diff options
7 files changed, 276 insertions, 0 deletions
diff --git a/modules/role/files/cryptoportfolio/pam_postgresql b/modules/role/files/cryptoportfolio/pam_postgresql new file mode 100644 index 0000000..70a90ae --- /dev/null +++ b/modules/role/files/cryptoportfolio/pam_postgresql | |||
@@ -0,0 +1,3 @@ | |||
1 | auth required pam_ldap.so config=/etc/pam_ldap.d/postgresql.conf | ||
2 | account required pam_ldap.so config=/etc/pam_ldap.d/postgresql.conf | ||
3 | |||
diff --git a/modules/role/manifests/backup.pp b/modules/role/manifests/backup.pp index ab485b0..37e6138 100644 --- a/modules/role/manifests/backup.pp +++ b/modules/role/manifests/backup.pp | |||
@@ -14,6 +14,7 @@ class role::backup ( | |||
14 | include "profile::xmr_stak" | 14 | include "profile::xmr_stak" |
15 | include "profile::known_hosts" | 15 | include "profile::known_hosts" |
16 | include "profile::boinc" | 16 | include "profile::boinc" |
17 | include "role::cryptoportfolio::postgresql_backup" | ||
17 | 18 | ||
18 | ensure_packages(["rsync"]) | 19 | ensure_packages(["rsync"]) |
19 | 20 | ||
diff --git a/modules/role/manifests/cryptoportfolio/postgresql.pp b/modules/role/manifests/cryptoportfolio/postgresql.pp index 5db5e25..d951874 100644 --- a/modules/role/manifests/cryptoportfolio/postgresql.pp +++ b/modules/role/manifests/cryptoportfolio/postgresql.pp | |||
@@ -126,4 +126,70 @@ class role::cryptoportfolio::postgresql inherits role::cryptoportfolio { | |||
126 | order => "05-02", | 126 | order => "05-02", |
127 | } | 127 | } |
128 | 128 | ||
129 | $backup_host = "backup-1" | ||
130 | |||
131 | unless empty($backup_host) { | ||
132 | ensure_packages(["pam_ldap"]) | ||
133 | |||
134 | $facts["ldapvar"]["other"].each |$host| { | ||
135 | if ($host["cn"][0] == $backup_host) { | ||
136 | $host["ipHostNumber"].each |$ip| { | ||
137 | $infos = split($ip, "/") | ||
138 | $ipaddress = $infos[0] | ||
139 | if (length($infos) == 1 and $ipaddress =~ /:/) { | ||
140 | $mask = "128" | ||
141 | } elsif (length($infos) == 1) { | ||
142 | $mask = "32" | ||
143 | } else { | ||
144 | $mask = $infos[1] | ||
145 | } | ||
146 | |||
147 | postgresql::server::pg_hba_rule { "allow TCP access to replication user from backup for replication from $ipaddress/$mask": | ||
148 | type => 'hostssl', | ||
149 | database => 'replication', | ||
150 | user => 'all', | ||
151 | address => "$ipaddress/$mask", | ||
152 | auth_method => 'pam', | ||
153 | order => "06-01", | ||
154 | } | ||
155 | } | ||
156 | |||
157 | postgresql::server::role { $backup_host: | ||
158 | replication => true, | ||
159 | } | ||
160 | |||
161 | postgresql_replication_slot { regsubst($backup_host, '-', "_", "G"): | ||
162 | ensure => present | ||
163 | } | ||
164 | } | ||
165 | } | ||
166 | |||
167 | $ldap_server = lookup("base_installation::ldap_server") | ||
168 | $ldap_base = lookup("base_installation::ldap_base") | ||
169 | $ldap_dn = lookup("base_installation::ldap_dn") | ||
170 | $ldap_password = generate_password(24, $password_seed, "ldap") | ||
171 | $ldap_attribute = "cn" | ||
172 | |||
173 | file { "/etc/pam_ldap.d": | ||
