6 files changed, 8 insertions, 433 deletions
diff --git a/modules/role/files/backup/pam_pgbouncer b/modules/role/files/backup/pam_pgbouncer
deleted file mode 100644
index 13f0d3d..0000000
--- a/modules/role/files/backup/pam_pgbouncer
+++ /dev/null
@@ -1,3 +0,0 @@
-auth            required        pam_ldap.so config=/etc/pam_ldap.d/pgbouncer.conf
-account         required        pam_ldap.so config=/etc/pam_ldap.d/pgbouncer.conf
diff --git a/modules/role/manifests/backup.pp b/modules/role/manifests/backup.pp
index 51b689d..b35c542 100644
--- a/modules/role/manifests/backup.pp
+++ b/modules/role/manifests/backup.pp
@@ -17,14 +17,6 @@ class role::backup (
  include "role::backup::postgresql"
-  ensure_packages(["python", "python-pip"])
-  package { "pylog2rotate":
-    source   => "git+https://github.com/avian2/pylog2rotate",
-    ensure   => present,
-    provider => "pip3",
-    require  => Package["python-pip"],
-  }
  ensure_packages(["rsync"])
  ssh_keygen { $user:
diff --git a/modules/role/manifests/backup/postgresql.pp b/modules/role/manifests/backup/postgresql.pp
index 8c7542b..8a65dec 100644
--- a/modules/role/manifests/backup/postgresql.pp
+++ b/modules/role/manifests/backup/postgresql.pp
@@ -1,379 +1,21 @@
 class role::backup::postgresql inherits role::backup {
-  $password_seed = lookup("base_installation::puppet_pass_seed")
+  ensure_packages(["postgresql"])
-  $user = lookup("role::backup::user")
-  $group = lookup("role::backup::group")
-  $pg_user = "postgres"
-  $pg_group = "postgres"
-  $ldap_cn = lookup("base_installation::ldap_cn")
-  $ldap_password = generate_password(24, $password_seed, "ldap")
-  $ldap_server = lookup("base_installation::ldap_server")
-  $ldap_base   = lookup("base_installation::ldap_base")
-  $ldap_dn     = lookup("base_installation::ldap_dn")
-  $pgbouncer_ldap_attribute = "uid"
-  $pg_slot = regsubst($ldap_cn, '-', "_", "G")
-  ensure_packages(["postgresql", "pgbouncer", "pam_ldap"])
  $pg_backup_hosts = lookup("role::backup::postgresql::backup_hosts", { "default_value" => {} })
-  $ldap_filter = lookup("role::backup::postgresql::pgbouncer_access_filter", { "default_value" => undef })
-  unless empty($pg_backup_hosts) {
-    file { "/etc/systemd/system/postgresql_backup@.service":
-      mode    => "0644",
-      owner   => "root",
-      group   => "root",
-      content => template("role/backup/postgresql_backup@.service.erb"),
-    }
-    unless empty($ldap_filter) {
-      concat { "/etc/pgbouncer/pgbouncer.ini":
-        mode           => "0644",
-        owner          => "root",
-        group          => "root",
-        ensure_newline => true,
-        notify         => Service["pgbouncer"],
-      }
-      concat::fragment { "pgbouncer_head":
-        target  => "/etc/pgbouncer/pgbouncer.ini",
-        order   => "01",
-        content => template("role/backup/pgbouncer.ini.erb"),
-      }
-      file { "/etc/systemd/system/pgbouncer.service.d":
-        ensure => "directory",
-        mode   => "0644",
-        owner  => "root",
-        group  => "root",
-      }
-      file { "/etc/systemd/system/pgbouncer.service.d/override.conf":
-        ensure  => "present",
-        mode    => "0644",
-        owner   => "root",
-        group   => "root",
-        content => "[Service]\nUser=\nUser=$pg_user\n",
-        notify  => Service["pgbouncer"],
-      }
-      service { "pgbouncer":
-        ensure  => "running",
-        enable  => true,
-        require => [
-          Package["pgbouncer"],
-          File["/etc/systemd/system/pgbouncer.service.d/override.conf"],
-          Concat["/etc/pgbouncer/pgbouncer.ini"]
-        ],
-      }
-      file { "/etc/pam_ldap.d/pgbouncer.conf":
-        ensure  => "present",
-        mode    => "0600",
-        owner   => $pg_user,
-        group   => "root",
-        content => template("role/backup/pam_ldap_pgbouncer.conf.erb"),
-        require => File["/etc/pam_ldap.d"],
