diff options
author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2018-02-21 15:51:11 +0100 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2018-02-21 15:51:11 +0100 |
commit | b859262351650df3368d4f3fa49a487a7d9b35b7 (patch) | |
tree | 71b5d9f6d10616409606d2126cfafb7491a8353a /modules | |
parent | e17078be2c92c88e0fc8ecc88a626cdb99d0d09a (diff) | |
parent | 43c4ee4e2fd1c7ed992a420d6d478375475194dd (diff) | |
download | Puppet-b859262351650df3368d4f3fa49a487a7d9b35b7.tar.gz Puppet-b859262351650df3368d4f3fa49a487a7d9b35b7.tar.zst Puppet-b859262351650df3368d4f3fa49a487a7d9b35b7.zip |
Merge branch 'pg_replication'
Diffstat (limited to 'modules')
-rw-r--r-- | modules/profile/manifests/postgresql.pp | 3 | ||||
-rw-r--r-- | modules/profile/manifests/tools.pp | 2 | ||||
-rw-r--r-- | modules/role/manifests/cryptoportfolio.pp | 116 |
3 files changed, 114 insertions, 7 deletions
diff --git a/modules/profile/manifests/postgresql.pp b/modules/profile/manifests/postgresql.pp index 8dcc4cb..1024c66 100644 --- a/modules/profile/manifests/postgresql.pp +++ b/modules/profile/manifests/postgresql.pp | |||
@@ -22,7 +22,8 @@ class profile::postgresql { | |||
22 | } | 22 | } |
23 | 23 | ||
24 | class { '::postgresql::server': | 24 | class { '::postgresql::server': |
25 | postgres_password => generate_password(24, $password_seed, "postgres") | 25 | postgres_password => generate_password(24, $password_seed, "postgres"), |
26 | listen_addresses => "*", | ||
26 | } | 27 | } |
27 | 28 | ||
28 | postgresql::server::pg_hba_rule { 'local access as postgres user': | 29 | postgresql::server::pg_hba_rule { 'local access as postgres user': |
diff --git a/modules/profile/manifests/tools.pp b/modules/profile/manifests/tools.pp index 52e3cea..0b0ab46 100644 --- a/modules/profile/manifests/tools.pp +++ b/modules/profile/manifests/tools.pp | |||
@@ -1,3 +1,3 @@ | |||
1 | class profile::tools { | 1 | class profile::tools { |
2 | ensure_packages(['vim', 'bash-completion']) | 2 | ensure_packages(['vim', 'bash-completion', 'net-tools']) |
3 | } | 3 | } |
diff --git a/modules/role/manifests/cryptoportfolio.pp b/modules/role/manifests/cryptoportfolio.pp index 05f2c59..9a2bfd2 100644 --- a/modules/role/manifests/cryptoportfolio.pp +++ b/modules/role/manifests/cryptoportfolio.pp | |||
@@ -8,8 +8,10 @@ class role::cryptoportfolio { | |||
8 | $password_seed = lookup("base_installation::puppet_pass_seed") |$key| { {} } | 8 | $password_seed = lookup("base_installation::puppet_pass_seed") |$key| { {} } |
9 | 9 | ||
10 | $cf_pg_user = "cryptoportfolio" | 10 | $cf_pg_user = "cryptoportfolio" |
11 | $cf_pg_user_replication = "cryptoportfolio_replication" | ||
11 | $cf_pg_db = "cryptoportfolio" | 12 | $cf_pg_db = "cryptoportfolio" |
12 | $cf_pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio") | 13 | $cf_pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio") |
14 | $cf_pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication") | ||
13 | $cf_pg_host = "localhost:5432" | 15 | $cf_pg_host = "localhost:5432" |
14 | 16 | ||
15 | $cf_user = "cryptoportfolio" | 17 | $cf_user = "cryptoportfolio" |
@@ -27,9 +29,87 @@ class role::cryptoportfolio { | |||
27 | 29 | ||
28 | $cf_front_app_static_conf = "${cf_front_app}/cmd/web/env/prod.env" | 30 | $cf_front_app_static_conf = "${cf_front_app}/cmd/web/env/prod.env" |
29 | 31 | ||
32 | file { "/var/lib/postgres/data/certs": | ||
33 | ensure => directory, | ||
34 | mode => "0700", | ||
35 | owner => $::profile::postgresql::pg_user, | ||
36 | group => $::profile::postgresql::pg_user, | ||
37 | require => File["/var/lib/postgres"], | ||
38 | } | ||
39 | |||
40 | file { "/var/lib/postgres/data/certs/cert.pem": | ||
41 | source => "file:///etc/letsencrypt/live/$cf_front_app_host/cert.pem", | ||
42 | mode => "0600", | ||
43 | links => "follow", | ||
44 | owner => $::profile::postgresql::pg_user, | ||
45 | group => $::profile::postgresql::pg_user, | ||
46 | require => [Letsencrypt::Certonly[$cf_front_app_host], File["/var/lib/postgres/data/certs"]] | ||
47 | } | ||
48 | |||
49 | file { "/var/lib/postgres/data/certs/privkey.pem": | ||
50 | source => "file:///etc/letsencrypt/live/$cf_front_app_host/privkey.pem", | ||
51 | mode => "0600", | ||
52 | links => "follow", | ||
53 | owner => $::profile::postgresql::pg_user, | ||
54 | group => $::profile::postgresql::pg_user, | ||
55 | require => [Letsencrypt::Certonly[$cf_front_app_host], File["/var/lib/postgres/data/certs"]] | ||
56 | } | ||
57 | |||
58 | postgresql::server::config_entry { "wal_level": | ||
59 | value => "logical", | ||
60 | } | ||
61 | |||
62 | postgresql::server::config_entry { "ssl": | ||
63 | value => "on", | ||
64 | require => Letsencrypt::Certonly[$cf_front_app_host], | ||
65 | } | ||
66 | |||
67 | postgresql::server::config_entry { "ssl_cert_file": | ||
68 | value => "/var/lib/postgres/data/certs/cert.pem", | ||
69 | require => Letsencrypt::Certonly[$cf_front_app_host], | ||
70 | } | ||
71 | |||
72 | postgresql::server::config_entry { "ssl_key_file": | ||
73 | value => "/var/lib/postgres/data/certs/privkey.pem", | ||
74 | require => Letsencrypt::Certonly[$cf_front_app_host], | ||
75 | } | ||
76 | |||
30 | postgresql::server::db { $cf_pg_db: | 77 | postgresql::server::db { $cf_pg_db: |
31 | user => $cf_pg_user, | 78 | user => $cf_pg_user, |
32 | password => postgresql_password($cf_pg_user, $cf_pg_password) | 79 | password => postgresql_password($cf_pg_user, $cf_pg_password), |
80 | } | ||
81 | -> | ||
82 | postgresql_psql { "CREATE PUBLICATION ${cf_pg_db}_publication FOR ALL TABLES": | ||
83 | db => $cf_pg_db, | ||
84 | unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${cf_pg_db}_publication'", | ||
85 | } | ||
86 | -> | ||
87 | postgresql::server::role { $cf_pg_user_replication: | ||
88 | db => $cf_pg_db, | ||
89 | replication => true, | ||
90 | password_hash => postgresql_password($cf_pg_user_replication, $cf_pg_replication_password), | ||
91 | } | ||
92 | -> | ||
93 | postgresql::server::database_grant { $cf_pg_user_replication: | ||
94 | db => $cf_pg_db, | ||
95 | privilege => "CONNECT", | ||
96 | role => $cf_pg_user_replication, | ||
97 | } | ||
98 | -> | ||
99 | postgresql::server::grant { "all tables in schema:public:$cf_pg_user_replication": | ||
100 | db => $cf_pg_db, | ||
101 | role => $cf_pg_user_replication, | ||
102 | privilege => "SELECT", | ||
