aboutsummaryrefslogtreecommitdiff
path: root/modules/profile/manifests
diff options
context:
space:
mode:
authorIsmaël Bouya <ismael.bouya@normalesup.org>2018-06-27 21:52:02 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2018-06-28 02:34:04 +0200
commitd2f031ece106ed2dc37283b194edfa94718a6306 (patch)
tree42d4146e0f4b58ab724c4690c1ea431b3e733b7c /modules/profile/manifests
parentc53ac3f84852a42aa8b7341ee7fe0a629d2e3579 (diff)
downloadPuppet-d2f031ece106ed2dc37283b194edfa94718a6306.tar.gz
Puppet-d2f031ece106ed2dc37283b194edfa94718a6306.tar.zst
Puppet-d2f031ece106ed2dc37283b194edfa94718a6306.zip
Refactor backup postgresql
Diffstat (limited to 'modules/profile/manifests')
-rw-r--r--modules/profile/manifests/postgresql/backup_dump.pp53
-rw-r--r--modules/profile/manifests/postgresql/backup_pgbouncer.pp92
-rw-r--r--modules/profile/manifests/postgresql/backup_replication.pp135
-rw-r--r--modules/profile/manifests/postgresql/base_pg_hba_rules.pp76
-rw-r--r--modules/profile/manifests/postgresql/pam_ldap_pgbouncer.pp33
-rw-r--r--modules/profile/manifests/postgresql/replication.pp36
-rw-r--r--modules/profile/manifests/postgresql/ssl.pp47
-rw-r--r--modules/profile/manifests/postgresql_master.pp10
8 files changed, 447 insertions, 35 deletions
diff --git a/modules/profile/manifests/postgresql/backup_dump.pp b/modules/profile/manifests/postgresql/backup_dump.pp
new file mode 100644
index 0000000..10e349a
--- /dev/null
+++ b/modules/profile/manifests/postgresql/backup_dump.pp
@@ -0,0 +1,53 @@
1define profile::postgresql::backup_dump (
2 String $pg_user = "postgres",
3 String $pg_group = "postgres",
4) {
5 $base_path = $title
6 $pg_path = "$base_path/postgresql"
7 $pg_backup_path = "$base_path/postgresql_backup"
8 $pg_host = split($base_path, "/")[-1]
9
10 ensure_packages(["python", "python-pip"])
11 ensure_resource("package", "pylog2rotate", {
12 source => "git+https://github.com/avian2/pylog2rotate",
13 ensure => present,
14 provider => "pip3",
15 require => Package["python-pip"],
16 })
17
18 file { $pg_backup_path:
19 ensure => directory,
20 owner => $pg_user,
21 group => $pg_group,
22 mode => "0700",
23 require => File[$base_path],
24 }
25
26 cron::job::multiple { "backup_psql_$pg_host":
27 ensure => "present",
28 require => [File[$pg_backup_path], File[$pg_path]],
29 jobs => [
30 {
31 command => "/usr/bin/pg_dumpall -h $pg_path -f $pg_backup_path/\$(date -Iseconds).sql",
32 user => $pg_user,
33 hour => "22,4,10,16",
34 minute => 0,
35 description => "Backup the database",
36 },
37 {
38 command => "/usr/bin/rm -f $(ls -1 $pg_backup_path/*.sql | grep -v 'T22:' | sort -r | sed -e '1,12d')",
39 user => $pg_user,
40 hour => 3,
41 minute => 0,
42 description => "Cleanup the database backups",
43 },
44 {
45 command => "cd $pg_backup_path ; /usr/bin/rm -f $(ls -1 *T22*.sql | log2rotate --skip 7 --fuzz 7 --delete --format='%Y-%m-%dT%H:%M:%S+02:00.sql')",
46 user => $pg_user,
47 hour => 3,
48 minute => 1,
49 description => "Cleanup the database backups exponentially",
50 },
51 ]
52 }
53}
diff --git a/modules/profile/manifests/postgresql/backup_pgbouncer.pp b/modules/profile/manifests/postgresql/backup_pgbouncer.pp
new file mode 100644
index 0000000..45b8ed5
--- /dev/null
+++ b/modules/profile/manifests/postgresql/backup_pgbouncer.pp
@@ -0,0 +1,92 @@
1define profile::postgresql::backup_pgbouncer (
