diff options
| author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2018-06-28 12:17:40 +0200 |
|---|---|---|
| committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2018-06-28 12:17:40 +0200 |
| commit | 0a145a25c0a8cbcd50d515d2a828bd6665836ddb (patch) | |
| tree | c6e3832098d19917b0ba0bcbe119103c632c7d29 /modules/role | |
| parent | f1d583bfdaf881116e5f9ca9e050307e7acdc28e (diff) | |
| parent | 3925777d9715d271c0643faef9f520e7816dba89 (diff) | |
| download | Puppet-0a145a25c0a8cbcd50d515d2a828bd6665836ddb.tar.gz Puppet-0a145a25c0a8cbcd50d515d2a828bd6665836ddb.tar.zst Puppet-0a145a25c0a8cbcd50d515d2a828bd6665836ddb.zip | |
Merge branch 'refactoring' into dev
Diffstat (limited to 'modules/role')
| -rw-r--r-- | modules/role/files/backup/pam_pgbouncer | 3 | ||||
| -rw-r--r-- | modules/role/manifests/backup.pp | 8 | ||||
| -rw-r--r-- | modules/role/manifests/backup/postgresql.pp | 376 | ||||
| -rw-r--r-- | modules/role/manifests/cryptoportfolio/postgresql.pp | 194 | ||||
| -rw-r--r-- | modules/role/manifests/etherpad.pp | 2 | ||||
| -rw-r--r-- | modules/role/templates/backup/pam_ldap_pgbouncer.conf.erb | 7 | ||||
| -rw-r--r-- | modules/role/templates/backup/pgbouncer.ini.erb | 15 | ||||
| -rw-r--r-- | modules/role/templates/backup/postgresql_backup@.service.erb | 34 |
8 files changed, 29 insertions, 610 deletions
diff --git a/modules/role/files/backup/pam_pgbouncer b/modules/role/files/backup/pam_pgbouncer deleted file mode 100644 index 13f0d3d..0000000 --- a/modules/role/files/backup/pam_pgbouncer +++ /dev/null | |||
| @@ -1,3 +0,0 @@ | |||
| 1 | auth required pam_ldap.so config=/etc/pam_ldap.d/pgbouncer.conf | ||
| 2 | account required pam_ldap.so config=/etc/pam_ldap.d/pgbouncer.conf | ||
| 3 | |||
diff --git a/modules/role/manifests/backup.pp b/modules/role/manifests/backup.pp index 51b689d..b35c542 100644 --- a/modules/role/manifests/backup.pp +++ b/modules/role/manifests/backup.pp | |||
| @@ -17,14 +17,6 @@ class role::backup ( | |||
| 17 | 17 | ||
| 18 | include "role::backup::postgresql" | 18 | include "role::backup::postgresql" |
| 19 | 19 | ||
| 20 | ensure_packages(["python", "python-pip"]) | ||
| 21 | package { "pylog2rotate": | ||
| 22 | source => "git+https://github.com/avian2/pylog2rotate", | ||
| 23 | ensure => present, | ||
| 24 | provider => "pip3", | ||
| 25 | require => Package["python-pip"], | ||
| 26 | } | ||
| 27 | |||
| 28 | ensure_packages(["rsync"]) | 20 | ensure_packages(["rsync"]) |
| 29 | 21 | ||
| 30 | ssh_keygen { $user: | 22 | ssh_keygen { $user: |
diff --git a/modules/role/manifests/backup/postgresql.pp b/modules/role/manifests/backup/postgresql.pp index ee62a00..8a65dec 100644 --- a/modules/role/manifests/backup/postgresql.pp +++ b/modules/role/manifests/backup/postgresql.pp | |||
| @@ -1,381 +1,21 @@ | |||
| 1 | class role::backup::postgresql inherits role::backup { | 1 | class role::backup::postgresql inherits role::backup { |
| 2 | # This manifest is supposed to be part of the backup server | 2 | ensure_packages(["postgresql"]) |
| 3 | |||
| 4 | $password_seed = lookup("base_installation::puppet_pass_seed") | ||
| 5 | |||
| 6 | $user = lookup("role::backup::user") | ||
| 7 | $group = lookup("role::backup::group") | ||
| 8 | $pg_user = "postgres" | ||
| 9 | $pg_group = "postgres" | ||
| 10 | |||
| 11 | $ldap_cn = lookup("base_installation::ldap_cn") | ||
| 12 | $ldap_password = generate_password(24, $password_seed, "ldap") | ||
| 13 | $ldap_server = lookup("base_installation::ldap_server") | ||
| 14 | $ldap_base = lookup("base_installation::ldap_base") | ||
| 15 | $ldap_dn = lookup("base_installation::ldap_dn") | ||
| 16 | $pgbouncer_ldap_attribute = "uid" | ||
| 17 | |||
| 18 | $pg_slot = regsubst($ldap_cn, '-', "_", "G") | ||
| 19 | |||
