Merge branch 'cryptoportfolio'

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2018-02-18 01:13:35 +0100
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2018-02-18 01:13:35 +0100
commit: ee0a29d96bbc401d97819e5723a083d33c32bb17 (patch)
tree: 22ed4f129b32201e4f3e562d2f23cc45c5df5afb
parent: 28f9451daeac73f91b031470060c883008b4a363 (diff)
parent: 47d7d947ebc0da8bde02515a94d8205df47c944a (diff)
download: Puppet-ee0a29d96bbc401d97819e5723a083d33c32bb17.tar.gz
Puppet-ee0a29d96bbc401d97819e5723a083d33c32bb17.tar.zst
Puppet-ee0a29d96bbc401d97819e5723a083d33c32bb17.zip
7 files changed, 112 insertions, 1 deletions
diff --git a/.gitmodules b/.gitmodules
index fa48ebf..e380041 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -28,6 +28,9 @@
 [submodule "modules/pacman"]
        path = modules/pacman
        url = git://git.immae.eu/github/aboe76/puppet-pacman
+[submodule "modules/postgresql"]
+        path = modules/postgresql
+        url = git://git.immae.eu/github/puppetlabs/puppetlabs-postgresql.git
 [submodule "python/ovh"]
        path = python/ovh
        url = git://git.immae.eu/github/ovh/python-ovh
diff --git a/bin/generate_password b/bin/generate_password
new file mode 100755
index 0000000..9a2abb1
--- /dev/null
+++ b/bin/generate_password
@@ -0,0 +1,26 @@
+#!/bin/env ruby
+require "openssl"
+arguments = ARGV
+if arguments.size != 3
+  puts "generate_password <size> <seed_file> <password_key>"
+  exit
+end
+size = arguments.shift
+seed_file = arguments.shift
+password_key = arguments.shift
+size = size.to_i
+set = ('a' .. 'z').to_a + ('A' .. 'Z').to_a + ('0' .. '9').to_a
+key = "#{File.open(seed_file).read}:#{password_key}"
+password = size.times.collect do |i|
+  set[OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), key, i.to_s).to_i(16) % set.size]
+end.join
+puts password
diff --git a/environments/production/data/roles/cryptoportfolio.yaml b/environments/production/data/roles/cryptoportfolio.yaml
new file mode 100644
index 0000000..da46382
--- /dev/null
+++ b/environments/production/data/roles/cryptoportfolio.yaml
@@ -0,0 +1,3 @@
+---
+classes:
+  role::cryptoportfolio: ~
diff --git a/modules/base_installation/files/cronie/puppet-post-merge b/modules/base_installation/files/cronie/puppet-post-merge
index ac5e3ff..35fa2d7 100644
--- a/modules/base_installation/files/cronie/puppet-post-merge
+++ b/modules/base_installation/files/cronie/puppet-post-merge
@@ -1,7 +1,7 @@
 #!/bin/bash
 ## Run Puppet locally using puppet apply
 git submodule update --init
-/usr/bin/puppet apply `pwd`/manifests/site.pp
+/usr/bin/puppet apply --test `pwd`/manifests/site.pp
 ## Log status of the Puppet run
 if [ $? -eq 0 ]
diff --git a/modules/postgresql b/modules/postgresql
new file mode 160000
+Subproject 52ea030ad94397ba0d066c36c3028a255341f9f
diff --git a/modules/profile/manifests/postgresql.pp b/modules/profile/manifests/postgresql.pp
new file mode 100644
index 0000000..50e510e
--- /dev/null
+++ b/modules/profile/manifests/postgresql.pp
@@ -0,0 +1,65 @@
+class profile::postgresql {
+  $password_seed = lookup("base_installation::puppet_pass_seed") |$key| { {} }
+  class { '::postgresql::globals':
+    encoding             => 'UTF-8',
+    locale               => 'en_US.UTF-8',
+    pg_hba_conf_defaults => false,
+  }
+  # FIXME: get it from the postgresql module?
+  $pg_user = "postgres"
+  class { '::postgresql::client': }
+  # FIXME: postgresql module is buggy and doesn't create dir?
+  file { "/var/lib/postgres":
+    ensure  => directory,
+    owner   => $pg_user,
+    group   => $pg_user,
+    before  => File["/var/lib/postgres/data"],
+    require => Package["postgresql-server"],
+  }
+  class { '::postgresql::server':
+    postgres_password => generate_password(24, $password_seed, "postgres")
+  }
+  postgresql::server::pg_hba_rule { 'local access as postgres user':
+    description => 'Allow local access to postgres user',
+    type        => 'local',
+    database    => 'all',
+    user        => $pg_user,
+    auth_method => 'ident',
+    order       => "a1",
+  }
+  postgresql::server::pg_hba_rule { 'deny access to postgresql user':
+    description => 'Deny remote access to postgres user',
+    type        => 'host',
+    database    => 'all',
+    user        => $pg_user,
+    address     => "0.0.0.0/0",
+    auth_method => 'reject',
+    order       => "a2",
+  }
+  postgresql::server::pg_hba_rule { 'local access':
+    description => 'Allow local access with password',
+    type        => 'local',
+    database    => 'all',
+    user        => 'all',
+    auth_method => 'md5',
+    order       => "b1",
+  }
+  postgresql::server::pg_hba_rule { 'local access with same name':
+    description => 'Allow local access with same name',
+    type        => 'local',
+    database    => 'all',
+    user        => 'all',
+    auth_method => 'ident',
+    order       => "b2",
+  }
+}
diff --git a/modules/role/manifests/cryptoportfolio.pp b/modules/role/manifests/cryptoportfolio.pp
new file mode 100644
index 0000000..2755fee
--- /dev/null
+++ b/modules/role/manifests/cryptoportfolio.pp
@@ -0,0 +1,14 @@
+class role::cryptoportfolio {
+  include "base_installation"
+  include "profile::postgresql"
+  $password_seed = lookup("base_installation::puppet_pass_seed") |$key| { {} }
+  postgresql::server::db { 'cryptoportfolio':
+    user =>  'cryptoportfolio',
+    password =>  postgresql_password('cryptoportfolio', generate_password(24, $password_seed, "postgres_cryptoportfolio")),
+  }
+  ensure_packages("go")
+}
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2018-02-18 01:13:35 +0100
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2018-02-18 01:13:35 +0100
commit	ee0a29d96bbc401d97819e5723a083d33c32bb17 (patch)
tree	22ed4f129b32201e4f3e562d2f23cc45c5df5afb
parent	28f9451daeac73f91b031470060c883008b4a363 (diff)
parent	47d7d947ebc0da8bde02515a94d8205df47c944a (diff)
download	Puppet-ee0a29d96bbc401d97819e5723a083d33c32bb17.tar.gz Puppet-ee0a29d96bbc401d97819e5723a083d33c32bb17.tar.zst Puppet-ee0a29d96bbc401d97819e5723a083d33c32bb17.zip

