modules/role/manifests/cryptoportfolio/postgresql.pp

   1 class role::cryptoportfolio::postgresql inherits role::cryptoportfolio {
   2   $password_seed = lookup("base_installation::puppet_pass_seed")
   3
   4   $pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio")
   5   $pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication")
   6
   7   file { "/var/lib/postgres/data/certs":
   8     ensure  => directory,
   9     mode    => "0700",
  10     owner   => $::profile::postgresql::pg_user,
  11     group   => $::profile::postgresql::pg_user,
  12     require => File["/var/lib/postgres"],
  13   }
  14
  15   file { "/var/lib/postgres/data/certs/cert.pem":
  16     source  => "file:///etc/letsencrypt/live/$web_host/cert.pem",
  17     mode    => "0600",
  18     links   => "follow",
  19     owner   => $::profile::postgresql::pg_user,
  20     group   => $::profile::postgresql::pg_user,
  21     require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
  22   }
  23
  24   file { "/var/lib/postgres/data/certs/privkey.pem":
  25     source  => "file:///etc/letsencrypt/live/$web_host/privkey.pem",
  26     mode    => "0600",
  27     links   => "follow",
  28     owner   => $::profile::postgresql::pg_user,
  29     group   => $::profile::postgresql::pg_user,
  30     require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
  31   }
  32
  33   postgresql_replication_slot { $pg_user_replication:
  34     ensure => present
  35   }
  36
  37   postgresql::server::config_entry { "wal_level":
  38     value   => "logical",
  39   }
  40
  41   postgresql::server::config_entry { "ssl":
  42     value   => "on",
  43     require => Letsencrypt::Certonly[$web_host],
  44   }
  45
  46   postgresql::server::config_entry { "ssl_cert_file":
  47     value   => "/var/lib/postgres/data/certs/cert.pem",
  48     require => Letsencrypt::Certonly[$web_host],
  49   }
  50
  51   postgresql::server::config_entry { "ssl_key_file":
  52     value   => "/var/lib/postgres/data/certs/privkey.pem",
  53     require => Letsencrypt::Certonly[$web_host],
  54   }
  55
  56   postgresql::server::db { $pg_db:
  57     user     =>  $pg_user,
  58     password =>  postgresql_password($pg_user, $pg_password),
  59   }
  60   ->
  61   postgresql_psql { "CREATE PUBLICATION ${pg_db}_publication FOR ALL TABLES":
  62     db     => $pg_db,
  63     unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${pg_db}_publication'",
  64   }
  65   ->
  66   postgresql::server::role { $pg_user_replication:
  67     db            => $pg_db,
  68     replication   => true,
  69     password_hash => postgresql_password($pg_user_replication, $pg_replication_password),
  70   }
  71   ->
  72   postgresql::server::database_grant { $pg_user_replication:
  73     db        => $pg_db,
  74     privilege => "CONNECT",
  75     role      => $pg_user_replication,
  76   }
  77   ->
  78   postgresql::server::grant { "all tables in schema:public:$pg_user_replication":
  79     db          => $pg_db,
  80     role        => $pg_user_replication,
  81     privilege   => "SELECT",
  82     object_type => "ALL TABLES IN SCHEMA",
  83     object_name => "public",
  84   }
  85   ->
  86   postgresql::server::grant { "all sequences in schema:public:$pg_user_replication":
  87     db          => $pg_db,
  88     role        => $pg_user_replication,
  89     privilege   => "SELECT",
  90     object_type => "ALL SEQUENCES IN SCHEMA",
  91     object_name => "public",
  92   }
  93
  94   postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user':
  95     type        => 'host',
  96     database    => $pg_db,
  97     user        => $pg_user,
  98     address     => '127.0.0.1/32',
  99     auth_method => 'md5',
 100     order       => "05-01",
 101   }
 102   postgresql::server::pg_hba_rule { 'allow localhost ip6 TCP access to cryptoportfolio user':
 103     type        => 'host',
 104     database    => $pg_db,
 105     user        => $pg_user,
 106     address     => '::1/128',
 107     auth_method => 'md5',
 108     order       => "05-01",
 109   }
 110
 111   postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu for replication':
 112     type        => 'hostssl',
 113     database    => 'replication',
 114     user        => $pg_user_replication,
 115     address     => 'immae.eu',
 116     auth_method => 'md5',
 117     order       => "05-01",
 118   }
 119
 120   postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu':
 121     type        => 'hostssl',
 122     database    => $pg_db,
 123     user        => $pg_user_replication,
 124     address     => 'immae.eu',
 125     auth_method => 'md5',
 126     order       => "05-02",
 127   }
 128
 129   $backup_host = "backup-1"
 130
 131   unless empty($backup_host) {
 132     ensure_packages(["pam_ldap"])
 133
 134     $facts["ldapvar"]["other"].each |$host| {
 135       if ($host["cn"][0] == $backup_host) {
 136         $host["ipHostNumber"].each |$ip| {
 137           $infos = split($ip, "/")
 138           $ipaddress = $infos[0]
 139           if (length($infos) == 1 and $ipaddress =~ /:/) {
 140             $mask = "128"
 141           } elsif (length($infos) == 1) {
 142             $mask = "32"
 143           } else {
 144             $mask = $infos[1]
 145           }
 146
 147           postgresql::server::pg_hba_rule { "allow TCP access to replication user from backup for replication from $ipaddress/$mask":
 148             type        => 'hostssl',
 149             database    => 'replication',
 150             user        => 'all',
 151             address     => "$ipaddress/$mask",
 152             auth_method => 'pam',
 153             order       => "06-01",
 154           }
 155         }
 156
 157         postgresql::server::role { $backup_host:
 158           replication => true,
 159         }
 160
 161         postgresql_replication_slot { regsubst($backup_host, '-', "_", "G"):
 162           ensure => present
 163         }
 164       }
 165     }
 166
 167     $ldap_server = lookup("base_installation::ldap_server")
 168     $ldap_base   = lookup("base_installation::ldap_base")
 169     $ldap_dn     = lookup("base_installation::ldap_dn")
 170     $ldap_password = generate_password(24, $password_seed, "ldap")
 171     $ldap_attribute = "cn"
 172
 173     file { "/etc/pam_ldap.d":
 174       ensure => directory,
 175       mode   => "0755",
 176       owner  => "root",
 177       group  => "root",
 178     } ->
 179     file { "/etc/pam_ldap.d/postgresql.conf":
 180       ensure  => "present",
 181       mode    => "0644",
 182       owner   => "root",
 183       group   => "root",
 184       content => template("role/cryptoportfolio/pam_ldap_postgresql.conf.erb"),
 185     } ->
 186     file { "/etc/pam.d/postgresql":
 187       ensure => "present",
 188       mode   => "0644",
 189       owner  => "root",
 190       group  => "root",
 191       source => "puppet:///modules/role/cryptoportfolio/pam_postgresql"
 192     }
 193   }
 194
 195 }