| 20 | ensure_packages(["postgresql", "pgbouncer", "pam_ldap"]) | ||
| 21 | 3 | ||
| 22 | $pg_backup_hosts = lookup("role::backup::postgresql::backup_hosts", { "default_value" => {} }) | 4 | $pg_backup_hosts = lookup("role::backup::postgresql::backup_hosts", { "default_value" => {} }) |
| 23 | $ldap_filter = lookup("role::backup::postgresql::pgbouncer_access_filter", { "default_value" => undef }) | ||
| 24 | |||
| 25 | unless empty($pg_backup_hosts) { | ||
| 26 | file { "/etc/systemd/system/postgresql_backup@.service": | ||
| 27 | mode => "0644", | ||
| 28 | owner => "root", | ||
| 29 | group => "root", | ||
| 30 | content => template("role/backup/postgresql_backup@.service.erb"), | ||
| 31 | } | ||
| 32 | |||
| 33 | unless empty($ldap_filter) { | ||
| 34 | concat { "/etc/pgbouncer/pgbouncer.ini": | ||
| 35 | mode => "0644", | ||
| 36 | owner => "root", | ||
| 37 | group => "root", | ||
| 38 | ensure_newline => true, | ||
| 39 | notify => Service["pgbouncer"], | ||
| 40 | } | ||
| 41 | |||
| 42 | concat::fragment { "pgbouncer_head": | ||
| 43 | target => "/etc/pgbouncer/pgbouncer.ini", | ||
| 44 | order => "01", | ||
| 45 | content => template("role/backup/pgbouncer.ini.erb"), | ||
| 46 | } | ||
| 47 | |||
| 48 | file { "/etc/systemd/system/pgbouncer.service.d": | ||
| 49 | ensure => "directory", | ||
| 50 | mode => "0644", | ||
| 51 | owner => "root", | ||
| 52 | group => "root", | ||
| 53 | } | ||
| 54 | |||
| 55 | file { "/etc/systemd/system/pgbouncer.service.d/override.conf": | ||
| 56 | ensure => "present", | ||
| 57 | mode => "0644", | ||
| 58 | owner => "root", | ||
| 59 | group => "root", | ||
| 60 | content => "[Service]\nUser=\nUser=$pg_user\n", | ||
| 61 | notify => Service["pgbouncer"], | ||
| 62 | } | ||
| 63 | |||
| 64 | service { "pgbouncer": | ||
| 65 | ensure => "running", | ||
| 66 | enable => true, | ||
| 67 | require => [ | ||
| 68 | Package["pgbouncer"], | ||
| 69 | File["/etc/systemd/system/pgbouncer.service.d/override.conf"], | ||
| 70 | Concat["/etc/pgbouncer/pgbouncer.ini"] | ||
| 71 | ], | ||
| 72 | } | ||
| 73 | |||
| 74 | file { "/etc/pam_ldap.d/pgbouncer.conf": | ||
| 75 | ensure => "present", | ||
| 76 | mode => "0600", | ||
| 77 | owner => $pg_user, | ||
| 78 | group => "root", | ||
| 79 | content => template("role/backup/pam_ldap_pgbouncer.conf.erb"), | ||
| 80 | require => File["/etc/pam_ldap.d"], | ||
| 81 | } -> | ||
| 82 | file { "/etc/pam.d/pgbouncer": | ||
| 83 | ensure => "present", | ||
| 84 | mode => "0644", | ||
| 85 | owner => "root", | ||
| 86 | group => "root", | ||
| 87 | source => "puppet:///modules/role/backup/pam_pgbouncer" | ||
| 88 | } | ||
| 89 | } | ||
| 90 | } | ||
| 91 | |||
| 92 | $ldap_attribute = "cn" | ||
| 93 | |||
| 94 | file { "/etc/pam_ldap.d": | ||
| 95 | ensure => directory, | ||
| 96 | mode => "0755", | ||
| 97 | owner => "root", | ||
| 98 | group => "root", | ||
| 99 | } -> | ||
| 100 | file { "/etc/pam_ldap.d/postgresql.conf": | ||
| 101 | ensure => "present", | ||
| 102 | mode => "0600", | ||
| 103 | owner => $pg_user, | ||
| 104 | group => "root", | ||
| 105 | content => template("profile/postgresql_master/pam_ldap_postgresql.conf.erb"), | ||
| 106 | } -> | ||
| 107 | file { "/etc/pam.d/postgresql": | ||
| 108 | ensure => "present", | ||
| 109 | mode => "0644", | ||
| 110 | owner => "root", | ||
| 111 | group => "root", | ||
| 112 | source => "puppet:///modules/profile/postgresql_master/pam_postgresql" | ||
| 113 | } | ||
| 114 | 5 | ||
| 115 | $pg_backup_hosts.each |$backup_host_cn, $pg_infos| { | 6 | $pg_backup_hosts.each |$backup_host_cn, $pg_infos| { |
| 116 | $host = find_host($facts["ldapvar"]["other"], $backup_host_cn) | 7 | profile::postgresql::backup_replication { $backup_host_cn: |
| 117 | if empty($host) { | 8 | base_path => $mountpoint, |