174 | ensure => directory, | ||
175 | mode => "0755", | ||
176 | owner => "root", | ||
177 | group => "root", | ||
178 | } -> | ||
179 | file { "/etc/pam_ldap.d/postgresql.conf": | ||
180 | ensure => "present", | ||
181 | mode => "0644", | ||
182 | owner => "root", | ||
183 | group => "root", | ||
184 | content => template("role/cryptoportfolio/pam_ldap_postgresql.conf.erb"), | ||
185 | } -> | ||
186 | file { "/etc/pam.d/postgresql": | ||
187 | ensure => "present", | ||
188 | mode => "0644", | ||
189 | owner => "root", | ||
190 | group => "root", | ||
191 | source => "puppet:///modules/role/cryptoportfolio/pam_postgresql" | ||
192 | } | ||
193 | } | ||
194 | |||
129 | } | 195 | } |
diff --git a/modules/role/manifests/cryptoportfolio/postgresql_backup.pp b/modules/role/manifests/cryptoportfolio/postgresql_backup.pp new file mode 100644 index 0000000..c6ca0fa --- /dev/null +++ b/modules/role/manifests/cryptoportfolio/postgresql_backup.pp | |||
@@ -0,0 +1,161 @@ | |||
1 | class role::cryptoportfolio::postgresql_backup inherits role::backup { | ||
2 | # This manifest is supposed to be part of the backup server | ||
3 | |||
4 | $password_seed = lookup("base_installation::puppet_pass_seed") | ||
5 | |||
6 | $user = lookup("role::backup::user") | ||
7 | $group = lookup("role::backup::group") | ||
8 | $pg_user = "postgres" | ||
9 | $pg_group = "postgres" | ||
10 | |||
11 | $ldap_cn = lookup("base_installation::ldap_cn") | ||
12 | $ldap_password = generate_password(24, $password_seed, "ldap") | ||
13 | $pg_slot = regsubst($ldap_cn, '-', "_", "G") | ||
14 | |||
15 | ensure_packages(["postgresql"]) | ||
16 | |||
17 | $pg_backup_hosts = ["cryptoportfolio-dev.immae.eu"] | ||
18 | |||
19 | $pg_backup_hosts.each |$pg_backup_host| { | ||
20 | $pg_path = "$mountpoint/$pg_backup_host/postgresql" | ||
21 | $pg_host = "$pg_backup_host" | ||
22 | $pg_port = "5432" | ||
23 | |||
24 | file { "$mountpoint/$pg_backup_host": | ||
25 | ensure => directory, | ||
26 | owner => $user, | ||
27 | group => $group, | ||
28 | } | ||
29 | |||
30 | file { $pg_path: | ||
31 | ensure => directory, | ||
32 | owner => $pg_user, | ||
33 | group => $pg_group, | ||
34 | mode => "0700", | ||
35 | require => File["$mountpoint/$pg_backup_host"], | ||
36 | } | ||
37 | |||
38 | exec { "pg_basebackup $pg_path": | ||
39 | cwd => $pg_path, | ||
40 | user => $pg_user, | ||
41 | creates => "$pg_path/PG_VERSION", | ||
42 | environment => ["PGPASSWORD=$ldap_password"], | ||
43 | command => "/usr/bin/pg_basebackup -w -h $pg_host -U $ldap_cn -D $pg_path -S $pg_slot", | ||
44 | before => [ | ||
45 | Concat["$pg_path/pg_hba.conf"], | ||
46 | Concat["$pg_path/recovery.conf"], | ||
47 | File["$pg_path/postgresql.conf"], | ||
48 | ] | ||
49 | } | ||
50 | |||
51 | concat { "$pg_path/pg_hba.conf": | ||
52 | owner => $pg_user, | ||
53 | group => $pg_group, | ||
54 | mode => '0640', | ||
55 | warn => true, | ||
56 | } | ||
57 | postgresql::server::pg_hba_rule { "$pg_backup_host - local access as postgres user": | ||
58 | description => 'Allow local access to postgres user', | ||
59 | type => 'local', | ||
