1 class role::backup::postgresql inherits role::backup {
2 $password_seed = lookup("base_installation::puppet_pass_seed")
4 $user = lookup("role::backup::user")
5 $group = lookup("role::backup::group")
9 $ldap_cn = lookup("base_installation::ldap_cn")
10 $ldap_password = generate_password(24, $password_seed, "ldap")
11 $ldap_server = lookup("base_installation::ldap_server")
12 $ldap_base = lookup("base_installation::ldap_base")
13 $ldap_dn = lookup("base_installation::ldap_dn")
14 $pgbouncer_ldap_attribute = "uid"
16 $pg_slot = regsubst($ldap_cn, '-', "_", "G")
18 ensure_packages(["postgresql", "pgbouncer", "pam_ldap"])
20 $pg_backup_hosts = lookup("role::backup::postgresql::backup_hosts", { "default_value" => {} })
21 $ldap_filter = lookup("role::backup::postgresql::pgbouncer_access_filter", { "default_value" => undef })
23 unless empty($pg_backup_hosts) {
24 file { "/etc/systemd/system/postgresql_backup@.service":
28 content => template("role/backup/postgresql_backup@.service.erb"),
31 unless empty($ldap_filter) {
32 concat { "/etc/pgbouncer/pgbouncer.ini":
36 ensure_newline => true,
37 notify => Service["pgbouncer"],
40 concat::fragment { "pgbouncer_head":
41 target => "/etc/pgbouncer/pgbouncer.ini",
43 content => template("role/backup/pgbouncer.ini.erb"),
46 file { "/etc/systemd/system/pgbouncer.service.d":
47 ensure => "directory",
53 file { "/etc/systemd/system/pgbouncer.service.d/override.conf":
58 content => "[Service]\nUser=\nUser=$pg_user\n",
59 notify => Service["pgbouncer"],
62 service { "pgbouncer":
67 File["/etc/systemd/system/pgbouncer.service.d/override.conf"],
68 Concat["/etc/pgbouncer/pgbouncer.ini"]
72 file { "/etc/pam_ldap.d/pgbouncer.conf":
77 content => template("role/backup/pam_ldap_pgbouncer.conf.erb"),
78 require => File["/etc/pam_ldap.d"],
80 file { "/etc/pam.d/pgbouncer":
85 source => "puppet:///modules/role/backup/pam_pgbouncer"
90 $ldap_attribute = "cn"
92 file { "/etc/pam_ldap.d":
98 file { "/etc/pam_ldap.d/postgresql.conf":
103 content => template("profile/postgresql_master/pam_ldap_postgresql.conf.erb"),
105 file { "/etc/pam.d/postgresql":
110 source => "puppet:///modules/profile/postgresql_master/pam_postgresql"
113 $pg_backup_hosts.each |$backup_host_cn, $pg_infos| {
114 $host = find_host($facts["ldapvar"]["other"], $backup_host_cn)
116 $pg_backup_host = $backup_host_cn
117 } elsif has_key($host["vars"], "host") {
118 $pg_backup_host = $host["vars"]["host"][0]
120 $pg_backup_host = $host["vars"]["real_hostname"][0]
123 $pg_path = "$mountpoint/$pg_backup_host/postgresql"
124 $pg_backup_path = "$mountpoint/$pg_backup_host/postgresql_backup"
125 $pg_host = "$pg_backup_host"
126 $pg_port = $pg_infos["dbport"]
128 if has_key($host["vars"], "postgresql_backup_port") {
129 $pg_listen_port = $host["vars"]["postgresql_backup_port"][0]
130 file { "$pg_path/certs":
136 ssl::self_signed_certificate { $backup_host_cn:
137 common_name => $backup_host_cn,
140 organization => "Immae",
143 directory => "$pg_path/certs",
144 before => File["$pg_path/postgresql.conf"],
146 $ssl_key = "$pg_path/certs/$backup_host_cn.key"
147 $ssl_cert = "$pg_path/certs/$backup_host_cn.crt"
149 $pg_listen_port = undef
155 unless empty($host) {
156 $host["ipHostNumber"].each |$ip| {
157 $infos = split($ip, "/")
158 $ipaddress = $infos[0]
159 if (length($infos) == 1 and $ipaddress =~ /:/) {
161 } elsif (length($infos) == 1) {
167 postgresql::server::pg_hba_rule { "allow TCP access for initial replication from $ipaddress/$mask":
169 database => 'replication',
170 user => $backup_host_cn,
171 address => "$ipaddress/$mask",
172 auth_method => 'pam',
174 target => "$pg_path/pg_hba.conf",
175 postgresql_version => "10",
180 if !empty($ldap_filter) and ($pg_infos["pgbouncer"]) {
181 if empty($pg_listen_port) {
182 $pg_listen_port_key = ""
184 $pg_listen_port_key = "port=$pg_listen_port"
187 concat::fragment { "pgbouncer_$pg_backup_host":
188 target => "/etc/pgbouncer/pgbouncer.ini",