-      } ->
-      file { "/etc/pam.d/pgbouncer":
-        ensure => "present",
-        mode   => "0644",
-        owner  => "root",
-        group  => "root",
-        source => "puppet:///modules/role/backup/pam_pgbouncer"
-      }
-    }
-  }
-  $ldap_attribute = "cn"
-  file { "/etc/pam_ldap.d":
-    ensure => directory,
-    mode   => "0755",
-    owner  => "root",
-    group  => "root",
-  } ->
-  file { "/etc/pam_ldap.d/postgresql.conf":
-    ensure  => "present",
-    mode    => "0600",
-    owner   => $pg_user,
-    group   => "root",
-    content => template("profile/postgresql_master/pam_ldap_postgresql.conf.erb"),
-  } ->
-  file { "/etc/pam.d/postgresql":
-    ensure => "present",
-    mode   => "0644",
-    owner  => "root",
-    group  => "root",
-    source => "puppet:///modules/profile/postgresql_master/pam_postgresql"
-  }
  $pg_backup_hosts.each |$backup_host_cn, $pg_infos| {
-    $host = find_host($facts["ldapvar"]["other"], $backup_host_cn)
+    profile::postgresql::backup_replication { $backup_host_cn:
-    if empty($host) {
+      base_path => $mountpoint,
-      $pg_backup_host = $backup_host_cn
+      pg_infos  => $pg_infos,
-    } elsif has_key($host["vars"], "host") {
-      $pg_backup_host = $host["vars"]["host"][0]
-    } else {
-      $pg_backup_host = $host["vars"]["real_hostname"][0]
-    }
-    $pg_path = "$mountpoint/$pg_backup_host/postgresql"
-    $pg_backup_path = "$mountpoint/$pg_backup_host/postgresql_backup"
-    $pg_host = "$pg_backup_host"
-    $pg_port = $pg_infos["dbport"]
-    if has_key($host["vars"], "postgresql_backup_port") {
-      $pg_listen_port = $host["vars"]["postgresql_backup_port"][0]
-      file { "$pg_path/certs":
-        ensure => directory,
-        mode   => "0700",
-        owner  => $pg_user,
-        group  => $pg_group,
-      } ->
-      ssl::self_signed_certificate { $backup_host_cn:
-        common_name  => $backup_host_cn,
-        country      => "FR",
-        days         => "3650",
-        organization => "Immae",
-        owner        => $pg_user,
-        group        => $pg_group,
-        directory    => "$pg_path/certs",
-        before       => File["$pg_path/postgresql.conf"],
-      }
-      $ssl_key  = "$pg_path/certs/$backup_host_cn.key"
-      $ssl_cert = "$pg_path/certs/$backup_host_cn.crt"
-    } else {
-      $pg_listen_port = undef
-      $ssl_key = undef
-      $ssl_cert = undef
    }
+    if $pg_infos["pgbouncer"] {
-    unless empty($host) {
+      profile::postgresql::backup_pgbouncer { $backup_host_cn:
-      $host["ipHostNumber"].each |$ip| {
+        base_path => $mountpoint,
-        $infos = split($ip, "/")
+        pg_infos  => $pg_infos,
-        $ipaddress = $infos[0]
-        if (length($infos) == 1 and $ipaddress =~ /:/) {
-          $mask = "128"
-        } elsif (length($infos) == 1) {
-          $mask = "32"
-        } else {
-          $mask = $infos[1]
-        }
-        postgresql::server::pg_hba_rule { "allow TCP access for initial replication from $ipaddress/$mask":
-          type        => 'hostssl',
-          database    => 'replication',
-          user        => $backup_host_cn,
-          address     => "$ipaddress/$mask",
-          auth_method => 'pam',
-          order       => "06-01",
-          target      => "$pg_path/pg_hba.conf",
-          postgresql_version => "10",
-        }
      }
    }
-    if !empty($ldap_filter) and ($pg_infos["pgbouncer"]) {
-      if empty($pg_listen_port) {
-        $pg_listen_port_key = ""
-      } else {
-        $pg_listen_port_key = "port=$pg_listen_port"
-      }
-      concat::fragment { "pgbouncer_$pg_backup_host":
-        target  => "/etc/pgbouncer/pgbouncer.ini",
-        order   => 02,
-        content => "${pg_infos[pgbouncer_dbname]} = host=$mountpoint/$pg_backup_host/postgresql $pg_listen_port_key user=${pg_infos[dbuser]} dbname=${pg_infos[dbname]}",
-      }
