Refactor postgresql configuration

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2018-06-27 20:45:15 +0200
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2018-06-28 02:33:05 +0200
commit: c53ac3f84852a42aa8b7341ee7fe0a629d2e3579 (patch)
tree: 694c4790a8382fe7c5ed5a2033042c377999760b
parent: f1d583bfdaf881116e5f9ca9e050307e7acdc28e (diff)
download: Puppet-c53ac3f84852a42aa8b7341ee7fe0a629d2e3579.tar.gz
Puppet-c53ac3f84852a42aa8b7341ee7fe0a629d2e3579.tar.zst
Puppet-c53ac3f84852a42aa8b7341ee7fe0a629d2e3579.zip
8 files changed, 191 insertions, 113 deletions
diff --git a/modules/profile/files/postgresql/pam_postgresql b/modules/profile/files/postgresql/pam_postgresql
new file mode 100644
index 0000000..70a90ae
--- /dev/null
+++ b/modules/profile/files/postgresql/pam_postgresql
@@ -0,0 +1,3 @@
+auth            required        pam_ldap.so config=/etc/pam_ldap.d/postgresql.conf
+account         required        pam_ldap.so config=/etc/pam_ldap.d/postgresql.conf
diff --git a/modules/profile/manifests/pam_ldap.pp b/modules/profile/manifests/pam_ldap.pp
new file mode 100644
index 0000000..956a7cd
--- /dev/null
+++ b/modules/profile/manifests/pam_ldap.pp
@@ -0,0 +1,13 @@
+class profile::pam_ldap (
+) {
+  ensure_packages(["pam_ldap"])
+  file { "/etc/pam_ldap.d":
+    ensure  => directory,
+    mode    => "0755",
+    owner   => "root",
+    group   => "root",
+    require => Package["pam_ldap"],
+  }
+}
diff --git a/modules/profile/manifests/postgresql/pam_ldap.pp b/modules/profile/manifests/postgresql/pam_ldap.pp
new file mode 100644
index 0000000..f068245
--- /dev/null
+++ b/modules/profile/manifests/postgresql/pam_ldap.pp
@@ -0,0 +1,28 @@
+class profile::postgresql::pam_ldap (
+  String $pg_user = "postgres"
+) {
+  include "profile::pam_ldap"
+  $password_seed = lookup("base_installation::puppet_pass_seed")
+  $ldap_server = lookup("base_installation::ldap_server")
+  $ldap_base   = lookup("base_installation::ldap_base")
+  $ldap_dn     = lookup("base_installation::ldap_dn")
+  $ldap_password = generate_password(24, $password_seed, "ldap")
+  $ldap_attribute = "cn"
+  file { "/etc/pam_ldap.d/postgresql.conf":
+    ensure  => "present",
+    mode    => "0400",
+    owner   => $pg_user,
+    group   => "root",
+    content => template("profile/postgresql/pam_ldap_postgresql.conf.erb"),
+    require => File["/etc/pam_ldap.d"],
+  } ->
+  file { "/etc/pam.d/postgresql":
+    ensure => "present",
+    mode   => "0644",
+    owner  => "root",
+    group  => "root",
+    source => "puppet:///modules/profile/postgresql/pam_postgresql"
+  }
+}
diff --git a/modules/profile/manifests/postgresql/replication.pp b/modules/profile/manifests/postgresql/replication.pp
new file mode 100644
index 0000000..33b147f
--- /dev/null
+++ b/modules/profile/manifests/postgresql/replication.pp
@@ -0,0 +1,60 @@
+define profile::postgresql::replication (
+  Boolean $handle_role = false,
+  Boolean $add_self_role = false,
+  Boolean $handle_slot = false,
+) {
+  include "profile::postgresql::pam_ldap"
+  $host_cn = $title
+  $host_infos = find_host($facts["ldapvar"]["other"], $host_cn)
+  if empty($host_infos) {
+    fail("Unable to find host for replication")
+  }
+  ensure_resource("postgresql::server::config_entry", "wal_level", {
+    value => "logical",
+  })
+  $host_infos["ipHostNumber"].each |$ip| {
+    $infos = split($ip, "/")
+    $ipaddress = $infos[0]
+    if (length($infos) == 1 and $ipaddress =~ /:/) {