diff --git a/.gitmodules b/.gitmodules index fa48ebf..e380041 100644 --- a/.gitmodules +++ b/.gitmodules
@@ -28,6 +28,9 @@
28	[submodule "modules/pacman"]	28	[submodule "modules/pacman"]
29	path = modules/pacman	29	path = modules/pacman
30	url = git://git.immae.eu/github/aboe76/puppet-pacman	30	url = git://git.immae.eu/github/aboe76/puppet-pacman
		31	[submodule "modules/postgresql"]
		32	path = modules/postgresql
		33	url = git://git.immae.eu/github/puppetlabs/puppetlabs-postgresql.git
31	[submodule "python/ovh"]	34	[submodule "python/ovh"]
32	path = python/ovh	35	path = python/ovh
33	url = git://git.immae.eu/github/ovh/python-ovh	36	url = git://git.immae.eu/github/ovh/python-ovh


diff --git a/bin/generate_password b/bin/generate_password new file mode 100755 index 0000000..9a2abb1 --- /dev/null +++ b/bin/generate_password
@@ -0,0 +1,26 @@
		1	#!/bin/env ruby
		2
		3	require "openssl"
		4
		5	arguments = ARGV
		6
		7	if arguments.size != 3
		8	puts "generate_password <size> <seed_file> <password_key>"
		9	exit
		10	end
		11
		12	size = arguments.shift
		13	seed_file = arguments.shift
		14	password_key = arguments.shift
		15
		16	size = size.to_i
		17
		18	set = ('a' .. 'z').to_a + ('A' .. 'Z').to_a + ('0' .. '9').to_a
		19
		20	key = "#{File.open(seed_file).read}:#{password_key}"
		21
		22	password = size.times.collect do \|i\|
		23	set[OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), key, i.to_s).to_i(16) % set.size]
		24	end.join
		25
		26	puts password


