diff options
Diffstat (limited to 'modules')
4 files changed, 131 insertions, 46 deletions
diff --git a/modules/profile/files/postgresql_master/pam_postgresql b/modules/profile/files/postgresql_master/pam_postgresql new file mode 100644 index 0000000..70a90ae --- /dev/null +++ b/modules/profile/files/postgresql_master/pam_postgresql | |||
@@ -0,0 +1,3 @@ | |||
1 | auth required pam_ldap.so config=/etc/pam_ldap.d/postgresql.conf | ||
2 | account required pam_ldap.so config=/etc/pam_ldap.d/postgresql.conf | ||
3 | |||
diff --git a/modules/profile/manifests/postgresql_master.pp b/modules/profile/manifests/postgresql_master.pp new file mode 100644 index 0000000..3f68890 --- /dev/null +++ b/modules/profile/manifests/postgresql_master.pp | |||
@@ -0,0 +1,116 @@ | |||
1 | define profile::postgresql_master ( | ||
2 | $letsencrypt_host = undef, | ||
3 | $backup_hosts = [], | ||
4 | ) { | ||
5 | $password_seed = lookup("base_installation::puppet_pass_seed") | ||
6 | |||
7 | ensure_resource("file", "/var/lib/postgres/data/certs", { | ||
8 | ensure => directory, | ||
9 | mode => "0700", | ||
10 | owner => $::profile::postgresql::pg_user, | ||
11 | group => $::profile::postgresql::pg_user, | ||
12 | require => File["/var/lib/postgres"], | ||
13 | }) | ||
14 | |||
15 | ensure_resource("file", "/var/lib/postgres/data/certs/cert.pem", { | ||
16 | source => "file:///etc/letsencrypt/live/$letsencrypt_host/cert.pem", | ||
17 | mode => "0600", | ||
18 | links => "follow", | ||
19 | owner => $::profile::postgresql::pg_user, | ||
20 | group => $::profile::postgresql::pg_user, | ||
21 | require => [Letsencrypt::Certonly[$letsencrypt_host], File["/var/lib/postgres/data/certs"]] | ||
22 | }) | ||
23 | |||
24 | ensure_resource("file", "/var/lib/postgres/data/certs/privkey.pem", { | ||
25 | source => "file:///etc/letsencrypt/live/$letsencrypt_host/privkey.pem", | ||
26 | mode => "0600", | ||
27 | links => "follow", | ||
28 | owner => $::profile::postgresql::pg_user, | ||
29 | group => $::profile::postgresql::pg_user, | ||
30 | require => [Letsencrypt::Certonly[$letsencrypt_host], File["/var/lib/postgres/data/certs"]] | ||
31 | }) | ||
32 | |||
33 | ensure_resource("postgresql::server::config_entry", "wal_level", { | ||
34 | value => "logical", | ||
35 | }) | ||
36 | |||
37 | ensure_resource("postgresql::server::config_entry", "ssl", { | ||
38 | value => "on", | ||
39 | require => Letsencrypt::Certonly[$letsencrypt_host], | ||
40 | }) | ||
41 | |||
42 | ensure_resource("postgresql::server::config_entry", "ssl_cert_file", { | ||
43 | value => "/var/lib/postgres/data/certs/cert.pem", | ||
44 | require => Letsencrypt::Certonly[$letsencrypt_host], | ||
45 | }) | ||
46 | |||
47 | ensure_resource("postgresql::server::config_entry", "ssl_key_file", { | ||
48 | value => "/var/lib/postgres/data/certs/privkey.pem", | ||
49 | require => Letsencrypt::Certonly[$letsencrypt_host], | ||
50 | }) | ||
51 | |||
52 | $backup_hosts.each |$backup_host| { | ||
53 | ensure_packages(["pam_ldap"]) | ||
54 | |||
55 | $facts["ldapvar"]["other"].each |$host| { | ||
56 | if ($host["cn"][0] == $backup_host) { | ||
57 | $host["ipHostNumber"].each |$ip| { | ||
58 | $infos = split($ip, "/") | ||
59 | $ipaddress = $infos[0] | ||
60 | if (length($infos) == 1 and $ipaddress =~ /:/) { | ||
61 | $mask = "128" | ||
62 | } elsif (length($infos) == 1) { | ||
63 | $mask = "32" | ||
64 | } else { | ||
65 | $mask = $infos[1] | ||
66 | } | ||
67 | |||
68 | postgresql::server::pg_hba_rule { "allow TCP access to replication user from backup for replication from $ipaddress/$mask": | ||
69 | type => 'hostssl', | ||
70 | database => 'replication', | ||
71 | user => $backup_host, | ||
72 | address => "$ipaddress/$mask", | ||
73 | auth_method => 'pam', | ||
74 | order => "06-01", | ||
75 | } | ||
76 | } | ||
77 | |||
78 | postgresql::server::role { $backup_host: | ||
79 | replication => true, | ||
80 | } | ||
81 | |||
82 | postgresql_replication_slot { regsubst($backup_host, '-', "_", "G"): | ||
83 | ensure => present | ||
84 | } | ||
85 | } | ||
86 | } | ||
87 | |||
88 | $ldap_server = lookup("base_installation::ldap_server") | ||
89 | $ldap_base = lookup("base_installation::ldap_base") | ||
