From 808f822507d47cc6e47da41e206ff9b942b506df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?=
Date: Mon, 14 May 2018 01:12:04 +0200
Subject: Move postgresql replication to its right place

---
 modules/role/manifests/backup.pp | 3 +-
 modules/role/manifests/backup/postgresql.pp | 163 +++++++++++++++++++++
 .../manifests/cryptoportfolio/postgresql_backup.pp | 163 ---------------------
 modules/role/templates/backup/postgresql.conf.erb | 5 +
 .../backup/postgresql_backup@.service.erb | 34 +++++
 .../cryptoportfolio/postgresql_backup.conf.erb | 5 -
 .../cryptoportfolio/postgresql_backup@.service.erb | 34 -----
 7 files changed, 204 insertions(+), 203 deletions(-)
 create mode 100644 modules/role/manifests/backup/postgresql.pp
 delete mode 100644 modules/role/manifests/cryptoportfolio/postgresql_backup.pp
 create mode 100644 modules/role/templates/backup/postgresql.conf.erb
 create mode 100644 modules/role/templates/backup/postgresql_backup@.service.erb
 delete mode 100644 modules/role/templates/cryptoportfolio/postgresql_backup.conf.erb
 delete mode 100644 modules/role/templates/cryptoportfolio/postgresql_backup@.service.erb

diff --git a/modules/role/manifests/backup.pp b/modules/role/manifests/backup.pp
index 37e6138..b35c542 100644
--- a/modules/role/manifests/backup.pp
+++ b/modules/role/manifests/backup.pp
@@ -14,7 +14,8 @@ class role::backup (
 include "profile::xmr_stak"
 include "profile::known_hosts"
 include "profile::boinc"
- include "role::cryptoportfolio::postgresql_backup"
+
+ include "role::backup::postgresql"
 ensure_packages(["rsync"])
diff --git a/modules/role/manifests/backup/postgresql.pp b/modules/role/manifests/backup/postgresql.pp
new file mode 100644
index 0000000..59e4669
--- /dev/null
+++ b/modules/role/manifests/backup/postgresql.pp
@@ -0,0 +1,163 @@
+class role::backup::postgresql inherits role::backup {
+ # This manifest is supposed to be part of the backup server
+
+ $password_seed = lookup("base_installation::puppet_pass_seed")
+
+ $user = lookup("role::backup::user")
+ $group = lookup("role::backup::group")
+ $pg_user = "postgres"
+ $pg_group = "postgres"
+
+ $ldap_cn = lookup("base_installation::ldap_cn")
+ $ldap_password = generate_password(24, $password_seed, "ldap")
+ $pg_slot = regsubst($ldap_cn, '-', "_", "G")
+
+ ensure_packages(["postgresql"])
+
+ $pg_backup_hosts = lookup("role::backup::postgresql::backup_hosts", { "default_value" => [] })
+
+ $pg_backup_hosts.each |$pg_backup_host| {
+ $pg_path = "$mountpoint/$pg_backup_host/postgresql"
+ $pg_host = "$pg_backup_host"
+ $pg_port = "5432"
+
+ file { "$mountpoint/$pg_backup_host":
+ ensure => directory,
+ owner => $user,
+ group => $group,
+ }
+
+ file { $pg_path:
+ ensure => directory,
+ owner => $pg_user,
+ group => $pg_group,
+ mode => "0700",
+ require => File["$mountpoint/$pg_backup_host"],
+ }
+
+ exec { "pg_basebackup $pg_path":
+ cwd => $pg_path,
+ user => $pg_user,
+ creates => "$pg_path/PG_VERSION",
+ environment => ["PGPASSWORD=$ldap_password"],
+ command => "/usr/bin/pg_basebackup -w -h $pg_host -U $ldap_cn -D $pg_path -S $pg_slot",
+ before => [
+ Concat["$pg_path/pg_hba.conf"],
+ Concat["$pg_path/recovery.conf"],
+ File["$pg_path/postgresql.conf"],
+ ]
+ }
+
+ concat { "$pg_path/pg_hba.conf":
+ owner => $pg_user,
+ group => $pg_group,
+ mode => '0640',
+ warn => true,
+ }
+ postgresql::server::pg_hba_rule { "$pg_backup_host - local access as postgres user":
+ description => 'Allow local access to postgres user',
+ type => 'local',
+ database => 'all',
+ user => $pg_user,
+ auth_method => 'ident',
+ order => "00-01",
+ target => "$pg_path/pg_hba.conf",
