-rw-r--r--environments/global/roles/etherpad.yaml2
-rw-r--r--modules/profile/manifests/postgresql/master.pp49
-rw-r--r--modules/profile/manifests/postgresql/replication.pp5
-rw-r--r--modules/role/manifests/etherpad.pp24
4 files changed, 72 insertions, 8 deletions
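diff --git a/environments/global/roles/etherpad.yaml b/environments/global/roles/etherpad.yaml
index f8781e1..6210fcf 100644
--- a/environments/global/roles/etherpad.yaml
+++ b/environments/global/roles/etherpad.yaml
@@ -1,3 +1,5 @@
 ---
 classes:
  role::etherpad: ~
+letsencrypt::hosts: "ether.%{lookup('base_installation::real_hostname')}"
+role::etherpad::web_host: "ether.%{lookup('base_installation::real_hostname')}"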
diff --git a/modules/profile/manifests/postgresql/master.pp b/modules/profile/manifests/postgresql/master.pp
index 969905f..02315a6 100644
--- a/modules/profile/manifests/postgresql/master.pp
+++ b/modules/profile/manifests/postgresql/master.pp
@@ -1,8 +1,51 @@
1define profile::postgresql::master ( 1define profile::postgresql::master (
2 $letsencrypt_host = undef, 2 $letsencrypt_host = undef,
3 $backup_hosts = [], 3 $backup_hosts = [],
4 Optional[String] $pg_user = "postgres",
5 Optional[String] $pg_group = "postgres",
4) { 6) {
5 profile::postgresql::ssl { "/var/lib/postgres/data": 7 $pg_path = "/var/lib/postgres"
8 $pg_data_path = "$pg_path/data"
9
10 $postgresql_backup_port = $facts.dig("ldapvar", "self", "vars", "postgresql_backup_port", 0)
11 if ($postgresql_backup_port and !empty($backup_hosts)) {
12 $password_seed = lookup("base_installation::puppet_pass_seed")
13 $ldap_cn = lookup("base_installation::ldap_cn")
14 $ldap_password = generate_password(24, $password_seed, "ldap")
15
16 $host = find_host($facts["ldapvar"]["other"], $backup_hosts[0])
17 if empty($host) {
18 fail("No backup host to recover from")
19 } elsif has_key($host["vars"], "host") {
20 $pg_backup_host = $host["vars"]["host"][0]
21 } else {
22 $pg_backup_host = $host["vars"]["real_hostname"][0]
23 }
24
25 exec { "pg_basebackup $pg_data_path":
26 cwd => $pg_path,
27 user => $pg_user,
28 creates => "$pg_data_path/PG_VERSION",
29 environment => ["PGPASSWORD=$ldap_password"],
30 command => "/usr/bin/pg_basebackup -w -h $pg_backup_host -p $postgresql_backup_port -U $ldap_cn -D $pg_data_path",
31 before => File[$pg_data_path],
32 require => File[$pg_path],
33 notify => Exec["cleanup pg_basebackup $pg_data_path"],
34 } -> file { "$pg_data_path/recovery.conf":
35 before => Concat["$pg_data_path/pg_hba.conf"],
36 ensure => absent,
37 }
38
39 exec { "cleanup pg_basebackup $pg_data_path":
40 refreshonly => true,
41 cwd => $pg_path,
42 user => $pg_user,
43 before => Class["postgresql::server::config"],
44 command => "/usr/bin/rm -f $pg_data_path/postgresql.conf && touch $pg_data_path/postgresql.conf",
45 }
46 }
47
48 profile::postgresql::ssl { $pg_data_path:
6 cert => "/etc/letsencrypt/live/$letsencrypt_host/cert.pem", 49 cert => "/etc/letsencrypt/live/$letsencrypt_host/cert.pem",
7 key => "/etc/letsencrypt/live/$letsencrypt_host/privkey.pem", 50 key => "/etc/letsencrypt/live/$letsencrypt_host/privkey.pem",
8 require => Letsencrypt::Certonly[$letsencrypt_host], 51 require => Letsencrypt::Certonly[$letsencrypt_host],
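Review bot: The `pg_basebackup` exec (new lines 25–33) seeds the whole data directory from `$pg_backup_host` without pinning a TLS mode, so libpq uses its default `sslmode=prefer`, which neither requires encryption nor verifies the server that receives `PGPASSWORD`. Because the host name and port are taken from LDAP facts, I would pin the mode in the exec's environment, `environment => ["PGPASSWORD=$ldap_password", "PGSSLMODE=verify-full"],`; this assumes the backup host presents a certificate for that name and that a trusted root is available to `$pg_user`, neither of which is visible here. The cleanup exec's command relies on `&&` and an unqualified `touch` while setting neither `path` nor `provider => shell`, so whether both halves run depends on how the default provider hands the string to the system; an explicit `provider => shell` or a `file` resource would make that dependable. The define's body continues past the end of this hunk.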
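diff --git a/modules/profile/manifests/postgresql/replication.pp b/modules/profile/manifests/postgresql/replication.pp
index 2fcb71c..b050058 100644
--- a/modules/profile/manifests/postgresql/replication.pp
+++ b/modules/profile/manifests/postgresql/replication.pp
@@ -52,6 +52,7 @@ define profile::postgresql::replication (
  if $handle_role {
  postgresql::server::role { $host_cn:
  replication => true,
+ require => Service["postgresql"],
  }
 
  if $add_self_role {
@@ -60,13 +61,15 @@ define profile::postgresql::replication (
  # Needed to be replicated to the backup and be able to recover later
  ensure_resource("postgresql::server::role", $ldap_cn, {
  replication => true,
+ require => Service["postgresql"],
  })
  }
  }
 
  if $handle_slot {
  postgresql_replication_slot { regsubst($host_cn, '-', "_", "G"):
- ensure => present
+ ensure => present,
+ require => Service["postgresql"],
  }
  }
 }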
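diff --git a/modules/role/manifests/etherpad.pp b/modules/role/manifests/etherpad.pp
index 28b9eb6..5ab5023 100644
--- a/modules/role/manifests/etherpad.pp
+++ b/modules/role/manifests/etherpad.pp
@@ -1,8 +1,9 @@
 class role::etherpad (
+ String $web_host,
 ) {
  $password_seed = lookup("base_installation::puppet_pass_seed")
- $web_host = lookup("base_installation::real_hostname")
- $web_listen = "0.0.0.0"
+ $real_host = lookup("base_installation::real_hostname")
+ $web_listen = "127.0.0.1"
  $web_port = 18000
  $pg_db = "etherpad-lite"
  $pg_user = "etherpad-lite"
@@ -83,12 +84,12 @@ class role::etherpad (
  service { "etherpad-lite":
  enable => true,
  ensure => "running",
- require => Aur::Package["etherpad-lite"],
+ require => [Aur::Package["etherpad-lite"], Service["postgresql"]],
  subscribe => Aur::Package["etherpad-lite"],
  }
 
  profile::postgresql::master { "postgresql master for etherpad":
- letsencrypt_host => $web_host,
+ letsencrypt_host => $real_host,
  backup_hosts => ["backup-1"],
  }
 
@@ -105,4 +106,19 @@ class role::etherpad (
  order => "05-01",
  }
 
+ class { 'apache::mod::headers': }
+ apache::vhost { $web_host:
+ port => '443',
+ docroot => false,
+ manage_docroot => false,
+ proxy_dest => "http://localhost:18000",
+ request_headers => 'set X-Forwarded-Proto "https"',
+ ssl => true,
+ ssl_cert => "/etc/letsencrypt/live/$web_host/cert.pem",
+ ssl_key => "/etc/letsencrypt/live/$web_host/privkey.pem",
+ ssl_chain => "/etc/letsencrypt/live/$web_host/chain.pem",
+ require => Letsencrypt::Certonly[$web_host],
+ proxy_preserve_host => true;
+ default: * => $::profile::apache::apache_vhost_default;
+ }
 }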
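Review bot: In the `apache::vhost` added at the end of the class, `proxy_dest` hard-codes `http://localhost:18000` even though the same commit binds etherpad to `$web_listen = "127.0.0.1"` and the port is already held in `$web_port`. Where `localhost` resolves to `::1` first the proxy can miss the IPv4-only listener, and a later port change would leave the TLS vhost forwarding to whatever else is bound to 18000; I would write `proxy_dest => "http://${web_listen}:${web_port}",`. The vhost overwrites `X-Forwarded-Proto`, which suits a TLS-terminating proxy, but whether etherpad is configured to trust forwarded headers only from this proxy is outside the visible hunks.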