aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorIsmaël Bouya <ismael.bouya@normalesup.org>2018-06-28 10:32:57 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2018-06-28 12:14:44 +0200
commit3925777d9715d271c0643faef9f520e7816dba89 (patch)
treec6e3832098d19917b0ba0bcbe119103c632c7d29
parent436cae5ebfd889b1bf625b757939a57842b564da (diff)
downloadPuppet-3925777d9715d271c0643faef9f520e7816dba89.tar.gz
Puppet-3925777d9715d271c0643faef9f520e7816dba89.tar.zst
Puppet-3925777d9715d271c0643faef9f520e7816dba89.zip
Refactor cryptoportfolio postgresql
-rw-r--r--modules/profile/manifests/postgresql.pp64
-rw-r--r--modules/profile/manifests/postgresql/base_pg_hba_rules.pp2
-rw-r--r--modules/role/manifests/cryptoportfolio/postgresql.pp194
3 files changed, 26 insertions, 234 deletions
diff --git a/modules/profile/manifests/postgresql.pp b/modules/profile/manifests/postgresql.pp
index 2cd1bcc..97ce572 100644
--- a/modules/profile/manifests/postgresql.pp
+++ b/modules/profile/manifests/postgresql.pp
@@ -1,4 +1,7 @@
1class profile::postgresql { 1class profile::postgresql (
2 Optional[String] $pg_user = "postgres",
3 Optional[String] $pg_group = "postgres",
4) {
2 $password_seed = lookup("base_installation::puppet_pass_seed") 5 $password_seed = lookup("base_installation::puppet_pass_seed")
3 6
4 class { '::postgresql::globals': 7 class { '::postgresql::globals':
@@ -7,16 +10,13 @@ class profile::postgresql {
7 pg_hba_conf_defaults => false, 10 pg_hba_conf_defaults => false,
8 } 11 }
9 12
10 # FIXME: get it from the postgresql module?
11 $pg_user = "postgres"
12
13 class { '::postgresql::client': } 13 class { '::postgresql::client': }
14 14
15 # FIXME: postgresql module is buggy and doesn't create dir? 15 # FIXME: postgresql module is buggy and doesn't create dir?
16 file { "/var/lib/postgres": 16 file { "/var/lib/postgres":
17 ensure => directory, 17 ensure => directory,
18 owner => $pg_user, 18 owner => $pg_user,
19 group => $pg_user, 19 group => $pg_group,
20 before => File["/var/lib/postgres/data"], 20 before => File["/var/lib/postgres/data"],
21 require => Package["postgresql-server"], 21 require => Package["postgresql-server"],
22 } 22 }
@@ -26,59 +26,7 @@ class profile::postgresql {
26 listen_addresses => "*", 26 listen_addresses => "*",
27 } 27 }
28 28
29 postgresql::server::pg_hba_rule { 'local access as postgres user': 29 profile::postgresql::base_pg_hba_rules { "default": }
30 description => 'Allow local access to postgres user',
31 type => 'local',
32 database => 'all',
33 user => $pg_user,
34 auth_method => 'ident',
35 order => "00-01",
36 }
37 postgresql::server::pg_hba_rule { 'localhost access as postgres user':
38 description => 'Allow localhost access to postgres user',
39 type => 'host',
40 database => 'all',
41 user => $pg_user,
42 address => "127.0.0.1/32",
43 auth_method => 'md5',
44 order => "00-02",
45 }
46 postgresql::server::pg_hba_rule { 'localhost ip6 access as postgres user':
47 description => 'Allow localhost access to postgres user',
48 type => 'host',
49 database => 'all',
50 user => $pg_user,
51 address => "::1/128",
52 auth_method => 'md5',
53 order => "00-03",
54 }
55 postgresql::server::pg_hba_rule { 'deny access to postgresql user':
56 description => 'Deny remote access to postgres user',
57 type => 'host',
58 database => 'all',
59 user => $pg_user,
60 address => "0.0.0.0/0",
61 auth_method => 'reject',
62 order => "00-04",
63 }
64
65 postgresql::server::pg_hba_rule { 'local access':
66 description => 'Allow local access with password',
67 type => 'local',
68 database => 'all',
69 user => 'all',
70 auth_method => 'md5',
71 order => "10-01",
72 }
73
74 postgresql::server::pg_hba_rule { 'local access with same name':
75 description => 'Allow local access with same name',
76 type => 'local',
77 database => 'all',
78 user => 'all',
79 auth_method => 'ident',
80 order => "10-02",
81 }
82 30
83} 31}
84 32