60 | database => 'all', | ||
61 | user => $pg_user, | ||
62 | auth_method => 'ident', | ||
63 | order => "00-01", | ||
64 | target => "$pg_path/pg_hba.conf", | ||
65 | postgresql_version => "10", | ||
66 | } | ||
67 | postgresql::server::pg_hba_rule { "$pg_backup_host - localhost access as postgres user": | ||
68 | description => 'Allow localhost access to postgres user', | ||
69 | type => 'host', | ||
70 | database => 'all', | ||
71 | user => $pg_user, | ||
72 | address => "127.0.0.1/32", | ||
73 | auth_method => 'md5', | ||
74 | order => "00-02", | ||
75 | target => "$pg_path/pg_hba.conf", | ||
76 | postgresql_version => "10", | ||
77 | } | ||
78 | postgresql::server::pg_hba_rule { "$pg_backup_host - localhost ip6 access as postgres user": | ||
79 | description => 'Allow localhost access to postgres user', | ||
80 | type => 'host', | ||
81 | database => 'all', | ||
82 | user => $pg_user, | ||
83 | address => "::1/128", | ||
84 | auth_method => 'md5', | ||
85 | order => "00-03", | ||
86 | target => "$pg_path/pg_hba.conf", | ||
87 | postgresql_version => "10", | ||
88 | } | ||
89 | postgresql::server::pg_hba_rule { "$pg_backup_host - deny access to postgresql user": | ||
90 | description => 'Deny remote access to postgres user', | ||
91 | type => 'host', | ||
92 | database => 'all', | ||
93 | user => $pg_user, | ||
94 | address => "0.0.0.0/0", | ||
95 | auth_method => 'reject', | ||
96 | order => "00-04", | ||
97 | target => "$pg_path/pg_hba.conf", | ||
98 | postgresql_version => "10", | ||
99 | } | ||
100 | |||
101 | postgresql::server::pg_hba_rule { "$pg_backup_host - local access": | ||
102 | description => 'Allow local access with password', | ||
103 | type => 'local', | ||
104 | database => 'all', | ||
105 | user => 'all', | ||
106 | auth_method => 'md5', | ||
107 | order => "10-01", | ||
108 | target => "$pg_path/pg_hba.conf", | ||
109 | postgresql_version => "10", | ||
110 | } | ||
111 | |||
112 | postgresql::server::pg_hba_rule { "$pg_backup_host - local access with same name": | ||
113 | description => 'Allow local access with same name', | ||
114 | type => 'local', | ||
115 | database => 'all', | ||
116 | user => 'all', | ||
117 | auth_method => 'ident', | ||
118 | order => "10-02", | ||
119 | target => "$pg_path/pg_hba.conf", | ||
120 | postgresql_version => "10", | ||
121 | } | ||
122 | |||
123 | concat { "$pg_path/recovery.conf": | ||
124 | owner => $pg_user, | ||
125 | group => $pg_group, | ||
126 | mode => '0640', | ||
127 | warn => true, | ||
128 | } | ||
129 | postgresql::server::recovery { "$pg_backup_host recovery": | ||
130 | primary_conninfo => "host=$pg_host port=$pg_port user=$ldap_cn password=$ldap_password sslmode=require", | ||
131 | primary_slot_name => regsubst($ldap_cn, '-', "_", "G"), | ||
132 | standby_mode => "on", | ||
133 | target => "$pg_path/recovery.conf", | ||
134 | } | ||
135 | |||
136 | file { "$pg_path/postgresql.conf": | ||
137 | owner => $pg_user, | ||
138 | group => $pg_group, | ||
139 | mode => '0640', | ||
140 | content => template("role/cryptoportfolio/postgresql_backup.conf.erb"), | ||
141 | } | ||
142 | |||
