Merge branch 'refactoring' into dev

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2018-06-28 12:17:40 +0200
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2018-06-28 12:17:40 +0200
commit: 0a145a25c0a8cbcd50d515d2a828bd6665836ddb (patch)
tree: c6e3832098d19917b0ba0bcbe119103c632c7d29 /modules/profile/manifests/postgresql
parent: f1d583bfdaf881116e5f9ca9e050307e7acdc28e (diff)
parent: 3925777d9715d271c0643faef9f520e7816dba89 (diff)
download: Puppet-0a145a25c0a8cbcd50d515d2a828bd6665836ddb.tar.gz
Puppet-0a145a25c0a8cbcd50d515d2a828bd6665836ddb.tar.zst
Puppet-0a145a25c0a8cbcd50d515d2a828bd6665836ddb.zip
9 files changed, 589 insertions, 0 deletions
diff --git a/modules/profile/manifests/postgresql/backup_dump.pp b/modules/profile/manifests/postgresql/backup_dump.pp
new file mode 100644
index 0000000..10e349a
--- /dev/null
+++ b/modules/profile/manifests/postgresql/backup_dump.pp
@@ -0,0 +1,53 @@
+define profile::postgresql::backup_dump (
+  String $pg_user  = "postgres",
+  String $pg_group = "postgres",
+) {
+  $base_path        = $title
+  $pg_path          = "$base_path/postgresql"
+  $pg_backup_path   = "$base_path/postgresql_backup"
+  $pg_host          = split($base_path, "/")[-1]
+  ensure_packages(["python", "python-pip"])
+  ensure_resource("package", "pylog2rotate", {
+    source   => "git+https://github.com/avian2/pylog2rotate",
+    ensure   => present,
+    provider => "pip3",
+    require  => Package["python-pip"],
+  })
+  file { $pg_backup_path:
+    ensure  => directory,
+    owner   => $pg_user,
+    group   => $pg_group,
+    mode    => "0700",
+    require => File[$base_path],
+  }
+  cron::job::multiple { "backup_psql_$pg_host":
+    ensure  => "present",
+    require => [File[$pg_backup_path], File[$pg_path]],
+    jobs    => [
+      {
+        command     => "/usr/bin/pg_dumpall -h $pg_path -f $pg_backup_path/\$(date -Iseconds).sql",
+        user        => $pg_user,
+        hour        => "22,4,10,16",
+        minute      => 0,
+        description => "Backup the database",
+      },
+      {
+        command     => "/usr/bin/rm -f $(ls -1 $pg_backup_path/*.sql | grep -v 'T22:' | sort -r | sed -e '1,12d')",
+        user        => $pg_user,
+        hour        => 3,
+        minute      => 0,
+        description => "Cleanup the database backups",
+      },
+      {
+        command     => "cd $pg_backup_path ; /usr/bin/rm -f $(ls -1 *T22*.sql | log2rotate --skip 7 --fuzz 7 --delete --format='%Y-%m-%dT%H:%M:%S+02:00.sql')",
+        user        => $pg_user,
+        hour        => 3,
+        minute      => 1,
+        description => "Cleanup the database backups exponentially",
+      },
+    ]
+  }
+}
diff --git a/modules/profile/manifests/postgresql/backup_pgbouncer.pp b/modules/profile/manifests/postgresql/backup_pgbouncer.pp
new file mode 100644
index 0000000..45b8ed5
--- /dev/null
+++ b/modules/profile/manifests/postgresql/backup_pgbouncer.pp
@@ -0,0 +1,92 @@
+define profile::postgresql::backup_pgbouncer (
+  String $base_path,
+  Hash   $pg_infos,
+  String $pg_user  = "postgres",
+  String $pg_group = "postgres",
+) {
+  include "profile::postgresql::pam_ldap_pgbouncer"
+  ensure_packages(["pgbouncer"])
+  $host_cn = $title
+  $host = find_host($facts["ldapvar"]["other"], $host_cn)
+  if empty($host) {
+    fail("No host found for pgbouncer")
+  } elsif has_key($host["vars"], "host") {
+    $pg_backup_host = $host["vars"]["host"][0]
+  } else {
+    $pg_backup_host = $host["vars"]["real_hostname"][0]
+  }
+  $pg_path = "$base_path/$pg_backup_host/postgresql"
+  if has_key($host["vars"], "postgresql_backup_port") {
+    $pg_port = " port=${host[vars][postgresql_backup_port][0]}"
+  } else {
+    $pg_port = ""
+  }
+  # Config
+  ensure_resource("concat", "/etc/pgbouncer/pgbouncer.ini", {
+    mode           => "0644",
+    owner          => "root",
+    group          => "root",
+    ensure_newline => true,
+    notify         => Service["pgbouncer"],
+    before         => Service["pgbouncer"],
+  })
+  ensure_resource("concat::fragment", "pgbouncer_head", {
+    target => "/etc/pgbouncer/pgbouncer.ini",
+    order  => 01,
+    source => "puppet:///modules/profile/postgresql/pgbouncer_head.ini",
+  })
+  concat::fragment { "pgbouncer_$pg_backup_host":
+    target  => "/etc/pgbouncer/pgbouncer.ini",
+    order   => 02,
+    content => "${pg_infos[pgbouncer_dbname]} = host=$pg_path$pg_port user=${pg_infos[dbuser]} dbname=${pg_infos[dbname]}",
+  }
+  # pg_hba for accessed cluster
+  postgresql::server::pg_hba_rule { "$pg_backup_host - local access as ${pg_infos[dbuser]} user":
+    description => "Allow local access to ${pg_infos[dbuser]} user",
+    type        => 'local',
+    database    => $pg_infos["dbname"],
+    user        => $pg_infos["dbuser"],
+    auth_method => 'trust',
+    order       => "01-00",
+    target      => "$pg_path/pg_hba.conf",
+    postgresql_version => "10",
+  }
+  # service
+  ensure_resource("file", "/etc/systemd/system/pgbouncer.service.d", {
+    ensure => "directory",
+    mode   => "0644",
+    owner  => "root",