-      postgresql::server::pg_hba_rule { "$pg_backup_host - local access as ${pg_infos[dbuser]} user":
-        description => "Allow local access to ${pg_infos[dbuser]} user",
-        type        => 'local',
-        database    => $pg_infos["dbname"],
-        user        => $pg_infos["dbuser"],
-        auth_method => 'trust',
-        order       => "01-00",
-        target      => "$pg_path/pg_hba.conf",
-        postgresql_version => "10",
-      }
-    }
-    file { "$mountpoint/$pg_backup_host":
-      ensure => directory,
-      owner  => $user,
-      group  => $group,
-    }
-    file { $pg_path:
-      ensure  => directory,
-      owner   => $pg_user,
-      group   => $pg_group,
-      mode    => "0700",
-      require => File["$mountpoint/$pg_backup_host"],
-    }
-    file { $pg_backup_path:
-      ensure  => directory,
-      owner   => $pg_user,
-      group   => $pg_group,
-      mode    => "0700",
-      require => File["$mountpoint/$pg_backup_host"],
-    }
-    cron::job::multiple { "backup_psql_$pg_host":
-      ensure  => "present",
-      require => [File[$pg_backup_path], File[$pg_path]],
-      jobs    => [
-        {
-          command     => "/usr/bin/pg_dumpall -h $pg_path -f $pg_backup_path/\$(date -Iseconds).sql",
-          user        => $pg_user,
-          hour        => "22,4,10,16",
-          minute      => 0,
-          description => "Backup the database",
-        },
-        {
-          command     => "/usr/bin/rm -f $(ls -1 $pg_backup_path/*.sql | grep -v 'T22:' | sort -r | sed -e '1,12d')",
-          user        => $pg_user,
-          hour        => 3,
-          minute      => 0,
-          description => "Cleanup the database backups",
-        },
-        {
-          command     => "cd $pg_backup_path ; /usr/bin/rm -f $(ls -1 *T22*.sql | log2rotate --skip 7 --fuzz 7 --delete --format='%Y-%m-%dT%H:%M:%S+02:00.sql')",
-          user        => $pg_user,
-          hour        => 3,
-          minute      => 1,
-          description => "Cleanup the database backups exponentially",
-        },
-      ]
-    }
-    exec { "pg_basebackup $pg_path":
-      cwd         => $pg_path,
-      user        => $pg_user,
-      creates     => "$pg_path/PG_VERSION",
-      environment => ["PGPASSWORD=$ldap_password"],
-      command     => "/usr/bin/pg_basebackup -w -h $pg_host -U $ldap_cn -D $pg_path -S $pg_slot",
-      before      => [
-        Concat["$pg_path/pg_hba.conf"],
-        Concat["$pg_path/recovery.conf"],
-        File["$pg_path/postgresql.conf"],
-      ]
-    }
-    concat { "$pg_path/pg_hba.conf":
-      owner   => $pg_user,
-      group   => $pg_group,
-      mode    => '0640',
-      warn    => true,
-    }
-    postgresql::server::pg_hba_rule { "$pg_backup_host - local access as postgres user":
-      description => 'Allow local access to postgres user',
-      type        => 'local',
-      database    => 'all',
-      user        => $pg_user,
-      auth_method => 'ident',
-      order       => "00-01",
-      target      => "$pg_path/pg_hba.conf",
-      postgresql_version => "10",
-    }
-    postgresql::server::pg_hba_rule { "$pg_backup_host - localhost access as postgres user":
-      description => 'Allow localhost access to postgres user',
-      type        => 'host',
-      database    => 'all',
-      user        => $pg_user,
-      address     => "127.0.0.1/32",
-      auth_method => 'md5',
-      order       => "00-02",
-      target      => "$pg_path/pg_hba.conf",
-      postgresql_version => "10",
-    }
-    postgresql::server::pg_hba_rule { "$pg_backup_host - localhost ip6 access as postgres user":
-      description => 'Allow localhost access to postgres user',
-      type        => 'host',
-      database    => 'all',
-      user        => $pg_user,
-      address     => "::1/128",
-      auth_method => 'md5',
-      order       => "00-03",
-      target      => "$pg_path/pg_hba.conf",
