Refactor postgresql configuration

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2018-06-27 20:45:15 +0200
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2018-06-28 02:33:05 +0200
commit: c53ac3f84852a42aa8b7341ee7fe0a629d2e3579 (patch)
tree: 694c4790a8382fe7c5ed5a2033042c377999760b /modules/profile/manifests/postgresql
parent: f1d583bfdaf881116e5f9ca9e050307e7acdc28e (diff)
download: Puppet-c53ac3f84852a42aa8b7341ee7fe0a629d2e3579.tar.gz
Puppet-c53ac3f84852a42aa8b7341ee7fe0a629d2e3579.tar.zst
Puppet-c53ac3f84852a42aa8b7341ee7fe0a629d2e3579.zip
3 files changed, 161 insertions, 0 deletions
diff --git a/modules/profile/manifests/postgresql/pam_ldap.pp b/modules/profile/manifests/postgresql/pam_ldap.pp
new file mode 100644
index 0000000..f068245
--- /dev/null
+++ b/modules/profile/manifests/postgresql/pam_ldap.pp
@@ -0,0 +1,28 @@
+class profile::postgresql::pam_ldap (
+  String $pg_user = "postgres"
+) {
+  include "profile::pam_ldap"
+  $password_seed = lookup("base_installation::puppet_pass_seed")
+  $ldap_server = lookup("base_installation::ldap_server")
+  $ldap_base   = lookup("base_installation::ldap_base")
+  $ldap_dn     = lookup("base_installation::ldap_dn")
+  $ldap_password = generate_password(24, $password_seed, "ldap")
+  $ldap_attribute = "cn"
+  file { "/etc/pam_ldap.d/postgresql.conf":
+    ensure  => "present",
+    mode    => "0400",
+    owner   => $pg_user,
+    group   => "root",
+    content => template("profile/postgresql/pam_ldap_postgresql.conf.erb"),
+    require => File["/etc/pam_ldap.d"],
+  } ->
+  file { "/etc/pam.d/postgresql":
+    ensure => "present",
+    mode   => "0644",
+    owner  => "root",
+    group  => "root",
+    source => "puppet:///modules/profile/postgresql/pam_postgresql"
+  }
+}
diff --git a/modules/profile/manifests/postgresql/replication.pp b/modules/profile/manifests/postgresql/replication.pp
new file mode 100644
index 0000000..33b147f
--- /dev/null
+++ b/modules/profile/manifests/postgresql/replication.pp
@@ -0,0 +1,60 @@
+define profile::postgresql::replication (
+  Boolean $handle_role = false,
+  Boolean $add_self_role = false,
+  Boolean $handle_slot = false,
+) {
+  include "profile::postgresql::pam_ldap"
+  $host_cn = $title
+  $host_infos = find_host($facts["ldapvar"]["other"], $host_cn)
+  if empty($host_infos) {
+    fail("Unable to find host for replication")
+  }
+  ensure_resource("postgresql::server::config_entry", "wal_level", {
+    value => "logical",
+  })
+  $host_infos["ipHostNumber"].each |$ip| {
+    $infos = split($ip, "/")
+    $ipaddress = $infos[0]
+    if (length($infos) == 1 and $ipaddress =~ /:/) {
+      $mask = "128"
+    } elsif (length($infos) == 1) {
+      $mask = "32"
+    } else {
+      $mask = $infos[1]
+    }
+    postgresql::server::pg_hba_rule { "allow TCP access for replication to user $host_cn from $ipaddress/$mask":
+      type        => 'hostssl',
+      database    => 'replication',
+      user        => $host_cn,
+      address     => "$ipaddress/$mask",
+      auth_method => 'pam',
+      order       => "06-01",
+    }
+  }
+  if $handle_role {
+    postgresql::server::role { $host_cn:
+      replication => true,
+    }
+    if $add_self_role {
+      $ldap_cn = lookup("base_installation::ldap_cn")
+      # Needed to be replicated to the backup and be able to recover later
+      ensure_resource("postgresql::server::role", $ldap_cn, {
+        replication => true,
+      })
+    }
+  }
+  if $handle_slot {
+    postgresql_replication_slot { regsubst($host_cn, '-', "_", "G"):
+      ensure => present
+    }
+  }
+}
diff --git a/modules/profile/manifests/postgresql/ssl.pp b/modules/profile/manifests/postgresql/ssl.pp
new file mode 100644
index 0000000..e4da8af
--- /dev/null