+    group  => "root",
+  })
+  ensure_resource("file", "/etc/systemd/system/pgbouncer.service.d/override.conf", {
+    ensure  => "present",
+    mode    => "0644",
+    owner   => "root",
+    group   => "root",
+    content => "[Service]\nUser=\nUser=$pg_user\n",
+    notify  => Service["pgbouncer"],
+    before  => Service["pgbouncer"],
+  })
+  ensure_resource("service", "pgbouncer", {
+    ensure  => "running",
+    enable  => true,
+    require => [
+      Package["pgbouncer"],
+      File["/etc/systemd/system/pgbouncer.service.d/override.conf"],
+      Concat["/etc/pgbouncer/pgbouncer.ini"]
+    ],
+  })
+}
diff --git a/modules/profile/manifests/postgresql/backup_replication.pp b/modules/profile/manifests/postgresql/backup_replication.pp
new file mode 100644
index 0000000..a4edb8f
--- /dev/null
+++ b/modules/profile/manifests/postgresql/backup_replication.pp
@@ -0,0 +1,135 @@
+define profile::postgresql::backup_replication (
+  String $base_path,
+  Hash   $pg_infos,
+  String $pg_user  = "postgres",
+  String $pg_group = "postgres",
+) {
+  $host_cn = $title
+  $host = find_host($facts["ldapvar"]["other"], $host_cn)
+  if empty($host) {
+    $pg_backup_host = $host_cn
+  } elsif has_key($host["vars"], "host") {
+    $pg_backup_host = $host["vars"]["host"][0]
+  } else {
+    $pg_backup_host = $host["vars"]["real_hostname"][0]
+  }
+  $pg_path = "$base_path/$pg_backup_host/postgresql"
+  # Replication folder
+  ensure_resource("file", "$base_path/$pg_backup_host", {
+    ensure => directory,
+  })
+  file { $pg_path:
+    ensure  => directory,
+    owner   => $pg_user,
+    group   => $pg_group,
+    mode    => "0700",
+    require => File["$base_path/$pg_backup_host"],
+  }
+  # pg_hba.conf
+  profile::postgresql::base_pg_hba_rules { $pg_backup_host:
+    pg_path => $pg_path
+  }
+  # postgresql.conf file and ssl
+  concat { "$pg_path/postgresql.conf":
+    owner => $pg_user,
+    group => $pg_group,
+    mode  => '0640',
+    warn  => true,
+  }
+  if !empty($host) and has_key($host["vars"], "postgresql_backup_port") {
+    $pg_listen_port = $host["vars"]["postgresql_backup_port"][0]
+    profile::postgresql::ssl { $pg_path:
+      certname             => $host_cn,
+      handle_concat_config => true,
+      before               => Service["postgresql_backup@$pg_backup_host"]
+    }
+    concat::fragment { "$pg_path/postgresql.conf listen":
+      target  => "$pg_path/postgresql.conf",
+      content => "listen_addresses = '*'\nport = $pg_listen_port\n",
+    }
+    profile::postgresql::replication { $host_cn:
+      target => "$pg_path/pg_hba.conf",
+    }
+  } else {
+    concat::fragment { "$pg_path/postgresql.conf listen":
+      target  => "$pg_path/postgresql.conf",
+      content => "listen_addresses = ''\n",
+    }
+  }
+  concat::fragment { "$pg_path/postgresql.conf paths":
+    target  => "$pg_path/postgresql.conf",
+    content => "unix_socket_directories = '$pg_path'\ndata_directory = '$pg_path'\nwal_level = logical\n",
+  }
+  $password_seed = lookup("base_installation::puppet_pass_seed")
+  $pg_host = $pg_backup_host
+  $pg_port = $pg_infos["dbport"]
+  $ldap_cn = lookup("base_installation::ldap_cn")
+  $ldap_password = generate_password(24, $password_seed, "ldap")
+  $pg_slot = regsubst($ldap_cn, '-', "_", "G")
+  # recovery.conf file
+  $primary_conninfo  = "host=$pg_host port=$pg_port user=$ldap_cn password=$ldap_password sslmode=require"
+  $primary_slot_name = $pg_slot
+  $standby_mode      = "on"
+  file { "$pg_path/recovery.conf":
+    owner   => $pg_user,
+    group   => $pg_group,
+    mode    => '0640',
+    content => template('postgresql/recovery.conf.erb'),
+  }
+  # Initial replication
+  exec { "pg_basebackup $pg_path":
+    cwd         => $pg_path,
+    user        => $pg_user,
+    creates     => "$pg_path/PG_VERSION",
+    environment => ["PGPASSWORD=$ldap_password"],
+    command     => "/usr/bin/pg_basebackup -w -h $pg_host -p $pg_port -U $ldap_cn -D $pg_path -S $pg_slot",
+    before      => [
+      Concat["$pg_path/pg_hba.conf"],
+      File["$pg_path/recovery.conf"],
+      Concat["$pg_path/postgresql.conf"],
+    ]
+  }
+  # Service
+  ensure_resource("file", "/etc/systemd/system/postgresql_backup@.service", {
+    mode    => "0644",
+    owner   => "root",
+    group   => "root",
+    content => template("profile/postgresql/postgresql_backup@.service.erb"),
+  })
+  service { "postgresql_backup@$pg_backup_host":
+    enable  => true,
+    ensure  => "running",
+    require => [
+      File["/etc/systemd/system/postgresql_backup@.service"],
+      Concat["$pg_path/pg_hba.conf"],
+      File["$pg_path/recovery.conf"],
+      Concat["$pg_path/postgresql.conf"],
+    ],
+    subscribe => [
+      Concat["$pg_path/pg_hba.conf"],
+      File["$pg_path/recovery.conf"],
+      Concat["$pg_path/postgresql.conf"],
+    ]
+  }
+  # Dumps
+  profile::postgresql::backup_dump { "$base_path/$pg_backup_host": }
+}
diff --git a/modules/profile/manifests/postgresql/base_pg_hba_rules.pp b/modules/profile/manifests/postgresql/base_pg_hba_rules.pp