| 118 | $pg_backup_host = $backup_host_cn | 9 | pg_infos => $pg_infos, |
| 119 | } elsif has_key($host["vars"], "host") { | ||
| 120 | $pg_backup_host = $host["vars"]["host"][0] | ||
| 121 | } else { | ||
| 122 | $pg_backup_host = $host["vars"]["real_hostname"][0] | ||
| 123 | } | ||
| 124 | |||
| 125 | $pg_path = "$mountpoint/$pg_backup_host/postgresql" | ||
| 126 | $pg_backup_path = "$mountpoint/$pg_backup_host/postgresql_backup" | ||
| 127 | $pg_host = "$pg_backup_host" | ||
| 128 | $pg_port = $pg_infos["dbport"] | ||
| 129 | |||
| 130 | if has_key($host["vars"], "postgresql_backup_port") { | ||
| 131 | $pg_listen_port = $host["vars"]["postgresql_backup_port"][0] | ||
| 132 | file { "$pg_path/certs": | ||
| 133 | ensure => directory, | ||
| 134 | mode => "0700", | ||
| 135 | owner => $pg_user, | ||
| 136 | group => $pg_group, | ||
| 137 | } -> | ||
| 138 | ssl::self_signed_certificate { $backup_host_cn: | ||
| 139 | common_name => $backup_host_cn, | ||
| 140 | country => "FR", | ||
| 141 | days => "3650", | ||
| 142 | organization => "Immae", | ||
| 143 | owner => $pg_user, | ||
| 144 | group => $pg_group, | ||
| 145 | directory => "$pg_path/certs", | ||
| 146 | before => File["$pg_path/postgresql.conf"], | ||
| 147 | } | ||
| 148 | $ssl_key = "$pg_path/certs/$backup_host_cn.key" | ||
| 149 | $ssl_cert = "$pg_path/certs/$backup_host_cn.crt" | ||
| 150 | } else { | ||
| 151 | $pg_listen_port = undef | ||
| 152 | $ssl_key = undef | ||
| 153 | $ssl_cert = undef | ||
| 154 | } | ||
| 155 | |||
| 156 | |||
| 157 | unless empty($host) { | ||
| 158 | $host["ipHostNumber"].each |$ip| { | ||
| 159 | $infos = split($ip, "/") | ||
| 160 | $ipaddress = $infos[0] | ||
| 161 | if (length($infos) == 1 and $ipaddress =~ /:/) { | ||
| 162 | $mask = "128" | ||
| 163 | } elsif (length($infos) == 1) { | ||
| 164 | $mask = "32" | ||
| 165 | } else { | ||
| 166 | $mask = $infos[1] | ||
| 167 | } | ||
| 168 | |||
| 169 | postgresql::server::pg_hba_rule { "allow TCP access for initial replication from $ipaddress/$mask": | ||
| 170 | type => 'hostssl', | ||
| 171 | database => 'replication', | ||
| 172 | user => $backup_host_cn, | ||
| 173 | address => "$ipaddress/$mask", | ||
| 174 | auth_method => 'pam', | ||
| 175 | order => "06-01", | ||
| 176 | target => "$pg_path/pg_hba.conf", | ||
| 177 | postgresql_version => "10", | ||
| 178 | } | ||
| 179 | } | ||
| 180 | } | 10 | } |
| 181 | 11 | ||
| 182 | if !empty($ldap_filter) and ($pg_infos["pgbouncer"]) { | 12 | if $pg_infos["pgbouncer"] { |
| 183 | if empty($pg_listen_port) { | 13 | profile::postgresql::backup_pgbouncer { $backup_host_cn: |
| 184 | $pg_listen_port_key = "" | 14 | base_path => $mountpoint, |
| 185 | } else { | 15 | pg_infos => $pg_infos, |
| 186 | $pg_listen_port_key = "port=$pg_listen_port" | ||
| 187 | } | ||
| 188 | |||
| 189 | concat::fragment { "pgbouncer_$pg_backup_host": | ||
| 190 | target => "/etc/pgbouncer/pgbouncer.ini", | ||
| 191 | order => 02, | ||
| 192 | content => "${pg_infos[pgbouncer_dbname]} = host=$mountpoint/$pg_backup_host/postgresql $pg_listen_port_key user=${pg_infos[dbuser]} dbname=${pg_infos[dbname]}", | ||
| 193 | } | ||
| 194 | |||
| 195 | postgresql::server::pg_hba_rule { "$pg_backup_host - local access as ${pg_infos[dbuser]} user": | ||
| 196 | description => "Allow local access to ${pg_infos[dbuser]} user", | ||
| 197 | type => 'local', | ||
| 198 | database => $pg_infos["dbname"], | ||
| 199 | user => $pg_infos["dbuser"], | ||
| 200 | auth_method => 'trust', | ||
| 201 | order => "01-00", | ||
| 202 | target => "$pg_path/pg_hba.conf", | ||
| 203 | postgresql_version => "10", | ||
| 204 | } | 16 | } |
| 205 | } | 17 | } |
| 206 | 18 | ||
| 207 | file { "$mountpoint/$pg_backup_host": | ||
| 208 | ensure => directory, | ||
