From 808f822507d47cc6e47da41e206ff9b942b506df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?=
Date: Mon, 14 May 2018 01:12:04 +0200
Subject: Move postgresql replication to its right place
---
 modules/role/manifests/backup/postgresql.pp | 163 ++++++++++++++++++++++++++++
 1 file changed, 163 insertions(+)
 create mode 100644 modules/role/manifests/backup/postgresql.pp
(limited to 'modules/role/manifests/backup')
diff --git a/modules/role/manifests/backup/postgresql.pp b/modules/role/manifests/backup/postgresql.pp
new file mode 100644
index 0000000..59e4669
--- /dev/null
+++ b/modules/role/manifests/backup/postgresql.pp
@@ -0,0 +1,163 @@
+class role::backup::postgresql inherits role::backup {
+ # This manifest is supposed to be part of the backup server
+
+ $password_seed = lookup("base_installation::puppet_pass_seed")
+
+ $user = lookup("role::backup::user")
+ $group = lookup("role::backup::group")
+ $pg_user = "postgres"
+ $pg_group = "postgres"
+
+ $ldap_cn = lookup("base_installation::ldap_cn")
+ $ldap_password = generate_password(24, $password_seed, "ldap")
+ $pg_slot = regsubst($ldap_cn, '-', "_", "G")
+
+ ensure_packages(["postgresql"])
+
+ $pg_backup_hosts = lookup("role::backup::postgresql::backup_hosts", { "default_value" => [] })
+
+ $pg_backup_hosts.each |$pg_backup_host| {
+ $pg_path = "$mountpoint/$pg_backup_host/postgresql"
+ $pg_host = "$pg_backup_host"
+ $pg_port = "5432"
+
+ file { "$mountpoint/$pg_backup_host":
+ ensure => directory,
+ owner => $user,
+ group => $group,
+ }
+
+ file { $pg_path:
+ ensure => directory,
+ owner => $pg_user,
+ group => $pg_group,
+ mode => "0700",
+ require => File["$mountpoint/$pg_backup_host"],
+ }
+
+ exec { "pg_basebackup $pg_path":
+ cwd => $pg_path,
+ user => $pg_user,
+ creates => "$pg_path/PG_VERSION",
+ environment => ["PGPASSWORD=$ldap_password"],
+ command => "/usr/bin/pg_basebackup -w -h $pg_host -U $ldap_cn -D $pg_path -S $pg_slot",
+ before => [
+ Concat["$pg_path/pg_hba.conf"],
+ Concat["$pg_path/recovery.conf"],
+ File["$pg_path/postgresql.conf"],
+ ]
+ }
+
+ concat { "$pg_path/pg_hba.conf":
+ owner => $pg_user,
+ group => $pg_group,
+ mode => '0640',
+ warn => true,
+ }
+ postgresql::server::pg_hba_rule { "$pg_backup_host - local access as postgres user":
+ description => 'Allow local access to postgres user',
+ type => 'local',
+ database => 'all',
+ user => $pg_user,
+ auth_method => 'ident',
+ order => "00-01",
+ target => "$pg_path/pg_hba.conf",
+ postgresql_version => "10",
+ }
+ postgresql::server::pg_hba_rule { "$pg_backup_host - localhost access as postgres user":
+ description => 'Allow localhost access to postgres user',
+ type => 'host',
+ database => 'all',
+ user => $pg_user,
+ address => "127.0.0.1/32",
+ auth_method => 'md5',
+ order => "00-02",
+ target => "$pg_path/pg_hba.conf",
+ postgresql_version => "10",
+ }
+ postgresql::server::pg_hba_rule { "$pg_backup_host - localhost ip6 access as postgres user":
+ description => 'Allow localhost access to postgres user',
+ type => 'host',
+ database => 'all',
+ user => $pg_user,
+ address => "::1/128",
+ auth_method => 'md5',
+ order => "00-03",
+ target => "$pg_path/pg_hba.conf",
+ postgresql_version => "10",
+ }
+ postgresql::server::pg_hba_rule { "$pg_backup_host - deny access to postgresql user":
+ description => 'Deny remote access to postgres user',
+ type => 'host',
+ database => 'all',
+ user => $pg_user,
+ address => "0.0.0.0/0",
+ auth_method => 'reject',
+ order => "00-04",
+ target => "$pg_path/pg_hba.conf",
+ postgresql_version => "10",
+ }
+
+ postgresql::server::pg_hba_rule { "$pg_backup_host - local access":
+ description => 'Allow local access with password',
+ type => 'local',
+ database => 'all',
+ user => 'all',
+ auth_method => 'md5',
+ order => "10-01",
+ target => "$pg_path/pg_hba.conf",
+ postgresql_version => "10",
+ }
+
+ postgresql::server::pg_hba_rule { "$pg_backup_host - local access with same name":
+ description => 'Allow local access with same name',
+ type => 'local',
+ database => 'all',
+ user => 'all',
+ auth_method => 'ident',
+ order => "10-02",
+ target => "$pg_path/pg_hba.conf",
+ postgresql_version => "10",
+ }
+
+ $primary_conninfo = "host=$pg_host port=$pg_port user=$ldap_cn password=$ldap_password sslmode=require"
+ $primary_slot_name = regsubst($ldap_cn, '-', "_", "G")
+ $standby_mode = "on"
+
+ concat { "$pg_path/recovery.conf":
+ owner => $pg_user,
+ group => $pg_group,
+ mode => '0640',
+ warn => true,
+ }
+ concat::fragment { "$pg_path/recovery.conf":
+ target => "$pg_path/recovery.conf",
+ content => template('postgresql/recovery.conf.erb'),
+ }
+
+ file { "$pg_path/postgresql.conf":
+ owner => $pg_user,
+ group => $pg_group,
+ mode => '0640',
+ content => template("role/backup/postgresql.conf.erb"),
+ }
+
+ service { "postgresql_backup@$pg_backup_host":
+ enable => true,
+ ensure => "running",
+ require => [
+ File["/etc/systemd/system/postgresql_backup@.service"],
+ Concat["$pg_path/pg_hba.conf"],
+ Concat["$pg_path/recovery.conf"],
+ File["$pg_path/postgresql.conf"],
+ ]
+ }
+ }
+
+ file { "/etc/systemd/system/postgresql_backup@.service":
+ mode => "0644",
+ owner => "root",
+ group => "root",
+ content => template("role/backup/postgresql_backup@.service.erb"),
+ }
+}
-- cgit v1.2.3
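Review bot: The replication credential in this hunk travels over a connection that is encrypted but never authenticated: `$primary_conninfo` uses `sslmode=require`, which accepts any server certificate, and the `pg_basebackup` exec sets only `PGPASSWORD`, so the initial clone runs with libpq's default `sslmode=prefer` and will send `$ldap_password` (which doubles as the LDAP password, per `generate_password(24, $password_seed, "ldap")`) in cleartext if the primary does not enforce `hostssl`. Anything that can answer for `$pg_backup_host` on the network therefore obtains the password and the full base backup. Pin the server identity in both places, e.g. `environment => ["PGPASSWORD=$ldap_password", "PGSSLMODE=verify-full", "PGSSLROOTCERT=/path/to/ca.crt"],` on the exec and `... sslmode=verify-full sslrootcert=/path/to/ca.crt"` in `$primary_conninfo`, using whatever CA bundle the fleet already distributes (`verify-ca` is the floor if certificate names do not match the hostnames). Separately, `creates => "$pg_path/PG_VERSION"` likely prevents a retry after an interrupted `pg_basebackup`, since that file can land before the stream completes; chaining a marker such as `&& touch "$pg_path/.basebackup_done"` and pointing `creates` at it would be more robust, though confirm this against how failures actually manifest with this PostgreSQL version.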