Replication

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2018-02-20 15:54:25 +0100
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2018-02-21 15:32:21 +0100
commit: b3015828f95acd3f239ab7a614418918f21fb8d1 (patch)
tree: d4724a0c98342711f1e34462cee9eaf08da53a5a /modules/role
parent: e17078be2c92c88e0fc8ecc88a626cdb99d0d09a (diff)
download: Puppet-b3015828f95acd3f239ab7a614418918f21fb8d1.tar.gz
Puppet-b3015828f95acd3f239ab7a614418918f21fb8d1.tar.zst
Puppet-b3015828f95acd3f239ab7a614418918f21fb8d1.zip
1 files changed, 95 insertions, 2 deletions
diff --git a/modules/role/manifests/cryptoportfolio.pp b/modules/role/manifests/cryptoportfolio.pp
index 05f2c59..e14d43d 100644
--- a/modules/role/manifests/cryptoportfolio.pp
+++ b/modules/role/manifests/cryptoportfolio.pp
@@ -8,8 +8,10 @@ class role::cryptoportfolio {
  $password_seed = lookup("base_installation::puppet_pass_seed") |$key| { {} }
  $cf_pg_user = "cryptoportfolio"
+  $cf_pg_user_replication = "cryptoportfolio_replication"
  $cf_pg_db = "cryptoportfolio"
  $cf_pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio")
+  $cf_pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication")
  $cf_pg_host = "localhost:5432"
  $cf_user = "cryptoportfolio"
@@ -27,9 +29,87 @@ class role::cryptoportfolio {
  $cf_front_app_static_conf = "${cf_front_app}/cmd/web/env/prod.env"
+  file { "/var/lib/postgres/data/certs":
+    ensure  => directory,
+    mode    => "0700",
+    owner   => $::profile::postgresql::pg_user,
+    group   => $::profile::postgresql::pg_user,
+    require => File["/var/lib/postgres"],
+  }
+  file { "/var/lib/postgres/data/certs/cert.pem":
+    source  => "file:///etc/letsencrypt/live/$cf_front_app_host/cert.pem",
+    mode    => "0600",
+    links   => "follow",
+    owner   => $::profile::postgresql::pg_user,
+    group   => $::profile::postgresql::pg_user,
+    require => [Letsencrypt::Certonly[$cf_front_app_host], File["/var/lib/postgres/data/certs"]]
+  }
+  file { "/var/lib/postgres/data/certs/privkey.pem":
+    source  => "file:///etc/letsencrypt/live/$cf_front_app_host/privkey.pem",
+    mode    => "0600",
+    links   => "follow",
+    owner   => $::profile::postgresql::pg_user,
+    group   => $::profile::postgresql::pg_user,
+    require => [Letsencrypt::Certonly[$cf_front_app_host], File["/var/lib/postgres/data/certs"]]
+  }
+  postgresql::server::config_entry { "wal_level":
+    value   => "logical",
+  }
+  postgresql::server::config_entry { "ssl":
+    value   => "on",
+    require => Letsencrypt::Certonly[$cf_front_app_host],
+  }
+  postgresql::server::config_entry { "ssl_cert_file":
+    value   => "/var/lib/postgres/data/certs/cert.pem",
+    require => Letsencrypt::Certonly[$cf_front_app_host],
+  }
+  postgresql::server::config_entry { "ssl_key_file":
+    value   => "/var/lib/postgres/data/certs/privkey.pem",
+    require => Letsencrypt::Certonly[$cf_front_app_host],
+  }
  postgresql::server::db { $cf_pg_db:
    user     =>  $cf_pg_user,
-    password =>  postgresql_password($cf_pg_user, $cf_pg_password)
+    password =>  postgresql_password($cf_pg_user, $cf_pg_password),
+  }
+  ->
+  postgresql_psql { "CREATE PUBLICATION ${cf_pg_db}_publication FOR ALL TABLES":
+    db     => $cf_pg_db,
+    unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${cf_pg_db}_publication'",
+  }
+  ->
+  postgresql::server::role { $cf_pg_user_replication:
+    db            => $cf_pg_db,
+    replication   => true,
+    password_hash => postgresql_password($cf_pg_user_replication, $cf_pg_replication_password),
+  }
+  ->
+  postgresql::server::database_grant { $cf_pg_user_replication:
+    db        => $cf_pg_db,
+    privilege => "CONNECT",
+    role      => $cf_pg_user_replication,
+  }
+  ->
+  postgresql::server::grant { "all tables in schema:public:$cf_pg_user_replication":
