aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--modules/profile/manifests/postgresql.pp3
-rw-r--r--modules/profile/manifests/tools.pp2
-rw-r--r--modules/role/manifests/cryptoportfolio.pp97
3 files changed, 98 insertions, 4 deletions
diff --git a/modules/profile/manifests/postgresql.pp b/modules/profile/manifests/postgresql.pp
index 8dcc4cb..1024c66 100644
--- a/modules/profile/manifests/postgresql.pp
+++ b/modules/profile/manifests/postgresql.pp
@@ -22,7 +22,8 @@ class profile::postgresql {
22 } 22 }
23 23
24 class { '::postgresql::server': 24 class { '::postgresql::server':
25 postgres_password => generate_password(24, $password_seed, "postgres") 25 postgres_password => generate_password(24, $password_seed, "postgres"),
26 listen_addresses => "*",
26 } 27 }
27 28
28 postgresql::server::pg_hba_rule { 'local access as postgres user': 29 postgresql::server::pg_hba_rule { 'local access as postgres user':
diff --git a/modules/profile/manifests/tools.pp b/modules/profile/manifests/tools.pp
index 52e3cea..0b0ab46 100644
--- a/modules/profile/manifests/tools.pp
+++ b/modules/profile/manifests/tools.pp
@@ -1,3 +1,3 @@
1class profile::tools { 1class profile::tools {
2 ensure_packages(['vim', 'bash-completion']) 2 ensure_packages(['vim', 'bash-completion', 'net-tools'])
3} 3}
diff --git a/modules/role/manifests/cryptoportfolio.pp b/modules/role/manifests/cryptoportfolio.pp
index 05f2c59..e14d43d 100644
--- a/modules/role/manifests/cryptoportfolio.pp
+++ b/modules/role/manifests/cryptoportfolio.pp
@@ -8,8 +8,10 @@ class role::cryptoportfolio {
8 $password_seed = lookup("base_installation::puppet_pass_seed") |$key| { {} } 8 $password_seed = lookup("base_installation::puppet_pass_seed") |$key| { {} }
9 9
10 $cf_pg_user = "cryptoportfolio" 10 $cf_pg_user = "cryptoportfolio"
11 $cf_pg_user_replication = "cryptoportfolio_replication"
11 $cf_pg_db = "cryptoportfolio" 12 $cf_pg_db = "cryptoportfolio"
12 $cf_pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio") 13 $cf_pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio")
14 $cf_pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication")
13 $cf_pg_host = "localhost:5432" 15 $cf_pg_host = "localhost:5432"
14 16
15 $cf_user = "cryptoportfolio" 17 $cf_user = "cryptoportfolio"
@@ -27,9 +29,87 @@ class role::cryptoportfolio {
27 29
28 $cf_front_app_static_conf = "${cf_front_app}/cmd/web/env/prod.env" 30 $cf_front_app_static_conf = "${cf_front_app}/cmd/web/env/prod.env"
29 31
32 file { "/var/lib/postgres/data/certs":
33 ensure => directory,
34 mode => "0700",
35 owner => $::profile::postgresql::pg_user,
36 group => $::profile::postgresql::pg_user,
37 require => File["/var/lib/postgres"],
38 }
39
40 file { "/var/lib/postgres/data/certs/cert.pem":
41 source => "file:///etc/letsencrypt/live/$cf_front_app_host/cert.pem",
42 mode => "0600",
43 links => "follow",
44 owner => $::profile::postgresql::pg_user,
45 group => $::profile::postgresql::pg_user,
46 require => [Letsencrypt::Certonly[$cf_front_app_host], File["/var/lib/postgres/data/certs"]]
47 }
48
49 file { "/var/lib/postgres/data/certs/privkey.pem":
50 source => "file:///etc/letsencrypt/live/$cf_front_app_host/privkey.pem",
51 mode => "0600",
52 links => "follow",
53 owner => $::profile::postgresql::pg_user,
54 group => $::profile::postgresql::pg_user,