+++ b/modules/profile/manifests/postgresql/ssl.pp
@@ -0,0 +1,73 @@
+define profile::postgresql::ssl (
+  Optional[String] $cert       = undef,
+  Optional[String] $key        = undef,
+  Optional[String] $certname   = undef,
+  Optional[Boolean] $copy_keys = true,
+  Optional[String] $pg_user    = $profile::postgresql::pg_user,
+  Optional[String] $pg_group   = $profile::postgresql::pg_user
+) {
+  $pg_dir  = $title
+  $datadir = "$pg_dir/data"
+  file { "$datadir/certs":
+    ensure  => directory,
+    mode    => "0700",
+    owner   => $pg_user,
+    group   => $pg_group,
+    require => File[$pg_dir],
+  }
+  if empty($cert) or empty($key) {
+    if empty($certname) {
+      fail("A certificate name is necessary to generate ssl certificate")
+    }
+    ssl::self_signed_certificate { $certname:
+      common_name  => $certname,
+      country      => "FR",
+      days         => "3650",
+      organization => "Immae",
+      owner        => $pg_user,
+      group        => $pg_group,
+      directory    => "$datadir/certs",
+    }
+    $ssl_key  = "$datadir/certs/$backup_host_cn.key"
+    $ssl_cert = "$datadir/certs/$backup_host_cn.crt"
+  } elsif $copy_keys {
+    $ssl_key  = "$datadir/certs/privkey.pem"
+    $ssl_cert = "$datadir/certs/cert.pem"
+    file { $ssl_cert:
+      source  => "file://$cert",
+      mode    => "0600",
+      links   => "follow",
+      owner   => $pg_user,
+      group   => $pg_group,
+      require => File["$datadir/certs"],
+    }
+    file { $ssl_key:
+      source  => "file://$key",
+      mode    => "0600",
+      links   => "follow",
+      owner   => $pg_user,
+      group   => $pg_group,
+      require => File["$datadir/certs"],
+    }
+  } else {
+    $ssl_key  = $key
+    $ssl_cert = $cert
+  }
+  postgresql::server::config_entry { "ssl":
+    value => "on",
+  }
+  postgresql::server::config_entry { "ssl_cert_file":
+    value => $ssl_cert,
+  }
+  postgresql::server::config_entry { "ssl_key_file":
+    value => $ssl_key,
+  }
+}
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2018-06-27 20:45:15 +0200
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2018-06-28 02:33:05 +0200
commit	c53ac3f84852a42aa8b7341ee7fe0a629d2e3579 (patch)
tree	694c4790a8382fe7c5ed5a2033042c377999760b /modules/profile/manifests/postgresql
parent	f1d583bfdaf881116e5f9ca9e050307e7acdc28e (diff)
download	Puppet-c53ac3f84852a42aa8b7341ee7fe0a629d2e3579.tar.gz Puppet-c53ac3f84852a42aa8b7341ee7fe0a629d2e3579.tar.zst Puppet-c53ac3f84852a42aa8b7341ee7fe0a629d2e3579.zip

diff --git a/modules/profile/manifests/postgresql/pam_ldap.pp b/modules/profile/manifests/postgresql/pam_ldap.pp new file mode 100644 index 0000000..f068245 --- /dev/null +++ b/modules/profile/manifests/postgresql/pam_ldap.pp
@@ -0,0 +1,28 @@
	1	class profile::postgresql::pam_ldap (
	2	String $pg_user = "postgres"
	3	) {
	4	include "profile::pam_ldap"
	5
	6	$password_seed = lookup("base_installation::puppet_pass_seed")
	7	$ldap_server = lookup("base_installation::ldap_server")
	8	$ldap_base = lookup("base_installation::ldap_base")
	9	$ldap_dn = lookup("base_installation::ldap_dn")
	10	$ldap_password = generate_password(24, $password_seed, "ldap")
	11	$ldap_attribute = "cn"
	12
	13	file { "/etc/pam_ldap.d/postgresql.conf":
	14	ensure => "present",
	15	mode => "0400",
	16	owner => $pg_user,
	17	group => "root",
	18	content => template("profile/postgresql/pam_ldap_postgresql.conf.erb"),
	19	require => File["/etc/pam_ldap.d"],
	20	} ->
	21	file { "/etc/pam.d/postgresql":
	22	ensure => "present",
	23	mode => "0644",
	24	owner => "root",
	25	group => "root",
	26	source => "puppet:///modules/profile/postgresql/pam_postgresql"
	27	}
	28	}