| 209 | owner => $user, | ||
| 210 | group => $group, | ||
| 211 | } | ||
| 212 | |||
| 213 | file { $pg_path: | ||
| 214 | ensure => directory, | ||
| 215 | owner => $pg_user, | ||
| 216 | group => $pg_group, | ||
| 217 | mode => "0700", | ||
| 218 | require => File["$mountpoint/$pg_backup_host"], | ||
| 219 | } | ||
| 220 | |||
| 221 | file { $pg_backup_path: | ||
| 222 | ensure => directory, | ||
| 223 | owner => $pg_user, | ||
| 224 | group => $pg_group, | ||
| 225 | mode => "0700", | ||
| 226 | require => File["$mountpoint/$pg_backup_host"], | ||
| 227 | } | ||
| 228 | |||
| 229 | cron::job::multiple { "backup_psql_$pg_host": | ||
| 230 | ensure => "present", | ||
| 231 | require => [File[$pg_backup_path], File[$pg_path]], | ||
| 232 | jobs => [ | ||
| 233 | { | ||
| 234 | command => "/usr/bin/pg_dumpall -h $pg_path -f $pg_backup_path/\$(date -Iseconds).sql", | ||
| 235 | user => $pg_user, | ||
| 236 | hour => "22,4,10,16", | ||
| 237 | minute => 0, | ||
| 238 | description => "Backup the database", | ||
| 239 | }, | ||
| 240 | { | ||
| 241 | command => "/usr/bin/rm -f $(ls -1 $pg_backup_path/*.sql | grep -v 'T22:' | sort -r | sed -e '1,12d')", | ||
| 242 | user => $pg_user, | ||
| 243 | hour => 3, | ||
| 244 | minute => 0, | ||
| 245 | description => "Cleanup the database backups", | ||
| 246 | }, | ||
| 247 | { | ||
| 248 | command => "cd $pg_backup_path ; /usr/bin/rm -f $(ls -1 *T22*.sql | log2rotate --skip 7 --fuzz 7 --delete --format='%Y-%m-%dT%H:%M:%S+02:00.sql')", | ||
| 249 | user => $pg_user, | ||
| 250 | hour => 3, | ||
| 251 | minute => 1, | ||
| 252 | description => "Cleanup the database backups exponentially", | ||
| 253 | }, | ||
| 254 | ] | ||
| 255 | } | ||
| 256 | |||
| 257 | exec { "pg_basebackup $pg_path": | ||
| 258 | cwd => $pg_path, | ||
| 259 | user => $pg_user, | ||
| 260 | creates => "$pg_path/PG_VERSION", | ||
| 261 | environment => ["PGPASSWORD=$ldap_password"], | ||
| 262 | command => "/usr/bin/pg_basebackup -w -h $pg_host -U $ldap_cn -D $pg_path -S $pg_slot", | ||
| 263 | before => [ | ||
| 264 | Concat["$pg_path/pg_hba.conf"], | ||
| 265 | Concat["$pg_path/recovery.conf"], | ||
| 266 | File["$pg_path/postgresql.conf"], | ||
| 267 | ] | ||
| 268 | } | ||
| 269 | |||
| 270 | concat { "$pg_path/pg_hba.conf": | ||
| 271 | owner => $pg_user, | ||
| 272 | group => $pg_group, | ||
| 273 | mode => '0640', | ||
| 274 | warn => true, | ||
| 275 | } | ||
| 276 | postgresql::server::pg_hba_rule { "$pg_backup_host - local access as postgres user": | ||
| 277 | description => 'Allow local access to postgres user', | ||
| 278 | type => 'local', | ||
| 279 | database => 'all', | ||
| 280 | user => $pg_user, | ||
| 281 | auth_method => 'ident', | ||
| 282 | order => "00-01", | ||
| 283 | target => "$pg_path/pg_hba.conf", | ||
| 284 | postgresql_version => "10", | ||
| 285 | } | ||
| 286 | postgresql::server::pg_hba_rule { "$pg_backup_host - localhost access as postgres user": | ||
| 287 | description => 'Allow localhost access to postgres user', | ||
| 288 | type => 'host', | ||
| 289 | database => 'all', | ||
| 290 | user => $pg_user, | ||
| 291 | address => "127.0.0.1/32", | ||
| 292 | auth_method => 'md5', | ||
| 293 | order => "00-02", | ||
| 294 | target => "$pg_path/pg_hba.conf", | ||
| 295 | postgresql_version => "10", | ||
| 296 | } | ||
| 297 | postgresql::server::pg_hba_rule { "$pg_backup_host - localhost ip6 access as postgres user": | ||
| 298 | description => 'Allow localhost access to postgres user', | ||
| 299 | type => 'host', | ||
| 300 | database => 'all', | ||
| 301 | user => $pg_user, | ||
| 302 | address => "::1/128", | ||
| 303 | auth_method => 'md5', | ||
| 304 | order => "00-03", | ||
| 305 | target => "$pg_path/pg_hba.conf", | ||
| 306 | postgresql_version => "10", | ||