diff --git a/environments/production/data/roles/cryptoportfolio.yaml b/environments/production/data/roles/cryptoportfolio.yaml new file mode 100644 index 0000000..da46382 --- /dev/null +++ b/environments/production/data/roles/cryptoportfolio.yaml
@@ -0,0 +1,3 @@
		1	---
		2	classes:
		3	role::cryptoportfolio: ~


diff --git a/modules/base_installation/files/cronie/puppet-post-merge b/modules/base_installation/files/cronie/puppet-post-merge index ac5e3ff..35fa2d7 100644 --- a/modules/base_installation/files/cronie/puppet-post-merge +++ b/modules/base_installation/files/cronie/puppet-post-merge
@@ -1,7 +1,7 @@
1	#!/bin/bash	1	#!/bin/bash
2	## Run Puppet locally using puppet apply	2	## Run Puppet locally using puppet apply
3	git submodule update --init	3	git submodule update --init
4	/usr/bin/puppet apply `pwd`/manifests/site.pp	4	/usr/bin/puppet apply --test `pwd`/manifests/site.pp
5		5
6	## Log status of the Puppet run	6	## Log status of the Puppet run
7	if [ $? -eq 0 ]	7	if [ $? -eq 0 ]


diff --git a/modules/postgresql b/modules/postgresql new file mode 160000
			Subproject 52ea030ad94397ba0d066c36c3028a255341f9f


diff --git a/modules/profile/manifests/postgresql.pp b/modules/profile/manifests/postgresql.pp new file mode 100644 index 0000000..50e510e --- /dev/null +++ b/modules/profile/manifests/postgresql.pp
@@ -0,0 +1,65 @@
		1	class profile::postgresql {
		2	$password_seed = lookup("base_installation::puppet_pass_seed") \|$key\| { {} }
		3
		4	class { '::postgresql::globals':
		5	encoding => 'UTF-8',
		6	locale => 'en_US.UTF-8',
		7	pg_hba_conf_defaults => false,
		8	}
		9
		10	# FIXME: get it from the postgresql module?
		11	$pg_user = "postgres"
		12
		13	class { '::postgresql::client': }
		14
		15	# FIXME: postgresql module is buggy and doesn't create dir?
		16	file { "/var/lib/postgres":
		17	ensure => directory,
		18	owner => $pg_user,
		19	group => $pg_user,
		20	before => File["/var/lib/postgres/data"],
		21	require => Package["postgresql-server"],
		22	}
		23
		24	class { '::postgresql::server':
		25	postgres_password => generate_password(24, $password_seed, "postgres")
		26	}
		27
		28	postgresql::server::pg_hba_rule { 'local access as postgres user':
		29	description => 'Allow local access to postgres user',
		30	type => 'local',
		31	database => 'all',
		32	user => $pg_user,
		33	auth_method => 'ident',
		34	order => "a1",
		35	}
		36	postgresql::server::pg_hba_rule { 'deny access to postgresql user':
		37	description => 'Deny remote access to postgres user',
		38	type => 'host',
		39	database => 'all',
		40	user => $pg_user,
		41	address => "0.0.0.0/0",
		42	auth_method => 'reject',
		43	order => "a2",
		44	}
		45
		46	postgresql::server::pg_hba_rule { 'local access':
		47	description => 'Allow local access with password',
		48	type => 'local',
		49	database => 'all',
		50	user => 'all',
		51	auth_method => 'md5',
		52	order => "b1",
		53	}
		54
		55	postgresql::server::pg_hba_rule { 'local access with same name':
		56	description => 'Allow local access with same name',
		57	type => 'local',
		58	database => 'all',
		59	user => 'all',
		60	auth_method => 'ident',
		61	order => "b2",
		62	}
		63
		64	}
		65


diff --git a/modules/role/manifests/cryptoportfolio.pp b/modules/role/manifests/cryptoportfolio.pp new file mode 100644 index 0000000..2755fee --- /dev/null +++ b/modules/role/manifests/cryptoportfolio.pp
@@ -0,0 +1,14 @@
		1	class role::cryptoportfolio {
		2	include "base_installation"
		3
		4	include "profile::postgresql"
		5
		6	$password_seed = lookup("base_installation::puppet_pass_seed") \|$key\| { {} }
		7
		8	postgresql::server::db { 'cryptoportfolio':
		9	user => 'cryptoportfolio',
		10	password => postgresql_password('cryptoportfolio', generate_password(24, $password_seed, "postgres_cryptoportfolio")),
		11	}
		12
		13	ensure_packages("go")
		14	}