authorIsmaël Bouya <ismael.bouya@normalesup.org>2018-06-27 13:23:13 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2018-06-27 13:23:13 +0200
commit320d02a091e0548126c27ca7efd86341b80be4ea (patch)
tree97beae3acaf1c552cf5c19521260e76dedae5913 /modules/role
parentbcc5318b2e938234fcc93f70d6af21367290c1ce (diff)
parent2f3d3a34ab0b3fd31bd84e4c935954740313dbed (diff)
Merge branch 'backup/recovery' into dev
Diffstat (limited to 'modules/role')
-rw-r--r--modules/role/manifests/backup/postgresql.pp98
-rw-r--r--modules/role/templates/backup/pam_ldap_pgbouncer.conf.erb2
-rw-r--r--modules/role/templates/backup/postgresql.conf.erb9
3 files changed, 99 insertions, 10 deletions
diff --git a/modules/role/manifests/backup/postgresql.pp b/modules/role/manifests/backup/postgresql.pp
index b26773c..ee62a00 100644
--- a/modules/role/manifests/backup/postgresql.pp
+++ b/modules/role/manifests/backup/postgresql.pp
@@ -13,7 +13,7 @@ class role::backup::postgresql inherits role::backup {
13 $ldap_server = lookup("base_installation::ldap_server") 13 $ldap_server = lookup("base_installation::ldap_server")
14 $ldap_base = lookup("base_installation::ldap_base") 14 $ldap_base = lookup("base_installation::ldap_base")
15 $ldap_dn = lookup("base_installation::ldap_dn") 15 $ldap_dn = lookup("base_installation::ldap_dn")
16 $ldap_attribute = "uid" 16 $pgbouncer_ldap_attribute = "uid"
17 17
18 $pg_slot = regsubst($ldap_cn, '-', "_", "G") 18 $pg_slot = regsubst($ldap_cn, '-', "_", "G")
19 19
@@ -71,18 +71,13 @@ class role::backup::postgresql inherits role::backup {
71 ], 71 ],
72 } 72 }
73 73
74 file { "/etc/pam_ldap.d":
75 ensure => directory,
76 mode => "0755",
77 owner => "root",
78 group => "root",
79 } ->
80 file { "/etc/pam_ldap.d/pgbouncer.conf": 74 file { "/etc/pam_ldap.d/pgbouncer.conf":
81 ensure => "present", 75 ensure => "present",
82 mode => "0600", 76 mode => "0600",
83 owner => $pg_user, 77 owner => $pg_user,
84 group => "root", 78 group => "root",
85 content => template("role/backup/pam_ldap_pgbouncer.conf.erb"), 79 content => template("role/backup/pam_ldap_pgbouncer.conf.erb"),
80 require => File["/etc/pam_ldap.d"],
86 } -> 81 } ->
87 file { "/etc/pam.d/pgbouncer": 82 file { "/etc/pam.d/pgbouncer":
88 ensure => "present", 83 ensure => "present",
@@ -94,6 +89,29 @@ class role::backup::postgresql inherits role::backup {
94 } 89 }
95 } 90 }
96 91
92 $ldap_attribute = "cn"
93
94 file { "/etc/pam_ldap.d":
95 ensure => directory,
96 mode => "0755",
97 owner => "root",
98 group => "root",
99 } ->
100 file { "/etc/pam_ldap.d/postgresql.conf":
101 ensure => "present",
102 mode => "0600",
103 owner => $pg_user,
104 group => "root",
105 content => template("profile/postgresql_master/pam_ldap_postgresql.conf.erb"),
106 } ->
107 file { "/etc/pam.d/postgresql":
108 ensure => "present",
109 mode => "0644",
110 owner => "root",
111 group => "root",
112 source => "puppet:///modules/profile/postgresql_master/pam_postgresql"
113 }
114
97 $pg_backup_hosts.each |$backup_host_cn, $pg_infos| { 115 $pg_backup_hosts.each |$backup_host_cn, $pg_infos| {
98 $host = find_host($facts["ldapvar"]["other"], $backup_host_cn) 116 $host = find_host($facts["ldapvar"]["other"], $backup_host_cn)
99 if empty($host) { 117 if empty($host) {
@@ -103,16 +121,75 @@ class role::backup::postgresql inherits role::backup {
103 } else { 121 } else {
104 $pg_backup_host = $host["vars"]["real_hostname"][0] 122 $pg_backup_host = $host["vars"]["real_hostname"][0]
105 } 123 }
124
106 $pg_path = "$mountpoint/$pg_backup_host/postgresql" 125 $pg_path = "$mountpoint/$pg_backup_host/postgresql"
107 $pg_backup_path = "$mountpoint/$pg_backup_host/postgresql_backup" 126 $pg_backup_path = "$mountpoint/$pg_backup_host/postgresql_backup"
108 $pg_host = "$pg_backup_host" 127 $pg_host = "$pg_backup_host"
109 $pg_port = $pg_infos["dbport"] 128 $pg_port = $pg_infos["dbport"]
110 129
130 if has_key($host["vars"], "postgresql_backup_port") {
131 $pg_listen_port = $host["vars"]["postgresql_backup_port"][0]
132 file { "$pg_path/certs":
133 ensure => directory,
134 mode => "0700",
135 owner => $pg_user,
136 group => $pg_group,
137 } ->
138 ssl::self_signed_certificate { $backup_host_cn:
139 common_name => $backup_host_cn,
140 country => "FR",
141 days => "3650",
142 organization => "Immae",
143 owner => $pg_user,
144 group => $pg_group,
145 directory => "$pg_path/certs",
146 before => File["$pg_path/postgresql.conf"],
147 }
148 $ssl_key = "$pg_path/certs/$backup_host_cn.key"
149 $ssl_cert = "$pg_path/certs/$backup_host_cn.crt"
150 } else {
151 $pg_listen_port = undef
152 $ssl_key = undef
153 $ssl_cert = undef
154 }
155
156
157 unless empty($host) {
158 $host["ipHostNumber"].each |$ip| {
159 $infos = split($ip, "/")
160 $ipaddress = $infos[0]
161 if (length($infos) == 1 and $ipaddress =~ /:/) {
162 $mask = "128"
163 } elsif (length($infos) == 1) {
164 $mask = "32"
165 } else {
166 $mask = $infos[1]
167 }
168
169 postgresql::server::pg_hba_rule { "allow TCP access for initial replication from $ipaddress/$mask":
170 type => 'hostssl',
171 database => 'replication',
172 user => $backup_host_cn,
173 address => "$ipaddress/$mask",
174 auth_method => 'pam',
175 order => "06-01",
176 target => "$pg_path/pg_hba.conf",
177 postgresql_version => "10",
178 }
179 }
180 }
181
111 if !empty($ldap_filter) and ($pg_infos["pgbouncer"]) { 182 if !empty($ldap_filter) and ($pg_infos["pgbouncer"]) {
183 if empty($pg_listen_port) {
184 $pg_listen_port_key = ""
185 } else {
186 $pg_listen_port_key = "port=$pg_listen_port"
187 }
188
112 concat::fragment { "pgbouncer_$pg_backup_host": 189 concat::fragment { "pgbouncer_$pg_backup_host":
113 target => "/etc/pgbouncer/pgbouncer.ini", 190 target => "/etc/pgbouncer/pgbouncer.ini",
114 order => 02, 191 order => 02,
115 content => "${pg_infos[pgbouncer_dbname]} = host=$mountpoint/$pg_backup_host/postgresql user=${pg_infos[dbuser]} dbname=${pg_infos[dbname]}", 192 content => "${pg_infos[pgbouncer_dbname]} = host=$mountpoint/$pg_backup_host/postgresql $pg_listen_port_key user=${pg_infos[dbuser]} dbname=${pg_infos[dbname]}",
116 } 193 }
117 194
118 postgresql::server::pg_hba_rule { "$pg_backup_host - local access as ${pg_infos[dbuser]} user": 195 postgresql::server::pg_hba_rule { "$pg_backup_host - local access as ${pg_infos[dbuser]} user":
@@ -292,6 +369,11 @@ class role::backup::postgresql inherits role::backup {
292 Concat["$pg_path/pg_hba.conf"], 369 Concat["$pg_path/pg_hba.conf"],
293 Concat["$pg_path/recovery.conf"], 370 Concat["$pg_path/recovery.conf"],
294 File["$pg_path/postgresql.conf"], 371 File["$pg_path/postgresql.conf"],
372 ],
373 subscribe => [
374 Concat["$pg_path/pg_hba.conf"],
375 Concat["$pg_path/recovery.conf"],
376 File["$pg_path/postgresql.conf"],
295 ] 377 ]
296 } 378 }
297 } 379 }
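Review bot: `has_key($host["vars"], "postgresql_backup_port")` on new line 130 dereferences `$host` unconditionally, while the new `unless empty($host)` block at line 157 treats an empty `$host` as a possible state at that point; if `find_host` returned an empty value, `$host["vars"]` is undef and stdlib's `has_key` is likely to raise instead of falling through to the `else` branch at line 150. Unless the hidden `if empty($host)` branch at line 117 already fails the catalog, guard the lookup the same way: `if !empty($host) and has_key($host["vars"], "postgresql_backup_port") {`. The replication `hostssl` rules at lines 169-178 are emitted for every address of the host even when no backup port is configured and the instance only listens on its socket; a one-line comment such as `# TCP replication entries are inert unless postgresql_backup_port opens a listener` would make that intended coupling visible. The enclosing class `role::backup::postgresql` and the `$pg_backup_hosts.each` loop both start and end outside the hunks shown.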
diff --git a/modules/role/templates/backup/pam_ldap_pgbouncer.conf.erb b/modules/role/templates/backup/pam_ldap_pgbouncer.conf.erb
index 12fa9bb..384a418 100644
--- a/modules/role/templates/backup/pam_ldap_pgbouncer.conf.erb
+++ b/modules/role/templates/backup/pam_ldap_pgbouncer.conf.erb
@@ -3,5 +3,5 @@ host <%= @ldap_server %>
3base <%= @ldap_base %> 3base <%= @ldap_base %>
4binddn <%= @ldap_dn %> 4binddn <%= @ldap_dn %>
5bindpw <%= @ldap_password %> 5bindpw <%= @ldap_password %>
6pam_login_attribute <%= @ldap_attribute %> 6pam_login_attribute <%= @pgbouncer_ldap_attribute %>
7pam_filter <%= @ldap_filter %> 7pam_filter <%= @ldap_filter %>
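--- a/modules/role/templates/backup/postgresql.conf.erb
+++ b/modules/role/templates/backup/postgresql.conf.erb
@@ -1,5 +1,12 @@
+<%- if !@pg_listen_port.nil? -%>
+listen_addresses= '*'
+port = <%= @pg_listen_port %>
+ssl = on
+ssl_key_file = '<%= @ssl_key %>'
+ssl_cert_file = '<%= @ssl_cert %>'
+<%- else -%>
 listen_addresses= ''
+<%- end %>
 unix_socket_directories = '<%= @pg_path %>'
 data_directory = '<%= @pg_path %>'
 wal_level = logical
-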
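Review bot: `listen_addresses= '*'` in the new branch binds the backup instance on every interface as soon as `@pg_listen_port` is set, and nothing in the template records that reachability is then expected to be limited by the `hostssl` entries the manifest in this commit writes to pg_hba.conf; add an ERB comment above the condition, e.g. `<%# TCP listener only when a backup port is configured; access is restricted by the pg_hba.conf hostssl rules -%>`. The same line is also the only setting without a space before `=` (`port = ` and `ssl = on` use one); `listen_addresses = '*'` and `listen_addresses = ''` keep the file consistent. The branch assumes `@ssl_key` and `@ssl_cert` are non-nil whenever `@pg_listen_port` is, which the manifest guarantees but the template does not check, so an empty `ssl_key_file = ''` would be written silently if that coupling ever changed.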