diff --git a/modules/profile/manifests/postgresql/base_pg_hba_rules.pp b/modules/profile/manifests/postgresql/base_pg_hba_rules.pp
index 13ab4ff..07c4bb6 100644
--- a/modules/profile/manifests/postgresql/base_pg_hba_rules.pp
+++ b/modules/profile/manifests/postgresql/base_pg_hba_rules.pp
@@ -43,8 +43,6 @@ define profile::postgresql::base_pg_hba_rules (
43 address => "::1/128", 43 address => "::1/128",
44 auth_method => 'md5', 44 auth_method => 'md5',
45 order => "00-03", 45 order => "00-03",
46 target => "$pg_path/pg_hba.conf",
47 postgresql_version => "10",
48 } 46 }
49 postgresql::server::pg_hba_rule { "$title - deny access to postgresql user": 47 postgresql::server::pg_hba_rule { "$title - deny access to postgresql user":
50 description => 'Deny remote access to postgres user', 48 description => 'Deny remote access to postgres user',
diff --git a/modules/role/manifests/cryptoportfolio/postgresql.pp b/modules/role/manifests/cryptoportfolio/postgresql.pp
index 776b30f..addad67 100644
--- a/modules/role/manifests/cryptoportfolio/postgresql.pp
+++ b/modules/role/manifests/cryptoportfolio/postgresql.pp
@@ -2,194 +2,40 @@ class role::cryptoportfolio::postgresql inherits role::cryptoportfolio {
2 $password_seed = lookup("base_installation::puppet_pass_seed") 2 $password_seed = lookup("base_installation::puppet_pass_seed")
3 3
4 $pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio") 4 $pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio")
5 $pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication")
6 5
7 file { "/var/lib/postgres/data/certs": 6 profile::postgresql::master { "postgresql master for cryptoportfolio":
8 ensure => directory, 7 letsencrypt_host => $web_host,
9 mode => "0700", 8 backup_hosts => ["backup-1"],
10 owner => $::profile::postgresql::pg_user,
11 group => $::profile::postgresql::pg_user,
12 require => File["/var/lib/postgres"],
13 }
14
15 file { "/var/lib/postgres/data/certs/cert.pem":
16 source => "file:///etc/letsencrypt/live/$web_host/cert.pem",
17 mode => "0600",
18 links => "follow",
19 owner => $::profile::postgresql::pg_user,
20 group => $::profile::postgresql::pg_user,
21 require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
22 }
23
24 file { "/var/lib/postgres/data/certs/privkey.pem":
25 source => "file:///etc/letsencrypt/live/$web_host/privkey.pem",
26 mode => "0600",
27 links => "follow",
28 owner => $::profile::postgresql::pg_user,
29 group => $::profile::postgresql::pg_user,
30 require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
31 }
32
33 postgresql_replication_slot { $pg_user_replication:
34 ensure => present
35 }
36
37 postgresql::server::config_entry { "wal_level":
38 value => "logical",
39 }
40
41 postgresql::server::config_entry { "ssl":
42 value => "on",
43 require => Letsencrypt::Certonly[$web_host],
44 }
45
46 postgresql::server::config_entry { "ssl_cert_file":
47 value => "/var/lib/postgres/data/certs/cert.pem",
48 require => Letsencrypt::Certonly[$web_host],
49 }
50
51 postgresql::server::config_entry { "ssl_key_file":
52 value => "/var/lib/postgres/data/certs/privkey.pem",
53 require => Letsencrypt::Certonly[$web_host],
54 } 9 }
55 10
56 postgresql::server::db { $pg_db: 11 postgresql::server::db { $pg_db:
57 user => $pg_user, 12 user => $pg_user,
58 password => postgresql_password($pg_user, $pg_password), 13 password => postgresql_password($pg_user, $pg_password),
59 } 14 }
60 ->
61 postgresql_psql { "CREATE PUBLICATION ${pg_db}_publication FOR ALL TABLES":
62 db => $pg_db,
63 unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${pg_db}_publication'",
64 }
65 ->
66 postgresql::server::role { $pg_user_replication:
67 db => $pg_db,
68 replication => true,
69 password_hash => postgresql_password($pg_user_replication, $pg_replication_password),
70 }
71 ->
72 postgresql::server::database_grant { $pg_user_replication:
73 db => $pg_db,
74 privilege => "CONNECT",
75 role => $pg_user_replication,
76 }
77 ->
