Merge branch 'etherpad' into dev

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2018-06-26 00:53:16 +0200
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2018-06-26 00:53:16 +0200
commit: bcc5318b2e938234fcc93f70d6af21367290c1ce (patch)
tree: c85aa84d53c6dd66626b38a3b3092dde8c459a5f /modules/profile
parent: a0fb226454d038c365d27bf5185c0831a487607f (diff)
parent: 9313fa2ea3c7b796b448f6249f13a588c6618889 (diff)
download: Puppet-bcc5318b2e938234fcc93f70d6af21367290c1ce.tar.gz
Puppet-bcc5318b2e938234fcc93f70d6af21367290c1ce.tar.zst
Puppet-bcc5318b2e938234fcc93f70d6af21367290c1ce.zip
3 files changed, 124 insertions, 0 deletions
diff --git a/modules/profile/files/postgresql_master/pam_postgresql b/modules/profile/files/postgresql_master/pam_postgresql
new file mode 100644
index 0000000..70a90ae
--- /dev/null
+++ b/modules/profile/files/postgresql_master/pam_postgresql
@@ -0,0 +1,3 @@
+auth            required        pam_ldap.so config=/etc/pam_ldap.d/postgresql.conf
+account         required        pam_ldap.so config=/etc/pam_ldap.d/postgresql.conf
diff --git a/modules/profile/manifests/postgresql_master.pp b/modules/profile/manifests/postgresql_master.pp
new file mode 100644
index 0000000..9966f0d
--- /dev/null
+++ b/modules/profile/manifests/postgresql_master.pp
@@ -0,0 +1,115 @@
+define profile::postgresql_master (
+  $letsencrypt_host = undef,
+  $backup_hosts     = [],
+) {
+  $password_seed = lookup("base_installation::puppet_pass_seed")
+  ensure_resource("file", "/var/lib/postgres/data/certs", {
+    ensure  => directory,
+    mode    => "0700",
+    owner   => $::profile::postgresql::pg_user,
+    group   => $::profile::postgresql::pg_user,
+    require => File["/var/lib/postgres"],
+  })
+  ensure_resource("file", "/var/lib/postgres/data/certs/cert.pem", {
+    source  => "file:///etc/letsencrypt/live/$letsencrypt_host/cert.pem",
+    mode    => "0600",
+    links   => "follow",
+    owner   => $::profile::postgresql::pg_user,
+    group   => $::profile::postgresql::pg_user,
+    require => [Letsencrypt::Certonly[$letsencrypt_host], File["/var/lib/postgres/data/certs"]]
+  })
+  ensure_resource("file", "/var/lib/postgres/data/certs/privkey.pem", {
+    source  => "file:///etc/letsencrypt/live/$letsencrypt_host/privkey.pem",
+    mode    => "0600",
+    links   => "follow",
+    owner   => $::profile::postgresql::pg_user,
+    group   => $::profile::postgresql::pg_user,
+    require => [Letsencrypt::Certonly[$letsencrypt_host], File["/var/lib/postgres/data/certs"]]
+  })
+  ensure_resource("postgresql::server::config_entry", "wal_level", {
+    value => "logical",
+  })
+  ensure_resource("postgresql::server::config_entry", "ssl", {
+    value   => "on",
+    require => Letsencrypt::Certonly[$letsencrypt_host],
+  })
+  ensure_resource("postgresql::server::config_entry", "ssl_cert_file", {
+    value   => "/var/lib/postgres/data/certs/cert.pem",
+    require => Letsencrypt::Certonly[$letsencrypt_host],
+  })
+  ensure_resource("postgresql::server::config_entry", "ssl_key_file", {
+    value   => "/var/lib/postgres/data/certs/privkey.pem",
+    require => Letsencrypt::Certonly[$letsencrypt_host],
+  })
+  $backup_hosts.each |$backup_host| {
+    ensure_packages(["pam_ldap"])
+    $host = find_host($facts["ldapvar"]["other"], $backup_host)
+    unless empty($host) {
+      $host["ipHostNumber"].each |$ip| {
+        $infos = split($ip, "/")
+        $ipaddress = $infos[0]
+        if (length($infos) == 1 and $ipaddress =~ /:/) {
+          $mask = "128"
+        } elsif (length($infos) == 1) {
+          $mask = "32"
+        } else {
+          $mask = $infos[1]
+        }