new file mode 100644
index 0000000..07c4bb6
--- /dev/null
+++ b/modules/profile/manifests/postgresql/base_pg_hba_rules.pp
@@ -0,0 +1,74 @@
+define profile::postgresql::base_pg_hba_rules (
+  Optional[String] $pg_path  = undef,
+  String           $pg_user  = "postgres",
+  String           $pg_group = "postgres",
+) {
+  unless empty($pg_path) {
+    concat { "$pg_path/pg_hba.conf":
+      owner   => $pg_user,
+      group   => $pg_group,
+      mode    => '0640',
+      warn    => true,
+      require => File[$pg_path],
+    }
+    Postgresql::Server::Pg_hba_rule {
+      target             => "$pg_path/pg_hba.conf",
+      postgresql_version => "10",
+    }
+  }
+  postgresql::server::pg_hba_rule { "$title - local access as postgres user":
+    description => 'Allow local access to postgres user',
+    type        => 'local',
+    database    => 'all',
+    user        => $pg_user,
+    auth_method => 'ident',
+    order       => "00-01",
+  }
+  postgresql::server::pg_hba_rule { "$title - localhost access as postgres user":
+    description => 'Allow localhost access to postgres user',
+    type        => 'host',
+    database    => 'all',
+    user        => $pg_user,
+    address     => "127.0.0.1/32",
+    auth_method => 'md5',
+    order       => "00-02",
+  }
+  postgresql::server::pg_hba_rule { "$title - localhost ip6 access as postgres user":
+    description => 'Allow localhost access to postgres user',
+    type        => 'host',
+    database    => 'all',
+    user        => $pg_user,
+    address     => "::1/128",
+    auth_method => 'md5',
+    order       => "00-03",
+  }
+  postgresql::server::pg_hba_rule { "$title - deny access to postgresql user":
+    description => 'Deny remote access to postgres user',
+    type        => 'host',
+    database    => 'all',
+    user        => $pg_user,
+    address     => "0.0.0.0/0",
+    auth_method => 'reject',
+    order       => "00-04",
+  }
+  postgresql::server::pg_hba_rule { "$title - local access":
+    description => 'Allow local access with password',
+    type        => 'local',
+    database    => 'all',
+    user        => 'all',
+    auth_method => 'md5',
+    order       => "10-01",
+  }
+  postgresql::server::pg_hba_rule { "$title - local access with same name":
+    description => 'Allow local access with same name',
+    type        => 'local',
+    database    => 'all',
+    user        => 'all',
+    auth_method => 'ident',
+    order       => "10-02",
+  }
+}
diff --git a/modules/profile/manifests/postgresql/master.pp b/modules/profile/manifests/postgresql/master.pp
new file mode 100644
index 0000000..969905f
--- /dev/null
+++ b/modules/profile/manifests/postgresql/master.pp
@@ -0,0 +1,20 @@
+define profile::postgresql::master (
+  $letsencrypt_host = undef,
+  $backup_hosts     = [],
+) {
+  profile::postgresql::ssl { "/var/lib/postgres/data":
+    cert                => "/etc/letsencrypt/live/$letsencrypt_host/cert.pem",
+    key                 => "/etc/letsencrypt/live/$letsencrypt_host/privkey.pem",
+    require             => Letsencrypt::Certonly[$letsencrypt_host],
+    handle_config_entry => true,
+  }
+  $backup_hosts.each |$backup_host| {
+    profile::postgresql::replication { $backup_host:
+      handle_config => true,
+      handle_role   => true,
+      handle_slot   => true,
+      add_self_role => true,
+    }
+  }
+}
diff --git a/modules/profile/manifests/postgresql/pam_ldap.pp b/modules/profile/manifests/postgresql/pam_ldap.pp
new file mode 100644
index 0000000..f068245
--- /dev/null
+++ b/modules/profile/manifests/postgresql/pam_ldap.pp
@@ -0,0 +1,28 @@
+class profile::postgresql::pam_ldap (
+  String $pg_user = "postgres"
+) {
+  include "profile::pam_ldap"
+  $password_seed = lookup("base_installation::puppet_pass_seed")
+  $ldap_server = lookup("base_installation::ldap_server")
+  $ldap_base   = lookup("base_installation::ldap_base")
+  $ldap_dn     = lookup("base_installation::ldap_dn")
+  $ldap_password = generate_password(24, $password_seed, "ldap")
+  $ldap_attribute = "cn"
+  file { "/etc/pam_ldap.d/postgresql.conf":
+    ensure  => "present",
+    mode    => "0400",
+    owner   => $pg_user,
+    group   => "root",
+    content => template("profile/postgresql/pam_ldap_postgresql.conf.erb"),
+    require => File["/etc/pam_ldap.d"],
+  } ->
+  file { "/etc/pam.d/postgresql":
+    ensure => "present",
+    mode   => "0644",
+    owner  => "root",
+    group  => "root",
+    source => "puppet:///modules/profile/postgresql/pam_postgresql"
+  }
+}
diff --git a/modules/profile/manifests/postgresql/pam_ldap_pgbouncer.pp b/modules/profile/manifests/postgresql/pam_ldap_pgbouncer.pp
new file mode 100644
index 0000000..67714f2
--- /dev/null
+++ b/modules/profile/manifests/postgresql/pam_ldap_pgbouncer.pp
@@ -0,0 +1,33 @@
+class profile::postgresql::pam_ldap_pgbouncer (
+  String $pg_user = "postgres"
+) {
+  include "profile::pam_ldap"
+  $password_seed = lookup("base_installation::puppet_pass_seed")
+  $ldap_server = lookup("base_installation::ldap_server")
+  $ldap_base   = lookup("base_installation::ldap_base")