+      $mask = "128"
+    } elsif (length($infos) == 1) {
+      $mask = "32"
+    } else {
+      $mask = $infos[1]
+    }
+    postgresql::server::pg_hba_rule { "allow TCP access for replication to user $host_cn from $ipaddress/$mask":
+      type        => 'hostssl',
+      database    => 'replication',
+      user        => $host_cn,
+      address     => "$ipaddress/$mask",
+      auth_method => 'pam',
+      order       => "06-01",
+    }
+  }
+  if $handle_role {
+    postgresql::server::role { $host_cn:
+      replication => true,
+    }
+    if $add_self_role {
+      $ldap_cn = lookup("base_installation::ldap_cn")
+      # Needed to be replicated to the backup and be able to recover later
+      ensure_resource("postgresql::server::role", $ldap_cn, {
+        replication => true,
+      })
+    }
+  }
+  if $handle_slot {
+    postgresql_replication_slot { regsubst($host_cn, '-', "_", "G"):
+      ensure => present
+    }
+  }
+}
diff --git a/modules/profile/manifests/postgresql/ssl.pp b/modules/profile/manifests/postgresql/ssl.pp
new file mode 100644
index 0000000..e4da8af
--- /dev/null
+++ b/modules/profile/manifests/postgresql/ssl.pp
@@ -0,0 +1,73 @@
+define profile::postgresql::ssl (
+  Optional[String] $cert       = undef,
+  Optional[String] $key        = undef,
+  Optional[String] $certname   = undef,
+  Optional[Boolean] $copy_keys = true,
+  Optional[String] $pg_user    = $profile::postgresql::pg_user,
+  Optional[String] $pg_group   = $profile::postgresql::pg_user
+) {
+  $pg_dir  = $title
+  $datadir = "$pg_dir/data"
+  file { "$datadir/certs":
+    ensure  => directory,
+    mode    => "0700",
+    owner   => $pg_user,
+    group   => $pg_group,
+    require => File[$pg_dir],
+  }
+  if empty($cert) or empty($key) {
+    if empty($certname) {
+      fail("A certificate name is necessary to generate ssl certificate")
+    }
+    ssl::self_signed_certificate { $certname:
+      common_name  => $certname,
+      country      => "FR",
+      days         => "3650",
+      organization => "Immae",
+      owner        => $pg_user,
+      group        => $pg_group,
+      directory    => "$datadir/certs",
+    }
+    $ssl_key  = "$datadir/certs/$backup_host_cn.key"
+    $ssl_cert = "$datadir/certs/$backup_host_cn.crt"
+  } elsif $copy_keys {
+    $ssl_key  = "$datadir/certs/privkey.pem"
+    $ssl_cert = "$datadir/certs/cert.pem"
+    file { $ssl_cert:
+      source  => "file://$cert",
+      mode    => "0600",
+      links   => "follow",
+      owner   => $pg_user,
+      group   => $pg_group,
+      require => File["$datadir/certs"],
+    }
+    file { $ssl_key:
+      source  => "file://$key",
+      mode    => "0600",
+      links   => "follow",
+      owner   => $pg_user,
+      group   => $pg_group,
+      require => File["$datadir/certs"],
+    }
+  } else {
+    $ssl_key  = $key
+    $ssl_cert = $cert
+  }
+  postgresql::server::config_entry { "ssl":
+    value => "on",
+  }
+  postgresql::server::config_entry { "ssl_cert_file":
+    value => $ssl_cert,
+  }
+  postgresql::server::config_entry { "ssl_key_file":
+    value => $ssl_key,
+  }
+}
diff --git a/modules/profile/manifests/postgresql_master.pp b/modules/profile/manifests/postgresql_master.pp
index 067345a..e28c1b0 100644
--- a/modules/profile/manifests/postgresql_master.pp
+++ b/modules/profile/manifests/postgresql_master.pp
@@ -2,120 +2,17 @@ define profile::postgresql_master (
  $letsencrypt_host = undef,
