Merge branch 'pg_replication'

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2018-02-21 15:51:11 +0100
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2018-02-21 15:51:11 +0100
commit: b859262351650df3368d4f3fa49a487a7d9b35b7 (patch)
tree: 71b5d9f6d10616409606d2126cfafb7491a8353a
parent: e17078be2c92c88e0fc8ecc88a626cdb99d0d09a (diff)
parent: 43c4ee4e2fd1c7ed992a420d6d478375475194dd (diff)
download: Puppet-b859262351650df3368d4f3fa49a487a7d9b35b7.tar.gz
Puppet-b859262351650df3368d4f3fa49a487a7d9b35b7.tar.zst
Puppet-b859262351650df3368d4f3fa49a487a7d9b35b7.zip
3 files changed, 114 insertions, 7 deletions
diff --git a/modules/profile/manifests/postgresql.pp b/modules/profile/manifests/postgresql.pp
index 8dcc4cb..1024c66 100644
--- a/modules/profile/manifests/postgresql.pp
+++ b/modules/profile/manifests/postgresql.pp
@@ -22,7 +22,8 @@ class profile::postgresql {
  }
  class { '::postgresql::server':
-    postgres_password => generate_password(24, $password_seed, "postgres")
+    postgres_password => generate_password(24, $password_seed, "postgres"),
+    listen_addresses  => "*",
  }
  postgresql::server::pg_hba_rule { 'local access as postgres user':
diff --git a/modules/profile/manifests/tools.pp b/modules/profile/manifests/tools.pp
index 52e3cea..0b0ab46 100644
--- a/modules/profile/manifests/tools.pp
+++ b/modules/profile/manifests/tools.pp
@@ -1,3 +1,3 @@
 class profile::tools {
-  ensure_packages(['vim', 'bash-completion'])
+  ensure_packages(['vim', 'bash-completion', 'net-tools'])
 }
diff --git a/modules/role/manifests/cryptoportfolio.pp b/modules/role/manifests/cryptoportfolio.pp
index 05f2c59..9a2bfd2 100644
--- a/modules/role/manifests/cryptoportfolio.pp
+++ b/modules/role/manifests/cryptoportfolio.pp
@@ -8,8 +8,10 @@ class role::cryptoportfolio {
  $password_seed = lookup("base_installation::puppet_pass_seed") |$key| { {} }
  $cf_pg_user = "cryptoportfolio"
+  $cf_pg_user_replication = "cryptoportfolio_replication"
  $cf_pg_db = "cryptoportfolio"
  $cf_pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio")
+  $cf_pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication")
  $cf_pg_host = "localhost:5432"
  $cf_user = "cryptoportfolio"
@@ -27,9 +29,87 @@ class role::cryptoportfolio {
  $cf_front_app_static_conf = "${cf_front_app}/cmd/web/env/prod.env"
+  file { "/var/lib/postgres/data/certs":
+    ensure  => directory,
+    mode    => "0700",
+    owner   => $::profile::postgresql::pg_user,
+    group   => $::profile::postgresql::pg_user,
+    require => File["/var/lib/postgres"],
+  }
+  file { "/var/lib/postgres/data/certs/cert.pem":
+    source  => "file:///etc/letsencrypt/live/$cf_front_app_host/cert.pem",
+    mode    => "0600",
+    links   => "follow",
+    owner   => $::profile::postgresql::pg_user,
+    group   => $::profile::postgresql::pg_user,
+    require => [Letsencrypt::Certonly[$cf_front_app_host], File["/var/lib/postgres/data/certs"]]
+  }
+  file { "/var/lib/postgres/data/certs/privkey.pem":
+    source  => "file:///etc/letsencrypt/live/$cf_front_app_host/privkey.pem",
+    mode    => "0600",
+    links   => "follow",
+    owner   => $::profile::postgresql::pg_user,
+    group   => $::profile::postgresql::pg_user,
+    require => [Letsencrypt::Certonly[$cf_front_app_host], File["/var/lib/postgres/data/certs"]]
+  }
+  postgresql::server::config_entry { "wal_level":
+    value   => "logical",
+  }
+  postgresql::server::config_entry { "ssl":
+    value   => "on",
+    require => Letsencrypt::Certonly[$cf_front_app_host],
+  }
+  postgresql::server::config_entry { "ssl_cert_file":
+    value   => "/var/lib/postgres/data/certs/cert.pem",
+    require => Letsencrypt::Certonly[$cf_front_app_host],
+  }
+  postgresql::server::config_entry { "ssl_key_file":
+    value   => "/var/lib/postgres/data/certs/privkey.pem",
+    require => Letsencrypt::Certonly[$cf_front_app_host],
