From f568173a3d8a43ac30fa9294a75c260042b9e415 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Isma=C3=ABl=20Bouya?=
Date: Mon, 18 Jun 2018 14:09:05 +0200
Subject: [PATCH] Add postgresql_master profile
---
.../files/postgresql_master/pam_postgresql | 3 +
.../profile/manifests/postgresql_master.pp | 116 ++++++++++++++++++
.../pam_ldap_postgresql.conf.erb | 6 +
modules/role/manifests/etherpad.pp | 52 +-------
4 files changed, 131 insertions(+), 46 deletions(-)
create mode 100644 modules/profile/files/postgresql_master/pam_postgresql
create mode 100644 modules/profile/manifests/postgresql_master.pp
create mode 100644 modules/profile/templates/postgresql_master/pam_ldap_postgresql.conf.erb
diff --git a/modules/profile/files/postgresql_master/pam_postgresql b/modules/profile/files/postgresql_master/pam_postgresql
new file mode 100644
index 0000000..70a90ae
--- /dev/null
+++ b/modules/profile/files/postgresql_master/pam_postgresql
@@ -0,0 +1,3 @@
+auth required pam_ldap.so config=/etc/pam_ldap.d/postgresql.conf
+account required pam_ldap.so config=/etc/pam_ldap.d/postgresql.conf
+
diff --git a/modules/profile/manifests/postgresql_master.pp b/modules/profile/manifests/postgresql_master.pp
new file mode 100644
index 0000000..3f68890
--- /dev/null
+++ b/modules/profile/manifests/postgresql_master.pp
@@ -0,0 +1,116 @@
+define profile::postgresql_master (
+ $letsencrypt_host = undef,
+ $backup_hosts = [],
+) {
+ $password_seed = lookup("base_installation::puppet_pass_seed")
+
+ ensure_resource("file", "/var/lib/postgres/data/certs", {
+ ensure => directory,
+ mode => "0700",
+ owner => $::profile::postgresql::pg_user,
+ group => $::profile::postgresql::pg_user,
+ require => File["/var/lib/postgres"],
+ })
+
+ ensure_resource("file", "/var/lib/postgres/data/certs/cert.pem", {
+ source => "file:///etc/letsencrypt/live/$letsencrypt_host/cert.pem",
+ mode => "0600",
+ links => "follow",
+ owner => $::profile::postgresql::pg_user,
+ group => $::profile::postgresql::pg_user,
+ require => [Letsencrypt::Certonly[$letsencrypt_host], File["/var/lib/postgres/data/certs"]]
+ })
+
+ ensure_resource("file", "/var/lib/postgres/data/certs/privkey.pem", {
+ source => "file:///etc/letsencrypt/live/$letsencrypt_host/privkey.pem",
+ mode => "0600",
+ links => "follow",
+ owner => $::profile::postgresql::pg_user,
+ group => $::profile::postgresql::pg_user,
+ require => [Letsencrypt::Certonly[$letsencrypt_host], File["/var/lib/postgres/data/certs"]]
+ })
+
+ ensure_resource("postgresql::server::config_entry", "wal_level", {
+ value => "logical",
+ })
+
+ ensure_resource("postgresql::server::config_entry", "ssl", {
+ value => "on",
+ require => Letsencrypt::Certonly[$letsencrypt_host],
+ })
+
+ ensure_resource("postgresql::server::config_entry", "ssl_cert_file", {
+ value => "/var/lib/postgres/data/certs/cert.pem",
+ require => Letsencrypt::Certonly[$letsencrypt_host],
+ })
+
+ ensure_resource("postgresql::server::config_entry", "ssl_key_file", {
+ value => "/var/lib/postgres/data/certs/privkey.pem",
+ require => Letsencrypt::Certonly[$letsencrypt_host],
+ })
+
+ $backup_hosts.each |$backup_host| {
+ ensure_packages(["pam_ldap"])
+
+ $facts["ldapvar"]["other"].each |$host| {
+ if ($host["cn"][0] == $backup_host) {
+ $host["ipHostNumber"].each |$ip| {
+ $infos = split($ip, "/")
+ $ipaddress = $infos[0]
+ if (length($infos) == 1 and $ipaddress =~ /:/) {
+ $mask = "128"
+ } elsif (length($infos) == 1) {
+ $mask = "32"
+ } else {
+ $mask = $infos[1]
+ }
+
+ postgresql::server::pg_hba_rule { "allow TCP access to replication user from backup for replication from $ipaddress/$mask":
+ type => 'hostssl',
+ database => 'replication',
+ user => $backup_host,
+ address => "$ipaddress/$mask",
+ auth_method => 'pam',
+ order => "06-01",
+ }
+ }
+
+ postgresql::server::role { $backup_host:
+ replication => true,
+ }
+
+ postgresql_replication_slot { regsubst($backup_host, '-', "_", "G"):
+ ensure => present
+ }
+ }
+ }
+
+ $ldap_server = lookup("base_installation::ldap_server")
+ $ldap_base = lookup("base_installation::ldap_base")
+ $ldap_dn = lookup("base_installation::ldap_dn")
+ $ldap_password = generate_password(24, $password_seed, "ldap")
+ $ldap_attribute = "cn"
+
+ file { "/etc/pam_ldap.d":
+ ensure => directory,
+ mode => "0755",
+ owner => "root",
+ group => "root",
+ } ->
+ file { "/etc/pam_ldap.d/postgresql.conf":
+ ensure => "present",
+ mode => "0600",
+ owner => $::profile::postgresql::pg_user,
+ group => "root",
+ content => template("profile/postgresql_master/pam_ldap_postgresql.conf.erb"),
+ } ->
+ file { "/etc/pam.d/postgresql":
+ ensure => "present",
+ mode => "0644",
+ owner => "root",
+ group => "root",
+ source => "puppet:///modules/profile/postgresql_master/pam_postgresql"
+ }
+ }
+
+}
diff --git a/modules/profile/templates/postgresql_master/pam_ldap_postgresql.conf.erb b/modules/profile/templates/postgresql_master/pam_ldap_postgresql.conf.erb
new file mode 100644
index 0000000..f3d9674
--- /dev/null
+++ b/modules/profile/templates/postgresql_master/pam_ldap_postgresql.conf.erb
@@ -0,0 +1,6 @@
+host <%= @ldap_server %>
+
+base <%= @ldap_base %>
+binddn <%= @ldap_dn %>
+bindpw <%= @ldap_password %>
+pam_login_attribute <%= @ldap_attribute %>
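Review bot: The `file { "/etc/pam_ldap.d" ... }` chain, the `lookup` calls and `ensure_packages(["pam_ldap"])` sit inside `$backup_hosts.each`, so a second entry in `$backup_hosts` (or a second declaration of this define on the same node) declares the same three file resources twice and the catalog fails to compile, while the certificate and `config_entry` resources above already use `ensure_resource` to survive exactly that. Move the pam_ldap package and the three `file` resources out of the loop (guarded by `unless empty($backup_hosts)` if they should only exist when replication is configured), or wrap them in `ensure_resource` like the rest of the define. Separately, `$letsencrypt_host = undef` is the default but the value is interpolated into the certificate paths and into `Letsencrypt::Certonly[$letsencrypt_host]` unconditionally, so an omitted argument yields `file:///etc/letsencrypt/live//cert.pem` and a dangling reference; declaring it as `String $letsencrypt_host,` with no default makes the requirement explicit at compile time.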
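Review bot: The generated pam_ldap configuration sets `host`, `binddn` and `bindpw` but no transport-security directive, so unless the LDAP server is only reachable over TLS (not visible from this diff) the bind password and the password of every replication user authenticated through `auth_method => 'pam'` travel to `<%= @ldap_server %>` as plain LDAP on the default port. If the server supports it, add `ssl start_tls` and `tls_checkpeer yes` to the template, or use a `uri ldaps://...` line in place of `host`, so that PAM enforces the encrypted path rather than relying on the server side. Installing the file as mode 0600 owned by the postgres user, as the manifest does, is the right choice given the `bindpw` it carries.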
diff --git a/modules/role/manifests/etherpad.pp b/modules/role/manifests/etherpad.pp
index 476a210..a43f146 100644
--- a/modules/role/manifests/etherpad.pp
+++ b/modules/role/manifests/etherpad.pp
@@ -66,54 +66,14 @@ class role::etherpad (
 subscribe => Aur::Package["etherpad-lite"],
 }
- $web_host = "outils-1.v.immae.eu"
- $pg_db = "etherpad-lite"
- $pg_user = "etherpad-lite"
+ $web_host = "outils-1.v.immae.eu"
+ $pg_db = "etherpad-lite"
+ $pg_user = "etherpad-lite"
 $pg_password = generate_password(24, $password_seed, "postgres_etherpad")
- file { "/var/lib/postgres/data/certs":
- ensure => directory,
- mode => "0700",
- owner => $::profile::postgresql::pg_user,
- group => $::profile::postgresql::pg_user,
- require => File["/var/lib/postgres"],
- }
-
- file { "/var/lib/postgres/data/certs/cert.pem":
- source => "file:///etc/letsencrypt/live/$web_host/cert.pem",
- mode => "0600",
- links => "follow",
- owner => $::profile::postgresql::pg_user,
- group => $::profile::postgresql::pg_user,
- require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
- }
-
- file { "/var/lib/postgres/data/certs/privkey.pem":
- source => "file:///etc/letsencrypt/live/$web_host/privkey.pem",
- mode => "0600",
- links => "follow",
- owner => $::profile::postgresql::pg_user,
- group => $::profile::postgresql::pg_user,
- require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
- }
-
- postgresql::server::config_entry { "wal_level":
- value => "logical",
- }
-
- postgresql::server::config_entry { "ssl":
- value => "on",
- require => Letsencrypt::Certonly[$web_host],
- }
-
- postgresql::server::config_entry { "ssl_cert_file":
- value => "/var/lib/postgres/data/certs/cert.pem",
- require => Letsencrypt::Certonly[$web_host],
- }
-
- postgresql::server::config_entry { "ssl_key_file":
- value => "/var/lib/postgres/data/certs/privkey.pem",
- require => Letsencrypt::Certonly[$web_host],
+ profile::postgresql_master { "postgresql master for etherpad":
+ letsencrypt_host => $web_host,
+ backup_hosts => ["backup-1"],
 }
 postgresql::server::db { $pg_db:
-- 
2.41.0
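Review bot: `backup_hosts => ["backup-1"]` hard-codes the replica's hostname in the role, and the profile matches that string against the `cn` of `$facts["ldapvar"]["other"]` entries, so a renamed or additional backup host would, as far as the profile's loop shows, silently produce no pg_hba rule and no replication slot rather than an error. Promoting it to a class parameter, `Array[String] $backup_hosts = ["backup-1"],` in the `role::etherpad (` header, and passing `backup_hosts => $backup_hosts,` keeps today's behaviour while letting Hiera override it per node. The class header and the `postgresql::server::db` block lie outside the hunk.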