-      postgresql_version => "10",
-    }
-    postgresql::server::pg_hba_rule { "$pg_backup_host - deny access to postgresql user":
-      description => 'Deny remote access to postgres user',
-      type        => 'host',
-      database    => 'all',
-      user        => $pg_user,
-      address     => "0.0.0.0/0",
-      auth_method => 'reject',
-      order       => "00-04",
-      target      => "$pg_path/pg_hba.conf",
-      postgresql_version => "10",
-    }
-    postgresql::server::pg_hba_rule { "$pg_backup_host - local access":
-      description => 'Allow local access with password',
-      type        => 'local',
-      database    => 'all',
-      user        => 'all',
-      auth_method => 'md5',
-      order       => "10-01",
-      target      => "$pg_path/pg_hba.conf",
-      postgresql_version => "10",
-    }
-    postgresql::server::pg_hba_rule { "$pg_backup_host - local access with same name":
-      description => 'Allow local access with same name',
-      type        => 'local',
-      database    => 'all',
-      user        => 'all',
-      auth_method => 'ident',
-      order       => "10-02",
-      target      => "$pg_path/pg_hba.conf",
-      postgresql_version => "10",
-    }
-    $primary_conninfo  = "host=$pg_host port=$pg_port user=$ldap_cn password=$ldap_password sslmode=require"
-    $primary_slot_name = regsubst($ldap_cn, '-', "_", "G")
-    $standby_mode      = "on"
-    concat { "$pg_path/recovery.conf":
-      owner  => $pg_user,
-      group  => $pg_group,
-      mode   => '0640',
-      warn   => true,
-    }
-    concat::fragment { "$pg_path/recovery.conf":
-      target  => "$pg_path/recovery.conf",
-      content => template('postgresql/recovery.conf.erb'),
-    }
-    file { "$pg_path/postgresql.conf":
-      owner   => $pg_user,
-      group   => $pg_group,
-      mode    => '0640',
-      content => template("role/backup/postgresql.conf.erb"),
-    }
-    service { "postgresql_backup@$pg_backup_host":
-      enable  => true,
-      ensure  => "running",
-      require => [
-        File["/etc/systemd/system/postgresql_backup@.service"],
-        Concat["$pg_path/pg_hba.conf"],
-        Concat["$pg_path/recovery.conf"],
-        File["$pg_path/postgresql.conf"],
-      ],
-      subscribe => [
-        Concat["$pg_path/pg_hba.conf"],
-        Concat["$pg_path/recovery.conf"],
-        File["$pg_path/postgresql.conf"],
-      ]
-    }
  }
 }
diff --git a/modules/role/templates/backup/pam_ldap_pgbouncer.conf.erb b/modules/role/templates/backup/pam_ldap_pgbouncer.conf.erb
deleted file mode 100644
index 384a418..0000000
--- a/modules/role/templates/backup/pam_ldap_pgbouncer.conf.erb
+++ /dev/null
@@ -1,7 +0,0 @@
-host <%= @ldap_server %>
-base <%= @ldap_base %>
-binddn <%= @ldap_dn %>
-bindpw <%= @ldap_password %>
-pam_login_attribute <%= @pgbouncer_ldap_attribute %>
-pam_filter <%= @ldap_filter %>
diff --git a/modules/role/templates/backup/pgbouncer.ini.erb b/modules/role/templates/backup/pgbouncer.ini.erb
deleted file mode 100644
index 3ba8728..0000000
--- a/modules/role/templates/backup/pgbouncer.ini.erb
+++ /dev/null
@@ -1,15 +0,0 @@
-[pgbouncer]
-listen_addr = 0.0.0.0
-listen_port = 5432
-unix_socket_dir = /run/postgresql
-unix_socket_mode = 0777
-auth_type = pam
-admin_users = postgres
-max_client_conn = 100
-default_pool_size = 20
-[databases]
diff --git a/modules/role/templates/backup/postgresql_backup@.service.erb b/modules/role/templates/backup/postgresql_backup@.service.erb
deleted file mode 100644
index 245a1cb..0000000
--- a/modules/role/templates/backup/postgresql_backup@.service.erb
+++ /dev/null
@@ -1,34 +0,0 @@
-[Unit]
-Description=PostgreSQL database server
-After=network.target
-[Service]
-Type=forking
-TimeoutSec=120
-User=postgres
-Group=postgres
-Environment=PGROOT=<%= @mountpoint %>/%i/postgresql
-SyslogIdentifier=postgres
-PIDFile=<%= @mountpoint %>/%i/postgresql/postmaster.pid