  $backup_hosts     = [],
 ) {
-  $password_seed = lookup("base_installation::puppet_pass_seed")
+  profile::postgresql::ssl { "/var/lib/postgres":
+    cert    => "/etc/letsencrypt/live/$letsencrypt_host/cert.pem",
-  ensure_resource("file", "/var/lib/postgres/data/certs", {
+    key     => "/etc/letsencrypt/live/$letsencrypt_host/privkey.pem",
-    ensure  => directory,
-    mode    => "0700",
-    owner   => $::profile::postgresql::pg_user,
-    group   => $::profile::postgresql::pg_user,
-    require => File["/var/lib/postgres"],
-  })
-  ensure_resource("file", "/var/lib/postgres/data/certs/cert.pem", {
-    source  => "file:///etc/letsencrypt/live/$letsencrypt_host/cert.pem",
-    mode    => "0600",
-    links   => "follow",
-    owner   => $::profile::postgresql::pg_user,
-    group   => $::profile::postgresql::pg_user,
-    require => [Letsencrypt::Certonly[$letsencrypt_host], File["/var/lib/postgres/data/certs"]]
-  })
-  ensure_resource("file", "/var/lib/postgres/data/certs/privkey.pem", {
-    source  => "file:///etc/letsencrypt/live/$letsencrypt_host/privkey.pem",
-    mode    => "0600",
-    links   => "follow",
-    owner   => $::profile::postgresql::pg_user,
-    group   => $::profile::postgresql::pg_user,
-    require => [Letsencrypt::Certonly[$letsencrypt_host], File["/var/lib/postgres/data/certs"]]
-  })
-  ensure_resource("postgresql::server::config_entry", "wal_level", {
-    value => "logical",
-  })
-  ensure_resource("postgresql::server::config_entry", "ssl", {
-    value   => "on",
    require => Letsencrypt::Certonly[$letsencrypt_host],
-  })
+  }
-  ensure_resource("postgresql::server::config_entry", "ssl_cert_file", {
-    value   => "/var/lib/postgres/data/certs/cert.pem",
-    require => Letsencrypt::Certonly[$letsencrypt_host],
-  })
-  ensure_resource("postgresql::server::config_entry", "ssl_key_file", {
-    value   => "/var/lib/postgres/data/certs/privkey.pem",
-    require => Letsencrypt::Certonly[$letsencrypt_host],
-  })
  $backup_hosts.each |$backup_host| {
-    ensure_packages(["pam_ldap"])
+    profile::postgresql::replication { $backup_host:
+      handle_role   => true,
-    $host = find_host($facts["ldapvar"]["other"], $backup_host)
+      handle_slot   => true,
-    unless empty($host) {
+      add_self_role => true,
-      $host["ipHostNumber"].each |$ip| {
-        $infos = split($ip, "/")
-        $ipaddress = $infos[0]
-        if (length($infos) == 1 and $ipaddress =~ /:/) {
-          $mask = "128"
-        } elsif (length($infos) == 1) {
-          $mask = "32"
-        } else {
-          $mask = $infos[1]
-        }
-        postgresql::server::pg_hba_rule { "allow TCP access to replication user from backup for replication from $ipaddress/$mask":
-          type        => 'hostssl',
-          database    => 'replication',
-          user        => $backup_host,
-          address     => "$ipaddress/$mask",
-          auth_method => 'pam',
-          order       => "06-01",
-        }
-      }
-      postgresql::server::role { $backup_host:
-        replication => true,
-      }
-      postgresql_replication_slot { regsubst($backup_host, '-', "_", "G"):
-        ensure => present
-      }
    }
  }
-  $ldap_server = lookup("base_installation::ldap_server")
-  $ldap_base   = lookup("base_installation::ldap_base")
-  $ldap_dn     = lookup("base_installation::ldap_dn")
-  $ldap_cn     = lookup("base_installation::ldap_cn")
