3 files changed, 26 insertions, 234 deletions
diff --git a/modules/profile/manifests/postgresql.pp b/modules/profile/manifests/postgresql.pp
index 2cd1bcc..97ce572 100644
--- a/modules/profile/manifests/postgresql.pp
+++ b/modules/profile/manifests/postgresql.pp
@@ -1,4 +1,7 @@
-class profile::postgresql {
+class profile::postgresql (
+  Optional[String] $pg_user  = "postgres",
+  Optional[String] $pg_group = "postgres",
+) {
  $password_seed = lookup("base_installation::puppet_pass_seed")
  class { '::postgresql::globals':
@@ -7,16 +10,13 @@ class profile::postgresql {
    pg_hba_conf_defaults => false,
  }
-  # FIXME: get it from the postgresql module?
-  $pg_user = "postgres"
  class { '::postgresql::client': }
  # FIXME: postgresql module is buggy and doesn't create dir?
  file { "/var/lib/postgres":
    ensure  => directory,
    owner   => $pg_user,
-    group   => $pg_user,
+    group   => $pg_group,
    before  => File["/var/lib/postgres/data"],
    require => Package["postgresql-server"],
  }
@@ -26,59 +26,7 @@ class profile::postgresql {
    listen_addresses  => "*",
  }
-  postgresql::server::pg_hba_rule { 'local access as postgres user':
+  profile::postgresql::base_pg_hba_rules { "default": }
-    description => 'Allow local access to postgres user',
-    type        => 'local',
-    database    => 'all',
-    user        => $pg_user,
-    auth_method => 'ident',
-    order       => "00-01",
-  }
-  postgresql::server::pg_hba_rule { 'localhost access as postgres user':
-    description => 'Allow localhost access to postgres user',
-    type        => 'host',
-    database    => 'all',
-    user        => $pg_user,
-    address     => "127.0.0.1/32",
-    auth_method => 'md5',
-    order       => "00-02",
-  }
-  postgresql::server::pg_hba_rule { 'localhost ip6 access as postgres user':
-    description => 'Allow localhost access to postgres user',
-    type        => 'host',
-    database    => 'all',
-    user        => $pg_user,
-    address     => "::1/128",
-    auth_method => 'md5',
-    order       => "00-03",
-  }
-  postgresql::server::pg_hba_rule { 'deny access to postgresql user':
-    description => 'Deny remote access to postgres user',
-    type        => 'host',
-    database    => 'all',
-    user        => $pg_user,
-    address     => "0.0.0.0/0",
-    auth_method => 'reject',
-    order       => "00-04",
-  }
-  postgresql::server::pg_hba_rule { 'local access':
-    description => 'Allow local access with password',
-    type        => 'local',
-    database    => 'all',
-    user        => 'all',
-    auth_method => 'md5',
-    order       => "10-01",
-  }
-  postgresql::server::pg_hba_rule { 'local access with same name':
-    description => 'Allow local access with same name',
-    type        => 'local',
-    database    => 'all',
-    user        => 'all',
-    auth_method => 'ident',
-    order       => "10-02",
-  }
 }
diff --git a/modules/profile/manifests/postgresql/base_pg_hba_rules.pp b/modules/profile/manifests/postgresql/base_pg_hba_rules.pp
index 13ab4ff..07c4bb6 100644
--- a/modules/profile/manifests/postgresql/base_pg_hba_rules.pp
+++ b/modules/profile/manifests/postgresql/base_pg_hba_rules.pp
@@ -43,8 +43,6 @@ define profile::postgresql::base_pg_hba_rules (
    address     => "::1/128",
    auth_method => 'md5',
    order       => "00-03",
-    target      => "$pg_path/pg_hba.conf",
-    postgresql_version => "10",
  }
  postgresql::server::pg_hba_rule { "$title - deny access to postgresql user":
    description => 'Deny remote access to postgres user',
diff --git a/modules/role/manifests/cryptoportfolio/postgresql.pp b/modules/role/manifests/cryptoportfolio/postgresql.pp
index 776b30f..addad67 100644
--- a/modules/role/manifests/cryptoportfolio/postgresql.pp
+++ b/modules/role/manifests/cryptoportfolio/postgresql.pp
