Diffstat (limited to 'modules/role')
-rw-r--r-- | modules/role/manifests/backup/postgresql.pp | 62 | ||||
-rw-r--r-- | modules/role/templates/backup/pam_ldap_pgbouncer.conf.erb | 2 |
2 files changed, 56 insertions, 8 deletions
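--- a/modules/role/manifests/backup/postgresql.pp
+++ b/modules/role/manifests/backup/postgresql.pp
@@ -13,7 +13,7 @@ class role::backup::postgresql inherits role::backup {
 $ldap_server = lookup("base_installation::ldap_server")
 $ldap_base = lookup("base_installation::ldap_base")
 $ldap_dn = lookup("base_installation::ldap_dn")
-$ldap_attribute = "uid"
+$pgbouncer_ldap_attribute = "uid"
 
 $pg_slot = regsubst($ldap_cn, '-', "_", "G")
 
@@ -71,18 +71,13 @@ class role::backup::postgresql inherits role::backup {
 ],
 }
 
-file { "/etc/pam_ldap.d":
-ensure => directory,
-mode => "0755",
-owner => "root",
-group => "root",
-} ->
 file { "/etc/pam_ldap.d/pgbouncer.conf":
 ensure => "present",
 mode => "0600",
 owner => $pg_user,
 group => "root",
 content => template("role/backup/pam_ldap_pgbouncer.conf.erb"),
+require => File["/etc/pam_ldap.d"],
 } ->
 file { "/etc/pam.d/pgbouncer":
 ensure => "present",
@@ -94,6 +89,29 @@ class role::backup::postgresql inherits role::backup {
 }
 }
 
+$ldap_attribute = "cn"
+
+file { "/etc/pam_ldap.d":
+ensure => directory,
+mode => "0755",
+owner => "root",
+group => "root",
+} ->
+file { "/etc/pam_ldap.d/postgresql.conf":
+ensure => "present",
+mode => "0600",
+owner => $pg_user,
+group => "root",
+content => template("profile/postgresql_master/pam_ldap_postgresql.conf.erb"),
+} ->
+file { "/etc/pam.d/postgresql":
+ensure => "present",
+mode => "0644",
+owner => "root",
+group => "root",
+source => "puppet:///modules/profile/postgresql_master/pam_postgresql"
+}
+
 $pg_backup_hosts.each |$backup_host_cn, $pg_infos| {
 $host = find_host($facts["ldapvar"]["other"], $backup_host_cn)
 if empty($host) {
@@ -108,6 +126,31 @@ class role::backup::postgresql inherits role::backup {
 $pg_host = "$pg_backup_host"
 $pg_port = $pg_infos["dbport"]
 
+unless empty($host) {
+$host["ipHostNumber"].each |$ip| {
+$infos = split($ip, "/")
+$ipaddress = $infos[0]
+if (length($infos) == 1 and $ipaddress =~ /:/) {
+$mask = "128"
+} elsif (length($infos) == 1) {
+$mask = "32"
+} else {
+$mask = $infos[1]
+}
+
+postgresql::server::pg_hba_rule { "allow TCP access for initial replication from $ipaddress/$mask":
+type => 'hostssl',
+database => 'replication',
+user => $backup_host_cn,
+address => "$ipaddress/$mask",
+auth_method => 'pam',
+order => "06-01",
+target => "$pg_path/pg_hba.conf",
+postgresql_version => "10",
+}
+}
+}
+
 if !empty($ldap_filter) and ($pg_infos["pgbouncer"]) {
 concat::fragment { "pgbouncer_$pg_backup_host":
 target => "/etc/pgbouncer/pgbouncer.ini",
@@ -292,6 +335,11 @@ class role::backup::postgresql inherits role::backup {
 Concat["$pg_path/pg_hba.conf"],
 Concat["$pg_path/recovery.conf"],
 File["$pg_path/postgresql.conf"],
+],
+subscribe => [
+Concat["$pg_path/pg_hba.conf"],
+Concat["$pg_path/recovery.conf"],
+File["$pg_path/postgresql.conf"],
 ]
 }
 }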
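Review bot: The title of the new pg_hba rule in the fourth hunk, `"allow TCP access for initial replication from $ipaddress/$mask"`, is built from the address alone, so two entries of `$pg_backup_hosts` whose LDAP `ipHostNumber` values overlap would declare the same resource twice and fail the catalog, even though `user => $backup_host_cn` makes the rule content per host. Putting the host into the title, e.g. `"allow TCP access for initial replication from $ipaddress/$mask for $backup_host_cn"`, keeps one rule per host and address. The `/32` and `/128` defaults for unprefixed addresses are the tight choice; a comment such as `# ipHostNumber without a prefix length is treated as a single host` on the `$mask` branches would record that intent. The enclosing `$pg_backup_hosts.each` block and the class continue outside the hunk. In the last hunk the `subscribe` list repeats the `require` list on the same resource; since `subscribe` already establishes that ordering, the `require` entries appear redundant, though the resource's opening line is outside the hunk so this is inferred.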
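--- a/modules/role/templates/backup/pam_ldap_pgbouncer.conf.erb
+++ b/modules/role/templates/backup/pam_ldap_pgbouncer.conf.erb
@@ -3,5 +3,5 @@ host <%= @ldap_server %>
 base <%= @ldap_base %>
 binddn <%= @ldap_dn %>
 bindpw <%= @ldap_password %>
-pam_login_attribute <%= @ldap_attribute %>
+pam_login_attribute <%= @pgbouncer_ldap_attribute %>
 pam_filter <%= @ldap_filter %>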