2 String $base_path,
3 Hash $pg_infos,
4 String $pg_user = "postgres",
5 String $pg_group = "postgres",
6) {
7 include "profile::postgresql::pam_ldap_pgbouncer"
8 ensure_packages(["pgbouncer"])
9
10 $host_cn = $title
11
12 $host = find_host($facts["ldapvar"]["other"], $host_cn)
13 if empty($host) {
14 fail("No host found for pgbouncer")
15 } elsif has_key($host["vars"], "host") {
16 $pg_backup_host = $host["vars"]["host"][0]
17 } else {
18 $pg_backup_host = $host["vars"]["real_hostname"][0]
19 }
20
21 $pg_path = "$base_path/$pg_backup_host/postgresql"
22
23 if has_key($host["vars"], "postgresql_backup_port") {
24 $pg_port = " port=${host[vars][postgresql_backup_port][0]}"
25 } else {
26 $pg_port = ""
27 }
28
29 # Config
30 ensure_resource("concat", "/etc/pgbouncer/pgbouncer.ini", {
31 mode => "0644",
32 owner => "root",
33 group => "root",
34 ensure_newline => true,
35 notify => Service["pgbouncer"],
36 before => Service["pgbouncer"],
37 })
38
39 ensure_resource("concat::fragment", "pgbouncer_head", {
40 target => "/etc/pgbouncer/pgbouncer.ini",
41 order => 01,
42 source => "puppet:///modules/profile/postgresql/pgbouncer_head.ini",
43 })
44
45 concat::fragment { "pgbouncer_$pg_backup_host":
46 target => "/etc/pgbouncer/pgbouncer.ini",
47 order => 02,
48 content => "${pg_infos[pgbouncer_dbname]} = host=$pg_path$pg_port user=${pg_infos[dbuser]} dbname=${pg_infos[dbname]}",
49 }
50
51 # pg_hba for accessed cluster
52 postgresql::server::pg_hba_rule { "$pg_backup_host - local access as ${pg_infos[dbuser]} user":
53 description => "Allow local access to ${pg_infos[dbuser]} user",
54 type => 'local',
55 database => $pg_infos["dbname"],
56 user => $pg_infos["dbuser"],
57 auth_method => 'trust',
58 order => "01-00",
59 target => "$pg_path/pg_hba.conf",
60 postgresql_version => "10",
61 }
62
63 # service
64 ensure_resource("file", "/etc/systemd/system/pgbouncer.service.d", {
65 ensure => "directory",
66 mode => "0644",
67 owner => "root",
68 group => "root",
69 })
70
71 ensure_resource("file", "/etc/systemd/system/pgbouncer.service.d/override.conf", {
72 ensure => "present",
73 mode => "0644",
74 owner => "root",
75 group => "root",
76 content => "[Service]\nUser=\nUser=$pg_user\n",
77 notify => Service["pgbouncer"],
78 before => Service["pgbouncer"],
79 })
80
81 ensure_resource("service", "pgbouncer", {
82 ensure => "running",
83 enable => true,
84 require => [
85 Package["pgbouncer"],
86 File["/etc/systemd/system/pgbouncer.service.d/override.conf"],
87 Concat["/etc/pgbouncer/pgbouncer.ini"]
88 ],
89 })
90
91
92}
diff --git a/modules/profile/manifests/postgresql/backup_replication.pp b/modules/profile/manifests/postgresql/backup_replication.pp
new file mode 100644
index 0000000..a4edb8f
--- /dev/null
+++ b/modules/profile/manifests/postgresql/backup_replication.pp
@@ -0,0 +1,135 @@
1define profile::postgresql::backup_replication (
2 String $base_path,
3 Hash $pg_infos,
4 String $pg_user = "postgres",
5 String $pg_group = "postgres",
6) {
7 $host_cn = $title
8
9 $host = find_host($facts["ldapvar"]["other"], $host_cn)
10 if empty($host) {
11 $pg_backup_host = $host_cn
12 } elsif has_key($host["vars"], "host") {
13 $pg_backup_host = $host["vars"]["host"][0]
14 } else {
15 $pg_backup_host = $host["vars"]["real_hostname"][0]
16 }
17
18 $pg_path = "$base_path/$pg_backup_host/postgresql"
19
