4 files changed, 131 insertions, 46 deletions
diff --git a/modules/profile/files/postgresql_master/pam_postgresql b/modules/profile/files/postgresql_master/pam_postgresql
new file mode 100644
index 0000000..70a90ae
--- /dev/null
+++ b/modules/profile/files/postgresql_master/pam_postgresql
@@ -0,0 +1,3 @@
+auth            required        pam_ldap.so config=/etc/pam_ldap.d/postgresql.conf
+account         required        pam_ldap.so config=/etc/pam_ldap.d/postgresql.conf
diff --git a/modules/profile/manifests/postgresql_master.pp b/modules/profile/manifests/postgresql_master.pp
new file mode 100644
index 0000000..3f68890
--- /dev/null
+++ b/modules/profile/manifests/postgresql_master.pp
@@ -0,0 +1,116 @@
+define profile::postgresql_master (
+  $letsencrypt_host = undef,
+  $backup_hosts     = [],
+) {
+  $password_seed = lookup("base_installation::puppet_pass_seed")
+  ensure_resource("file", "/var/lib/postgres/data/certs", {
+    ensure  => directory,
+    mode    => "0700",
+    owner   => $::profile::postgresql::pg_user,
+    group   => $::profile::postgresql::pg_user,
+    require => File["/var/lib/postgres"],
+  })
+  ensure_resource("file", "/var/lib/postgres/data/certs/cert.pem", {
+    source  => "file:///etc/letsencrypt/live/$letsencrypt_host/cert.pem",
+    mode    => "0600",
+    links   => "follow",
+    owner   => $::profile::postgresql::pg_user,
+    group   => $::profile::postgresql::pg_user,
+    require => [Letsencrypt::Certonly[$letsencrypt_host], File["/var/lib/postgres/data/certs"]]
+  })
+  ensure_resource("file", "/var/lib/postgres/data/certs/privkey.pem", {
+    source  => "file:///etc/letsencrypt/live/$letsencrypt_host/privkey.pem",
+    mode    => "0600",
+    links   => "follow",
+    owner   => $::profile::postgresql::pg_user,
+    group   => $::profile::postgresql::pg_user,
+    require => [Letsencrypt::Certonly[$letsencrypt_host], File["/var/lib/postgres/data/certs"]]
+  })
+  ensure_resource("postgresql::server::config_entry", "wal_level", {
+    value => "logical",
+  })
+  ensure_resource("postgresql::server::config_entry", "ssl", {
+    value   => "on",
+    require => Letsencrypt::Certonly[$letsencrypt_host],
+  })
+  ensure_resource("postgresql::server::config_entry", "ssl_cert_file", {
+    value   => "/var/lib/postgres/data/certs/cert.pem",
+    require => Letsencrypt::Certonly[$letsencrypt_host],
+  })
+  ensure_resource("postgresql::server::config_entry", "ssl_key_file", {
+    value   => "/var/lib/postgres/data/certs/privkey.pem",
+    require => Letsencrypt::Certonly[$letsencrypt_host],
+  })
+  $backup_hosts.each |$backup_host| {
+    ensure_packages(["pam_ldap"])
+    $facts["ldapvar"]["other"].each |$host| {
+      if ($host["cn"][0] == $backup_host) {
+        $host["ipHostNumber"].each |$ip| {
+          $infos = split($ip, "/")
+          $ipaddress = $infos[0]
+          if (length($infos) == 1 and $ipaddress =~ /:/) {
+            $mask = "128"
+          } elsif (length($infos) == 1) {
+            $mask = "32"
+          } else {
+            $mask = $infos[1]
+          }
+          postgresql::server::pg_hba_rule { "allow TCP access to replication user from backup for replication from $ipaddress/$mask":
+            type        => 'hostssl',
+            database    => 'replication',
+            user        => $backup_host,
+            address     => "$ipaddress/$mask",
+            auth_method => 'pam',
+            order       => "06-01",
+          }
+        }
+        postgresql::server::role { $backup_host:
+          replication => true,
+        }
+        postgresql_replication_slot { regsubst($backup_host, '-', "_", "G"):
