Merge branch 'postgresql_backup' into dev

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2018-05-14 00:37:45 +0200
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2018-05-14 00:37:45 +0200
commit: a87d847bf496e64b10e515866bcfd86dfeb6ffa4 (patch)
tree: fbbaec6a735433be8d1da2c949df9ea50fe97539
parent: a859ab30660104d25485824afa1c23de454bb5ed (diff)
parent: 6d1c9c43fb2133689d814cfc84a4942ceec5c1c7 (diff)
download: Puppet-a87d847bf496e64b10e515866bcfd86dfeb6ffa4.tar.gz
Puppet-a87d847bf496e64b10e515866bcfd86dfeb6ffa4.tar.zst
Puppet-a87d847bf496e64b10e515866bcfd86dfeb6ffa4.zip
7 files changed, 276 insertions, 0 deletions
diff --git a/modules/role/files/cryptoportfolio/pam_postgresql b/modules/role/files/cryptoportfolio/pam_postgresql
new file mode 100644
index 0000000..70a90ae
--- /dev/null
+++ b/modules/role/files/cryptoportfolio/pam_postgresql
@@ -0,0 +1,3 @@
+auth            required        pam_ldap.so config=/etc/pam_ldap.d/postgresql.conf
+account         required        pam_ldap.so config=/etc/pam_ldap.d/postgresql.conf
diff --git a/modules/role/manifests/backup.pp b/modules/role/manifests/backup.pp
index ab485b0..37e6138 100644
--- a/modules/role/manifests/backup.pp
+++ b/modules/role/manifests/backup.pp
@@ -14,6 +14,7 @@ class role::backup (
  include "profile::xmr_stak"
  include "profile::known_hosts"
  include "profile::boinc"
+  include "role::cryptoportfolio::postgresql_backup"
  ensure_packages(["rsync"])
diff --git a/modules/role/manifests/cryptoportfolio/postgresql.pp b/modules/role/manifests/cryptoportfolio/postgresql.pp
index 5db5e25..d951874 100644
--- a/modules/role/manifests/cryptoportfolio/postgresql.pp
+++ b/modules/role/manifests/cryptoportfolio/postgresql.pp
@@ -126,4 +126,70 @@ class role::cryptoportfolio::postgresql inherits role::cryptoportfolio {
    order       => "05-02",
  }
+  $backup_host = "backup-1"
+  unless empty($backup_host) {
+    ensure_packages(["pam_ldap"])
+    $facts["ldapvar"]["other"].each |$host| {
+      if ($host["cn"][0] == $backup_host) {
+        $host["ipHostNumber"].each |$ip| {
+          $infos = split($ip, "/")
+          $ipaddress = $infos[0]
+          if (length($infos) == 1 and $ipaddress =~ /:/) {
+            $mask = "128"
+          } elsif (length($infos) == 1) {
+            $mask = "32"
+          } else {
+            $mask = $infos[1]
+          }
+          postgresql::server::pg_hba_rule { "allow TCP access to replication user from backup for replication from $ipaddress/$mask":
+            type        => 'hostssl',
+            database    => 'replication',
+            user        => 'all',
+            address     => "$ipaddress/$mask",
+            auth_method => 'pam',
+            order       => "06-01",
+          }
+        }
+        postgresql::server::role { $backup_host:
+          replication => true,
+        }
+        postgresql_replication_slot { regsubst($backup_host, '-', "_", "G"):
+          ensure => present
+        }
+      }
+    }
+    $ldap_server = lookup("base_installation::ldap_server")
+    $ldap_base   = lookup("base_installation::ldap_base")
+    $ldap_dn     = lookup("base_installation::ldap_dn")
+    $ldap_password = generate_password(24, $password_seed, "ldap")
+    $ldap_attribute = "cn"
+    file { "/etc/pam_ldap.d":