143 | service { "postgresql_backup@$pg_backup_host": | ||
144 | enable => true, | ||
145 | ensure => "running", | ||
146 | require => [ | ||
147 | File["/etc/systemd/system/postgresql_backup@.service"], | ||
148 | Concat["$pg_path/pg_hba.conf"], | ||
149 | Concat["$pg_path/recovery.conf"], | ||
150 | File["$pg_path/postgresql.conf"], | ||
151 | ] | ||
152 | } | ||
153 | } | ||
154 | |||
155 | file { "/etc/systemd/system/postgresql_backup@.service": | ||
156 | mode => "0644", | ||
157 | owner => "root", | ||
158 | group => "root", | ||
159 | content => template("role/cryptoportfolio/postgresql_backup@.service.erb"), | ||
160 | } | ||
161 | } | ||
diff --git a/modules/role/templates/cryptoportfolio/pam_ldap_postgresql.conf.erb b/modules/role/templates/cryptoportfolio/pam_ldap_postgresql.conf.erb new file mode 100644 index 0000000..f3d9674 --- /dev/null +++ b/modules/role/templates/cryptoportfolio/pam_ldap_postgresql.conf.erb | |||
@@ -0,0 +1,6 @@ | |||
1 | host <%= @ldap_server %> | ||
2 | |||
3 | base <%= @ldap_base %> | ||
4 | binddn <%= @ldap_dn %> | ||
5 | bindpw <%= @ldap_password %> | ||
6 | pam_login_attribute <%= @ldap_attribute %> | ||
diff --git a/modules/role/templates/cryptoportfolio/postgresql_backup.conf.erb b/modules/role/templates/cryptoportfolio/postgresql_backup.conf.erb new file mode 100644 index 0000000..860089b --- /dev/null +++ b/modules/role/templates/cryptoportfolio/postgresql_backup.conf.erb | |||
@@ -0,0 +1,5 @@ | |||
1 | listen_addresses= '' | ||
2 | unix_socket_directories = '<%= @pg_path %>' | ||
3 | data_directory = '<%= @pg_path %>' | ||
4 | wal_level = logical | ||
5 | |||
diff --git a/modules/role/templates/cryptoportfolio/postgresql_backup@.service.erb b/modules/role/templates/cryptoportfolio/postgresql_backup@.service.erb new file mode 100644 index 0000000..245a1cb --- /dev/null +++ b/modules/role/templates/cryptoportfolio/postgresql_backup@.service.erb | |||
@@ -0,0 +1,34 @@ | |||
1 | [Unit] | ||
2 | Description=PostgreSQL database server | ||
3 | After=network.target | ||
4 | |||
5 | [Service] | ||
6 | Type=forking | ||
7 | TimeoutSec=120 | ||
8 | User=postgres | ||
9 | Group=postgres | ||
10 | |||
11 | Environment=PGROOT=<%= @mountpoint %>/%i/postgresql | ||
12 | |||
13 | SyslogIdentifier=postgres | ||
14 | PIDFile=<%= @mountpoint %>/%i/postgresql/postmaster.pid | ||
15 | RuntimeDirectory=postgresql | ||
16 | RuntimeDirectoryMode=755 | ||
17 | |||
18 | ExecStartPre=/usr/bin/postgresql-check-db-dir ${PGROOT} | ||
19 | ExecStart= /usr/bin/pg_ctl -s -D ${PGROOT} start -w -t 120 | ||
20 | ExecReload=/usr/bin/pg_ctl -s -D ${PGROOT} reload | ||
21 | ExecStop= /usr/bin/pg_ctl -s -D ${PGROOT} stop -m fast | ||
22 | |||
23 | # Due to PostgreSQL's use of shared memory, OOM killer is often overzealous in | ||
24 | # killing Postgres, so adjust it downward | ||
25 | OOMScoreAdjust=-200 | ||
26 | |||
27 | # Additional security-related features | ||
28 | PrivateTmp=true | ||
29 | ProtectHome=true | ||
30 | ProtectSystem=full | ||
31 | NoNewPrivileges=true | ||
32 | |||
33 | [Install] | ||
34 | WantedBy=multi-user.target | ||