20 # Replication folder
21 ensure_resource("file", "$base_path/$pg_backup_host", {
22 ensure => directory,
23 })
24
25 file { $pg_path:
26 ensure => directory,
27 owner => $pg_user,
28 group => $pg_group,
29 mode => "0700",
30 require => File["$base_path/$pg_backup_host"],
31 }
32
33 # pg_hba.conf
34 profile::postgresql::base_pg_hba_rules { $pg_backup_host:
35 pg_path => $pg_path
36 }
37
38 # postgresql.conf file and ssl
39 concat { "$pg_path/postgresql.conf":
40 owner => $pg_user,
41 group => $pg_group,
42 mode => '0640',
43 warn => true,
44 }
45
46 if !empty($host) and has_key($host["vars"], "postgresql_backup_port") {
47 $pg_listen_port = $host["vars"]["postgresql_backup_port"][0]
48
49 profile::postgresql::ssl { $pg_path:
50 certname => $host_cn,
51 handle_concat_config => true,
52 before => Service["postgresql_backup@$pg_backup_host"]
53 }
54
55 concat::fragment { "$pg_path/postgresql.conf listen":
56 target => "$pg_path/postgresql.conf",
57 content => "listen_addresses = '*'\nport = $pg_listen_port\n",
58 }
59
60 profile::postgresql::replication { $host_cn:
61 target => "$pg_path/pg_hba.conf",
62 }
63 } else {
64 concat::fragment { "$pg_path/postgresql.conf listen":
65 target => "$pg_path/postgresql.conf",
66 content => "listen_addresses = ''\n",
67 }
68 }
69
70 concat::fragment { "$pg_path/postgresql.conf paths":
71 target => "$pg_path/postgresql.conf",
72 content => "unix_socket_directories = '$pg_path'\ndata_directory = '$pg_path'\nwal_level = logical\n",
73 }
74
75 $password_seed = lookup("base_installation::puppet_pass_seed")
76 $pg_host = $pg_backup_host
77 $pg_port = $pg_infos["dbport"]
78 $ldap_cn = lookup("base_installation::ldap_cn")
79 $ldap_password = generate_password(24, $password_seed, "ldap")
80 $pg_slot = regsubst($ldap_cn, '-', "_", "G")
81
82 # recovery.conf file
83 $primary_conninfo = "host=$pg_host port=$pg_port user=$ldap_cn password=$ldap_password sslmode=require"
84 $primary_slot_name = $pg_slot
85 $standby_mode = "on"
86
87 file { "$pg_path/recovery.conf":
88 owner => $pg_user,
89 group => $pg_group,
90 mode => '0640',
91 content => template('postgresql/recovery.conf.erb'),
92 }
93
94 # Initial replication
95 exec { "pg_basebackup $pg_path":
96 cwd => $pg_path,
97 user => $pg_user,
98 creates => "$pg_path/PG_VERSION",
99 environment => ["PGPASSWORD=$ldap_password"],
100 command => "/usr/bin/pg_basebackup -w -h $pg_host -p $pg_port -U $ldap_cn -D $pg_path -S $pg_slot",
101 before => [
102 Concat["$pg_path/pg_hba.conf"],
103 File["$pg_path/recovery.conf"],
104 Concat["$pg_path/postgresql.conf"],
105 ]
106 }
107
108 # Service
109 ensure_resource("file", "/etc/systemd/system/postgresql_backup@.service", {
110 mode => "0644",
111 owner => "root",
112 group => "root",
113 content => template("profile/postgresql/postgresql_backup@.service.erb"),
114 })
115
116 service { "postgresql_backup@$pg_backup_host":
117 enable => true,
118 ensure => "running",
119 require => [
120 File["/etc/systemd/system/postgresql_backup@.service"],
121 Concat["$pg_path/pg_hba.conf"],
122 File["$pg_path/recovery.conf"],
123 Concat["$pg_path/postgresql.conf"],
124 ],
125 subscribe => [
126 Concat["$pg_path/pg_hba.conf"],
127 File["$pg_path/recovery.conf"],
128 Concat["$pg_path/postgresql.conf"],
129 ]
130 }
131
132 # Dumps
133 profile::postgresql::backup_dump { "$base_path/$pg_backup_host": }
