From 1c90c6913652e0ec7489ed22941e4e6a31d55912 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?=
Date: Tue, 15 May 2018 22:37:32 +0200
Subject: Add pgbouncer for backup
---
 modules/role/files/backup/pam_pgbouncer | 3 +
 modules/role/manifests/backup/postgresql.pp | 111 +++++++++++++++++++--
 .../role/manifests/cryptoportfolio/postgresql.pp | 4 +-
 .../templates/backup/pam_ldap_pgbouncer.conf.erb | 7 ++
 modules/role/templates/backup/pgbouncer.ini.erb | 15 +++
 5 files changed, 128 insertions(+), 12 deletions(-)
 create mode 100644 modules/role/files/backup/pam_pgbouncer
 create mode 100644 modules/role/templates/backup/pam_ldap_pgbouncer.conf.erb
 create mode 100644 modules/role/templates/backup/pgbouncer.ini.erb
(limited to 'modules/role')
diff --git a/modules/role/files/backup/pam_pgbouncer b/modules/role/files/backup/pam_pgbouncer
new file mode 100644
index 0000000..13f0d3d
--- /dev/null
+++ b/modules/role/files/backup/pam_pgbouncer
@@ -0,0 +1,3 @@
+auth required pam_ldap.so config=/etc/pam_ldap.d/pgbouncer.conf
+account required pam_ldap.so config=/etc/pam_ldap.d/pgbouncer.conf
+
diff --git a/modules/role/manifests/backup/postgresql.pp b/modules/role/manifests/backup/postgresql.pp
index 59e4669..51ce37e 100644
--- a/modules/role/manifests/backup/postgresql.pp
+++ b/modules/role/manifests/backup/postgresql.pp
@@ -10,16 +10,113 @@ class role::backup::postgresql inherits role::backup { $ldap_cn = lookup("base_installation::ldap_cn") $ldap_password = generate_password(24, $password_seed, "ldap") + $ldap_server = lookup("base_installation::ldap_server") + $ldap_base = lookup("base_installation::ldap_base") + $ldap_dn = lookup("base_installation::ldap_dn") + $ldap_attribute = "uid" + $pg_slot = regsubst($ldap_cn, '-', "_", "G") - ensure_packages(["postgresql"]) + ensure_packages(["postgresql", "pgbouncer", "pam_ldap"]) + + $pg_backup_hosts = lookup("role::backup::postgresql::backup_hosts", { "default_value" => {} }) + $ldap_filter = lookup("role::backup::postgresql::pgbouncer_access_filter", { "default_value" => undef }) + + unless empty($pg_backup_hosts) { + file { "/etc/systemd/system/postgresql_backup@.service": + mode => "0644", + owner => "root", + group => "root", + content => template("role/backup/postgresql_backup@.service.erb"), + } - $pg_backup_hosts = lookup("role::backup::postgresql::backup_hosts", { "default_value" => [] }) + unless empty($ldap_filter) { + concat { "/etc/pgbouncer/pgbouncer.ini": + mode => "0644", + owner => "root", + group => "root", + ensure_newline => true, + notify => Service["pgbouncer"], + } + + concat::fragment { "pgbouncer_head": + target => "/etc/pgbouncer/pgbouncer.ini", + order => "01", + content => template("role/backup/pgbouncer.ini.erb"), + } + + file { "/etc/systemd/system/pgbouncer.service.d": + ensure => "directory", + mode => "0644", + owner => "root", + group => "root", + } + + file { "/etc/systemd/system/pgbouncer.service.d/override.conf": + ensure => "present", + mode => "0644", + owner => "root", + group => "root", + content => "[Service]\nUser=\nUser=$pg_user\n", + notify => Service["pgbouncer"], + } + + service { "pgbouncer": + ensure => "running", + enable => true, + require => [ + Package["pgbouncer"], + File["/etc/systemd/system/pgbouncer.service.d/override.conf"], + Concat["/etc/pgbouncer/pgbouncer.ini"] + ], + } + + 
file { "/etc/pam_ldap.d": + ensure => directory, + mode => "0755", + owner => "root", + group => "root", + } -> + file { "/etc/pam_ldap.d/pgbouncer.conf": + ensure => "present", + mode => "0600", + owner => $pg_user, + group => "root", + content => template("role/backup/pam_ldap_pgbouncer.conf.erb"), + } -> + file { "/etc/pam.d/pgbouncer": + ensure => "present", + mode => "0644", + owner => "root", + group => "root", + source => "puppet:///modules/role/backup/pam_pgbouncer" + } + } + } - $pg_backup_hosts.each |$pg_backup_host| { + $pg_backup_hosts.each |$pg_backup_host, $pg_infos| { $pg_path = "$mountpoint/$pg_backup_host/postgresql" $pg_host = "$pg_backup_host" - $pg_port = "5432" + $pg_port = $pg_infos["dbport"] + + if !empty($ldap_filter) and ($pg_infos["pgbouncer"]) { + concat::fragment { "pgbouncer_$pg_backup_host": + target => "/etc/pgbouncer/pgbouncer.ini", + order => 02, + content => "${pg_infos[pgbouncer_dbname]} = host=$mountpoint/$pg_backup_host/postgresql user=${pg_infos[dbuser]} dbname=${pg_infos[dbname]}", + } + + postgresql::server::pg_hba_rule { "$pg_backup_host - local access as ${pg_infos[dbuser]} user": + description => "Allow local access to ${pg_infos[dbuser]} user", + type => 'local', + database => $pg_infos["dbname"], + user => $pg_infos["dbuser"], + auth_method => 'trust', + order => "01-00", + target => "$pg_path/pg_hba.conf", + postgresql_version => "10", + } + } file { "$mountpoint/$pg_backup_host": ensure => directory, @@ -154,10 +251,4 @@ class role::backup::postgresql inherits role::backup { } } - file { "/etc/systemd/system/postgresql_backup@.service": - mode => "0644", - owner => "root", - group => "root", - content => template("role/backup/postgresql_backup@.service.erb"), - } } diff --git a/modules/role/manifests/cryptoportfolio/postgresql.pp b/modules/role/manifests/cryptoportfolio/postgresql.pp index d951874..776b30f 100644 --- a/modules/role/manifests/cryptoportfolio/postgresql.pp 
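Review bot: The `postgresql::server::pg_hba_rule` added for every pgbouncer-enabled host uses `auth_method => 'trust'` on a `type => 'local'` rule, so any OS account that can reach the socket under `$mountpoint/$pg_backup_host/postgresql` can open a session as `${pg_infos[dbuser]}` on `${pg_infos[dbname]}` with no password at all — not only the pgbouncer process, which this same hunk pins to `$pg_user` through the systemd `User=` override. Because pgbouncer connects as a known OS user, `auth_method => 'peer'` with `auth_option => "map=pgbouncer"` plus a pg_ident entry mapping `$pg_user` to `${pg_infos[dbuser]}` keeps the passwordless local connection while limiting it to that one account; if the module's ident rule cannot be pointed at `$pg_path`, a server-side password in the `[databases]` connection string is the fallback. Two smaller points: `order => 02` is a numeric literal (Puppet reads a leading zero as octal) where the head fragment uses the string `"01"`, so it should be `order => "02"`; and `/etc/systemd/system/pgbouncer.service.d` is created with `mode => "0644"` while the sibling `/etc/pam_ldap.d` gets `"0755"` — Puppet does add the search bit for directories, but the two should agree. The enclosing class `role::backup::postgresql` and the `$pg_backup_hosts.each` body both continue outside this hunk.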
+++ b/modules/role/manifests/cryptoportfolio/postgresql.pp
@@ -178,8 +178,8 @@ class role::cryptoportfolio::postgresql inherits role::cryptoportfolio {
 } ->
 file { "/etc/pam_ldap.d/postgresql.conf":
 ensure => "present",
- mode => "0644",
- owner => "root",
+ mode => "0600",
+ owner => $::profile::postgresql::pg_user,
 group => "root",
 content => template("role/cryptoportfolio/pam_ldap_postgresql.conf.erb"),
 } ->
diff --git a/modules/role/templates/backup/pam_ldap_pgbouncer.conf.erb b/modules/role/templates/backup/pam_ldap_pgbouncer.conf.erb
new file mode 100644
index 0000000..12fa9bb
--- /dev/null
+++ b/modules/role/templates/backup/pam_ldap_pgbouncer.conf.erb
@@ -0,0 +1,7 @@
+host <%= @ldap_server %>
+
+base <%= @ldap_base %>
+binddn <%= @ldap_dn %>
+bindpw <%= @ldap_password %>
+pam_login_attribute <%= @ldap_attribute %>
+pam_filter <%= @ldap_filter %>
diff --git a/modules/role/templates/backup/pgbouncer.ini.erb b/modules/role/templates/backup/pgbouncer.ini.erb
new file mode 100644
index 0000000..3ba8728
--- /dev/null
+++ b/modules/role/templates/backup/pgbouncer.ini.erb
@@ -0,0 +1,15 @@
+[pgbouncer]
+
+listen_addr = 0.0.0.0
+listen_port = 5432
+
+unix_socket_dir = /run/postgresql
+unix_socket_mode = 0777
+
+auth_type = pam
+
+admin_users = postgres
+max_client_conn = 100
+default_pool_size = 20
+
+[databases]
-- cgit v1.2.3
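Review bot: The new `pam_ldap_pgbouncer.conf.erb` reaches the directory with a bare `host <%= @ldap_server %>` and no TLS directive, so unless `$ldap_server` is the local machine both the `bindpw` and every user password that pgbouncer forwards through PAM cross the network to the LDAP server in cleartext. pam_ldap supports `ssl start_tls` and `tls_checkpeer yes` (plus `tls_cacertfile` where the CA is not in the system store); adding those after the `host` line closes that gap, and the 0600/`$pg_user` ownership set in the manifest already protects the file at rest. `pam_filter` is also emitted verbatim from hiera and is the only authorization gate for who may use the pooler, so a template comment such as `# pam_filter comes unescaped from role::backup::postgresql::pgbouncer_access_filter and must be a complete LDAP filter` would save the next maintainer from treating it as a free-text value.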
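Review bot: `auth_type = pam` makes pgbouncer request a cleartext password from clients (PAM needs the plaintext to verify it against LDAP), and combined with `listen_addr = 0.0.0.0` and no `client_tls_*` settings in the new `pgbouncer.ini.erb`, those LDAP passwords reach the backup host unencrypted on every interface. Either add `client_tls_sslmode = require` together with `client_tls_key_file` and `client_tls_cert_file` pointing at a server certificate, or narrow `listen_addr` to the address the backup clients actually use (or drop TCP and keep only the unix socket). `unix_socket_mode = 0777` leaves the socket connectable by every local user, which is tolerable only because PAM still runs for them; `0770` with a dedicated group would be tighter. The socket `unix_socket_dir = /run/postgresql` with `listen_port = 5432` also lands on the path a local PostgreSQL server on the default port would use, so if the `postgresql` package installed by the manifest runs a server there the two will collide — worth confirming.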