| 307 | } | ||
| 308 | postgresql::server::pg_hba_rule { "$pg_backup_host - deny access to postgresql user": | ||
| 309 | description => 'Deny remote access to postgres user', | ||
| 310 | type => 'host', | ||
| 311 | database => 'all', | ||
| 312 | user => $pg_user, | ||
| 313 | address => "0.0.0.0/0", | ||
| 314 | auth_method => 'reject', | ||
| 315 | order => "00-04", | ||
| 316 | target => "$pg_path/pg_hba.conf", | ||
| 317 | postgresql_version => "10", | ||
| 318 | } | ||
| 319 | |||
| 320 | postgresql::server::pg_hba_rule { "$pg_backup_host - local access": | ||
| 321 | description => 'Allow local access with password', | ||
| 322 | type => 'local', | ||
| 323 | database => 'all', | ||
| 324 | user => 'all', | ||
| 325 | auth_method => 'md5', | ||
| 326 | order => "10-01", | ||
| 327 | target => "$pg_path/pg_hba.conf", | ||
| 328 | postgresql_version => "10", | ||
| 329 | } | ||
| 330 | |||
| 331 | postgresql::server::pg_hba_rule { "$pg_backup_host - local access with same name": | ||
| 332 | description => 'Allow local access with same name', | ||
| 333 | type => 'local', | ||
| 334 | database => 'all', | ||
| 335 | user => 'all', | ||
| 336 | auth_method => 'ident', | ||
| 337 | order => "10-02", | ||
| 338 | target => "$pg_path/pg_hba.conf", | ||
| 339 | postgresql_version => "10", | ||
| 340 | } | ||
| 341 | |||
| 342 | $primary_conninfo = "host=$pg_host port=$pg_port user=$ldap_cn password=$ldap_password sslmode=require" | ||
| 343 | $primary_slot_name = regsubst($ldap_cn, '-', "_", "G") | ||
| 344 | $standby_mode = "on" | ||
| 345 | |||
| 346 | concat { "$pg_path/recovery.conf": | ||
| 347 | owner => $pg_user, | ||
| 348 | group => $pg_group, | ||
| 349 | mode => '0640', | ||
| 350 | warn => true, | ||
| 351 | } | ||
| 352 | concat::fragment { "$pg_path/recovery.conf": | ||
| 353 | target => "$pg_path/recovery.conf", | ||
| 354 | content => template('postgresql/recovery.conf.erb'), | ||
| 355 | } | ||
| 356 | |||
| 357 | file { "$pg_path/postgresql.conf": | ||
| 358 | owner => $pg_user, | ||
| 359 | group => $pg_group, | ||
| 360 | mode => '0640', | ||
| 361 | content => template("role/backup/postgresql.conf.erb"), | ||
| 362 | } | ||
| 363 | |||
| 364 | service { "postgresql_backup@$pg_backup_host": | ||
| 365 | enable => true, | ||
| 366 | ensure => "running", | ||
| 367 | require => [ | ||
| 368 | File["/etc/systemd/system/postgresql_backup@.service"], | ||
| 369 | Concat["$pg_path/pg_hba.conf"], | ||
| 370 | Concat["$pg_path/recovery.conf"], | ||
| 371 | File["$pg_path/postgresql.conf"], | ||
| 372 | ], | ||
| 373 | subscribe => [ | ||
| 374 | Concat["$pg_path/pg_hba.conf"], | ||
| 375 | Concat["$pg_path/recovery.conf"], | ||
| 376 | File["$pg_path/postgresql.conf"], | ||
| 377 | ] | ||
| 378 | } | ||
| 379 | } | 19 | } |
| 380 | 20 | ||
| 381 | } | 21 | } |
diff --git a/modules/role/manifests/cryptoportfolio/postgresql.pp b/modules/role/manifests/cryptoportfolio/postgresql.pp index 776b30f..addad67 100644 --- a/modules/role/manifests/cryptoportfolio/postgresql.pp +++ b/modules/role/manifests/cryptoportfolio/postgresql.pp | |||
| @@ -2,194 +2,40 @@ class role::cryptoportfolio::postgresql inherits role::cryptoportfolio { | |||
| 2 | $password_seed = lookup("base_installation::puppet_pass_seed") | 2 | $password_seed = lookup("base_installation::puppet_pass_seed") |
| 3 | 3 | ||
| 4 | $pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio") | 4 | $pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio") |
| 5 | $pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication") | ||
| 6 | 5 | ||
| 7 | file { "/var/lib/postgres/data/certs": | 6 | profile::postgresql::master { "postgresql master for cryptoportfolio": |
| 8 | ensure => directory, | 7 | letsencrypt_host => $web_host, |
