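# Provision a local PostgreSQL server whose superuser password is derived from
# a site-wide seed, with a pg_hba.conf that admits the 'postgres' role only over
# the unix socket or loopback and explicitly rejects it from the network.
#
# pg_hba_conf_defaults is disabled on ::postgresql::globals, so the
# pg_hba_rule resources below (plus any other pg_hba_rule resources with a
# later 'order') form the complete access policy: the 'a*' rules cover the
# superuser, the 'b*' rules cover every other role.
class profile::postgresql {
  # Seed for deterministic password generation. The lambda value is what
  # lookup() returns when the hiera key is absent, i.e. an empty hash.
  # NOTE(review): confirm generate_password() fails loudly on an empty seed
  # rather than deriving a predictable password from it.
  $password_seed = lookup('base_installation::puppet_pass_seed') |$key| { {} }

  class { '::postgresql::globals':
    encoding             => 'UTF-8',
    locale               => 'en_US.UTF-8',
    # Only the pg_hba_rule resources declared in the catalog end up in
    # pg_hba.conf; the module's permissive defaults are not added.
    pg_hba_conf_defaults => false,
  }

  # FIXME: get it from the postgresql module?
  $pg_user = 'postgres'

  class { '::postgresql::client': }

  # FIXME: postgresql module is buggy and doesn't create dir?
  # Package['postgresql-server'] is a hard-coded reference to the
  # distribution's package name; it must be declared elsewhere in the catalog.
  file { '/var/lib/postgres':
    ensure  => directory,
    owner   => $pg_user,
    group   => $pg_user,
    before  => File['/var/lib/postgres/data'],
    require => Package['postgresql-server'],
  }

  class { '::postgresql::server':
    postgres_password => generate_password(24, $password_seed, 'postgres'),
  }

  # --- superuser: unix socket and loopback only -----------------------------
  # For 'local' (unix socket) connections PostgreSQL applies 'ident' as peer
  # authentication, so the connecting OS user must be $pg_user.
  postgresql::server::pg_hba_rule { 'local access as postgres user':
    description => 'Allow local access to postgres user',
    type        => 'local',
    database    => 'all',
    user        => $pg_user,
    auth_method => 'ident',
    order       => 'a1',
  }

  # NOTE(review): 'scram-sha-256' is the stronger password method on
  # PostgreSQL 10+; md5 is kept here because switching it also requires the
  # server's password_encryption setting and stored hashes to match.
  postgresql::server::pg_hba_rule { 'localhost access as postgres user':
    description => 'Allow localhost access to postgres user',
    type        => 'host',
    database    => 'all',
    user        => $pg_user,
    address     => '127.0.0.1/32',
    auth_method => 'md5',
    order       => 'a2',
  }

  postgresql::server::pg_hba_rule { 'localhost ip6 access as postgres user':
    description => 'Allow localhost access to postgres user',
    type        => 'host',
    database    => 'all',
    user        => $pg_user,
    address     => '::1/128',
    auth_method => 'md5',
    order       => 'a3',
  }

  # Explicit rejects for both address families, so that a broader 'host'
  # rule added later (order 'c*' or beyond) can never admit the superuser
  # from the network. Previously only 0.0.0.0/0 was rejected, which left
  # remote IPv6 connections to fall through to whatever rule came next.
  postgresql::server::pg_hba_rule { 'deny access to postgresql user':
    description => 'Deny remote access to postgres user',
    type        => 'host',
    database    => 'all',
    user        => $pg_user,
    address     => '0.0.0.0/0',
    auth_method => 'reject',
    order       => 'a4',
  }

  postgresql::server::pg_hba_rule { 'deny ip6 access to postgresql user':
    description => 'Deny remote IPv6 access to postgres user',
    type        => 'host',
    database    => 'all',
    user        => $pg_user,
    address     => '::/0',
    auth_method => 'reject',
    order       => 'a5',
  }

  # --- every other role: unix socket only -----------------------------------
  # Password first, then peer fallback for OS users whose name matches a role.
  postgresql::server::pg_hba_rule { 'local access':
    description => 'Allow local access with password',
    type        => 'local',
    database    => 'all',
    user        => 'all',
    auth_method => 'md5',
    order       => 'b1',
  }

  postgresql::server::pg_hba_rule { 'local access with same name':
    description => 'Allow local access with same name',
    type        => 'local',
    database    => 'all',
    user        => 'all',
    auth_method => 'ident',
    order       => 'b2',
  }
}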