Refactor cryptoportfolio postgresql

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2018-06-28 10:32:57 +0200
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2018-06-28 12:14:44 +0200
commit: 3925777d9715d271c0643faef9f520e7816dba89 (patch)
tree: c6e3832098d19917b0ba0bcbe119103c632c7d29 /modules/role
parent: 436cae5ebfd889b1bf625b757939a57842b564da (diff)
download: Puppet-3925777d9715d271c0643faef9f520e7816dba89.tar.gz
Puppet-3925777d9715d271c0643faef9f520e7816dba89.tar.zst
Puppet-3925777d9715d271c0643faef9f520e7816dba89.zip
1 files changed, 20 insertions, 174 deletions
diff --git a/modules/role/manifests/cryptoportfolio/postgresql.pp b/modules/role/manifests/cryptoportfolio/postgresql.pp
index 776b30f..addad67 100644
--- a/modules/role/manifests/cryptoportfolio/postgresql.pp
+++ b/modules/role/manifests/cryptoportfolio/postgresql.pp
@@ -2,194 +2,40 @@ class role::cryptoportfolio::postgresql inherits role::cryptoportfolio {
  $password_seed = lookup("base_installation::puppet_pass_seed")
  $pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio")
-  $pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication")
-  file { "/var/lib/postgres/data/certs":
+  profile::postgresql::master { "postgresql master for cryptoportfolio":
-    ensure  => directory,
+    letsencrypt_host => $web_host,
-    mode    => "0700",
+    backup_hosts     => ["backup-1"],
-    owner   => $::profile::postgresql::pg_user,
-    group   => $::profile::postgresql::pg_user,
-    require => File["/var/lib/postgres"],
-  }
-  file { "/var/lib/postgres/data/certs/cert.pem":
-    source  => "file:///etc/letsencrypt/live/$web_host/cert.pem",
-    mode    => "0600",
-    links   => "follow",
-    owner   => $::profile::postgresql::pg_user,
-    group   => $::profile::postgresql::pg_user,
-    require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
-  }
-  file { "/var/lib/postgres/data/certs/privkey.pem":
-    source  => "file:///etc/letsencrypt/live/$web_host/privkey.pem",
-    mode    => "0600",
-    links   => "follow",
-    owner   => $::profile::postgresql::pg_user,
-    group   => $::profile::postgresql::pg_user,
-    require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
-  }
-  postgresql_replication_slot { $pg_user_replication:
-    ensure => present
-  }
-  postgresql::server::config_entry { "wal_level":
-    value   => "logical",
-  }
-  postgresql::server::config_entry { "ssl":
-    value   => "on",
-    require => Letsencrypt::Certonly[$web_host],
-  }
-  postgresql::server::config_entry { "ssl_cert_file":
-    value   => "/var/lib/postgres/data/certs/cert.pem",
-    require => Letsencrypt::Certonly[$web_host],
-  }
-  postgresql::server::config_entry { "ssl_key_file":
-    value   => "/var/lib/postgres/data/certs/privkey.pem",
-    require => Letsencrypt::Certonly[$web_host],
  }
  postgresql::server::db { $pg_db:
    user     =>  $pg_user,
    password =>  postgresql_password($pg_user, $pg_password),
  }
-  ->
-  postgresql_psql { "CREATE PUBLICATION ${pg_db}_publication FOR ALL TABLES":
-    db     => $pg_db,
-    unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${pg_db}_publication'",
-  }
-  ->
-  postgresql::server::role { $pg_user_replication:
-    db            => $pg_db,
-    replication   => true,
-    password_hash => postgresql_password($pg_user_replication, $pg_replication_password),
-  }
-  ->
-  postgresql::server::database_grant { $pg_user_replication:
-    db        => $pg_db,
-    privilege => "CONNECT",
-    role      => $pg_user_replication,
-  }
-  ->
-  postgresql::server::grant { "all tables in schema:public:$pg_user_replication":
-    db          => $pg_db,
-    role        => $pg_user_replication,
-    privilege   => "SELECT",
-    object_type => "ALL TABLES IN SCHEMA",
-    object_name => "public",
-  }
-  ->