| 9 | mode => "0700", | 8 | backup_hosts => ["backup-1"], |
| 10 | owner => $::profile::postgresql::pg_user, | ||
| 11 | group => $::profile::postgresql::pg_user, | ||
| 12 | require => File["/var/lib/postgres"], | ||
| 13 | } | ||
| 14 | |||
| 15 | file { "/var/lib/postgres/data/certs/cert.pem": | ||
| 16 | source => "file:///etc/letsencrypt/live/$web_host/cert.pem", | ||
| 17 | mode => "0600", | ||
| 18 | links => "follow", | ||
| 19 | owner => $::profile::postgresql::pg_user, | ||
| 20 | group => $::profile::postgresql::pg_user, | ||
| 21 | require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]] | ||
| 22 | } | ||
| 23 | |||
| 24 | file { "/var/lib/postgres/data/certs/privkey.pem": | ||
| 25 | source => "file:///etc/letsencrypt/live/$web_host/privkey.pem", | ||
| 26 | mode => "0600", | ||
| 27 | links => "follow", | ||
| 28 | owner => $::profile::postgresql::pg_user, | ||
| 29 | group => $::profile::postgresql::pg_user, | ||
| 30 | require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]] | ||
| 31 | } | ||
| 32 | |||
| 33 | postgresql_replication_slot { $pg_user_replication: | ||
| 34 | ensure => present | ||
| 35 | } | ||
| 36 | |||
| 37 | postgresql::server::config_entry { "wal_level": | ||
| 38 | value => "logical", | ||
| 39 | } | ||
| 40 | |||
| 41 | postgresql::server::config_entry { "ssl": | ||
| 42 | value => "on", | ||
| 43 | require => Letsencrypt::Certonly[$web_host], | ||
| 44 | } | ||
| 45 | |||
| 46 | postgresql::server::config_entry { "ssl_cert_file": | ||
| 47 | value => "/var/lib/postgres/data/certs/cert.pem", | ||
| 48 | require => Letsencrypt::Certonly[$web_host], | ||
| 49 | } | ||
| 50 | |||
| 51 | postgresql::server::config_entry { "ssl_key_file": | ||
| 52 | value => "/var/lib/postgres/data/certs/privkey.pem", | ||
| 53 | require => Letsencrypt::Certonly[$web_host], | ||
| 54 | } | 9 | } |
| 55 | 10 | ||
| 56 | postgresql::server::db { $pg_db: | 11 | postgresql::server::db { $pg_db: |
| 57 | user => $pg_user, | 12 | user => $pg_user, |
| 58 | password => postgresql_password($pg_user, $pg_password), | 13 | password => postgresql_password($pg_user, $pg_password), |
| 59 | } | 14 | } |
| 60 | -> | ||
| 61 | postgresql_psql { "CREATE PUBLICATION ${pg_db}_publication FOR ALL TABLES": | ||
| 62 | db => $pg_db, | ||
| 63 | unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${pg_db}_publication'", | ||
| 64 | } | ||
| 65 | -> | ||
| 66 | postgresql::server::role { $pg_user_replication: | ||
| 67 | db => $pg_db, | ||
| 68 | replication => true, | ||
| 69 | password_hash => postgresql_password($pg_user_replication, $pg_replication_password), | ||
| 70 | } | ||
| 71 | -> | ||
| 72 | postgresql::server::database_grant { $pg_user_replication: | ||
| 73 | db => $pg_db, | ||
| 74 | privilege => "CONNECT", | ||
| 75 | role => $pg_user_replication, | ||
| 76 | } | ||
| 77 | -> | ||
| 78 | postgresql::server::grant { "all tables in schema:public:$pg_user_replication": | ||
| 79 | db => $pg_db, | ||
| 80 | role => $pg_user_replication, | ||
| 81 | privilege => "SELECT", | ||
| 82 | object_type => "ALL TABLES IN SCHEMA", | ||
| 83 | object_name => "public", | ||
| 84 | } | ||
| 85 | -> | ||
| 86 | postgresql::server::grant { "all sequences in schema:public:$pg_user_replication": | ||
| 87 | db => $pg_db, | ||
| 88 | role => $pg_user_replication, | ||
| 89 | privilege => "SELECT", | ||
| 90 | object_type => "ALL SEQUENCES IN SCHEMA", | ||
| 91 | object_name => "public", | ||
| 92 | } | ||
| 93 | 15 | ||
| 94 | postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user': | 16 | postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user': |
| 95 | type => 'host', | 17 | type => 'local', |
| 96 | database => $pg_db, | 18 | database => $pg_db, |
