Move postgresql replication to its right place

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2018-05-14 01:12:04 +0200
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2018-05-14 01:14:03 +0200
commit: 808f822507d47cc6e47da41e206ff9b942b506df (patch)
tree: 1854f0d3b061312810e635206a67a1c548070015 /modules/role/manifests/backup
parent: b0439bf9b68d4e11a1511b289cba15ea10588d8d (diff)
download: Puppet-808f822507d47cc6e47da41e206ff9b942b506df.tar.gz
Puppet-808f822507d47cc6e47da41e206ff9b942b506df.tar.zst
Puppet-808f822507d47cc6e47da41e206ff9b942b506df.zip
1 files changed, 163 insertions, 0 deletions
diff --git a/modules/role/manifests/backup/postgresql.pp b/modules/role/manifests/backup/postgresql.pp
new file mode 100644
index 0000000..59e4669
--- /dev/null
+++ b/modules/role/manifests/backup/postgresql.pp
@@ -0,0 +1,163 @@
+class role::backup::postgresql inherits role::backup {
+  # This manifest is supposed to be part of the backup server
+  $password_seed = lookup("base_installation::puppet_pass_seed")
+  $user = lookup("role::backup::user")
+  $group = lookup("role::backup::group")
+  $pg_user = "postgres"
+  $pg_group = "postgres"
+  $ldap_cn = lookup("base_installation::ldap_cn")
+  $ldap_password = generate_password(24, $password_seed, "ldap")
+  $pg_slot = regsubst($ldap_cn, '-', "_", "G")
+  ensure_packages(["postgresql"])
+  $pg_backup_hosts = lookup("role::backup::postgresql::backup_hosts", { "default_value" => [] })
+  $pg_backup_hosts.each |$pg_backup_host| {
+    $pg_path = "$mountpoint/$pg_backup_host/postgresql"
+    $pg_host = "$pg_backup_host"
+    $pg_port = "5432"
+    file { "$mountpoint/$pg_backup_host":
+      ensure => directory,
+      owner  => $user,
+      group  => $group,
+    }
+    file { $pg_path:
+      ensure  => directory,
+      owner   => $pg_user,
+      group   => $pg_group,
+      mode    => "0700",
+      require => File["$mountpoint/$pg_backup_host"],
+    }
+    exec { "pg_basebackup $pg_path":
+      cwd         => $pg_path,
+      user        => $pg_user,
+      creates     => "$pg_path/PG_VERSION",
+      environment => ["PGPASSWORD=$ldap_password"],
+      command     => "/usr/bin/pg_basebackup -w -h $pg_host -U $ldap_cn -D $pg_path -S $pg_slot",
+      before      => [
+        Concat["$pg_path/pg_hba.conf"],
+        Concat["$pg_path/recovery.conf"],
+        File["$pg_path/postgresql.conf"],
+      ]
+    }
+    concat { "$pg_path/pg_hba.conf":
+      owner   => $pg_user,
+      group   => $pg_group,
+      mode    => '0640',
+      warn    => true,
+    }
+    postgresql::server::pg_hba_rule { "$pg_backup_host - local access as postgres user":
+      description => 'Allow local access to postgres user',
+      type        => 'local',
+      database    => 'all',
+      user        => $pg_user,
+      auth_method => 'ident',
+      order       => "00-01",
+      target      => "$pg_path/pg_hba.conf",
+      postgresql_version => "10",
+    }
+    postgresql::server::pg_hba_rule { "$pg_backup_host - localhost access as postgres user":
+      description => 'Allow localhost access to postgres user',
+      type        => 'host',
+      database    => 'all',
+      user        => $pg_user,
+      address     => "127.0.0.1/32",
+      auth_method => 'md5',
+      order       => "00-02",
+      target      => "$pg_path/pg_hba.conf",
+      postgresql_version => "10",
+    }
+    postgresql::server::pg_hba_rule { "$pg_backup_host - localhost ip6 access as postgres user":
+      description => 'Allow localhost access to postgres user',
+      type        => 'host',
+      database    => 'all',
+      user        => $pg_user,
+      address     => "::1/128",
+      auth_method => 'md5',
+      order       => "00-03",
+      target      => "$pg_path/pg_hba.conf",
+      postgresql_version => "10",
+    }
+    postgresql::server::pg_hba_rule { "$pg_backup_host - deny access to postgresql user":
+      description => 'Deny remote access to postgres user',
+      type        => 'host',