55 require => [Letsencrypt::Certonly[$cf_front_app_host], File["/var/lib/postgres/data/certs"]]
56 }
57
58 postgresql::server::config_entry { "wal_level":
59 value => "logical",
60 }
61
62 postgresql::server::config_entry { "ssl":
63 value => "on",
64 require => Letsencrypt::Certonly[$cf_front_app_host],
65 }
66
67 postgresql::server::config_entry { "ssl_cert_file":
68 value => "/var/lib/postgres/data/certs/cert.pem",
69 require => Letsencrypt::Certonly[$cf_front_app_host],
70 }
71
72 postgresql::server::config_entry { "ssl_key_file":
73 value => "/var/lib/postgres/data/certs/privkey.pem",
74 require => Letsencrypt::Certonly[$cf_front_app_host],
75 }
76
30 postgresql::server::db { $cf_pg_db: 77 postgresql::server::db { $cf_pg_db:
31 user => $cf_pg_user, 78 user => $cf_pg_user,
32 password => postgresql_password($cf_pg_user, $cf_pg_password) 79 password => postgresql_password($cf_pg_user, $cf_pg_password),
80 }
81 ->
82 postgresql_psql { "CREATE PUBLICATION ${cf_pg_db}_publication FOR ALL TABLES":
83 db => $cf_pg_db,
84 unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${cf_pg_db}_publication'",
85 }
86 ->
87 postgresql::server::role { $cf_pg_user_replication:
88 db => $cf_pg_db,
89 replication => true,
90 password_hash => postgresql_password($cf_pg_user_replication, $cf_pg_replication_password),
91 }
92 ->
93 postgresql::server::database_grant { $cf_pg_user_replication:
94 db => $cf_pg_db,
95 privilege => "CONNECT",
96 role => $cf_pg_user_replication,
97 }
98 ->
99 postgresql::server::grant { "all tables in schema:public:$cf_pg_user_replication":
100 db => $cf_pg_db,
101 role => $cf_pg_user_replication,
102 privilege => "SELECT",
103 object_type => "ALL TABLES IN SCHEMA",
104 object_name => "public",
105 }
106 ->
107 postgresql::server::grant { "all sequences in schema:public:$cf_pg_user_replication":
108 db => $cf_pg_db,
109 role => $cf_pg_user_replication,
110 privilege => "SELECT",
111 object_type => "ALL SEQUENCES IN SCHEMA",
112 object_name => "public",
33 } 113 }
34 114
35 postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user': 115 postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user':
@@ -49,6 +129,15 @@ class role::cryptoportfolio {
49 order => "b0", 129 order => "b0",
50 } 130 }
51 131
132 postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu':
133 type => 'hostssl',
134 database => $cf_pg_db,
135 user => $cf_pg_user_replication,
136 address => 'immae.eu',
137 auth_method => 'md5',
138 order => "b0",
139 }
140
52 letsencrypt::certonly { $cf_front_app_host: ; 141 letsencrypt::certonly { $cf_front_app_host: ;
53 default: * => $::profile::apache::letsencrypt_certonly_default; 142 default: * => $::profile::apache::letsencrypt_certonly_default;
54 } 143 }
@@ -157,7 +246,10 @@ class role::cryptoportfolio {
157 service { 'cryptoportfolio-app': 246 service { 'cryptoportfolio-app':
158 enable => true, 247 enable => true,
159 ensure => "running", 248 ensure => "running",
160 require => [File["/etc/systemd/system/cryptoportfolio-app.service"]], 249 require => [
250 File["/etc/systemd/system/cryptoportfolio-app.service"],
251 Postgresql::Server::Db[$cf_pg_db]
252 ],
161 } 253 }
162 254
163 file { $cf_front_app_api_conf: 255 file { $cf_front_app_api_conf:
@@ -199,4 +291,5 @@ class role::cryptoportfolio {
199 } 291 }
200 } 292 }
201 293
294 # TODO: xmr_stack
202} 295}