diff options
author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2018-06-28 10:32:57 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2018-06-28 12:14:44 +0200 |
commit | 3925777d9715d271c0643faef9f520e7816dba89 (patch) | |
tree | c6e3832098d19917b0ba0bcbe119103c632c7d29 | |
parent | 436cae5ebfd889b1bf625b757939a57842b564da (diff) | |
download | Puppet-3925777d9715d271c0643faef9f520e7816dba89.tar.gz Puppet-3925777d9715d271c0643faef9f520e7816dba89.tar.zst Puppet-3925777d9715d271c0643faef9f520e7816dba89.zip |
Refactor cryptoportfolio postgresql
-rw-r--r-- | modules/profile/manifests/postgresql.pp | 64 | ||||
-rw-r--r-- | modules/profile/manifests/postgresql/base_pg_hba_rules.pp | 2 | ||||
-rw-r--r-- | modules/role/manifests/cryptoportfolio/postgresql.pp | 194 |
3 files changed, 26 insertions, 234 deletions
diff --git a/modules/profile/manifests/postgresql.pp b/modules/profile/manifests/postgresql.pp index 2cd1bcc..97ce572 100644 --- a/modules/profile/manifests/postgresql.pp +++ b/modules/profile/manifests/postgresql.pp | |||
@@ -1,4 +1,7 @@ | |||
1 | class profile::postgresql { | 1 | class profile::postgresql ( |
2 | Optional[String] $pg_user = "postgres", | ||
3 | Optional[String] $pg_group = "postgres", | ||
4 | ) { | ||
2 | $password_seed = lookup("base_installation::puppet_pass_seed") | 5 | $password_seed = lookup("base_installation::puppet_pass_seed") |
3 | 6 | ||
4 | class { '::postgresql::globals': | 7 | class { '::postgresql::globals': |
@@ -7,16 +10,13 @@ class profile::postgresql { | |||
7 | pg_hba_conf_defaults => false, | 10 | pg_hba_conf_defaults => false, |
8 | } | 11 | } |
9 | 12 | ||
10 | # FIXME: get it from the postgresql module? | ||
11 | $pg_user = "postgres" | ||
12 | |||
13 | class { '::postgresql::client': } | 13 | class { '::postgresql::client': } |
14 | 14 | ||
15 | # FIXME: postgresql module is buggy and doesn't create dir? | 15 | # FIXME: postgresql module is buggy and doesn't create dir? |
16 | file { "/var/lib/postgres": | 16 | file { "/var/lib/postgres": |
17 | ensure => directory, | 17 | ensure => directory, |
18 | owner => $pg_user, | 18 | owner => $pg_user, |
19 | group => $pg_user, | 19 | group => $pg_group, |
20 | before => File["/var/lib/postgres/data"], | 20 | before => File["/var/lib/postgres/data"], |
21 | require => Package["postgresql-server"], | 21 | require => Package["postgresql-server"], |
22 | } | 22 | } |
@@ -26,59 +26,7 @@ class profile::postgresql { | |||
26 | listen_addresses => "*", | 26 | listen_addresses => "*", |
27 | } | 27 | } |
28 | 28 | ||
29 | postgresql::server::pg_hba_rule { 'local access as postgres user': | 29 | profile::postgresql::base_pg_hba_rules { "default": } |
30 | description => 'Allow local access to postgres user', | ||
31 | type => 'local', | ||
32 | database => 'all', | ||
33 | user => $pg_user, | ||
34 | auth_method => 'ident', | ||
35 | order => "00-01", | ||
36 | } | ||
37 | postgresql::server::pg_hba_rule { 'localhost access as postgres user': | ||
38 | description => 'Allow localhost access to postgres user', | ||
39 | type => 'host', | ||
40 | database => 'all', | ||
41 | user => $pg_user, | ||
42 | address => "127.0.0.1/32", | ||
43 | auth_method => 'md5', | ||
44 | order => "00-02", | ||
45 | } | ||
46 | postgresql::server::pg_hba_rule { 'localhost ip6 access as postgres user': | ||
47 | description => 'Allow localhost access to postgres user', | ||
48 | type => 'host', | ||
49 | database => 'all', | ||
50 | user => $pg_user, | ||