78 postgresql::server::grant { "all tables in schema:public:$pg_user_replication":
79 db => $pg_db,
80 role => $pg_user_replication,
81 privilege => "SELECT",
82 object_type => "ALL TABLES IN SCHEMA",
83 object_name => "public",
84 }
85 ->
86 postgresql::server::grant { "all sequences in schema:public:$pg_user_replication":
87 db => $pg_db,
88 role => $pg_user_replication,
89 privilege => "SELECT",
90 object_type => "ALL SEQUENCES IN SCHEMA",
91 object_name => "public",
92 }
93 15
94 postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user': 16 postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user':
95 type => 'host', 17 type => 'local',
96 database => $pg_db, 18 database => $pg_db,
97 user => $pg_user, 19 user => $pg_user,
98 address => '127.0.0.1/32', 20 auth_method => 'ident',
99 auth_method => 'md5',
100 order => "05-01", 21 order => "05-01",
101 } 22 }
102 postgresql::server::pg_hba_rule { 'allow localhost ip6 TCP access to cryptoportfolio user':
103 type => 'host',
104 database => $pg_db,
105 user => $pg_user,
106 address => '::1/128',
107 auth_method => 'md5',
108 order => "05-01",
109 }
110
111 postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu for replication':
112 type => 'hostssl',
113 database => 'replication',
114 user => $pg_user_replication,
115 address => 'immae.eu',
116 auth_method => 'md5',
117 order => "05-01",
118 }
119
120 postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu':
121 type => 'hostssl',
122 database => $pg_db,
123 user => $pg_user_replication,
124 address => 'immae.eu',
125 auth_method => 'md5',
126 order => "05-02",
127 }
128
129 $backup_host = "backup-1"
130 23
131 unless empty($backup_host) { 24 # cleanup
132 ensure_packages(["pam_ldap"]) 25 postgresql_psql { "DROP PUBLICATION ${pg_db}_publication":
133 26 db => $pg_db,
134 $facts["ldapvar"]["other"].each |$host| { 27 onlyif => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${pg_db}_publication'",
135 if ($host["cn"][0] == $backup_host) { 28 } ->
136 $host["ipHostNumber"].each |$ip| { 29 postgresql_replication_slot { $pg_user_replication:
137 $infos = split($ip, "/") 30 ensure => absent
138 $ipaddress = $infos[0] 31 } ->
139 if (length($infos) == 1 and $ipaddress =~ /:/) { 32 postgresql_psql { "DROP OWNED BY $pg_user_replication":
140 $mask = "128" 33 db => $pg_db,
141 } elsif (length($infos) == 1) { 34 onlyif => "SELECT 1 FROM pg_user WHERE usename='$pg_user_replication'"
142 $mask = "32" 35 } ->
143 } else { 36 postgresql::server::role { $pg_user_replication:
144 $mask = $infos[1] 37 ensure => absent,
145 }
146
147 postgresql::server::pg_hba_rule { "allow TCP access to replication user from backup for replication from $ipaddress/$mask":
148 type => 'hostssl',
149 database => 'replication',
150 user => 'all',
151 address => "$ipaddress/$mask",
152 auth_method => 'pam',
153 order => "06-01",
154 }
155 }
156
157 postgresql::server::role { $backup_host:
158 replication => true,
159 }
160
161 postgresql_replication_slot { regsubst($backup_host, '-', "_", "G"):
162 ensure => present
163 }
164 }
165 }
166
167 $ldap_server = lookup("base_installation::ldap_server")
168 $ldap_base = lookup("base_installation::ldap_base")
169 $ldap_dn = lookup("base_installation::ldap_dn")
170 $ldap_password = generate_password(24, $password_seed, "ldap")
171 $ldap_attribute = "cn"
172
173 file { "/etc/pam_ldap.d":
174 ensure => directory,
175 mode => "0755",
176 owner => "root",
177 group => "root",
178 } ->
179 file { "/etc/pam_ldap.d/postgresql.conf":
180 ensure => "present",
181 mode => "0600",
182 owner => $::profile::postgresql::pg_user,
183 group => "root",
184 content => template("role/cryptoportfolio/pam_ldap_postgresql.conf.erb"),
185 } ->
186 file { "/etc/pam.d/postgresql":
187 ensure => "present",
188 mode => "0644",
189 owner => "root",
190 group => "root",
191 source => "puppet:///modules/role/cryptoportfolio/pam_postgresql"
192 }
193 } 38 }
39 # /cleanup
194 40
195} 41}