Merge branch 'dev'

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2018-05-16 01:37:10 +0200
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2018-05-16 01:37:10 +0200
commit: 5892888ecd60b665978f7637896c789f5659acb6 (patch)
tree: 00c268872a57752b344abf66ef13c1f59d1b7080
parent: 6df406c7ff4371e2f6be693082f41af0782f66fd (diff)
parent: 1c90c6913652e0ec7489ed22941e4e6a31d55912 (diff)
download: Puppet-5892888ecd60b665978f7637896c789f5659acb6.tar.gz
Puppet-5892888ecd60b665978f7637896c789f5659acb6.tar.zst
Puppet-5892888ecd60b665978f7637896c789f5659acb6.zip
5 files changed, 128 insertions, 12 deletions
diff --git a/modules/role/files/backup/pam_pgbouncer b/modules/role/files/backup/pam_pgbouncer
new file mode 100644
index 0000000..13f0d3d
--- /dev/null
+++ b/modules/role/files/backup/pam_pgbouncer
@@ -0,0 +1,3 @@
+auth            required        pam_ldap.so config=/etc/pam_ldap.d/pgbouncer.conf
+account         required        pam_ldap.so config=/etc/pam_ldap.d/pgbouncer.conf
diff --git a/modules/role/manifests/backup/postgresql.pp b/modules/role/manifests/backup/postgresql.pp
index 59e4669..51ce37e 100644
--- a/modules/role/manifests/backup/postgresql.pp
+++ b/modules/role/manifests/backup/postgresql.pp
@@ -10,16 +10,113 @@ class role::backup::postgresql inherits role::backup {
  $ldap_cn = lookup("base_installation::ldap_cn")
  $ldap_password = generate_password(24, $password_seed, "ldap")
+  $ldap_server = lookup("base_installation::ldap_server")
+  $ldap_base   = lookup("base_installation::ldap_base")
+  $ldap_dn     = lookup("base_installation::ldap_dn")
+  $ldap_attribute = "uid"
  $pg_slot = regsubst($ldap_cn, '-', "_", "G")
-  ensure_packages(["postgresql"])
+  ensure_packages(["postgresql", "pgbouncer", "pam_ldap"])
+  $pg_backup_hosts = lookup("role::backup::postgresql::backup_hosts", { "default_value" => {} })
+  $ldap_filter = lookup("role::backup::postgresql::pgbouncer_access_filter", { "default_value" => undef })
+  unless empty($pg_backup_hosts) {
+    file { "/etc/systemd/system/postgresql_backup@.service":
+      mode    => "0644",
+      owner   => "root",
+      group   => "root",
+      content => template("role/backup/postgresql_backup@.service.erb"),
+    }
-  $pg_backup_hosts = lookup("role::backup::postgresql::backup_hosts", { "default_value" => [] })
+    unless empty($ldap_filter) {
+      concat { "/etc/pgbouncer/pgbouncer.ini":
+        mode           => "0644",
+        owner          => "root",
+        group          => "root",
+        ensure_newline => true,
+        notify         => Service["pgbouncer"],
+      }
+      concat::fragment { "pgbouncer_head":
+        target  => "/etc/pgbouncer/pgbouncer.ini",
+        order   => "01",
+        content => template("role/backup/pgbouncer.ini.erb"),
+      }
+      file { "/etc/systemd/system/pgbouncer.service.d":
+        ensure => "directory",
+        mode   => "0644",
+        owner  => "root",
+        group  => "root",
+      }
+      file { "/etc/systemd/system/pgbouncer.service.d/override.conf":
+        ensure  => "present",
+        mode    => "0644",
+        owner   => "root",
+        group   => "root",
+        content => "[Service]\nUser=\nUser=$pg_user\n",
+        notify  => Service["pgbouncer"],
+      }
+      service { "pgbouncer":
+        ensure  => "running",
+        enable  => true,
+        require => [
+          Package["pgbouncer"],
+          File["/etc/systemd/system/pgbouncer.service.d/override.conf"],
+          Concat["/etc/pgbouncer/pgbouncer.ini"]
+        ],
+      }
+      file { "/etc/pam_ldap.d":
+        ensure => directory,
+        mode   => "0755",
+        owner  => "root",