51 | address => "::1/128", | ||
52 | auth_method => 'md5', | ||
53 | order => "00-03", | ||
54 | } | ||
55 | postgresql::server::pg_hba_rule { 'deny access to postgresql user': | ||
56 | description => 'Deny remote access to postgres user', | ||
57 | type => 'host', | ||
58 | database => 'all', | ||
59 | user => $pg_user, | ||
60 | address => "0.0.0.0/0", | ||
61 | auth_method => 'reject', | ||
62 | order => "00-04", | ||
63 | } | ||
64 | |||
65 | postgresql::server::pg_hba_rule { 'local access': | ||
66 | description => 'Allow local access with password', | ||
67 | type => 'local', | ||
68 | database => 'all', | ||
69 | user => 'all', | ||
70 | auth_method => 'md5', | ||
71 | order => "10-01", | ||
72 | } | ||
73 | |||
74 | postgresql::server::pg_hba_rule { 'local access with same name': | ||
75 | description => 'Allow local access with same name', | ||
76 | type => 'local', | ||
77 | database => 'all', | ||
78 | user => 'all', | ||
79 | auth_method => 'ident', | ||
80 | order => "10-02", | ||
81 | } | ||
82 | 30 | ||
83 | } | 31 | } |
84 | 32 | ||
diff --git a/modules/profile/manifests/postgresql/base_pg_hba_rules.pp b/modules/profile/manifests/postgresql/base_pg_hba_rules.pp index 13ab4ff..07c4bb6 100644 --- a/modules/profile/manifests/postgresql/base_pg_hba_rules.pp +++ b/modules/profile/manifests/postgresql/base_pg_hba_rules.pp | |||
@@ -43,8 +43,6 @@ define profile::postgresql::base_pg_hba_rules ( | |||
43 | address => "::1/128", | 43 | address => "::1/128", |
44 | auth_method => 'md5', | 44 | auth_method => 'md5', |
45 | order => "00-03", | 45 | order => "00-03", |
46 | target => "$pg_path/pg_hba.conf", | ||
47 | postgresql_version => "10", | ||
48 | } | 46 | } |
49 | postgresql::server::pg_hba_rule { "$title - deny access to postgresql user": | 47 | postgresql::server::pg_hba_rule { "$title - deny access to postgresql user": |
50 | description => 'Deny remote access to postgres user', | 48 | description => 'Deny remote access to postgres user', |
diff --git a/modules/role/manifests/cryptoportfolio/postgresql.pp b/modules/role/manifests/cryptoportfolio/postgresql.pp index 776b30f..addad67 100644 --- a/modules/role/manifests/cryptoportfolio/postgresql.pp +++ b/modules/role/manifests/cryptoportfolio/postgresql.pp | |||
@@ -2,194 +2,40 @@ class role::cryptoportfolio::postgresql inherits role::cryptoportfolio { | |||
2 | $password_seed = lookup("base_installation::puppet_pass_seed") | 2 | $password_seed = lookup("base_installation::puppet_pass_seed") |
3 | 3 | ||
4 | $pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio") | 4 | $pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio") |
5 | $pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication") | ||
6 | 5 | ||
7 | file { "/var/lib/postgres/data/certs": | 6 | profile::postgresql::master { "postgresql master for cryptoportfolio": |
8 | ensure => directory, | 7 | letsencrypt_host => $web_host, |
9 | mode => "0700", | 8 | backup_hosts => ["backup-1"], |
10 | owner => $::profile::postgresql::pg_user, | ||
11 | group => $::profile::postgresql::pg_user, | ||
12 | require => File["/var/lib/postgres"], | ||
13 | } | ||
14 | |||
15 | file { "/var/lib/postgres/data/certs/cert.pem": | ||
16 | source => "file:///etc/letsencrypt/live/$web_host/cert.pem", | ||
17 | mode => "0600", | ||
18 | links => "follow", | ||
19 | owner => $::profile::postgresql::pg_user, | ||
20 | group => $::profile::postgresql::pg_user, | ||
21 | require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]] | ||