+  }
  postgresql::server::db { $cf_pg_db:
    user     =>  $cf_pg_user,
-    password =>  postgresql_password($cf_pg_user, $cf_pg_password)
+    password =>  postgresql_password($cf_pg_user, $cf_pg_password),
+  }
+  ->
+  postgresql_psql { "CREATE PUBLICATION ${cf_pg_db}_publication FOR ALL TABLES":
+    db     => $cf_pg_db,
+    unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${cf_pg_db}_publication'",
+  }
+  ->
+  postgresql::server::role { $cf_pg_user_replication:
+    db            => $cf_pg_db,
+    replication   => true,
+    password_hash => postgresql_password($cf_pg_user_replication, $cf_pg_replication_password),
+  }
+  ->
+  postgresql::server::database_grant { $cf_pg_user_replication:
+    db        => $cf_pg_db,
+    privilege => "CONNECT",
+    role      => $cf_pg_user_replication,
+  }
+  ->
+  postgresql::server::grant { "all tables in schema:public:$cf_pg_user_replication":
+    db          => $cf_pg_db,
+    role        => $cf_pg_user_replication,
+    privilege   => "SELECT",
+    object_type => "ALL TABLES IN SCHEMA",
+    object_name => "public",
+  }
+  ->
+  postgresql::server::grant { "all sequences in schema:public:$cf_pg_user_replication":
+    db          => $cf_pg_db,
+    role        => $cf_pg_user_replication,
+    privilege   => "SELECT",
+    object_type => "ALL SEQUENCES IN SCHEMA",
+    object_name => "public",
  }
  postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user':
@@ -49,6 +129,15 @@ class role::cryptoportfolio {
    order       => "b0",
  }
+  postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu':
+    type        => 'hostssl',
+    database    => $cf_pg_db,
+    user        => $cf_pg_user_replication,
+    address     => 'immae.eu',
+    auth_method => 'md5',
+    order       => "b0",
+  }
  letsencrypt::certonly { $cf_front_app_host: ;
    default: * => $::profile::apache::letsencrypt_certonly_default;
  }
@@ -115,7 +204,13 @@ class role::cryptoportfolio {
    file { "${cf_home}/front":
      ensure  => "link",
      target  => $cf_front_app,
-      require => Archive["/opt/cryptoportfolio/${front_version}.tar.gz"]
+      before => File[$cf_front_app],
+    } ~>
+    exec { "remove old ${cf_front_app} directory":
+      refreshonly => true,
+      user        => $cf_user,
+      command     => "/usr/bin/rm -rf ${cf_front_app}",
+      before      => File[$cf_front_app],
    }
    exec { "go-get-dep":
@@ -155,9 +250,19 @@ class role::cryptoportfolio {
    }
    service { 'cryptoportfolio-app':
-      enable  => true,
+      enable    => true,
-      ensure  => "running",
+      ensure    => "running",
-      require => [File["/etc/systemd/system/cryptoportfolio-app.service"]],
+      subscribe => [Exec["go-cryptoportfolio-app"], Exec["web-cryptoportfolio-build"]],
+      require   => [
+        File["/etc/systemd/system/cryptoportfolio-app.service"],
+        Postgresql::Server::Db[$cf_pg_db]
+      ],
+    } ~>
+    exec { "dump $cf_pg_db structure":
+      refreshonly => true,
+      user        => $::profile::postgresql::pg_user,
+      group       => $::profile::postgresql::pg_user,
+      command     => "/usr/bin/pg_dump --schema-only --clean --no-publications $cf_pg_db > /var/lib/postgres/${cf_pg_db}.schema",
    }
    file { $cf_front_app_api_conf:
@@ -199,4 +304,5 @@ class role::cryptoportfolio {
    }
  }
+  # TODO: xmr_stack
 }
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2018-02-21 15:51:11 +0100
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2018-02-21 15:51:11 +0100
commit	b859262351650df3368d4f3fa49a487a7d9b35b7 (patch)
tree	71b5d9f6d10616409606d2126cfafb7491a8353a
parent	e17078be2c92c88e0fc8ecc88a626cdb99d0d09a (diff)
parent	43c4ee4e2fd1c7ed992a420d6d478375475194dd (diff)
download	Puppet-b859262351650df3368d4f3fa49a487a7d9b35b7.tar.gz Puppet-b859262351650df3368d4f3fa49a487a7d9b35b7.tar.zst Puppet-b859262351650df3368d4f3fa49a487a7d9b35b7.zip