@@ -2,194 +2,40 @@ class role::cryptoportfolio::postgresql inherits role::cryptoportfolio {
  $password_seed = lookup("base_installation::puppet_pass_seed")
  $pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio")
-  $pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication")
-  file { "/var/lib/postgres/data/certs":
+  profile::postgresql::master { "postgresql master for cryptoportfolio":
-    ensure  => directory,
+    letsencrypt_host => $web_host,
-    mode    => "0700",
+    backup_hosts     => ["backup-1"],
-    owner   => $::profile::postgresql::pg_user,
-    group   => $::profile::postgresql::pg_user,
-    require => File["/var/lib/postgres"],
-  }
-  file { "/var/lib/postgres/data/certs/cert.pem":
-    source  => "file:///etc/letsencrypt/live/$web_host/cert.pem",
-    mode    => "0600",
-    links   => "follow",
-    owner   => $::profile::postgresql::pg_user,
-    group   => $::profile::postgresql::pg_user,
-    require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
-  }
-  file { "/var/lib/postgres/data/certs/privkey.pem":
-    source  => "file:///etc/letsencrypt/live/$web_host/privkey.pem",
-    mode    => "0600",
-    links   => "follow",
-    owner   => $::profile::postgresql::pg_user,
-    group   => $::profile::postgresql::pg_user,
-    require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
-  }
-  postgresql_replication_slot { $pg_user_replication:
-    ensure => present
-  }
-  postgresql::server::config_entry { "wal_level":
-    value   => "logical",
-  }
-  postgresql::server::config_entry { "ssl":
-    value   => "on",
-    require => Letsencrypt::Certonly[$web_host],
-  }
-  postgresql::server::config_entry { "ssl_cert_file":
-    value   => "/var/lib/postgres/data/certs/cert.pem",
-    require => Letsencrypt::Certonly[$web_host],
-  }
-  postgresql::server::config_entry { "ssl_key_file":
-    value   => "/var/lib/postgres/data/certs/privkey.pem",
-    require => Letsencrypt::Certonly[$web_host],
  }
  postgresql::server::db { $pg_db:
    user     =>  $pg_user,
    password =>  postgresql_password($pg_user, $pg_password),
  }
-  ->
-  postgresql_psql { "CREATE PUBLICATION ${pg_db}_publication FOR ALL TABLES":
-    db     => $pg_db,
-    unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${pg_db}_publication'",
-  }
-  ->
-  postgresql::server::role { $pg_user_replication:
-    db            => $pg_db,
-    replication   => true,
-    password_hash => postgresql_password($pg_user_replication, $pg_replication_password),
-  }
-  ->
-  postgresql::server::database_grant { $pg_user_replication:
-    db        => $pg_db,
-    privilege => "CONNECT",
-    role      => $pg_user_replication,
-  }
-  ->
-  postgresql::server::grant { "all tables in schema:public:$pg_user_replication":
-    db          => $pg_db,
-    role        => $pg_user_replication,
-    privilege   => "SELECT",
-    object_type => "ALL TABLES IN SCHEMA",
-    object_name => "public",
-  }
-  ->
-  postgresql::server::grant { "all sequences in schema:public:$pg_user_replication":
-    db          => $pg_db,
-    role        => $pg_user_replication,
-    privilege   => "SELECT",
-    object_type => "ALL SEQUENCES IN SCHEMA",
-    object_name => "public",
-  }
  postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user':
-    type        => 'host',
+    type        => 'local',
    database    => $pg_db,
    user        => $pg_user,
-    address     => '127.0.0.1/32',
+    auth_method => 'ident',
-    auth_method => 'md5',
    order       => "05-01",
  }
-  postgresql::server::pg_hba_rule { 'allow localhost ip6 TCP access to cryptoportfolio user':
-    type        => 'host',
-    database    => $pg_db,
-    user        => $pg_user,
-    address     => '::1/128',
-    auth_method => 'md5',
-    order       => "05-01",
-  }
-  postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu for replication':