+        group  => "root",
+      } ->
+      file { "/etc/pam_ldap.d/pgbouncer.conf":
+        ensure  => "present",
+        mode    => "0600",
+        owner   => $pg_user,
+        group   => "root",
+        content => template("role/backup/pam_ldap_pgbouncer.conf.erb"),
+      } ->
+      file { "/etc/pam.d/pgbouncer":
+        ensure => "present",
+        mode   => "0644",
+        owner  => "root",
+        group  => "root",
+        source => "puppet:///modules/role/backup/pam_pgbouncer"
+      }
+    }
+  }
-  $pg_backup_hosts.each |$pg_backup_host| {
+  $pg_backup_hosts.each |$pg_backup_host, $pg_infos| {
    $pg_path = "$mountpoint/$pg_backup_host/postgresql"
    $pg_host = "$pg_backup_host"
-    $pg_port = "5432"
+    $pg_port = $pg_infos["dbport"]
+    if !empty($ldap_filter) and ($pg_infos["pgbouncer"]) {
+      concat::fragment { "pgbouncer_$pg_backup_host":
+        target  => "/etc/pgbouncer/pgbouncer.ini",
+        order   => 02,
+        content => "${pg_infos[pgbouncer_dbname]} = host=$mountpoint/$pg_backup_host/postgresql user=${pg_infos[dbuser]} dbname=${pg_infos[dbname]}",
+      }
+      postgresql::server::pg_hba_rule { "$pg_backup_host - local access as ${pg_infos[dbuser]} user":
+        description => "Allow local access to ${pg_infos[dbuser]} user",
+        type        => 'local',
+        database    => $pg_infos["dbname"],
+        user        => $pg_infos["dbuser"],
+        auth_method => 'trust',
+        order       => "01-00",
+        target      => "$pg_path/pg_hba.conf",
+        postgresql_version => "10",
+      }
+    }
    file { "$mountpoint/$pg_backup_host":
      ensure => directory,
@@ -154,10 +251,4 @@ class role::backup::postgresql inherits role::backup {
    }
  }
-  file { "/etc/systemd/system/postgresql_backup@.service":
-    mode    => "0644",
-    owner   => "root",
-    group   => "root",
-    content => template("role/backup/postgresql_backup@.service.erb"),
-  }
 }
diff --git a/modules/role/manifests/cryptoportfolio/postgresql.pp b/modules/role/manifests/cryptoportfolio/postgresql.pp
index d951874..776b30f 100644
--- a/modules/role/manifests/cryptoportfolio/postgresql.pp
+++ b/modules/role/manifests/cryptoportfolio/postgresql.pp
@@ -178,8 +178,8 @@ class role::cryptoportfolio::postgresql inherits role::cryptoportfolio {
    } ->
    file { "/etc/pam_ldap.d/postgresql.conf":
      ensure  => "present",
-      mode    => "0644",
+      mode    => "0600",
-      owner   => "root",
+      owner   => $::profile::postgresql::pg_user,
      group   => "root",
      content => template("role/cryptoportfolio/pam_ldap_postgresql.conf.erb"),
    } ->
diff --git a/modules/role/templates/backup/pam_ldap_pgbouncer.conf.erb b/modules/role/templates/backup/pam_ldap_pgbouncer.conf.erb
new file mode 100644
index 0000000..12fa9bb
--- /dev/null
+++ b/modules/role/templates/backup/pam_ldap_pgbouncer.conf.erb
@@ -0,0 +1,7 @@
+host <%= @ldap_server %>
+base <%= @ldap_base %>
+binddn <%= @ldap_dn %>
+bindpw <%= @ldap_password %>
+pam_login_attribute <%= @ldap_attribute %>
+pam_filter <%= @ldap_filter %>
diff --git a/modules/role/templates/backup/pgbouncer.ini.erb b/modules/role/templates/backup/pgbouncer.ini.erb
new file mode 100644
index 0000000..3ba8728
--- /dev/null
+++ b/modules/role/templates/backup/pgbouncer.ini.erb
@@ -0,0 +1,15 @@
+[pgbouncer]
+listen_addr = 0.0.0.0
+listen_port = 5432
+unix_socket_dir = /run/postgresql
+unix_socket_mode = 0777
+auth_type = pam
+admin_users = postgres
+max_client_conn = 100
+default_pool_size = 20
+[databases]
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2018-05-16 01:37:10 +0200
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2018-05-16 01:37:10 +0200