22 | } | ||
23 | |||
24 | file { "/var/lib/postgres/data/certs/privkey.pem": | ||
25 | source => "file:///etc/letsencrypt/live/$web_host/privkey.pem", | ||
26 | mode => "0600", | ||
27 | links => "follow", | ||
28 | owner => $::profile::postgresql::pg_user, | ||
29 | group => $::profile::postgresql::pg_user, | ||
30 | require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]] | ||
31 | } | ||
32 | |||
33 | postgresql_replication_slot { $pg_user_replication: | ||
34 | ensure => present | ||
35 | } | ||
36 | |||
37 | postgresql::server::config_entry { "wal_level": | ||
38 | value => "logical", | ||
39 | } | ||
40 | |||
41 | postgresql::server::config_entry { "ssl": | ||
42 | value => "on", | ||
43 | require => Letsencrypt::Certonly[$web_host], | ||
44 | } | ||
45 | |||
46 | postgresql::server::config_entry { "ssl_cert_file": | ||
47 | value => "/var/lib/postgres/data/certs/cert.pem", | ||
48 | require => Letsencrypt::Certonly[$web_host], | ||
49 | } | ||
50 | |||
51 | postgresql::server::config_entry { "ssl_key_file": | ||
52 | value => "/var/lib/postgres/data/certs/privkey.pem", | ||
53 | require => Letsencrypt::Certonly[$web_host], | ||
54 | } | 9 | } |
55 | 10 | ||
56 | postgresql::server::db { $pg_db: | 11 | postgresql::server::db { $pg_db: |
57 | user => $pg_user, | 12 | user => $pg_user, |
58 | password => postgresql_password($pg_user, $pg_password), | 13 | password => postgresql_password($pg_user, $pg_password), |
59 | } | 14 | } |
60 | -> | ||
61 | postgresql_psql { "CREATE PUBLICATION ${pg_db}_publication FOR ALL TABLES": | ||
62 | db => $pg_db, | ||
63 | unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${pg_db}_publication'", | ||
64 | } | ||
65 | -> | ||
66 | postgresql::server::role { $pg_user_replication: | ||
67 | db => $pg_db, | ||
68 | replication => true, | ||
69 | password_hash => postgresql_password($pg_user_replication, $pg_replication_password), | ||
70 | } | ||
71 | -> | ||
72 | postgresql::server::database_grant { $pg_user_replication: | ||
73 | db => $pg_db, | ||
74 | privilege => "CONNECT", | ||
75 | role => $pg_user_replication, | ||
76 | } | ||
77 | -> | ||
78 | postgresql::server::grant { "all tables in schema:public:$pg_user_replication": | ||
79 | db => $pg_db, | ||
80 | role => $pg_user_replication, | ||
81 | privilege => "SELECT", | ||
82 | object_type => "ALL TABLES IN SCHEMA", | ||
83 | object_name => "public", | ||
84 | } | ||
85 | -> | ||
86 | postgresql::server::grant { "all sequences in schema:public:$pg_user_replication": | ||
87 | db => $pg_db, | ||
88 | role => $pg_user_replication, | ||
89 | privilege => "SELECT", | ||
90 | object_type => "ALL SEQUENCES IN SCHEMA", | ||
91 | object_name => "public", | ||
92 | } | ||
93 | 15 | ||
94 | postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user': | 16 | postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user': |
95 | type => 'host', | 17 | type => 'local', |
96 | database => $pg_db, | 18 | database => $pg_db, |
97 | user => $pg_user, | 19 | user => $pg_user, |
98 | address => '127.0.0.1/32', | 20 | auth_method => 'ident', |
99 | auth_method => 'md5', | ||
100 | order => "05-01", | 21 | order => "05-01", |
101 | } | 22 | } |
102 | postgresql::server::pg_hba_rule { 'allow localhost ip6 TCP access to cryptoportfolio user': | ||
103 | type => 'host', | ||
104 | database => $pg_db, | ||
105 | user => $pg_user, | ||
106 | address => '::1/128', | ||
107 | auth_method => 'md5', | ||
