From 57ae81eaeb85a2892f1afe07ea5be1917f64d065 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?=
Date: Sat, 17 Feb 2018 19:31:35 +0100
Subject: Add postgresql module and cryptoportfolio role

---
 .gitmodules | 3 +
 .../production/data/roles/cryptoportfolio.yaml | 3 +
 modules/postgresql | 1 +
 modules/profile/manifests/postgresql.pp | 65 ++++++++++++++++++++++
 modules/role/manifests/cryptoportfolio.pp | 14 +++++
 5 files changed, 86 insertions(+)
 create mode 100644 environments/production/data/roles/cryptoportfolio.yaml
 create mode 160000 modules/postgresql
 create mode 100644 modules/profile/manifests/postgresql.pp
 create mode 100644 modules/role/manifests/cryptoportfolio.pp

diff --git a/.gitmodules b/.gitmodules
index fa48ebf..e380041 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -28,6 +28,9 @@
 [submodule "modules/pacman"]
 	path = modules/pacman
 	url = git://git.immae.eu/github/aboe76/puppet-pacman
+[submodule "modules/postgresql"]
+	path = modules/postgresql
+	url = git://git.immae.eu/github/puppetlabs/puppetlabs-postgresql.git
 [submodule "python/ovh"]
 	path = python/ovh
 	url = git://git.immae.eu/github/ovh/python-ovh
diff --git a/environments/production/data/roles/cryptoportfolio.yaml b/environments/production/data/roles/cryptoportfolio.yaml
new file mode 100644
index 0000000..da46382
--- /dev/null
+++ b/environments/production/data/roles/cryptoportfolio.yaml
@@ -0,0 +1,3 @@
+---
+classes:
+  role::cryptoportfolio: ~
diff --git a/modules/postgresql b/modules/postgresql
new file mode 160000
index 0000000..52ea030
--- /dev/null
+++ b/modules/postgresql
@@ -0,0 +1 @@
+Subproject commit 52ea030ad94397ba0d066c36c3028a255341f9fd
diff --git a/modules/profile/manifests/postgresql.pp b/modules/profile/manifests/postgresql.pp
new file mode 100644
index 0000000..50e510e
--- /dev/null
+++ b/modules/profile/manifests/postgresql.pp
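Review bot: The new submodule url uses `git://`, a transport with no server authentication, so what `git submodule update --init` receives depends on the network path between the host and git.immae.eu. The gitlink pins commit 52ea030ad94397ba0d066c36c3028a255341f9fd, which limits the exposure to a failed or unavailable fetch rather than substituted content, but switching the url to `https://` would remove the dependency on the path altogether. The existing entries in this file use the same scheme, so this is an inherited convention rather than a regression introduced here.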
@@ -0,0 +1,65 @@
+class profile::postgresql {
+  $password_seed = lookup("base_installation::puppet_pass_seed") |$key| { {} }
+
+  class { '::postgresql::globals':
+    encoding => 'UTF-8',
+    locale => 'en_US.UTF-8',
+    pg_hba_conf_defaults => false,
+  }
+
+  # FIXME: get it from the postgresql module?
+  $pg_user = "postgres"
+
+  class { '::postgresql::client': }
+
+  # FIXME: postgresql module is buggy and doesn't create dir?
+  file { "/var/lib/postgres":
+    ensure => directory,
+    owner => $pg_user,
+    group => $pg_user,
+    before => File["/var/lib/postgres/data"],
+    require => Package["postgresql-server"],
+  }
+
+  class { '::postgresql::server':
+    postgres_password => generate_password(24, $password_seed, "postgres")
+  }
+
+  postgresql::server::pg_hba_rule { 'local access as postgres user':
+    description => 'Allow local access to postgres user',
+    type => 'local',
+    database => 'all',
+    user => $pg_user,
+    auth_method => 'ident',
+    order => "a1",
+  }
+  postgresql::server::pg_hba_rule { 'deny access to postgresql user':
+    description => 'Deny remote access to postgres user',
+    type => 'host',
+    database => 'all',
+    user => $pg_user,
+    address => "0.0.0.0/0",
+    auth_method => 'reject',
+    order => "a2",
+  }
+
+  postgresql::server::pg_hba_rule { 'local access':
+    description => 'Allow local access with password',
+    type => 'local',
+    database => 'all',
+    user => 'all',
+    auth_method => 'md5',
+    order => "b1",
+  }
+
+  postgresql::server::pg_hba_rule { 'local access with same name':
+    description => 'Allow local access with same name',
+    type => 'local',
+    database => 'all',
+    user => 'all',
+    auth_method => 'ident',
+    order => "b2",
+  }
+
+}
+
diff --git a/modules/role/manifests/cryptoportfolio.pp b/modules/role/manifests/cryptoportfolio.pp
new file mode 100644
index 0000000..2755fee
--- /dev/null
+++ b/modules/role/manifests/cryptoportfolio.pp
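Review bot: The rule `'local access with same name'` (order "b2", ident) can never take effect: pg_hba.conf uses the first record whose type, database and user match and does not fall through when authentication fails, and `'local access'` (order "b1") already matches every local connection for all/all with md5. Either drop b2 or give it an order before b1 if same-name (peer) login is meant to take precedence over password login for local users. Separately, `lookup("base_installation::puppet_pass_seed") |$key| { {} }` substitutes an empty hash when the seed is absent and that value flows straight into `generate_password(24, $password_seed, "postgres")`; what that produces depends on the function, but a missing secret seed should stop the run rather than feed a placeholder, so dropping the default block, `$password_seed = lookup('base_installation::puppet_pass_seed')`, is safer. The same default appears in modules/role/manifests/cryptoportfolio.pp.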
@@ -0,0 +1,14 @@
+class role::cryptoportfolio {
+  include "base_installation"
+
+  include "profile::postgresql"
+
+  $password_seed = lookup("base_installation::puppet_pass_seed") |$key| { {} }
+
+  postgresql::server::db { 'cryptoportfolio':
+    user => 'cryptoportfolio',
+    password => postgresql_password('cryptoportfolio', generate_password(24, $password_seed, "postgres_cryptoportfolio")),
+  }
+
+  ensure_packages("go")
+}
-- 
cgit v1.2.3

From 7c43beaa3f3a6eab784f6cbca79955c9f6a7fff9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?=
Date: Sat, 17 Feb 2018 22:04:56 +0100
Subject: Change post-merge script

---
 modules/base_installation/files/cronie/puppet-post-merge | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/base_installation/files/cronie/puppet-post-merge b/modules/base_installation/files/cronie/puppet-post-merge
index ac5e3ff..35fa2d7 100644
--- a/modules/base_installation/files/cronie/puppet-post-merge
+++ b/modules/base_installation/files/cronie/puppet-post-merge
@@ -1,7 +1,7 @@
 #!/bin/bash
 ## Run Puppet locally using puppet apply
 git submodule update --init
-/usr/bin/puppet apply `pwd`/manifests/site.pp
+/usr/bin/puppet apply --test `pwd`/manifests/site.pp
 
 ## Log status of the Puppet run
 if [ $? -eq 0 ]
-- 
cgit v1.2.3

From 47d7d947ebc0da8bde02515a94d8205df47c944a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?=
Date: Sun, 18 Feb 2018 00:15:28 +0100
Subject: Add generate_password equivalent script

---
 bin/generate_password | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100755 bin/generate_password

diff --git a/bin/generate_password b/bin/generate_password
new file mode 100755
index 0000000..9a2abb1
--- /dev/null
+++ b/bin/generate_password
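Review bot: The quoting in this class is inconsistent with the resource it declares: `include "base_installation"`, `include "profile::postgresql"` and `"postgres_cryptoportfolio"` are double-quoted although nothing is interpolated, while `'cryptoportfolio'` in the same `postgresql::server::db` block is single-quoted. The usual Puppet convention is single quotes for literal strings and a bare class name for include, `include base_installation` and `include profile::postgresql`, which also makes a later interpolation mistake stand out. `ensure_packages("go")` has no relation to the database setup and would read better with a one-line comment saying which part of the role needs it.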
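Review bot: `--test` enables detailed exit codes for `puppet apply`, so a successful run that applied changes exits 2 and the `if [ $? -eq 0 ]` check immediately below now reports it as a failure; only a run with nothing to change still exits 0. Capture the status and accept both: `rc=$?` on the line after the puppet call, then `if [ "$rc" -eq 0 ] || [ "$rc" -eq 2 ]`. The body of that `if` and the rest of the script are outside the hunk, so whatever it logs on the failure branch should be checked against the new exit code set as well (4 and 6 signal resource failures). The backtick `pwd` would be safer as `"$(pwd)"` so a checkout path containing spaces survives word splitting.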
@@ -0,0 +1,26 @@
+#!/bin/env ruby
+
+require "openssl"
+
+arguments = ARGV
+
+if arguments.size != 3
+  puts "generate_password "
+  exit
+end
+
+size = arguments.shift
+seed_file = arguments.shift
+password_key = arguments.shift
+
+size = size.to_i
+
+set = ('a' .. 'z').to_a + ('A' .. 'Z').to_a + ('0' .. '9').to_a
+
+key = "#{File.open(seed_file).read}:#{password_key}"
+
+password = size.times.collect do |i|
+  set[OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), key, i.to_s).to_i(16) % set.size]
+end.join
+
+puts password
-- 
cgit v1.2.3
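Review bot: `File.open(seed_file).read` leaves the file handle open until the process exits; `File.read(seed_file)` is the idiomatic one-liner and yields the same bytes, including any trailing newline in the seed file, so the HMAC key is unchanged — whether the Puppet `generate_password` function this script is meant to mirror reads the seed the same way cannot be told from this page and is worth a comparison test. The usage branch calls `exit` with status 0 and `size.to_i` silently maps a non-numeric argument to 0, so a mistyped invocation prints an empty password and still reports success to the caller; `abort` (non-zero status) for the usage message and `Integer(size)` for the conversion make both failures visible. The `#!/bin/env ruby` shebang relies on /bin/env existing, which holds on merged-/usr systems but not generally; `#!/usr/bin/env ruby` is the portable form.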