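class role::backup::postgresql inherits role::backup {
  # This manifest is supposed to be part of the backup server.
  #
  # For every entry of role::backup::postgresql::backup_hosts it maintains a
  # streaming-replication standby of that host's PostgreSQL under
  # "$mountpoint/<host>/postgresql" (bootstrapped with pg_basebackup and run
  # as a postgresql_backup@<host> systemd instance), periodic pg_dumpall
  # snapshots with retention, and - when a pgbouncer access filter is
  # configured - a pgbouncer entry for the database, authenticated via pam_ldap.
  #
  # $mountpoint is not set in this class; presumably it comes from the
  # inherited role::backup class.

  $password_seed = lookup("base_installation::puppet_pass_seed")

  $user     = lookup("role::backup::user")
  $group    = lookup("role::backup::group")
  $pg_user  = "postgres"
  $pg_group = "postgres"

  # LDAP settings; most of these are only read by the templates rendered below.
  $ldap_cn                  = lookup("base_installation::ldap_cn")
  $ldap_password            = generate_password(24, $password_seed, "ldap")
  $ldap_server              = lookup("base_installation::ldap_server")
  $ldap_base                = lookup("base_installation::ldap_base")
  $ldap_dn                  = lookup("base_installation::ldap_dn")
  $pgbouncer_ldap_attribute = "uid"

  # Replication slot used on the primary; slot names cannot contain '-'.
  $pg_slot = regsubst($ldap_cn, '-', "_", "G")

  ensure_packages(["postgresql", "pgbouncer", "pam_ldap"])

  # <host cn> => { dbport, dbname, dbuser, pgbouncer, pgbouncer_dbname }
  $pg_backup_hosts = lookup("role::backup::postgresql::backup_hosts", { "default_value" => {} })
  # When unset, no pgbouncer is configured at all.
  $ldap_filter = lookup("role::backup::postgresql::pgbouncer_access_filter", { "default_value" => undef })

  unless empty($pg_backup_hosts) {
    # Template unit; one instance per backup host is enabled further down.
    file { "/etc/systemd/system/postgresql_backup@.service":
      mode    => "0644",
      owner   => "root",
      group   => "root",
      content => template("role/backup/postgresql_backup@.service.erb"),
    }

    unless empty($ldap_filter) {
      concat { "/etc/pgbouncer/pgbouncer.ini":
        mode           => "0644",
        owner          => "root",
        group          => "root",
        ensure_newline => true,
        notify         => Service["pgbouncer"],
      }

      concat::fragment { "pgbouncer_head":
        target  => "/etc/pgbouncer/pgbouncer.ini",
        order   => "01",
        content => template("role/backup/pgbouncer.ini.erb"),
      }

      # Puppet adds the search bit to directories whenever read is set, so
      # "0755" is the same result as the previous "0644", only explicit.
      file { "/etc/systemd/system/pgbouncer.service.d":
        ensure => "directory",
        mode   => "0755",
        owner  => "root",
        group  => "root",
      }

      # Run pgbouncer as $pg_user - presumably so it can read the per-service
      # pam_ldap configuration below, which is 0600 and owned by that user.
      # The empty "User=" line resets whatever the packaged unit sets.
      file { "/etc/systemd/system/pgbouncer.service.d/override.conf":
        ensure  => "present",
        mode    => "0644",
        owner   => "root",
        group   => "root",
        content => "[Service]\nUser=\nUser=$pg_user\n",
        notify  => Service["pgbouncer"],
      }

      service { "pgbouncer":
        ensure  => "running",
        enable  => true,
        require => [
          Package["pgbouncer"],
          File["/etc/systemd/system/pgbouncer.service.d/override.conf"],
          Concat["/etc/pgbouncer/pgbouncer.ini"],
        ],
      }

      # pam_ldap configuration dedicated to pgbouncer, readable only by $pg_user
      # (it presumably carries LDAP bind settings - see the template).
      file { "/etc/pam_ldap.d/pgbouncer.conf":
        ensure  => "present",
        mode    => "0600",
        owner   => $pg_user,
        group   => "root",
        content => template("role/backup/pam_ldap_pgbouncer.conf.erb"),
        require => File["/etc/pam_ldap.d"],
      } ->
      file { "/etc/pam.d/pgbouncer":
        ensure => "present",
        mode   => "0644",
        owner  => "root",
        group  => "root",
        source => "puppet:///modules/role/backup/pam_pgbouncer",
      }
    }
  }

  # Read by the pam_ldap template for postgresql below.
  $ldap_attribute = "cn"

  file { "/etc/pam_ldap.d":
    ensure => directory,
    mode   => "0755",
    owner  => "root",
    group  => "root",
  } ->
  file { "/etc/pam_ldap.d/postgresql.conf":
    ensure  => "present",
    mode    => "0600",
    owner   => $pg_user,
    group   => "root",
    content => template("profile/postgresql_master/pam_ldap_postgresql.conf.erb"),
  } ->
  file { "/etc/pam.d/postgresql":
    ensure => "present",
    mode   => "0644",
    owner  => "root",
    group  => "root",
    source => "puppet:///modules/profile/postgresql_master/pam_postgresql",
  }

  $pg_backup_hosts.each |$backup_host_cn, $pg_infos| {
    # Resolve the host's address from the LDAP inventory facts; fall back to
    # the cn itself when the host is not known there.
    $host = find_host($facts["ldapvar"]["other"], $backup_host_cn)
    if empty($host) {
      $pg_backup_host = $backup_host_cn
    } elsif has_key($host["vars"], "host") {
      $pg_backup_host = $host["vars"]["host"][0]
    } else {
      $pg_backup_host = $host["vars"]["real_hostname"][0]
    }

    # Optional port override for this host's standby (presumably consumed by
    # postgresql.conf.erb). Guarded on $host: has_key() needs a hash, and the
    # fallback branch above explicitly allows an empty $host.
    if !empty($host) and has_key($host["vars"], "postgresql_backup_port") {
      $pg_listen_port = $host["vars"]["postgresql_backup_port"][0]
    } else {
      $pg_listen_port = undef
    }

    $pg_path        = "$mountpoint/$pg_backup_host/postgresql"
    $pg_backup_path = "$mountpoint/$pg_backup_host/postgresql_backup"
    $pg_host        = $pg_backup_host
    $pg_port        = $pg_infos["dbport"]

    unless empty($host) {
      # Let each address of the backed-up host reach this standby for the
      # initial replication; an address without a prefix gets a host mask.
      $host["ipHostNumber"].each |$ip| {
        $infos     = split($ip, "/")
        $ipaddress = $infos[0]
        if (length($infos) == 1 and $ipaddress =~ /:/) {
          $mask = "128"
        } elsif (length($infos) == 1) {
          $mask = "32"
        } else {
          $mask = $infos[1]
        }

        postgresql::server::pg_hba_rule { "allow TCP access for initial replication from $ipaddress/$mask":
          type               => 'hostssl',
          database           => 'replication',
          user               => $backup_host_cn,
          address            => "$ipaddress/$mask",
          auth_method        => 'pam',
          order              => "06-01",
          target             => "$pg_path/pg_hba.conf",
          postgresql_version => "10",
        }
      }
    }

    if !empty($ldap_filter) and ($pg_infos["pgbouncer"]) {
      if empty($pg_listen_port) {
        $pg_listen_port_key = ""
      } else {
        $pg_listen_port_key = "port=$pg_listen_port"
      }

      # Database entry for pgbouncer; host= is a directory, i.e. a Unix-socket
      # connection to the standby. Order is a string like the head fragment.
      concat::fragment { "pgbouncer_$pg_backup_host":
        target  => "/etc/pgbouncer/pgbouncer.ini",
        order   => "02",
        content => "${pg_infos['pgbouncer_dbname']} = host=$mountpoint/$pg_backup_host/postgresql $pg_listen_port_key user=${pg_infos['dbuser']} dbname=${pg_infos['dbname']}",
      }

      # pgbouncer (running as $pg_user) connects over the socket without a
      # password; the socket directory $pg_path is 0700 and owned by $pg_user.
      postgresql::server::pg_hba_rule { "$pg_backup_host - local access as ${pg_infos['dbuser']} user":
        description        => "Allow local access to ${pg_infos['dbuser']} user",
        type               => 'local',
        database           => $pg_infos["dbname"],
        user               => $pg_infos["dbuser"],
        auth_method        => 'trust',
        order              => "01-00",
        target             => "$pg_path/pg_hba.conf",
        postgresql_version => "10",
      }
    }

    file { "$mountpoint/$pg_backup_host":
      ensure => directory,
      owner  => $user,
      group  => $group,
    }

    file { $pg_path:
      ensure  => directory,
      owner   => $pg_user,
      group   => $pg_group,
      mode    => "0700",
      require => File["$mountpoint/$pg_backup_host"],
    }

    file { $pg_backup_path:
      ensure  => directory,
      owner   => $pg_user,
      group   => $pg_group,
      mode    => "0700",
      require => File["$mountpoint/$pg_backup_host"],
    }

    # "\$(...)" is escaped everywhere so the substitution is left to the shell
    # and Puppet never tries to interpolate it.
    cron::job::multiple { "backup_psql_$pg_host":
      ensure  => "present",
      require => [File[$pg_backup_path], File[$pg_path]],
      jobs    => [
        {
          command     => "/usr/bin/pg_dumpall -h $pg_path -f $pg_backup_path/\$(date -Iseconds).sql",
          user        => $pg_user,
          hour        => "22,4,10,16",
          minute      => 0,
          description => "Backup the database",
        },
        {
          # Keep the 12 newest non-22h dumps (four days at three per day).
          command     => "/usr/bin/rm -f \$(ls -1 $pg_backup_path/*.sql | grep -v 'T22:' | sort -r | sed -e '1,12d')",
          user        => $pg_user,
          hour        => 3,
          minute      => 0,
          description => "Cleanup the database backups",
        },
        {
          # Thin the 22h dumps exponentially. NOTE(review): the format pins a
          # "+02:00" offset; dumps named under another offset (e.g. +01:00 in
          # winter) would not match and would never be rotated - confirm the
          # host's timezone is fixed.
          command     => "cd $pg_backup_path ; /usr/bin/rm -f \$(ls -1 *T22*.sql | log2rotate --skip 7 --fuzz 7 --delete --format='%Y-%m-%dT%H:%M:%S+02:00.sql')",
          user        => $pg_user,
          hour        => 3,
          minute      => 1,
          description => "Cleanup the database backups exponentially",
        },
      ],
    }

    # Initial clone of the primary into $pg_path; runs only once (creates).
    # NOTE(review): the password travels through the exec environment; a
    # PGPASSFILE owned by $pg_user (mode 0600) would keep it out of the
    # process environment.
    exec { "pg_basebackup $pg_path":
      cwd         => $pg_path,
      user        => $pg_user,
      creates     => "$pg_path/PG_VERSION",
      environment => ["PGPASSWORD=$ldap_password"],
      command     => "/usr/bin/pg_basebackup -w -h $pg_host -U $ldap_cn -D $pg_path -S $pg_slot",
      before      => [
        Concat["$pg_path/pg_hba.conf"],
        Concat["$pg_path/recovery.conf"],
        File["$pg_path/postgresql.conf"],
      ],
    }

    # pg_hba.conf of the standby. Rules are applied in "order": the postgres
    # user is limited to the socket (ident) and loopback (md5) and explicitly
    # rejected from any IPv4 remote; pg_hba is default-deny, so an IPv6 remote
    # falls through to the implicit reject. Remaining local users get md5,
    # then ident.
    concat { "$pg_path/pg_hba.conf":
      owner => $pg_user,
      group => $pg_group,
      mode  => '0640',
      warn  => true,
    }
    postgresql::server::pg_hba_rule { "$pg_backup_host - local access as postgres user":
      description        => 'Allow local access to postgres user',
      type               => 'local',
      database           => 'all',
      user               => $pg_user,
      auth_method        => 'ident',
      order              => "00-01",
      target             => "$pg_path/pg_hba.conf",
      postgresql_version => "10",
    }
    postgresql::server::pg_hba_rule { "$pg_backup_host - localhost access as postgres user":
      description        => 'Allow localhost access to postgres user',
      type               => 'host',
      database           => 'all',
      user               => $pg_user,
      address            => "127.0.0.1/32",
      auth_method        => 'md5',
      order              => "00-02",
      target             => "$pg_path/pg_hba.conf",
      postgresql_version => "10",
    }
    postgresql::server::pg_hba_rule { "$pg_backup_host - localhost ip6 access as postgres user":
      description        => 'Allow localhost access to postgres user',
      type               => 'host',
      database           => 'all',
      user               => $pg_user,
      address            => "::1/128",
      auth_method        => 'md5',
      order              => "00-03",
      target             => "$pg_path/pg_hba.conf",
      postgresql_version => "10",
    }
    postgresql::server::pg_hba_rule { "$pg_backup_host - deny access to postgresql user":
      description        => 'Deny remote access to postgres user',
      type               => 'host',
      database           => 'all',
      user               => $pg_user,
      address            => "0.0.0.0/0",
      auth_method        => 'reject',
      order              => "00-04",
      target             => "$pg_path/pg_hba.conf",
      postgresql_version => "10",
    }

    postgresql::server::pg_hba_rule { "$pg_backup_host - local access":
      description        => 'Allow local access with password',
      type               => 'local',
      database           => 'all',
      user               => 'all',
      auth_method        => 'md5',
      order              => "10-01",
      target             => "$pg_path/pg_hba.conf",
      postgresql_version => "10",
    }

    postgresql::server::pg_hba_rule { "$pg_backup_host - local access with same name":
      description        => 'Allow local access with same name',
      type               => 'local',
      database           => 'all',
      user               => 'all',
      auth_method        => 'ident',
      order              => "10-02",
      target             => "$pg_path/pg_hba.conf",
      postgresql_version => "10",
    }

    # Consumed by postgresql/recovery.conf.erb. The rendered file holds the
    # replication password, hence 0640 and owned by $pg_user below. The slot
    # name is the same one pg_basebackup was told to use (-S).
    $primary_conninfo  = "host=$pg_host port=$pg_port user=$ldap_cn password=$ldap_password sslmode=require"
    $primary_slot_name = $pg_slot
    $standby_mode      = "on"

    concat { "$pg_path/recovery.conf":
      owner => $pg_user,
      group => $pg_group,
      mode  => '0640',
      warn  => true,
    }
    concat::fragment { "$pg_path/recovery.conf":
      target  => "$pg_path/recovery.conf",
      content => template('postgresql/recovery.conf.erb'),
    }

    file { "$pg_path/postgresql.conf":
      owner   => $pg_user,
      group   => $pg_group,
      mode    => '0640',
      content => template("role/backup/postgresql.conf.erb"),
    }

    # One instance of the template unit per backed-up host; restarted
    # whenever any of its configuration files changes.
    service { "postgresql_backup@$pg_backup_host":
      enable    => true,
      ensure    => "running",
      require   => [
        File["/etc/systemd/system/postgresql_backup@.service"],
        Concat["$pg_path/pg_hba.conf"],
        Concat["$pg_path/recovery.conf"],
        File["$pg_path/postgresql.conf"],
      ],
      subscribe => [
        Concat["$pg_path/pg_hba.conf"],
        Concat["$pg_path/recovery.conf"],
        File["$pg_path/postgresql.conf"],
      ],
    }
  }

}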