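class role::cryptoportfolio::postgresql_backup inherits role::backup {
  # Backup-server side of the cryptoportfolio PostgreSQL setup: for every
  # primary listed in $pg_backup_hosts, take one initial copy of the cluster
  # with pg_basebackup, then run a streaming standby (one instance of the
  # postgresql_backup@.service template per host) that follows the primary
  # through a replication slot.
  #
  # $mountpoint is not set here; it is expected to be provided by the parent
  # class role::backup, whose variables this class inherits.

  $password_seed = lookup("base_installation::puppet_pass_seed")

  $user = lookup("role::backup::user")
  $group = lookup("role::backup::group")
  $pg_user = "postgres"
  $pg_group = "postgres"
  # Major version the generated pg_hba.conf is written for; shared by every
  # pg_hba_rule below so the rules cannot drift apart.
  $pg_version = "10"
  # Port of the primaries; used both for the initial base backup and for the
  # streaming connection in recovery.conf.
  $pg_port = "5432"

  $ldap_cn = lookup("base_installation::ldap_cn")
  # The LDAP cn doubles as the replication role on the primary; its password
  # is derived deterministically from the puppet seed.
  $ldap_password = generate_password(24, $password_seed, "ldap")
  # Replication slot names cannot contain '-', so the cn is mangled once and
  # the same value is used for pg_basebackup -S and for recovery.conf.
  $pg_slot = regsubst($ldap_cn, '-', "_", "G")

  ensure_packages(["postgresql"])

  $pg_backup_hosts = ["cryptoportfolio-dev.immae.eu"]

  $pg_backup_hosts.each |$pg_backup_host| {
    $pg_path = "$mountpoint/$pg_backup_host/postgresql"
    $pg_host = $pg_backup_host

    file { "$mountpoint/$pg_backup_host":
      ensure => directory,
      owner  => $user,
      group  => $group,
    }

    # The data directory has to be 0700 or the standby refuses to start.
    # Package["postgresql"] (declared via ensure_packages above) is what
    # creates the postgres user that owns it, so order after it explicitly.
    file { $pg_path:
      ensure  => directory,
      owner   => $pg_user,
      group   => $pg_group,
      mode    => "0700",
      require => [
        File["$mountpoint/$pg_backup_host"],
        Package["postgresql"],
      ],
    }

    # One-shot initial copy of the primary, guarded by PG_VERSION so it is
    # never re-run over an existing data directory. The password is handed
    # over through the environment rather than on the command line so it
    # does not appear in the process list; PGSSLMODE=require gives the base
    # backup the same TLS requirement the streaming connection below has.
    # It must complete before the generated config files are written, since
    # pg_basebackup brings the primary's copies of them along.
    exec { "pg_basebackup $pg_path":
      cwd         => $pg_path,
      user        => $pg_user,
      creates     => "$pg_path/PG_VERSION",
      environment => [
        "PGPASSWORD=$ldap_password",
        "PGSSLMODE=require",
      ],
      command     => "/usr/bin/pg_basebackup -w -h $pg_host -p $pg_port -U $ldap_cn -D $pg_path -S $pg_slot",
      require     => [
        File[$pg_path],
        Package["postgresql"],
      ],
      before      => [
        Concat["$pg_path/pg_hba.conf"],
        Concat["$pg_path/recovery.conf"],
        File["$pg_path/postgresql.conf"],
      ],
    }

    # pg_hba.conf of the standby. Rules are matched first-hit in `order`:
    # the 00-* block pins down the postgres superuser (local/loopback only,
    # everything remote rejected on both IP families), the 10-* block
    # handles every other role on the local socket.
    concat { "$pg_path/pg_hba.conf":
      owner   => $pg_user,
      group   => $pg_group,
      mode    => '0640',
      warn    => true,
    }
    postgresql::server::pg_hba_rule { "$pg_backup_host - local access as postgres user":
      description        => 'Allow local access to postgres user',
      type               => 'local',
      database           => 'all',
      user               => $pg_user,
      auth_method        => 'ident',
      order              => "00-01",
      target             => "$pg_path/pg_hba.conf",
      postgresql_version => $pg_version,
    }
    postgresql::server::pg_hba_rule { "$pg_backup_host - localhost access as postgres user":
      description        => 'Allow localhost access to postgres user',
      type               => 'host',
      database           => 'all',
      user               => $pg_user,
      address            => "127.0.0.1/32",
      auth_method        => 'md5',
      order              => "00-02",
      target             => "$pg_path/pg_hba.conf",
      postgresql_version => $pg_version,
    }
    postgresql::server::pg_hba_rule { "$pg_backup_host - localhost ip6 access as postgres user":
      description        => 'Allow localhost access to postgres user',
      type               => 'host',
      database           => 'all',
      user               => $pg_user,
      address            => "::1/128",
      auth_method        => 'md5',
      order              => "00-03",
      target             => "$pg_path/pg_hba.conf",
      postgresql_version => $pg_version,
    }
    postgresql::server::pg_hba_rule { "$pg_backup_host - deny access to postgresql user":
      description        => 'Deny remote access to postgres user',
      type               => 'host',
      database           => 'all',
      user               => $pg_user,
      address            => "0.0.0.0/0",
      auth_method        => 'reject',
      order              => "00-04",
      target             => "$pg_path/pg_hba.conf",
      postgresql_version => $pg_version,
    }
    # Explicit IPv6 counterpart of the rule above, so the superuser policy
    # does not depend on the implicit "no matching rule" rejection.
    postgresql::server::pg_hba_rule { "$pg_backup_host - deny ip6 access to postgresql user":
      description        => 'Deny remote IPv6 access to postgres user',
      type               => 'host',
      database           => 'all',
      user               => $pg_user,
      address            => "::/0",
      auth_method        => 'reject',
      order              => "00-05",
      target             => "$pg_path/pg_hba.conf",
      postgresql_version => $pg_version,
    }

    postgresql::server::pg_hba_rule { "$pg_backup_host - local access":
      description        => 'Allow local access with password',
      type               => 'local',
      database           => 'all',
      user               => 'all',
      auth_method        => 'md5',
      order              => "10-01",
      target             => "$pg_path/pg_hba.conf",
      postgresql_version => $pg_version,
    }

    postgresql::server::pg_hba_rule { "$pg_backup_host - local access with same name":
      description        => 'Allow local access with same name',
      type               => 'local',
      database           => 'all',
      user               => 'all',
      auth_method        => 'ident',
      order              => "10-02",
      target             => "$pg_path/pg_hba.conf",
      postgresql_version => $pg_version,
    }

    # recovery.conf carries the replication password in clear text, hence
    # 0640 and postgres ownership. sslmode=require only enforces encryption,
    # not the identity of the primary; verify-full would additionally need
    # the primary's CA distributed to this host, which is not managed here.
    concat { "$pg_path/recovery.conf":
      owner  => $pg_user,
      group  => $pg_group,
      mode   => '0640',
      warn   => true,
    }
    postgresql::server::recovery { "$pg_backup_host recovery":
      primary_conninfo  => "host=$pg_host port=$pg_port user=$ldap_cn password=$ldap_password sslmode=require",
      primary_slot_name => $pg_slot,
      standby_mode      => "on",
      target            => "$pg_path/recovery.conf",
    }

    file { "$pg_path/postgresql.conf":
      owner   => $pg_user,
      group   => $pg_group,
      mode    => '0640',
      content => template("role/cryptoportfolio/postgresql_backup.conf.erb"),
    }

    # One systemd template instance per primary; it may only start once the
    # unit file and all three generated config files are in place.
    service { "postgresql_backup@$pg_backup_host":
      enable  => true,
      ensure  => "running",
      require => [
        File["/etc/systemd/system/postgresql_backup@.service"],
        Concat["$pg_path/pg_hba.conf"],
        Concat["$pg_path/recovery.conf"],
        File["$pg_path/postgresql.conf"],
      ],
    }
  }

  # Shared unit template instantiated above as postgresql_backup@<host>.
  file { "/etc/systemd/system/postgresql_backup@.service":
    mode    => "0644",
    owner   => "root",
    group   => "root",
    content => template("role/cryptoportfolio/postgresql_backup@.service.erb"),
  }
}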