-  $ldap_password = generate_password(24, $password_seed, "ldap")
-  $ldap_attribute = "cn"
-  # This is to be replicated to the backup
-  postgresql::server::role { $ldap_cn:
-    replication => true,
-  }
-  file { "/etc/pam_ldap.d":
-    ensure => directory,
-    mode   => "0755",
-    owner  => "root",
-    group  => "root",
-  } ->
-  file { "/etc/pam_ldap.d/postgresql.conf":
-    ensure  => "present",
-    mode    => "0600",
-    owner   => $::profile::postgresql::pg_user,
-    group   => "root",
-    content => template("profile/postgresql_master/pam_ldap_postgresql.conf.erb"),
-  } ->
-  file { "/etc/pam.d/postgresql":
-    ensure => "present",
-    mode   => "0644",
-    owner  => "root",
-    group  => "root",
-    source => "puppet:///modules/profile/postgresql_master/pam_postgresql"
-  }
 }
diff --git a/modules/profile/templates/postgresql/pam_ldap_postgresql.conf.erb b/modules/profile/templates/postgresql/pam_ldap_postgresql.conf.erb
new file mode 100644
index 0000000..f3d9674
--- /dev/null
+++ b/modules/profile/templates/postgresql/pam_ldap_postgresql.conf.erb
@@ -0,0 +1,6 @@
+host <%= @ldap_server %>
+base <%= @ldap_base %>
+binddn <%= @ldap_dn %>
+bindpw <%= @ldap_password %>
+pam_login_attribute <%= @ldap_attribute %>
diff --git a/modules/role/manifests/backup/postgresql.pp b/modules/role/manifests/backup/postgresql.pp
index ee62a00..8c7542b 100644
--- a/modules/role/manifests/backup/postgresql.pp
+++ b/modules/role/manifests/backup/postgresql.pp
@@ -1,6 +1,4 @@
 class role::backup::postgresql inherits role::backup {
-  # This manifest is supposed to be part of the backup server
  $password_seed = lookup("base_installation::puppet_pass_seed")
  $user = lookup("role::backup::user")
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2018-06-27 20:45:15 +0200
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2018-06-28 02:33:05 +0200
commit	c53ac3f84852a42aa8b7341ee7fe0a629d2e3579 (patch)
tree	694c4790a8382fe7c5ed5a2033042c377999760b
parent	f1d583bfdaf881116e5f9ca9e050307e7acdc28e (diff)
download	Puppet-c53ac3f84852a42aa8b7341ee7fe0a629d2e3579.tar.gz Puppet-c53ac3f84852a42aa8b7341ee7fe0a629d2e3579.tar.zst Puppet-c53ac3f84852a42aa8b7341ee7fe0a629d2e3579.zip

diff --git a/modules/profile/files/postgresql/pam_postgresql b/modules/profile/files/postgresql/pam_postgresql new file mode 100644 index 0000000..70a90ae --- /dev/null +++ b/modules/profile/files/postgresql/pam_postgresql
@@ -0,0 +1,3 @@
		1	auth required pam_ldap.so config=/etc/pam_ldap.d/postgresql.conf
		2	account required pam_ldap.so config=/etc/pam_ldap.d/postgresql.conf
		3


diff --git a/modules/profile/manifests/pam_ldap.pp b/modules/profile/manifests/pam_ldap.pp new file mode 100644 index 0000000..956a7cd --- /dev/null +++ b/modules/profile/manifests/pam_ldap.pp
@@ -0,0 +1,13 @@
		1	class profile::pam_ldap (
		2	) {
		3	ensure_packages(["pam_ldap"])
		4
		5	file { "/etc/pam_ldap.d":
		6	ensure => directory,
		7	mode => "0755",
		8	owner => "root",
		9	group => "root",
		10	require => Package["pam_ldap"],
		11	}
		12	}
		13


diff --git a/modules/profile/manifests/postgresql/pam_ldap.pp b/modules/profile/manifests/postgresql/pam_ldap.pp new file mode 100644 index 0000000..f068245 --- /dev/null +++ b/modules/profile/manifests/postgresql/pam_ldap.pp
@@ -0,0 +1,28 @@
		1	class profile::postgresql::pam_ldap (
		2	String $pg_user = "postgres"
		3	) {
		4	include "profile::pam_ldap"
		5