| 97 | user => $pg_user, | 19 | user => $pg_user, |
| 98 | address => '127.0.0.1/32', | 20 | auth_method => 'ident', |
| 99 | auth_method => 'md5', | ||
| 100 | order => "05-01", | 21 | order => "05-01", |
| 101 | } | 22 | } |
| 102 | postgresql::server::pg_hba_rule { 'allow localhost ip6 TCP access to cryptoportfolio user': | ||
| 103 | type => 'host', | ||
| 104 | database => $pg_db, | ||
| 105 | user => $pg_user, | ||
| 106 | address => '::1/128', | ||
| 107 | auth_method => 'md5', | ||
| 108 | order => "05-01", | ||
| 109 | } | ||
| 110 | |||
| 111 | postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu for replication': | ||
| 112 | type => 'hostssl', | ||
| 113 | database => 'replication', | ||
| 114 | user => $pg_user_replication, | ||
| 115 | address => 'immae.eu', | ||
| 116 | auth_method => 'md5', | ||
| 117 | order => "05-01", | ||
| 118 | } | ||
| 119 | |||
| 120 | postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu': | ||
| 121 | type => 'hostssl', | ||
| 122 | database => $pg_db, | ||
| 123 | user => $pg_user_replication, | ||
| 124 | address => 'immae.eu', | ||
| 125 | auth_method => 'md5', | ||
| 126 | order => "05-02", | ||
| 127 | } | ||
| 128 | |||
| 129 | $backup_host = "backup-1" | ||
| 130 | 23 | ||
| 131 | unless empty($backup_host) { | 24 | # cleanup |
| 132 | ensure_packages(["pam_ldap"]) | 25 | postgresql_psql { "DROP PUBLICATION ${pg_db}_publication": |
| 133 | 26 | db => $pg_db, | |
| 134 | $facts["ldapvar"]["other"].each |$host| { | 27 | onlyif => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${pg_db}_publication'", |
| 135 | if ($host["cn"][0] == $backup_host) { | 28 | } -> |
| 136 | $host["ipHostNumber"].each |$ip| { | 29 | postgresql_replication_slot { $pg_user_replication: |
| 137 | $infos = split($ip, "/") | 30 | ensure => absent |
| 138 | $ipaddress = $infos[0] | 31 | } -> |
| 139 | if (length($infos) == 1 and $ipaddress =~ /:/) { | 32 | postgresql_psql { "DROP OWNED BY $pg_user_replication": |
| 140 | $mask = "128" | 33 | db => $pg_db, |
| 141 | } elsif (length($infos) == 1) { | 34 | onlyif => "SELECT 1 FROM pg_user WHERE usename='$pg_user_replication'" |
| 142 | $mask = "32" | 35 | } -> |
| 143 | } else { | 36 | postgresql::server::role { $pg_user_replication: |
| 144 | $mask = $infos[1] | 37 | ensure => absent, |
| 145 | } | ||
| 146 | |||
| 147 | postgresql::server::pg_hba_rule { "allow TCP access to replication user from backup for replication from $ipaddress/$mask": | ||
| 148 | type => 'hostssl', | ||
| 149 | database => 'replication', | ||
| 150 | user => 'all', | ||
| 151 | address => "$ipaddress/$mask", | ||
| 152 | auth_method => 'pam', | ||
| 153 | order => "06-01", | ||
| 154 | } | ||
| 155 | } | ||
| 156 | |||
| 157 | postgresql::server::role { $backup_host: | ||
| 158 | replication => true, | ||
| 159 | } | ||
| 160 | |||
| 161 | postgresql_replication_slot { regsubst($backup_host, '-', "_", "G"): | ||
| 162 | ensure => present | ||
| 163 | } | ||
| 164 | } | ||
| 165 | } | ||
| 166 | |||
| 167 | $ldap_server = lookup("base_installation::ldap_server") | ||
| 168 | $ldap_base = lookup("base_installation::ldap_base") | ||
| 169 | $ldap_dn = lookup("base_installation::ldap_dn") | ||
| 170 | $ldap_password = generate_password(24, $password_seed, "ldap") | ||
| 171 | $ldap_attribute = "cn" | ||
| 172 | |||
| 173 | file { "/etc/pam_ldap.d": | ||
| 174 | ensure => directory, | ||
| 175 | mode => "0755", | ||
| 176 | owner => "root", | ||
| 177 | group => "root", | ||
| 178 | } -> | ||
| 179 | file { "/etc/pam_ldap.d/postgresql.conf": | ||
| 180 | ensure => "present", | ||
| 181 | mode => "0600", | ||
| 182 | owner => $::profile::postgresql::pg_user, | ||
| 183 | group => "root", | ||
| 184 | content => template("role/cryptoportfolio/pam_ldap_postgresql.conf.erb"), | ||
