1 class role::backup::postgresql inherits role::backup {
2 # This manifest is supposed to be part of the backup server
4 $password_seed = lookup("base_installation::puppet_pass_seed")
6 $user = lookup("role::backup::user")
7 $group = lookup("role::backup::group")
11 $ldap_cn = lookup("base_installation::ldap_cn")
12 $ldap_password = generate_password(24, $password_seed, "ldap")
13 $ldap_server = lookup("base_installation::ldap_server")
14 $ldap_base = lookup("base_installation::ldap_base")
15 $ldap_dn = lookup("base_installation::ldap_dn")
16 $pgbouncer_ldap_attribute = "uid"
18 $pg_slot = regsubst($ldap_cn, '-', "_", "G")
20 ensure_packages(["postgresql", "pgbouncer", "pam_ldap"])
22 $pg_backup_hosts = lookup("role::backup::postgresql::backup_hosts", { "default_value" => {} })
23 $ldap_filter = lookup("role::backup::postgresql::pgbouncer_access_filter", { "default_value" => undef })
25 unless empty($pg_backup_hosts) {
26 file { "/etc/systemd/system/postgresql_backup@.service":
30 content => template("role/backup/postgresql_backup@.service.erb"),
33 unless empty($ldap_filter) {
34 concat { "/etc/pgbouncer/pgbouncer.ini":
38 ensure_newline => true,
39 notify => Service["pgbouncer"],
42 concat::fragment { "pgbouncer_head":
43 target => "/etc/pgbouncer/pgbouncer.ini",
45 content => template("role/backup/pgbouncer.ini.erb"),
48 file { "/etc/systemd/system/pgbouncer.service.d":
49 ensure => "directory",
55 file { "/etc/systemd/system/pgbouncer.service.d/override.conf":
60 content => "[Service]\nUser=\nUser=$pg_user\n",
61 notify => Service["pgbouncer"],
64 service { "pgbouncer":
69 File["/etc/systemd/system/pgbouncer.service.d/override.conf"],
70 Concat["/etc/pgbouncer/pgbouncer.ini"]
74 file { "/etc/pam_ldap.d/pgbouncer.conf":
79 content => template("role/backup/pam_ldap_pgbouncer.conf.erb"),
80 require => File["/etc/pam_ldap.d"],
82 file { "/etc/pam.d/pgbouncer":
87 source => "puppet:///modules/role/backup/pam_pgbouncer"
92 $ldap_attribute = "cn"
94 file { "/etc/pam_ldap.d":
100 file { "/etc/pam_ldap.d/postgresql.conf":
105 content => template("profile/postgresql_master/pam_ldap_postgresql.conf.erb"),
107 file { "/etc/pam.d/postgresql":
112 source => "puppet:///modules/profile/postgresql_master/pam_postgresql"
115 $pg_backup_hosts.each |$backup_host_cn, $pg_infos| {
116 $host = find_host($facts["ldapvar"]["other"], $backup_host_cn)
118 $pg_backup_host = $backup_host_cn
119 } elsif has_key($host["vars"], "host") {
120 $pg_backup_host = $host["vars"]["host"][0]
122 $pg_backup_host = $host["vars"]["real_hostname"][0]
124 if has_key($host["vars"], "postgresql_backup_port") {
125 $pg_listen_port = $host["vars"]["postgresql_backup_port"][0]
127 $pg_listen_port = undef
130 $pg_path = "$mountpoint/$pg_backup_host/postgresql"
131 $pg_backup_path = "$mountpoint/$pg_backup_host/postgresql_backup"
132 $pg_host = "$pg_backup_host"
133 $pg_port = $pg_infos["dbport"]
135 unless empty($host) {
136 $host["ipHostNumber"].each |$ip| {
137 $infos = split($ip, "/")
138 $ipaddress = $infos[0]
139 if (length($infos) == 1 and $ipaddress =~ /:/) {
141 } elsif (length($infos) == 1) {
147 postgresql::server::pg_hba_rule { "allow TCP access for initial replication from $ipaddress/$mask":
149 database => 'replication',
150 user => $backup_host_cn,
151 address => "$ipaddress/$mask",
152 auth_method => 'pam',
154 target => "$pg_path/pg_hba.conf",
155 postgresql_version => "10",
160 if !empty($ldap_filter) and ($pg_infos["pgbouncer"]) {
161 if empty($pg_listen_port) {
162 $pg_listen_port_key = ""
164 $pg_listen_port_key = "port=$pg_listen_port"
167 concat::fragment { "pgbouncer_$pg_backup_host":
168 target => "/etc/pgbouncer/pgbouncer.ini",
170 content => "${pg_infos[pgbouncer_dbname]} = host=$mountpoint/$pg_backup_host/postgresql $pg_listen_port_key user=${pg_infos[dbuser]} dbname=${pg_infos[dbname]}",
