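class role::backup::postgresql inherits role::backup {
  # This manifest is supposed to be part of the backup server.
  #
  # For every host listed in role::backup::postgresql::backup_hosts it:
  #   - bootstraps a streaming standby of that host's PostgreSQL under
  #     $mountpoint/<host>/postgresql (pg_basebackup + recovery.conf) and runs it
  #     as the postgresql_backup@<host> systemd unit;
  #   - takes periodic pg_dumpall snapshots of the standby into
  #     $mountpoint/<host>/postgresql_backup and prunes them;
  #   - optionally exposes selected standby databases through pgbouncer, with
  #     PAM/LDAP authentication, when pgbouncer_access_filter is set.
  #
  # $mountpoint is not defined here; it is expected to come from the parent
  # class role::backup (this class inherits it).

  $password_seed = lookup("base_installation::puppet_pass_seed")

  $user = lookup("role::backup::user")
  $group = lookup("role::backup::group")
  # The standby clusters, pgbouncer and the dump cron jobs all run as this
  # OS account.
  $pg_user = "postgres"
  $pg_group = "postgres"

  $ldap_cn = lookup("base_installation::ldap_cn")
  # Derived deterministically from the seed, so the same value can be
  # regenerated on the primaries; it doubles as the replication password
  # for the $ldap_cn role below (PGPASSWORD and primary_conninfo).
  $ldap_password = generate_password(24, $password_seed, "ldap")
  $ldap_server = lookup("base_installation::ldap_server")
  $ldap_base = lookup("base_installation::ldap_base")
  $ldap_dn = lookup("base_installation::ldap_dn")
  $ldap_attribute = "uid"

  # Replication slot names may not contain '-', so reuse the LDAP cn with
  # dashes mapped to underscores.
  $pg_slot = regsubst($ldap_cn, '-', "_", "G")

  ensure_packages(["postgresql", "pgbouncer", "pam_ldap"])

  # Map of <host cn> => { dbport, dbname, dbuser, pgbouncer, pgbouncer_dbname }
  # (keys as consumed below); empty map disables everything in this class.
  $pg_backup_hosts = lookup("role::backup::postgresql::backup_hosts", { "default_value" => {} })
  # LDAP filter restricting who may log in through pgbouncer; undef/empty
  # disables the pgbouncer part entirely.
  $ldap_filter = lookup("role::backup::postgresql::pgbouncer_access_filter", { "default_value" => undef })

  unless empty($pg_backup_hosts) {
    # Template unit instantiated once per backed-up host (see the service
    # resource at the end of the each loop).
    file { "/etc/systemd/system/postgresql_backup@.service":
      mode    => "0644",
      owner   => "root",
      group   => "root",
      content => template("role/backup/postgresql_backup@.service.erb"),
    }

    unless empty($ldap_filter) {
      # pgbouncer.ini is assembled from a head fragment (global settings,
      # order 01) plus one "[databases]" entry per host (order 02).
      concat { "/etc/pgbouncer/pgbouncer.ini":
        mode           => "0644",
        owner          => "root",
        group          => "root",
        ensure_newline => true,
        notify         => Service["pgbouncer"],
      }

      concat::fragment { "pgbouncer_head":
        target  => "/etc/pgbouncer/pgbouncer.ini",
        order   => "01",
        content => template("role/backup/pgbouncer.ini.erb"),
      }

      # Directory: 0755 (search bit needed), consistent with /etc/pam_ldap.d
      # below.
      file { "/etc/systemd/system/pgbouncer.service.d":
        ensure => "directory",
        mode   => "0755",
        owner  => "root",
        group  => "root",
      }

      # Run pgbouncer as $pg_user so it can read /etc/pam_ldap.d/pgbouncer.conf
      # (0600, owned by $pg_user) and reach the standby unix sockets. The
      # empty "User=" first clears the value set by the packaged unit.
      file { "/etc/systemd/system/pgbouncer.service.d/override.conf":
        ensure  => "present",
        mode    => "0644",
        owner   => "root",
        group   => "root",
        content => "[Service]\nUser=\nUser=$pg_user\n",
        notify  => Service["pgbouncer"],
      }

      service { "pgbouncer":
        ensure  => "running",
        enable  => true,
        require => [
          Package["pgbouncer"],
          File["/etc/systemd/system/pgbouncer.service.d/override.conf"],
          Concat["/etc/pgbouncer/pgbouncer.ini"]
        ],
      }

      # PAM/LDAP configuration used by pgbouncer's auth. The per-service
      # pam_ldap config is readable only by $pg_user (it presumably holds
      # the LDAP bind credentials, see the template); the pam.d stack itself
      # carries nothing secret.
      file { "/etc/pam_ldap.d":
        ensure => directory,
        mode   => "0755",
        owner  => "root",
        group  => "root",
      } ->
      file { "/etc/pam_ldap.d/pgbouncer.conf":
        ensure  => "present",
        mode    => "0600",
        owner   => $pg_user,
        group   => "root",
        content => template("role/backup/pam_ldap_pgbouncer.conf.erb"),
      } ->
      file { "/etc/pam.d/pgbouncer":
        ensure => "present",
        mode   => "0644",
        owner  => "root",
        group  => "root",
        source => "puppet:///modules/role/backup/pam_pgbouncer"
      }
    }
  }

  $pg_backup_hosts.each |$backup_host_cn, $pg_infos| {
    # Resolve the cn to a reachable hostname via the LDAP facts: explicit
    # "host" attribute first, then "real_hostname", else the cn itself.
    $host = find_host($facts["ldapvar"]["other"], $backup_host_cn)
    if empty($host) {
      $pg_backup_host = $backup_host_cn
    } elsif has_key($host["vars"], "host") {
      $pg_backup_host = $host["vars"]["host"][0]
    } else {
      $pg_backup_host = $host["vars"]["real_hostname"][0]
    }
    # $pg_path is both the standby's data directory and its unix socket
    # directory (pg_dumpall -h / pgbouncer host= point at it).
    $pg_path = "$mountpoint/$pg_backup_host/postgresql"
    $pg_backup_path = "$mountpoint/$pg_backup_host/postgresql_backup"
    $pg_host = "$pg_backup_host"
    $pg_port = $pg_infos["dbport"]

    if !empty($ldap_filter) and ($pg_infos["pgbouncer"]) {
      # [databases] entry: pgbouncer alias => standby unix socket, db user
      # and db name.
      concat::fragment { "pgbouncer_$pg_backup_host":
        target  => "/etc/pgbouncer/pgbouncer.ini",
        order   => "02",
        content => "${pg_infos[pgbouncer_dbname]} = host=$mountpoint/$pg_backup_host/postgresql user=${pg_infos[dbuser]} dbname=${pg_infos[dbname]}",
      }

      # NOTE(review): "trust" on a "local" (unix socket) rule lets ANY OS
      # account on this host connect to ${pg_infos[dbname]} as
      # ${pg_infos[dbuser]} with no password; the only access control is
      # therefore the PAM/LDAP filter in front of pgbouncer, and the socket
      # directory permissions ($pg_path is 0700 $pg_user). A "peer" rule with a
      # pg_ident map from the postgres OS user would be tighter — confirm
      # pgbouncer can use it before changing.
      postgresql::server::pg_hba_rule { "$pg_backup_host - local access as ${pg_infos[dbuser]} user":
        description        => "Allow local access to ${pg_infos[dbuser]} user",
        type               => 'local',
        database           => $pg_infos["dbname"],
        user               => $pg_infos["dbuser"],
        auth_method        => 'trust',
        order              => "01-00",
        target             => "$pg_path/pg_hba.conf",
        postgresql_version => "10",
      }
    }

    # Per-host root owned by the generic backup user; no mode is enforced on
    # it (existing permissions are kept).
    file { "$mountpoint/$pg_backup_host":
      ensure => directory,
      owner  => $user,
      group  => $group,
    }

    # Data directory and dump directory are private to $pg_user: the data
    # directory must be 0700 for PostgreSQL to start, and the dumps contain
    # full database contents.
    file { $pg_path:
      ensure  => directory,
      owner   => $pg_user,
      group   => $pg_group,
      mode    => "0700",
      require => File["$mountpoint/$pg_backup_host"],
    }

    file { $pg_backup_path:
      ensure  => directory,
      owner   => $pg_user,
      group   => $pg_group,
      mode    => "0700",
      require => File["$mountpoint/$pg_backup_host"],
    }

    # Dumps: four per day via the standby's unix socket, named by
    # ISO-8601 timestamp. Retention: keep the last 12 non-22h dumps (i.e.
    # 4 days of the intermediate snapshots) and apply log2rotate's
    # exponential thinning to the 22h dumps.
    # NOTE(review): the log2rotate format hard-codes "+02:00"; `date -Iseconds`
    # prints the local UTC offset, so dumps written under a different offset
    # (e.g. +01:00 outside DST) would not match the pattern and would neither
    # be rotated nor deleted — confirm the host timezone before relying on it.
    cron::job::multiple { "backup_psql_$pg_host":
      ensure  => "present",
      require => [File[$pg_backup_path], File[$pg_path]],
      jobs    => [
        {
          command     => "/usr/bin/pg_dumpall -h $pg_path -f $pg_backup_path/\$(date -Iseconds).sql",
          user        => $pg_user,
          hour        => "22,4,10,16",
          minute      => 0,
          description => "Backup the database",
        },
        {
          command     => "/usr/bin/rm -f $(ls -1 $pg_backup_path/*.sql | grep -v 'T22:' | sort -r | sed -e '1,12d')",
          user        => $pg_user,
          hour        => 3,
          minute      => 0,
          description => "Cleanup the database backups",
        },
        {
          command     => "cd $pg_backup_path ; /usr/bin/rm -f $(ls -1 *T22*.sql | log2rotate --skip 7 --fuzz 7 --delete --format='%Y-%m-%dT%H:%M:%S+02:00.sql')",
          user        => $pg_user,
          hour        => 3,
          minute      => 1,
          description => "Cleanup the database backups exponentially",
        },
      ]
    }

    # One-shot initial clone of the primary, skipped once PG_VERSION exists.
    # The password is handed over through the environment rather than the
    # command line so it does not show up in the logged command; it is still
    # readable in /proc/<pid>/environ by $pg_user and root, and ends up in
    # recovery.conf (0640 $pg_user:$pg_group) anyway. Ordered before the
    # config files so they are written into the freshly cloned directory.
    exec { "pg_basebackup $pg_path":
      cwd         => $pg_path,
      user        => $pg_user,
      creates     => "$pg_path/PG_VERSION",
      environment => ["PGPASSWORD=$ldap_password"],
      command     => "/usr/bin/pg_basebackup -w -h $pg_host -U $ldap_cn -D $pg_path -S $pg_slot",
      before      => [
        Concat["$pg_path/pg_hba.conf"],
        Concat["$pg_path/recovery.conf"],
        File["$pg_path/postgresql.conf"],
      ]
    }

    # pg_hba.conf of the standby. PostgreSQL uses the first matching rule, so
    # the "00-*" rules for the postgres superuser come first: socket access by
    # OS identity, loopback with password, everything else IPv4 rejected.
    concat { "$pg_path/pg_hba.conf":
      owner => $pg_user,
      group => $pg_group,
      mode  => '0640',
      warn  => true,
    }
    postgresql::server::pg_hba_rule { "$pg_backup_host - local access as postgres user":
      description        => 'Allow local access to postgres user',
      type               => 'local',
      database           => 'all',
      user               => $pg_user,
      auth_method        => 'ident',
      order              => "00-01",
      target             => "$pg_path/pg_hba.conf",
      postgresql_version => "10",
    }
    postgresql::server::pg_hba_rule { "$pg_backup_host - localhost access as postgres user":
      description        => 'Allow localhost access to postgres user',
      type               => 'host',
      database           => 'all',
      user               => $pg_user,
      address            => "127.0.0.1/32",
      auth_method        => 'md5',
      order              => "00-02",
      target             => "$pg_path/pg_hba.conf",
      postgresql_version => "10",
    }
    postgresql::server::pg_hba_rule { "$pg_backup_host - localhost ip6 access as postgres user":
      description        => 'Allow localhost access to postgres user',
      type               => 'host',
      database           => 'all',
      user               => $pg_user,
      address            => "::1/128",
      auth_method        => 'md5',
      order              => "00-03",
      target             => "$pg_path/pg_hba.conf",
      postgresql_version => "10",
    }
    # NOTE(review): this reject covers IPv4 only. Remote IPv6 connections as
    # postgres match no "host" rule declared in this file and are refused by
    # PostgreSQL's implicit default, unless another fragment targeting this
    # pg_hba.conf adds one elsewhere.
    postgresql::server::pg_hba_rule { "$pg_backup_host - deny access to postgresql user":
      description        => 'Deny remote access to postgres user',
      type               => 'host',
      database           => 'all',
      user               => $pg_user,
      address            => "0.0.0.0/0",
      auth_method        => 'reject',
      order              => "00-04",
      target             => "$pg_path/pg_hba.conf",
      postgresql_version => "10",
    }

    postgresql::server::pg_hba_rule { "$pg_backup_host - local access":
      description        => 'Allow local access with password',
      type               => 'local',
      database           => 'all',
      user               => 'all',
      auth_method        => 'md5',
      order              => "10-01",
      target             => "$pg_path/pg_hba.conf",
      postgresql_version => "10",
    }

    # NOTE(review): same type/database/user as the "10-01" md5 rule above and
    # ordered after it, so with first-match semantics this ident rule is
    # effectively never reached. Kept as-is.
    postgresql::server::pg_hba_rule { "$pg_backup_host - local access with same name":
      description        => 'Allow local access with same name',
      type               => 'local',
      database           => 'all',
      user               => 'all',
      auth_method        => 'ident',
      order              => "10-02",
      target             => "$pg_path/pg_hba.conf",
      postgresql_version => "10",
    }

    # Streaming replication settings consumed by postgresql/recovery.conf.erb.
    # The plaintext replication password lives in recovery.conf, hence the
    # 0640 $pg_user:$pg_group mode below.
    $primary_conninfo = "host=$pg_host port=$pg_port user=$ldap_cn password=$ldap_password sslmode=require"
    $primary_slot_name = regsubst($ldap_cn, '-', "_", "G")
    $standby_mode = "on"

    concat { "$pg_path/recovery.conf":
      owner => $pg_user,
      group => $pg_group,
      mode  => '0640',
      warn  => true,
    }
    concat::fragment { "$pg_path/recovery.conf":
      target  => "$pg_path/recovery.conf",
      content => template('postgresql/recovery.conf.erb'),
    }

    file { "$pg_path/postgresql.conf":
      owner   => $pg_user,
      group   => $pg_group,
      mode    => '0640',
      content => template("role/backup/postgresql.conf.erb"),
    }

    service { "postgresql_backup@$pg_backup_host":
      enable  => true,
      ensure  => "running",
      require => [
        File["/etc/systemd/system/postgresql_backup@.service"],
        Concat["$pg_path/pg_hba.conf"],
        Concat["$pg_path/recovery.conf"],
        File["$pg_path/postgresql.conf"],
      ]
    }
  }

}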