Refactor postgresql configuration
index 067345afe282892c16bbf5c4613208375f780761..e28c1b0add6567f79e0dc8feced8c86fe835d176 100644 (file)
@@ -2,120 +2,17 @@ define profile::postgresql_master (
   $letsencrypt_host = undef,
   $backup_hosts     = [],
 ) {
-  $password_seed = lookup("base_installation::puppet_pass_seed")
-
-  ensure_resource("file", "/var/lib/postgres/data/certs", {
-    ensure  => directory,
-    mode    => "0700",
-    owner   => $::profile::postgresql::pg_user,
-    group   => $::profile::postgresql::pg_user,
-    require => File["/var/lib/postgres"],
-  })
-
-  ensure_resource("file", "/var/lib/postgres/data/certs/cert.pem", {
-    source  => "file:///etc/letsencrypt/live/$letsencrypt_host/cert.pem",
-    mode    => "0600",
-    links   => "follow",
-    owner   => $::profile::postgresql::pg_user,
-    group   => $::profile::postgresql::pg_user,
-    require => [Letsencrypt::Certonly[$letsencrypt_host], File["/var/lib/postgres/data/certs"]]
-  })
-
-  ensure_resource("file", "/var/lib/postgres/data/certs/privkey.pem", {
-    source  => "file:///etc/letsencrypt/live/$letsencrypt_host/privkey.pem",
-    mode    => "0600",
-    links   => "follow",
-    owner   => $::profile::postgresql::pg_user,
-    group   => $::profile::postgresql::pg_user,
-    require => [Letsencrypt::Certonly[$letsencrypt_host], File["/var/lib/postgres/data/certs"]]
-  })
-
-  ensure_resource("postgresql::server::config_entry", "wal_level", {
-    value => "logical",
-  })
-
-  ensure_resource("postgresql::server::config_entry", "ssl", {
-    value   => "on",
+  profile::postgresql::ssl { "/var/lib/postgres":
+    cert    => "/etc/letsencrypt/live/$letsencrypt_host/cert.pem",
+    key     => "/etc/letsencrypt/live/$letsencrypt_host/privkey.pem",
     require => Letsencrypt::Certonly[$letsencrypt_host],
-  })
-
-  ensure_resource("postgresql::server::config_entry", "ssl_cert_file", {
-    value   => "/var/lib/postgres/data/certs/cert.pem",
-    require => Letsencrypt::Certonly[$letsencrypt_host],
-  })
-
-  ensure_resource("postgresql::server::config_entry", "ssl_key_file", {
-    value   => "/var/lib/postgres/data/certs/privkey.pem",
-    require => Letsencrypt::Certonly[$letsencrypt_host],
-  })
+  }
 
   $backup_hosts.each |$backup_host| {
-    ensure_packages(["pam_ldap"])
-
-    $host = find_host($facts["ldapvar"]["other"], $backup_host)
-    unless empty($host) {
-      $host["ipHostNumber"].each |$ip| {
-        $infos = split($ip, "/")
-        $ipaddress = $infos[0]
-        if (length($infos) == 1 and $ipaddress =~ /:/) {
-          $mask = "128"
-        } elsif (length($infos) == 1) {
-          $mask = "32"
-        } else {
-          $mask = $infos[1]
-        }
-
-        postgresql::server::pg_hba_rule { "allow TCP access to replication user from backup for replication from $ipaddress/$mask":
-          type        => 'hostssl',
-          database    => 'replication',
-          user        => $backup_host,
-          address     => "$ipaddress/$mask",
-          auth_method => 'pam',
-          order       => "06-01",
-        }
-      }
-
-      postgresql::server::role { $backup_host:
-        replication => true,
-      }
-
-      postgresql_replication_slot { regsubst($backup_host, '-', "_", "G"):
-        ensure => present
-      }
+    profile::postgresql::replication { $backup_host:
+      handle_role   => true,
+      handle_slot   => true,
+      add_self_role => true,
     }
   }
-
-  $ldap_server = lookup("base_installation::ldap_server")
-  $ldap_base   = lookup("base_installation::ldap_base")
-  $ldap_dn     = lookup("base_installation::ldap_dn")
-  $ldap_cn     = lookup("base_installation::ldap_cn")
-  $ldap_password = generate_password(24, $password_seed, "ldap")
-  $ldap_attribute = "cn"
-
-  # This is to be replicated to the backup
-  postgresql::server::role { $ldap_cn:
-    replication => true,
-  }
-
-  file { "/etc/pam_ldap.d":
-    ensure => directory,
-    mode   => "0755",
-    owner  => "root",
-    group  => "root",
-  } ->
-  file { "/etc/pam_ldap.d/postgresql.conf":
-    ensure  => "present",
-    mode    => "0600",
-    owner   => $::profile::postgresql::pg_user,
-    group   => "root",
-    content => template("profile/postgresql_master/pam_ldap_postgresql.conf.erb"),
-  } ->
-  file { "/etc/pam.d/postgresql":
-    ensure => "present",
-    mode   => "0644",
-    owner  => "root",
-    group  => "root",
-    source => "puppet:///modules/profile/postgresql_master/pam_postgresql"
-  }
-
 }
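Review bot: `$letsencrypt_host` still defaults to `undef` in the parameter list, yet the new `profile::postgresql::ssl` declaration interpolates it unconditionally into `cert`, `key` and the `Letsencrypt::Certonly[$letsencrypt_host]` reference, so a caller that omits it gets paths under `/etc/letsencrypt/live//` and a relationship to an empty-titled resource rather than a clear compile failure; the refactor carries this over unchanged from the removed `ensure_resource` blocks. Making the parameter mandatory, `String $letsencrypt_host,`, or wrapping the declaration in `if $letsencrypt_host { ... }` would fail fast. The hunk also drops `wal_level => logical`, the `pam_ldap` package and the `/etc/pam_ldap.d/postgresql.conf` file that held the generated LDAP password; presumably these now live in `profile::postgresql::replication` (the `handle_*` and `add_self_role` flags suggest so), but nothing in this hunk shows it, so a comment above the `$backup_hosts.each` loop such as `# wal_level, pam_ldap and the LDAP replication role are managed by profile::postgresql::replication` would record where that responsibility went. The define's signature line is visible only in the hunk header, outside the shown lines.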