aboutsummaryrefslogtreecommitdiff
path: root/modules/profile
diff options
context:
space:
mode:
authorIsmaël Bouya <ismael.bouya@normalesup.org>2018-06-28 10:32:57 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2018-06-28 12:14:44 +0200
commit3925777d9715d271c0643faef9f520e7816dba89 (patch)
treec6e3832098d19917b0ba0bcbe119103c632c7d29 /modules/profile
parent436cae5ebfd889b1bf625b757939a57842b564da (diff)
downloadPuppet-3925777d9715d271c0643faef9f520e7816dba89.tar.gz
Puppet-3925777d9715d271c0643faef9f520e7816dba89.tar.zst
Puppet-3925777d9715d271c0643faef9f520e7816dba89.zip
Refactor cryptoportfolio postgresql
Diffstat (limited to 'modules/profile')
-rw-r--r--modules/profile/manifests/postgresql.pp64
-rw-r--r--modules/profile/manifests/postgresql/base_pg_hba_rules.pp2
2 files changed, 6 insertions, 60 deletions
diff --git a/modules/profile/manifests/postgresql.pp b/modules/profile/manifests/postgresql.pp
index 2cd1bcc..97ce572 100644
--- a/modules/profile/manifests/postgresql.pp
+++ b/modules/profile/manifests/postgresql.pp
@@ -1,4 +1,7 @@
1class profile::postgresql { 1class profile::postgresql (
2 Optional[String] $pg_user = "postgres",
3 Optional[String] $pg_group = "postgres",
4) {
2 $password_seed = lookup("base_installation::puppet_pass_seed") 5 $password_seed = lookup("base_installation::puppet_pass_seed")
3 6
4 class { '::postgresql::globals': 7 class { '::postgresql::globals':
@@ -7,16 +10,13 @@ class profile::postgresql {
7 pg_hba_conf_defaults => false, 10 pg_hba_conf_defaults => false,
8 } 11 }
9 12
10 # FIXME: get it from the postgresql module?
11 $pg_user = "postgres"
12
13 class { '::postgresql::client': } 13 class { '::postgresql::client': }
14 14
15 # FIXME: postgresql module is buggy and doesn't create dir? 15 # FIXME: postgresql module is buggy and doesn't create dir?
16 file { "/var/lib/postgres": 16 file { "/var/lib/postgres":
17 ensure => directory, 17 ensure => directory,
18 owner => $pg_user, 18 owner => $pg_user,
19 group => $pg_user, 19 group => $pg_group,
20 before => File["/var/lib/postgres/data"], 20 before => File["/var/lib/postgres/data"],
21 require => Package["postgresql-server"], 21 require => Package["postgresql-server"],
22 } 22 }
@@ -26,59 +26,7 @@ class profile::postgresql {
26 listen_addresses => "*", 26 listen_addresses => "*",
27 } 27 }
28 28
29 postgresql::server::pg_hba_rule { 'local access as postgres user': 29 profile::postgresql::base_pg_hba_rules { "default": }
30 description => 'Allow local access to postgres user',
31 type => 'local',
32 database => 'all',
33 user => $pg_user,
34 auth_method => 'ident',
35 order => "00-01",
36 }
37 postgresql::server::pg_hba_rule { 'localhost access as postgres user':
38 description => 'Allow localhost access to postgres user',
39 type => 'host',
40 database => 'all',
41 user => $pg_user,
42 address => "127.0.0.1/32",
43 auth_method => 'md5',
44 order => "00-02",
45 }
46 postgresql::server::pg_hba_rule { 'localhost ip6 access as postgres user':
47 description => 'Allow localhost access to postgres user',
48 type => 'host',
49 database => 'all',
50 user => $pg_user,
51 address => "::1/128",
52 auth_method => 'md5',
53 order => "00-03",
54 }
55 postgresql::server::pg_hba_rule { 'deny access to postgresql user':
56 description => 'Deny remote access to postgres user',
57 type => 'host',
58 database => 'all',
59 user => $pg_user,
60 address => "0.0.0.0/0",
61 auth_method => 'reject',
62 order => "00-04",
63 }
64
65 postgresql::server::pg_hba_rule { 'local access':
66 description => 'Allow local access with password',
67 type => 'local',
68 database => 'all',
69 user => 'all',
70 auth_method => 'md5',
71 order => "10-01",
72 }
73
74 postgresql::server::pg_hba_rule { 'local access with same name':
75 description => 'Allow local access with same name',
76 type => 'local',
77 database => 'all',
78 user => 'all',
79 auth_method => 'ident',
80 order => "10-02",
81 }
82 30
83} 31}
84 32
diff --git a/modules/profile/manifests/postgresql/base_pg_hba_rules.pp b/modules/profile/manifests/postgresql/base_pg_hba_rules.pp
index 13ab4ff..07c4bb6 100644
--- a/modules/profile/manifests/postgresql/base_pg_hba_rules.pp
+++ b/modules/profile/manifests/postgresql/base_pg_hba_rules.pp
@@ -43,8 +43,6 @@ define profile::postgresql::base_pg_hba_rules (
43 address => "::1/128", 43 address => "::1/128",
44 auth_method => 'md5', 44 auth_method => 'md5',
45 order => "00-03", 45 order => "00-03",
46 target => "$pg_path/pg_hba.conf",
47 postgresql_version => "10",
48 } 46 }
49 postgresql::server::pg_hba_rule { "$title - deny access to postgresql user": 47 postgresql::server::pg_hba_rule { "$title - deny access to postgresql user":
50 description => 'Deny remote access to postgres user', 48 description => 'Deny remote access to postgres user',