134
135}
diff --git a/modules/profile/manifests/postgresql/base_pg_hba_rules.pp b/modules/profile/manifests/postgresql/base_pg_hba_rules.pp
new file mode 100644
index 0000000..13ab4ff
--- /dev/null
+++ b/modules/profile/manifests/postgresql/base_pg_hba_rules.pp
@@ -0,0 +1,76 @@
1define profile::postgresql::base_pg_hba_rules (
2 Optional[String] $pg_path = undef,
3 String $pg_user = "postgres",
4 String $pg_group = "postgres",
5) {
6 unless empty($pg_path) {
7 concat { "$pg_path/pg_hba.conf":
8 owner => $pg_user,
9 group => $pg_group,
10 mode => '0640',
11 warn => true,
12 require => File[$pg_path],
13 }
14
15 Postgresql::Server::Pg_hba_rule {
16 target => "$pg_path/pg_hba.conf",
17 postgresql_version => "10",
18 }
19 }
20
21 postgresql::server::pg_hba_rule { "$title - local access as postgres user":
22 description => 'Allow local access to postgres user',
23 type => 'local',
24 database => 'all',
25 user => $pg_user,
26 auth_method => 'ident',
27 order => "00-01",
28 }
29 postgresql::server::pg_hba_rule { "$title - localhost access as postgres user":
30 description => 'Allow localhost access to postgres user',
31 type => 'host',
32 database => 'all',
33 user => $pg_user,
34 address => "127.0.0.1/32",
35 auth_method => 'md5',
36 order => "00-02",
37 }
38 postgresql::server::pg_hba_rule { "$title - localhost ip6 access as postgres user":
39 description => 'Allow localhost access to postgres user',
40 type => 'host',
41 database => 'all',
42 user => $pg_user,
43 address => "::1/128",
44 auth_method => 'md5',
45 order => "00-03",
46 target => "$pg_path/pg_hba.conf",
47 postgresql_version => "10",
48 }
49 postgresql::server::pg_hba_rule { "$title - deny access to postgresql user":
50 description => 'Deny remote access to postgres user',
51 type => 'host',
52 database => 'all',
53 user => $pg_user,
54 address => "0.0.0.0/0",
55 auth_method => 'reject',
56 order => "00-04",
57 }
58 postgresql::server::pg_hba_rule { "$title - local access":
59 description => 'Allow local access with password',
60 type => 'local',
61 database => 'all',
62 user => 'all',
63 auth_method => 'md5',
64 order => "10-01",
65 }
66
67 postgresql::server::pg_hba_rule { "$title - local access with same name":
68 description => 'Allow local access with same name',
69 type => 'local',
70 database => 'all',
71 user => 'all',
72 auth_method => 'ident',
73 order => "10-02",
74 }
75
76}
diff --git a/modules/profile/manifests/postgresql/pam_ldap_pgbouncer.pp b/modules/profile/manifests/postgresql/pam_ldap_pgbouncer.pp
new file mode 100644
index 0000000..67714f2
--- /dev/null
+++ b/modules/profile/manifests/postgresql/pam_ldap_pgbouncer.pp
@@ -0,0 +1,33 @@
1class profile::postgresql::pam_ldap_pgbouncer (
2 String $pg_user = "postgres"
3) {
4 include "profile::pam_ldap"
5
6 $password_seed = lookup("base_installation::puppet_pass_seed")
7 $ldap_server = lookup("base_installation::ldap_server")
8 $ldap_base = lookup("base_installation::ldap_base")
9 $ldap_dn = lookup("base_installation::ldap_dn")
10 $ldap_password = generate_password(24, $password_seed, "ldap")
11 $ldap_attribute = "uid"
12 $ldap_filter = lookup("role::backup::postgresql::pgbouncer_access_filter", { "default_value" => undef })
13
14 if empty($ldap_filter) {
15 fail("need ldap filter for pgbouncer")
16 }
17
18 file { "/etc/pam_ldap.d/pgbouncer.conf":