commit	5892888ecd60b665978f7637896c789f5659acb6 (patch)
tree	00c268872a57752b344abf66ef13c1f59d1b7080
parent	6df406c7ff4371e2f6be693082f41af0782f66fd (diff)
parent	1c90c6913652e0ec7489ed22941e4e6a31d55912 (diff)
download	Puppet-5892888ecd60b665978f7637896c789f5659acb6.tar.gz Puppet-5892888ecd60b665978f7637896c789f5659acb6.tar.zst Puppet-5892888ecd60b665978f7637896c789f5659acb6.zip

diff --git a/modules/role/files/backup/pam_pgbouncer b/modules/role/files/backup/pam_pgbouncer new file mode 100644 index 0000000..13f0d3d --- /dev/null +++ b/modules/role/files/backup/pam_pgbouncer
@@ -0,0 +1,3 @@
		1	auth required pam_ldap.so config=/etc/pam_ldap.d/pgbouncer.conf
		2	account required pam_ldap.so config=/etc/pam_ldap.d/pgbouncer.conf
		3


diff --git a/modules/role/manifests/backup/postgresql.pp b/modules/role/manifests/backup/postgresql.pp index 59e4669..51ce37e 100644 --- a/modules/role/manifests/backup/postgresql.pp +++ b/modules/role/manifests/backup/postgresql.pp
@@ -10,16 +10,113 @@ class role::backup::postgresql inherits role::backup {
10		10
11	$ldap_cn = lookup("base_installation::ldap_cn")	11	$ldap_cn = lookup("base_installation::ldap_cn")
12	$ldap_password = generate_password(24, $password_seed, "ldap")	12	$ldap_password = generate_password(24, $password_seed, "ldap")
		13	$ldap_server = lookup("base_installation::ldap_server")
		14	$ldap_base = lookup("base_installation::ldap_base")
		15	$ldap_dn = lookup("base_installation::ldap_dn")
		16	$ldap_attribute = "uid"
		17
13	$pg_slot = regsubst($ldap_cn, '-', "_", "G")	18	$pg_slot = regsubst($ldap_cn, '-', "_", "G")
14		19
15	ensure_packages(["postgresql"])	20	ensure_packages(["postgresql", "pgbouncer", "pam_ldap"])
		21
		22	$pg_backup_hosts = lookup("role::backup::postgresql::backup_hosts", { "default_value" => {} })
		23	$ldap_filter = lookup("role::backup::postgresql::pgbouncer_access_filter", { "default_value" => undef })
		24
		25	unless empty($pg_backup_hosts) {
		26	file { "/etc/systemd/system/postgresql_backup@.service":
		27	mode => "0644",
		28	owner => "root",
		29	group => "root",
		30	content => template("role/backup/postgresql_backup@.service.erb"),
		31	}
16		32
17	$pg_backup_hosts = lookup("role::backup::postgresql::backup_hosts", { "default_value" => [] })	33	unless empty($ldap_filter) {
		34	concat { "/etc/pgbouncer/pgbouncer.ini":
		35	mode => "0644",
		36	owner => "root",
		37	group => "root",
		38	ensure_newline => true,
		39	notify => Service["pgbouncer"],
		40	}
		41
		42	concat::fragment { "pgbouncer_head":
		43	target => "/etc/pgbouncer/pgbouncer.ini",
		44	order => "01",
		45	content => template("role/backup/pgbouncer.ini.erb"),
		46	}
		47
		48	file { "/etc/systemd/system/pgbouncer.service.d":
		49	ensure => "directory",
		50	mode => "0644",
		51	owner => "root",
		52	group => "root",
		53	}
		54
		55	file { "/etc/systemd/system/pgbouncer.service.d/override.conf":
		56	ensure => "present",
		57	mode => "0644",
		58	owner => "root",
		59	group => "root",
		60	content => "[Service]\nUser=\nUser=$pg_user\n",
		61	notify => Service["pgbouncer"],
		62	}
		63
		64	service { "pgbouncer":
		65	ensure => "running",
		66	enable => true,
		67	require => [
		68	Package["pgbouncer"],
		69	File["/etc/systemd/system/pgbouncer.service.d/override.conf"],
		70	Concat["/etc/pgbouncer/pgbouncer.ini"]
		71	],
		72	}
		73
		74	file { "/etc/pam_ldap.d":
		75	ensure => directory,
		76	mode => "0755",
		77	owner => "root",
		78	group => "root",
		79	} ->
		80	file { "/etc/pam_ldap.d/pgbouncer.conf":
		81	ensure => "present",
		82	mode => "0600",
		83	owner => $pg_user,
		84	group => "root",