		6	$password_seed = lookup("base_installation::puppet_pass_seed")
		7	$ldap_server = lookup("base_installation::ldap_server")
		8	$ldap_base = lookup("base_installation::ldap_base")
		9	$ldap_dn = lookup("base_installation::ldap_dn")
		10	$ldap_password = generate_password(24, $password_seed, "ldap")
		11	$ldap_attribute = "cn"
		12
		13	file { "/etc/pam_ldap.d/postgresql.conf":
		14	ensure => "present",
		15	mode => "0400",
		16	owner => $pg_user,
		17	group => "root",
		18	content => template("profile/postgresql/pam_ldap_postgresql.conf.erb"),
		19	require => File["/etc/pam_ldap.d"],
		20	} ->
		21	file { "/etc/pam.d/postgresql":
		22	ensure => "present",
		23	mode => "0644",
		24	owner => "root",
		25	group => "root",
		26	source => "puppet:///modules/profile/postgresql/pam_postgresql"
		27	}
		28	}


diff --git a/modules/profile/manifests/postgresql/replication.pp b/modules/profile/manifests/postgresql/replication.pp new file mode 100644 index 0000000..33b147f --- /dev/null +++ b/modules/profile/manifests/postgresql/replication.pp
@@ -0,0 +1,60 @@
		1	define profile::postgresql::replication (
		2	Boolean $handle_role = false,
		3	Boolean $add_self_role = false,
		4	Boolean $handle_slot = false,
		5	) {
		6	include "profile::postgresql::pam_ldap"
		7
		8	$host_cn = $title
		9	$host_infos = find_host($facts["ldapvar"]["other"], $host_cn)
		10
		11	if empty($host_infos) {
		12	fail("Unable to find host for replication")
		13	}
		14
		15	ensure_resource("postgresql::server::config_entry", "wal_level", {
		16	value => "logical",
		17	})
		18
		19	$host_infos["ipHostNumber"].each \|$ip\| {
		20	$infos = split($ip, "/")
		21	$ipaddress = $infos[0]
		22	if (length($infos) == 1 and $ipaddress =~ /:/) {
		23	$mask = "128"
		24	} elsif (length($infos) == 1) {
		25	$mask = "32"
		26	} else {
		27	$mask = $infos[1]
		28	}
		29
		30	postgresql::server::pg_hba_rule { "allow TCP access for replication to user $host_cn from $ipaddress/$mask":
		31	type => 'hostssl',
		32	database => 'replication',
		33	user => $host_cn,
		34	address => "$ipaddress/$mask",
		35	auth_method => 'pam',
		36	order => "06-01",
		37	}
		38	}
		39
		40	if $handle_role {
		41	postgresql::server::role { $host_cn:
		42	replication => true,
		43	}
		44
		45	if $add_self_role {
		46	$ldap_cn = lookup("base_installation::ldap_cn")
		47
		48	# Needed to be replicated to the backup and be able to recover later
		49	ensure_resource("postgresql::server::role", $ldap_cn, {
		50	replication => true,
		51	})
		52	}
		53	}
		54
		55	if $handle_slot {
		56	postgresql_replication_slot { regsubst($host_cn, '-', "_", "G"):
		57	ensure => present
		58	}
		59	}
		60	}


diff --git a/modules/profile/manifests/postgresql/ssl.pp b/modules/profile/manifests/postgresql/ssl.pp new file mode 100644 index 0000000..e4da8af --- /dev/null +++ b/modules/profile/manifests/postgresql/ssl.pp
@@ -0,0 +1,73 @@
		1	define profile::postgresql::ssl (
		2	Optional[String] $cert = undef,
		3	Optional[String] $key = undef,
		4	Optional[String] $certname = undef,
		5	Optional[Boolean] $copy_keys = true,
		6	Optional[String] $pg_user = $profile::postgresql::pg_user,
		7	Optional[String] $pg_group = $profile::postgresql::pg_user
		8	) {
		9	$pg_dir = $title
		10	$datadir = "$pg_dir/data"
		11
		12	file { "$datadir/certs":
		13	ensure => directory,
		14	mode => "0700",
		15	owner => $pg_user,
		16	group => $pg_group,
		17	require => File[$pg_dir],
		18	}
		19
		20	if empty($cert) or empty($key) {