+          ensure => present
+        }
+      }
+    }
+    $ldap_server = lookup("base_installation::ldap_server")
+    $ldap_base   = lookup("base_installation::ldap_base")
+    $ldap_dn     = lookup("base_installation::ldap_dn")
+    $ldap_password = generate_password(24, $password_seed, "ldap")
+    $ldap_attribute = "cn"
+    file { "/etc/pam_ldap.d":
+      ensure => directory,
+      mode   => "0755",
+      owner  => "root",
+      group  => "root",
+    } ->
+    file { "/etc/pam_ldap.d/postgresql.conf":
+      ensure  => "present",
+      mode    => "0600",
+      owner   => $::profile::postgresql::pg_user,
+      group   => "root",
+      content => template("profile/postgresql_master/pam_ldap_postgresql.conf.erb"),
+    } ->
+    file { "/etc/pam.d/postgresql":
+      ensure => "present",
+      mode   => "0644",
+      owner  => "root",
+      group  => "root",
+      source => "puppet:///modules/profile/postgresql_master/pam_postgresql"
+    }
+  }
+}
diff --git a/modules/profile/templates/postgresql_master/pam_ldap_postgresql.conf.erb b/modules/profile/templates/postgresql_master/pam_ldap_postgresql.conf.erb
new file mode 100644
index 0000000..f3d9674
--- /dev/null
+++ b/modules/profile/templates/postgresql_master/pam_ldap_postgresql.conf.erb
@@ -0,0 +1,6 @@
+host <%= @ldap_server %>
+base <%= @ldap_base %>
+binddn <%= @ldap_dn %>
+bindpw <%= @ldap_password %>
+pam_login_attribute <%= @ldap_attribute %>
diff --git a/modules/role/manifests/etherpad.pp b/modules/role/manifests/etherpad.pp
index 476a210..a43f146 100644
--- a/modules/role/manifests/etherpad.pp
+++ b/modules/role/manifests/etherpad.pp
@@ -66,54 +66,14 @@ class role::etherpad (
    subscribe => Aur::Package["etherpad-lite"],
  }
-  $web_host = "outils-1.v.immae.eu"
+  $web_host    = "outils-1.v.immae.eu"
-  $pg_db               = "etherpad-lite"
+  $pg_db       = "etherpad-lite"
-  $pg_user             = "etherpad-lite"
+  $pg_user     = "etherpad-lite"
  $pg_password = generate_password(24, $password_seed, "postgres_etherpad")
-  file { "/var/lib/postgres/data/certs":
+  profile::postgresql_master { "postgresql master for etherpad":
-    ensure  => directory,
+    letsencrypt_host => $web_host,
-    mode    => "0700",
+    backup_hosts     => ["backup-1"],
-    owner   => $::profile::postgresql::pg_user,
-    group   => $::profile::postgresql::pg_user,
-    require => File["/var/lib/postgres"],
-  }
-  file { "/var/lib/postgres/data/certs/cert.pem":
-    source  => "file:///etc/letsencrypt/live/$web_host/cert.pem",
-    mode    => "0600",
-    links   => "follow",
-    owner   => $::profile::postgresql::pg_user,
-    group   => $::profile::postgresql::pg_user,
-    require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
-  }
-  file { "/var/lib/postgres/data/certs/privkey.pem":
-    source  => "file:///etc/letsencrypt/live/$web_host/privkey.pem",
-    mode    => "0600",
-    links   => "follow",
-    owner   => $::profile::postgresql::pg_user,
-    group   => $::profile::postgresql::pg_user,
-    require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
-  }
-  postgresql::server::config_entry { "wal_level":
-    value   => "logical",
-  }
-  postgresql::server::config_entry { "ssl":
-    value   => "on",
-    require => Letsencrypt::Certonly[$web_host],
-  }
-  postgresql::server::config_entry { "ssl_cert_file":
-    value   => "/var/lib/postgres/data/certs/cert.pem",
-    require => Letsencrypt::Certonly[$web_host],
-  }
-  postgresql::server::config_entry { "ssl_key_file":
-    value   => "/var/lib/postgres/data/certs/privkey.pem",
-    require => Letsencrypt::Certonly[$web_host],