+        postgresql::server::pg_hba_rule { "allow TCP access to replication user from backup for replication from $ipaddress/$mask":
+          type        => 'hostssl',
+          database    => 'replication',
+          user        => $backup_host,
+          address     => "$ipaddress/$mask",
+          auth_method => 'pam',
+          order       => "06-01",
+        }
+      }
+      postgresql::server::role { $backup_host:
+        replication => true,
+      }
+      postgresql_replication_slot { regsubst($backup_host, '-', "_", "G"):
+        ensure => present
+      }
+    }
+    $ldap_server = lookup("base_installation::ldap_server")
+    $ldap_base   = lookup("base_installation::ldap_base")
+    $ldap_dn     = lookup("base_installation::ldap_dn")
+    $ldap_password = generate_password(24, $password_seed, "ldap")
+    $ldap_attribute = "cn"
+    file { "/etc/pam_ldap.d":
+      ensure => directory,
+      mode   => "0755",
+      owner  => "root",
+      group  => "root",
+    } ->
+    file { "/etc/pam_ldap.d/postgresql.conf":
+      ensure  => "present",
+      mode    => "0600",
+      owner   => $::profile::postgresql::pg_user,
+      group   => "root",
+      content => template("profile/postgresql_master/pam_ldap_postgresql.conf.erb"),
+    } ->
+    file { "/etc/pam.d/postgresql":
+      ensure => "present",
+      mode   => "0644",
+      owner  => "root",
+      group  => "root",
+      source => "puppet:///modules/profile/postgresql_master/pam_postgresql"
+    }
+  }
+}
diff --git a/modules/profile/templates/postgresql_master/pam_ldap_postgresql.conf.erb b/modules/profile/templates/postgresql_master/pam_ldap_postgresql.conf.erb
new file mode 100644
index 0000000..f3d9674
--- /dev/null
+++ b/modules/profile/templates/postgresql_master/pam_ldap_postgresql.conf.erb
@@ -0,0 +1,6 @@
+host <%= @ldap_server %>
+base <%= @ldap_base %>
+binddn <%= @ldap_dn %>
+bindpw <%= @ldap_password %>
+pam_login_attribute <%= @ldap_attribute %>
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2018-06-26 00:53:16 +0200
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2018-06-26 00:53:16 +0200
commit	bcc5318b2e938234fcc93f70d6af21367290c1ce (patch)
tree	c85aa84d53c6dd66626b38a3b3092dde8c459a5f /modules/profile
parent	a0fb226454d038c365d27bf5185c0831a487607f (diff)
parent	9313fa2ea3c7b796b448f6249f13a588c6618889 (diff)
download	Puppet-bcc5318b2e938234fcc93f70d6af21367290c1ce.tar.gz Puppet-bcc5318b2e938234fcc93f70d6af21367290c1ce.tar.zst Puppet-bcc5318b2e938234fcc93f70d6af21367290c1ce.zip

diff --git a/modules/profile/files/postgresql_master/pam_postgresql b/modules/profile/files/postgresql_master/pam_postgresql new file mode 100644 index 0000000..70a90ae --- /dev/null +++ b/modules/profile/files/postgresql_master/pam_postgresql
@@ -0,0 +1,3 @@
	1	auth required pam_ldap.so config=/etc/pam_ldap.d/postgresql.conf
	2	account required pam_ldap.so config=/etc/pam_ldap.d/postgresql.conf
	3


diff --git a/modules/profile/manifests/postgresql_master.pp b/modules/profile/manifests/postgresql_master.pp new file mode 100644 index 0000000..9966f0d --- /dev/null +++ b/modules/profile/manifests/postgresql_master.pp
@@ -0,0 +1,115 @@
	1	define profile::postgresql_master (
	2	$letsencrypt_host = undef,
	3	$backup_hosts = [],
	4	) {
	5	$password_seed = lookup("base_installation::puppet_pass_seed")
	6
	7	ensure_resource("file", "/var/lib/postgres/data/certs", {
	8	ensure => directory,
	9	mode => "0700",
	10	owner => $::profile::postgresql::pg_user,
	11	group => $::profile::postgresql::pg_user,
	12	require => File["/var/lib/postgres"],
	13	})
	14
	15	ensure_resource("file", "/var/lib/postgres/data/certs/cert.pem", {