-    type        => 'hostssl',
-    database    => 'replication',
-    user        => $pg_user_replication,
-    address     => 'immae.eu',
-    auth_method => 'md5',
-    order       => "05-01",
-  }
-  postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu':
-    type        => 'hostssl',
-    database    => $pg_db,
-    user        => $pg_user_replication,
-    address     => 'immae.eu',
-    auth_method => 'md5',
-    order       => "05-02",
-  }
-  $backup_host = "backup-1"
-  unless empty($backup_host) {
+  # cleanup
-    ensure_packages(["pam_ldap"])
+  postgresql_psql { "DROP PUBLICATION ${pg_db}_publication":
+    db     => $pg_db,
-    $facts["ldapvar"]["other"].each |$host| {
+    onlyif => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${pg_db}_publication'",
-      if ($host["cn"][0] == $backup_host) {
+  } ->
-        $host["ipHostNumber"].each |$ip| {
+  postgresql_replication_slot { $pg_user_replication:
-          $infos = split($ip, "/")
+    ensure => absent
-          $ipaddress = $infos[0]
+  } ->
-          if (length($infos) == 1 and $ipaddress =~ /:/) {
+  postgresql_psql { "DROP OWNED BY $pg_user_replication":
-            $mask = "128"
+    db     => $pg_db,
-          } elsif (length($infos) == 1) {
+    onlyif => "SELECT 1 FROM pg_user WHERE usename='$pg_user_replication'"
-            $mask = "32"
+  } ->
-          } else {
+  postgresql::server::role { $pg_user_replication:
-            $mask = $infos[1]
+    ensure        => absent,
-          }
-          postgresql::server::pg_hba_rule { "allow TCP access to replication user from backup for replication from $ipaddress/$mask":
-            type        => 'hostssl',
-            database    => 'replication',
-            user        => 'all',
-            address     => "$ipaddress/$mask",
-            auth_method => 'pam',
-            order       => "06-01",
-          }
-        }
-        postgresql::server::role { $backup_host:
-          replication => true,
-        }
-        postgresql_replication_slot { regsubst($backup_host, '-', "_", "G"):
-          ensure => present
-        }
-      }
-    }
-    $ldap_server = lookup("base_installation::ldap_server")
-    $ldap_base   = lookup("base_installation::ldap_base")
-    $ldap_dn     = lookup("base_installation::ldap_dn")
-    $ldap_password = generate_password(24, $password_seed, "ldap")
-    $ldap_attribute = "cn"
-    file { "/etc/pam_ldap.d":
-      ensure => directory,
-      mode   => "0755",
-      owner  => "root",
-      group  => "root",
-    } ->
-    file { "/etc/pam_ldap.d/postgresql.conf":
-      ensure  => "present",
-      mode    => "0600",
-      owner   => $::profile::postgresql::pg_user,
-      group   => "root",
-      content => template("role/cryptoportfolio/pam_ldap_postgresql.conf.erb"),
-    } ->
-    file { "/etc/pam.d/postgresql":
-      ensure => "present",
-      mode   => "0644",
-      owner  => "root",
-      group  => "root",
-      source => "puppet:///modules/role/cryptoportfolio/pam_postgresql"
-    }
  }
+  # /cleanup
 }

diff --git a/modules/profile/manifests/postgresql.pp b/modules/profile/manifests/postgresql.pp index 2cd1bcc..97ce572 100644 --- a/modules/profile/manifests/postgresql.pp +++ b/modules/profile/manifests/postgresql.pp
@@ -1,4 +1,7 @@
1	class profile::postgresql {	1	class profile::postgresql (
		2	Optional[String] $pg_user = "postgres",
		3	Optional[String] $pg_group = "postgres",
		4	) {
2	$password_seed = lookup("base_installation::puppet_pass_seed")	5	$password_seed = lookup("base_installation::puppet_pass_seed")
3		6
4	class { '::postgresql::globals':	7	class { '::postgresql::globals':
@@ -7,16 +10,13 @@ class profile::postgresql {
7	pg_hba_conf_defaults => false,	10	pg_hba_conf_defaults => false,
8	}	11	}
9		12
10	# FIXME: get it from the postgresql module?
