author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2018-05-13 16:54:03 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2018-05-14 00:36:43 +0200 |
commit | 6d1c9c43fb2133689d814cfc84a4942ceec5c1c7 (patch) | |
tree | fbbaec6a735433be8d1da2c949df9ea50fe97539 /modules/role/manifests/cryptoportfolio/postgresql_backup.pp | |
parent | a859ab30660104d25485824afa1c23de454bb5ed (diff) | |
Add cryptoportfolio postgresql backup
Diffstat (limited to 'modules/role/manifests/cryptoportfolio/postgresql_backup.pp')
-rw-r--r-- | modules/role/manifests/cryptoportfolio/postgresql_backup.pp | 161 |
1 files changed, 161 insertions, 0 deletions
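--- /dev/null
+++ b/modules/role/manifests/cryptoportfolio/postgresql_backup.pp
@@ -0,0 +1,161 @@
+class role::cryptoportfolio::postgresql_backup inherits role::backup {
+  # This manifest is supposed to be part of the backup server
+
+  $password_seed = lookup("base_installation::puppet_pass_seed")
+
+  $user = lookup("role::backup::user")
+  $group = lookup("role::backup::group")
+  $pg_user = "postgres"
+  $pg_group = "postgres"
+
+  $ldap_cn = lookup("base_installation::ldap_cn")
+  $ldap_password = generate_password(24, $password_seed, "ldap")
+  $pg_slot = regsubst($ldap_cn, '-', "_", "G")
+
+  ensure_packages(["postgresql"])
+
+  $pg_backup_hosts = ["cryptoportfolio-dev.immae.eu"]
+
+  $pg_backup_hosts.each |$pg_backup_host| {
+    $pg_path = "$mountpoint/$pg_backup_host/postgresql"
+    $pg_host = "$pg_backup_host"
+    $pg_port = "5432"
+
+    file { "$mountpoint/$pg_backup_host":
+      ensure => directory,
+      owner => $user,
+      group => $group,
+    }
+
+    file { $pg_path:
+      ensure => directory,
+      owner => $pg_user,
+      group => $pg_group,
+      mode => "0700",
+      require => File["$mountpoint/$pg_backup_host"],
+    }
+
+    exec { "pg_basebackup $pg_path":
+      cwd => $pg_path,
+      user => $pg_user,
+      creates => "$pg_path/PG_VERSION",
+      environment => ["PGPASSWORD=$ldap_password"],
+      command => "/usr/bin/pg_basebackup -w -h $pg_host -U $ldap_cn -D $pg_path -S $pg_slot",
+      before => [
+        Concat["$pg_path/pg_hba.conf"],
+        Concat["$pg_path/recovery.conf"],
+        File["$pg_path/postgresql.conf"],
+      ]
+    }
+
+    concat { "$pg_path/pg_hba.conf":
+      owner => $pg_user,
+      group => $pg_group,
+      mode => '0640',
+      warn => true,
+    }
+    postgresql::server::pg_hba_rule { "$pg_backup_host - local access as postgres user":
+      description => 'Allow local access to postgres user',
+      type => 'local',
+      database => 'all',
+      user => $pg_user,
+      auth_method => 'ident',
+      order => "00-01",
+      target => "$pg_path/pg_hba.conf",
+      postgresql_version => "10",
+    }
+    postgresql::server::pg_hba_rule { "$pg_backup_host - localhost access as postgres user":
+      description => 'Allow localhost access to postgres user',
+      type => 'host',
+      database => 'all',
+      user => $pg_user,
+      address => "127.0.0.1/32",
+      auth_method => 'md5',
+      order => "00-02",
+      target => "$pg_path/pg_hba.conf",
+      postgresql_version => "10",
+    }
+    postgresql::server::pg_hba_rule { "$pg_backup_host - localhost ip6 access as postgres user":
+      description => 'Allow localhost access to postgres user',
+      type => 'host',
+      database => 'all',
+      user => $pg_user,
+      address => "::1/128",
+      auth_method => 'md5',
+      order => "00-03",
+      target => "$pg_path/pg_hba.conf",
+      postgresql_version => "10",
+    }
+    postgresql::server::pg_hba_rule { "$pg_backup_host - deny access to postgresql user":
+      description => 'Deny remote access to postgres user',
+      type => 'host',
+      database => 'all',
+      user => $pg_user,
+      address => "0.0.0.0/0",
+      auth_method => 'reject',
+      order => "00-04",
+      target => "$pg_path/pg_hba.conf",
+      postgresql_version => "10",
+    }
+
+    postgresql::server::pg_hba_rule { "$pg_backup_host - local access":
+      description => 'Allow local access with password',
+      type => 'local',
+      database => 'all',
+      user => 'all',
+      auth_method => 'md5',
+      order => "10-01",
+      target => "$pg_path/pg_hba.conf",
+      postgresql_version => "10",
+    }
+
+    postgresql::server::pg_hba_rule { "$pg_backup_host - local access with same name":
+      description => 'Allow local access with same name',
+      type => 'local',
+      database => 'all',
+      user => 'all',
+      auth_method => 'ident',
+      order => "10-02",
+      target => "$pg_path/pg_hba.conf",
+      postgresql_version => "10",
+    }
+
+    concat { "$pg_path/recovery.conf":
+      owner => $pg_user,
+      group => $pg_group,
+      mode => '0640',
+      warn => true,
+    }
+    postgresql::server::recovery { "$pg_backup_host recovery":
+      primary_conninfo => "host=$pg_host port=$pg_port user=$ldap_cn password=$ldap_password sslmode=require",
+      primary_slot_name => regsubst($ldap_cn, '-', "_", "G"),
+      standby_mode => "on",
+      target => "$pg_path/recovery.conf",
+    }
+
+    file { "$pg_path/postgresql.conf":
+      owner => $pg_user,
+      group => $pg_group,
+      mode => '0640',
+      content => template("role/cryptoportfolio/postgresql_backup.conf.erb"),
+    }
+
+    service { "postgresql_backup@$pg_backup_host":
+      enable => true,
+      ensure => "running",
+      require => [
+        File["/etc/systemd/system/postgresql_backup@.service"],
+        Concat["$pg_path/pg_hba.conf"],
+        Concat["$pg_path/recovery.conf"],
+        File["$pg_path/postgresql.conf"],
+      ]
+    }
+  }
+
+  file { "/etc/systemd/system/postgresql_backup@.service":
+    mode => "0644",
+    owner => "root",
+    group => "root",
+    content => template("role/cryptoportfolio/postgresql_backup@.service.erb"),
+  }
+}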
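Review bot: The initial `pg_basebackup` exec (hunk lines 42-43) sets no `sslmode`, so libpq's default `prefer` lets the whole base backup and the replication credential for `$ldap_cn` go over an unencrypted connection to `$pg_host` if TLS negotiation fails or is stripped, while the streaming side in recovery.conf (line 130) uses `sslmode=require`, which encrypts but never checks the primary's identity. Both should pin the server: `environment => ["PGPASSWORD=$ldap_password", "PGSSLMODE=verify-full"]` for the exec and `sslmode=verify-full` in `primary_conninfo`, which also needs the issuing CA via `sslrootcert=`/`PGSSLROOTCERT` — that path is not visible in this manifest and presumably lives with the rest of the backup-role configuration. Note also that the same generated value is reused as the LDAP password and as the PostgreSQL replication password, and it lands in clear text in `$pg_path/recovery.conf` (0640, inside the 0700 data directory); if that reuse is intentional it is worth a one-line comment next to `$ldap_password`, otherwise a dedicated replication secret would limit the blast radius of a compromised backup host.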