+      ensure => directory,
+      mode   => "0755",
+      owner  => "root",
+      group  => "root",
+    } ->
+    file { "/etc/pam_ldap.d/postgresql.conf":
+      ensure  => "present",
+      mode    => "0644",
+      owner   => "root",
+      group   => "root",
+      content => template("role/cryptoportfolio/pam_ldap_postgresql.conf.erb"),
+    } ->
+    file { "/etc/pam.d/postgresql":
+      ensure => "present",
+      mode   => "0644",
+      owner  => "root",
+      group  => "root",
+      source => "puppet:///modules/role/cryptoportfolio/pam_postgresql"
+    }
+  }
 }
diff --git a/modules/role/manifests/cryptoportfolio/postgresql_backup.pp b/modules/role/manifests/cryptoportfolio/postgresql_backup.pp
new file mode 100644
index 0000000..c6ca0fa
--- /dev/null
+++ b/modules/role/manifests/cryptoportfolio/postgresql_backup.pp
@@ -0,0 +1,161 @@
+class role::cryptoportfolio::postgresql_backup inherits role::backup {
+  # This manifest is supposed to be part of the backup server
+  $password_seed = lookup("base_installation::puppet_pass_seed")
+  $user = lookup("role::backup::user")
+  $group = lookup("role::backup::group")
+  $pg_user = "postgres"
+  $pg_group = "postgres"
+  $ldap_cn = lookup("base_installation::ldap_cn")
+  $ldap_password = generate_password(24, $password_seed, "ldap")
+  $pg_slot = regsubst($ldap_cn, '-', "_", "G")
+  ensure_packages(["postgresql"])
+  $pg_backup_hosts = ["cryptoportfolio-dev.immae.eu"]
+  $pg_backup_hosts.each |$pg_backup_host| {
+    $pg_path = "$mountpoint/$pg_backup_host/postgresql"
+    $pg_host = "$pg_backup_host"
+    $pg_port = "5432"
+    file { "$mountpoint/$pg_backup_host":
+      ensure => directory,
+      owner  => $user,
+      group  => $group,
+    }
+    file { $pg_path:
+      ensure  => directory,
+      owner   => $pg_user,
+      group   => $pg_group,
+      mode    => "0700",
+      require => File["$mountpoint/$pg_backup_host"],
+    }
+    exec { "pg_basebackup $pg_path":
+      cwd         => $pg_path,
+      user        => $pg_user,
+      creates     => "$pg_path/PG_VERSION",
+      environment => ["PGPASSWORD=$ldap_password"],
+      command     => "/usr/bin/pg_basebackup -w -h $pg_host -U $ldap_cn -D $pg_path -S $pg_slot",
+      before      => [
+        Concat["$pg_path/pg_hba.conf"],
+        Concat["$pg_path/recovery.conf"],
+        File["$pg_path/postgresql.conf"],
+      ]
+    }
+    concat { "$pg_path/pg_hba.conf":
+      owner   => $pg_user,
+      group   => $pg_group,
+      mode    => '0640',
+      warn    => true,
+    }
+    postgresql::server::pg_hba_rule { "$pg_backup_host - local access as postgres user":
+      description => 'Allow local access to postgres user',
+      type        => 'local',
+      database    => 'all',
+      user        => $pg_user,
+      auth_method => 'ident',
+      order       => "00-01",
+      target      => "$pg_path/pg_hba.conf",
+      postgresql_version => "10",
+    }
+    postgresql::server::pg_hba_rule { "$pg_backup_host - localhost access as postgres user":
+      description => 'Allow localhost access to postgres user',
+      type        => 'host',
+      database    => 'all',
+      user        => $pg_user,
+      address     => "127.0.0.1/32",
+      auth_method => 'md5',