-RuntimeDirectory=postgresql
-RuntimeDirectoryMode=755
-ExecStartPre=/usr/bin/postgresql-check-db-dir ${PGROOT}
-ExecStart= /usr/bin/pg_ctl -s -D ${PGROOT} start -w -t 120
-ExecReload=/usr/bin/pg_ctl -s -D ${PGROOT} reload
-ExecStop=  /usr/bin/pg_ctl -s -D ${PGROOT} stop -m fast
-# Due to PostgreSQL's use of shared memory, OOM killer is often overzealous in
-# killing Postgres, so adjust it downward
-OOMScoreAdjust=-200
-# Additional security-related features
-PrivateTmp=true
-ProtectHome=true
-ProtectSystem=full
-NoNewPrivileges=true
-[Install]
-WantedBy=multi-user.target

diff --git a/modules/role/files/backup/pam_pgbouncer b/modules/role/files/backup/pam_pgbouncer deleted file mode 100644 index 13f0d3d..0000000 --- a/modules/role/files/backup/pam_pgbouncer +++ /dev/null
@@ -1,3 +0,0 @@
1	auth required pam_ldap.so config=/etc/pam_ldap.d/pgbouncer.conf
2	account required pam_ldap.so config=/etc/pam_ldap.d/pgbouncer.conf
3


diff --git a/modules/role/manifests/backup.pp b/modules/role/manifests/backup.pp index 51b689d..b35c542 100644 --- a/modules/role/manifests/backup.pp +++ b/modules/role/manifests/backup.pp
@@ -17,14 +17,6 @@ class role::backup (
17		17
18	include "role::backup::postgresql"	18	include "role::backup::postgresql"
19		19
20	ensure_packages(["python", "python-pip"])
21	package { "pylog2rotate":
22	source => "git+https://github.com/avian2/pylog2rotate",
23	ensure => present,
24	provider => "pip3",
25	require => Package["python-pip"],
26	}
27
28	ensure_packages(["rsync"])	20	ensure_packages(["rsync"])
29		21
30	ssh_keygen { $user:	22	ssh_keygen { $user:


diff --git a/modules/role/manifests/backup/postgresql.pp b/modules/role/manifests/backup/postgresql.pp index 8c7542b..8a65dec 100644 --- a/modules/role/manifests/backup/postgresql.pp +++ b/modules/role/manifests/backup/postgresql.pp
@@ -1,379 +1,21 @@
1	class role::backup::postgresql inherits role::backup {	1	class role::backup::postgresql inherits role::backup {
2	$password_seed = lookup("base_installation::puppet_pass_seed")	2	ensure_packages(["postgresql"])
3
4	$user = lookup("role::backup::user")
5	$group = lookup("role::backup::group")
6	$pg_user = "postgres"
7	$pg_group = "postgres"
8
9	$ldap_cn = lookup("base_installation::ldap_cn")
10	$ldap_password = generate_password(24, $password_seed, "ldap")
11	$ldap_server = lookup("base_installation::ldap_server")
12	$ldap_base = lookup("base_installation::ldap_base")
13	$ldap_dn = lookup("base_installation::ldap_dn")
14	$pgbouncer_ldap_attribute = "uid"
15
16	$pg_slot = regsubst($ldap_cn, '-', "_", "G")
17
18	ensure_packages(["postgresql", "pgbouncer", "pam_ldap"])
19		3
20	$pg_backup_hosts = lookup("role::backup::postgresql::backup_hosts", { "default_value" => {} })	4	$pg_backup_hosts = lookup("role::backup::postgresql::backup_hosts", { "default_value" => {} })
21	$ldap_filter = lookup("role::backup::postgresql::pgbouncer_access_filter", { "default_value" => undef })
22
23	unless empty($pg_backup_hosts) {
24	file { "/etc/systemd/system/postgresql_backup@.service":
25	mode => "0644",
26	owner => "root",
27	group => "root",
28	content => template("role/backup/postgresql_backup@.service.erb"),
29	}
30
31	unless empty($ldap_filter) {
32	concat { "/etc/pgbouncer/pgbouncer.ini":
33	mode => "0644",
34	owner => "root",
35	group => "root",
36	ensure_newline => true,
37	notify => Service["pgbouncer"],
38	}
39
40	concat::fragment { "pgbouncer_head":
41	target => "/etc/pgbouncer/pgbouncer.ini",
42	order => "01",
43	content => template("role/backup/pgbouncer.ini.erb"),
44	}
45
46	file { "/etc/systemd/system/pgbouncer.service.d":
47	ensure => "directory",
48	mode => "0644",
49	owner => "root",
50	group => "root",
51	}
52
53	file { "/etc/systemd/system/pgbouncer.service.d/override.conf":
54	ensure => "present",
55	mode => "0644",
56	owner => "root",
57	group => "root",
58	content => "[Service]\nUser=\nUser=$pg_user\n",
59	notify => Service["pgbouncer"],
