aboutsummaryrefslogblamecommitdiff
path: root/modules/role/manifests/cryptoportfolio/postgresql.pp
blob: 776b30f5776bd2c5871ffe8f73b437c8235c1256 (plain) (tree)































                                                                                                          



                                                     









































































                                                                                               








                                                                                                         





                                                                                         
                           

   



















































                                                                                                                                     

                                                 











                                                                               
 
class role::cryptoportfolio::postgresql inherits role::cryptoportfolio {
  $password_seed = lookup("base_installation::puppet_pass_seed")

  $pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio")
  $pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication")

  file { "/var/lib/postgres/data/certs":
    ensure  => directory,
    mode    => "0700",
    owner   => $::profile::postgresql::pg_user,
    group   => $::profile::postgresql::pg_user,
    require => File["/var/lib/postgres"],
  }

  file { "/var/lib/postgres/data/certs/cert.pem":
    source  => "file:///etc/letsencrypt/live/$web_host/cert.pem",
    mode    => "0600",
    links   => "follow",
    owner   => $::profile::postgresql::pg_user,
    group   => $::profile::postgresql::pg_user,
    require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
  }

  file { "/var/lib/postgres/data/certs/privkey.pem":
    source  => "file:///etc/letsencrypt/live/$web_host/privkey.pem",
    mode    => "0600",
    links   => "follow",
    owner   => $::profile::postgresql::pg_user,
    group   => $::profile::postgresql::pg_user,
    require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
  }

  postgresql_replication_slot { $pg_user_replication:
    ensure => present
  }

  postgresql::server::config_entry { "wal_level":
    value   => "logical",
  }

  postgresql::server::config_entry { "ssl":
    value   => "on",
    require => Letsencrypt::Certonly[$web_host],
  }

  postgresql::server::config_entry { "ssl_cert_file":
    value   => "/var/lib/postgres/data/certs/cert.pem",
    require => Letsencrypt::Certonly[$web_host],
  }

  postgresql::server::config_entry { "ssl_key_file":
    value   => "/var/lib/postgres/data/certs/privkey.pem",
    require => Letsencrypt::Certonly[$web_host],
  }

  postgresql::server::db { $pg_db:
    user     =>  $pg_user,
    password =>  postgresql_password($pg_user, $pg_password),
  }
  ->
  postgresql_psql { "CREATE PUBLICATION ${pg_db}_publication FOR ALL TABLES":
    db     => $pg_db,
    unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${pg_db}_publication'",
  }
  ->
  postgresql::server::role { $pg_user_replication:
    db            => $pg_db,
    replication   => true,
    password_hash => postgresql_password($pg_user_replication, $pg_replication_password),
  }
  ->
  postgresql::server::database_grant { $pg_user_replication:
    db        => $pg_db,
    privilege => "CONNECT",
    role      => $pg_user_replication,
  }
  ->
  postgresql::server::grant { "all tables in schema:public:$pg_user_replication":
    db          => $pg_db,
    role        => $pg_user_replication,
    privilege   => "SELECT",
    object_type => "ALL TABLES IN SCHEMA",
    object_name => "public",
  }
  ->
  postgresql::server::grant { "all sequences in schema:public:$pg_user_replication":
    db          => $pg_db,
    role        => $pg_user_replication,
    privilege   => "SELECT",
    object_type => "ALL SEQUENCES IN SCHEMA",
    object_name => "public",
  }

  postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user':
    type        => 'host',
    database    => $pg_db,
    user        => $pg_user,
    address     => '127.0.0.1/32',
    auth_method => 'md5',
    order       => "05-01",
  }
  postgresql::server::pg_hba_rule { 'allow localhost ip6 TCP access to cryptoportfolio user':
    type        => 'host',
    database    => $pg_db,
    user        => $pg_user,
    address     => '::1/128',
    auth_method => 'md5',
    order       => "05-01",
  }

  postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu for replication':
    type        => 'hostssl',
    database    => 'replication',
    user        => $pg_user_replication,
    address     => 'immae.eu',
    auth_method => 'md5',
    order       => "05-01",
  }

  postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu':
    type        => 'hostssl',
    database    => $pg_db,
    user        => $pg_user_replication,
    address     => 'immae.eu',
    auth_method => 'md5',
    order       => "05-02",
  }

  $backup_host = "backup-1"

  unless empty($backup_host) {
    ensure_packages(["pam_ldap"])

    $facts["ldapvar"]["other"].each |$host| {
      if ($host["cn"][0] == $backup_host) {
        $host["ipHostNumber"].each |$ip| {
          $infos = split($ip, "/")
          $ipaddress = $infos[0]
          if (length($infos) == 1 and $ipaddress =~ /:/) {
            $mask = "128"
          } elsif (length($infos) == 1) {
            $mask = "32"
          } else {
            $mask = $infos[1]
          }

          postgresql::server::pg_hba_rule { "allow TCP access to replication user from backup for replication from $ipaddress/$mask":
            type        => 'hostssl',
            database    => 'replication',
            user        => 'all',
            address     => "$ipaddress/$mask",
            auth_method => 'pam',
            order       => "06-01",
          }
        }

        postgresql::server::role { $backup_host:
          replication => true,
        }

        postgresql_replication_slot { regsubst($backup_host, '-', "_", "G"):
          ensure => present
        }
      }
    }

    $ldap_server = lookup("base_installation::ldap_server")
    $ldap_base   = lookup("base_installation::ldap_base")
    $ldap_dn     = lookup("base_installation::ldap_dn")
    $ldap_password = generate_password(24, $password_seed, "ldap")
    $ldap_attribute = "cn"

    file { "/etc/pam_ldap.d":
      ensure => directory,
      mode   => "0755",
      owner  => "root",
      group  => "root",
    } ->
    file { "/etc/pam_ldap.d/postgresql.conf":
      ensure  => "present",
      mode    => "0600",
      owner   => $::profile::postgresql::pg_user,
      group   => "root",
      content => template("role/cryptoportfolio/pam_ldap_postgresql.conf.erb"),
    } ->
    file { "/etc/pam.d/postgresql":
      ensure => "present",
      mode   => "0644",
      owner  => "root",
      group  => "root",
      source => "puppet:///modules/role/cryptoportfolio/pam_postgresql"
    }
  }

}