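class role::cryptoportfolio::postgresql_backup inherits role::backup {
  # This manifest is supposed to be part of the backup server.
  #
  # For every host listed in $pg_backup_hosts it:
  #   * creates a postgres-owned cluster directory below $mountpoint
  #     ($mountpoint is not set in this file; it presumably comes from the
  #     inherited role::backup class -- verify there),
  #   * takes a one-time pg_basebackup from that host through a replication
  #     slot,
  #   * writes pg_hba.conf / recovery.conf / postgresql.conf for a streaming
  #     standby (recovery.conf is the pre-PostgreSQL-12 standby mechanism,
  #     consistent with postgresql_version => "10" below), and
  #   * runs the standby through the postgresql_backup@<host> systemd
  #     template unit declared at the end of the class.
  $password_seed = lookup("base_installation::puppet_pass_seed")
  $user          = lookup("role::backup::user")
  $group         = lookup("role::backup::group")
  $pg_user       = "postgres"
  $pg_group      = "postgres"
  $ldap_cn       = lookup("base_installation::ldap_cn")
  # Replication credential derived deterministically from the seed. It is
  # handed to pg_basebackup through the environment and written into
  # recovery.conf, so that file must stay unreadable to other users.
  $ldap_password = generate_password(24, $password_seed, "ldap")
  # Replication slot names may not contain '-', so derive one from the CN.
  # Reused for both the base backup and primary_slot_name below.
  $pg_slot       = regsubst($ldap_cn, '-', "_", "G")

  ensure_packages(["postgresql"])

  $pg_backup_hosts = ["cryptoportfolio-dev.immae.eu"]

  $pg_backup_hosts.each |$pg_backup_host| {
    $pg_path = "$mountpoint/$pg_backup_host/postgresql"
    $pg_host = $pg_backup_host
    $pg_port = "5432"

    file { "$mountpoint/$pg_backup_host":
      ensure => directory,
      owner  => $user,
      group  => $group,
    }

    # The standby's data directory. PostgreSQL refuses to start on a cluster
    # directory that is group/world accessible, hence the explicit 0700.
    file { $pg_path:
      ensure  => directory,
      owner   => $pg_user,
      group   => $pg_group,
      mode    => "0700",
      require => File["$mountpoint/$pg_backup_host"],
    }

    # One-shot initial copy of the primary; `creates` keeps it from ever
    # re-running over an existing cluster. The password goes through the
    # environment (PGPASSWORD, with `-w` disabling the prompt) rather than
    # the command line. PGSSLMODE=require makes the base backup use TLS,
    # matching the sslmode=require of the streaming connection configured in
    # recovery.conf below; without it libpq would silently fall back to a
    # clear-text connection for the full copy of the cluster.
    exec { "pg_basebackup $pg_path":
      cwd         => $pg_path,
      user        => $pg_user,
      creates     => "$pg_path/PG_VERSION",
      environment => [
        "PGPASSWORD=$ldap_password",
        "PGSSLMODE=require",
      ],
      command     => "/usr/bin/pg_basebackup -w -h $pg_host -p $pg_port -U $ldap_cn -D $pg_path -S $pg_slot",
      before      => [
        Concat["$pg_path/pg_hba.conf"],
        Concat["$pg_path/recovery.conf"],
        File["$pg_path/postgresql.conf"],
      ],
    }

    # pg_hba.conf is assembled from the rules below, sorted by `order`.
    # pg_hba is first-match, so the postgres superuser rules (00-*) come
    # before the generic rules (10-*): local peer/password access is allowed,
    # remote access for the superuser is explicitly rejected.
    concat { "$pg_path/pg_hba.conf":
      owner => $pg_user,
      group => $pg_group,
      mode  => '0640',
      warn  => true,
    }

    postgresql::server::pg_hba_rule { "$pg_backup_host - local access as postgres user":
      description        => 'Allow local access to postgres user',
      type               => 'local',
      database           => 'all',
      user               => $pg_user,
      auth_method        => 'ident',
      order              => "00-01",
      target             => "$pg_path/pg_hba.conf",
      postgresql_version => "10",
    }

    postgresql::server::pg_hba_rule { "$pg_backup_host - localhost access as postgres user":
      description        => 'Allow localhost access to postgres user',
      type               => 'host',
      database           => 'all',
      user               => $pg_user,
      address            => "127.0.0.1/32",
      auth_method        => 'md5',
      order              => "00-02",
      target             => "$pg_path/pg_hba.conf",
      postgresql_version => "10",
    }

    postgresql::server::pg_hba_rule { "$pg_backup_host - localhost ip6 access as postgres user":
      description        => 'Allow localhost access to postgres user',
      type               => 'host',
      database           => 'all',
      user               => $pg_user,
      address            => "::1/128",
      auth_method        => 'md5',
      order              => "00-03",
      target             => "$pg_path/pg_hba.conf",
      postgresql_version => "10",
    }

    postgresql::server::pg_hba_rule { "$pg_backup_host - deny access to postgresql user":
      description        => 'Deny remote access to postgres user',
      type               => 'host',
      database           => 'all',
      user               => $pg_user,
      address            => "0.0.0.0/0",
      auth_method        => 'reject',
      order              => "00-04",
      target             => "$pg_path/pg_hba.conf",
      postgresql_version => "10",
    }

    # IPv6 counterpart of the reject rule above. pg_hba denies connections
    # that match no rule anyway, but the explicit reject keeps the policy
    # symmetric and readable for both address families.
    postgresql::server::pg_hba_rule { "$pg_backup_host - deny ip6 access to postgresql user":
      description        => 'Deny remote ip6 access to postgres user',
      type               => 'host',
      database           => 'all',
      user               => $pg_user,
      address            => "::/0",
      auth_method        => 'reject',
      order              => "00-05",
      target             => "$pg_path/pg_hba.conf",
      postgresql_version => "10",
    }

    postgresql::server::pg_hba_rule { "$pg_backup_host - local access":
      description        => 'Allow local access with password',
      type               => 'local',
      database           => 'all',
      user               => 'all',
      auth_method        => 'md5',
      order              => "10-01",
      target             => "$pg_path/pg_hba.conf",
      postgresql_version => "10",
    }

    postgresql::server::pg_hba_rule { "$pg_backup_host - local access with same name":
      description        => 'Allow local access with same name',
      type               => 'local',
      database           => 'all',
      user               => 'all',
      auth_method        => 'ident',
      order              => "10-02",
      target             => "$pg_path/pg_hba.conf",
      postgresql_version => "10",
    }

    # recovery.conf carries the replication password in clear text in
    # primary_conninfo; 0640 owned by postgres keeps it off other users.
    concat { "$pg_path/recovery.conf":
      owner => $pg_user,
      group => $pg_group,
      mode  => '0640',
      warn  => true,
    }

    postgresql::server::recovery { "$pg_backup_host recovery":
      primary_conninfo  => "host=$pg_host port=$pg_port user=$ldap_cn password=$ldap_password sslmode=require",
      primary_slot_name => $pg_slot,
      standby_mode      => "on",
      target            => "$pg_path/recovery.conf",
    }

    file { "$pg_path/postgresql.conf":
      owner   => $pg_user,
      group   => $pg_group,
      mode    => '0640',
      content => template("role/cryptoportfolio/postgresql_backup.conf.erb"),
    }

    # One instance of the template unit per backed-up host; it must not start
    # before the base backup and all three configuration files are in place.
    service { "postgresql_backup@$pg_backup_host":
      enable  => true,
      ensure  => "running",
      require => [
        File["/etc/systemd/system/postgresql_backup@.service"],
        Concat["$pg_path/pg_hba.conf"],
        Concat["$pg_path/recovery.conf"],
        File["$pg_path/postgresql.conf"],
      ],
    }
  }

  # Shared systemd template unit instantiated per host above.
  file { "/etc/systemd/system/postgresql_backup@.service":
    mode    => "0644",
    owner   => "root",
    group   => "root",
    content => template("role/cryptoportfolio/postgresql_backup@.service.erb"),
  }
}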