From f568173a3d8a43ac30fa9294a75c260042b9e415 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Mon, 18 Jun 2018 14:09:05 +0200 Subject: Add postgresql_master profile --- modules/profile/manifests/postgresql_master.pp | 116 +++++++++++++++++++++++++ 1 file changed, 116 insertions(+) create mode 100644 modules/profile/manifests/postgresql_master.pp (limited to 'modules/profile/manifests/postgresql_master.pp') diff --git a/modules/profile/manifests/postgresql_master.pp b/modules/profile/manifests/postgresql_master.pp new file mode 100644 index 0000000..3f68890 --- /dev/null +++ b/modules/profile/manifests/postgresql_master.pp @@ -0,0 +1,116 @@ +define profile::postgresql_master ( + $letsencrypt_host = undef, + $backup_hosts = [], +) { + $password_seed = lookup("base_installation::puppet_pass_seed") + + ensure_resource("file", "/var/lib/postgres/data/certs", { + ensure => directory, + mode => "0700", + owner => $::profile::postgresql::pg_user, + group => $::profile::postgresql::pg_user, + require => File["/var/lib/postgres"], + }) + + ensure_resource("file", "/var/lib/postgres/data/certs/cert.pem", { + source => "file:///etc/letsencrypt/live/$letsencrypt_host/cert.pem", + mode => "0600", + links => "follow", + owner => $::profile::postgresql::pg_user, + group => $::profile::postgresql::pg_user, + require => [Letsencrypt::Certonly[$letsencrypt_host], File["/var/lib/postgres/data/certs"]] + }) + + ensure_resource("file", "/var/lib/postgres/data/certs/privkey.pem", { + source => "file:///etc/letsencrypt/live/$letsencrypt_host/privkey.pem", + mode => "0600", + links => "follow", + owner => $::profile::postgresql::pg_user, + group => $::profile::postgresql::pg_user, + require => [Letsencrypt::Certonly[$letsencrypt_host], File["/var/lib/postgres/data/certs"]] + }) + + ensure_resource("postgresql::server::config_entry", "wal_level", { + value => "logical", + }) + + ensure_resource("postgresql::server::config_entry", "ssl", { + value => "on", + require => Letsencrypt::Certonly[$letsencrypt_host], + }) + + ensure_resource("postgresql::server::config_entry", "ssl_cert_file", { + value => "/var/lib/postgres/data/certs/cert.pem", + require => Letsencrypt::Certonly[$letsencrypt_host], + }) + + ensure_resource("postgresql::server::config_entry", "ssl_key_file", { + value => "/var/lib/postgres/data/certs/privkey.pem", + require => Letsencrypt::Certonly[$letsencrypt_host], + }) + + $backup_hosts.each |$backup_host| { + ensure_packages(["pam_ldap"]) + + $facts["ldapvar"]["other"].each |$host| { + if ($host["cn"][0] == $backup_host) { + $host["ipHostNumber"].each |$ip| { + $infos = split($ip, "/") + $ipaddress = $infos[0] + if (length($infos) == 1 and $ipaddress =~ /:/) { + $mask = "128" + } elsif (length($infos) == 1) { + $mask = "32" + } else { + $mask = $infos[1] + } + + postgresql::server::pg_hba_rule { "allow TCP access to replication user from backup for replication from $ipaddress/$mask": + type => 'hostssl', + database => 'replication', + user => $backup_host, + address => "$ipaddress/$mask", + auth_method => 'pam', + order => "06-01", + } + } + + postgresql::server::role { $backup_host: + replication => true, + } + + postgresql_replication_slot { regsubst($backup_host, '-', "_", "G"): + ensure => present + } + } + } + + $ldap_server = lookup("base_installation::ldap_server") + $ldap_base = lookup("base_installation::ldap_base") + $ldap_dn = lookup("base_installation::ldap_dn") + $ldap_password = generate_password(24, $password_seed, "ldap") + $ldap_attribute = "cn" + + file { "/etc/pam_ldap.d": + ensure => directory, + mode => "0755", + owner => "root", + group => "root", + } -> + file { "/etc/pam_ldap.d/postgresql.conf": + ensure => "present", + mode => "0600", + owner => $::profile::postgresql::pg_user, + group => "root", + content => template("profile/postgresql_master/pam_ldap_postgresql.conf.erb"), + } -> + file { "/etc/pam.d/postgresql": + ensure => "present", + mode => "0644", + owner => "root", + group => "root", + source => "puppet:///modules/profile/postgresql_master/pam_postgresql" + } + } + +} -- cgit v1.2.3 From 9313fa2ea3c7b796b448f6249f13a588c6618889 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Tue, 26 Jun 2018 00:27:26 +0200 Subject: Add find_host function to help finding host --- modules/profile/manifests/postgresql_master.pp | 51 +++++++++++++------------- 1 file changed, 25 insertions(+), 26 deletions(-) (limited to 'modules/profile/manifests/postgresql_master.pp') diff --git a/modules/profile/manifests/postgresql_master.pp b/modules/profile/manifests/postgresql_master.pp index 3f68890..9966f0d 100644 --- a/modules/profile/manifests/postgresql_master.pp +++ b/modules/profile/manifests/postgresql_master.pp @@ -52,36 +52,35 @@ define profile::postgresql_master ( $backup_hosts.each |$backup_host| { ensure_packages(["pam_ldap"]) - $facts["ldapvar"]["other"].each |$host| { - if ($host["cn"][0] == $backup_host) { - $host["ipHostNumber"].each |$ip| { - $infos = split($ip, "/") - $ipaddress = $infos[0] - if (length($infos) == 1 and $ipaddress =~ /:/) { - $mask = "128" - } elsif (length($infos) == 1) { - $mask = "32" - } else { - $mask = $infos[1] - } - - postgresql::server::pg_hba_rule { "allow TCP access to replication user from backup for replication from $ipaddress/$mask": - type => 'hostssl', - database => 'replication', - user => $backup_host, - address => "$ipaddress/$mask", - auth_method => 'pam', - order => "06-01", - } + $host = find_host($facts["ldapvar"]["other"], $backup_host) + unless empty($host) { + $host["ipHostNumber"].each |$ip| { + $infos = split($ip, "/") + $ipaddress = $infos[0] + if (length($infos) == 1 and $ipaddress =~ /:/) { + $mask = "128" + } elsif (length($infos) == 1) { + $mask = "32" + } else { + $mask = $infos[1] } - postgresql::server::role { $backup_host: - replication => true, + postgresql::server::pg_hba_rule { "allow TCP access to replication user from backup for replication from $ipaddress/$mask": + type => 'hostssl', + database => 'replication', + user => $backup_host, + address => "$ipaddress/$mask", + auth_method => 'pam', + order => "06-01", } + } - postgresql_replication_slot { regsubst($backup_host, '-', "_", "G"): - ensure => present - } + postgresql::server::role { $backup_host: + replication => true, + } + + postgresql_replication_slot { regsubst($backup_host, '-', "_", "G"): + ensure => present } } -- cgit v1.2.3