diff --git a/modules/profile/manifests/postgresql/replication.pp b/modules/profile/manifests/postgresql/replication.pp new file mode 100644 index 0000000..33b147f --- /dev/null +++ b/modules/profile/manifests/postgresql/replication.pp
@@ -0,0 +1,60 @@
	1	define profile::postgresql::replication (
	2	Boolean $handle_role = false,
	3	Boolean $add_self_role = false,
	4	Boolean $handle_slot = false,
	5	) {
	6	include "profile::postgresql::pam_ldap"
	7
	8	$host_cn = $title
	9	$host_infos = find_host($facts["ldapvar"]["other"], $host_cn)
	10
	11	if empty($host_infos) {
	12	fail("Unable to find host for replication")
	13	}
	14
	15	ensure_resource("postgresql::server::config_entry", "wal_level", {
	16	value => "logical",
	17	})
	18
	19	$host_infos["ipHostNumber"].each \|$ip\| {
	20	$infos = split($ip, "/")
	21	$ipaddress = $infos[0]
	22	if (length($infos) == 1 and $ipaddress =~ /:/) {
	23	$mask = "128"
	24	} elsif (length($infos) == 1) {
	25	$mask = "32"
	26	} else {
	27	$mask = $infos[1]
	28	}
	29
	30	postgresql::server::pg_hba_rule { "allow TCP access for replication to user $host_cn from $ipaddress/$mask":
	31	type => 'hostssl',
	32	database => 'replication',
	33	user => $host_cn,
	34	address => "$ipaddress/$mask",
	35	auth_method => 'pam',
	36	order => "06-01",
	37	}
	38	}
	39
	40	if $handle_role {
	41	postgresql::server::role { $host_cn:
	42	replication => true,
	43	}
	44
	45	if $add_self_role {
	46	$ldap_cn = lookup("base_installation::ldap_cn")
	47
	48	# Needed to be replicated to the backup and be able to recover later
	49	ensure_resource("postgresql::server::role", $ldap_cn, {
	50	replication => true,
	51	})
	52	}
	53	}
	54
	55	if $handle_slot {
	56	postgresql_replication_slot { regsubst($host_cn, '-', "_", "G"):
	57	ensure => present
	58	}
	59	}
	60	}


diff --git a/modules/profile/manifests/postgresql/ssl.pp b/modules/profile/manifests/postgresql/ssl.pp new file mode 100644 index 0000000..e4da8af --- /dev/null +++ b/modules/profile/manifests/postgresql/ssl.pp
@@ -0,0 +1,73 @@
	1	define profile::postgresql::ssl (
	2	Optional[String] $cert = undef,
	3	Optional[String] $key = undef,
	4	Optional[String] $certname = undef,
	5	Optional[Boolean] $copy_keys = true,
	6	Optional[String] $pg_user = $profile::postgresql::pg_user,
	7	Optional[String] $pg_group = $profile::postgresql::pg_user
	8	) {
	9	$pg_dir = $title
	10	$datadir = "$pg_dir/data"
	11
	12	file { "$datadir/certs":
	13	ensure => directory,
	14	mode => "0700",
	15	owner => $pg_user,
	16	group => $pg_group,
	17	require => File[$pg_dir],
	18	}
	19
	20	if empty($cert) or empty($key) {
	21	if empty($certname) {
	22	fail("A certificate name is necessary to generate ssl certificate")
	23	}
	24
	25	ssl::self_signed_certificate { $certname:
	26	common_name => $certname,
	27	country => "FR",
	28	days => "3650",
	29	organization => "Immae",
	30	owner => $pg_user,
	31	group => $pg_group,
	32	directory => "$datadir/certs",
	33	}
	34
	35	$ssl_key = "$datadir/certs/$backup_host_cn.key"
	36	$ssl_cert = "$datadir/certs/$backup_host_cn.crt"
	37	} elsif $copy_keys {
	38	$ssl_key = "$datadir/certs/privkey.pem"
	39	$ssl_cert = "$datadir/certs/cert.pem"
	40
	41	file { $ssl_cert:
	42	source => "file://$cert",
	43	mode => "0600",
	44	links => "follow",
	45	owner => $pg_user,
	46	group => $pg_group,
	47	require => File["$datadir/certs"],
	48	}
	49	file { $ssl_key:
	50	source => "file://$key",
	51	mode => "0600",
	52	links => "follow",
	53	owner => $pg_user,
	54	group => $pg_group,
	55	require => File["$datadir/certs"],
	56	}
	57	} else {
	58	$ssl_key = $key
	59	$ssl_cert = $cert
	60	}
	61
	62	postgresql::server::config_entry { "ssl":
	63	value => "on",
	64	}
	65
	66	postgresql::server::config_entry { "ssl_cert_file":
	67	value => $ssl_cert,
	68	}
	69
	70	postgresql::server::config_entry { "ssl_key_file":
	71	value => $ssl_key,
	72	}
	73	}