+      order       => "00-02",
+      target      => "$pg_path/pg_hba.conf",
+      postgresql_version => "10",
+    }
+    postgresql::server::pg_hba_rule { "$pg_backup_host - localhost ip6 access as postgres user":
+      description => 'Allow localhost access to postgres user',
+      type        => 'host',
+      database    => 'all',
+      user        => $pg_user,
+      address     => "::1/128",
+      auth_method => 'md5',
+      order       => "00-03",
+      target      => "$pg_path/pg_hba.conf",
+      postgresql_version => "10",
+    }
+    postgresql::server::pg_hba_rule { "$pg_backup_host - deny access to postgresql user":
+      description => 'Deny remote access to postgres user',
+      type        => 'host',
+      database    => 'all',
+      user        => $pg_user,
+      address     => "0.0.0.0/0",
+      auth_method => 'reject',
+      order       => "00-04",
+      target      => "$pg_path/pg_hba.conf",
+      postgresql_version => "10",
+    }
+    postgresql::server::pg_hba_rule { "$pg_backup_host - local access":
+      description => 'Allow local access with password',
+      type        => 'local',
+      database    => 'all',
+      user        => 'all',
+      auth_method => 'md5',
+      order       => "10-01",
+      target      => "$pg_path/pg_hba.conf",
+      postgresql_version => "10",
+    }
+    postgresql::server::pg_hba_rule { "$pg_backup_host - local access with same name":
+      description => 'Allow local access with same name',
+      type        => 'local',
+      database    => 'all',
+      user        => 'all',
+      auth_method => 'ident',
+      order       => "10-02",
+      target      => "$pg_path/pg_hba.conf",
+      postgresql_version => "10",
+    }
+    concat { "$pg_path/recovery.conf":
+      owner  => $pg_user,
+      group  => $pg_group,
+      mode   => '0640',
+      warn   => true,
+    }
+    postgresql::server::recovery { "$pg_backup_host recovery":
+      primary_conninfo  => "host=$pg_host port=$pg_port user=$ldap_cn password=$ldap_password sslmode=require",
+      primary_slot_name => regsubst($ldap_cn, '-', "_", "G"),
+      standby_mode      => "on",
+      target            => "$pg_path/recovery.conf",
+    }
+    file { "$pg_path/postgresql.conf":
+      owner   => $pg_user,
+      group   => $pg_group,
+      mode    => '0640',
+      content => template("role/cryptoportfolio/postgresql_backup.conf.erb"),
+    }
+    service { "postgresql_backup@$pg_backup_host":
+      enable  => true,
+      ensure  => "running",
+      require => [
+        File["/etc/systemd/system/postgresql_backup@.service"],
+        Concat["$pg_path/pg_hba.conf"],
+        Concat["$pg_path/recovery.conf"],
+        File["$pg_path/postgresql.conf"],
+      ]
+    }
+  }
+  file { "/etc/systemd/system/postgresql_backup@.service":
+    mode    => "0644",
+    owner   => "root",
+    group   => "root",
+    content => template("role/cryptoportfolio/postgresql_backup@.service.erb"),
+  }
+}
diff --git a/modules/role/templates/cryptoportfolio/pam_ldap_postgresql.conf.erb b/modules/role/templates/cryptoportfolio/pam_ldap_postgresql.conf.erb
new file mode 100644
index 0000000..f3d9674
--- /dev/null
+++ b/modules/role/templates/cryptoportfolio/pam_ldap_postgresql.conf.erb
@@ -0,0 +1,6 @@