60	}
61
62	service { "pgbouncer":
63	ensure => "running",
64	enable => true,
65	require => [
66	Package["pgbouncer"],
67	File["/etc/systemd/system/pgbouncer.service.d/override.conf"],
68	Concat["/etc/pgbouncer/pgbouncer.ini"]
69	],
70	}
71
72	file { "/etc/pam_ldap.d/pgbouncer.conf":
73	ensure => "present",
74	mode => "0600",
75	owner => $pg_user,
76	group => "root",
77	content => template("role/backup/pam_ldap_pgbouncer.conf.erb"),
78	require => File["/etc/pam_ldap.d"],
79	} ->
80	file { "/etc/pam.d/pgbouncer":
81	ensure => "present",
82	mode => "0644",
83	owner => "root",
84	group => "root",
85	source => "puppet:///modules/role/backup/pam_pgbouncer"
86	}
87	}
88	}
89
90	$ldap_attribute = "cn"
91
92	file { "/etc/pam_ldap.d":
93	ensure => directory,
94	mode => "0755",
95	owner => "root",
96	group => "root",
97	} ->
98	file { "/etc/pam_ldap.d/postgresql.conf":
99	ensure => "present",
100	mode => "0600",
101	owner => $pg_user,
102	group => "root",
103	content => template("profile/postgresql_master/pam_ldap_postgresql.conf.erb"),
104	} ->
105	file { "/etc/pam.d/postgresql":
106	ensure => "present",
107	mode => "0644",
108	owner => "root",
109	group => "root",
110	source => "puppet:///modules/profile/postgresql_master/pam_postgresql"
111	}
112		5
113	$pg_backup_hosts.each \|$backup_host_cn, $pg_infos\| {	6	$pg_backup_hosts.each \|$backup_host_cn, $pg_infos\| {
114	$host = find_host($facts["ldapvar"]["other"], $backup_host_cn)	7	profile::postgresql::backup_replication { $backup_host_cn:
115	if empty($host) {	8	base_path => $mountpoint,
116	$pg_backup_host = $backup_host_cn	9	pg_infos => $pg_infos,
117	} elsif has_key($host["vars"], "host") {
118	$pg_backup_host = $host["vars"]["host"][0]
119	} else {
120	$pg_backup_host = $host["vars"]["real_hostname"][0]
121	}
122
123	$pg_path = "$mountpoint/$pg_backup_host/postgresql"
124	$pg_backup_path = "$mountpoint/$pg_backup_host/postgresql_backup"
125	$pg_host = "$pg_backup_host"
126	$pg_port = $pg_infos["dbport"]
127
128	if has_key($host["vars"], "postgresql_backup_port") {
129	$pg_listen_port = $host["vars"]["postgresql_backup_port"][0]
130	file { "$pg_path/certs":
131	ensure => directory,
132	mode => "0700",
133	owner => $pg_user,
134	group => $pg_group,
135	} ->
136	ssl::self_signed_certificate { $backup_host_cn:
137	common_name => $backup_host_cn,
138	country => "FR",
139	days => "3650",
140	organization => "Immae",
141	owner => $pg_user,
142	group => $pg_group,
143	directory => "$pg_path/certs",
144	before => File["$pg_path/postgresql.conf"],
145	}
146	$ssl_key = "$pg_path/certs/$backup_host_cn.key"
147	$ssl_cert = "$pg_path/certs/$backup_host_cn.crt"
148	} else {
149	$pg_listen_port = undef
150	$ssl_key = undef
151	$ssl_cert = undef
152	}	10	}
153		11
154		12	if $pg_infos["pgbouncer"] {
155	unless empty($host) {	13	profile::postgresql::backup_pgbouncer { $backup_host_cn:
156	$host["ipHostNumber"].each \|$ip\| {	14	base_path => $mountpoint,
157	$infos = split($ip, "/")	15	pg_infos => $pg_infos,
158	$ipaddress = $infos[0]
159	if (length($infos) == 1 and $ipaddress =~ /:/) {
160	$mask = "128"
161	} elsif (length($infos) == 1) {
162	$mask = "32"
163	} else {
164	$mask = $infos[1]
165	}
166
167	postgresql::server::pg_hba_rule { "allow TCP access for initial replication from $ipaddress/$mask":
168	type => 'hostssl',
169	database => 'replication',
170	user => $backup_host_cn,
171	address => "$ipaddress/$mask",
172	auth_method => 'pam',
173	order => "06-01",
174	target => "$pg_path/pg_hba.conf",
175	postgresql_version => "10",
176	}
177	}	16	}
178	}	17	}
179		18
180	if !empty($ldap_filter) and ($pg_infos["pgbouncer"]) {
181	if empty($pg_listen_port) {
182	$pg_listen_port_key = ""
183	} else {
184	$pg_listen_port_key = "port=$pg_listen_port"
185	}
186
187	concat::fragment { "pgbouncer_$pg_backup_host":
188	target => "/etc/pgbouncer/pgbouncer.ini",
189	order => 02,