		85	content => template("role/backup/pam_ldap_pgbouncer.conf.erb"),
		86	} ->
		87	file { "/etc/pam.d/pgbouncer":
		88	ensure => "present",
		89	mode => "0644",
		90	owner => "root",
		91	group => "root",
		92	source => "puppet:///modules/role/backup/pam_pgbouncer"
		93	}
		94	}
		95	}
18		96
19	$pg_backup_hosts.each \|$pg_backup_host\| {	97	$pg_backup_hosts.each \|$pg_backup_host, $pg_infos\| {
20	$pg_path = "$mountpoint/$pg_backup_host/postgresql"	98	$pg_path = "$mountpoint/$pg_backup_host/postgresql"
21	$pg_host = "$pg_backup_host"	99	$pg_host = "$pg_backup_host"
22	$pg_port = "5432"	100	$pg_port = $pg_infos["dbport"]
		101
		102	if !empty($ldap_filter) and ($pg_infos["pgbouncer"]) {
		103	concat::fragment { "pgbouncer_$pg_backup_host":
		104	target => "/etc/pgbouncer/pgbouncer.ini",
		105	order => 02,
		106	content => "${pg_infos[pgbouncer_dbname]} = host=$mountpoint/$pg_backup_host/postgresql user=${pg_infos[dbuser]} dbname=${pg_infos[dbname]}",
		107	}
		108
		109	postgresql::server::pg_hba_rule { "$pg_backup_host - local access as ${pg_infos[dbuser]} user":
		110	description => "Allow local access to ${pg_infos[dbuser]} user",
		111	type => 'local',
		112	database => $pg_infos["dbname"],
		113	user => $pg_infos["dbuser"],
		114	auth_method => 'trust',
		115	order => "01-00",
		116	target => "$pg_path/pg_hba.conf",
		117	postgresql_version => "10",
		118	}
		119	}
23		120
24	file { "$mountpoint/$pg_backup_host":	121	file { "$mountpoint/$pg_backup_host":
25	ensure => directory,	122	ensure => directory,
@@ -154,10 +251,4 @@ class role::backup::postgresql inherits role::backup {
154	}	251	}
155	}	252	}
156		253
157	file { "/etc/systemd/system/postgresql_backup@.service":
158	mode => "0644",
159	owner => "root",
160	group => "root",
161	content => template("role/backup/postgresql_backup@.service.erb"),
162	}
163	}	254	}


diff --git a/modules/role/manifests/cryptoportfolio/postgresql.pp b/modules/role/manifests/cryptoportfolio/postgresql.pp index d951874..776b30f 100644 --- a/modules/role/manifests/cryptoportfolio/postgresql.pp +++ b/modules/role/manifests/cryptoportfolio/postgresql.pp
@@ -178,8 +178,8 @@ class role::cryptoportfolio::postgresql inherits role::cryptoportfolio {
178	} ->	178	} ->
179	file { "/etc/pam_ldap.d/postgresql.conf":	179	file { "/etc/pam_ldap.d/postgresql.conf":
180	ensure => "present",	180	ensure => "present",
181	mode => "0644",	181	mode => "0600",
182	owner => "root",	182	owner => $::profile::postgresql::pg_user,
183	group => "root",	183	group => "root",
184	content => template("role/cryptoportfolio/pam_ldap_postgresql.conf.erb"),	184	content => template("role/cryptoportfolio/pam_ldap_postgresql.conf.erb"),
185	} ->	185	} ->


diff --git a/modules/role/templates/backup/pam_ldap_pgbouncer.conf.erb b/modules/role/templates/backup/pam_ldap_pgbouncer.conf.erb new file mode 100644 index 0000000..12fa9bb --- /dev/null +++ b/modules/role/templates/backup/pam_ldap_pgbouncer.conf.erb
@@ -0,0 +1,7 @@
		1	host <%= @ldap_server %>
		2
		3	base <%= @ldap_base %>
		4	binddn <%= @ldap_dn %>
		5	bindpw <%= @ldap_password %>
		6	pam_login_attribute <%= @ldap_attribute %>
		7	pam_filter <%= @ldap_filter %>


diff --git a/modules/role/templates/backup/pgbouncer.ini.erb b/modules/role/templates/backup/pgbouncer.ini.erb new file mode 100644 index 0000000..3ba8728 --- /dev/null +++ b/modules/role/templates/backup/pgbouncer.ini.erb
@@ -0,0 +1,15 @@
		1	[pgbouncer]
		2
		3	listen_addr = 0.0.0.0
		4	listen_port = 5432
		5
		6	unix_socket_dir = /run/postgresql
		7	unix_socket_mode = 0777
		8
		9	auth_type = pam
		10
		11	admin_users = postgres
		12	max_client_conn = 100
		13	default_pool_size = 20
		14
		15	[databases]