class role::cryptoportfolio::postgresql inherits role::cryptoportfolio {
$password_seed = lookup("base_installation::puppet_pass_seed")
$pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio")
$pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication")
file { "/var/lib/postgres/data/certs":
ensure => directory,
mode => "0700",
owner => $::profile::postgresql::pg_user,
group => $::profile::postgresql::pg_user,
require => File["/var/lib/postgres"],
}
file { "/var/lib/postgres/data/certs/cert.pem":
source => "file:///etc/letsencrypt/live/$web_host/cert.pem",
mode => "0600",
links => "follow",
owner => $::profile::postgresql::pg_user,
group => $::profile::postgresql::pg_user,
require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
}
file { "/var/lib/postgres/data/certs/privkey.pem":
source => "file:///etc/letsencrypt/live/$web_host/privkey.pem",
mode => "0600",
links => "follow",
owner => $::profile::postgresql::pg_user,
group => $::profile::postgresql::pg_user,
require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
}
postgresql_replication_slot { $pg_user_replication:
ensure => present
}
postgresql::server::config_entry { "wal_level":
value => "logical",
}
postgresql::server::config_entry { "ssl":
value => "on",
require => Letsencrypt::Certonly[$web_host],
}
postgresql::server::config_entry { "ssl_cert_file":
value => "/var/lib/postgres/data/certs/cert.pem",
require => Letsencrypt::Certonly[$web_host],
}
postgresql::server::config_entry { "ssl_key_file":
value => "/var/lib/postgres/data/certs/privkey.pem",
require => Letsencrypt::Certonly[$web_host],
}
postgresql::server::db { $pg_db:
user => $pg_user,
password => postgresql_password($pg_user, $pg_password),
}
->
postgresql_psql { "CREATE PUBLICATION ${pg_db}_publication FOR ALL TABLES":
db => $pg_db,
unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${pg_db}_publication'",
}
->
postgresql::server::role { $pg_user_replication:
db => $pg_db,
replication => true,
password_hash => postgresql_password($pg_user_replication, $pg_replication_password),
}
->
postgresql::server::database_grant { $pg_user_replication:
db => $pg_db,
privilege => "CONNECT",
role => $pg_user_replication,
}
->
postgresql::server::grant { "all tables in schema:public:$pg_user_replication":
db => $pg_db,
role => $pg_user_replication,
privilege => "SELECT",
object_type => "ALL TABLES IN SCHEMA",
object_name => "public",
}
->
postgresql::server::grant { "all sequences in schema:public:$pg_user_replication":
db => $pg_db,
role => $pg_user_replication,
privilege => "SELECT",
object_type => "ALL SEQUENCES IN SCHEMA",
object_name => "public",
}
postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user':
type => 'host',
database => $pg_db,
user => $pg_user,
address => '127.0.0.1/32',
auth_method => 'md5',
order => "05-01",
}
postgresql::server::pg_hba_rule { 'allow localhost ip6 TCP access to cryptoportfolio user':
type => 'host',
database => $pg_db,
user => $pg_user,
address => '::1/128',
auth_method => 'md5',
order => "05-01",
}
postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu for replication':
type => 'hostssl',
database => 'replication',
user => $pg_user_replication,
address => 'immae.eu',
auth_method => 'md5',
order => "05-01",
}
postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu':
type => 'hostssl',
database => $pg_db,
user => $pg_user_replication,
address => 'immae.eu',
auth_method => 'md5',
order => "05-02",
}
$backup_host = "backup-1"
unless empty($backup_host) {
ensure_packages(["pam_ldap"])
$facts["ldapvar"]["other"].each |$host| {
if ($host["cn"][0] == $backup_host) {
$host["ipHostNumber"].each |$ip| {
$infos = split($ip, "/")
$ipaddress = $infos[0]
if (length($infos) == 1 and $ipaddress =~ /:/) {
$mask = "128"
} elsif (length($infos) == 1) {
$mask = "32"
} else {
$mask = $infos[1]
}
postgresql::server::pg_hba_rule { "allow TCP access to replication user from backup for replication from $ipaddress/$mask":
type => 'hostssl',
database => 'replication',
user => 'all',
address => "$ipaddress/$mask",
auth_method => 'pam',
order => "06-01",
}
}
postgresql::server::role { $backup_host:
replication => true,
}
postgresql_replication_slot { regsubst($backup_host, '-', "_", "G"):
ensure => present
}
}
}
$ldap_server = lookup("base_installation::ldap_server")
$ldap_base = lookup("base_installation::ldap_base")
$ldap_dn = lookup("base_installation::ldap_dn")
$ldap_password = generate_password(24, $password_seed, "ldap")
$ldap_attribute = "cn"
file { "/etc/pam_ldap.d":
ensure => directory,
mode => "0755",
owner => "root",
group => "root",
} ->
file { "/etc/pam_ldap.d/postgresql.conf":
ensure => "present",
mode => "0644",
owner => "root",
group => "root",
content => template("role/cryptoportfolio/pam_ldap_postgresql.conf.erb"),
} ->
file { "/etc/pam.d/postgresql":
ensure => "present",
mode => "0644",
owner => "root",
group => "root",
source => "puppet:///modules/role/cryptoportfolio/pam_postgresql"
}
}
}
