From 3925777d9715d271c0643faef9f520e7816dba89 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= <ismael.bouya@normalesup.org>
Date: Thu, 28 Jun 2018 10:32:57 +0200
Subject: Refactor cryptoportfolio postgresql

---
 .../role/manifests/cryptoportfolio/postgresql.pp   | 194 +++------------------
 1 file changed, 20 insertions(+), 174 deletions(-)

(limited to 'modules/role/manifests')

diff --git a/modules/role/manifests/cryptoportfolio/postgresql.pp b/modules/role/manifests/cryptoportfolio/postgresql.pp
index 776b30f..addad67 100644
--- a/modules/role/manifests/cryptoportfolio/postgresql.pp
+++ b/modules/role/manifests/cryptoportfolio/postgresql.pp
@@ -2,194 +2,40 @@ class role::cryptoportfolio::postgresql inherits role::cryptoportfolio {
   $password_seed = lookup("base_installation::puppet_pass_seed")
 
   $pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio")
-  $pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication")
 
-  file { "/var/lib/postgres/data/certs":
-    ensure  => directory,
-    mode    => "0700",
-    owner   => $::profile::postgresql::pg_user,
-    group   => $::profile::postgresql::pg_user,
-    require => File["/var/lib/postgres"],
-  }
-
-  file { "/var/lib/postgres/data/certs/cert.pem":
-    source  => "file:///etc/letsencrypt/live/$web_host/cert.pem",
-    mode    => "0600",
-    links   => "follow",
-    owner   => $::profile::postgresql::pg_user,
-    group   => $::profile::postgresql::pg_user,
-    require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
-  }
-
-  file { "/var/lib/postgres/data/certs/privkey.pem":
-    source  => "file:///etc/letsencrypt/live/$web_host/privkey.pem",
-    mode    => "0600",
-    links   => "follow",
-    owner   => $::profile::postgresql::pg_user,
-    group   => $::profile::postgresql::pg_user,
-    require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
-  }
-
-  postgresql_replication_slot { $pg_user_replication:
-    ensure => present
-  }
-
-  postgresql::server::config_entry { "wal_level":
-    value   => "logical",
-  }
-
-  postgresql::server::config_entry { "ssl":
-    value   => "on",
-    require => Letsencrypt::Certonly[$web_host],
-  }
-
-  postgresql::server::config_entry { "ssl_cert_file":
-    value   => "/var/lib/postgres/data/certs/cert.pem",
-    require => Letsencrypt::Certonly[$web_host],
-  }
-
-  postgresql::server::config_entry { "ssl_key_file":
-    value   => "/var/lib/postgres/data/certs/privkey.pem",
-    require => Letsencrypt::Certonly[$web_host],
+  profile::postgresql::master { "postgresql master for cryptoportfolio":
+    letsencrypt_host => $web_host,
+    backup_hosts     => ["backup-1"],
   }
 
   postgresql::server::db { $pg_db:
     user     =>  $pg_user,
     password =>  postgresql_password($pg_user, $pg_password),
   }
-  ->
-  postgresql_psql { "CREATE PUBLICATION ${pg_db}_publication FOR ALL TABLES":
-    db     => $pg_db,
-    unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${pg_db}_publication'",
-  }
-  ->
-  postgresql::server::role { $pg_user_replication:
-    db            => $pg_db,
-    replication   => true,
-    password_hash => postgresql_password($pg_user_replication, $pg_replication_password),
-  }
-  ->
-  postgresql::server::database_grant { $pg_user_replication:
-    db        => $pg_db,
-    privilege => "CONNECT",
-    role      => $pg_user_replication,
-  }
-  ->
-  postgresql::server::grant { "all tables in schema:public:$pg_user_replication":
-    db          => $pg_db,
-    role        => $pg_user_replication,
-    privilege   => "SELECT",
-    object_type => "ALL TABLES IN SCHEMA",
-    object_name => "public",
-  }
-  ->
-  postgresql::server::grant { "all sequences in schema:public:$pg_user_replication":
-    db          => $pg_db,
-    role        => $pg_user_replication,
-    privilege   => "SELECT",
-    object_type => "ALL SEQUENCES IN SCHEMA",
-    object_name => "public",
-  }
 
   postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user':
-    type        => 'host',
+    type        => 'local',
     database    => $pg_db,
     user        => $pg_user,
-    address     => '127.0.0.1/32',
-    auth_method => 'md5',
+    auth_method => 'ident',
     order       => "05-01",
   }
-  postgresql::server::pg_hba_rule { 'allow localhost ip6 TCP access to cryptoportfolio user':
-    type        => 'host',
-    database    => $pg_db,
-    user        => $pg_user,
-    address     => '::1/128',
-    auth_method => 'md5',
-    order       => "05-01",
-  }
-
-  postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu for replication':
-    type        => 'hostssl',
-    database    => 'replication',
-    user        => $pg_user_replication,
-    address     => 'immae.eu',
-    auth_method => 'md5',
-    order       => "05-01",
-  }
-
-  postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu':
-    type        => 'hostssl',
-    database    => $pg_db,
-    user        => $pg_user_replication,
-    address     => 'immae.eu',
-    auth_method => 'md5',
-    order       => "05-02",
-  }
-
-  $backup_host = "backup-1"
 
-  unless empty($backup_host) {
-    ensure_packages(["pam_ldap"])
-
-    $facts["ldapvar"]["other"].each |$host| {
-      if ($host["cn"][0] == $backup_host) {
-        $host["ipHostNumber"].each |$ip| {
-          $infos = split($ip, "/")
-          $ipaddress = $infos[0]
-          if (length($infos) == 1 and $ipaddress =~ /:/) {
-            $mask = "128"
-          } elsif (length($infos) == 1) {
-            $mask = "32"
-          } else {
-            $mask = $infos[1]
-          }
-
-          postgresql::server::pg_hba_rule { "allow TCP access to replication user from backup for replication from $ipaddress/$mask":
-            type        => 'hostssl',
-            database    => 'replication',
-            user        => 'all',
-            address     => "$ipaddress/$mask",
-            auth_method => 'pam',
-            order       => "06-01",
-          }
-        }
-
-        postgresql::server::role { $backup_host:
-          replication => true,
-        }
-
-        postgresql_replication_slot { regsubst($backup_host, '-', "_", "G"):
-          ensure => present
-        }
-      }
-    }
-
-    $ldap_server = lookup("base_installation::ldap_server")
-    $ldap_base   = lookup("base_installation::ldap_base")
-    $ldap_dn     = lookup("base_installation::ldap_dn")
-    $ldap_password = generate_password(24, $password_seed, "ldap")
-    $ldap_attribute = "cn"
-
-    file { "/etc/pam_ldap.d":
-      ensure => directory,
-      mode   => "0755",
-      owner  => "root",
-      group  => "root",
-    } ->
-    file { "/etc/pam_ldap.d/postgresql.conf":
-      ensure  => "present",
-      mode    => "0600",
-      owner   => $::profile::postgresql::pg_user,
-      group   => "root",
-      content => template("role/cryptoportfolio/pam_ldap_postgresql.conf.erb"),
-    } ->
-    file { "/etc/pam.d/postgresql":
-      ensure => "present",
-      mode   => "0644",
-      owner  => "root",
-      group  => "root",
-      source => "puppet:///modules/role/cryptoportfolio/pam_postgresql"
-    }
+  # cleanup
+  postgresql_psql { "DROP PUBLICATION ${pg_db}_publication":
+    db     => $pg_db,
+    onlyif => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${pg_db}_publication'",
+  } ->
+  postgresql_replication_slot { $pg_user_replication:
+    ensure => absent
+  } ->
+  postgresql_psql { "DROP OWNED BY $pg_user_replication":
+    db     => $pg_db,
+    onlyif => "SELECT 1 FROM pg_user WHERE usename='$pg_user_replication'"
+  } ->
+  postgresql::server::role { $pg_user_replication:
+    ensure        => absent,
   }
+  # /cleanup
 
 }
-- 
cgit v1.2.3