diff options
Diffstat (limited to 'modules/role/manifests/cryptoportfolio/postgresql.pp')
-rw-r--r-- | modules/role/manifests/cryptoportfolio/postgresql.pp | 116 |
1 files changed, 116 insertions, 0 deletions
diff --git a/modules/role/manifests/cryptoportfolio/postgresql.pp b/modules/role/manifests/cryptoportfolio/postgresql.pp new file mode 100644 index 0000000..cc4d2a9 --- /dev/null +++ b/modules/role/manifests/cryptoportfolio/postgresql.pp | |||
@@ -0,0 +1,116 @@ | |||
1 | class role::cryptoportfolio::postgresql inherits role::cryptoportfolio { | ||
2 | $password_seed = lookup("base_installation::puppet_pass_seed") | ||
3 | |||
4 | $pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio") | ||
5 | $pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication") | ||
6 | |||
7 | file { "/var/lib/postgres/data/certs": | ||
8 | ensure => directory, | ||
9 | mode => "0700", | ||
10 | owner => $::profile::postgresql::pg_user, | ||
11 | group => $::profile::postgresql::pg_user, | ||
12 | require => File["/var/lib/postgres"], | ||
13 | } | ||
14 | |||
15 | file { "/var/lib/postgres/data/certs/cert.pem": | ||
16 | source => "file:///etc/letsencrypt/live/$web_host/cert.pem", | ||
17 | mode => "0600", | ||
18 | links => "follow", | ||
19 | owner => $::profile::postgresql::pg_user, | ||
20 | group => $::profile::postgresql::pg_user, | ||
21 | require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]] | ||
22 | } | ||
23 | |||
24 | file { "/var/lib/postgres/data/certs/privkey.pem": | ||
25 | source => "file:///etc/letsencrypt/live/$web_host/privkey.pem", | ||
26 | mode => "0600", | ||
27 | links => "follow", | ||
28 | owner => $::profile::postgresql::pg_user, | ||
29 | group => $::profile::postgresql::pg_user, | ||
30 | require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]] | ||
31 | } | ||
32 | |||
33 | postgresql::server::config_entry { "wal_level": | ||
34 | value => "logical", | ||
35 | } | ||
36 | |||
37 | postgresql::server::config_entry { "ssl": | ||
38 | value => "on", | ||
39 | require => Letsencrypt::Certonly[$web_host], | ||
40 | } | ||
41 | |||
42 | postgresql::server::config_entry { "ssl_cert_file": | ||
43 | value => "/var/lib/postgres/data/certs/cert.pem", | ||
44 | require => Letsencrypt::Certonly[$web_host], | ||
45 | } | ||
46 | |||
47 | postgresql::server::config_entry { "ssl_key_file": | ||
48 | value => "/var/lib/postgres/data/certs/privkey.pem", | ||
49 | require => Letsencrypt::Certonly[$web_host], | ||
50 | } | ||
51 | |||
52 | postgresql::server::db { $pg_db: | ||
53 | user => $pg_user, | ||
54 | password => postgresql_password($pg_user, $pg_password), | ||
55 | } | ||
56 | -> | ||
57 | postgresql_psql { "CREATE PUBLICATION ${pg_db}_publication FOR ALL TABLES": | ||
58 | db => $pg_db, | ||
59 | unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${pg_db}_publication'", | ||
60 | } | ||
61 | -> | ||
62 | postgresql::server::role { $pg_user_replication: | ||
63 | db => $pg_db, | ||
64 | replication => true, | ||
65 | password_hash => postgresql_password($pg_user_replication, $pg_replication_password), | ||
66 | } | ||
67 | -> | ||
68 | postgresql::server::database_grant { $pg_user_replication: | ||
69 | db => $pg_db, | ||
70 | privilege => "CONNECT", | ||
71 | role => $pg_user_replication, | ||
72 | } | ||
73 | -> | ||
74 | postgresql::server::grant { "all tables in schema:public:$pg_user_replication": | ||
75 | db => $pg_db, | ||
76 | role => $pg_user_replication, | ||
77 | privilege => "SELECT", | ||
78 | object_type => "ALL TABLES IN SCHEMA", | ||
79 | object_name => "public", | ||
80 | } | ||
81 | -> | ||
82 | postgresql::server::grant { "all sequences in schema:public:$pg_user_replication": | ||
83 | db => $pg_db, | ||
84 | role => $pg_user_replication, | ||
85 | privilege => "SELECT", | ||
86 | object_type => "ALL SEQUENCES IN SCHEMA", | ||
87 | object_name => "public", | ||
88 | } | ||
89 | |||
90 | postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user': | ||
91 | type => 'host', | ||
92 | database => $pg_db, | ||
93 | user => $pg_user, | ||
94 | address => '127.0.0.1/32', | ||
95 | auth_method => 'md5', | ||
96 | order => "05-01", | ||
97 | } | ||
98 | postgresql::server::pg_hba_rule { 'allow localhost ip6 TCP access to cryptoportfolio user': | ||
99 | type => 'host', | ||
100 | database => $pg_db, | ||
101 | user => $pg_user, | ||
102 | address => '::1/128', | ||
103 | auth_method => 'md5', | ||
104 | order => "05-01", | ||
105 | } | ||
106 | |||
107 | postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu': | ||
108 | type => 'hostssl', | ||
109 | database => $pg_db, | ||
110 | user => $pg_user_replication, | ||
111 | address => 'immae.eu', | ||
112 | auth_method => 'md5', | ||
113 | order => "05-01", | ||
114 | } | ||
115 | |||
116 | } | ||