190 content => "${pg_infos[pgbouncer_dbname]} = host=$mountpoint/$pg_backup_host/postgresql $pg_listen_port_key user=${pg_infos[dbuser]} dbname=${pg_infos[dbname]}",
193 postgresql::server::pg_hba_rule { "$pg_backup_host - local access as ${pg_infos[dbuser]} user":
194 description => "Allow local access to ${pg_infos[dbuser]} user",
196 database => $pg_infos["dbname"],
197 user => $pg_infos["dbuser"],
198 auth_method => 'trust',
200 target => "$pg_path/pg_hba.conf",
201 postgresql_version => "10",
205 file { "$mountpoint/$pg_backup_host":
216 require => File["$mountpoint/$pg_backup_host"],
219 file { $pg_backup_path:
224 require => File["$mountpoint/$pg_backup_host"],
227 cron::job::multiple { "backup_psql_$pg_host":
229 require => [File[$pg_backup_path], File[$pg_path]],
232 command => "/usr/bin/pg_dumpall -h $pg_path -f $pg_backup_path/\$(date -Iseconds).sql",
234 hour => "22,4,10,16",
236 description => "Backup the database",
239 command => "/usr/bin/rm -f $(ls -1 $pg_backup_path/*.sql | grep -v 'T22:' | sort -r | sed -e '1,12d')",
243 description => "Cleanup the database backups",
246 command => "cd $pg_backup_path ; /usr/bin/rm -f $(ls -1 *T22*.sql | log2rotate --skip 7 --fuzz 7 --delete --format='%Y-%m-%dT%H:%M:%S+02:00.sql')",
250 description => "Cleanup the database backups exponentially",
255 exec { "pg_basebackup $pg_path":
258 creates => "$pg_path/PG_VERSION",
259 environment => ["PGPASSWORD=$ldap_password"],
260 command => "/usr/bin/pg_basebackup -w -h $pg_host -U $ldap_cn -D $pg_path -S $pg_slot",
262 Concat["$pg_path/pg_hba.conf"],
263 Concat["$pg_path/recovery.conf"],
264 File["$pg_path/postgresql.conf"],
268 concat { "$pg_path/pg_hba.conf":
274 postgresql::server::pg_hba_rule { "$pg_backup_host - local access as postgres user":
275 description => 'Allow local access to postgres user',
279 auth_method => 'ident',
281 target => "$pg_path/pg_hba.conf",
282 postgresql_version => "10",
284 postgresql::server::pg_hba_rule { "$pg_backup_host - localhost access as postgres user":
285 description => 'Allow localhost access to postgres user',
289 address => "127.0.0.1/32",
290 auth_method => 'md5',
292 target => "$pg_path/pg_hba.conf",
293 postgresql_version => "10",
295 postgresql::server::pg_hba_rule { "$pg_backup_host - localhost ip6 access as postgres user":
296 description => 'Allow localhost access to postgres user',
300 address => "::1/128",
301 auth_method => 'md5',
303 target => "$pg_path/pg_hba.conf",
304 postgresql_version => "10",
306 postgresql::server::pg_hba_rule { "$pg_backup_host - deny access to postgresql user":
307 description => 'Deny remote access to postgres user',
311 address => "0.0.0.0/0",
312 auth_method => 'reject',
314 target => "$pg_path/pg_hba.conf",
315 postgresql_version => "10",
318 postgresql::server::pg_hba_rule { "$pg_backup_host - local access":
319 description => 'Allow local access with password',
323 auth_method => 'md5',
325 target => "$pg_path/pg_hba.conf",
326 postgresql_version => "10",
329 postgresql::server::pg_hba_rule { "$pg_backup_host - local access with same name":
330 description => 'Allow local access with same name',
334 auth_method => 'ident',
336 target => "$pg_path/pg_hba.conf",
337 postgresql_version => "10",
340 $primary_conninfo = "host=$pg_host port=$pg_port user=$ldap_cn password=$ldap_password sslmode=require"
341 $primary_slot_name = regsubst($ldap_cn, '-', "_", "G")
344 concat { "$pg_path/recovery.conf":
350 concat::fragment { "$pg_path/recovery.conf":
351 target => "$pg_path/recovery.conf",
352 content => template('postgresql/recovery.conf.erb'),
355 file { "$pg_path/postgresql.conf":
359 content => template("role/backup/postgresql.conf.erb"),
362 service { "postgresql_backup@$pg_backup_host":
366 File["/etc/systemd/system/postgresql_backup@.service"],
367 Concat["$pg_path/pg_hba.conf"],
368 Concat["$pg_path/recovery.conf"],
369 File["$pg_path/postgresql.conf"],
372 Concat["$pg_path/pg_hba.conf"],
373 Concat["$pg_path/recovery.conf"],
374 File["$pg_path/postgresql.conf"],