define profile::postgresql::master (
- $letsencrypt_host = undef,
- $backup_hosts = [],
+ $letsencrypt_host = undef,
+ $backup_hosts = [],
+ Optional[String] $pg_user = "postgres",
+ Optional[String] $pg_group = "postgres",
) {
- profile::postgresql::ssl { "/var/lib/postgres/data":
+ $pg_path = "/var/lib/postgres"
+ $pg_data_path = "$pg_path/data"
+
+ $postgresql_backup_port = $facts.dig("ldapvar", "self", "vars", "postgresql_backup_port", 0)
+ if ($postgresql_backup_port and !empty($backup_hosts)) {
+ $password_seed = lookup("base_installation::puppet_pass_seed")
+ $ldap_cn = lookup("base_installation::ldap_cn")
+ $ldap_password = generate_password(24, $password_seed, "ldap")
+
+ $host = find_host($facts["ldapvar"]["other"], $backup_hosts[0])
+ if empty($host) {
+ fail("No backup host to recover from")
+ } elsif has_key($host["vars"], "host") {
+ $pg_backup_host = $host["vars"]["host"][0]
+ } else {
+ $pg_backup_host = $host["vars"]["real_hostname"][0]
+ }
+
+ exec { "pg_basebackup $pg_data_path":
+ cwd => $pg_path,
+ user => $pg_user,
+ creates => "$pg_data_path/PG_VERSION",
+ environment => ["PGPASSWORD=$ldap_password"],
+ command => "/usr/bin/pg_basebackup -w -h $pg_backup_host -p $postgresql_backup_port -U $ldap_cn -D $pg_data_path",
+ before => File[$pg_data_path],
+ require => File[$pg_path],
+ notify => Exec["cleanup pg_basebackup $pg_data_path"],
+ } -> file { "$pg_data_path/recovery.conf":
+ before => Concat["$pg_data_path/pg_hba.conf"],
+ ensure => absent,
+ }
+
+ exec { "cleanup pg_basebackup $pg_data_path":
+ refreshonly => true,
+ cwd => $pg_path,
+ user => $pg_user,
+ before => Class["postgresql::server::config"],
+ command => "/usr/bin/rm -f $pg_data_path/postgresql.conf && touch $pg_data_path/postgresql.conf",
+ }
+ }
+
+ profile::postgresql::ssl { $pg_data_path:
cert => "/etc/letsencrypt/live/$letsencrypt_host/cert.pem",
key => "/etc/letsencrypt/live/$letsencrypt_host/privkey.pem",
require => Letsencrypt::Certonly[$letsencrypt_host],
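Review bot: The `pg_basebackup` exec builds its `command` string from `$pg_backup_host`, `$postgresql_backup_port` and `$ldap_cn` without validating them, and the first two are derived from `$facts["ldapvar"]`. The sibling cleanup exec relies on `&&`, so string commands here are presumably handed to a shell, which means an unexpected character in one of those values would be interpreted instead of reaching pg_basebackup as an argument. I would check them before the exec, e.g. `assert_type(Pattern[/\A[A-Za-z0-9.-]+\z/], $pg_backup_host)`, with a digits-only pattern for the port. Separately, `Optional[String] $pg_user` accepts `undef`, in which case both execs would run as whatever user the agent runs as; `String[1] $pg_user = "postgres",` keeps the default and rules that out.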
if $handle_role {
postgresql::server::role { $host_cn:
replication => true,
+ require => Service["postgresql"],
}
if $add_self_role {
# Needed to be replicated to the backup and be able to recover later
ensure_resource("postgresql::server::role", $ldap_cn, {
replication => true,
+ require => Service["postgresql"],
})
}
}
if $handle_slot {
postgresql_replication_slot { regsubst($host_cn, '-', "_", "G"):
- ensure => present
+ ensure => present,
+ require => Service["postgresql"],
}
}
}
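Review bot: Adding `require => Service["postgresql"]` to the `ensure_resource("postgresql::server::role", $ldap_cn, …)` call changes the parameter hash that stdlib compares against an already-declared resource. If another manifest declares the same role through `ensure_resource` with only `replication => true`, the hashes no longer match and compilation would likely end in a duplicate-declaration error. No such call is visible here, so the other callers need checking. The enclosing define starts above this hunk.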
class role::etherpad (
+ String $web_host,
) {
$password_seed = lookup("base_installation::puppet_pass_seed")
- $web_host = lookup("base_installation::real_hostname")
- $web_listen = "0.0.0.0"
+ $real_host = lookup("base_installation::real_hostname")
+ $web_listen = "127.0.0.1"
$web_port = 18000
$pg_db = "etherpad-lite"
$pg_user = "etherpad-lite"
service { "etherpad-lite":
enable => true,
ensure => "running",
- require => Aur::Package["etherpad-lite"],
+ require => [Aur::Package["etherpad-lite"], Service["postgresql"]],
subscribe => Aur::Package["etherpad-lite"],
}
profile::postgresql::master { "postgresql master for etherpad":
- letsencrypt_host => $web_host,
+ letsencrypt_host => $real_host,
backup_hosts => ["backup-1"],
}
order => "05-01",
}
+ class { 'apache::mod::headers': }
+ apache::vhost { $web_host:
+ port => '443',
+ docroot => false,
+ manage_docroot => false,
+ proxy_dest => "http://localhost:18000",
+ request_headers => 'set X-Forwarded-Proto "https"',
+ ssl => true,
+ ssl_cert => "/etc/letsencrypt/live/$web_host/cert.pem",
+ ssl_key => "/etc/letsencrypt/live/$web_host/privkey.pem",
+ ssl_chain => "/etc/letsencrypt/live/$web_host/chain.pem",
+ require => Letsencrypt::Certonly[$web_host],
+ proxy_preserve_host => true;
+ default: * => $::profile::apache::apache_vhost_default;
+ }
}
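Review bot: `proxy_dest => "http://localhost:18000"` repeats the backend address and port as a literal, although the class already sets `$web_listen = "127.0.0.1"` and `$web_port = 18000`. `localhost` can also resolve to `::1`, where the backend presumably does not listen, and a later change to `$web_port` would silently break the proxy; `proxy_dest => "http://${web_listen}:${web_port}",` keeps the two in step. Since `apache::mod::headers` is now loaded, this vhost would also be the place for a `Strict-Transport-Security` response header, and nothing in the visible lines redirects port 80 to it. The class body starts above this hunk.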