| 185 | } -> | ||
| 186 | file { "/etc/pam.d/postgresql": | ||
| 187 | ensure => "present", | ||
| 188 | mode => "0644", | ||
| 189 | owner => "root", | ||
| 190 | group => "root", | ||
| 191 | source => "puppet:///modules/role/cryptoportfolio/pam_postgresql" | ||
| 192 | } | ||
| 193 | } | 38 | } |
| 39 | # /cleanup | ||
| 194 | 40 | ||
| 195 | } | 41 | } |
diff --git a/modules/role/manifests/etherpad.pp b/modules/role/manifests/etherpad.pp index 109da96..28b9eb6 100644 --- a/modules/role/manifests/etherpad.pp +++ b/modules/role/manifests/etherpad.pp | |||
| @@ -87,7 +87,7 @@ class role::etherpad ( | |||
| 87 | subscribe => Aur::Package["etherpad-lite"], | 87 | subscribe => Aur::Package["etherpad-lite"], |
| 88 | } | 88 | } |
| 89 | 89 | ||
| 90 | profile::postgresql_master { "postgresql master for etherpad": | 90 | profile::postgresql::master { "postgresql master for etherpad": |
| 91 | letsencrypt_host => $web_host, | 91 | letsencrypt_host => $web_host, |
| 92 | backup_hosts => ["backup-1"], | 92 | backup_hosts => ["backup-1"], |
| 93 | } | 93 | } |
diff --git a/modules/role/templates/backup/pam_ldap_pgbouncer.conf.erb b/modules/role/templates/backup/pam_ldap_pgbouncer.conf.erb deleted file mode 100644 index 384a418..0000000 --- a/modules/role/templates/backup/pam_ldap_pgbouncer.conf.erb +++ /dev/null | |||
| @@ -1,7 +0,0 @@ | |||
| 1 | host <%= @ldap_server %> | ||
| 2 | |||
| 3 | base <%= @ldap_base %> | ||
| 4 | binddn <%= @ldap_dn %> | ||
| 5 | bindpw <%= @ldap_password %> | ||
| 6 | pam_login_attribute <%= @pgbouncer_ldap_attribute %> | ||
| 7 | pam_filter <%= @ldap_filter %> | ||
diff --git a/modules/role/templates/backup/pgbouncer.ini.erb b/modules/role/templates/backup/pgbouncer.ini.erb deleted file mode 100644 index 3ba8728..0000000 --- a/modules/role/templates/backup/pgbouncer.ini.erb +++ /dev/null | |||
| @@ -1,15 +0,0 @@ | |||
| 1 | [pgbouncer] | ||
| 2 | |||
| 3 | listen_addr = 0.0.0.0 | ||
| 4 | listen_port = 5432 | ||
| 5 | |||
| 6 | unix_socket_dir = /run/postgresql | ||
| 7 | unix_socket_mode = 0777 | ||
| 8 | |||
| 9 | auth_type = pam | ||
| 10 | |||
| 11 | admin_users = postgres | ||
| 12 | max_client_conn = 100 | ||
| 13 | default_pool_size = 20 | ||
| 14 | |||
| 15 | [databases] | ||
diff --git a/modules/role/templates/backup/postgresql_backup@.service.erb b/modules/role/templates/backup/postgresql_backup@.service.erb deleted file mode 100644 index 245a1cb..0000000 --- a/modules/role/templates/backup/postgresql_backup@.service.erb +++ /dev/null | |||
| @@ -1,34 +0,0 @@ | |||
| 1 | [Unit] | ||
| 2 | Description=PostgreSQL database server | ||
| 3 | After=network.target | ||
| 4 | |||
| 5 | [Service] | ||
| 6 | Type=forking | ||
| 7 | TimeoutSec=120 | ||
| 8 | User=postgres | ||
| 9 | Group=postgres | ||
| 10 | |||
| 11 | Environment=PGROOT=<%= @mountpoint %>/%i/postgresql | ||
| 12 | |||
| 13 | SyslogIdentifier=postgres | ||
| 14 | PIDFile=<%= @mountpoint %>/%i/postgresql/postmaster.pid | ||
| 15 | RuntimeDirectory=postgresql | ||
| 16 | RuntimeDirectoryMode=755 | ||
| 17 | |||
| 18 | ExecStartPre=/usr/bin/postgresql-check-db-dir ${PGROOT} | ||
| 19 | ExecStart= /usr/bin/pg_ctl -s -D ${PGROOT} start -w -t 120 | ||
| 20 | ExecReload=/usr/bin/pg_ctl -s -D ${PGROOT} reload | ||
| 21 | ExecStop= /usr/bin/pg_ctl -s -D ${PGROOT} stop -m fast | ||
| 22 | |||
| 23 | # Due to PostgreSQL's use of shared memory, OOM killer is often overzealous in | ||
| 24 | # killing Postgres, so adjust it downward | ||
| 25 | OOMScoreAdjust=-200 | ||
| 26 | |||
| 27 | # Additional security-related features | ||
| 28 | PrivateTmp=true | ||
| 29 | ProtectHome=true | ||
| 30 | ProtectSystem=full | ||
| 31 | NoNewPrivileges=true | ||
| 32 | |||
| 33 | [Install] | ||
| 34 | WantedBy=multi-user.target | ||