		21	if empty($certname) {
		22	fail("A certificate name is necessary to generate ssl certificate")
		23	}
		24
		25	ssl::self_signed_certificate { $certname:
		26	common_name => $certname,
		27	country => "FR",
		28	days => "3650",
		29	organization => "Immae",
		30	owner => $pg_user,
		31	group => $pg_group,
		32	directory => "$datadir/certs",
		33	}
		34
		35	$ssl_key = "$datadir/certs/$backup_host_cn.key"
		36	$ssl_cert = "$datadir/certs/$backup_host_cn.crt"
		37	} elsif $copy_keys {
		38	$ssl_key = "$datadir/certs/privkey.pem"
		39	$ssl_cert = "$datadir/certs/cert.pem"
		40
		41	file { $ssl_cert:
		42	source => "file://$cert",
		43	mode => "0600",
		44	links => "follow",
		45	owner => $pg_user,
		46	group => $pg_group,
		47	require => File["$datadir/certs"],
		48	}
		49	file { $ssl_key:
		50	source => "file://$key",
		51	mode => "0600",
		52	links => "follow",
		53	owner => $pg_user,
		54	group => $pg_group,
		55	require => File["$datadir/certs"],
		56	}
		57	} else {
		58	$ssl_key = $key
		59	$ssl_cert = $cert
		60	}
		61
		62	postgresql::server::config_entry { "ssl":
		63	value => "on",
		64	}
		65
		66	postgresql::server::config_entry { "ssl_cert_file":
		67	value => $ssl_cert,
		68	}
		69
		70	postgresql::server::config_entry { "ssl_key_file":
		71	value => $ssl_key,
		72	}
		73	}


diff --git a/modules/profile/manifests/postgresql_master.pp b/modules/profile/manifests/postgresql_master.pp index 067345a..e28c1b0 100644 --- a/modules/profile/manifests/postgresql_master.pp +++ b/modules/profile/manifests/postgresql_master.pp
@@ -2,120 +2,17 @@ define profile::postgresql_master (
2	$letsencrypt_host = undef,	2	$letsencrypt_host = undef,
3	$backup_hosts = [],	3	$backup_hosts = [],
4	) {	4	) {
5	$password_seed = lookup("base_installation::puppet_pass_seed")	5	profile::postgresql::ssl { "/var/lib/postgres":
6		6	cert => "/etc/letsencrypt/live/$letsencrypt_host/cert.pem",
7	ensure_resource("file", "/var/lib/postgres/data/certs", {	7	key => "/etc/letsencrypt/live/$letsencrypt_host/privkey.pem",
8	ensure => directory,
9	mode => "0700",
10	owner => $::profile::postgresql::pg_user,
11	group => $::profile::postgresql::pg_user,
12	require => File["/var/lib/postgres"],
13	})
14
15	ensure_resource("file", "/var/lib/postgres/data/certs/cert.pem", {
16	source => "file:///etc/letsencrypt/live/$letsencrypt_host/cert.pem",
17	mode => "0600",
18	links => "follow",
19	owner => $::profile::postgresql::pg_user,
20	group => $::profile::postgresql::pg_user,
21	require => [Letsencrypt::Certonly[$letsencrypt_host], File["/var/lib/postgres/data/certs"]]
22	})
23
24	ensure_resource("file", "/var/lib/postgres/data/certs/privkey.pem", {
25	source => "file:///etc/letsencrypt/live/$letsencrypt_host/privkey.pem",
26	mode => "0600",
27	links => "follow",
28	owner => $::profile::postgresql::pg_user,
29	group => $::profile::postgresql::pg_user,
30	require => [Letsencrypt::Certonly[$letsencrypt_host], File["/var/lib/postgres/data/certs"]]
31	})
32
33	ensure_resource("postgresql::server::config_entry", "wal_level", {
34	value => "logical",
35	})
36
37	ensure_resource("postgresql::server::config_entry", "ssl", {
38	value => "on",
39	require => Letsencrypt::Certonly[$letsencrypt_host],	8	require => Letsencrypt::Certonly[$letsencrypt_host],
40	})	9	}
41
42	ensure_resource("postgresql::server::config_entry", "ssl_cert_file", {
43	value => "/var/lib/postgres/data/certs/cert.pem",