19 ensure => "present",
20 mode => "0600",
21 owner => $pg_user,
22 group => "root",
23 content => template("profile/postgresql/pam_ldap_pgbouncer.conf.erb"),
24 require => File["/etc/pam_ldap.d"],
25 } ->
26 file { "/etc/pam.d/pgbouncer":
27 ensure => "present",
28 mode => "0644",
29 owner => "root",
30 group => "root",
31 source => "puppet:///modules/profile/postgresql/pam_pgbouncer"
32 }
33}
diff --git a/modules/profile/manifests/postgresql/replication.pp b/modules/profile/manifests/postgresql/replication.pp
index 33b147f..2fcb71c 100644
--- a/modules/profile/manifests/postgresql/replication.pp
+++ b/modules/profile/manifests/postgresql/replication.pp
@@ -1,7 +1,9 @@
1define profile::postgresql::replication ( 1define profile::postgresql::replication (
2 Boolean $handle_role = false, 2 Boolean $handle_role = false,
3 Boolean $add_self_role = false, 3 Boolean $handle_config = false,
4 Boolean $handle_slot = false, 4 Boolean $add_self_role = false,
5 Boolean $handle_slot = false,
6 Optional[String] $target = undef,
5) { 7) {
6 include "profile::postgresql::pam_ldap" 8 include "profile::postgresql::pam_ldap"
7 9
@@ -12,9 +14,11 @@ define profile::postgresql::replication (
12 fail("Unable to find host for replication") 14 fail("Unable to find host for replication")
13 } 15 }
14 16
15 ensure_resource("postgresql::server::config_entry", "wal_level", { 17 if empty($target) {
16 value => "logical", 18 $pg_version = undef
17 }) 19 } else {
20 $pg_version = "10"
21 }
18 22
19 $host_infos["ipHostNumber"].each |$ip| { 23 $host_infos["ipHostNumber"].each |$ip| {
20 $infos = split($ip, "/") 24 $infos = split($ip, "/")
@@ -28,15 +32,23 @@ define profile::postgresql::replication (
28 } 32 }
29 33
30 postgresql::server::pg_hba_rule { "allow TCP access for replication to user $host_cn from $ipaddress/$mask": 34 postgresql::server::pg_hba_rule { "allow TCP access for replication to user $host_cn from $ipaddress/$mask":
31 type => 'hostssl', 35 type => 'hostssl',
32 database => 'replication', 36 database => 'replication',
33 user => $host_cn, 37 user => $host_cn,
34 address => "$ipaddress/$mask", 38 address => "$ipaddress/$mask",
35 auth_method => 'pam', 39 auth_method => 'pam',
36 order => "06-01", 40 order => "06-01",
41 target => $target,
42 postgresql_version => $pg_version,
37 } 43 }
38 } 44 }
39 45
46 if $handle_config {
47 ensure_resource("postgresql::server::config_entry", "wal_level", {
48 value => "logical",
49 })
50 }
51
40 if $handle_role { 52 if $handle_role {
41 postgresql::server::role { $host_cn: 53 postgresql::server::role { $host_cn:
42 replication => true, 54 replication => true,
diff --git a/modules/profile/manifests/postgresql/ssl.pp b/modules/profile/manifests/postgresql/ssl.pp
index e4da8af..dc56c0b 100644
--- a/modules/profile/manifests/postgresql/ssl.pp
+++ b/modules/profile/manifests/postgresql/ssl.pp
@@ -1,20 +1,21 @@
1define profile::postgresql::ssl ( 1define profile::postgresql::ssl (
2 Optional[String] $cert = undef, 2 Optional[String] $cert = undef,
3 Optional[String] $key = undef, 3 Optional[String] $key = undef,
4 Optional[String] $certname = undef, 4 Optional[String] $certname = undef,
5 Optional[Boolean] $copy_keys = true, 5 Optional[Boolean] $copy_keys = true,
6 Optional[String] $pg_user = $profile::postgresql::pg_user, 6 Optional[Boolean] $handle_config_entry = false,