+host <%= @ldap_server %>
+base <%= @ldap_base %>
+binddn <%= @ldap_dn %>
+bindpw <%= @ldap_password %>
+pam_login_attribute <%= @ldap_attribute %>
diff --git a/modules/role/templates/cryptoportfolio/postgresql_backup.conf.erb b/modules/role/templates/cryptoportfolio/postgresql_backup.conf.erb
new file mode 100644
index 0000000..860089b
--- /dev/null
+++ b/modules/role/templates/cryptoportfolio/postgresql_backup.conf.erb
@@ -0,0 +1,5 @@
+listen_addresses= ''
+unix_socket_directories = '<%= @pg_path %>'
+data_directory = '<%= @pg_path %>'
+wal_level = logical
diff --git a/modules/role/templates/cryptoportfolio/postgresql_backup@.service.erb b/modules/role/templates/cryptoportfolio/postgresql_backup@.service.erb
new file mode 100644
index 0000000..245a1cb
--- /dev/null
+++ b/modules/role/templates/cryptoportfolio/postgresql_backup@.service.erb
@@ -0,0 +1,34 @@
+[Unit]
+Description=PostgreSQL database server
+After=network.target
+[Service]
+Type=forking
+TimeoutSec=120
+User=postgres
+Group=postgres
+Environment=PGROOT=<%= @mountpoint %>/%i/postgresql
+SyslogIdentifier=postgres
+PIDFile=<%= @mountpoint %>/%i/postgresql/postmaster.pid
+RuntimeDirectory=postgresql
+RuntimeDirectoryMode=755
+ExecStartPre=/usr/bin/postgresql-check-db-dir ${PGROOT}
+ExecStart= /usr/bin/pg_ctl -s -D ${PGROOT} start -w -t 120
+ExecReload=/usr/bin/pg_ctl -s -D ${PGROOT} reload
+ExecStop=  /usr/bin/pg_ctl -s -D ${PGROOT} stop -m fast
+# Due to PostgreSQL's use of shared memory, OOM killer is often overzealous in
+# killing Postgres, so adjust it downward
+OOMScoreAdjust=-200
+# Additional security-related features
+PrivateTmp=true
+ProtectHome=true
+ProtectSystem=full
+NoNewPrivileges=true
+[Install]
+WantedBy=multi-user.target
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2018-05-14 00:37:45 +0200
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2018-05-14 00:37:45 +0200
commit	a87d847bf496e64b10e515866bcfd86dfeb6ffa4 (patch)
tree	fbbaec6a735433be8d1da2c949df9ea50fe97539
parent	a859ab30660104d25485824afa1c23de454bb5ed (diff)
parent	6d1c9c43fb2133689d814cfc84a4942ceec5c1c7 (diff)
download	Puppet-a87d847bf496e64b10e515866bcfd86dfeb6ffa4.tar.gz Puppet-a87d847bf496e64b10e515866bcfd86dfeb6ffa4.tar.zst Puppet-a87d847bf496e64b10e515866bcfd86dfeb6ffa4.zip

diff --git a/modules/role/files/cryptoportfolio/pam_postgresql b/modules/role/files/cryptoportfolio/pam_postgresql new file mode 100644 index 0000000..70a90ae --- /dev/null +++ b/modules/role/files/cryptoportfolio/pam_postgresql
@@ -0,0 +1,3 @@
		1	auth required pam_ldap.so config=/etc/pam_ldap.d/postgresql.conf
		2	account required pam_ldap.so config=/etc/pam_ldap.d/postgresql.conf
		3


diff --git a/modules/role/manifests/backup.pp b/modules/role/manifests/backup.pp index ab485b0..37e6138 100644 --- a/modules/role/manifests/backup.pp +++ b/modules/role/manifests/backup.pp
@@ -14,6 +14,7 @@ class role::backup (
14	include "profile::xmr_stak"	14	include "profile::xmr_stak"
15	include "profile::known_hosts"	15	include "profile::known_hosts"
16	include "profile::boinc"	16	include "profile::boinc"
		17	include "role::cryptoportfolio::postgresql_backup"
17		18
18	ensure_packages(["rsync"])	19	ensure_packages(["rsync"])
19		20


