-class profile::postgresql {
+class profile::postgresql (
+ Optional[String] $pg_user = "postgres",
+ Optional[String] $pg_group = "postgres",
+) {
$password_seed = lookup("base_installation::puppet_pass_seed")
class { '::postgresql::globals':
pg_hba_conf_defaults => false,
}
- # FIXME: get it from the postgresql module?
- $pg_user = "postgres"
-
class { '::postgresql::client': }
# FIXME: postgresql module is buggy and doesn't create dir?
file { "/var/lib/postgres":
ensure => directory,
owner => $pg_user,
- group => $pg_user,
+ group => $pg_group,
before => File["/var/lib/postgres/data"],
require => Package["postgresql-server"],
}
listen_addresses => "*",
}
- postgresql::server::pg_hba_rule { 'local access as postgres user':
- description => 'Allow local access to postgres user',
- type => 'local',
- database => 'all',
- user => $pg_user,
- auth_method => 'ident',
- order => "00-01",
- }
- postgresql::server::pg_hba_rule { 'localhost access as postgres user':
- description => 'Allow localhost access to postgres user',
- type => 'host',
- database => 'all',
- user => $pg_user,
- address => "127.0.0.1/32",
- auth_method => 'md5',
- order => "00-02",
- }
- postgresql::server::pg_hba_rule { 'localhost ip6 access as postgres user':
- description => 'Allow localhost access to postgres user',
- type => 'host',
- database => 'all',
- user => $pg_user,
- address => "::1/128",
- auth_method => 'md5',
- order => "00-03",
- }
- postgresql::server::pg_hba_rule { 'deny access to postgresql user':
- description => 'Deny remote access to postgres user',
- type => 'host',
- database => 'all',
- user => $pg_user,
- address => "0.0.0.0/0",
- auth_method => 'reject',
- order => "00-04",
- }
-
- postgresql::server::pg_hba_rule { 'local access':
- description => 'Allow local access with password',
- type => 'local',
- database => 'all',
- user => 'all',
- auth_method => 'md5',
- order => "10-01",
- }
-
- postgresql::server::pg_hba_rule { 'local access with same name':
- description => 'Allow local access with same name',
- type => 'local',
- database => 'all',
- user => 'all',
- auth_method => 'ident',
- order => "10-02",
- }
+ profile::postgresql::base_pg_hba_rules { "default": }
}
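Review bot: The new `Optional[String]` type on `$pg_user` and `$pg_group` (lines 3–4) is wider than the class needs: both have string defaults and are passed straight through as `owner`/`group` of `/var/lib/postgres`, so `String[1] $pg_user = "postgres"` would reject an empty value at compile time instead of producing a file resource with an empty owner. It also reads as if undef were a meaningful input, yet with a default in place an explicit undef just falls back to that default, so the `Optional` documents a case that cannot occur. The removed pg_hba block carried an explicit `reject` rule for the postgres role from `0.0.0.0/0` (order 00-04); it is presumably moved into `profile::postgresql::base_pg_hba_rules`, which is not in this diff, so that the remote-deny rule survives the refactor should be confirmed before merging. The hunk has no `@@` header, so where the class body is cut is inferred from the braces.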
$password_seed = lookup("base_installation::puppet_pass_seed")
$pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio")
- $pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication")
- file { "/var/lib/postgres/data/certs":
- ensure => directory,
- mode => "0700",
- owner => $::profile::postgresql::pg_user,
- group => $::profile::postgresql::pg_user,
- require => File["/var/lib/postgres"],
- }
-
- file { "/var/lib/postgres/data/certs/cert.pem":
- source => "file:///etc/letsencrypt/live/$web_host/cert.pem",
- mode => "0600",
- links => "follow",
- owner => $::profile::postgresql::pg_user,
- group => $::profile::postgresql::pg_user,
- require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
- }
-
- file { "/var/lib/postgres/data/certs/privkey.pem":
- source => "file:///etc/letsencrypt/live/$web_host/privkey.pem",
- mode => "0600",
- links => "follow",
- owner => $::profile::postgresql::pg_user,
- group => $::profile::postgresql::pg_user,
- require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
- }
-
- postgresql_replication_slot { $pg_user_replication:
- ensure => present
- }
-
- postgresql::server::config_entry { "wal_level":
- value => "logical",
- }
-
- postgresql::server::config_entry { "ssl":
- value => "on",
- require => Letsencrypt::Certonly[$web_host],
- }
-
- postgresql::server::config_entry { "ssl_cert_file":
- value => "/var/lib/postgres/data/certs/cert.pem",
- require => Letsencrypt::Certonly[$web_host],
- }
-
- postgresql::server::config_entry { "ssl_key_file":
- value => "/var/lib/postgres/data/certs/privkey.pem",
- require => Letsencrypt::Certonly[$web_host],
+ profile::postgresql::master { "postgresql master for cryptoportfolio":
+ letsencrypt_host => $web_host,
+ backup_hosts => ["backup-1"],
}
postgresql::server::db { $pg_db:
user => $pg_user,
password => postgresql_password($pg_user, $pg_password),
}
- ->
- postgresql_psql { "CREATE PUBLICATION ${pg_db}_publication FOR ALL TABLES":
- db => $pg_db,
- unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${pg_db}_publication'",
- }
- ->
- postgresql::server::role { $pg_user_replication:
- db => $pg_db,
- replication => true,
- password_hash => postgresql_password($pg_user_replication, $pg_replication_password),
- }
- ->
- postgresql::server::database_grant { $pg_user_replication:
- db => $pg_db,
- privilege => "CONNECT",
- role => $pg_user_replication,
- }
- ->
- postgresql::server::grant { "all tables in schema:public:$pg_user_replication":
- db => $pg_db,
- role => $pg_user_replication,
- privilege => "SELECT",
- object_type => "ALL TABLES IN SCHEMA",
- object_name => "public",
- }
- ->
- postgresql::server::grant { "all sequences in schema:public:$pg_user_replication":
- db => $pg_db,
- role => $pg_user_replication,
- privilege => "SELECT",
- object_type => "ALL SEQUENCES IN SCHEMA",
- object_name => "public",
- }
postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user':
- type => 'host',
+ type => 'local',
database => $pg_db,
user => $pg_user,
- address => '127.0.0.1/32',
- auth_method => 'md5',
+ auth_method => 'ident',
order => "05-01",
}
- postgresql::server::pg_hba_rule { 'allow localhost ip6 TCP access to cryptoportfolio user':
- type => 'host',
- database => $pg_db,
- user => $pg_user,
- address => '::1/128',
- auth_method => 'md5',
- order => "05-01",
- }
-
- postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu for replication':
- type => 'hostssl',
- database => 'replication',
- user => $pg_user_replication,
- address => 'immae.eu',
- auth_method => 'md5',
- order => "05-01",
- }
-
- postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu':
- type => 'hostssl',
- database => $pg_db,
- user => $pg_user_replication,
- address => 'immae.eu',
- auth_method => 'md5',
- order => "05-02",
- }
-
- $backup_host = "backup-1"
- unless empty($backup_host) {
- ensure_packages(["pam_ldap"])
-
- $facts["ldapvar"]["other"].each |$host| {
- if ($host["cn"][0] == $backup_host) {
- $host["ipHostNumber"].each |$ip| {
- $infos = split($ip, "/")
- $ipaddress = $infos[0]
- if (length($infos) == 1 and $ipaddress =~ /:/) {
- $mask = "128"
- } elsif (length($infos) == 1) {
- $mask = "32"
- } else {
- $mask = $infos[1]
- }
-
- postgresql::server::pg_hba_rule { "allow TCP access to replication user from backup for replication from $ipaddress/$mask":
- type => 'hostssl',
- database => 'replication',
- user => 'all',
- address => "$ipaddress/$mask",
- auth_method => 'pam',
- order => "06-01",
- }
- }
-
- postgresql::server::role { $backup_host:
- replication => true,
- }
-
- postgresql_replication_slot { regsubst($backup_host, '-', "_", "G"):
- ensure => present
- }
- }
- }
-
- $ldap_server = lookup("base_installation::ldap_server")
- $ldap_base = lookup("base_installation::ldap_base")
- $ldap_dn = lookup("base_installation::ldap_dn")
- $ldap_password = generate_password(24, $password_seed, "ldap")
- $ldap_attribute = "cn"
-
- file { "/etc/pam_ldap.d":
- ensure => directory,
- mode => "0755",
- owner => "root",
- group => "root",
- } ->
- file { "/etc/pam_ldap.d/postgresql.conf":
- ensure => "present",
- mode => "0600",
- owner => $::profile::postgresql::pg_user,
- group => "root",
- content => template("role/cryptoportfolio/pam_ldap_postgresql.conf.erb"),
- } ->
- file { "/etc/pam.d/postgresql":
- ensure => "present",
- mode => "0644",
- owner => "root",
- group => "root",
- source => "puppet:///modules/role/cryptoportfolio/pam_postgresql"
- }
+ # cleanup
+ postgresql_psql { "DROP PUBLICATION ${pg_db}_publication":
+ db => $pg_db,
+ onlyif => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${pg_db}_publication'",
+ } ->
+ postgresql_replication_slot { $pg_user_replication:
+ ensure => absent
+ } ->
+ postgresql_psql { "DROP OWNED BY $pg_user_replication":
+ db => $pg_db,
+ onlyif => "SELECT 1 FROM pg_user WHERE usename='$pg_user_replication'"
+ } ->
+ postgresql::server::role { $pg_user_replication:
+ ensure => absent,
}
+ # /cleanup
}
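Review bot: The pg_hba rule at lines 171–180 keeps the title 'allow localhost TCP access to cryptoportfolio user' but now declares `type => 'local'` with `auth_method => 'ident'`, which is a Unix-socket rule rather than a TCP one; since the title is both the resource identity and the comment emitted into pg_hba.conf, rename it, e.g. `postgresql::server::pg_hba_rule { 'allow local socket access to cryptoportfolio user':`. For `local` connections PostgreSQL applies `ident` as `peer`, so this path no longer exercises the role password set through `postgresql_password` on line 136 — fine if the application connects as the matching OS user, but a one-line comment saying so would save the next reader a lookup. The "cleanup" chain at lines 271–286 is one-shot migration code that will remain in every future catalog after the publication, slot and role are gone; mark it with the condition for its removal, e.g. `# cleanup: drop once all hosts have applied this (replication now lives in profile::postgresql::master)`. The enclosing role class begins before this hunk, and `$pg_user_replication` and `$web_host` are defined outside the visible lines.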