+  $ldap_dn     = lookup("base_installation::ldap_dn")
+  $ldap_password = generate_password(24, $password_seed, "ldap")
+  $ldap_attribute = "uid"
+  $ldap_filter = lookup("role::backup::postgresql::pgbouncer_access_filter", { "default_value" => undef })
+  if empty($ldap_filter) {
+    fail("need ldap filter for pgbouncer")
+  }
+  file { "/etc/pam_ldap.d/pgbouncer.conf":
+    ensure  => "present",
+    mode    => "0600",
+    owner   => $pg_user,
+    group   => "root",
+    content => template("profile/postgresql/pam_ldap_pgbouncer.conf.erb"),
+    require => File["/etc/pam_ldap.d"],
+  } ->
+  file { "/etc/pam.d/pgbouncer":
+    ensure => "present",
+    mode   => "0644",
+    owner  => "root",
+    group  => "root",
+    source => "puppet:///modules/profile/postgresql/pam_pgbouncer"
+  }
+}
diff --git a/modules/profile/manifests/postgresql/replication.pp b/modules/profile/manifests/postgresql/replication.pp
new file mode 100644
index 0000000..2fcb71c
--- /dev/null
+++ b/modules/profile/manifests/postgresql/replication.pp
@@ -0,0 +1,72 @@
+define profile::postgresql::replication (
+  Boolean          $handle_role   = false,
+  Boolean          $handle_config = false,
+  Boolean          $add_self_role = false,
+  Boolean          $handle_slot   = false,
+  Optional[String] $target        = undef,
+) {
+  include "profile::postgresql::pam_ldap"
+  $host_cn = $title
+  $host_infos = find_host($facts["ldapvar"]["other"], $host_cn)
+  if empty($host_infos) {
+    fail("Unable to find host for replication")
+  }
+  if empty($target) {
+    $pg_version = undef
+  } else {
+    $pg_version = "10"
+  }
+  $host_infos["ipHostNumber"].each |$ip| {
+    $infos = split($ip, "/")
+    $ipaddress = $infos[0]
+    if (length($infos) == 1 and $ipaddress =~ /:/) {
+      $mask = "128"
+    } elsif (length($infos) == 1) {
+      $mask = "32"
+    } else {
+      $mask = $infos[1]
+    }
+    postgresql::server::pg_hba_rule { "allow TCP access for replication to user $host_cn from $ipaddress/$mask":
+      type               => 'hostssl',
+      database           => 'replication',
+      user               => $host_cn,
+      address            => "$ipaddress/$mask",
+      auth_method        => 'pam',
+      order              => "06-01",
+      target             => $target,
+      postgresql_version => $pg_version,
+    }
+  }
+  if $handle_config {
+    ensure_resource("postgresql::server::config_entry", "wal_level", {
+      value => "logical",
+    })
+  }
+  if $handle_role {
+    postgresql::server::role { $host_cn:
+      replication => true,
+    }
+    if $add_self_role {
+      $ldap_cn = lookup("base_installation::ldap_cn")
+      # Needed to be replicated to the backup and be able to recover later
+      ensure_resource("postgresql::server::role", $ldap_cn, {
+        replication => true,
+      })
+    }
+  }
+  if $handle_slot {
+    postgresql_replication_slot { regsubst($host_cn, '-', "_", "G"):
+      ensure => present
+    }
+  }
+}
diff --git a/modules/profile/manifests/postgresql/ssl.pp b/modules/profile/manifests/postgresql/ssl.pp
new file mode 100644
index 0000000..dc56c0b
--- /dev/null
+++ b/modules/profile/manifests/postgresql/ssl.pp
@@ -0,0 +1,82 @@
+define profile::postgresql::ssl (
+  Optional[String]  $cert                 = undef,
+  Optional[String]  $key                  = undef,
+  Optional[String]  $certname             = undef,
+  Optional[Boolean] $copy_keys            = true,
+  Optional[Boolean] $handle_config_entry  = false,
+  Optional[Boolean] $handle_concat_config = false,
+  Optional[String]  $pg_user              = "postgres",
+  Optional[String]  $pg_group             = "postgres",
+) {
+  $datadir = $title
+  file { "$datadir/certs":
+    ensure  => directory,
+    mode    => "0700",
+    owner   => $pg_user,
+    group   => $pg_group,
+    require => File[$datadir],
+  }
+  if empty($cert) or empty($key) {
+    if empty($certname) {
+      fail("A certificate name is necessary to generate ssl certificate")
+    }
+    ssl::self_signed_certificate { $certname:
+      common_name  => $certname,
+      country      => "FR",
+      days         => "3650",
+      organization => "Immae",
+      owner        => $pg_user,
+      group        => $pg_group,
+      directory    => "$datadir/certs",
+    }
+    $ssl_key  = "$datadir/certs/$certname.key"
+    $ssl_cert = "$datadir/certs/$certname.crt"
+  } elsif $copy_keys {
+    $ssl_key  = "$datadir/certs/privkey.pem"
+    $ssl_cert = "$datadir/certs/cert.pem"
+    file { $ssl_cert:
+      source  => "file://$cert",
+      mode    => "0600",
+      links   => "follow",
+      owner   => $pg_user,
+      group   => $pg_group,
+      require => File["$datadir/certs"],
+    }
+    file { $ssl_key:
+      source  => "file://$key",
+      mode    => "0600",
+      links   => "follow",
+      owner   => $pg_user,
+      group   => $pg_group,
+      require => File["$datadir/certs"],
+    }
+  } else {
+    $ssl_key  = $key
+    $ssl_cert = $cert
+  }
+  if $handle_config_entry {
