-rw-r--r--modules/profile/files/postgresql_master/pam_postgresql3
-rw-r--r--modules/profile/manifests/postgresql_master.pp116
-rw-r--r--modules/profile/templates/postgresql_master/pam_ldap_postgresql.conf.erb6
-rw-r--r--modules/role/manifests/etherpad.pp52
4 files changed, 131 insertions, 46 deletions
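--- /dev/null
+++ b/modules/profile/files/postgresql_master/pam_postgresql
@@ -0,0 +1,3 @@
+auth required pam_ldap.so config=/etc/pam_ldap.d/postgresql.conf
+account required pam_ldap.so config=/etc/pam_ldap.d/postgresql.conf
+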
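Review bot: The new PAM service file carries no comment saying what it is for or why only the `auth` and `account` stacks are present, and `/etc/pam.d/postgresql` is the default service name for every `auth_method => pam` rule on the host, not just the replication rule this commit adds. Add a header such as `# Managed by Puppet (profile::postgresql_master) — PAM service used by pg_hba auth_method=pam; password/session stacks are intentionally absent`, so the next person does not extend it for an unrelated purpose. Both modules are `required`, so an LDAP lookup failure denies access, which is the right default here.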
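--- /dev/null
+++ b/modules/profile/manifests/postgresql_master.pp
@@ -0,0 +1,116 @@
+define profile::postgresql_master (
+  $letsencrypt_host = undef,
+  $backup_hosts = [],
+) {
+  $password_seed = lookup("base_installation::puppet_pass_seed")
+
+  ensure_resource("file", "/var/lib/postgres/data/certs", {
+    ensure => directory,
+    mode => "0700",
+    owner => $::profile::postgresql::pg_user,
+    group => $::profile::postgresql::pg_user,
+    require => File["/var/lib/postgres"],
+  })
+
+  ensure_resource("file", "/var/lib/postgres/data/certs/cert.pem", {
+    source => "file:///etc/letsencrypt/live/$letsencrypt_host/cert.pem",
+    mode => "0600",
+    links => "follow",
+    owner => $::profile::postgresql::pg_user,
+    group => $::profile::postgresql::pg_user,
+    require => [Letsencrypt::Certonly[$letsencrypt_host], File["/var/lib/postgres/data/certs"]]
+  })
+
+  ensure_resource("file", "/var/lib/postgres/data/certs/privkey.pem", {
+    source => "file:///etc/letsencrypt/live/$letsencrypt_host/privkey.pem",
+    mode => "0600",
+    links => "follow",
+    owner => $::profile::postgresql::pg_user,
+    group => $::profile::postgresql::pg_user,
+    require => [Letsencrypt::Certonly[$letsencrypt_host], File["/var/lib/postgres/data/certs"]]
+  })
+
+  ensure_resource("postgresql::server::config_entry", "wal_level", {
+    value => "logical",
+  })
+
+  ensure_resource("postgresql::server::config_entry", "ssl", {
+    value => "on",
+    require => Letsencrypt::Certonly[$letsencrypt_host],
+  })
+
+  ensure_resource("postgresql::server::config_entry", "ssl_cert_file", {
+    value => "/var/lib/postgres/data/certs/cert.pem",
+    require => Letsencrypt::Certonly[$letsencrypt_host],
+  })
+
+  ensure_resource("postgresql::server::config_entry", "ssl_key_file", {
+    value => "/var/lib/postgres/data/certs/privkey.pem",
+    require => Letsencrypt::Certonly[$letsencrypt_host],
+  })
+
+  $backup_hosts.each |$backup_host| {
+    ensure_packages(["pam_ldap"])
+
+    $facts["ldapvar"]["other"].each |$host| {
+      if ($host["cn"][0] == $backup_host) {
+        $host["ipHostNumber"].each |$ip| {
+          $infos = split($ip, "/")
+          $ipaddress = $infos[0]
+          if (length($infos) == 1 and $ipaddress =~ /:/) {
+            $mask = "128"
+          } elsif (length($infos) == 1) {
+            $mask = "32"
+          } else {
+            $mask = $infos[1]
+          }
+
+          postgresql::server::pg_hba_rule { "allow TCP access to replication user from backup for replication from $ipaddress/$mask":
+            type => 'hostssl',
+            database => 'replication',
+            user => $backup_host,
+            address => "$ipaddress/$mask",
+            auth_method => 'pam',
+            order => "06-01",
+          }
+        }
+
+        postgresql::server::role { $backup_host:
+          replication => true,
+        }
+
+        postgresql_replication_slot { regsubst($backup_host, '-', "_", "G"):
+          ensure => present
+        }
+      }
+    }
+
+    $ldap_server = lookup("base_installation::ldap_server")
+    $ldap_base = lookup("base_installation::ldap_base")
+    $ldap_dn = lookup("base_installation::ldap_dn")
+    $ldap_password = generate_password(24, $password_seed, "ldap")
+    $ldap_attribute = "cn"
+
+    file { "/etc/pam_ldap.d":
+      ensure => directory,
+      mode => "0755",
+      owner => "root",
+      group => "root",
+    } ->
+    file { "/etc/pam_ldap.d/postgresql.conf":
+      ensure => "present",
+      mode => "0600",
+      owner => $::profile::postgresql::pg_user,
+      group => "root",
+      content => template("profile/postgresql_master/pam_ldap_postgresql.conf.erb"),
+    } ->
+    file { "/etc/pam.d/postgresql":
+      ensure => "present",
+      mode => "0644",
+      owner => "root",
+      group => "root",
+      source => "puppet:///modules/profile/postgresql_master/pam_postgresql"
+    }
+  }
+
+}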
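Review bot: The pam_ldap lookups and the three plain `file` resources at lines 88–113 are inside the `$backup_hosts.each` loop, so a second entry in `backup_hosts` (or a second role on the same host instantiating this define) re-declares `File["/etc/pam_ldap.d"]`, `File["/etc/pam_ldap.d/postgresql.conf"]` and `File["/etc/pam.d/postgresql"]` and the catalog fails with a duplicate declaration. Either wrap them in `ensure_resource("file", ..., {...})` as the certificate resources above already do, or move the block after the loop's closing brace at line 114 under `if !empty($backup_hosts) { ... }`. Separately, the `cert.pem`/`privkey.pem` copies notify nothing, so after a Let's Encrypt renewal the new files land on the next run but PostgreSQL keeps serving the old certificate until something else reloads it — add `notify` to the server's reload/service hook (whatever the postgresql module exposes) on both copies. Serving `cert.pem` rather than `fullchain.pem` also means a replication client using `sslmode=verify-full` must already trust the intermediate; `fullchain.pem` in `ssl_cert_file` avoids that dependency.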
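--- /dev/null
+++ b/modules/profile/templates/postgresql_master/pam_ldap_postgresql.conf.erb
@@ -0,0 +1,6 @@
+host <%= @ldap_server %>
+
+base <%= @ldap_base %>
+binddn <%= @ldap_dn %>
+bindpw <%= @ldap_password %>
+pam_login_attribute <%= @ldap_attribute %>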
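Review bot: The rendered pam_ldap config has no transport-security directive — no `ssl start_tls`, no `ssl on`, and `host` rather than an `ldaps://` `uri` — so the `binddn`/`bindpw` simple bind and every replication-user password check go to `@ldap_server` in cleartext unless that server is on the same machine, which nothing here establishes. Add `ssl start_tls` together with `tls_cacertfile <path>` (or replace the `host` line with `uri ldaps://<%= @ldap_server %>`) so the bind credentials are protected in transit. There is also no `pam_filter`/`pam_groupdn`, so any LDAP entry whose `cn` matches a PostgreSQL role name and has a valid password passes this service; that is tolerable only because the pg_hba rule pins user and source address, and a one-line comment at the top of the template saying so would keep a future rule from silently widening it.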
diff --git a/modules/role/manifests/etherpad.pp b/modules/role/manifests/etherpad.pp
index 476a210..a43f146 100644
--- a/modules/role/manifests/etherpad.pp
+++ b/modules/role/manifests/etherpad.pp
@@ -66,54 +66,14 @@ class role::etherpad (
66 subscribe => Aur::Package["etherpad-lite"], 66 subscribe => Aur::Package["etherpad-lite"],
67 } 67 }
68 68
69 $web_host = "outils-1.v.immae.eu" 69 $web_host = "outils-1.v.immae.eu"
70 $pg_db = "etherpad-lite" 70 $pg_db = "etherpad-lite"
71 $pg_user = "etherpad-lite" 71 $pg_user = "etherpad-lite"
72 $pg_password = generate_password(24, $password_seed, "postgres_etherpad") 72 $pg_password = generate_password(24, $password_seed, "postgres_etherpad")
73 73
74 file { "/var/lib/postgres/data/certs": 74 profile::postgresql_master { "postgresql master for etherpad":
75 ensure => directory, 75 letsencrypt_host => $web_host,
76 mode => "0700", 76 backup_hosts => ["backup-1"],
77 owner => $::profile::postgresql::pg_user,
78 group => $::profile::postgresql::pg_user,
79 require => File["/var/lib/postgres"],
80 }
81
82 file { "/var/lib/postgres/data/certs/cert.pem":
83 source => "file:///etc/letsencrypt/live/$web_host/cert.pem",
84 mode => "0600",
85 links => "follow",
86 owner => $::profile::postgresql::pg_user,
87 group => $::profile::postgresql::pg_user,
88 require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
89 }
90
91 file { "/var/lib/postgres/data/certs/privkey.pem":
92 source => "file:///etc/letsencrypt/live/$web_host/privkey.pem",
93 mode => "0600",
94 links => "follow",
95 owner => $::profile::postgresql::pg_user,
96 group => $::profile::postgresql::pg_user,
97 require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
98 }
99
100 postgresql::server::config_entry { "wal_level":
101 value => "logical",
102 }
103
104 postgresql::server::config_entry { "ssl":
105 value => "on",
106 require => Letsencrypt::Certonly[$web_host],
107 }
108
109 postgresql::server::config_entry { "ssl_cert_file":
110 value => "/var/lib/postgres/data/certs/cert.pem",
111 require => Letsencrypt::Certonly[$web_host],
112 }
113
114 postgresql::server::config_entry { "ssl_key_file":
115 value => "/var/lib/postgres/data/certs/privkey.pem",
116 require => Letsencrypt::Certonly[$web_host],
117 } 77 }
118 78
119 postgresql::server::db { $pg_db: 79 postgresql::server::db { $pg_db:
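Review bot: `backup_hosts => ["backup-1"]` hard-codes the replication peer into the role, whereas the define it feeds already resolves the peer's addresses from LDAP facts and every other site-specific value in this file goes through `lookup()`; a `backup_hosts => lookup("role::etherpad::backup_hosts", { default_value => ["backup-1"] })` keeps the pairing in hiera with the rest of the host data. A mistyped name here does not fail the run — from the define's body it appears to simply match no `cn` and emit no pg_hba rule or role — so a short comment next to the value noting that it must equal the backup host's LDAP `cn` is worth adding. The `role::etherpad` class continues outside the hunk.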