90 | $ldap_dn = lookup("base_installation::ldap_dn") | ||
91 | $ldap_password = generate_password(24, $password_seed, "ldap") | ||
92 | $ldap_attribute = "cn" | ||
93 | |||
94 | file { "/etc/pam_ldap.d": | ||
95 | ensure => directory, | ||
96 | mode => "0755", | ||
97 | owner => "root", | ||
98 | group => "root", | ||
99 | } -> | ||
100 | file { "/etc/pam_ldap.d/postgresql.conf": | ||
101 | ensure => "present", | ||
102 | mode => "0600", | ||
103 | owner => $::profile::postgresql::pg_user, | ||
104 | group => "root", | ||
105 | content => template("profile/postgresql_master/pam_ldap_postgresql.conf.erb"), | ||
106 | } -> | ||
107 | file { "/etc/pam.d/postgresql": | ||
108 | ensure => "present", | ||
109 | mode => "0644", | ||
110 | owner => "root", | ||
111 | group => "root", | ||
112 | source => "puppet:///modules/profile/postgresql_master/pam_postgresql" | ||
113 | } | ||
114 | } | ||
115 | |||
116 | } | ||
diff --git a/modules/profile/templates/postgresql_master/pam_ldap_postgresql.conf.erb b/modules/profile/templates/postgresql_master/pam_ldap_postgresql.conf.erb new file mode 100644 index 0000000..f3d9674 --- /dev/null +++ b/modules/profile/templates/postgresql_master/pam_ldap_postgresql.conf.erb | |||
@@ -0,0 +1,6 @@ | |||
1 | host <%= @ldap_server %> | ||
2 | |||
3 | base <%= @ldap_base %> | ||
4 | binddn <%= @ldap_dn %> | ||
5 | bindpw <%= @ldap_password %> | ||
6 | pam_login_attribute <%= @ldap_attribute %> | ||
diff --git a/modules/role/manifests/etherpad.pp b/modules/role/manifests/etherpad.pp index 476a210..a43f146 100644 --- a/modules/role/manifests/etherpad.pp +++ b/modules/role/manifests/etherpad.pp | |||
@@ -66,54 +66,14 @@ class role::etherpad ( | |||
66 | subscribe => Aur::Package["etherpad-lite"], | 66 | subscribe => Aur::Package["etherpad-lite"], |
67 | } | 67 | } |
68 | 68 | ||
69 | $web_host = "outils-1.v.immae.eu" | 69 | $web_host = "outils-1.v.immae.eu" |
70 | $pg_db = "etherpad-lite" | 70 | $pg_db = "etherpad-lite" |
71 | $pg_user = "etherpad-lite" | 71 | $pg_user = "etherpad-lite" |
72 | $pg_password = generate_password(24, $password_seed, "postgres_etherpad") | 72 | $pg_password = generate_password(24, $password_seed, "postgres_etherpad") |
73 | 73 | ||
74 | file { "/var/lib/postgres/data/certs": | 74 | profile::postgresql_master { "postgresql master for etherpad": |
75 | ensure => directory, | 75 | letsencrypt_host => $web_host, |
76 | mode => "0700", | 76 | backup_hosts => ["backup-1"], |
77 | owner => $::profile::postgresql::pg_user, | ||
78 | group => $::profile::postgresql::pg_user, | ||
79 | require => File["/var/lib/postgres"], | ||
80 | } | ||
81 | |||
82 | file { "/var/lib/postgres/data/certs/cert.pem": | ||
83 | source => "file:///etc/letsencrypt/live/$web_host/cert.pem", | ||
84 | mode => "0600", | ||
85 | links => "follow", | ||
86 | owner => $::profile::postgresql::pg_user, | ||
87 | group => $::profile::postgresql::pg_user, | ||
88 | require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]] | ||
89 | } | ||
90 | |||
91 | file { "/var/lib/postgres/data/certs/privkey.pem": | ||
92 | source => "file:///etc/letsencrypt/live/$web_host/privkey.pem", | ||
93 | mode => "0600", | ||
94 | links => "follow", | ||
95 | owner => $::profile::postgresql::pg_user, | ||
96 | group => $::profile::postgresql::pg_user, | ||
97 | require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]] | ||
98 | } | ||
99 | |||
100 | postgresql::server::config_entry { "wal_level": | ||
101 | value => "logical", | ||
102 | } | ||
103 | |||
104 | postgresql::server::config_entry { "ssl": | ||
105 | value => "on", | ||
106 | require => Letsencrypt::Certonly[$web_host], | ||
107 | } | ||
108 | |||
109 | postgresql::server::config_entry { "ssl_cert_file": | ||
110 | value => "/var/lib/postgres/data/certs/cert.pem", | ||
111 | require => Letsencrypt::Certonly[$web_host], | ||
112 | } | ||
113 | |||
114 | postgresql::server::config_entry { "ssl_key_file": | ||
115 | value => "/var/lib/postgres/data/certs/privkey.pem", | ||
116 | require => Letsencrypt::Certonly[$web_host], | ||
117 | } | 77 | } |
118 | 78 | ||
119 | postgresql::server::db { $pg_db: | 79 | postgresql::server::db { $pg_db: |