+    postgresql::server::config_entry { "ssl":
+      value => "on",
+    }
+    postgresql::server::config_entry { "ssl_cert_file":
+      value => $ssl_cert,
+    }
+    postgresql::server::config_entry { "ssl_key_file":
+      value => $ssl_key,
+    }
+  } elsif $handle_concat_config {
+    concat::fragment { "$datadir/postgresql.conf ssl config":
+      target  => "$datadir/postgresql.conf",
+      content => "ssl = on\nssl_key_file = '$ssl_key'\nssl_cert_file = '$ssl_cert'\n"
+    }
+  }
+}
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2018-06-28 12:17:40 +0200
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2018-06-28 12:17:40 +0200
commit	0a145a25c0a8cbcd50d515d2a828bd6665836ddb (patch)
tree	c6e3832098d19917b0ba0bcbe119103c632c7d29 /modules/profile/manifests/postgresql
parent	f1d583bfdaf881116e5f9ca9e050307e7acdc28e (diff)
parent	3925777d9715d271c0643faef9f520e7816dba89 (diff)
download	Puppet-0a145a25c0a8cbcd50d515d2a828bd6665836ddb.tar.gz Puppet-0a145a25c0a8cbcd50d515d2a828bd6665836ddb.tar.zst Puppet-0a145a25c0a8cbcd50d515d2a828bd6665836ddb.zip

diff --git a/modules/profile/manifests/postgresql/backup_dump.pp b/modules/profile/manifests/postgresql/backup_dump.pp new file mode 100644 index 0000000..10e349a --- /dev/null +++ b/modules/profile/manifests/postgresql/backup_dump.pp
@@ -0,0 +1,53 @@
	1	define profile::postgresql::backup_dump (
	2	String $pg_user = "postgres",
	3	String $pg_group = "postgres",
	4	) {
	5	$base_path = $title
	6	$pg_path = "$base_path/postgresql"
	7	$pg_backup_path = "$base_path/postgresql_backup"
	8	$pg_host = split($base_path, "/")[-1]
	9
	10	ensure_packages(["python", "python-pip"])
	11	ensure_resource("package", "pylog2rotate", {
	12	source => "git+https://github.com/avian2/pylog2rotate",
	13	ensure => present,
	14	provider => "pip3",
	15	require => Package["python-pip"],
	16	})
	17
	18	file { $pg_backup_path:
	19	ensure => directory,
	20	owner => $pg_user,
	21	group => $pg_group,
	22	mode => "0700",
	23	require => File[$base_path],
	24	}
	25
	26	cron::job::multiple { "backup_psql_$pg_host":
	27	ensure => "present",
	28	require => [File[$pg_backup_path], File[$pg_path]],
	29	jobs => [
	30	{
	31	command => "/usr/bin/pg_dumpall -h $pg_path -f $pg_backup_path/\$(date -Iseconds).sql",
	32	user => $pg_user,
	33	hour => "22,4,10,16",
	34	minute => 0,
	35	description => "Backup the database",
	36	},
	37	{
	38	command => "/usr/bin/rm -f $(ls -1 $pg_backup_path/*.sql \| grep -v 'T22:' \| sort -r \| sed -e '1,12d')",
	39	user => $pg_user,
	40	hour => 3,
	41	minute => 0,
	42	description => "Cleanup the database backups",
	43	},
	44	{
	45	command => "cd $pg_backup_path ; /usr/bin/rm -f $(ls -1 T22.sql \| log2rotate --skip 7 --fuzz 7 --delete --format='%Y-%m-%dT%H:%M:%S+02:00.sql')",
	46	user => $pg_user,
	47	hour => 3,
	48	minute => 1,
	49	description => "Cleanup the database backups exponentially",
	50	},
	51	]
	52	}
	53	}


diff --git a/modules/profile/manifests/postgresql/backup_pgbouncer.pp b/modules/profile/manifests/postgresql/backup_pgbouncer.pp new file mode 100644 index 0000000..45b8ed5 --- /dev/null +++ b/modules/profile/manifests/postgresql/backup_pgbouncer.pp
@@ -0,0 +1,92 @@
	1	define profile::postgresql::backup_pgbouncer (
	2	String $base_path,
	3	Hash $pg_infos,
	4	String $pg_user = "postgres",
	5	String $pg_group = "postgres",
	6	) {
	7	include "profile::postgresql::pam_ldap_pgbouncer"
	8	ensure_packages(["pgbouncer"])
	9
	10	$host_cn = $title
	11
	12	$host = find_host($facts["ldapvar"]["other"], $host_cn)
	13	if empty($host) {
	14	fail("No host found for pgbouncer")
	15	} elsif has_key($host["vars"], "host") {
	16	$pg_backup_host = $host["vars"]["host"][0]
	17	} else {
	18	$pg_backup_host = $host["vars"]["real_hostname"][0]
	19	}
	20
	21	$pg_path = "$base_path/$pg_backup_host/postgresql"
	22
	23	if has_key($host["vars"], "postgresql_backup_port") {
	24	$pg_port = " port=${host[vars][postgresql_backup_port][0]}"
	25	} else {
	26	$pg_port = ""
	27	}
	28
	29	# Config
	30	ensure_resource("concat", "/etc/pgbouncer/pgbouncer.ini", {
	31	mode => "0644",
	32	owner => "root",
	33	group => "root",
	34	ensure_newline => true,
	35	notify => Service["pgbouncer"],
	36	before => Service["pgbouncer"],
	37	})
	38
	39	ensure_resource("concat::fragment", "pgbouncer_head", {
	40	target => "/etc/pgbouncer/pgbouncer.ini",
	41	order => 01,
	42	source => "puppet:///modules/profile/postgresql/pgbouncer_head.ini",
	43	})
	44
	45	concat::fragment { "pgbouncer_$pg_backup_host":
	46	target => "/etc/pgbouncer/pgbouncer.ini",
	47	order => 02,
	48	content => "${pg_infos[pgbouncer_dbname]} = host=$pg_path$pg_port user=${pg_infos[dbuser]} dbname=${pg_infos[dbname]}",
	49	}
	50
	51	# pg_hba for accessed cluster
	52	postgresql::server::pg_hba_rule { "$pg_backup_host - local access as ${pg_infos[dbuser]} user":
	53	description => "Allow local access to ${pg_infos[dbuser]} user",
	54	type => 'local',
	55	database => $pg_infos["dbname"],
	56	user => $pg_infos["dbuser"],
	57	auth_method => 'trust',
	58	order => "01-00",
	59	target => "$pg_path/pg_hba.conf",
	60	postgresql_version => "10",