+    db          => $cf_pg_db,
+    role        => $cf_pg_user_replication,
+    privilege   => "SELECT",
+    object_type => "ALL TABLES IN SCHEMA",
+    object_name => "public",
+  }
+  ->
+  postgresql::server::grant { "all sequences in schema:public:$cf_pg_user_replication":
+    db          => $cf_pg_db,
+    role        => $cf_pg_user_replication,
+    privilege   => "SELECT",
+    object_type => "ALL SEQUENCES IN SCHEMA",
+    object_name => "public",
  }
  postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user':
@@ -49,6 +129,15 @@ class role::cryptoportfolio {
    order       => "b0",
  }
+  postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu':
+    type        => 'hostssl',
+    database    => $cf_pg_db,
+    user        => $cf_pg_user_replication,
+    address     => 'immae.eu',
+    auth_method => 'md5',
+    order       => "b0",
+  }
  letsencrypt::certonly { $cf_front_app_host: ;
    default: * => $::profile::apache::letsencrypt_certonly_default;
  }
@@ -157,7 +246,10 @@ class role::cryptoportfolio {
    service { 'cryptoportfolio-app':
      enable  => true,
      ensure  => "running",
-      require => [File["/etc/systemd/system/cryptoportfolio-app.service"]],
+      require => [
+        File["/etc/systemd/system/cryptoportfolio-app.service"],
+        Postgresql::Server::Db[$cf_pg_db]
+      ],
    }
    file { $cf_front_app_api_conf:
@@ -199,4 +291,5 @@ class role::cryptoportfolio {
    }
  }
+  # TODO: xmr_stack
 }
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2018-02-20 15:54:25 +0100
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2018-02-21 15:32:21 +0100
commit	b3015828f95acd3f239ab7a614418918f21fb8d1 (patch)
tree	d4724a0c98342711f1e34462cee9eaf08da53a5a /modules/role
parent	e17078be2c92c88e0fc8ecc88a626cdb99d0d09a (diff)
download	Puppet-b3015828f95acd3f239ab7a614418918f21fb8d1.tar.gz Puppet-b3015828f95acd3f239ab7a614418918f21fb8d1.tar.zst Puppet-b3015828f95acd3f239ab7a614418918f21fb8d1.zip

diff --git a/modules/role/manifests/cryptoportfolio.pp b/modules/role/manifests/cryptoportfolio.pp index 05f2c59..e14d43d 100644 --- a/modules/role/manifests/cryptoportfolio.pp +++ b/modules/role/manifests/cryptoportfolio.pp
@@ -8,8 +8,10 @@ class role::cryptoportfolio {
8	$password_seed = lookup("base_installation::puppet_pass_seed") \|$key\| { {} }	8	$password_seed = lookup("base_installation::puppet_pass_seed") \|$key\| { {} }
9		9
10	$cf_pg_user = "cryptoportfolio"	10	$cf_pg_user = "cryptoportfolio"
		11	$cf_pg_user_replication = "cryptoportfolio_replication"
11	$cf_pg_db = "cryptoportfolio"	12	$cf_pg_db = "cryptoportfolio"
12	$cf_pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio")	13	$cf_pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio")
		14	$cf_pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication")
13	$cf_pg_host = "localhost:5432"	15	$cf_pg_host = "localhost:5432"
14		16
15	$cf_user = "cryptoportfolio"	17	$cf_user = "cryptoportfolio"
@@ -27,9 +29,87 @@ class role::cryptoportfolio {
27		29
28	$cf_front_app_static_conf = "${cf_front_app}/cmd/web/env/prod.env"	30	$cf_front_app_static_conf = "${cf_front_app}/cmd/web/env/prod.env"
29		31
		32	file { "/var/lib/postgres/data/certs":
		33	ensure => directory,
		34	mode => "0700",
		35	owner => $::profile::postgresql::pg_user,
		36	group => $::profile::postgresql::pg_user,
		37	require => File["/var/lib/postgres"],
		38	}
		39
		40	file { "/var/lib/postgres/data/certs/cert.pem":
		41	source => "file:///etc/letsencrypt/live/$cf_front_app_host/cert.pem",
		42	mode => "0600",
		43	links => "follow",
		44	owner => $::profile::postgresql::pg_user,
		45	group => $::profile::postgresql::pg_user,
		46	require => [Letsencrypt::Certonly[$cf_front_app_host], File["/var/lib/postgres/data/certs"]]
