modules/role/manifests/backup/postgresql.pp

   1 class role::backup::postgresql inherits role::backup {
   2   # This manifest is supposed to be part of the backup server
   3
   4   $password_seed = lookup("base_installation::puppet_pass_seed")
   5
   6   $user = lookup("role::backup::user")
   7   $group = lookup("role::backup::group")
   8   $pg_user = "postgres"
   9   $pg_group = "postgres"
  10
  11   $ldap_cn = lookup("base_installation::ldap_cn")
  12   $ldap_password = generate_password(24, $password_seed, "ldap")
  13   $ldap_server = lookup("base_installation::ldap_server")
  14   $ldap_base   = lookup("base_installation::ldap_base")
  15   $ldap_dn     = lookup("base_installation::ldap_dn")
  16   $ldap_attribute = "uid"
  17
  18   $pg_slot = regsubst($ldap_cn, '-', "_", "G")
  19
  20   ensure_packages(["postgresql", "pgbouncer", "pam_ldap"])
  21
  22   $pg_backup_hosts = lookup("role::backup::postgresql::backup_hosts", { "default_value" => {} })
  23   $ldap_filter = lookup("role::backup::postgresql::pgbouncer_access_filter", { "default_value" => undef })
  24
  25   unless empty($pg_backup_hosts) {
  26     file { "/etc/systemd/system/postgresql_backup@.service":
  27       mode    => "0644",
  28       owner   => "root",
  29       group   => "root",
  30       content => template("role/backup/postgresql_backup@.service.erb"),
  31     }
  32
  33     unless empty($ldap_filter) {
  34       concat { "/etc/pgbouncer/pgbouncer.ini":
  35         mode           => "0644",
  36         owner          => "root",
  37         group          => "root",
  38         ensure_newline => true,
  39         notify         => Service["pgbouncer"],
  40       }
  41
  42       concat::fragment { "pgbouncer_head":
  43         target  => "/etc/pgbouncer/pgbouncer.ini",
  44         order   => "01",
  45         content => template("role/backup/pgbouncer.ini.erb"),
  46       }
  47
  48       file { "/etc/systemd/system/pgbouncer.service.d":
  49         ensure => "directory",
  50         mode   => "0644",
  51         owner  => "root",
  52         group  => "root",
  53       }
  54
  55       file { "/etc/systemd/system/pgbouncer.service.d/override.conf":
  56         ensure  => "present",
  57         mode    => "0644",
  58         owner   => "root",
  59         group   => "root",
  60         content => "[Service]\nUser=\nUser=$pg_user\n",
  61         notify  => Service["pgbouncer"],
  62       }
  63
  64       service { "pgbouncer":
  65         ensure  => "running",
  66         enable  => true,
  67         require => [
  68           Package["pgbouncer"],
  69           File["/etc/systemd/system/pgbouncer.service.d/override.conf"],
  70           Concat["/etc/pgbouncer/pgbouncer.ini"]
  71         ],
  72       }
  73
  74       file { "/etc/pam_ldap.d":
  75         ensure => directory,
  76         mode   => "0755",
  77         owner  => "root",
  78         group  => "root",
  79       } ->
  80       file { "/etc/pam_ldap.d/pgbouncer.conf":
  81         ensure  => "present",
  82         mode    => "0600",
  83         owner   => $pg_user,
  84         group   => "root",
  85         content => template("role/backup/pam_ldap_pgbouncer.conf.erb"),
  86       } ->
  87       file { "/etc/pam.d/pgbouncer":
  88         ensure => "present",
  89         mode   => "0644",
  90         owner  => "root",
  91         group  => "root",
  92         source => "puppet:///modules/role/backup/pam_pgbouncer"
  93       }
  94     }
  95   }
  96
  97   $pg_backup_hosts.each |$pg_backup_host, $pg_infos| {
  98     $pg_path = "$mountpoint/$pg_backup_host/postgresql"
  99     $pg_backup_path = "$mountpoint/$pg_backup_host/postgresql_backup"
 100     $pg_host = "$pg_backup_host"
 101     $pg_port = $pg_infos["dbport"]
 102
 103     if !empty($ldap_filter) and ($pg_infos["pgbouncer"]) {
 104       concat::fragment { "pgbouncer_$pg_backup_host":
 105         target  => "/etc/pgbouncer/pgbouncer.ini",
 106         order   => 02,
 107         content => "${pg_infos[pgbouncer_dbname]} = host=$mountpoint/$pg_backup_host/postgresql user=${pg_infos[dbuser]} dbname=${pg_infos[dbname]}",
 108       }
 109
 110       postgresql::server::pg_hba_rule { "$pg_backup_host - local access as ${pg_infos[dbuser]} user":
 111         description => "Allow local access to ${pg_infos[dbuser]} user",
 112         type        => 'local',
 113         database    => $pg_infos["dbname"],
 114         user        => $pg_infos["dbuser"],
 115         auth_method => 'trust',
 116         order       => "01-00",
 117         target      => "$pg_path/pg_hba.conf",
 118         postgresql_version => "10",
 119       }
 120     }
 121
 122     file { "$mountpoint/$pg_backup_host":
 123       ensure => directory,
 124       owner  => $user,
 125       group  => $group,
 126     }
 127
 128     file { $pg_path:
 129       ensure  => directory,
 130       owner   => $pg_user,
 131       group   => $pg_group,
 132       mode    => "0700",
 133       require => File["$mountpoint/$pg_backup_host"],
 134     }
 135
 136     file { $pg_backup_path:
 137       ensure  => directory,
 138       owner   => $pg_user,
 139       group   => $pg_group,
 140       mode    => "0700",
 141       require => File["$mountpoint/$pg_backup_host"],
 142     }
 143
 144     cron::job::multiple { "backup_psql_$pg_host":