	61	}
	62
	63	# service
	64	ensure_resource("file", "/etc/systemd/system/pgbouncer.service.d", {
	65	ensure => "directory",
	66	mode => "0644",
	67	owner => "root",
	68	group => "root",
	69	})
	70
	71	ensure_resource("file", "/etc/systemd/system/pgbouncer.service.d/override.conf", {
	72	ensure => "present",
	73	mode => "0644",
	74	owner => "root",
	75	group => "root",
	76	content => "[Service]\nUser=\nUser=$pg_user\n",
	77	notify => Service["pgbouncer"],
	78	before => Service["pgbouncer"],
	79	})
	80
	81	ensure_resource("service", "pgbouncer", {
	82	ensure => "running",
	83	enable => true,
	84	require => [
	85	Package["pgbouncer"],
	86	File["/etc/systemd/system/pgbouncer.service.d/override.conf"],
	87	Concat["/etc/pgbouncer/pgbouncer.ini"]
	88	],
	89	})
	90
	91
	92	}


diff --git a/modules/profile/manifests/postgresql/backup_replication.pp b/modules/profile/manifests/postgresql/backup_replication.pp new file mode 100644 index 0000000..a4edb8f --- /dev/null +++ b/modules/profile/manifests/postgresql/backup_replication.pp
@@ -0,0 +1,135 @@
	1	define profile::postgresql::backup_replication (
	2	String $base_path,
	3	Hash $pg_infos,
	4	String $pg_user = "postgres",
	5	String $pg_group = "postgres",
	6	) {
	7	$host_cn = $title
	8
	9	$host = find_host($facts["ldapvar"]["other"], $host_cn)
	10	if empty($host) {
	11	$pg_backup_host = $host_cn
	12	} elsif has_key($host["vars"], "host") {
	13	$pg_backup_host = $host["vars"]["host"][0]
	14	} else {
	15	$pg_backup_host = $host["vars"]["real_hostname"][0]
	16	}
	17
	18	$pg_path = "$base_path/$pg_backup_host/postgresql"
	19
	20	# Replication folder
	21	ensure_resource("file", "$base_path/$pg_backup_host", {
	22	ensure => directory,
	23	})
	24
	25	file { $pg_path:
	26	ensure => directory,
	27	owner => $pg_user,
	28	group => $pg_group,
	29	mode => "0700",
	30	require => File["$base_path/$pg_backup_host"],
	31	}
	32
	33	# pg_hba.conf
	34	profile::postgresql::base_pg_hba_rules { $pg_backup_host:
	35	pg_path => $pg_path
	36	}
	37
	38	# postgresql.conf file and ssl
	39	concat { "$pg_path/postgresql.conf":
	40	owner => $pg_user,
	41	group => $pg_group,
	42	mode => '0640',
	43	warn => true,
	44	}
	45
	46	if !empty($host) and has_key($host["vars"], "postgresql_backup_port") {
	47	$pg_listen_port = $host["vars"]["postgresql_backup_port"][0]
	48
	49	profile::postgresql::ssl { $pg_path:
	50	certname => $host_cn,
	51	handle_concat_config => true,
	52	before => Service["postgresql_backup@$pg_backup_host"]
	53	}
	54
	55	concat::fragment { "$pg_path/postgresql.conf listen":
	56	target => "$pg_path/postgresql.conf",
	57	content => "listen_addresses = '*'\nport = $pg_listen_port\n",
	58	}
	59
	60	profile::postgresql::replication { $host_cn:
	61	target => "$pg_path/pg_hba.conf",
	62	}
	63	} else {
	64	concat::fragment { "$pg_path/postgresql.conf listen":
	65	target => "$pg_path/postgresql.conf",
	66	content => "listen_addresses = ''\n",
	67	}
	68	}
	69
	70	concat::fragment { "$pg_path/postgresql.conf paths":
	71	target => "$pg_path/postgresql.conf",
	72	content => "unix_socket_directories = '$pg_path'\ndata_directory = '$pg_path'\nwal_level = logical\n",
	73	}
	74
	75	$password_seed = lookup("base_installation::puppet_pass_seed")
	76	$pg_host = $pg_backup_host
	77	$pg_port = $pg_infos["dbport"]
	78	$ldap_cn = lookup("base_installation::ldap_cn")
	79	$ldap_password = generate_password(24, $password_seed, "ldap")
	80	$pg_slot = regsubst($ldap_cn, '-', "_", "G")
	81
	82	# recovery.conf file
	83	$primary_conninfo = "host=$pg_host port=$pg_port user=$ldap_cn password=$ldap_password sslmode=require"
	84	$primary_slot_name = $pg_slot
	85	$standby_mode = "on"
	86
	87	file { "$pg_path/recovery.conf":
	88	owner => $pg_user,
	89	group => $pg_group,
	90	mode => '0640',
	91	content => template('postgresql/recovery.conf.erb'),
	92	}
	93
	94	# Initial replication
	95	exec { "pg_basebackup $pg_path":
	96	cwd => $pg_path,
	97	user => $pg_user,
	98	creates => "$pg_path/PG_VERSION",
	99	environment => ["PGPASSWORD=$ldap_password"],
	100	command => "/usr/bin/pg_basebackup -w -h $pg_host -p $pg_port -U $ldap_cn -D $pg_path -S $pg_slot",
	101	before => [
	102	Concat["$pg_path/pg_hba.conf"],
	103	File["$pg_path/recovery.conf"],
	104	Concat["$pg_path/postgresql.conf"],
	105	]
	106	}
	107
	108	# Service
	109	ensure_resource("file", "/etc/systemd/system/postgresql_backup@.service", {
	110	mode => "0644",
	111	owner => "root",
	112	group => "root",
	113	content => template("profile/postgresql/postgresql_backup@.service.erb"),
	114	})
	115
	116	service { "postgresql_backup@$pg_backup_host":
	117	enable => true,
	118	ensure => "running",
	119	require => [
	120	File["/etc/systemd/system/postgresql_backup@.service"],
	121	Concat["$pg_path/pg_hba.conf"],
	122	File["$pg_path/recovery.conf"],
	123	Concat["$pg_path/postgresql.conf"],
	124	],
	125	subscribe => [
	126	Concat["$pg_path/pg_hba.conf"],
	127	File["$pg_path/recovery.conf"],
	128	Concat["$pg_path/postgresql.conf"],
	129	]
	130	}
	131
	132	# Dumps
	133	profile::postgresql::backup_dump { "$base_path/$pg_backup_host": }
	134
	135	}