7 Optional[String] $pg_group = $profile::postgresql::pg_user 7 Optional[Boolean] $handle_concat_config = false,
8 Optional[String] $pg_user = "postgres",
9 Optional[String] $pg_group = "postgres",
8) { 10) {
9 $pg_dir = $title 11 $datadir = $title
10 $datadir = "$pg_dir/data"
11 12
12 file { "$datadir/certs": 13 file { "$datadir/certs":
13 ensure => directory, 14 ensure => directory,
14 mode => "0700", 15 mode => "0700",
15 owner => $pg_user, 16 owner => $pg_user,
16 group => $pg_group, 17 group => $pg_group,
17 require => File[$pg_dir], 18 require => File[$datadir],
18 } 19 }
19 20
20 if empty($cert) or empty($key) { 21 if empty($cert) or empty($key) {
@@ -32,8 +33,8 @@ define profile::postgresql::ssl (
32 directory => "$datadir/certs", 33 directory => "$datadir/certs",
33 } 34 }
34 35
35 $ssl_key = "$datadir/certs/$backup_host_cn.key" 36 $ssl_key = "$datadir/certs/$certname.key"
36 $ssl_cert = "$datadir/certs/$backup_host_cn.crt" 37 $ssl_cert = "$datadir/certs/$certname.crt"
37 } elsif $copy_keys { 38 } elsif $copy_keys {
38 $ssl_key = "$datadir/certs/privkey.pem" 39 $ssl_key = "$datadir/certs/privkey.pem"
39 $ssl_cert = "$datadir/certs/cert.pem" 40 $ssl_cert = "$datadir/certs/cert.pem"
@@ -59,15 +60,23 @@ define profile::postgresql::ssl (
59 $ssl_cert = $cert 60 $ssl_cert = $cert
60 } 61 }
61 62
62 postgresql::server::config_entry { "ssl": 63 if $handle_config_entry {
63 value => "on", 64 postgresql::server::config_entry { "ssl":
64 } 65 value => "on",
66 }
65 67
66 postgresql::server::config_entry { "ssl_cert_file": 68 postgresql::server::config_entry { "ssl_cert_file":
67 value => $ssl_cert, 69 value => $ssl_cert,
68 } 70 }
69 71
70 postgresql::server::config_entry { "ssl_key_file": 72 postgresql::server::config_entry { "ssl_key_file":
71 value => $ssl_key, 73 value => $ssl_key,
74 }
75 } elsif $handle_concat_config {
76 concat::fragment { "$datadir/postgresql.conf ssl config":
77 target => "$datadir/postgresql.conf",
78 content => "ssl = on\nssl_key_file = '$ssl_key'\nssl_cert_file = '$ssl_cert'\n"
79 }
72 } 80 }
81
73} 82}
diff --git a/modules/profile/manifests/postgresql_master.pp b/modules/profile/manifests/postgresql_master.pp
index e28c1b0..3de4f22 100644
--- a/modules/profile/manifests/postgresql_master.pp
+++ b/modules/profile/manifests/postgresql_master.pp
@@ -2,14 +2,16 @@ define profile::postgresql_master (
2 $letsencrypt_host = undef, 2 $letsencrypt_host = undef,
3 $backup_hosts = [], 3 $backup_hosts = [],
4) { 4) {
5 profile::postgresql::ssl { "/var/lib/postgres": 5 profile::postgresql::ssl { "/var/lib/postgres/data":
6 cert => "/etc/letsencrypt/live/$letsencrypt_host/cert.pem", 6 cert => "/etc/letsencrypt/live/$letsencrypt_host/cert.pem",
7 key => "/etc/letsencrypt/live/$letsencrypt_host/privkey.pem", 7 key => "/etc/letsencrypt/live/$letsencrypt_host/privkey.pem",
8 require => Letsencrypt::Certonly[$letsencrypt_host], 8 require => Letsencrypt::Certonly[$letsencrypt_host],
9 handle_config_entry => true,
9 } 10 }
10 11
11 $backup_hosts.each |$backup_host| { 12 $backup_hosts.each |$backup_host| {
12 profile::postgresql::replication { $backup_host: 13 profile::postgresql::replication { $backup_host:
14 handle_config => true,
13 handle_role => true, 15 handle_role => true,
14 handle_slot => true, 16 handle_slot => true,
15 add_self_role => true, 17 add_self_role => true,