+ postgresql_version => "10",
+ }
+ postgresql::server::pg_hba_rule { "$pg_backup_host - localhost access as postgres user":
+ description => 'Allow localhost access to 
postgres user',
+ type => 'host',
+ database => 'all',
+ user => $pg_user,
+ address => "127.0.0.1/32",
+ auth_method => 'md5',
+ order => "00-02",
+ target => "$pg_path/pg_hba.conf",
+ postgresql_version => "10",
+ }
+ postgresql::server::pg_hba_rule { "$pg_backup_host - localhost ip6 access as postgres user":
+ description => 'Allow localhost access to postgres user',
+ type => 'host',
+ database => 'all',
+ user => $pg_user,
+ address => "::1/128",
+ auth_method => 'md5',
+ order => "00-03",
+ target => "$pg_path/pg_hba.conf",
+ postgresql_version => "10",
+ }
+ postgresql::server::pg_hba_rule { "$pg_backup_host - deny access to postgresql user":
+ description => 'Deny remote access to postgres user',
+ type => 'host',
+ database => 'all',
+ user => $pg_user,
+ address => "0.0.0.0/0",
+ auth_method => 'reject',
+ order => "00-04",
+ target => "$pg_path/pg_hba.conf",
+ postgresql_version => "10",
+ }
+
+ postgresql::server::pg_hba_rule { "$pg_backup_host - local access":
+ description => 'Allow local access with password',
+ type => 'local',
+ database => 'all',
+ user => 'all',
+ auth_method => 'md5',
+ order => "10-01",
+ target => "$pg_path/pg_hba.conf",
+ postgresql_version => "10",
+ }
+
+ postgresql::server::pg_hba_rule { "$pg_backup_host - local access with same name":
+ description => 'Allow local access with same name',
+ type => 'local',
+ database => 'all',
+ user => 'all',
+ auth_method => 'ident',
+ order => "10-02",
+ target => "$pg_path/pg_hba.conf",
+ postgresql_version => "10",
+ }
+
+ $primary_conninfo = "host=$pg_host port=$pg_port user=$ldap_cn password=$ldap_password sslmode=require"
+ $primary_slot_name = regsubst($ldap_cn, '-', "_", "G")
+ $standby_mode = "on"
+
+ concat { "$pg_path/recovery.conf":
+ owner => $pg_user,
+ group => $pg_group,
+ mode => '0640',
+ warn => true,
+ }
+ concat::fragment { "$pg_path/recovery.conf":
+ target => "$pg_path/recovery.conf",
+ content => template('postgresql/recovery.conf.erb'),
+ }
+
+ file { 
"$pg_path/postgresql.conf": + owner => $pg_user, + group => $pg_group, + mode => '0640', + content => template("role/backup/postgresql.conf.erb"), + } + + service { "postgresql_backup@$pg_backup_host": + enable => true, + ensure => "running", + require => [ + File["/etc/systemd/system/postgresql_backup@.service"], + Concat["$pg_path/pg_hba.conf"], + Concat["$pg_path/recovery.conf"], + File["$pg_path/postgresql.conf"], + ] + } + } + + file { "/etc/systemd/system/postgresql_backup@.service": + mode => "0644", + owner => "root", + group => "root", + content => template("role/backup/postgresql_backup@.service.erb"), + } +} diff --git a/modules/role/manifests/cryptoportfolio/postgresql_backup.pp b/modules/role/manifests/cryptoportfolio/postgresql_backup.pp deleted file mode 100644 index 5d937bd..0000000 --- a/modules/role/manifests/cryptoportfolio/postgresql_backup.pp +++ /dev/null 
@@ -1,163 +0,0 @@
-class role::cryptoportfolio::postgresql_backup inherits role::backup {
- # This manifest is supposed to be part of the backup server
-
- $password_seed = lookup("base_installation::puppet_pass_seed")
-
- $user = lookup("role::backup::user")
- $group = lookup("role::backup::group")
- $pg_user = "postgres"
- $pg_group = "postgres"
-
- $ldap_cn = lookup("base_installation::ldap_cn")
- $ldap_password = generate_password(24, $password_seed, "ldap")
- $pg_slot = regsubst($ldap_cn, '-', "_", "G")
-
- ensure_packages(["postgresql"])
-