-  postgresql::server::grant { "all sequences in schema:public:$pg_user_replication":
-    db          => $pg_db,
-    role        => $pg_user_replication,
-    privilege   => "SELECT",
-    object_type => "ALL SEQUENCES IN SCHEMA",
-    object_name => "public",
-  }
  postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user':
-    type        => 'host',
+    type        => 'local',
    database    => $pg_db,
    user        => $pg_user,
-    address     => '127.0.0.1/32',
+    auth_method => 'ident',
-    auth_method => 'md5',
    order       => "05-01",
  }
-  postgresql::server::pg_hba_rule { 'allow localhost ip6 TCP access to cryptoportfolio user':
-    type        => 'host',
-    database    => $pg_db,
-    user        => $pg_user,
-    address     => '::1/128',
-    auth_method => 'md5',
-    order       => "05-01",
-  }
-  postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu for replication':
-    type        => 'hostssl',
-    database    => 'replication',
-    user        => $pg_user_replication,
-    address     => 'immae.eu',
-    auth_method => 'md5',
-    order       => "05-01",
-  }
-  postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu':
-    type        => 'hostssl',
-    database    => $pg_db,
-    user        => $pg_user_replication,
-    address     => 'immae.eu',
-    auth_method => 'md5',
-    order       => "05-02",
-  }
-  $backup_host = "backup-1"
-  unless empty($backup_host) {
+  # cleanup
-    ensure_packages(["pam_ldap"])
+  postgresql_psql { "DROP PUBLICATION ${pg_db}_publication":
+    db     => $pg_db,
-    $facts["ldapvar"]["other"].each |$host| {
+    onlyif => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${pg_db}_publication'",
-      if ($host["cn"][0] == $backup_host) {
+  } ->
-        $host["ipHostNumber"].each |$ip| {
+  postgresql_replication_slot { $pg_user_replication:
-          $infos = split($ip, "/")
+    ensure => absent
-          $ipaddress = $infos[0]
+  } ->
-          if (length($infos) == 1 and $ipaddress =~ /:/) {
+  postgresql_psql { "DROP OWNED BY $pg_user_replication":
-            $mask = "128"
+    db     => $pg_db,
-          } elsif (length($infos) == 1) {
+    onlyif => "SELECT 1 FROM pg_user WHERE usename='$pg_user_replication'"
-            $mask = "32"
+  } ->
-          } else {
+  postgresql::server::role { $pg_user_replication:
-            $mask = $infos[1]
+    ensure        => absent,
-          }
-          postgresql::server::pg_hba_rule { "allow TCP access to replication user from backup for replication from $ipaddress/$mask":
-            type        => 'hostssl',
-            database    => 'replication',
-            user        => 'all',
-            address     => "$ipaddress/$mask",
-            auth_method => 'pam',
-            order       => "06-01",
-          }
-        }
-        postgresql::server::role { $backup_host:
-          replication => true,
-        }
-        postgresql_replication_slot { regsubst($backup_host, '-', "_", "G"):
-          ensure => present
-        }
-      }
-    }
-    $ldap_server = lookup("base_installation::ldap_server")
-    $ldap_base   = lookup("base_installation::ldap_base")
-    $ldap_dn     = lookup("base_installation::ldap_dn")
-    $ldap_password = generate_password(24, $password_seed, "ldap")
-    $ldap_attribute = "cn"
-    file { "/etc/pam_ldap.d":
-      ensure => directory,
-      mode   => "0755",
-      owner  => "root",
-      group  => "root",
-    } ->
-    file { "/etc/pam_ldap.d/postgresql.conf":
-      ensure  => "present",
-      mode    => "0600",
-      owner   => $::profile::postgresql::pg_user,
-      group   => "root",
-      content => template("role/cryptoportfolio/pam_ldap_postgresql.conf.erb"),
-    } ->
-    file { "/etc/pam.d/postgresql":
-      ensure => "present",
-      mode   => "0644",
-      owner  => "root",