173 postgresql::server::pg_hba_rule { "$pg_backup_host - local access as ${pg_infos[dbuser]} user":
174 description => "Allow local access to ${pg_infos[dbuser]} user",
176 database => $pg_infos["dbname"],
177 user => $pg_infos["dbuser"],
178 auth_method => 'trust',
180 target => "$pg_path/pg_hba.conf",
181 postgresql_version => "10",
185 file { "$mountpoint/$pg_backup_host":
196 require => File["$mountpoint/$pg_backup_host"],
199 file { $pg_backup_path:
204 require => File["$mountpoint/$pg_backup_host"],
207 cron::job::multiple { "backup_psql_$pg_host":
209 require => [File[$pg_backup_path], File[$pg_path]],
212 command => "/usr/bin/pg_dumpall -h $pg_path -f $pg_backup_path/\$(date -Iseconds).sql",
214 hour => "22,4,10,16",
216 description => "Backup the database",
219 command => "/usr/bin/rm -f $(ls -1 $pg_backup_path/*.sql | grep -v 'T22:' | sort -r | sed -e '1,12d')",
223 description => "Cleanup the database backups",
226 command => "cd $pg_backup_path ; /usr/bin/rm -f $(ls -1 *T22*.sql | log2rotate --skip 7 --fuzz 7 --delete --format='%Y-%m-%dT%H:%M:%S+02:00.sql')",
230 description => "Cleanup the database backups exponentially",
235 exec { "pg_basebackup $pg_path":
238 creates => "$pg_path/PG_VERSION",
239 environment => ["PGPASSWORD=$ldap_password"],
240 command => "/usr/bin/pg_basebackup -w -h $pg_host -U $ldap_cn -D $pg_path -S $pg_slot",
242 Concat["$pg_path/pg_hba.conf"],
243 Concat["$pg_path/recovery.conf"],
244 File["$pg_path/postgresql.conf"],
248 concat { "$pg_path/pg_hba.conf":
254 postgresql::server::pg_hba_rule { "$pg_backup_host - local access as postgres user":
255 description => 'Allow local access to postgres user',
259 auth_method => 'ident',
261 target => "$pg_path/pg_hba.conf",
262 postgresql_version => "10",
264 postgresql::server::pg_hba_rule { "$pg_backup_host - localhost access as postgres user":
265 description => 'Allow localhost access to postgres user',
269 address => "127.0.0.1/32",
270 auth_method => 'md5',
272 target => "$pg_path/pg_hba.conf",
273 postgresql_version => "10",
275 postgresql::server::pg_hba_rule { "$pg_backup_host - localhost ip6 access as postgres user":
276 description => 'Allow localhost access to postgres user',
280 address => "::1/128",
281 auth_method => 'md5',
283 target => "$pg_path/pg_hba.conf",
284 postgresql_version => "10",
286 postgresql::server::pg_hba_rule { "$pg_backup_host - deny access to postgresql user":
287 description => 'Deny remote access to postgres user',
291 address => "0.0.0.0/0",
292 auth_method => 'reject',
294 target => "$pg_path/pg_hba.conf",
295 postgresql_version => "10",
298 postgresql::server::pg_hba_rule { "$pg_backup_host - local access":
299 description => 'Allow local access with password',
303 auth_method => 'md5',
305 target => "$pg_path/pg_hba.conf",
306 postgresql_version => "10",
309 postgresql::server::pg_hba_rule { "$pg_backup_host - local access with same name":
310 description => 'Allow local access with same name',
314 auth_method => 'ident',
316 target => "$pg_path/pg_hba.conf",
317 postgresql_version => "10",
320 $primary_conninfo = "host=$pg_host port=$pg_port user=$ldap_cn password=$ldap_password sslmode=require"
321 $primary_slot_name = regsubst($ldap_cn, '-', "_", "G")
324 concat { "$pg_path/recovery.conf":
330 concat::fragment { "$pg_path/recovery.conf":
331 target => "$pg_path/recovery.conf",
332 content => template('postgresql/recovery.conf.erb'),
335 file { "$pg_path/postgresql.conf":
339 content => template("role/backup/postgresql.conf.erb"),
342 service { "postgresql_backup@$pg_backup_host":
346 File["/etc/systemd/system/postgresql_backup@.service"],
347 Concat["$pg_path/pg_hba.conf"],
348 Concat["$pg_path/recovery.conf"],
349 File["$pg_path/postgresql.conf"],
352 Concat["$pg_path/pg_hba.conf"],
353 Concat["$pg_path/recovery.conf"],
354 File["$pg_path/postgresql.conf"],