- $pg_backup_hosts = ["cryptoportfolio-dev.immae.eu", "cryptoportfolio.immae.eu"]
-
- $pg_backup_hosts.each |$pg_backup_host| {
- $pg_path = "$mountpoint/$pg_backup_host/postgresql"
- $pg_host = "$pg_backup_host"
- $pg_port = "5432"
-
- file { "$mountpoint/$pg_backup_host":
- ensure => directory,
- owner => $user,
- group => $group,
- }
-
- file { $pg_path:
- ensure => directory,
- owner => $pg_user,
- group => $pg_group,
- mode => "0700",
- require => File["$mountpoint/$pg_backup_host"],
- }
-
- exec { "pg_basebackup $pg_path":
- cwd => $pg_path,
- user => $pg_user,
- creates => "$pg_path/PG_VERSION",
- environment => ["PGPASSWORD=$ldap_password"],
- command => "/usr/bin/pg_basebackup -w -h $pg_host -U $ldap_cn -D $pg_path -S $pg_slot",
- before => [
- Concat["$pg_path/pg_hba.conf"],
- Concat["$pg_path/recovery.conf"],
- File["$pg_path/postgresql.conf"],
- ]
- }
-
- concat { "$pg_path/pg_hba.conf":
- owner => $pg_user,
- group => $pg_group,
- mode => '0640',
- warn => true,
- }
- postgresql::server::pg_hba_rule { "$pg_backup_host - local access as postgres user":
- description => 'Allow local access to postgres user',
- type => 'local',
- database => 'all',
- user => $pg_user,
- auth_method => 'ident',
- order => "00-01",
- target => "$pg_path/pg_hba.conf",
- postgresql_version => "10",
- }
- postgresql::server::pg_hba_rule { "$pg_backup_host - localhost access as postgres user":
- description => 'Allow localhost access to 
postgres user',
- type => 'host',
- database => 'all',
- user => $pg_user,
- address => "127.0.0.1/32",
- auth_method => 'md5',
- order => "00-02",
- target => "$pg_path/pg_hba.conf",
- postgresql_version => "10",
- }
- postgresql::server::pg_hba_rule { "$pg_backup_host - localhost ip6 access as postgres user":
- description => 'Allow localhost access to postgres user',
- type => 'host',
- database => 'all',
- user => $pg_user,
- address => "::1/128",
- auth_method => 'md5',
- order => "00-03",
- target => "$pg_path/pg_hba.conf",
- postgresql_version => "10",
- }
- postgresql::server::pg_hba_rule { "$pg_backup_host - deny access to postgresql user":
- description => 'Deny remote access to postgres user',
- type => 'host',
- database => 'all',
- user => $pg_user,
- address => "0.0.0.0/0",
- auth_method => 'reject',
- order => "00-04",
- target => "$pg_path/pg_hba.conf",
- postgresql_version => "10",
- }
-
- postgresql::server::pg_hba_rule { "$pg_backup_host - local access":
- description => 'Allow local access with password',
- type => 'local',
- database => 'all',
- user => 'all',
- auth_method => 'md5',
- order => "10-01",
- target => "$pg_path/pg_hba.conf",
- postgresql_version => "10",
- }
-
- postgresql::server::pg_hba_rule { "$pg_backup_host - local access with same name":
- description => 'Allow local access with same name',
- type => 'local',
- database => 'all',
- user => 'all',
- auth_method => 'ident',
- order => "10-02",
- target => "$pg_path/pg_hba.conf",
- postgresql_version => "10",
- }
-
- $primary_conninfo = "host=$pg_host port=$pg_port user=$ldap_cn password=$ldap_password sslmode=require"
- $primary_slot_name = regsubst($ldap_cn, '-', "_", "G")
- $standby_mode = "on"
-
- concat { "$pg_path/recovery.conf":
- owner => $pg_user,
- group => $pg_group,
- mode => '0640',
- warn => true,
- }
- concat::fragment { "$pg_path/recovery.conf":
- target => "$pg_path/recovery.conf",
- content => template('postgresql/recovery.conf.erb'),
- }
-
- file { 