diff --git a/modules/role/manifests/cryptoportfolio/postgresql.pp b/modules/role/manifests/cryptoportfolio/postgresql.pp index 5db5e25..d951874 100644 --- a/modules/role/manifests/cryptoportfolio/postgresql.pp +++ b/modules/role/manifests/cryptoportfolio/postgresql.pp
@@ -126,4 +126,70 @@ class role::cryptoportfolio::postgresql inherits role::cryptoportfolio {
126	order => "05-02",	126	order => "05-02",
127	}	127	}
128		128
		129	$backup_host = "backup-1"
		130
		131	unless empty($backup_host) {
		132	ensure_packages(["pam_ldap"])
		133
		134	$facts["ldapvar"]["other"].each \|$host\| {
		135	if ($host["cn"][0] == $backup_host) {
		136	$host["ipHostNumber"].each \|$ip\| {
		137	$infos = split($ip, "/")
		138	$ipaddress = $infos[0]
		139	if (length($infos) == 1 and $ipaddress =~ /:/) {
		140	$mask = "128"
		141	} elsif (length($infos) == 1) {
		142	$mask = "32"
		143	} else {
		144	$mask = $infos[1]
		145	}
		146
		147	postgresql::server::pg_hba_rule { "allow TCP access to replication user from backup for replication from $ipaddress/$mask":
		148	type => 'hostssl',
		149	database => 'replication',
		150	user => 'all',
		151	address => "$ipaddress/$mask",
		152	auth_method => 'pam',
		153	order => "06-01",
		154	}
		155	}
		156
		157	postgresql::server::role { $backup_host:
		158	replication => true,
		159	}
		160
		161	postgresql_replication_slot { regsubst($backup_host, '-', "_", "G"):
		162	ensure => present
		163	}
		164	}
		165	}
		166
		167	$ldap_server = lookup("base_installation::ldap_server")
		168	$ldap_base = lookup("base_installation::ldap_base")
		169	$ldap_dn = lookup("base_installation::ldap_dn")
		170	$ldap_password = generate_password(24, $password_seed, "ldap")
		171	$ldap_attribute = "cn"
		172
		173	file { "/etc/pam_ldap.d":
		174	ensure => directory,
		175	mode => "0755",
		176	owner => "root",
		177	group => "root",
		178	} ->
		179	file { "/etc/pam_ldap.d/postgresql.conf":
		180	ensure => "present",
		181	mode => "0644",
		182	owner => "root",
		183	group => "root",
		184	content => template("role/cryptoportfolio/pam_ldap_postgresql.conf.erb"),
		185	} ->
		186	file { "/etc/pam.d/postgresql":
		187	ensure => "present",
		188	mode => "0644",
		189	owner => "root",
		190	group => "root",
		191	source => "puppet:///modules/role/cryptoportfolio/pam_postgresql"
		192	}
		193	}
		194
129	}	195	}


diff --git a/modules/role/manifests/cryptoportfolio/postgresql_backup.pp b/modules/role/manifests/cryptoportfolio/postgresql_backup.pp new file mode 100644 index 0000000..c6ca0fa --- /dev/null +++ b/modules/role/manifests/cryptoportfolio/postgresql_backup.pp
@@ -0,0 +1,161 @@
		1	class role::cryptoportfolio::postgresql_backup inherits role::backup {
		2	# This manifest is supposed to be part of the backup server
		3
		4	$password_seed = lookup("base_installation::puppet_pass_seed")
		5
		6	$user = lookup("role::backup::user")
		7	$group = lookup("role::backup::group")
		8	$pg_user = "postgres"
		9	$pg_group = "postgres"
		10
		11	$ldap_cn = lookup("base_installation::ldap_cn")
		12	$ldap_password = generate_password(24, $password_seed, "ldap")
		13	$pg_slot = regsubst($ldap_cn, '-', "_", "G")
		14
		15	ensure_packages(["postgresql"])
		16
		17	$pg_backup_hosts = ["cryptoportfolio-dev.immae.eu"]
		18
		19	$pg_backup_hosts.each \|$pg_backup_host\| {
		20	$pg_path = "$mountpoint/$pg_backup_host/postgresql"