 145       ensure  => "present",
 146       require => [File[$pg_backup_path], File[$pg_path]],
 147       jobs    => [
 148         {
 149           command     => "/usr/bin/pg_dumpall -h $pg_path -f $pg_backup_path/\$(date -Iseconds).sql",
 150           user        => $pg_user,
 151           hour        => "22,4,10,16",
 152           minute      => 0,
 153           description => "Backup the database",
 154         },
 155         {
 156           command     => "/usr/bin/rm -f $(ls -1 $pg_backup_path/*.sql | sort -r | sed -e '1,16d')",
 157           user        => $pg_user,
 158           hour        => 3,
 159           minute      => 0,
 160           description => "Cleanup the database backups",
 161         },
 162       ]
 163     }
 164
 165     exec { "pg_basebackup $pg_path":
 166       cwd         => $pg_path,
 167       user        => $pg_user,
 168       creates     => "$pg_path/PG_VERSION",
 169       environment => ["PGPASSWORD=$ldap_password"],
 170       command     => "/usr/bin/pg_basebackup -w -h $pg_host -U $ldap_cn -D $pg_path -S $pg_slot",
 171       before      => [
 172         Concat["$pg_path/pg_hba.conf"],
 173         Concat["$pg_path/recovery.conf"],
 174         File["$pg_path/postgresql.conf"],
 175       ]
 176     }
 177
 178     concat { "$pg_path/pg_hba.conf":
 179       owner   => $pg_user,
 180       group   => $pg_group,
 181       mode    => '0640',
 182       warn    => true,
 183     }
 184     postgresql::server::pg_hba_rule { "$pg_backup_host - local access as postgres user":
 185       description => 'Allow local access to postgres user',
 186       type        => 'local',
 187       database    => 'all',
 188       user        => $pg_user,
 189       auth_method => 'ident',
 190       order       => "00-01",
 191       target      => "$pg_path/pg_hba.conf",
 192       postgresql_version => "10",
 193     }
 194     postgresql::server::pg_hba_rule { "$pg_backup_host - localhost access as postgres user":
 195       description => 'Allow localhost access to postgres user',
 196       type        => 'host',
 197       database    => 'all',
 198       user        => $pg_user,
 199       address     => "127.0.0.1/32",
 200       auth_method => 'md5',
 201       order       => "00-02",
 202       target      => "$pg_path/pg_hba.conf",
 203       postgresql_version => "10",
 204     }
 205     postgresql::server::pg_hba_rule { "$pg_backup_host - localhost ip6 access as postgres user":
 206       description => 'Allow localhost access to postgres user',
 207       type        => 'host',
 208       database    => 'all',
 209       user        => $pg_user,
 210       address     => "::1/128",
 211       auth_method => 'md5',
 212       order       => "00-03",
 213       target      => "$pg_path/pg_hba.conf",
 214       postgresql_version => "10",
 215     }
 216     postgresql::server::pg_hba_rule { "$pg_backup_host - deny access to postgresql user":
 217       description => 'Deny remote access to postgres user',
 218       type        => 'host',
 219       database    => 'all',
 220       user        => $pg_user,
 221       address     => "0.0.0.0/0",
 222       auth_method => 'reject',
 223       order       => "00-04",
 224       target      => "$pg_path/pg_hba.conf",
 225       postgresql_version => "10",
 226     }
 227
 228     postgresql::server::pg_hba_rule { "$pg_backup_host - local access":
 229       description => 'Allow local access with password',
 230       type        => 'local',
 231       database    => 'all',
 232       user        => 'all',
 233       auth_method => 'md5',
 234       order       => "10-01",
 235       target      => "$pg_path/pg_hba.conf",
 236       postgresql_version => "10",
 237     }
 238
 239     postgresql::server::pg_hba_rule { "$pg_backup_host - local access with same name":
 240       description => 'Allow local access with same name',
 241       type        => 'local',
 242       database    => 'all',
 243       user        => 'all',
 244       auth_method => 'ident',
 245       order       => "10-02",
 246       target      => "$pg_path/pg_hba.conf",
 247       postgresql_version => "10",
 248     }
 249
 250     $primary_conninfo  = "host=$pg_host port=$pg_port user=$ldap_cn password=$ldap_password sslmode=require"
 251     $primary_slot_name = regsubst($ldap_cn, '-', "_", "G")
 252     $standby_mode      = "on"
 253
 254     concat { "$pg_path/recovery.conf":
 255       owner  => $pg_user,
 256       group  => $pg_group,
 257       mode   => '0640',
 258       warn   => true,
 259     }
 260     concat::fragment { "$pg_path/recovery.conf":
 261       target  => "$pg_path/recovery.conf",
 262       content => template('postgresql/recovery.conf.erb'),
 263     }
 264
 265     file { "$pg_path/postgresql.conf":
 266       owner   => $pg_user,
 267       group   => $pg_group,
 268       mode    => '0640',
 269       content => template("role/backup/postgresql.conf.erb"),
 270     }
 271
 272     service { "postgresql_backup@$pg_backup_host":
 273       enable  => true,
 274       ensure  => "running",
 275       require => [
 276         File["/etc/systemd/system/postgresql_backup@.service"],
 277         Concat["$pg_path/pg_hba.conf"],
 278         Concat["$pg_path/recovery.conf"],
 279         File["$pg_path/postgresql.conf"],
 280       ]
 281     }
 282   }
 283
 284 }