	16	source => "file:///etc/letsencrypt/live/$letsencrypt_host/cert.pem",
	17	mode => "0600",
	18	links => "follow",
	19	owner => $::profile::postgresql::pg_user,
	20	group => $::profile::postgresql::pg_user,
	21	require => [Letsencrypt::Certonly[$letsencrypt_host], File["/var/lib/postgres/data/certs"]]
	22	})
	23
	24	ensure_resource("file", "/var/lib/postgres/data/certs/privkey.pem", {
	25	source => "file:///etc/letsencrypt/live/$letsencrypt_host/privkey.pem",
	26	mode => "0600",
	27	links => "follow",
	28	owner => $::profile::postgresql::pg_user,
	29	group => $::profile::postgresql::pg_user,
	30	require => [Letsencrypt::Certonly[$letsencrypt_host], File["/var/lib/postgres/data/certs"]]
	31	})
	32
	33	ensure_resource("postgresql::server::config_entry", "wal_level", {
	34	value => "logical",
	35	})
	36
	37	ensure_resource("postgresql::server::config_entry", "ssl", {
	38	value => "on",
	39	require => Letsencrypt::Certonly[$letsencrypt_host],
	40	})
	41
	42	ensure_resource("postgresql::server::config_entry", "ssl_cert_file", {
	43	value => "/var/lib/postgres/data/certs/cert.pem",
	44	require => Letsencrypt::Certonly[$letsencrypt_host],
	45	})
	46
	47	ensure_resource("postgresql::server::config_entry", "ssl_key_file", {
	48	value => "/var/lib/postgres/data/certs/privkey.pem",
	49	require => Letsencrypt::Certonly[$letsencrypt_host],
	50	})
	51
	52	$backup_hosts.each \|$backup_host\| {
	53	ensure_packages(["pam_ldap"])
	54
	55	$host = find_host($facts["ldapvar"]["other"], $backup_host)
	56	unless empty($host) {
	57	$host["ipHostNumber"].each \|$ip\| {
	58	$infos = split($ip, "/")
	59	$ipaddress = $infos[0]
	60	if (length($infos) == 1 and $ipaddress =~ /:/) {
	61	$mask = "128"
	62	} elsif (length($infos) == 1) {
	63	$mask = "32"
	64	} else {
	65	$mask = $infos[1]
	66	}
	67
	68	postgresql::server::pg_hba_rule { "allow TCP access to replication user from backup for replication from $ipaddress/$mask":
	69	type => 'hostssl',
	70	database => 'replication',
	71	user => $backup_host,
	72	address => "$ipaddress/$mask",
	73	auth_method => 'pam',
	74	order => "06-01",
	75	}
	76	}
	77
	78	postgresql::server::role { $backup_host:
	79	replication => true,
	80	}
	81
	82	postgresql_replication_slot { regsubst($backup_host, '-', "_", "G"):
	83	ensure => present
	84	}
	85	}
	86
	87	$ldap_server = lookup("base_installation::ldap_server")
	88	$ldap_base = lookup("base_installation::ldap_base")
	89	$ldap_dn = lookup("base_installation::ldap_dn")
	90	$ldap_password = generate_password(24, $password_seed, "ldap")
	91	$ldap_attribute = "cn"
	92
	93	file { "/etc/pam_ldap.d":
	94	ensure => directory,
	95	mode => "0755",
	96	owner => "root",
	97	group => "root",
	98	} ->
	99	file { "/etc/pam_ldap.d/postgresql.conf":
	100	ensure => "present",
	101	mode => "0600",
	102	owner => $::profile::postgresql::pg_user,
	103	group => "root",
	104	content => template("profile/postgresql_master/pam_ldap_postgresql.conf.erb"),
	105	} ->
	106	file { "/etc/pam.d/postgresql":
	107	ensure => "present",
	108	mode => "0644",
	109	owner => "root",
	110	group => "root",
	111	source => "puppet:///modules/profile/postgresql_master/pam_postgresql"
	112	}
	113	}
	114
	115	}


diff --git a/modules/profile/templates/postgresql_master/pam_ldap_postgresql.conf.erb b/modules/profile/templates/postgresql_master/pam_ldap_postgresql.conf.erb new file mode 100644 index 0000000..f3d9674 --- /dev/null +++ b/modules/profile/templates/postgresql_master/pam_ldap_postgresql.conf.erb
@@ -0,0 +1,6 @@
	1	host <%= @ldap_server %>
	2
	3	base <%= @ldap_base %>
	4	binddn <%= @ldap_dn %>
	5	bindpw <%= @ldap_password %>
	6	pam_login_attribute <%= @ldap_attribute %>