-      group  => "root",
-      source => "puppet:///modules/role/cryptoportfolio/pam_postgresql"
-    }
  }
+  # /cleanup
 }
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2018-06-28 10:32:57 +0200
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2018-06-28 12:14:44 +0200
commit	3925777d9715d271c0643faef9f520e7816dba89 (patch)
tree	c6e3832098d19917b0ba0bcbe119103c632c7d29 /modules/role
parent	436cae5ebfd889b1bf625b757939a57842b564da (diff)
download	Puppet-3925777d9715d271c0643faef9f520e7816dba89.tar.gz Puppet-3925777d9715d271c0643faef9f520e7816dba89.tar.zst Puppet-3925777d9715d271c0643faef9f520e7816dba89.zip

diff --git a/modules/role/manifests/cryptoportfolio/postgresql.pp b/modules/role/manifests/cryptoportfolio/postgresql.pp index 776b30f..addad67 100644 --- a/modules/role/manifests/cryptoportfolio/postgresql.pp +++ b/modules/role/manifests/cryptoportfolio/postgresql.pp
@@ -2,194 +2,40 @@ class role::cryptoportfolio::postgresql inherits role::cryptoportfolio {
2	$password_seed = lookup("base_installation::puppet_pass_seed")	2	$password_seed = lookup("base_installation::puppet_pass_seed")
3		3
4	$pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio")	4	$pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio")
5	$pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication")
6		5
7	file { "/var/lib/postgres/data/certs":	6	profile::postgresql::master { "postgresql master for cryptoportfolio":
8	ensure => directory,	7	letsencrypt_host => $web_host,
9	mode => "0700",	8	backup_hosts => ["backup-1"],
10	owner => $::profile::postgresql::pg_user,
11	group => $::profile::postgresql::pg_user,
12	require => File["/var/lib/postgres"],
13	}
14
15	file { "/var/lib/postgres/data/certs/cert.pem":
16	source => "file:///etc/letsencrypt/live/$web_host/cert.pem",
17	mode => "0600",
18	links => "follow",
19	owner => $::profile::postgresql::pg_user,
20	group => $::profile::postgresql::pg_user,
21	require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
22	}
23
24	file { "/var/lib/postgres/data/certs/privkey.pem":
25	source => "file:///etc/letsencrypt/live/$web_host/privkey.pem",
26	mode => "0600",
27	links => "follow",
28	owner => $::profile::postgresql::pg_user,
29	group => $::profile::postgresql::pg_user,
30	require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
31	}
32
33	postgresql_replication_slot { $pg_user_replication:
34	ensure => present
35	}
36
37	postgresql::server::config_entry { "wal_level":
38	value => "logical",
39	}
40
41	postgresql::server::config_entry { "ssl":
42	value => "on",
43	require => Letsencrypt::Certonly[$web_host],
44	}
45
46	postgresql::server::config_entry { "ssl_cert_file":
47	value => "/var/lib/postgres/data/certs/cert.pem",
48	require => Letsencrypt::Certonly[$web_host],
49	}
50
51	postgresql::server::config_entry { "ssl_key_file":
52	value => "/var/lib/postgres/data/certs/privkey.pem",
53	require => Letsencrypt::Certonly[$web_host],
54	}	9	}
55		10
56	postgresql::server::db { $pg_db:	11	postgresql::server::db { $pg_db:
57	user => $pg_user,	12	user => $pg_user,
58	password => postgresql_password($pg_user, $pg_password),	13	password => postgresql_password($pg_user, $pg_password),
59	}	14	}
60	->
61	postgresql_psql { "CREATE PUBLICATION ${pg_db}_publication FOR ALL TABLES":
62	db => $pg_db,
63	unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${pg_db}_publication'",
64	}
65	->
66	postgresql::server::role { $pg_user_replication:
67	db => $pg_db,
68	replication => true,
69	password_hash => postgresql_password($pg_user_replication, $pg_replication_password),
70	}
71	->
72	postgresql::server::database_grant { $pg_user_replication:
73	db => $pg_db,
74	privilege => "CONNECT",
75	role => $pg_user_replication,
76	}
77	->
78	postgresql::server::grant { "all tables in schema:public:$pg_user_replication":
79	db => $pg_db,
80	role => $pg_user_replication,