  }
  postgresql::server::db { $pg_db:

diff --git a/modules/profile/files/postgresql_master/pam_postgresql b/modules/profile/files/postgresql_master/pam_postgresql new file mode 100644 index 0000000..70a90ae --- /dev/null +++ b/modules/profile/files/postgresql_master/pam_postgresql
@@ -0,0 +1,3 @@
		1	auth required pam_ldap.so config=/etc/pam_ldap.d/postgresql.conf
		2	account required pam_ldap.so config=/etc/pam_ldap.d/postgresql.conf
		3


diff --git a/modules/profile/manifests/postgresql_master.pp b/modules/profile/manifests/postgresql_master.pp new file mode 100644 index 0000000..3f68890 --- /dev/null +++ b/modules/profile/manifests/postgresql_master.pp
@@ -0,0 +1,116 @@
		1	define profile::postgresql_master (
		2	$letsencrypt_host = undef,
		3	$backup_hosts = [],
		4	) {
		5	$password_seed = lookup("base_installation::puppet_pass_seed")
		6
		7	ensure_resource("file", "/var/lib/postgres/data/certs", {
		8	ensure => directory,
		9	mode => "0700",
		10	owner => $::profile::postgresql::pg_user,
		11	group => $::profile::postgresql::pg_user,
		12	require => File["/var/lib/postgres"],
		13	})
		14
		15	ensure_resource("file", "/var/lib/postgres/data/certs/cert.pem", {
		16	source => "file:///etc/letsencrypt/live/$letsencrypt_host/cert.pem",
		17	mode => "0600",
		18	links => "follow",
		19	owner => $::profile::postgresql::pg_user,
		20	group => $::profile::postgresql::pg_user,
		21	require => [Letsencrypt::Certonly[$letsencrypt_host], File["/var/lib/postgres/data/certs"]]
		22	})
		23
		24	ensure_resource("file", "/var/lib/postgres/data/certs/privkey.pem", {
		25	source => "file:///etc/letsencrypt/live/$letsencrypt_host/privkey.pem",
		26	mode => "0600",
		27	links => "follow",
		28	owner => $::profile::postgresql::pg_user,
		29	group => $::profile::postgresql::pg_user,
		30	require => [Letsencrypt::Certonly[$letsencrypt_host], File["/var/lib/postgres/data/certs"]]
		31	})
		32
		33	ensure_resource("postgresql::server::config_entry", "wal_level", {
		34	value => "logical",
		35	})
		36
		37	ensure_resource("postgresql::server::config_entry", "ssl", {
		38	value => "on",
		39	require => Letsencrypt::Certonly[$letsencrypt_host],
		40	})
		41
		42	ensure_resource("postgresql::server::config_entry", "ssl_cert_file", {
		43	value => "/var/lib/postgres/data/certs/cert.pem",
		44	require => Letsencrypt::Certonly[$letsencrypt_host],
		45	})
		46
		47	ensure_resource("postgresql::server::config_entry", "ssl_key_file", {
		48	value => "/var/lib/postgres/data/certs/privkey.pem",
		49	require => Letsencrypt::Certonly[$letsencrypt_host],
		50	})
		51
		52	$backup_hosts.each \|$backup_host\| {
		53	ensure_packages(["pam_ldap"])
		54
		55	$facts["ldapvar"]["other"].each \|$host\| {
		56	if ($host["cn"][0] == $backup_host) {
		57	$host["ipHostNumber"].each \|$ip\| {
		58	$infos = split($ip, "/")
		59	$ipaddress = $infos[0]
		60	if (length($infos) == 1 and $ipaddress =~ /:/) {
		61	$mask = "128"
		62	} elsif (length($infos) == 1) {
		63	$mask = "32"
		64	} else {
		65	$mask = $infos[1]
		66	}
		67
		68	postgresql::server::pg_hba_rule { "allow TCP access to replication user from backup for replication from $ipaddress/$mask":
		69	type => 'hostssl',
		70	database => 'replication',
		71	user => $backup_host,
		72	address => "$ipaddress/$mask",
		73	auth_method => 'pam',
		74	order => "06-01",
		75	}
		76	}
		77
		78	postgresql::server::role { $backup_host:
		79	replication => true,
		80	}
		81
		82	postgresql_replication_slot { regsubst($backup_host, '-', "_", "G"):
		83	ensure => present
		84	}
		85	}
		86	}
		87
		88	$ldap_server = lookup("base_installation::ldap_server")