190	content => "${pg_infos[pgbouncer_dbname]} = host=$mountpoint/$pg_backup_host/postgresql $pg_listen_port_key user=${pg_infos[dbuser]} dbname=${pg_infos[dbname]}",
191	}
192
193	postgresql::server::pg_hba_rule { "$pg_backup_host - local access as ${pg_infos[dbuser]} user":
194	description => "Allow local access to ${pg_infos[dbuser]} user",
195	type => 'local',
196	database => $pg_infos["dbname"],
197	user => $pg_infos["dbuser"],
198	auth_method => 'trust',
199	order => "01-00",
200	target => "$pg_path/pg_hba.conf",
201	postgresql_version => "10",
202	}
203	}
204
205	file { "$mountpoint/$pg_backup_host":
206	ensure => directory,
207	owner => $user,
208	group => $group,
209	}
210
211	file { $pg_path:
212	ensure => directory,
213	owner => $pg_user,
214	group => $pg_group,
215	mode => "0700",
216	require => File["$mountpoint/$pg_backup_host"],
217	}
218
219	file { $pg_backup_path:
220	ensure => directory,
221	owner => $pg_user,
222	group => $pg_group,
223	mode => "0700",
224	require => File["$mountpoint/$pg_backup_host"],
225	}
226
227	cron::job::multiple { "backup_psql_$pg_host":
228	ensure => "present",
229	require => [File[$pg_backup_path], File[$pg_path]],
230	jobs => [
231	{
232	command => "/usr/bin/pg_dumpall -h $pg_path -f $pg_backup_path/\$(date -Iseconds).sql",
233	user => $pg_user,
234	hour => "22,4,10,16",
235	minute => 0,
236	description => "Backup the database",
237	},
238	{
239	command => "/usr/bin/rm -f $(ls -1 $pg_backup_path/*.sql \| grep -v 'T22:' \| sort -r \| sed -e '1,12d')",
240	user => $pg_user,
241	hour => 3,
242	minute => 0,
243	description => "Cleanup the database backups",
244	},
245	{
246	command => "cd $pg_backup_path ; /usr/bin/rm -f $(ls -1 T22.sql \| log2rotate --skip 7 --fuzz 7 --delete --format='%Y-%m-%dT%H:%M:%S+02:00.sql')",
247	user => $pg_user,
248	hour => 3,
249	minute => 1,
250	description => "Cleanup the database backups exponentially",
251	},
252	]
253	}
254
255	exec { "pg_basebackup $pg_path":
256	cwd => $pg_path,
257	user => $pg_user,
258	creates => "$pg_path/PG_VERSION",
259	environment => ["PGPASSWORD=$ldap_password"],
260	command => "/usr/bin/pg_basebackup -w -h $pg_host -U $ldap_cn -D $pg_path -S $pg_slot",
261	before => [
262	Concat["$pg_path/pg_hba.conf"],
263	Concat["$pg_path/recovery.conf"],
264	File["$pg_path/postgresql.conf"],
265	]
266	}
267
268	concat { "$pg_path/pg_hba.conf":
269	owner => $pg_user,
270	group => $pg_group,
271	mode => '0640',
272	warn => true,
273	}
274	postgresql::server::pg_hba_rule { "$pg_backup_host - local access as postgres user":
275	description => 'Allow local access to postgres user',
276	type => 'local',
277	database => 'all',
278	user => $pg_user,
279	auth_method => 'ident',
280	order => "00-01",
281	target => "$pg_path/pg_hba.conf",
282	postgresql_version => "10",
283	}
284	postgresql::server::pg_hba_rule { "$pg_backup_host - localhost access as postgres user":
285	description => 'Allow localhost access to postgres user',
286	type => 'host',
287	database => 'all',
288	user => $pg_user,
289	address => "127.0.0.1/32",
290	auth_method => 'md5',
291	order => "00-02",
292	target => "$pg_path/pg_hba.conf",
293	postgresql_version => "10",
294	}
295	postgresql::server::pg_hba_rule { "$pg_backup_host - localhost ip6 access as postgres user":
296	description => 'Allow localhost access to postgres user',
297	type => 'host',
298	database => 'all',
299	user => $pg_user,
300	address => "::1/128",
301	auth_method => 'md5',
302	order => "00-03",
303	target => "$pg_path/pg_hba.conf",
304	postgresql_version => "10",
305	}
306	postgresql::server::pg_hba_rule { "$pg_backup_host - deny access to postgresql user":
307	description => 'Deny remote access to postgres user',
308	type => 'host',
309	database => 'all',
310	user => $pg_user,
311	address => "0.0.0.0/0",
312	auth_method => 'reject',
313	order => "00-04",
314	target => "$pg_path/pg_hba.conf",
315	postgresql_version => "10",
316	}
317