		47	}
		48
		49	file { "/var/lib/postgres/data/certs/privkey.pem":
		50	source => "file:///etc/letsencrypt/live/$cf_front_app_host/privkey.pem",
		51	mode => "0600",
		52	links => "follow",
		53	owner => $::profile::postgresql::pg_user,
		54	group => $::profile::postgresql::pg_user,
		55	require => [Letsencrypt::Certonly[$cf_front_app_host], File["/var/lib/postgres/data/certs"]]
		56	}
		57
		58	postgresql::server::config_entry { "wal_level":
		59	value => "logical",
		60	}
		61
		62	postgresql::server::config_entry { "ssl":
		63	value => "on",
		64	require => Letsencrypt::Certonly[$cf_front_app_host],
		65	}
		66
		67	postgresql::server::config_entry { "ssl_cert_file":
		68	value => "/var/lib/postgres/data/certs/cert.pem",
		69	require => Letsencrypt::Certonly[$cf_front_app_host],
		70	}
		71
		72	postgresql::server::config_entry { "ssl_key_file":
		73	value => "/var/lib/postgres/data/certs/privkey.pem",
		74	require => Letsencrypt::Certonly[$cf_front_app_host],
		75	}
		76
30	postgresql::server::db { $cf_pg_db:	77	postgresql::server::db { $cf_pg_db:
31	user => $cf_pg_user,	78	user => $cf_pg_user,
32	password => postgresql_password($cf_pg_user, $cf_pg_password)	79	password => postgresql_password($cf_pg_user, $cf_pg_password),
		80	}
		81	->
		82	postgresql_psql { "CREATE PUBLICATION ${cf_pg_db}_publication FOR ALL TABLES":
		83	db => $cf_pg_db,
		84	unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${cf_pg_db}_publication'",
		85	}
		86	->
		87	postgresql::server::role { $cf_pg_user_replication:
		88	db => $cf_pg_db,
		89	replication => true,
		90	password_hash => postgresql_password($cf_pg_user_replication, $cf_pg_replication_password),
		91	}
		92	->
		93	postgresql::server::database_grant { $cf_pg_user_replication:
		94	db => $cf_pg_db,
		95	privilege => "CONNECT",
		96	role => $cf_pg_user_replication,
		97	}
		98	->
		99	postgresql::server::grant { "all tables in schema:public:$cf_pg_user_replication":
		100	db => $cf_pg_db,
		101	role => $cf_pg_user_replication,
		102	privilege => "SELECT",
		103	object_type => "ALL TABLES IN SCHEMA",
		104	object_name => "public",
		105	}
		106	->
		107	postgresql::server::grant { "all sequences in schema:public:$cf_pg_user_replication":
		108	db => $cf_pg_db,
		109	role => $cf_pg_user_replication,
		110	privilege => "SELECT",
		111	object_type => "ALL SEQUENCES IN SCHEMA",
		112	object_name => "public",
33	}	113	}
34		114
35	postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user':	115	postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user':
@@ -49,6 +129,15 @@ class role::cryptoportfolio {
49	order => "b0",	129	order => "b0",
50	}	130	}
51		131
		132	postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu':
		133	type => 'hostssl',
		134	database => $cf_pg_db,
		135	user => $cf_pg_user_replication,
		136	address => 'immae.eu',
		137	auth_method => 'md5',
		138	order => "b0",
		139	}
		140
52	letsencrypt::certonly { $cf_front_app_host: ;	141	letsencrypt::certonly { $cf_front_app_host: ;
53	default: * => $::profile::apache::letsencrypt_certonly_default;	142	default: * => $::profile::apache::letsencrypt_certonly_default;
54	}	143	}
@@ -157,7 +246,10 @@ class role::cryptoportfolio {
157	service { 'cryptoportfolio-app':	246	service { 'cryptoportfolio-app':
158	enable => true,	247	enable => true,
159	ensure => "running",	248	ensure => "running",
160	require => [File["/etc/systemd/system/cryptoportfolio-app.service"]],	249	require => [
		250	File["/etc/systemd/system/cryptoportfolio-app.service"],
		251	Postgresql::Server::Db[$cf_pg_db]
		252	],
161	}	253	}
162		254
163	file { $cf_front_app_api_conf:	255	file { $cf_front_app_api_conf:
@@ -199,4 +291,5 @@ class role::cryptoportfolio {
199	}	291	}
200	}	292	}
201		293
		294	# TODO: xmr_stack
202	}	295	}