recovery.conf"], - File["$pg_path/postgresql.conf"], - ] - } } } diff --git a/modules/role/templates/backup/pam_ldap_pgbouncer.conf.erb b/modules/role/templates/backup/pam_ldap_pgbouncer.conf.erb deleted file mode 100644 index 384a418..0000000 --- a/modules/role/templates/backup/pam_ldap_pgbouncer.conf.erb +++ /dev/null @@ -1,7 +0,0 @@ -host <%= @ldap_server %> - -base <%= @ldap_base %> -binddn <%= @ldap_dn %> -bindpw <%= @ldap_password %> -pam_login_attribute <%= @pgbouncer_ldap_attribute %> -pam_filter <%= @ldap_filter %>