44	require => Letsencrypt::Certonly[$letsencrypt_host],
45	})
46
47	ensure_resource("postgresql::server::config_entry", "ssl_key_file", {
48	value => "/var/lib/postgres/data/certs/privkey.pem",
49	require => Letsencrypt::Certonly[$letsencrypt_host],
50	})
51		10
52	$backup_hosts.each \|$backup_host\| {	11	$backup_hosts.each \|$backup_host\| {
53	ensure_packages(["pam_ldap"])	12	profile::postgresql::replication { $backup_host:
54		13	handle_role => true,
55	$host = find_host($facts["ldapvar"]["other"], $backup_host)	14	handle_slot => true,
56	unless empty($host) {	15	add_self_role => true,
57	$host["ipHostNumber"].each \|$ip\| {
58	$infos = split($ip, "/")
59	$ipaddress = $infos[0]
60	if (length($infos) == 1 and $ipaddress =~ /:/) {
61	$mask = "128"
62	} elsif (length($infos) == 1) {
63	$mask = "32"
64	} else {
65	$mask = $infos[1]
66	}
67
68	postgresql::server::pg_hba_rule { "allow TCP access to replication user from backup for replication from $ipaddress/$mask":
69	type => 'hostssl',
70	database => 'replication',
71	user => $backup_host,
72	address => "$ipaddress/$mask",
73	auth_method => 'pam',
74	order => "06-01",
75	}
76	}
77
78	postgresql::server::role { $backup_host:
79	replication => true,
80	}
81
82	postgresql_replication_slot { regsubst($backup_host, '-', "_", "G"):
83	ensure => present
84	}
85	}	16	}
86	}	17	}
87
88	$ldap_server = lookup("base_installation::ldap_server")
89	$ldap_base = lookup("base_installation::ldap_base")
90	$ldap_dn = lookup("base_installation::ldap_dn")
91	$ldap_cn = lookup("base_installation::ldap_cn")
92	$ldap_password = generate_password(24, $password_seed, "ldap")
93	$ldap_attribute = "cn"
94
95	# This is to be replicated to the backup
96	postgresql::server::role { $ldap_cn:
97	replication => true,
98	}
99
100	file { "/etc/pam_ldap.d":
101	ensure => directory,
102	mode => "0755",
103	owner => "root",
104	group => "root",
105	} ->
106	file { "/etc/pam_ldap.d/postgresql.conf":
107	ensure => "present",
108	mode => "0600",
109	owner => $::profile::postgresql::pg_user,
110	group => "root",
111	content => template("profile/postgresql_master/pam_ldap_postgresql.conf.erb"),
112	} ->
113	file { "/etc/pam.d/postgresql":
114	ensure => "present",
115	mode => "0644",
116	owner => "root",
117	group => "root",
118	source => "puppet:///modules/profile/postgresql_master/pam_postgresql"
119	}
120
121	}	18	}


diff --git a/modules/profile/templates/postgresql/pam_ldap_postgresql.conf.erb b/modules/profile/templates/postgresql/pam_ldap_postgresql.conf.erb new file mode 100644 index 0000000..f3d9674 --- /dev/null +++ b/modules/profile/templates/postgresql/pam_ldap_postgresql.conf.erb
@@ -0,0 +1,6 @@
		1	host <%= @ldap_server %>
		2
		3	base <%= @ldap_base %>
		4	binddn <%= @ldap_dn %>
		5	bindpw <%= @ldap_password %>
		6	pam_login_attribute <%= @ldap_attribute %>


diff --git a/modules/role/manifests/backup/postgresql.pp b/modules/role/manifests/backup/postgresql.pp index ee62a00..8c7542b 100644 --- a/modules/role/manifests/backup/postgresql.pp +++ b/modules/role/manifests/backup/postgresql.pp
@@ -1,6 +1,4 @@
1	class role::backup::postgresql inherits role::backup {	1	class role::backup::postgresql inherits role::backup {
2	# This manifest is supposed to be part of the backup server
3
4	$password_seed = lookup("base_installation::puppet_pass_seed")	2	$password_seed = lookup("base_installation::puppet_pass_seed")
5		3
6	$user = lookup("role::backup::user")	4	$user = lookup("role::backup::user")