--- /dev/null
+define profile::postgresql_master (
+ $letsencrypt_host = undef,
+ $backup_hosts = [],
+) {
+ $password_seed = lookup("base_installation::puppet_pass_seed")
+
+ ensure_resource("file", "/var/lib/postgres/data/certs", {
+ ensure => directory,
+ mode => "0700",
+ owner => $::profile::postgresql::pg_user,
+ group => $::profile::postgresql::pg_user,
+ require => File["/var/lib/postgres"],
+ })
+
+ ensure_resource("file", "/var/lib/postgres/data/certs/cert.pem", {
+ source => "file:///etc/letsencrypt/live/$letsencrypt_host/cert.pem",
+ mode => "0600",
+ links => "follow",
+ owner => $::profile::postgresql::pg_user,
+ group => $::profile::postgresql::pg_user,
+ require => [Letsencrypt::Certonly[$letsencrypt_host], File["/var/lib/postgres/data/certs"]]
+ })
+
+ ensure_resource("file", "/var/lib/postgres/data/certs/privkey.pem", {
+ source => "file:///etc/letsencrypt/live/$letsencrypt_host/privkey.pem",
+ mode => "0600",
+ links => "follow",
+ owner => $::profile::postgresql::pg_user,
+ group => $::profile::postgresql::pg_user,
+ require => [Letsencrypt::Certonly[$letsencrypt_host], File["/var/lib/postgres/data/certs"]]
+ })
+
+ ensure_resource("postgresql::server::config_entry", "wal_level", {
+ value => "logical",
+ })
+
+ ensure_resource("postgresql::server::config_entry", "ssl", {
+ value => "on",
+ require => Letsencrypt::Certonly[$letsencrypt_host],
+ })
+
+ ensure_resource("postgresql::server::config_entry", "ssl_cert_file", {
+ value => "/var/lib/postgres/data/certs/cert.pem",
+ require => Letsencrypt::Certonly[$letsencrypt_host],
+ })
+
+ ensure_resource("postgresql::server::config_entry", "ssl_key_file", {
+ value => "/var/lib/postgres/data/certs/privkey.pem",
+ require => Letsencrypt::Certonly[$letsencrypt_host],
+ })
+
+ $backup_hosts.each |$backup_host| {
+ ensure_packages(["pam_ldap"])
+
+ $facts["ldapvar"]["other"].each |$host| {
+ if ($host["cn"][0] == $backup_host) {
+ $host["ipHostNumber"].each |$ip| {
+ $infos = split($ip, "/")
+ $ipaddress = $infos[0]
+ if (length($infos) == 1 and $ipaddress =~ /:/) {
+ $mask = "128"
+ } elsif (length($infos) == 1) {
+ $mask = "32"
+ } else {
+ $mask = $infos[1]
+ }
+
+ postgresql::server::pg_hba_rule { "allow TCP access to replication user from backup for replication from $ipaddress/$mask":
+ type => 'hostssl',
+ database => 'replication',
+ user => $backup_host,
+ address => "$ipaddress/$mask",
+ auth_method => 'pam',
+ order => "06-01",
+ }
+ }
+
+ postgresql::server::role { $backup_host:
+ replication => true,
+ }
+
+ postgresql_replication_slot { regsubst($backup_host, '-', "_", "G"):
+ ensure => present
+ }
+ }
+ }
+
+ $ldap_server = lookup("base_installation::ldap_server")
+ $ldap_base = lookup("base_installation::ldap_base")
+ $ldap_dn = lookup("base_installation::ldap_dn")
+ $ldap_password = generate_password(24, $password_seed, "ldap")
+ $ldap_attribute = "cn"
+
+ file { "/etc/pam_ldap.d":
+ ensure => directory,
+ mode => "0755",
+ owner => "root",
+ group => "root",
+ } ->
+ file { "/etc/pam_ldap.d/postgresql.conf":
+ ensure => "present",
+ mode => "0600",
+ owner => $::profile::postgresql::pg_user,
+ group => "root",
+ content => template("profile/postgresql_master/pam_ldap_postgresql.conf.erb"),
+ } ->
+ file { "/etc/pam.d/postgresql":
+ ensure => "present",
+ mode => "0644",
+ owner => "root",
+ group => "root",
+ source => "puppet:///modules/profile/postgresql_master/pam_postgresql"
+ }
+ }
+
+}
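Review bot: The two `file` resources that copy `cert.pem` and `privkey.pem` into `/var/lib/postgres/data/certs` carry a `require` but no `notify`, so when Let's Encrypt renews the certificate Puppet refreshes the copies on disk but nothing asks PostgreSQL to reload them, and the server keeps serving the old certificate from memory until something else restarts it (the `config_entry` resources presumably trigger a reload on change, but a plain `file` resource does not). Since `ssl` is switched on here specifically to back the `hostssl` replication rule, an expired certificate is exactly what a verifying replica will refuse; adding `notify => Class['postgresql::server::service']` (or the module's reload class, whichever this version exposes) to both resources closes that gap. Separately, the `/etc/pam_ldap.d`, `/etc/pam_ldap.d/postgresql.conf` and `/etc/pam.d/postgresql` resources are declared inside the `$backup_hosts.each` lambda, so a second entry in `backup_hosts` fails catalog compilation with a duplicate declaration of `File['/etc/pam_ldap.d']`; the array default suggests several hosts are intended, and the single-host call in the etherpad profile merely hides it. Hoisting that block (and the `ensure_packages(["pam_ldap"])` call) out of the loop, or wrapping it in `ensure_resource` like the certificate resources above, makes the define safe for more than one backup host.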
subscribe => Aur::Package["etherpad-lite"],
}
- $web_host = "outils-1.v.immae.eu"
- $pg_db = "etherpad-lite"
- $pg_user = "etherpad-lite"
+ $web_host = "outils-1.v.immae.eu"
+ $pg_db = "etherpad-lite"
+ $pg_user = "etherpad-lite"
$pg_password = generate_password(24, $password_seed, "postgres_etherpad")
- file { "/var/lib/postgres/data/certs":
- ensure => directory,
- mode => "0700",
- owner => $::profile::postgresql::pg_user,
- group => $::profile::postgresql::pg_user,
- require => File["/var/lib/postgres"],
- }
-
- file { "/var/lib/postgres/data/certs/cert.pem":
- source => "file:///etc/letsencrypt/live/$web_host/cert.pem",
- mode => "0600",
- links => "follow",
- owner => $::profile::postgresql::pg_user,
- group => $::profile::postgresql::pg_user,
- require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
- }
-
- file { "/var/lib/postgres/data/certs/privkey.pem":
- source => "file:///etc/letsencrypt/live/$web_host/privkey.pem",
- mode => "0600",
- links => "follow",
- owner => $::profile::postgresql::pg_user,
- group => $::profile::postgresql::pg_user,
- require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
- }
-
- postgresql::server::config_entry { "wal_level":
- value => "logical",
- }
-
- postgresql::server::config_entry { "ssl":
- value => "on",
- require => Letsencrypt::Certonly[$web_host],
- }
-
- postgresql::server::config_entry { "ssl_cert_file":
- value => "/var/lib/postgres/data/certs/cert.pem",
- require => Letsencrypt::Certonly[$web_host],
- }
-
- postgresql::server::config_entry { "ssl_key_file":
- value => "/var/lib/postgres/data/certs/privkey.pem",
- require => Letsencrypt::Certonly[$web_host],
+ profile::postgresql_master { "postgresql master for etherpad":
+ letsencrypt_host => $web_host,
+ backup_hosts => ["backup-1"],
}
postgresql::server::db { $pg_db: