Diffstat (limited to 'modules/role')
-rw-r--r--modules/role/manifests/backup/postgresql.pp62
-rw-r--r--modules/role/templates/backup/pam_ldap_pgbouncer.conf.erb2
2 files changed, 56 insertions, 8 deletions
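--- a/modules/role/manifests/backup/postgresql.pp
+++ b/modules/role/manifests/backup/postgresql.pp
@@ -13,7 +13,7 @@ class role::backup::postgresql inherits role::backup {
 $ldap_server = lookup("base_installation::ldap_server")
 $ldap_base = lookup("base_installation::ldap_base")
 $ldap_dn = lookup("base_installation::ldap_dn")
-$ldap_attribute = "uid"
+$pgbouncer_ldap_attribute = "uid"
 
 $pg_slot = regsubst($ldap_cn, '-', "_", "G")
 
@@ -71,18 +71,13 @@ class role::backup::postgresql inherits role::backup {
 ],
 }
 
-file { "/etc/pam_ldap.d":
-ensure => directory,
-mode => "0755",
-owner => "root",
-group => "root",
-} ->
 file { "/etc/pam_ldap.d/pgbouncer.conf":
 ensure => "present",
 mode => "0600",
 owner => $pg_user,
 group => "root",
 content => template("role/backup/pam_ldap_pgbouncer.conf.erb"),
+require => File["/etc/pam_ldap.d"],
 } ->
 file { "/etc/pam.d/pgbouncer":
 ensure => "present",
@@ -94,6 +89,29 @@ class role::backup::postgresql inherits role::backup {
 }
 }
 
+$ldap_attribute = "cn"
+
+file { "/etc/pam_ldap.d":
+ensure => directory,
+mode => "0755",
+owner => "root",
+group => "root",
+} ->
+file { "/etc/pam_ldap.d/postgresql.conf":
+ensure => "present",
+mode => "0600",
+owner => $pg_user,
+group => "root",
+content => template("profile/postgresql_master/pam_ldap_postgresql.conf.erb"),
+} ->
+file { "/etc/pam.d/postgresql":
+ensure => "present",
+mode => "0644",
+owner => "root",
+group => "root",
+source => "puppet:///modules/profile/postgresql_master/pam_postgresql"
+}
+
 $pg_backup_hosts.each |$backup_host_cn, $pg_infos| {
 $host = find_host($facts["ldapvar"]["other"], $backup_host_cn)
 if empty($host) {
@@ -108,6 +126,31 @@ class role::backup::postgresql inherits role::backup {
 $pg_host = "$pg_backup_host"
 $pg_port = $pg_infos["dbport"]
 
+unless empty($host) {
+$host["ipHostNumber"].each |$ip| {
+$infos = split($ip, "/")
+$ipaddress = $infos[0]
+if (length($infos) == 1 and $ipaddress =~ /:/) {
+$mask = "128"
+} elsif (length($infos) == 1) {
+$mask = "32"
+} else {
+$mask = $infos[1]
+}
+
+postgresql::server::pg_hba_rule { "allow TCP access for initial replication from $ipaddress/$mask":
+type => 'hostssl',
+database => 'replication',
+user => $backup_host_cn,
+address => "$ipaddress/$mask",
+auth_method => 'pam',
+order => "06-01",
+target => "$pg_path/pg_hba.conf",
+postgresql_version => "10",
+}
+}
+}
+
 if !empty($ldap_filter) and ($pg_infos["pgbouncer"]) {
 concat::fragment { "pgbouncer_$pg_backup_host":
 target => "/etc/pgbouncer/pgbouncer.ini",
@@ -292,6 +335,11 @@ class role::backup::postgresql inherits role::backup {
 Concat["$pg_path/pg_hba.conf"],
 Concat["$pg_path/recovery.conf"],
 File["$pg_path/postgresql.conf"],
+],
+subscribe => [
+Concat["$pg_path/pg_hba.conf"],
+Concat["$pg_path/recovery.conf"],
+File["$pg_path/postgresql.conf"],
 ]
 }
 }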
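Review bot: The prefix length taken from LDAP in the fourth hunk (`$mask = $infos[1]`) goes into pg_hba.conf unvalidated, so a stray `ipHostNumber` such as `10.0.0.0/0` would widen the per-host `hostssl replication` rule to a whole network, while a malformed value makes PostgreSQL reject the entire pg_hba.conf (the reload is ignored and a restart fails). Since the manifest already relies on puppetlabs-stdlib functions (`empty`), the cheapest guard is to type-check the computed address before declaring the rule, e.g. `assert_type(Stdlib::IP::Address, "${ipaddress}/${mask}")`, and, if backup hosts are always single addresses, to `fail()` when `$mask` is neither `32` nor `128`. The rule's `auth_method => 'pam'` depends on PostgreSQL's default PAM service name matching the `/etc/pam.d/postgresql` file the third hunk adds, which deserves a comment on that line such as `# PAM service defaults to "postgresql"; see /etc/pam.d/postgresql declared above`. The enclosing `$pg_backup_hosts.each` loop begins in the previous hunk and ends after this one.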
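--- a/modules/role/templates/backup/pam_ldap_pgbouncer.conf.erb
+++ b/modules/role/templates/backup/pam_ldap_pgbouncer.conf.erb
@@ -3,5 +3,5 @@ host <%= @ldap_server %>
 base <%= @ldap_base %>
 binddn <%= @ldap_dn %>
 bindpw <%= @ldap_password %>
-pam_login_attribute <%= @ldap_attribute %>
+pam_login_attribute <%= @pgbouncer_ldap_attribute %>
 pam_filter <%= @ldap_filter %>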