Diffstat (limited to 'modules')
-rw-r--r-- | modules/profile/manifests/postgresql/master.pp | 49 | ||||
-rw-r--r-- | modules/profile/manifests/postgresql/replication.pp | 5 | ||||
-rw-r--r-- | modules/role/manifests/etherpad.pp | 24 |
3 files changed, 70 insertions, 8 deletions
diff --git a/modules/profile/manifests/postgresql/master.pp b/modules/profile/manifests/postgresql/master.pp index 969905f..02315a6 100644 --- a/modules/profile/manifests/postgresql/master.pp +++ b/modules/profile/manifests/postgresql/master.pp | |||
@@ -1,8 +1,51 @@ | |||
1 | define profile::postgresql::master ( | 1 | define profile::postgresql::master ( |
2 | $letsencrypt_host = undef, | 2 | $letsencrypt_host = undef, |
3 | $backup_hosts = [], | 3 | $backup_hosts = [], |
4 | Optional[String] $pg_user = "postgres", | ||
5 | Optional[String] $pg_group = "postgres", | ||
4 | ) { | 6 | ) { |
5 | profile::postgresql::ssl { "/var/lib/postgres/data": | 7 | $pg_path = "/var/lib/postgres" |
8 | $pg_data_path = "$pg_path/data" | ||
9 | |||
10 | $postgresql_backup_port = $facts.dig("ldapvar", "self", "vars", "postgresql_backup_port", 0) | ||
11 | if ($postgresql_backup_port and !empty($backup_hosts)) { | ||
12 | $password_seed = lookup("base_installation::puppet_pass_seed") | ||
13 | $ldap_cn = lookup("base_installation::ldap_cn") | ||
14 | $ldap_password = generate_password(24, $password_seed, "ldap") | ||
15 | |||
16 | $host = find_host($facts["ldapvar"]["other"], $backup_hosts[0]) | ||
17 | if empty($host) { | ||
18 | fail("No backup host to recover from") | ||
19 | } elsif has_key($host["vars"], "host") { | ||
20 | $pg_backup_host = $host["vars"]["host"][0] | ||
21 | } else { | ||
22 | $pg_backup_host = $host["vars"]["real_hostname"][0] | ||
23 | } | ||
24 | |||
25 | exec { "pg_basebackup $pg_data_path": | ||
26 | cwd => $pg_path, | ||
27 | user => $pg_user, | ||
28 | creates => "$pg_data_path/PG_VERSION", | ||
29 | environment => ["PGPASSWORD=$ldap_password"], | ||
30 | command => "/usr/bin/pg_basebackup -w -h $pg_backup_host -p $postgresql_backup_port -U $ldap_cn -D $pg_data_path", | ||
31 | before => File[$pg_data_path], | ||
32 | require => File[$pg_path], | ||
33 | notify => Exec["cleanup pg_basebackup $pg_data_path"], | ||
34 | } -> file { "$pg_data_path/recovery.conf": | ||
35 | before => Concat["$pg_data_path/pg_hba.conf"], | ||
36 | ensure => absent, | ||
37 | } | ||
38 | |||
39 | exec { "cleanup pg_basebackup $pg_data_path": | ||
40 | refreshonly => true, | ||
41 | cwd => $pg_path, | ||
42 | user => $pg_user, | ||
43 | before => Class["postgresql::server::config"], | ||
44 | command => "/usr/bin/rm -f $pg_data_path/postgresql.conf && touch $pg_data_path/postgresql.conf", | ||
45 | } | ||
46 | } | ||
47 | |||
48 | profile::postgresql::ssl { $pg_data_path: | ||
6 | cert => "/etc/letsencrypt/live/$letsencrypt_host/cert.pem", | 49 | cert => "/etc/letsencrypt/live/$letsencrypt_host/cert.pem", |
7 | key => "/etc/letsencrypt/live/$letsencrypt_host/privkey.pem", | 50 | key => "/etc/letsencrypt/live/$letsencrypt_host/privkey.pem", |
8 | require => Letsencrypt::Certonly[$letsencrypt_host], | 51 | require => Letsencrypt::Certonly[$letsencrypt_host], |
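Review bot: The `pg_basebackup` exec sets no TLS mode, so unless one is configured elsewhere libpq uses its default `sslmode=prefer`, which neither verifies the backup host's certificate nor refuses a plaintext connection while the replication credential and the full cluster copy cross the network. Pinning it in the exec's environment closes that gap, e.g. `environment => ["PGPASSWORD=$ldap_password", "PGSSLMODE=verify-full"],`, provided a trusted root certificate is available to `$pg_user`; failing that, `PGSSLMODE=require` at least rules out plaintext. `$pg_backup_host`, `$postgresql_backup_port` and `$ldap_cn` come from LDAP facts and hiera and are interpolated into the command string without validation, so a type or pattern check, or a comment stating that these sources are trusted, would help. The define's body continues past the end of this hunk.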
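--- a/modules/profile/manifests/postgresql/replication.pp
+++ b/modules/profile/manifests/postgresql/replication.pp
@@ -52,6 +52,7 @@ define profile::postgresql::replication (
 if $handle_role {
 postgresql::server::role { $host_cn:
 replication => true,
+require => Service["postgresql"],
 }
 
 if $add_self_role {
@@ -60,13 +61,15 @@ define profile::postgresql::replication (
 # Needed to be replicated to the backup and be able to recover later
 ensure_resource("postgresql::server::role", $ldap_cn, {
 replication => true,
+require => Service["postgresql"],
 })
 }
 }
 
 if $handle_slot {
 postgresql_replication_slot { regsubst($host_cn, '-', "_", "G"):
-ensure => present
+ensure => present,
+require => Service["postgresql"],
 }
 }
 }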
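--- a/modules/role/manifests/etherpad.pp
+++ b/modules/role/manifests/etherpad.pp
@@ -1,8 +1,9 @@
 class role::etherpad (
+String $web_host,
 ) {
 $password_seed = lookup("base_installation::puppet_pass_seed")
-$web_host = lookup("base_installation::real_hostname")
-$web_listen = "0.0.0.0"
+$real_host = lookup("base_installation::real_hostname")
+$web_listen = "127.0.0.1"
 $web_port = 18000
 $pg_db = "etherpad-lite"
 $pg_user = "etherpad-lite"
@@ -83,12 +84,12 @@ class role::etherpad (
 service { "etherpad-lite":
 enable => true,
 ensure => "running",
-require => Aur::Package["etherpad-lite"],
+require => [Aur::Package["etherpad-lite"], Service["postgresql"]],
 subscribe => Aur::Package["etherpad-lite"],
 }
 
 profile::postgresql::master { "postgresql master for etherpad":
-letsencrypt_host => $web_host,
+letsencrypt_host => $real_host,
 backup_hosts => ["backup-1"],
 }
 
@@ -105,4 +106,19 @@ class role::etherpad (
 order => "05-01",
 }
 
+class { 'apache::mod::headers': }
+apache::vhost { $web_host:
+port => '443',
+docroot => false,
+manage_docroot => false,
+proxy_dest => "http://localhost:18000",
+request_headers => 'set X-Forwarded-Proto "https"',
+ssl => true,
+ssl_cert => "/etc/letsencrypt/live/$web_host/cert.pem",
+ssl_key => "/etc/letsencrypt/live/$web_host/privkey.pem",
+ssl_chain => "/etc/letsencrypt/live/$web_host/chain.pem",
+require => Letsencrypt::Certonly[$web_host],
+proxy_preserve_host => true;
+default: * => $::profile::apache::apache_vhost_default;
+}
 }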
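Review bot: `proxy_dest => "http://localhost:18000"` in the new `apache::vhost` hard-codes the port and names a different address from the `$web_listen = "127.0.0.1"` and `$web_port = 18000` variables set at the top of the class. If `localhost` resolves to `::1` first, the proxy targets an address Etherpad is not bound to, and a later port change would break the vhost without any error at compile time. Deriving the value from the variables keeps the two in step: `proxy_dest => "http://${web_listen}:${web_port}",`. The vhost also requires `Letsencrypt::Certonly[$web_host]`, which is not declared in the visible hunks now that `$web_host` is a class parameter distinct from `$real_host`; it is presumably declared elsewhere, but worth confirming. The class body extends beyond these hunks.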