108 | order => "05-01", | ||
109 | } | ||
110 | |||
111 | postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu for replication': | ||
112 | type => 'hostssl', | ||
113 | database => 'replication', | ||
114 | user => $pg_user_replication, | ||
115 | address => 'immae.eu', | ||
116 | auth_method => 'md5', | ||
117 | order => "05-01", | ||
118 | } | ||
119 | |||
120 | postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu': | ||
121 | type => 'hostssl', | ||
122 | database => $pg_db, | ||
123 | user => $pg_user_replication, | ||
124 | address => 'immae.eu', | ||
125 | auth_method => 'md5', | ||
126 | order => "05-02", | ||
127 | } | ||
128 | |||
129 | $backup_host = "backup-1" | ||
130 | 23 | ||
131 | unless empty($backup_host) { | 24 | # cleanup |
132 | ensure_packages(["pam_ldap"]) | 25 | postgresql_psql { "DROP PUBLICATION ${pg_db}_publication": |
133 | 26 | db => $pg_db, | |
134 | $facts["ldapvar"]["other"].each |$host| { | 27 | onlyif => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${pg_db}_publication'", |
135 | if ($host["cn"][0] == $backup_host) { | 28 | } -> |
136 | $host["ipHostNumber"].each |$ip| { | 29 | postgresql_replication_slot { $pg_user_replication: |
137 | $infos = split($ip, "/") | 30 | ensure => absent |
138 | $ipaddress = $infos[0] | 31 | } -> |
139 | if (length($infos) == 1 and $ipaddress =~ /:/) { | 32 | postgresql_psql { "DROP OWNED BY $pg_user_replication": |
140 | $mask = "128" | 33 | db => $pg_db, |
141 | } elsif (length($infos) == 1) { | 34 | onlyif => "SELECT 1 FROM pg_user WHERE usename='$pg_user_replication'" |
142 | $mask = "32" | 35 | } -> |
143 | } else { | 36 | postgresql::server::role { $pg_user_replication: |
144 | $mask = $infos[1] | 37 | ensure => absent, |
145 | } | ||
146 | |||
147 | postgresql::server::pg_hba_rule { "allow TCP access to replication user from backup for replication from $ipaddress/$mask": | ||
148 | type => 'hostssl', | ||
149 | database => 'replication', | ||
150 | user => 'all', | ||
151 | address => "$ipaddress/$mask", | ||
152 | auth_method => 'pam', | ||
153 | order => "06-01", | ||
154 | } | ||
155 | } | ||
156 | |||
157 | postgresql::server::role { $backup_host: | ||
158 | replication => true, | ||
159 | } | ||
160 | |||
161 | postgresql_replication_slot { regsubst($backup_host, '-', "_", "G"): | ||
162 | ensure => present | ||
163 | } | ||
164 | } | ||
165 | } | ||
166 | |||
167 | $ldap_server = lookup("base_installation::ldap_server") | ||
168 | $ldap_base = lookup("base_installation::ldap_base") | ||
169 | $ldap_dn = lookup("base_installation::ldap_dn") | ||
170 | $ldap_password = generate_password(24, $password_seed, "ldap") | ||
171 | $ldap_attribute = "cn" | ||
172 | |||
173 | file { "/etc/pam_ldap.d": | ||
174 | ensure => directory, | ||
175 | mode => "0755", | ||
176 | owner => "root", | ||
177 | group => "root", | ||
178 | } -> | ||
179 | file { "/etc/pam_ldap.d/postgresql.conf": | ||
180 | ensure => "present", | ||
181 | mode => "0600", | ||
182 | owner => $::profile::postgresql::pg_user, | ||
183 | group => "root", | ||
184 | content => template("role/cryptoportfolio/pam_ldap_postgresql.conf.erb"), | ||
185 | } -> | ||
186 | file { "/etc/pam.d/postgresql": | ||
187 | ensure => "present", | ||
188 | mode => "0644", | ||
189 | owner => "root", | ||
190 | group => "root", | ||
191 | source => "puppet:///modules/role/cryptoportfolio/pam_postgresql" | ||
192 | } | ||
193 | } | 38 | } |
39 | # /cleanup | ||
194 | 40 | ||
195 | } | 41 | } |