11	$pg_user = "postgres"
12
13	class { '::postgresql::client': }	13	class { '::postgresql::client': }
14		14
15	# FIXME: postgresql module is buggy and doesn't create dir?	15	# FIXME: postgresql module is buggy and doesn't create dir?
16	file { "/var/lib/postgres":	16	file { "/var/lib/postgres":
17	ensure => directory,	17	ensure => directory,
18	owner => $pg_user,	18	owner => $pg_user,
19	group => $pg_user,	19	group => $pg_group,
20	before => File["/var/lib/postgres/data"],	20	before => File["/var/lib/postgres/data"],
21	require => Package["postgresql-server"],	21	require => Package["postgresql-server"],
22	}	22	}
@@ -26,59 +26,7 @@ class profile::postgresql {
26	listen_addresses => "*",	26	listen_addresses => "*",
27	}	27	}
28		28
29	postgresql::server::pg_hba_rule { 'local access as postgres user':	29	profile::postgresql::base_pg_hba_rules { "default": }
30	description => 'Allow local access to postgres user',
31	type => 'local',
32	database => 'all',
33	user => $pg_user,
34	auth_method => 'ident',
35	order => "00-01",
36	}
37	postgresql::server::pg_hba_rule { 'localhost access as postgres user':
38	description => 'Allow localhost access to postgres user',
39	type => 'host',
40	database => 'all',
41	user => $pg_user,
42	address => "127.0.0.1/32",
43	auth_method => 'md5',
44	order => "00-02",
45	}
46	postgresql::server::pg_hba_rule { 'localhost ip6 access as postgres user':
47	description => 'Allow localhost access to postgres user',
48	type => 'host',
49	database => 'all',
50	user => $pg_user,
51	address => "::1/128",
52	auth_method => 'md5',
53	order => "00-03",
54	}
55	postgresql::server::pg_hba_rule { 'deny access to postgresql user':
56	description => 'Deny remote access to postgres user',
57	type => 'host',
58	database => 'all',
59	user => $pg_user,
60	address => "0.0.0.0/0",
61	auth_method => 'reject',
62	order => "00-04",
63	}
64
65	postgresql::server::pg_hba_rule { 'local access':
66	description => 'Allow local access with password',
67	type => 'local',
68	database => 'all',
69	user => 'all',
70	auth_method => 'md5',
71	order => "10-01",
72	}
73
74	postgresql::server::pg_hba_rule { 'local access with same name':
75	description => 'Allow local access with same name',
76	type => 'local',
77	database => 'all',
78	user => 'all',
79	auth_method => 'ident',
80	order => "10-02",
81	}
82		30
83	}	31	}
84		32


diff --git a/modules/profile/manifests/postgresql/base_pg_hba_rules.pp b/modules/profile/manifests/postgresql/base_pg_hba_rules.pp index 13ab4ff..07c4bb6 100644 --- a/modules/profile/manifests/postgresql/base_pg_hba_rules.pp +++ b/modules/profile/manifests/postgresql/base_pg_hba_rules.pp
@@ -43,8 +43,6 @@ define profile::postgresql::base_pg_hba_rules (
43	address => "::1/128",	43	address => "::1/128",
44	auth_method => 'md5',	44	auth_method => 'md5',
45	order => "00-03",	45	order => "00-03",
46	target => "$pg_path/pg_hba.conf",
47	postgresql_version => "10",
48	}	46	}
49	postgresql::server::pg_hba_rule { "$title - deny access to postgresql user":	47	postgresql::server::pg_hba_rule { "$title - deny access to postgresql user":
50	description => 'Deny remote access to postgres user',	48	description => 'Deny remote access to postgres user',


diff --git a/modules/role/manifests/cryptoportfolio/postgresql.pp b/modules/role/manifests/cryptoportfolio/postgresql.pp index 776b30f..addad67 100644 --- a/modules/role/manifests/cryptoportfolio/postgresql.pp +++ b/modules/role/manifests/cryptoportfolio/postgresql.pp