diff --git a/modules/profile/manifests/postgresql.pp b/modules/profile/manifests/postgresql.pp index 8dcc4cb..1024c66 100644 --- a/modules/profile/manifests/postgresql.pp +++ b/modules/profile/manifests/postgresql.pp
@@ -22,7 +22,8 @@ class profile::postgresql {
22	}	22	}
23		23
24	class { '::postgresql::server':	24	class { '::postgresql::server':
25	postgres_password => generate_password(24, $password_seed, "postgres")	25	postgres_password => generate_password(24, $password_seed, "postgres"),
		26	listen_addresses => "*",
26	}	27	}
27		28
28	postgresql::server::pg_hba_rule { 'local access as postgres user':	29	postgresql::server::pg_hba_rule { 'local access as postgres user':


diff --git a/modules/profile/manifests/tools.pp b/modules/profile/manifests/tools.pp index 52e3cea..0b0ab46 100644 --- a/modules/profile/manifests/tools.pp +++ b/modules/profile/manifests/tools.pp
@@ -1,3 +1,3 @@
1	class profile::tools {	1	class profile::tools {
2	ensure_packages(['vim', 'bash-completion'])	2	ensure_packages(['vim', 'bash-completion', 'net-tools'])
3	}	3	}


diff --git a/modules/role/manifests/cryptoportfolio.pp b/modules/role/manifests/cryptoportfolio.pp index 05f2c59..9a2bfd2 100644 --- a/modules/role/manifests/cryptoportfolio.pp +++ b/modules/role/manifests/cryptoportfolio.pp
@@ -8,8 +8,10 @@ class role::cryptoportfolio {
8	$password_seed = lookup("base_installation::puppet_pass_seed") \|$key\| { {} }	8	$password_seed = lookup("base_installation::puppet_pass_seed") \|$key\| { {} }
9		9
10	$cf_pg_user = "cryptoportfolio"	10	$cf_pg_user = "cryptoportfolio"
		11	$cf_pg_user_replication = "cryptoportfolio_replication"
11	$cf_pg_db = "cryptoportfolio"	12	$cf_pg_db = "cryptoportfolio"
12	$cf_pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio")	13	$cf_pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio")
		14	$cf_pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication")
13	$cf_pg_host = "localhost:5432"	15	$cf_pg_host = "localhost:5432"
14		16
15	$cf_user = "cryptoportfolio"	17	$cf_user = "cryptoportfolio"
@@ -27,9 +29,87 @@ class role::cryptoportfolio {
27		29
28	$cf_front_app_static_conf = "${cf_front_app}/cmd/web/env/prod.env"	30	$cf_front_app_static_conf = "${cf_front_app}/cmd/web/env/prod.env"
29		31
		32	file { "/var/lib/postgres/data/certs":
		33	ensure => directory,
		34	mode => "0700",
		35	owner => $::profile::postgresql::pg_user,
		36	group => $::profile::postgresql::pg_user,
		37	require => File["/var/lib/postgres"],
		38	}
		39
		40	file { "/var/lib/postgres/data/certs/cert.pem":
		41	source => "file:///etc/letsencrypt/live/$cf_front_app_host/cert.pem",
		42	mode => "0600",
		43	links => "follow",
		44	owner => $::profile::postgresql::pg_user,
		45	group => $::profile::postgresql::pg_user,
		46	require => [Letsencrypt::Certonly[$cf_front_app_host], File["/var/lib/postgres/data/certs"]]
		47	}
		48
		49	file { "/var/lib/postgres/data/certs/privkey.pem":
		50	source => "file:///etc/letsencrypt/live/$cf_front_app_host/privkey.pem",
		51	mode => "0600",
		52	links => "follow",
		53	owner => $::profile::postgresql::pg_user,
		54	group => $::profile::postgresql::pg_user,
		55	require => [Letsencrypt::Certonly[$cf_front_app_host], File["/var/lib/postgres/data/certs"]]
		56	}
		57
		58	postgresql::server::config_entry { "wal_level":
		59	value => "logical",
		60	}
		61
		62	postgresql::server::config_entry { "ssl":
		63	value => "on",
		64	require => Letsencrypt::Certonly[$cf_front_app_host],
		65	}
		66
		67	postgresql::server::config_entry { "ssl_cert_file":
		68	value => "/var/lib/postgres/data/certs/cert.pem",
		69	require => Letsencrypt::Certonly[$cf_front_app_host],
		70	}
		71
		72	postgresql::server::config_entry { "ssl_key_file":
		73	value => "/var/lib/postgres/data/certs/privkey.pem",