+      database    => 'all',
+      user        => $pg_user,
+      address     => "0.0.0.0/0",
+      auth_method => 'reject',
+      order       => "00-04",
+      target      => "$pg_path/pg_hba.conf",
+      postgresql_version => "10",
+    }
+    postgresql::server::pg_hba_rule { "$pg_backup_host - local access":
+      description => 'Allow local access with password',
+      type        => 'local',
+      database    => 'all',
+      user        => 'all',
+      auth_method => 'md5',
+      order       => "10-01",
+      target      => "$pg_path/pg_hba.conf",
+      postgresql_version => "10",
+    }
+    postgresql::server::pg_hba_rule { "$pg_backup_host - local access with same name":
+      description => 'Allow local access with same name',
+      type        => 'local',
+      database    => 'all',
+      user        => 'all',
+      auth_method => 'ident',
+      order       => "10-02",
+      target      => "$pg_path/pg_hba.conf",
+      postgresql_version => "10",
+    }
+    $primary_conninfo  = "host=$pg_host port=$pg_port user=$ldap_cn password=$ldap_password sslmode=require"
+    $primary_slot_name = regsubst($ldap_cn, '-', "_", "G")
+    $standby_mode      = "on"
+    concat { "$pg_path/recovery.conf":
+      owner  => $pg_user,
+      group  => $pg_group,
+      mode   => '0640',
+      warn   => true,
+    }
+    concat::fragment { "$pg_path/recovery.conf":
+      target  => "$pg_path/recovery.conf",
+      content => template('postgresql/recovery.conf.erb'),
+    }
+    file { "$pg_path/postgresql.conf":
+      owner   => $pg_user,
+      group   => $pg_group,
+      mode    => '0640',
+      content => template("role/backup/postgresql.conf.erb"),
+    }
+    service { "postgresql_backup@$pg_backup_host":
+      enable  => true,
+      ensure  => "running",
+      require => [
+        File["/etc/systemd/system/postgresql_backup@.service"],
+        Concat["$pg_path/pg_hba.conf"],
+        Concat["$pg_path/recovery.conf"],
+        File["$pg_path/postgresql.conf"],
+      ]
+    }
+  }
+  file { "/etc/systemd/system/postgresql_backup@.service":
+    mode    => "0644",
+    owner   => "root",
+    group   => "root",
+    content => template("role/backup/postgresql_backup@.service.erb"),
+  }
+}
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2018-05-14 01:12:04 +0200
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2018-05-14 01:14:03 +0200
commit	808f822507d47cc6e47da41e206ff9b942b506df (patch)
tree	1854f0d3b061312810e635206a67a1c548070015 /modules/role/manifests/backup
parent	b0439bf9b68d4e11a1511b289cba15ea10588d8d (diff)
download	Puppet-808f822507d47cc6e47da41e206ff9b942b506df.tar.gz Puppet-808f822507d47cc6e47da41e206ff9b942b506df.tar.zst Puppet-808f822507d47cc6e47da41e206ff9b942b506df.zip

diff --git a/modules/role/manifests/backup/postgresql.pp b/modules/role/manifests/backup/postgresql.pp new file mode 100644 index 0000000..59e4669 --- /dev/null +++ b/modules/role/manifests/backup/postgresql.pp
@@ -0,0 +1,163 @@
	1	class role::backup::postgresql inherits role::backup {
	2	# This manifest is supposed to be part of the backup server
	3
	4	$password_seed = lookup("base_installation::puppet_pass_seed")
	5
	6	$user = lookup("role::backup::user")
	7	$group = lookup("role::backup::group")
	8	$pg_user = "postgres"
	9	$pg_group = "postgres"
	10
	11	$ldap_cn = lookup("base_installation::ldap_cn")
	12	$ldap_password = generate_password(24, $password_seed, "ldap")
	13	$pg_slot = regsubst($ldap_cn, '-', "_", "G")
	14
	15	ensure_packages(["postgresql"])
	16
	17	$pg_backup_hosts = lookup("role::backup::postgresql::backup_hosts", { "default_value" => [] })
	18
	19	$pg_backup_hosts.each \|$pg_backup_host\| {
	20	$pg_path = "$mountpoint/$pg_backup_host/postgresql"
	21	$pg_host = "$pg_backup_host"
	22	$pg_port = "5432"
	23
	24	file { "$mountpoint/$pg_backup_host":
	25	ensure => directory,
	26	owner => $user,
	27	group => $group,
	28	}
	29
	30	file { $pg_path:
	31	ensure => directory,
	32	owner => $pg_user,