@@ -2,194 +2,40 @@ class role::cryptoportfolio::postgresql inherits role::cryptoportfolio {
2	$password_seed = lookup("base_installation::puppet_pass_seed")	2	$password_seed = lookup("base_installation::puppet_pass_seed")
3		3
4	$pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio")	4	$pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio")
5	$pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication")
6		5
7	file { "/var/lib/postgres/data/certs":	6	profile::postgresql::master { "postgresql master for cryptoportfolio":
8	ensure => directory,	7	letsencrypt_host => $web_host,
9	mode => "0700",	8	backup_hosts => ["backup-1"],
10	owner => $::profile::postgresql::pg_user,
11	group => $::profile::postgresql::pg_user,
12	require => File["/var/lib/postgres"],
13	}
14
15	file { "/var/lib/postgres/data/certs/cert.pem":
16	source => "file:///etc/letsencrypt/live/$web_host/cert.pem",
17	mode => "0600",
18	links => "follow",
19	owner => $::profile::postgresql::pg_user,
20	group => $::profile::postgresql::pg_user,
21	require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
22	}
23
24	file { "/var/lib/postgres/data/certs/privkey.pem":
25	source => "file:///etc/letsencrypt/live/$web_host/privkey.pem",
26	mode => "0600",
27	links => "follow",
28	owner => $::profile::postgresql::pg_user,
29	group => $::profile::postgresql::pg_user,
30	require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
31	}
32
33	postgresql_replication_slot { $pg_user_replication:
34	ensure => present
35	}
36
37	postgresql::server::config_entry { "wal_level":
38	value => "logical",
39	}
40
41	postgresql::server::config_entry { "ssl":
42	value => "on",
43	require => Letsencrypt::Certonly[$web_host],
44	}
45
46	postgresql::server::config_entry { "ssl_cert_file":
47	value => "/var/lib/postgres/data/certs/cert.pem",
48	require => Letsencrypt::Certonly[$web_host],
49	}
50
51	postgresql::server::config_entry { "ssl_key_file":
52	value => "/var/lib/postgres/data/certs/privkey.pem",
53	require => Letsencrypt::Certonly[$web_host],
54	}	9	}
55		10
56	postgresql::server::db { $pg_db:	11	postgresql::server::db { $pg_db:
57	user => $pg_user,	12	user => $pg_user,
58	password => postgresql_password($pg_user, $pg_password),	13	password => postgresql_password($pg_user, $pg_password),
59	}	14	}
60	->
61	postgresql_psql { "CREATE PUBLICATION ${pg_db}_publication FOR ALL TABLES":
62	db => $pg_db,
63	unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${pg_db}_publication'",
64	}
65	->
66	postgresql::server::role { $pg_user_replication:
67	db => $pg_db,
68	replication => true,
69	password_hash => postgresql_password($pg_user_replication, $pg_replication_password),
70	}
71	->
72	postgresql::server::database_grant { $pg_user_replication:
73	db => $pg_db,
74	privilege => "CONNECT",
75	role => $pg_user_replication,
76	}
77	->
78	postgresql::server::grant { "all tables in schema:public:$pg_user_replication":
79	db => $pg_db,
80	role => $pg_user_replication,
81	privilege => "SELECT",
82	object_type => "ALL TABLES IN SCHEMA",
83	object_name => "public",
84	}
85	->
86	postgresql::server::grant { "all sequences in schema:public:$pg_user_replication":
87	db => $pg_db,
88	role => $pg_user_replication,
89	privilege => "SELECT",
90	object_type => "ALL SEQUENCES IN SCHEMA",
91	object_name => "public",
92	}
93		15
