]> git.immae.eu Git - perso/Immae/Projets/Puppet.git/blob - modules/role/manifests/cryptoportfolio/postgresql.pp
projects / perso / Immae / Projets / Puppet.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge branch 'dev'
[perso/Immae/Projets/Puppet.git] / modules / role / manifests / cryptoportfolio / postgresql.pp
1 class role::cryptoportfolio::postgresql inherits role::cryptoportfolio {
2 $password_seed = lookup("base_installation::puppet_pass_seed")
3
4 $pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio")
5 $pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication")
6
7 file { "/var/lib/postgres/data/certs":
8 ensure => directory,
9 mode => "0700",
10 owner => $::profile::postgresql::pg_user,
11 group => $::profile::postgresql::pg_user,
12 require => File["/var/lib/postgres"],
13 }
14
15 file { "/var/lib/postgres/data/certs/cert.pem":
16 source => "file:///etc/letsencrypt/live/$web_host/cert.pem",
17 mode => "0600",
18 links => "follow",
19 owner => $::profile::postgresql::pg_user,
20 group => $::profile::postgresql::pg_user,
21 require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
22 }
23
24 file { "/var/lib/postgres/data/certs/privkey.pem":
25 source => "file:///etc/letsencrypt/live/$web_host/privkey.pem",
26 mode => "0600",
27 links => "follow",
28 owner => $::profile::postgresql::pg_user,
29 group => $::profile::postgresql::pg_user,
30 require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
31 }
32
33 postgresql::server::config_entry { "wal_level":
34 value => "logical",
35 }
36
37 postgresql::server::config_entry { "ssl":
38 value => "on",
39 require => Letsencrypt::Certonly[$web_host],
40 }
41
42 postgresql::server::config_entry { "ssl_cert_file":
43 value => "/var/lib/postgres/data/certs/cert.pem",
44 require => Letsencrypt::Certonly[$web_host],
45 }
46
47 postgresql::server::config_entry { "ssl_key_file":
48 value => "/var/lib/postgres/data/certs/privkey.pem",
49 require => Letsencrypt::Certonly[$web_host],
50 }
51
52 postgresql::server::db { $pg_db:
53 user => $pg_user,
54 password => postgresql_password($pg_user, $pg_password),
55 }
56 ->
57 postgresql_psql { "CREATE PUBLICATION ${pg_db}_publication FOR ALL TABLES":
58 db => $pg_db,
59 unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${pg_db}_publication'",
60 }
61 ->
62 postgresql::server::role { $pg_user_replication:
63 db => $pg_db,
64 replication => true,
65 password_hash => postgresql_password($pg_user_replication, $pg_replication_password),
66 }
67 ->
68 postgresql::server::database_grant { $pg_user_replication:
69 db => $pg_db,
70 privilege => "CONNECT",
71 role => $pg_user_replication,
72 }
73 ->
74 postgresql::server::grant { "all tables in schema:public:$pg_user_replication":
75 db => $pg_db,
76 role => $pg_user_replication,
77 privilege => "SELECT",
78 object_type => "ALL TABLES IN SCHEMA",
79 object_name => "public",
80 }
81 ->
82 postgresql::server::grant { "all sequences in schema:public:$pg_user_replication":
83 db => $pg_db,
84 role => $pg_user_replication,
85 privilege => "SELECT",
86 object_type => "ALL SEQUENCES IN SCHEMA",
87 object_name => "public",
88 }
89
90 postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user':
91 type => 'host',
92 database => $pg_db,
93 user => $pg_user,
94 address => '127.0.0.1/32',
95 auth_method => 'md5',
96 order => "05-01",
97 }
98 postgresql::server::pg_hba_rule { 'allow localhost ip6 TCP access to cryptoportfolio user':
99 type => 'host',
100 database => $pg_db,
101 user => $pg_user,
102 address => '::1/128',
103 auth_method => 'md5',
104 order => "05-01",
105 }
106
107 postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu':
108 type => 'hostssl',
109 database => $pg_db,
110 user => $pg_user_replication,
111 address => 'immae.eu',
112 auth_method => 'md5',
113 order => "05-01",
114 }
115
116 }
My infrastructure configuration - Deprecated, replaced with Nix