		21	$pg_host = "$pg_backup_host"
		22	$pg_port = "5432"
		23
		24	file { "$mountpoint/$pg_backup_host":
		25	ensure => directory,
		26	owner => $user,
		27	group => $group,
		28	}
		29
		30	file { $pg_path:
		31	ensure => directory,
		32	owner => $pg_user,
		33	group => $pg_group,
		34	mode => "0700",
		35	require => File["$mountpoint/$pg_backup_host"],
		36	}
		37
		38	exec { "pg_basebackup $pg_path":
		39	cwd => $pg_path,
		40	user => $pg_user,
		41	creates => "$pg_path/PG_VERSION",
		42	environment => ["PGPASSWORD=$ldap_password"],
		43	command => "/usr/bin/pg_basebackup -w -h $pg_host -U $ldap_cn -D $pg_path -S $pg_slot",
		44	before => [
		45	Concat["$pg_path/pg_hba.conf"],
		46	Concat["$pg_path/recovery.conf"],
		47	File["$pg_path/postgresql.conf"],
		48	]
		49	}
		50
		51	concat { "$pg_path/pg_hba.conf":
		52	owner => $pg_user,
		53	group => $pg_group,
		54	mode => '0640',
		55	warn => true,
		56	}
		57	postgresql::server::pg_hba_rule { "$pg_backup_host - local access as postgres user":
		58	description => 'Allow local access to postgres user',
		59	type => 'local',
		60	database => 'all',
		61	user => $pg_user,
		62	auth_method => 'ident',
		63	order => "00-01",
		64	target => "$pg_path/pg_hba.conf",
		65	postgresql_version => "10",
		66	}
		67	postgresql::server::pg_hba_rule { "$pg_backup_host - localhost access as postgres user":
		68	description => 'Allow localhost access to postgres user',
		69	type => 'host',
		70	database => 'all',
		71	user => $pg_user,
		72	address => "127.0.0.1/32",
		73	auth_method => 'md5',
		74	order => "00-02",
		75	target => "$pg_path/pg_hba.conf",
		76	postgresql_version => "10",
		77	}
		78	postgresql::server::pg_hba_rule { "$pg_backup_host - localhost ip6 access as postgres user":
		79	description => 'Allow localhost access to postgres user',
		80	type => 'host',
		81	database => 'all',
		82	user => $pg_user,
		83	address => "::1/128",
		84	auth_method => 'md5',
		85	order => "00-03",
		86	target => "$pg_path/pg_hba.conf",
		87	postgresql_version => "10",
		88	}
		89	postgresql::server::pg_hba_rule { "$pg_backup_host - deny access to postgresql user":
		90	description => 'Deny remote access to postgres user',
		91	type => 'host',
		92	database => 'all',
		93	user => $pg_user,
		94	address => "0.0.0.0/0",
		95	auth_method => 'reject',
		96	order => "00-04",
		97	target => "$pg_path/pg_hba.conf",
		98	postgresql_version => "10",
		99	}
		100
		101	postgresql::server::pg_hba_rule { "$pg_backup_host - local access":
		102	description => 'Allow local access with password',
		103	type => 'local',
		104	database => 'all',
		105	user => 'all',
		106	auth_method => 'md5',
		107	order => "10-01",
		108	target => "$pg_path/pg_hba.conf",
		109	postgresql_version => "10",
		110	}
		111
		112	postgresql::server::pg_hba_rule { "$pg_backup_host - local access with same name":
		113	description => 'Allow local access with same name',
		114	type => 'local',
		115	database => 'all',
		116	user => 'all',
		117	auth_method => 'ident',
		118	order => "10-02",
		119	target => "$pg_path/pg_hba.conf",
		120	postgresql_version => "10",
		121	}
		122
		123	concat { "$pg_path/recovery.conf":
		124	owner => $pg_user,
		125	group => $pg_group,
		126	mode => '0640',
		127	warn => true,
		128	}