diff --git a/modules/profile/manifests/postgresql/base_pg_hba_rules.pp b/modules/profile/manifests/postgresql/base_pg_hba_rules.pp new file mode 100644 index 0000000..07c4bb6 --- /dev/null +++ b/modules/profile/manifests/postgresql/base_pg_hba_rules.pp
@@ -0,0 +1,74 @@
	1	define profile::postgresql::base_pg_hba_rules (
	2	Optional[String] $pg_path = undef,
	3	String $pg_user = "postgres",
	4	String $pg_group = "postgres",
	5	) {
	6	unless empty($pg_path) {
	7	concat { "$pg_path/pg_hba.conf":
	8	owner => $pg_user,
	9	group => $pg_group,
	10	mode => '0640',
	11	warn => true,
	12	require => File[$pg_path],
	13	}
	14
	15	Postgresql::Server::Pg_hba_rule {
	16	target => "$pg_path/pg_hba.conf",
	17	postgresql_version => "10",
	18	}
	19	}
	20
	21	postgresql::server::pg_hba_rule { "$title - local access as postgres user":
	22	description => 'Allow local access to postgres user',
	23	type => 'local',
	24	database => 'all',
	25	user => $pg_user,
	26	auth_method => 'ident',
	27	order => "00-01",
	28	}
	29	postgresql::server::pg_hba_rule { "$title - localhost access as postgres user":
	30	description => 'Allow localhost access to postgres user',
	31	type => 'host',
	32	database => 'all',
	33	user => $pg_user,
	34	address => "127.0.0.1/32",
	35	auth_method => 'md5',
	36	order => "00-02",
	37	}
	38	postgresql::server::pg_hba_rule { "$title - localhost ip6 access as postgres user":
	39	description => 'Allow localhost access to postgres user',
	40	type => 'host',
	41	database => 'all',
	42	user => $pg_user,
	43	address => "::1/128",
	44	auth_method => 'md5',
	45	order => "00-03",
	46	}
	47	postgresql::server::pg_hba_rule { "$title - deny access to postgresql user":
	48	description => 'Deny remote access to postgres user',
	49	type => 'host',
	50	database => 'all',
	51	user => $pg_user,
	52	address => "0.0.0.0/0",
	53	auth_method => 'reject',
	54	order => "00-04",
	55	}
	56	postgresql::server::pg_hba_rule { "$title - local access":
	57	description => 'Allow local access with password',
	58	type => 'local',
	59	database => 'all',
	60	user => 'all',
	61	auth_method => 'md5',
	62	order => "10-01",
	63	}
	64
	65	postgresql::server::pg_hba_rule { "$title - local access with same name":
	66	description => 'Allow local access with same name',
	67	type => 'local',
	68	database => 'all',
	69	user => 'all',
	70	auth_method => 'ident',
	71	order => "10-02",
	72	}
	73
	74	}


diff --git a/modules/profile/manifests/postgresql/master.pp b/modules/profile/manifests/postgresql/master.pp new file mode 100644 index 0000000..969905f --- /dev/null +++ b/modules/profile/manifests/postgresql/master.pp
@@ -0,0 +1,20 @@
	1	define profile::postgresql::master (
	2	$letsencrypt_host = undef,
	3	$backup_hosts = [],
	4	) {
	5	profile::postgresql::ssl { "/var/lib/postgres/data":
	6	cert => "/etc/letsencrypt/live/$letsencrypt_host/cert.pem",
	7	key => "/etc/letsencrypt/live/$letsencrypt_host/privkey.pem",
	8	require => Letsencrypt::Certonly[$letsencrypt_host],
	9	handle_config_entry => true,
	10	}
	11
	12	$backup_hosts.each \|$backup_host\| {
	13	profile::postgresql::replication { $backup_host:
	14	handle_config => true,
	15	handle_role => true,
	16	handle_slot => true,
	17	add_self_role => true,
	18	}
	19	}
	20	}


diff --git a/modules/profile/manifests/postgresql/pam_ldap.pp b/modules/profile/manifests/postgresql/pam_ldap.pp new file mode 100644 index 0000000..f068245 --- /dev/null +++ b/modules/profile/manifests/postgresql/pam_ldap.pp
@@ -0,0 +1,28 @@
	1	class profile::postgresql::pam_ldap (
	2	String $pg_user = "postgres"
	3	) {
	4	include "profile::pam_ldap"
	5
	6	$password_seed = lookup("base_installation::puppet_pass_seed")
	7	$ldap_server = lookup("base_installation::ldap_server")
	8	$ldap_base = lookup("base_installation::ldap_base")
	9	$ldap_dn = lookup("base_installation::ldap_dn")
	10	$ldap_password = generate_password(24, $password_seed, "ldap")
	11	$ldap_attribute = "cn"
	12
	13	file { "/etc/pam_ldap.d/postgresql.conf":
	14	ensure => "present",
	15	mode => "0400",
	16	owner => $pg_user,
	17	group => "root",
	18	content => template("profile/postgresql/pam_ldap_postgresql.conf.erb"),
	19	require => File["/etc/pam_ldap.d"],
	20	} ->
	21	file { "/etc/pam.d/postgresql":
	22	ensure => "present",
	23	mode => "0644",
	24	owner => "root",
	25	group => "root",
	26	source => "puppet:///modules/profile/postgresql/pam_postgresql"
	27	}
	28	}


diff --git a/modules/profile/manifests/postgresql/pam_ldap_pgbouncer.pp b/modules/profile/manifests/postgresql/pam_ldap_pgbouncer.pp new file mode 100644 index 0000000..67714f2 --- /dev/null +++ b/modules/profile/manifests/postgresql/pam_ldap_pgbouncer.pp
@@ -0,0 +1,33 @@
	1	class profile::postgresql::pam_ldap_pgbouncer (
	2	String $pg_user = "postgres"
	3	) {
	4	include "profile::pam_ldap"
	5
	6	$password_seed = lookup("base_installation::puppet_pass_seed")
	7	$ldap_server = lookup("base_installation::ldap_server")
	8	$ldap_base = lookup("base_installation::ldap_base")
	9	$ldap_dn = lookup("base_installation::ldap_dn")
	10	$ldap_password = generate_password(24, $password_seed, "ldap")