81	privilege => "SELECT",
82	object_type => "ALL TABLES IN SCHEMA",
83	object_name => "public",
84	}
85	->
86	postgresql::server::grant { "all sequences in schema:public:$pg_user_replication":
87	db => $pg_db,
88	role => $pg_user_replication,
89	privilege => "SELECT",
90	object_type => "ALL SEQUENCES IN SCHEMA",
91	object_name => "public",
92	}
93		15
94	postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user':	16	postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user':
95	type => 'host',	17	type => 'local',
96	database => $pg_db,	18	database => $pg_db,
97	user => $pg_user,	19	user => $pg_user,
98	address => '127.0.0.1/32',	20	auth_method => 'ident',
99	auth_method => 'md5',
100	order => "05-01",	21	order => "05-01",
101	}	22	}
102	postgresql::server::pg_hba_rule { 'allow localhost ip6 TCP access to cryptoportfolio user':
103	type => 'host',
104	database => $pg_db,
105	user => $pg_user,
106	address => '::1/128',
107	auth_method => 'md5',
108	order => "05-01",
109	}
110
111	postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu for replication':
112	type => 'hostssl',
113	database => 'replication',
114	user => $pg_user_replication,
115	address => 'immae.eu',
116	auth_method => 'md5',
117	order => "05-01",
118	}
119
120	postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu':
121	type => 'hostssl',
122	database => $pg_db,
123	user => $pg_user_replication,
124	address => 'immae.eu',
125	auth_method => 'md5',
126	order => "05-02",
127	}
128
129	$backup_host = "backup-1"
130		23
131	unless empty($backup_host) {	24	# cleanup
132	ensure_packages(["pam_ldap"])	25	postgresql_psql { "DROP PUBLICATION ${pg_db}_publication":
133		26	db => $pg_db,
134	$facts["ldapvar"]["other"].each \|$host\| {	27	onlyif => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${pg_db}_publication'",
135	if ($host["cn"][0] == $backup_host) {	28	} ->
136	$host["ipHostNumber"].each \|$ip\| {	29	postgresql_replication_slot { $pg_user_replication:
137	$infos = split($ip, "/")	30	ensure => absent
138	$ipaddress = $infos[0]	31	} ->
139	if (length($infos) == 1 and $ipaddress =~ /:/) {	32	postgresql_psql { "DROP OWNED BY $pg_user_replication":
140	$mask = "128"	33	db => $pg_db,
141	} elsif (length($infos) == 1) {	34	onlyif => "SELECT 1 FROM pg_user WHERE usename='$pg_user_replication'"
142	$mask = "32"	35	} ->
143	} else {	36	postgresql::server::role { $pg_user_replication:
144	$mask = $infos[1]	37	ensure => absent,
145	}
146
147	postgresql::server::pg_hba_rule { "allow TCP access to replication user from backup for replication from $ipaddress/$mask":
148	type => 'hostssl',
149	database => 'replication',
150	user => 'all',
151	address => "$ipaddress/$mask",
152	auth_method => 'pam',
153	order => "06-01",
154	}
155	}
156
157	postgresql::server::role { $backup_host:
158	replication => true,
159	}
160
161	postgresql_replication_slot { regsubst($backup_host, '-', "_", "G"):
162	ensure => present
163	}
164	}
165	}
166
167	$ldap_server = lookup("base_installation::ldap_server")
168	$ldap_base = lookup("base_installation::ldap_base")
169	$ldap_dn = lookup("base_installation::ldap_dn")
170	$ldap_password = generate_password(24, $password_seed, "ldap")
171	$ldap_attribute = "cn"
172
173	file { "/etc/pam_ldap.d":
174	ensure => directory,
175	mode => "0755",
176	owner => "root",
177	group => "root",
178	} ->
179	file { "/etc/pam_ldap.d/postgresql.conf":
180	ensure => "present",
181	mode => "0600",
182	owner => $::profile::postgresql::pg_user,
183	group => "root",
184	content => template("role/cryptoportfolio/pam_ldap_postgresql.conf.erb"),
185	} ->
186	file { "/etc/pam.d/postgresql":
187	ensure => "present",
188	mode => "0644",
189	owner => "root",
190	group => "root",
191	source => "puppet:///modules/role/cryptoportfolio/pam_postgresql"
192	}
193	}	38	}
		39	# /cleanup
194		40
195	}	41	}