-rw-r--r-- | modules/profile/manifests/postgresql.pp | 3 | ||||
-rw-r--r-- | modules/profile/manifests/tools.pp | 2 | ||||
-rw-r--r-- | modules/role/manifests/cryptoportfolio.pp | 97 |
3 files changed, 98 insertions, 4 deletions
diff --git a/modules/profile/manifests/postgresql.pp b/modules/profile/manifests/postgresql.pp index 8dcc4cb..1024c66 100644 --- a/modules/profile/manifests/postgresql.pp +++ b/modules/profile/manifests/postgresql.pp | |||
@@ -22,7 +22,8 @@ class profile::postgresql { | |||
22 | } | 22 | } |
23 | 23 | ||
24 | class { '::postgresql::server': | 24 | class { '::postgresql::server': |
25 | postgres_password => generate_password(24, $password_seed, "postgres") | 25 | postgres_password => generate_password(24, $password_seed, "postgres"), |
26 | listen_addresses => "*", | ||
26 | } | 27 | } |
27 | 28 | ||
28 | postgresql::server::pg_hba_rule { 'local access as postgres user': | 29 | postgresql::server::pg_hba_rule { 'local access as postgres user': |
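Review bot: The new `listen_addresses => "*"` on the `::postgresql::server` class binds PostgreSQL to every interface, so from this point the pg_hba rules (and any host firewall, which is not visible in this diff) are the only thing keeping the port from being reachable by arbitrary hosts. If the only remote client is the replication peer, consider restricting the bind address to the interface that peer reaches, e.g. `listen_addresses => $facts['networking']['ip'],` or an explicit list, and confirming the firewall only admits that peer to 5432. At minimum a comment such as `# exposed for logical replication; access is restricted by pg_hba rules in role::cryptoportfolio` would record why the default of localhost was dropped.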
diff --git a/modules/profile/manifests/tools.pp b/modules/profile/manifests/tools.pp index 52e3cea..0b0ab46 100644 --- a/modules/profile/manifests/tools.pp +++ b/modules/profile/manifests/tools.pp | |||
@@ -1,3 +1,3 @@ | |||
1 | class profile::tools { | 1 | class profile::tools { |
2 | ensure_packages(['vim', 'bash-completion']) | 2 | ensure_packages(['vim', 'bash-completion', 'net-tools']) |
3 | } | 3 | } |
diff --git a/modules/role/manifests/cryptoportfolio.pp b/modules/role/manifests/cryptoportfolio.pp index 05f2c59..e14d43d 100644 --- a/modules/role/manifests/cryptoportfolio.pp +++ b/modules/role/manifests/cryptoportfolio.pp | |||
@@ -8,8 +8,10 @@ class role::cryptoportfolio { | |||
8 | $password_seed = lookup("base_installation::puppet_pass_seed") |$key| { {} } | 8 | $password_seed = lookup("base_installation::puppet_pass_seed") |$key| { {} } |
9 | 9 | ||
10 | $cf_pg_user = "cryptoportfolio" | 10 | $cf_pg_user = "cryptoportfolio" |
11 | $cf_pg_user_replication = "cryptoportfolio_replication" | ||
11 | $cf_pg_db = "cryptoportfolio" | 12 | $cf_pg_db = "cryptoportfolio" |
12 | $cf_pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio") | 13 | $cf_pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio") |
14 | $cf_pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication") | ||
13 | $cf_pg_host = "localhost:5432" | 15 | $cf_pg_host = "localhost:5432" |
14 | 16 | ||
15 | $cf_user = "cryptoportfolio" | 17 | $cf_user = "cryptoportfolio" |
@@ -27,9 +29,87 @@ class role::cryptoportfolio { | |||
27 | 29 | ||
28 | $cf_front_app_static_conf = "${cf_front_app}/cmd/web/env/prod.env" | 30 | $cf_front_app_static_conf = "${cf_front_app}/cmd/web/env/prod.env" |
29 | 31 | ||
32 | file { "/var/lib/postgres/data/certs": | ||
33 | ensure => directory, | ||
34 | mode => "0700", | ||
35 | owner => $::profile::postgresql::pg_user, | ||
36 | group => $::profile::postgresql::pg_user, | ||
37 | require => File["/var/lib/postgres"], | ||
38 | } | ||
39 | |||
40 | file { "/var/lib/postgres/data/certs/cert.pem": | ||
41 | source => "file:///etc/letsencrypt/live/$cf_front_app_host/cert.pem", | ||
42 | mode => "0600", | ||
43 | links => "follow", | ||
44 | owner => $::profile::postgresql::pg_user, | ||
45 | group => $::profile::postgresql::pg_user, | ||
46 | require => [Letsencrypt::Certonly[$cf_front_app_host], File["/var/lib/postgres/data/certs"]] | ||
47 | } | ||
48 | |||
49 | file { "/var/lib/postgres/data/certs/privkey.pem": | ||
50 | source => "file:///etc/letsencrypt/live/$cf_front_app_host/privkey.pem", | ||
51 | mode => "0600", | ||
52 | links => "follow", | ||
53 | owner => $::profile::postgresql::pg_user, | ||
54 | group => $::profile::postgresql::pg_user, | ||
55 | require => [Letsencrypt::Certonly[$cf_front_app_host], File["/var/lib/postgres/data/certs"]] | ||
56 | } | ||
57 | |||
58 | postgresql::server::config_entry { "wal_level": | ||
59 | value => "logical", | ||
60 | } | ||
61 | |||
62 | postgresql::server::config_entry { "ssl": | ||
63 | value => "on", | ||
64 | require => Letsencrypt::Certonly[$cf_front_app_host], | ||
65 | } | ||
66 | |||
67 | postgresql::server::config_entry { "ssl_cert_file": | ||
68 | value => "/var/lib/postgres/data/certs/cert.pem", | ||
69 | require => Letsencrypt::Certonly[$cf_front_app_host], | ||
70 | } | ||
71 | |||
72 | postgresql::server::config_entry { "ssl_key_file": | ||
73 | value => "/var/lib/postgres/data/certs/privkey.pem", | ||
74 | require => Letsencrypt::Certonly[$cf_front_app_host], | ||
75 | } | ||
76 | |||
30 | postgresql::server::db { $cf_pg_db: | 77 | postgresql::server::db { $cf_pg_db: |
31 | user => $cf_pg_user, | 78 | user => $cf_pg_user, |
32 | password => postgresql_password($cf_pg_user, $cf_pg_password) | 79 | password => postgresql_password($cf_pg_user, $cf_pg_password), |
80 | } | ||
81 | -> | ||
82 | postgresql_psql { "CREATE PUBLICATION ${cf_pg_db}_publication FOR ALL TABLES": | ||
83 | db => $cf_pg_db, | ||
84 | unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${cf_pg_db}_publication'", | ||
85 | } | ||
86 | -> | ||
87 | postgresql::server::role { $cf_pg_user_replication: | ||
88 | db => $cf_pg_db, | ||
89 | replication => true, | ||
90 | password_hash => postgresql_password($cf_pg_user_replication, $cf_pg_replication_password), | ||
91 | } | ||
92 | -> | ||
93 | postgresql::server::database_grant { $cf_pg_user_replication: | ||
94 | db => $cf_pg_db, | ||
95 | privilege => "CONNECT", | ||
96 | role => $cf_pg_user_replication, | ||
97 | } | ||
98 | -> | ||
99 | postgresql::server::grant { "all tables in schema:public:$cf_pg_user_replication": | ||
100 | db => $cf_pg_db, | ||
101 | role => $cf_pg_user_replication, | ||
102 | privilege => "SELECT", | ||
103 | object_type => "ALL TABLES IN SCHEMA", | ||
104 | object_name => "public", | ||
105 | } | ||
106 | -> | ||
107 | postgresql::server::grant { "all sequences in schema:public:$cf_pg_user_replication": | ||
108 | db => $cf_pg_db, | ||
109 | role => $cf_pg_user_replication, | ||
110 | privilege => "SELECT", | ||
111 | object_type => "ALL SEQUENCES IN SCHEMA", | ||
112 | object_name => "public", | ||
33 | } | 113 | } |
34 | 114 | ||
35 | postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user': | 115 | postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user': |
@@ -49,6 +129,15 @@ class role::cryptoportfolio { | |||
49 | order => "b0", | 129 | order => "b0", |
50 | } | 130 | } |
51 | 131 | ||
132 | postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu': | ||
133 | type => 'hostssl', | ||
134 | database => $cf_pg_db, | ||
135 | user => $cf_pg_user_replication, | ||
136 | address => 'immae.eu', | ||
137 | auth_method => 'md5', | ||
138 | order => "b0", | ||
139 | } | ||
140 | |||
52 | letsencrypt::certonly { $cf_front_app_host: ; | 141 | letsencrypt::certonly { $cf_front_app_host: ; |
53 | default: * => $::profile::apache::letsencrypt_certonly_default; | 142 | default: * => $::profile::apache::letsencrypt_certonly_default; |
54 | } | 143 | } |
@@ -157,7 +246,10 @@ class role::cryptoportfolio { | |||
157 | service { 'cryptoportfolio-app': | 246 | service { 'cryptoportfolio-app': |
158 | enable => true, | 247 | enable => true, |
159 | ensure => "running", | 248 | ensure => "running", |
160 | require => [File["/etc/systemd/system/cryptoportfolio-app.service"]], | 249 | require => [ |
250 | File["/etc/systemd/system/cryptoportfolio-app.service"], | ||
251 | Postgresql::Server::Db[$cf_pg_db] | ||
252 | ], | ||
161 | } | 253 | } |
162 | 254 | ||
163 | file { $cf_front_app_api_conf: | 255 | file { $cf_front_app_api_conf: |
@@ -199,4 +291,5 @@ class role::cryptoportfolio { | |||
199 | } | 291 | } |
200 | } | 292 | } |
201 | 293 | ||
294 | # TODO: xmr_stack | ||
202 | } | 295 | } |
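Review bot: In the `allow TCP access to replication user from immae.eu` pg_hba rule (new lines 132–139), `address => 'immae.eu'` makes PostgreSQL authenticate the peer by reverse-then-forward DNS resolution of the client IP, so the control depends on DNS integrity rather than on the network address; an explicit `address => '<replica-ip>/32'` is the usual choice, and `auth_method => 'scram-sha-256'` is preferable to `md5` if the installed PostgreSQL is 10 or newer (the version is not visible here). The three `file` resources that copy the Let's Encrypt material into `/var/lib/postgres/data/certs` (new lines 32–56) have no `notify`, so after a certificate renewal the server keeps serving the old chain until something else reloads it; a `notify` on whichever service resource the postgresql module manages would close that gap — I cannot see its name from this diff. Separately, the `SELECT` grants on `ALL TABLES IN SCHEMA`/`ALL SEQUENCES IN SCHEMA` only cover objects that exist at apply time, while `FOR ALL TABLES` publication includes future tables, so initial sync of tables created later by the application may fail without an `ALTER DEFAULT PRIVILEGES` for the owning role.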