		89	$ldap_base = lookup("base_installation::ldap_base")
		90	$ldap_dn = lookup("base_installation::ldap_dn")
		91	$ldap_password = generate_password(24, $password_seed, "ldap")
		92	$ldap_attribute = "cn"
		93
		94	file { "/etc/pam_ldap.d":
		95	ensure => directory,
		96	mode => "0755",
		97	owner => "root",
		98	group => "root",
		99	} ->
		100	file { "/etc/pam_ldap.d/postgresql.conf":
		101	ensure => "present",
		102	mode => "0600",
		103	owner => $::profile::postgresql::pg_user,
		104	group => "root",
		105	content => template("profile/postgresql_master/pam_ldap_postgresql.conf.erb"),
		106	} ->
		107	file { "/etc/pam.d/postgresql":
		108	ensure => "present",
		109	mode => "0644",
		110	owner => "root",
		111	group => "root",
		112	source => "puppet:///modules/profile/postgresql_master/pam_postgresql"
		113	}
		114	}
		115
		116	}


diff --git a/modules/profile/templates/postgresql_master/pam_ldap_postgresql.conf.erb b/modules/profile/templates/postgresql_master/pam_ldap_postgresql.conf.erb new file mode 100644 index 0000000..f3d9674 --- /dev/null +++ b/modules/profile/templates/postgresql_master/pam_ldap_postgresql.conf.erb
@@ -0,0 +1,6 @@
		1	host <%= @ldap_server %>
		2
		3	base <%= @ldap_base %>
		4	binddn <%= @ldap_dn %>
		5	bindpw <%= @ldap_password %>
		6	pam_login_attribute <%= @ldap_attribute %>


diff --git a/modules/role/manifests/etherpad.pp b/modules/role/manifests/etherpad.pp index 476a210..a43f146 100644 --- a/modules/role/manifests/etherpad.pp +++ b/modules/role/manifests/etherpad.pp
@@ -66,54 +66,14 @@ class role::etherpad (
66	subscribe => Aur::Package["etherpad-lite"],	66	subscribe => Aur::Package["etherpad-lite"],
67	}	67	}
68		68
69	$web_host = "outils-1.v.immae.eu"	69	$web_host = "outils-1.v.immae.eu"
70	$pg_db = "etherpad-lite"	70	$pg_db = "etherpad-lite"
71	$pg_user = "etherpad-lite"	71	$pg_user = "etherpad-lite"
72	$pg_password = generate_password(24, $password_seed, "postgres_etherpad")	72	$pg_password = generate_password(24, $password_seed, "postgres_etherpad")
73		73
74	file { "/var/lib/postgres/data/certs":	74	profile::postgresql_master { "postgresql master for etherpad":
75	ensure => directory,	75	letsencrypt_host => $web_host,
76	mode => "0700",	76	backup_hosts => ["backup-1"],
77	owner => $::profile::postgresql::pg_user,
78	group => $::profile::postgresql::pg_user,
79	require => File["/var/lib/postgres"],
80	}
81
82	file { "/var/lib/postgres/data/certs/cert.pem":
83	source => "file:///etc/letsencrypt/live/$web_host/cert.pem",
84	mode => "0600",
85	links => "follow",
86	owner => $::profile::postgresql::pg_user,
87	group => $::profile::postgresql::pg_user,
88	require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
89	}
90
91	file { "/var/lib/postgres/data/certs/privkey.pem":
92	source => "file:///etc/letsencrypt/live/$web_host/privkey.pem",
93	mode => "0600",
94	links => "follow",
95	owner => $::profile::postgresql::pg_user,
96	group => $::profile::postgresql::pg_user,
97	require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
98	}
99
100	postgresql::server::config_entry { "wal_level":
101	value => "logical",
102	}
103
104	postgresql::server::config_entry { "ssl":
105	value => "on",
106	require => Letsencrypt::Certonly[$web_host],
107	}
108
109	postgresql::server::config_entry { "ssl_cert_file":
110	value => "/var/lib/postgres/data/certs/cert.pem",
111	require => Letsencrypt::Certonly[$web_host],
112	}
113
114	postgresql::server::config_entry { "ssl_key_file":
115	value => "/var/lib/postgres/data/certs/privkey.pem",
116	require => Letsencrypt::Certonly[$web_host],
117	}	77	}
118		78
119	postgresql::server::db { $pg_db:	79	postgresql::server::db { $pg_db: