From 3925777d9715d271c0643faef9f520e7816dba89 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Isma=C3=ABl=20Bouya?=
Date: Thu, 28 Jun 2018 10:32:57 +0200
Subject: [PATCH] Refactor cryptoportfolio postgresql
---
 modules/profile/manifests/postgresql.pp | 64 +-----
 .../manifests/postgresql/base_pg_hba_rules.pp | 2 -
 .../manifests/cryptoportfolio/postgresql.pp | 194 ++----------------
 3 files changed, 26 insertions(+), 234 deletions(-)
diff --git a/modules/profile/manifests/postgresql.pp b/modules/profile/manifests/postgresql.pp
index 2cd1bcc..97ce572 100644
--- a/modules/profile/manifests/postgresql.pp
+++ b/modules/profile/manifests/postgresql.pp
@@ -1,4 +1,7 @@
-class profile::postgresql {
+class profile::postgresql (
+ Optional[String] $pg_user = "postgres",
+ Optional[String] $pg_group = "postgres",
+) {
 $password_seed = lookup("base_installation::puppet_pass_seed")
 class { '::postgresql::globals':
@@ -7,16 +10,13 @@ class profile::postgresql {
 pg_hba_conf_defaults => false,
 }
- # FIXME: get it from the postgresql module?
- $pg_user = "postgres"
-
 class { '::postgresql::client': }
 # FIXME: postgresql module is buggy and doesn't create dir?
 file { "/var/lib/postgres":
 ensure => directory,
 owner => $pg_user,
- group => $pg_user,
+ group => $pg_group,
 before => File["/var/lib/postgres/data"],
 require => Package["postgresql-server"],
 }
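Review bot: The new class parameters are typed `Optional[String]` although their defaults and every visible consumer (`owner => $pg_user`, `group => $pg_group` on `/var/lib/postgres`, and `$::profile::postgresql::pg_user` in the cryptoportfolio role) need a concrete account name; an explicit `undef` from Hiera would compile into a file resource with no owner/group instead of failing at catalog compilation. `String[1] $pg_user = "postgres",` and `String[1] $pg_group = "postgres",` express the intent and reject the empty/undef case. A short header comment would also help, e.g. `# $pg_user/$pg_group: OS account the server runs as; must match what the postgresql module creates`. The class body continues beyond the hunk.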
@@ -26,59 +26,7 @@ class profile::postgresql {
 listen_addresses => "*",
 }
- postgresql::server::pg_hba_rule { 'local access as postgres user':
- description => 'Allow local access to postgres user',
- type => 'local',
- database => 'all',
- user => $pg_user,
- auth_method => 'ident',
- order => "00-01",
- }
- postgresql::server::pg_hba_rule { 'localhost access as postgres user':
- description => 'Allow localhost access to postgres user',
- type => 'host',
- database => 'all',
- user => $pg_user,
- address => "127.0.0.1/32",
- auth_method => 'md5',
- order => "00-02",
- }
- postgresql::server::pg_hba_rule { 'localhost ip6 access as postgres user':
- description => 'Allow localhost access to postgres user',
- type => 'host',
- database => 'all',
- user => $pg_user,
- address => "::1/128",
- auth_method => 'md5',
- order => "00-03",
- }
- postgresql::server::pg_hba_rule { 'deny access to postgresql user':
- description => 'Deny remote access to postgres user',
- type => 'host',
- database => 'all',
- user => $pg_user,
- address => "0.0.0.0/0",
- auth_method => 'reject',
- order => "00-04",
- }
-
- postgresql::server::pg_hba_rule { 'local access':
- description => 'Allow local access with password',
- type => 'local',
- database => 'all',
- user => 'all',
- auth_method => 'md5',
- order => "10-01",
- }
-
- postgresql::server::pg_hba_rule { 'local access with same name':
- description => 'Allow local access with same name',
- type => 'local',
- database => 'all',
- user => 'all',
- auth_method => 'ident',
- order => "10-02",
- }
+ profile::postgresql::base_pg_hba_rules { "default": }
 }
diff --git a/modules/profile/manifests/postgresql/base_pg_hba_rules.pp b/modules/profile/manifests/postgresql/base_pg_hba_rules.pp
index 13ab4ff..07c4bb6 100644
--- a/modules/profile/manifests/postgresql/base_pg_hba_rules.pp
+++ b/modules/profile/manifests/postgresql/base_pg_hba_rules.pp
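Review bot: With `listen_addresses => "*"` kept in the context and `pg_hba_conf_defaults => false` set earlier in this class, the single line `profile::postgresql::base_pg_hba_rules { "default": }` is now the entire network access policy for every host that includes this profile, so it deserves a comment stating what it guarantees, e.g. `# Sole pg_hba policy: loopback/socket access only, remote postgres superuser rejected — see profile::postgresql::base_pg_hba_rules`. The inline rules being removed rejected the postgres user only from `0.0.0.0/0` (no `::/0`), and allowed md5 ("10-01") before ident ("10-02") for local connections; the define's equivalent rules are only partly visible in the next file, so confirm its "deny access to postgresql user" rule also covers IPv6 and that its local-rule ordering is the one intended. The define is invoked with no arguments; if it still declares a required parameter (the `$pg_path` reference being removed from it suggests it had at least one), catalog compilation will fail, so its signature is worth checking in the same change.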
@@ -43,8 +43,6 @@ define profile::postgresql::base_pg_hba_rules (
 address => "::1/128",
 auth_method => 'md5',
 order => "00-03",
- target => "$pg_path/pg_hba.conf",
- postgresql_version => "10",
 }
 postgresql::server::pg_hba_rule { "$title - deny access to postgresql user":
 description => 'Deny remote access to postgres user',
diff --git a/modules/role/manifests/cryptoportfolio/postgresql.pp b/modules/role/manifests/cryptoportfolio/postgresql.pp
index 776b30f..addad67 100644
--- a/modules/role/manifests/cryptoportfolio/postgresql.pp
+++ b/modules/role/manifests/cryptoportfolio/postgresql.pp
@@ -2,194 +2,40 @@ class role::cryptoportfolio::postgresql inherits role::cryptoportfolio {
 $password_seed = lookup("base_installation::puppet_pass_seed")
 $pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio")
- $pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication")
- file { "/var/lib/postgres/data/certs":
- ensure => directory,
- mode => "0700",
- owner => $::profile::postgresql::pg_user,
- group => $::profile::postgresql::pg_user,
- require => File["/var/lib/postgres"],
- }
-
- file { "/var/lib/postgres/data/certs/cert.pem":
- source => "file:///etc/letsencrypt/live/$web_host/cert.pem",
- mode => "0600",
- links => "follow",
- owner => $::profile::postgresql::pg_user,
- group => $::profile::postgresql::pg_user,
- require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
- }
-
- file { "/var/lib/postgres/data/certs/privkey.pem":
- source => "file:///etc/letsencrypt/live/$web_host/privkey.pem",
- mode => "0600",
- links => "follow",
- owner => $::profile::postgresql::pg_user,
- group => $::profile::postgresql::pg_user,
- require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
- }
-
- postgresql_replication_slot { $pg_user_replication:
- ensure => present
- }
-
- postgresql::server::config_entry { "wal_level":
- value => "logical",
- }
-
- postgresql::server::config_entry { "ssl":
- value => "on",
- require => Letsencrypt::Certonly[$web_host],
- }
-
- postgresql::server::config_entry { "ssl_cert_file":
- value => "/var/lib/postgres/data/certs/cert.pem",
- require => Letsencrypt::Certonly[$web_host],
- }
-
- postgresql::server::config_entry { "ssl_key_file":
- value => "/var/lib/postgres/data/certs/privkey.pem",
- require => Letsencrypt::Certonly[$web_host],
+ profile::postgresql::master { "postgresql master for cryptoportfolio":
+ letsencrypt_host => $web_host,
+ backup_hosts => ["backup-1"],
 }
 postgresql::server::db { $pg_db:
 user =>
$pg_user,
 password => postgresql_password($pg_user, $pg_password),
 }
- ->
- postgresql_psql { "CREATE PUBLICATION ${pg_db}_publication FOR ALL TABLES":
- db => $pg_db,
- unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${pg_db}_publication'",
- }
- ->
- postgresql::server::role { $pg_user_replication:
- db => $pg_db,
- replication => true,
- password_hash => postgresql_password($pg_user_replication, $pg_replication_password),
- }
- ->
- postgresql::server::database_grant { $pg_user_replication:
- db => $pg_db,
- privilege => "CONNECT",
- role => $pg_user_replication,
- }
- ->
- postgresql::server::grant { "all tables in schema:public:$pg_user_replication":
- db => $pg_db,
- role => $pg_user_replication,
- privilege => "SELECT",
- object_type => "ALL TABLES IN SCHEMA",
- object_name => "public",
- }
- ->
- postgresql::server::grant { "all sequences in schema:public:$pg_user_replication":
- db => $pg_db,
- role => $pg_user_replication,
- privilege => "SELECT",
- object_type => "ALL SEQUENCES IN SCHEMA",
- object_name => "public",
- }
 postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user':
- type => 'host',
+ type => 'local',
 database => $pg_db,
 user => $pg_user,
- address => '127.0.0.1/32',
- auth_method => 'md5',
+ auth_method => 'ident',
 order => "05-01",
 }
- postgresql::server::pg_hba_rule { 'allow localhost ip6 TCP access to cryptoportfolio user':
- type => 'host',
- database => $pg_db,
- user => $pg_user,
- address => '::1/128',
- auth_method => 'md5',
- order => "05-01",
- }
-
- postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu for replication':
- type => 'hostssl',
- database => 'replication',
- user => $pg_user_replication,
- address => 'immae.eu',
- auth_method => 'md5',
- order => "05-01",
- }
-
- postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu':
- type => 'hostssl',
- database => $pg_db,
- user => $pg_user_replication,
- address =>
'immae.eu',
- auth_method => 'md5',
- order => "05-02",
- }
-
- $backup_host = "backup-1"
- unless empty($backup_host) {
- ensure_packages(["pam_ldap"])
-
- $facts["ldapvar"]["other"].each |$host| {
- if ($host["cn"][0] == $backup_host) {
- $host["ipHostNumber"].each |$ip| {
- $infos = split($ip, "/")
- $ipaddress = $infos[0]
- if (length($infos) == 1 and $ipaddress =~ /:/) {
- $mask = "128"
- } elsif (length($infos) == 1) {
- $mask = "32"
- } else {
- $mask = $infos[1]
- }
-
- postgresql::server::pg_hba_rule { "allow TCP access to replication user from backup for replication from $ipaddress/$mask":
- type => 'hostssl',
- database => 'replication',
- user => 'all',
- address => "$ipaddress/$mask",
- auth_method => 'pam',
- order => "06-01",
- }
- }
-
- postgresql::server::role { $backup_host:
- replication => true,
- }
-
- postgresql_replication_slot { regsubst($backup_host, '-', "_", "G"):
- ensure => present
- }
- }
- }
-
- $ldap_server = lookup("base_installation::ldap_server")
- $ldap_base = lookup("base_installation::ldap_base")
- $ldap_dn = lookup("base_installation::ldap_dn")
- $ldap_password = generate_password(24, $password_seed, "ldap")
- $ldap_attribute = "cn"
-
- file { "/etc/pam_ldap.d":
- ensure => directory,
- mode => "0755",
- owner => "root",
- group => "root",
- } ->
- file { "/etc/pam_ldap.d/postgresql.conf":
- ensure => "present",
- mode => "0600",
- owner => $::profile::postgresql::pg_user,
- group => "root",
- content => template("role/cryptoportfolio/pam_ldap_postgresql.conf.erb"),
- } ->
- file { "/etc/pam.d/postgresql":
- ensure => "present",
- mode => "0644",
- owner => "root",
- group => "root",
- source => "puppet:///modules/role/cryptoportfolio/pam_postgresql"
- }
+ # cleanup
+ postgresql_psql { "DROP PUBLICATION ${pg_db}_publication":
+ db => $pg_db,
+ onlyif => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${pg_db}_publication'",
+ } ->
+ postgresql_replication_slot { $pg_user_replication:
+ ensure => absent
+ } ->
postgresql_psql { "DROP OWNED BY $pg_user_replication":
+ db => $pg_db,
+ onlyif => "SELECT 1 FROM pg_user WHERE usename='$pg_user_replication'"
+ } ->
+ postgresql::server::role { $pg_user_replication:
+ ensure => absent,
 }
+ # /cleanup
 }
-- 2.41.0
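Review bot: The surviving rule still carries the title 'allow localhost TCP access to cryptoportfolio user' but is now `type => 'local'` with `auth_method => 'ident'`, i.e. a Unix-socket rule on which PostgreSQL applies peer authentication (ident on a local connection is treated as peer), so the name is misleading and — because this rule at "05-01" matches before the base rules and pg_hba stops at the first match — the `$pg_password` still generated and set on `postgresql::server::db` can no longer be used by this user, who must instead connect as an OS account named `$pg_user`; confirm that is the deployment model and rename the resource (e.g. `'allow local socket (peer) access to cryptoportfolio user'`), ideally with `auth_method => 'peer'` stated explicitly. The cleanup block removes the publication, slot and replication role, but the other resources dropped here — `/etc/pam_ldap.d/postgresql.conf` (rendered with a generated LDAP password), the copied Let's Encrypt private key under `/var/lib/postgres/data/certs`, and the `$backup_host` role and replication slot — are not ensured absent, so unless `profile::postgresql::master` now manages them they remain on already-provisioned hosts. Note also that `DROP OWNED BY` only affects the current database (`$pg_db`), so `ensure => absent` on the role will fail if it owns objects elsewhere, and dropping the slot fails while a subscriber is still attached; a comment such as `# cleanup of the pre-refactor logical-replication setup; remove once every host has applied it` would make the temporary nature of the block clear. The enclosing class starts one line above the hunk.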