		129	postgresql::server::recovery { "$pg_backup_host recovery":
		130	primary_conninfo => "host=$pg_host port=$pg_port user=$ldap_cn password=$ldap_password sslmode=require",
		131	primary_slot_name => regsubst($ldap_cn, '-', "_", "G"),
		132	standby_mode => "on",
		133	target => "$pg_path/recovery.conf",
		134	}
		135
		136	file { "$pg_path/postgresql.conf":
		137	owner => $pg_user,
		138	group => $pg_group,
		139	mode => '0640',
		140	content => template("role/cryptoportfolio/postgresql_backup.conf.erb"),
		141	}
		142
		143	service { "postgresql_backup@$pg_backup_host":
		144	enable => true,
		145	ensure => "running",
		146	require => [
		147	File["/etc/systemd/system/postgresql_backup@.service"],
		148	Concat["$pg_path/pg_hba.conf"],
		149	Concat["$pg_path/recovery.conf"],
		150	File["$pg_path/postgresql.conf"],
		151	]
		152	}
		153	}
		154
		155	file { "/etc/systemd/system/postgresql_backup@.service":
		156	mode => "0644",
		157	owner => "root",
		158	group => "root",
		159	content => template("role/cryptoportfolio/postgresql_backup@.service.erb"),
		160	}
		161	}


diff --git a/modules/role/templates/cryptoportfolio/pam_ldap_postgresql.conf.erb b/modules/role/templates/cryptoportfolio/pam_ldap_postgresql.conf.erb new file mode 100644 index 0000000..f3d9674 --- /dev/null +++ b/modules/role/templates/cryptoportfolio/pam_ldap_postgresql.conf.erb
@@ -0,0 +1,6 @@
		1	host <%= @ldap_server %>
		2
		3	base <%= @ldap_base %>
		4	binddn <%= @ldap_dn %>
		5	bindpw <%= @ldap_password %>
		6	pam_login_attribute <%= @ldap_attribute %>


diff --git a/modules/role/templates/cryptoportfolio/postgresql_backup.conf.erb b/modules/role/templates/cryptoportfolio/postgresql_backup.conf.erb new file mode 100644 index 0000000..860089b --- /dev/null +++ b/modules/role/templates/cryptoportfolio/postgresql_backup.conf.erb
@@ -0,0 +1,5 @@
		1	listen_addresses= ''
		2	unix_socket_directories = '<%= @pg_path %>'
		3	data_directory = '<%= @pg_path %>'
		4	wal_level = logical
		5


diff --git a/modules/role/templates/cryptoportfolio/postgresql_backup@.service.erb b/modules/role/templates/cryptoportfolio/postgresql_backup@.service.erb new file mode 100644 index 0000000..245a1cb --- /dev/null +++ b/modules/role/templates/cryptoportfolio/postgresql_backup@.service.erb
@@ -0,0 +1,34 @@
		1	[Unit]
		2	Description=PostgreSQL database server
		3	After=network.target
		4
		5	[Service]
		6	Type=forking
		7	TimeoutSec=120
		8	User=postgres
		9	Group=postgres
		10
		11	Environment=PGROOT=<%= @mountpoint %>/%i/postgresql
		12
		13	SyslogIdentifier=postgres
		14	PIDFile=<%= @mountpoint %>/%i/postgresql/postmaster.pid
		15	RuntimeDirectory=postgresql
		16	RuntimeDirectoryMode=755
		17
		18	ExecStartPre=/usr/bin/postgresql-check-db-dir ${PGROOT}
		19	ExecStart= /usr/bin/pg_ctl -s -D ${PGROOT} start -w -t 120
		20	ExecReload=/usr/bin/pg_ctl -s -D ${PGROOT} reload
		21	ExecStop= /usr/bin/pg_ctl -s -D ${PGROOT} stop -m fast
		22
		23	# Due to PostgreSQL's use of shared memory, OOM killer is often overzealous in
		24	# killing Postgres, so adjust it downward
		25	OOMScoreAdjust=-200
		26
		27	# Additional security-related features
		28	PrivateTmp=true
		29	ProtectHome=true
		30	ProtectSystem=full
		31	NoNewPrivileges=true
		32
		33	[Install]
		34	WantedBy=multi-user.target