94	postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user':	16	postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user':
95	type => 'host',	17	type => 'local',
96	database => $pg_db,	18	database => $pg_db,
97	user => $pg_user,	19	user => $pg_user,
98	address => '127.0.0.1/32',	20	auth_method => 'ident',
99	auth_method => 'md5',
100	order => "05-01",	21	order => "05-01",
101	}	22	}
102	postgresql::server::pg_hba_rule { 'allow localhost ip6 TCP access to cryptoportfolio user':
103	type => 'host',
104	database => $pg_db,
105	user => $pg_user,
106	address => '::1/128',
107	auth_method => 'md5',
108	order => "05-01",
109	}
110
111	postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu for replication':
112	type => 'hostssl',
113	database => 'replication',
114	user => $pg_user_replication,
115	address => 'immae.eu',
116	auth_method => 'md5',
117	order => "05-01",
118	}
119
120	postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu':
121	type => 'hostssl',
122	database => $pg_db,
123	user => $pg_user_replication,
124	address => 'immae.eu',
125	auth_method => 'md5',
126	order => "05-02",
127	}
128
129	$backup_host = "backup-1"
130		23
131	unless empty($backup_host) {	24	# cleanup
132	ensure_packages(["pam_ldap"])	25	postgresql_psql { "DROP PUBLICATION ${pg_db}_publication":
133		26	db => $pg_db,
134	$facts["ldapvar"]["other"].each \|$host\| {	27	onlyif => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${pg_db}_publication'",
135	if ($host["cn"][0] == $backup_host) {	28	} ->
136	$host["ipHostNumber"].each \|$ip\| {	29	postgresql_replication_slot { $pg_user_replication:
137	$infos = split($ip, "/")	30	ensure => absent
138	$ipaddress = $infos[0]	31	} ->
139	if (length($infos) == 1 and $ipaddress =~ /:/) {	32	postgresql_psql { "DROP OWNED BY $pg_user_replication":
140	$mask = "128"	33	db => $pg_db,
141	} elsif (length($infos) == 1) {	34	onlyif => "SELECT 1 FROM pg_user WHERE usename='$pg_user_replication'"
142	$mask = "32"	35	} ->
143	} else {	36	postgresql::server::role { $pg_user_replication:
144	$mask = $infos[1]	37	ensure => absent,
145	}
146
147	postgresql::server::pg_hba_rule { "allow TCP access to replication user from backup for replication from $ipaddress/$mask":
148	type => 'hostssl',
149	database => 'replication',
150	user => 'all',
151	address => "$ipaddress/$mask",
152	auth_method => 'pam',
153	order => "06-01",
154	}
155	}
156
157	postgresql::server::role { $backup_host:
158	replication => true,
159	}
160
161	postgresql_replication_slot { regsubst($backup_host, '-', "_", "G"):
162	ensure => present
163	}
164	}
165	}
166
167	$ldap_server = lookup("base_installation::ldap_server")
168	$ldap_base = lookup("base_installation::ldap_base")
169	$ldap_dn = lookup("base_installation::ldap_dn")
170	$ldap_password = generate_password(24, $password_seed, "ldap")
171	$ldap_attribute = "cn"
172
173	file { "/etc/pam_ldap.d":
174	ensure => directory,
175	mode => "0755",
176	owner => "root",
177	group => "root",
178	} ->
179	file { "/etc/pam_ldap.d/postgresql.conf":
180	ensure => "present",
181	mode => "0600",
182	owner => $::profile::postgresql::pg_user,
183	group => "root",
184	content => template("role/cryptoportfolio/pam_ldap_postgresql.conf.erb"),
185	} ->
186	file { "/etc/pam.d/postgresql":
187	ensure => "present",
188	mode => "0644",
189	owner => "root",
190	group => "root",
191	source => "puppet:///modules/role/cryptoportfolio/pam_postgresql"
192	}
193	}	38	}
		39	# /cleanup
194		40
195	}	41	}