"$pg_path/postgresql.conf": - owner => $pg_user, - group => $pg_group, - mode => '0640', - content => template("role/cryptoportfolio/postgresql_backup.conf.erb"), - } - - service { "postgresql_backup@$pg_backup_host": - enable => true, - ensure => "running", - require => [ - File["/etc/systemd/system/postgresql_backup@.service"], - Concat["$pg_path/pg_hba.conf"], - Concat["$pg_path/recovery.conf"], - File["$pg_path/postgresql.conf"], - ] - } - } - - file { "/etc/systemd/system/postgresql_backup@.service": - mode => "0644", - owner => "root", - group => "root", - content => template("role/cryptoportfolio/postgresql_backup@.service.erb"), - } -} diff --git a/modules/role/templates/backup/postgresql.conf.erb b/modules/role/templates/backup/postgresql.conf.erb new file mode 100644 index 0000000..860089b --- /dev/null +++ b/modules/role/templates/backup/postgresql.conf.erb @@ -0,0 +1,5 @@ +listen_addresses= '' +unix_socket_directories = '<%= @pg_path %>' +data_directory = '<%= @pg_path %>' +wal_level = logical + diff --git a/modules/role/templates/backup/postgresql_backup@.service.erb b/modules/role/templates/backup/postgresql_backup@.service.erb new file mode 100644 index 0000000..245a1cb --- /dev/null +++ b/modules/role/templates/backup/postgresql_backup@.service.erb 
@@ -0,0 +1,34 @@
+[Unit]
+Description=PostgreSQL database server
+After=network.target
+
+[Service]
+Type=forking
+TimeoutSec=120
+User=postgres
+Group=postgres
+
+Environment=PGROOT=<%= @mountpoint %>/%i/postgresql
+
+SyslogIdentifier=postgres
+PIDFile=<%= @mountpoint %>/%i/postgresql/postmaster.pid
+RuntimeDirectory=postgresql
+RuntimeDirectoryMode=755
+
+ExecStartPre=/usr/bin/postgresql-check-db-dir ${PGROOT}
+ExecStart= /usr/bin/pg_ctl -s -D ${PGROOT} start -w -t 120
+ExecReload=/usr/bin/pg_ctl -s -D ${PGROOT} reload
+ExecStop= /usr/bin/pg_ctl -s -D ${PGROOT} stop -m fast
+
+# Due to PostgreSQL's use of shared memory, OOM killer is often overzealous in
+# killing Postgres, so adjust it downward
+OOMScoreAdjust=-200
+
+# Additional security-related features
+PrivateTmp=true
+ProtectHome=true
+ProtectSystem=full
+NoNewPrivileges=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/modules/role/templates/cryptoportfolio/postgresql_backup.conf.erb b/modules/role/templates/cryptoportfolio/postgresql_backup.conf.erb
deleted file mode 100644
index 860089b..0000000
--- a/modules/role/templates/cryptoportfolio/postgresql_backup.conf.erb
+++ /dev/null
@@ -1,5 +0,0 @@
-listen_addresses= ''
-unix_socket_directories = '<%= @pg_path %>'
-data_directory = '<%= @pg_path %>'
-wal_level = logical
-
diff --git a/modules/role/templates/cryptoportfolio/postgresql_backup@.service.erb b/modules/role/templates/cryptoportfolio/postgresql_backup@.service.erb
deleted file mode 100644
index 245a1cb..0000000
--- a/modules/role/templates/cryptoportfolio/postgresql_backup@.service.erb
+++ /dev/null
@@ -1,34 +0,0 @@
-[Unit]
-Description=PostgreSQL database server
-After=network.target
-
-[Service]
-Type=forking
-TimeoutSec=120
-User=postgres
-Group=postgres
-
-Environment=PGROOT=<%= @mountpoint %>/%i/postgresql
-
-SyslogIdentifier=postgres
-PIDFile=<%= @mountpoint %>/%i/postgresql/postmaster.pid
-RuntimeDirectory=postgresql
-RuntimeDirectoryMode=755
-
-ExecStartPre=/usr/bin/postgresql-check-db-dir ${PGROOT}
-ExecStart= /usr/bin/pg_ctl -s -D ${PGROOT} start -w -t 120
-ExecReload=/usr/bin/pg_ctl -s -D ${PGROOT} reload
-ExecStop= /usr/bin/pg_ctl -s -D ${PGROOT} stop -m fast
-
-# Due to PostgreSQL's use of shared memory, OOM killer is often overzealous in
-# killing Postgres, so adjust it downward
-OOMScoreAdjust=-200
-
-# Additional security-related features
-PrivateTmp=true
-ProtectHome=true
-ProtectSystem=full
-NoNewPrivileges=true
-
-[Install]
-WantedBy=multi-user.target
-- 
cgit v1.2.3