103 | object_type => "ALL TABLES IN SCHEMA", | ||
104 | object_name => "public", | ||
105 | } | ||
106 | -> | ||
107 | postgresql::server::grant { "all sequences in schema:public:$cf_pg_user_replication": | ||
108 | db => $cf_pg_db, | ||
109 | role => $cf_pg_user_replication, | ||
110 | privilege => "SELECT", | ||
111 | object_type => "ALL SEQUENCES IN SCHEMA", | ||
112 | object_name => "public", | ||
33 | } | 113 | } |
34 | 114 | ||
35 | postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user': | 115 | postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user': |
@@ -49,6 +129,15 @@ class role::cryptoportfolio { | |||
49 | order => "b0", | 129 | order => "b0", |
50 | } | 130 | } |
51 | 131 | ||
132 | postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu': | ||
133 | type => 'hostssl', | ||
134 | database => $cf_pg_db, | ||
135 | user => $cf_pg_user_replication, | ||
136 | address => 'immae.eu', | ||
137 | auth_method => 'md5', | ||
138 | order => "b0", | ||
139 | } | ||
140 | |||
52 | letsencrypt::certonly { $cf_front_app_host: ; | 141 | letsencrypt::certonly { $cf_front_app_host: ; |
53 | default: * => $::profile::apache::letsencrypt_certonly_default; | 142 | default: * => $::profile::apache::letsencrypt_certonly_default; |
54 | } | 143 | } |
@@ -115,7 +204,13 @@ class role::cryptoportfolio { | |||
115 | file { "${cf_home}/front": | 204 | file { "${cf_home}/front": |
116 | ensure => "link", | 205 | ensure => "link", |
117 | target => $cf_front_app, | 206 | target => $cf_front_app, |
118 | require => Archive["/opt/cryptoportfolio/${front_version}.tar.gz"] | 207 | before => File[$cf_front_app], |
208 | } ~> | ||
209 | exec { "remove old ${cf_front_app} directory": | ||
210 | refreshonly => true, | ||
211 | user => $cf_user, | ||
212 | command => "/usr/bin/rm -rf ${cf_front_app}", | ||
213 | before => File[$cf_front_app], | ||
119 | } | 214 | } |
120 | 215 | ||
121 | exec { "go-get-dep": | 216 | exec { "go-get-dep": |
@@ -155,9 +250,19 @@ class role::cryptoportfolio { | |||
155 | } | 250 | } |
156 | 251 | ||
157 | service { 'cryptoportfolio-app': | 252 | service { 'cryptoportfolio-app': |
158 | enable => true, | 253 | enable => true, |
159 | ensure => "running", | 254 | ensure => "running", |
160 | require => [File["/etc/systemd/system/cryptoportfolio-app.service"]], | 255 | subscribe => [Exec["go-cryptoportfolio-app"], Exec["web-cryptoportfolio-build"]], |
256 | require => [ | ||
257 | File["/etc/systemd/system/cryptoportfolio-app.service"], | ||
258 | Postgresql::Server::Db[$cf_pg_db] | ||
259 | ], | ||
260 | } ~> | ||
261 | exec { "dump $cf_pg_db structure": | ||
262 | refreshonly => true, | ||
263 | user => $::profile::postgresql::pg_user, | ||
264 | group => $::profile::postgresql::pg_user, | ||
265 | command => "/usr/bin/pg_dump --schema-only --clean --no-publications $cf_pg_db > /var/lib/postgres/${cf_pg_db}.schema", | ||
161 | } | 266 | } |
162 | 267 | ||
163 | file { $cf_front_app_api_conf: | 268 | file { $cf_front_app_api_conf: |
@@ -199,4 +304,5 @@ class role::cryptoportfolio { | |||
199 | } | 304 | } |
200 | } | 305 | } |
201 | 306 | ||
307 | # TODO: xmr_stack | ||
202 | } | 308 | } |