		74	require => Letsencrypt::Certonly[$cf_front_app_host],
		75	}
		76
30	postgresql::server::db { $cf_pg_db:	77	postgresql::server::db { $cf_pg_db:
31	user => $cf_pg_user,	78	user => $cf_pg_user,
32	password => postgresql_password($cf_pg_user, $cf_pg_password)	79	password => postgresql_password($cf_pg_user, $cf_pg_password),
		80	}
		81	->
		82	postgresql_psql { "CREATE PUBLICATION ${cf_pg_db}_publication FOR ALL TABLES":
		83	db => $cf_pg_db,
		84	unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${cf_pg_db}_publication'",
		85	}
		86	->
		87	postgresql::server::role { $cf_pg_user_replication:
		88	db => $cf_pg_db,
		89	replication => true,
		90	password_hash => postgresql_password($cf_pg_user_replication, $cf_pg_replication_password),
		91	}
		92	->
		93	postgresql::server::database_grant { $cf_pg_user_replication:
		94	db => $cf_pg_db,
		95	privilege => "CONNECT",
		96	role => $cf_pg_user_replication,
		97	}
		98	->
		99	postgresql::server::grant { "all tables in schema:public:$cf_pg_user_replication":
		100	db => $cf_pg_db,
		101	role => $cf_pg_user_replication,
		102	privilege => "SELECT",
		103	object_type => "ALL TABLES IN SCHEMA",
		104	object_name => "public",
		105	}
		106	->
		107	postgresql::server::grant { "all sequences in schema:public:$cf_pg_user_replication":
		108	db => $cf_pg_db,
		109	role => $cf_pg_user_replication,
		110	privilege => "SELECT",
		111	object_type => "ALL SEQUENCES IN SCHEMA",
		112	object_name => "public",
33	}	113	}
34		114
35	postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user':	115	postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user':
@@ -49,6 +129,15 @@ class role::cryptoportfolio {
49	order => "b0",	129	order => "b0",
50	}	130	}
51		131
		132	postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu':
		133	type => 'hostssl',
		134	database => $cf_pg_db,
		135	user => $cf_pg_user_replication,
		136	address => 'immae.eu',
		137	auth_method => 'md5',
		138	order => "b0",
		139	}
		140
52	letsencrypt::certonly { $cf_front_app_host: ;	141	letsencrypt::certonly { $cf_front_app_host: ;
53	default: * => $::profile::apache::letsencrypt_certonly_default;	142	default: * => $::profile::apache::letsencrypt_certonly_default;
54	}	143	}
@@ -115,7 +204,13 @@ class role::cryptoportfolio {
115	file { "${cf_home}/front":	204	file { "${cf_home}/front":
116	ensure => "link",	205	ensure => "link",
117	target => $cf_front_app,	206	target => $cf_front_app,
118	require => Archive["/opt/cryptoportfolio/${front_version}.tar.gz"]	207	before => File[$cf_front_app],
		208	} ~>
		209	exec { "remove old ${cf_front_app} directory":
		210	refreshonly => true,
		211	user => $cf_user,
		212	command => "/usr/bin/rm -rf ${cf_front_app}",
		213	before => File[$cf_front_app],
119	}	214	}
120		215
121	exec { "go-get-dep":	216	exec { "go-get-dep":
@@ -155,9 +250,19 @@ class role::cryptoportfolio {
155	}	250	}
156		251
157	service { 'cryptoportfolio-app':	252	service { 'cryptoportfolio-app':
158	enable => true,	253	enable => true,
159	ensure => "running",	254	ensure => "running",
160	require => [File["/etc/systemd/system/cryptoportfolio-app.service"]],	255	subscribe => [Exec["go-cryptoportfolio-app"], Exec["web-cryptoportfolio-build"]],
		256	require => [
		257	File["/etc/systemd/system/cryptoportfolio-app.service"],
		258	Postgresql::Server::Db[$cf_pg_db]
		259	],
		260	} ~>
		261	exec { "dump $cf_pg_db structure":
		262	refreshonly => true,
		263	user => $::profile::postgresql::pg_user,
		264	group => $::profile::postgresql::pg_user,
		265	command => "/usr/bin/pg_dump --schema-only --clean --no-publications $cf_pg_db > /var/lib/postgres/${cf_pg_db}.schema",
161	}	266	}
162		267
163	file { $cf_front_app_api_conf:	268	file { $cf_front_app_api_conf:
@@ -199,4 +304,5 @@ class role::cryptoportfolio {
199	}	304	}
200	}	305	}
201		306
		307	# TODO: xmr_stack
202	}	308	}