318	postgresql::server::pg_hba_rule { "$pg_backup_host - local access":
319	description => 'Allow local access with password',
320	type => 'local',
321	database => 'all',
322	user => 'all',
323	auth_method => 'md5',
324	order => "10-01",
325	target => "$pg_path/pg_hba.conf",
326	postgresql_version => "10",
327	}
328
329	postgresql::server::pg_hba_rule { "$pg_backup_host - local access with same name":
330	description => 'Allow local access with same name',
331	type => 'local',
332	database => 'all',
333	user => 'all',
334	auth_method => 'ident',
335	order => "10-02",
336	target => "$pg_path/pg_hba.conf",
337	postgresql_version => "10",
338	}
339
340	$primary_conninfo = "host=$pg_host port=$pg_port user=$ldap_cn password=$ldap_password sslmode=require"
341	$primary_slot_name = regsubst($ldap_cn, '-', "_", "G")
342	$standby_mode = "on"
343
344	concat { "$pg_path/recovery.conf":
345	owner => $pg_user,
346	group => $pg_group,
347	mode => '0640',
348	warn => true,
349	}
350	concat::fragment { "$pg_path/recovery.conf":
351	target => "$pg_path/recovery.conf",
352	content => template('postgresql/recovery.conf.erb'),
353	}
354
355	file { "$pg_path/postgresql.conf":
356	owner => $pg_user,
357	group => $pg_group,
358	mode => '0640',
359	content => template("role/backup/postgresql.conf.erb"),
360	}
361
362	service { "postgresql_backup@$pg_backup_host":
363	enable => true,
364	ensure => "running",
365	require => [
366	File["/etc/systemd/system/postgresql_backup@.service"],
367	Concat["$pg_path/pg_hba.conf"],
368	Concat["$pg_path/recovery.conf"],
369	File["$pg_path/postgresql.conf"],
370	],
371	subscribe => [
372	Concat["$pg_path/pg_hba.conf"],
373	Concat["$pg_path/recovery.conf"],
374	File["$pg_path/postgresql.conf"],
375	]
376	}
377	}	19	}
378		20
379	}	21	}


diff --git a/modules/role/templates/backup/pam_ldap_pgbouncer.conf.erb b/modules/role/templates/backup/pam_ldap_pgbouncer.conf.erb deleted file mode 100644 index 384a418..0000000 --- a/modules/role/templates/backup/pam_ldap_pgbouncer.conf.erb +++ /dev/null
@@ -1,7 +0,0 @@
1	host <%= @ldap_server %>
2
3	base <%= @ldap_base %>
4	binddn <%= @ldap_dn %>
5	bindpw <%= @ldap_password %>
6	pam_login_attribute <%= @pgbouncer_ldap_attribute %>
7	pam_filter <%= @ldap_filter %>


diff --git a/modules/role/templates/backup/pgbouncer.ini.erb b/modules/role/templates/backup/pgbouncer.ini.erb deleted file mode 100644 index 3ba8728..0000000 --- a/modules/role/templates/backup/pgbouncer.ini.erb +++ /dev/null
@@ -1,15 +0,0 @@
1	[pgbouncer]
2
3	listen_addr = 0.0.0.0
4	listen_port = 5432
5
6	unix_socket_dir = /run/postgresql
7	unix_socket_mode = 0777
8
9	auth_type = pam
10
11	admin_users = postgres
12	max_client_conn = 100
13	default_pool_size = 20
14
15	[databases]


diff --git a/modules/role/templates/backup/postgresql_backup@.service.erb b/modules/role/templates/backup/postgresql_backup@.service.erb deleted file mode 100644 index 245a1cb..0000000 --- a/modules/role/templates/backup/postgresql_backup@.service.erb +++ /dev/null
@@ -1,34 +0,0 @@
1	[Unit]
2	Description=PostgreSQL database server
3	After=network.target
4
5	[Service]
6	Type=forking
7	TimeoutSec=120
8	User=postgres
9	Group=postgres
10
11	Environment=PGROOT=<%= @mountpoint %>/%i/postgresql
12
13	SyslogIdentifier=postgres
14	PIDFile=<%= @mountpoint %>/%i/postgresql/postmaster.pid
15	RuntimeDirectory=postgresql
16	RuntimeDirectoryMode=755
17
18	ExecStartPre=/usr/bin/postgresql-check-db-dir ${PGROOT}
19	ExecStart= /usr/bin/pg_ctl -s -D ${PGROOT} start -w -t 120
20	ExecReload=/usr/bin/pg_ctl -s -D ${PGROOT} reload
21	ExecStop= /usr/bin/pg_ctl -s -D ${PGROOT} stop -m fast
22
23	# Due to PostgreSQL's use of shared memory, OOM killer is often overzealous in
24	# killing Postgres, so adjust it downward
25	OOMScoreAdjust=-200
26
27	# Additional security-related features
28	PrivateTmp=true
29	ProtectHome=true
30	ProtectSystem=full
31	NoNewPrivileges=true
32
33	[Install]
34	WantedBy=multi-user.target