Diffstat (limited to 'modules/role')
-rw-r--r-- | modules/role/files/backup/pam_pgbouncer | 3 | ||||
-rw-r--r-- | modules/role/manifests/backup/postgresql.pp | 111 | ||||
-rw-r--r-- | modules/role/manifests/cryptoportfolio/postgresql.pp | 4 | ||||
-rw-r--r-- | modules/role/templates/backup/pam_ldap_pgbouncer.conf.erb | 7 | ||||
-rw-r--r-- | modules/role/templates/backup/pgbouncer.ini.erb | 15 |
5 files changed, 128 insertions, 12 deletions
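--- /dev/null
+++ b/modules/role/files/backup/pam_pgbouncer
@@ -0,0 +1,3 @@
+auth required pam_ldap.so config=/etc/pam_ldap.d/pgbouncer.conf
+account required pam_ldap.so config=/etc/pam_ldap.d/pgbouncer.conf
+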
diff --git a/modules/role/manifests/backup/postgresql.pp b/modules/role/manifests/backup/postgresql.pp index 59e4669..51ce37e 100644 --- a/modules/role/manifests/backup/postgresql.pp +++ b/modules/role/manifests/backup/postgresql.pp | |||
@@ -10,16 +10,113 @@ class role::backup::postgresql inherits role::backup { | |||
10 | 10 | ||
11 | $ldap_cn = lookup("base_installation::ldap_cn") | 11 | $ldap_cn = lookup("base_installation::ldap_cn") |
12 | $ldap_password = generate_password(24, $password_seed, "ldap") | 12 | $ldap_password = generate_password(24, $password_seed, "ldap") |
13 | $ldap_server = lookup("base_installation::ldap_server") | ||
14 | $ldap_base = lookup("base_installation::ldap_base") | ||
15 | $ldap_dn = lookup("base_installation::ldap_dn") | ||
16 | $ldap_attribute = "uid" | ||
17 | |||
13 | $pg_slot = regsubst($ldap_cn, '-', "_", "G") | 18 | $pg_slot = regsubst($ldap_cn, '-', "_", "G") |
14 | 19 | ||
15 | ensure_packages(["postgresql"]) | 20 | ensure_packages(["postgresql", "pgbouncer", "pam_ldap"]) |
21 | |||
22 | $pg_backup_hosts = lookup("role::backup::postgresql::backup_hosts", { "default_value" => {} }) | ||
23 | $ldap_filter = lookup("role::backup::postgresql::pgbouncer_access_filter", { "default_value" => undef }) | ||
24 | |||
25 | unless empty($pg_backup_hosts) { | ||
26 | file { "/etc/systemd/system/postgresql_backup@.service": | ||
27 | mode => "0644", | ||
28 | owner => "root", | ||
29 | group => "root", | ||
30 | content => template("role/backup/postgresql_backup@.service.erb"), | ||
31 | } | ||
16 | 32 | ||
17 | $pg_backup_hosts = lookup("role::backup::postgresql::backup_hosts", { "default_value" => [] }) | 33 | unless empty($ldap_filter) { |
34 | concat { "/etc/pgbouncer/pgbouncer.ini": | ||
35 | mode => "0644", | ||
36 | owner => "root", | ||
37 | group => "root", | ||
38 | ensure_newline => true, | ||
39 | notify => Service["pgbouncer"], | ||
40 | } | ||
41 | |||
42 | concat::fragment { "pgbouncer_head": | ||
43 | target => "/etc/pgbouncer/pgbouncer.ini", | ||
44 | order => "01", | ||
45 | content => template("role/backup/pgbouncer.ini.erb"), | ||
46 | } | ||
47 | |||
48 | file { "/etc/systemd/system/pgbouncer.service.d": | ||
49 | ensure => "directory", | ||
50 | mode => "0644", | ||
51 | owner => "root", | ||
52 | group => "root", | ||
53 | } | ||
54 | |||
55 | file { "/etc/systemd/system/pgbouncer.service.d/override.conf": | ||
56 | ensure => "present", | ||
57 | mode => "0644", | ||
58 | owner => "root", | ||
59 | group => "root", | ||
60 | content => "[Service]\nUser=\nUser=$pg_user\n", | ||
61 | notify => Service["pgbouncer"], | ||
62 | } | ||
63 | |||
64 | service { "pgbouncer": | ||
65 | ensure => "running", | ||
66 | enable => true, | ||
67 | require => [ | ||
68 | Package["pgbouncer"], | ||
69 | File["/etc/systemd/system/pgbouncer.service.d/override.conf"], | ||
70 | Concat["/etc/pgbouncer/pgbouncer.ini"] | ||
71 | ], | ||
72 | } | ||
73 | |||
74 | file { "/etc/pam_ldap.d": | ||
75 | ensure => directory, | ||
76 | mode => "0755", | ||
77 | owner => "root", | ||
78 | group => "root", | ||
79 | } -> | ||
80 | file { "/etc/pam_ldap.d/pgbouncer.conf": | ||
81 | ensure => "present", | ||
82 | mode => "0600", | ||
83 | owner => $pg_user, | ||
84 | group => "root", | ||
85 | content => template("role/backup/pam_ldap_pgbouncer.conf.erb"), | ||
86 | } -> | ||
87 | file { "/etc/pam.d/pgbouncer": | ||
88 | ensure => "present", | ||
89 | mode => "0644", | ||
90 | owner => "root", | ||
91 | group => "root", | ||
92 | source => "puppet:///modules/role/backup/pam_pgbouncer" | ||
93 | } | ||
94 | } | ||
95 | } | ||
18 | 96 | ||
19 | $pg_backup_hosts.each |$pg_backup_host| { | 97 | $pg_backup_hosts.each |$pg_backup_host, $pg_infos| { |
20 | $pg_path = "$mountpoint/$pg_backup_host/postgresql" | 98 | $pg_path = "$mountpoint/$pg_backup_host/postgresql" |
21 | $pg_host = "$pg_backup_host" | 99 | $pg_host = "$pg_backup_host" |
22 | $pg_port = "5432" | 100 | $pg_port = $pg_infos["dbport"] |
101 | |||
102 | if !empty($ldap_filter) and ($pg_infos["pgbouncer"]) { | ||
103 | concat::fragment { "pgbouncer_$pg_backup_host": | ||
104 | target => "/etc/pgbouncer/pgbouncer.ini", | ||
105 | order => 02, | ||
106 | content => "${pg_infos[pgbouncer_dbname]} = host=$mountpoint/$pg_backup_host/postgresql user=${pg_infos[dbuser]} dbname=${pg_infos[dbname]}", | ||
107 | } | ||
108 | |||
109 | postgresql::server::pg_hba_rule { "$pg_backup_host - local access as ${pg_infos[dbuser]} user": | ||
110 | description => "Allow local access to ${pg_infos[dbuser]} user", | ||
111 | type => 'local', | ||
112 | database => $pg_infos["dbname"], | ||
113 | user => $pg_infos["dbuser"], | ||
114 | auth_method => 'trust', | ||
115 | order => "01-00", | ||
116 | target => "$pg_path/pg_hba.conf", | ||
117 | postgresql_version => "10", | ||
118 | } | ||
119 | } | ||
23 | 120 | ||
24 | file { "$mountpoint/$pg_backup_host": | 121 | file { "$mountpoint/$pg_backup_host": |
25 | ensure => directory, | 122 | ensure => directory, |
@@ -154,10 +251,4 @@ class role::backup::postgresql inherits role::backup { | |||
154 | } | 251 | } |
155 | } | 252 | } |
156 | 253 | ||
157 | file { "/etc/systemd/system/postgresql_backup@.service": | ||
158 | mode => "0644", | ||
159 | owner => "root", | ||
160 | group => "root", | ||
161 | content => template("role/backup/postgresql_backup@.service.erb"), | ||
162 | } | ||
163 | } | 254 | } |
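Review bot: The pg_hba rule added per pgbouncer-fronted cluster (`type => 'local'`, `auth_method => 'trust'` for `${pg_infos[dbuser]}` on `${pg_infos[dbname]}`) undoes the LDAP/PAM check pgbouncer performs: any local process that can reach the socket under `$mountpoint/$pg_backup_host/postgresql`, not only pgbouncer, gets a session as that role with no credential, and whether the socket directory's permissions confine this is not visible here. Since override.conf pins pgbouncer to `User=$pg_user`, `peer` with an ident map scoped to that OS user gives pgbouncer the same password-less path while excluding everyone else, e.g. `auth_method => 'peer', auth_option => "map=pgbouncer"` plus a `postgresql::server::pg_ident_rule` (same `target`) mapping `$pg_user` to `${pg_infos[dbuser]}`, if the postgresql module version in use supports `auth_option`. Separately, `$pg_port = $pg_infos["dbport"]` drops the former hard-coded "5432", so a backup_hosts entry without `dbport` now yields undef; `pick($pg_infos["dbport"], "5432")` keeps the old default. The class body continues past the hunk.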
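--- a/modules/role/manifests/cryptoportfolio/postgresql.pp
+++ b/modules/role/manifests/cryptoportfolio/postgresql.pp
@@ -178,8 +178,8 @@ class role::cryptoportfolio::postgresql inherits role::cryptoportfolio {
 } ->
 file { "/etc/pam_ldap.d/postgresql.conf":
 ensure => "present",
-mode => "0644",
-owner => "root",
+mode => "0600",
+owner => $::profile::postgresql::pg_user,
 group => "root",
 content => template("role/cryptoportfolio/pam_ldap_postgresql.conf.erb"),
 } ->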
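Review bot: Making `$::profile::postgresql::pg_user` the owner of `/etc/pam_ldap.d/postgresql.conf` with mode 0600 lets the postgres service account rewrite the file, and that file carries both the LDAP `bindpw` and the `pam_filter` that decides who may log in, so a compromised server process could widen its own access policy. pam_ldap runs inside the server process and only needs read access; `owner => "root", group => <postgres group>, mode => "0640"` keeps the tightening while leaving the policy writable by root alone — the group for the postgres account is not visible here, so check what the profile exposes. The same owner/mode pattern is introduced for `/etc/pam_ldap.d/pgbouncer.conf` in the backup role. The surrounding resource chain starts and ends outside this hunk.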
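--- /dev/null
+++ b/modules/role/templates/backup/pam_ldap_pgbouncer.conf.erb
@@ -0,0 +1,7 @@
+host <%= @ldap_server %>
+
+base <%= @ldap_base %>
+binddn <%= @ldap_dn %>
+bindpw <%= @ldap_password %>
+pam_login_attribute <%= @ldap_attribute %>
+pam_filter <%= @ldap_filter %>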
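Review bot: The generated pam_ldap config holds `bindpw` and will relay every pgbouncer client's LDAP password, yet it contains no transport-protection directive: with only `host <%= @ldap_server %>` pam_ldap speaks plain LDAP unless the server is on loopback or an otherwise protected link, which this template cannot know. Add `ssl start_tls` (or a `uri ldaps://…` line in place of `host`) together with `tls_checkpeer yes` and a `tls_cacertfile` for the CA that issued the directory's certificate, sourced from base_installation like the other values. A leading comment noting that `pam_filter` is the effective access list for pgbouncer and comes from hiera (`role::backup::postgresql::pgbouncer_access_filter`) would help whoever audits this later.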
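--- /dev/null
+++ b/modules/role/templates/backup/pgbouncer.ini.erb
@@ -0,0 +1,15 @@
+[pgbouncer]
+
+listen_addr = 0.0.0.0
+listen_port = 5432
+
+unix_socket_dir = /run/postgresql
+unix_socket_mode = 0777
+
+auth_type = pam
+
+admin_users = postgres
+max_client_conn = 100
+default_pool_size = 20
+
+[databases]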
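Review bot: `listen_addr = 0.0.0.0` together with `auth_type = pam` and no `client_tls_sslmode` means the LDAP password of every backup-database login crosses the network in clear text, since pgbouncer's client TLS default is `disable`. Either set `client_tls_sslmode = require` with `client_tls_key_file` and `client_tls_cert_file` (and `client_tls_ca_file` if client certificates are wanted), or narrow `listen_addr` to the interface the backup consumers actually use. With PAM as the only auth method, `admin_users = postgres` is only usable if an LDAP account `postgres` matches the configured `pam_filter`, which looks unintended; per pgbouncer's documentation the console stays reachable without a password only for the `pgbouncer` user name over the Unix socket from the same UID pgbouncer runs as, so either document that or drop the line. `unix_socket_mode = 0777` is acceptable only because socket clients still go through PAM — a comment saying so would stop a future reader from "fixing" it the wrong way.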