	33	group => $pg_group,
	34	mode => "0700",
	35	require => File["$mountpoint/$pg_backup_host"],
	36	}
	37
	38	exec { "pg_basebackup $pg_path":
	39	cwd => $pg_path,
	40	user => $pg_user,
	41	creates => "$pg_path/PG_VERSION",
	42	environment => ["PGPASSWORD=$ldap_password"],
	43	command => "/usr/bin/pg_basebackup -w -h $pg_host -U $ldap_cn -D $pg_path -S $pg_slot",
	44	before => [
	45	Concat["$pg_path/pg_hba.conf"],
	46	Concat["$pg_path/recovery.conf"],
	47	File["$pg_path/postgresql.conf"],
	48	]
	49	}
	50
	51	concat { "$pg_path/pg_hba.conf":
	52	owner => $pg_user,
	53	group => $pg_group,
	54	mode => '0640',
	55	warn => true,
	56	}
	57	postgresql::server::pg_hba_rule { "$pg_backup_host - local access as postgres user":
	58	description => 'Allow local access to postgres user',
	59	type => 'local',
	60	database => 'all',
	61	user => $pg_user,
	62	auth_method => 'ident',
	63	order => "00-01",
	64	target => "$pg_path/pg_hba.conf",
	65	postgresql_version => "10",
	66	}
	67	postgresql::server::pg_hba_rule { "$pg_backup_host - localhost access as postgres user":
	68	description => 'Allow localhost access to postgres user',
	69	type => 'host',
	70	database => 'all',
	71	user => $pg_user,
	72	address => "127.0.0.1/32",
	73	auth_method => 'md5',
	74	order => "00-02",
	75	target => "$pg_path/pg_hba.conf",
	76	postgresql_version => "10",
	77	}
	78	postgresql::server::pg_hba_rule { "$pg_backup_host - localhost ip6 access as postgres user":
	79	description => 'Allow localhost access to postgres user',
	80	type => 'host',
	81	database => 'all',
	82	user => $pg_user,
	83	address => "::1/128",
	84	auth_method => 'md5',
	85	order => "00-03",
	86	target => "$pg_path/pg_hba.conf",
	87	postgresql_version => "10",
	88	}
	89	postgresql::server::pg_hba_rule { "$pg_backup_host - deny access to postgresql user":
	90	description => 'Deny remote access to postgres user',
	91	type => 'host',
	92	database => 'all',
	93	user => $pg_user,
	94	address => "0.0.0.0/0",
	95	auth_method => 'reject',
	96	order => "00-04",
	97	target => "$pg_path/pg_hba.conf",
	98	postgresql_version => "10",
	99	}
	100
	101	postgresql::server::pg_hba_rule { "$pg_backup_host - local access":
	102	description => 'Allow local access with password',
	103	type => 'local',
	104	database => 'all',
	105	user => 'all',
	106	auth_method => 'md5',
	107	order => "10-01",
	108	target => "$pg_path/pg_hba.conf",
	109	postgresql_version => "10",
	110	}
	111
	112	postgresql::server::pg_hba_rule { "$pg_backup_host - local access with same name":
	113	description => 'Allow local access with same name',
	114	type => 'local',
	115	database => 'all',
	116	user => 'all',
	117	auth_method => 'ident',
	118	order => "10-02",
	119	target => "$pg_path/pg_hba.conf",
	120	postgresql_version => "10",
	121	}
	122
	123	$primary_conninfo = "host=$pg_host port=$pg_port user=$ldap_cn password=$ldap_password sslmode=require"
	124	$primary_slot_name = regsubst($ldap_cn, '-', "_", "G")
	125	$standby_mode = "on"
	126
	127	concat { "$pg_path/recovery.conf":
	128	owner => $pg_user,
	129	group => $pg_group,
	130	mode => '0640',
	131	warn => true,
	132	}
	133	concat::fragment { "$pg_path/recovery.conf":
	134	target => "$pg_path/recovery.conf",
	135	content => template('postgresql/recovery.conf.erb'),
	136	}
	137
	138	file { "$pg_path/postgresql.conf":
	139	owner => $pg_user,
	140	group => $pg_group,
	141	mode => '0640',
	142	content => template("role/backup/postgresql.conf.erb"),
	143	}
	144
	145	service { "postgresql_backup@$pg_backup_host":
	146	enable => true,
	147	ensure => "running",
	148	require => [
	149	File["/etc/systemd/system/postgresql_backup@.service"],
	150	Concat["$pg_path/pg_hba.conf"],
	151	Concat["$pg_path/recovery.conf"],
	152	File["$pg_path/postgresql.conf"],
	153	]
	154	}
	155	}
	156
	157	file { "/etc/systemd/system/postgresql_backup@.service":
	158	mode => "0644",
	159	owner => "root",
	160	group => "root",
	161	content => template("role/backup/postgresql_backup@.service.erb"),
	162	}
	163	}