	11	$ldap_attribute = "uid"
	12	$ldap_filter = lookup("role::backup::postgresql::pgbouncer_access_filter", { "default_value" => undef })
	13
	14	if empty($ldap_filter) {
	15	fail("need ldap filter for pgbouncer")
	16	}
	17
	18	file { "/etc/pam_ldap.d/pgbouncer.conf":
	19	ensure => "present",
	20	mode => "0600",
	21	owner => $pg_user,
	22	group => "root",
	23	content => template("profile/postgresql/pam_ldap_pgbouncer.conf.erb"),
	24	require => File["/etc/pam_ldap.d"],
	25	} ->
	26	file { "/etc/pam.d/pgbouncer":
	27	ensure => "present",
	28	mode => "0644",
	29	owner => "root",
	30	group => "root",
	31	source => "puppet:///modules/profile/postgresql/pam_pgbouncer"
	32	}
	33	}


diff --git a/modules/profile/manifests/postgresql/replication.pp b/modules/profile/manifests/postgresql/replication.pp new file mode 100644 index 0000000..2fcb71c --- /dev/null +++ b/modules/profile/manifests/postgresql/replication.pp
@@ -0,0 +1,72 @@
	1	define profile::postgresql::replication (
	2	Boolean $handle_role = false,
	3	Boolean $handle_config = false,
	4	Boolean $add_self_role = false,
	5	Boolean $handle_slot = false,
	6	Optional[String] $target = undef,
	7	) {
	8	include "profile::postgresql::pam_ldap"
	9
	10	$host_cn = $title
	11	$host_infos = find_host($facts["ldapvar"]["other"], $host_cn)
	12
	13	if empty($host_infos) {
	14	fail("Unable to find host for replication")
	15	}
	16
	17	if empty($target) {
	18	$pg_version = undef
	19	} else {
	20	$pg_version = "10"
	21	}
	22
	23	$host_infos["ipHostNumber"].each \|$ip\| {
	24	$infos = split($ip, "/")
	25	$ipaddress = $infos[0]
	26	if (length($infos) == 1 and $ipaddress =~ /:/) {
	27	$mask = "128"
	28	} elsif (length($infos) == 1) {
	29	$mask = "32"
	30	} else {
	31	$mask = $infos[1]
	32	}
	33
	34	postgresql::server::pg_hba_rule { "allow TCP access for replication to user $host_cn from $ipaddress/$mask":
	35	type => 'hostssl',
	36	database => 'replication',
	37	user => $host_cn,
	38	address => "$ipaddress/$mask",
	39	auth_method => 'pam',
	40	order => "06-01",
	41	target => $target,
	42	postgresql_version => $pg_version,
	43	}
	44	}
	45
	46	if $handle_config {
	47	ensure_resource("postgresql::server::config_entry", "wal_level", {
	48	value => "logical",
	49	})
	50	}
	51
	52	if $handle_role {
	53	postgresql::server::role { $host_cn:
	54	replication => true,
	55	}
	56
	57	if $add_self_role {
	58	$ldap_cn = lookup("base_installation::ldap_cn")
	59
	60	# Needed to be replicated to the backup and be able to recover later
	61	ensure_resource("postgresql::server::role", $ldap_cn, {
	62	replication => true,
	63	})
	64	}
	65	}
	66
	67	if $handle_slot {
	68	postgresql_replication_slot { regsubst($host_cn, '-', "_", "G"):
	69	ensure => present
	70	}
	71	}
	72	}


diff --git a/modules/profile/manifests/postgresql/ssl.pp b/modules/profile/manifests/postgresql/ssl.pp new file mode 100644 index 0000000..dc56c0b --- /dev/null +++ b/modules/profile/manifests/postgresql/ssl.pp
@@ -0,0 +1,82 @@
	1	define profile::postgresql::ssl (
	2	Optional[String] $cert = undef,
	3	Optional[String] $key = undef,
	4	Optional[String] $certname = undef,
	5	Optional[Boolean] $copy_keys = true,
	6	Optional[Boolean] $handle_config_entry = false,
	7	Optional[Boolean] $handle_concat_config = false,
	8	Optional[String] $pg_user = "postgres",
	9	Optional[String] $pg_group = "postgres",
	10	) {
	11	$datadir = $title
	12
	13	file { "$datadir/certs":
	14	ensure => directory,
	15	mode => "0700",
	16	owner => $pg_user,
	17	group => $pg_group,
	18	require => File[$datadir],
	19	}
	20
	21	if empty($cert) or empty($key) {
	22	if empty($certname) {
	23	fail("A certificate name is necessary to generate ssl certificate")
	24	}
	25
	26	ssl::self_signed_certificate { $certname:
	27	common_name => $certname,
	28	country => "FR",
	29	days => "3650",
	30	organization => "Immae",
	31	owner => $pg_user,
	32	group => $pg_group,
	33	directory => "$datadir/certs",
	34	}
	35
	36	$ssl_key = "$datadir/certs/$certname.key"
	37	$ssl_cert = "$datadir/certs/$certname.crt"
	38	} elsif $copy_keys {
	39	$ssl_key = "$datadir/certs/privkey.pem"
	40	$ssl_cert = "$datadir/certs/cert.pem"
	41
	42	file { $ssl_cert:
	43	source => "file://$cert",
	44	mode => "0600",
	45	links => "follow",
	46	owner => $pg_user,
	47	group => $pg_group,
	48	require => File["$datadir/certs"],
	49	}
	50	file { $ssl_key:
	51	source => "file://$key",
	52	mode => "0600",
	53	links => "follow",
	54	owner => $pg_user,
	55	group => $pg_group,
	56	require => File["$datadir/certs"],
	57	}
	58	} else {
	59	$ssl_key = $key
	60	$ssl_cert = $cert
	61	}
	62
	63	if $handle_config_entry {
	64	postgresql::server::config_entry { "ssl":
	65	value => "on",
	66	}
	67
	68	postgresql::server::config_entry { "ssl_cert_file":
	69	value => $ssl_cert,
	70	}
	71
	72	postgresql::server::config_entry { "ssl_key_file":
	73	value => $ssl_key,
	74	}
	75	} elsif $handle_concat_config {
	76	concat::fragment { "$datadir/postgresql.conf ssl config":
	77	target => "$datadir/postgresql.conf",
	78	content => "ssl = on\nssl_key_file = '$ssl_key'\nssl_cert_file = '$ssl_cert'\n"
	79	}
	80	}
	81
	82	}