modules/profile/manifests/postgresql.pp


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84

class profile::postgresql {
  $password_seed = lookup("base_installation::puppet_pass_seed")

  class { '::postgresql::globals':
    encoding             => 'UTF-8',
    locale               => 'en_US.UTF-8',
    pg_hba_conf_defaults => false,
  }

  # FIXME: get it from the postgresql module?
  $pg_user = "postgres"

  class { '::postgresql::client': }

  # FIXME: postgresql module is buggy and doesn't create dir?
  file { "/var/lib/postgres":
    ensure  => directory,
    owner   => $pg_user,
    group   => $pg_user,
    before  => File["/var/lib/postgres/data"],
    require => Package["postgresql-server"],
  }

  class { '::postgresql::server':
    postgres_password => generate_password(24, $password_seed, "postgres"),
    listen_addresses  => "*",
  }

  postgresql::server::pg_hba_rule { 'local access as postgres user':
    description => 'Allow local access to postgres user',
    type        => 'local',
    database    => 'all',
    user        => $pg_user,
    auth_method => 'ident',
    order       => "00-01",
  }
  postgresql::server::pg_hba_rule { 'localhost access as postgres user':
    description => 'Allow localhost access to postgres user',
    type        => 'host',
    database    => 'all',
    user        => $pg_user,
    address     => "127.0.0.1/32",
    auth_method => 'md5',
    order       => "00-02",
  }
  postgresql::server::pg_hba_rule { 'localhost ip6 access as postgres user':
    description => 'Allow localhost access to postgres user',
    type        => 'host',
    database    => 'all',
    user        => $pg_user,
    address     => "::1/128",
    auth_method => 'md5',
    order       => "00-03",
  }
  postgresql::server::pg_hba_rule { 'deny access to postgresql user':
    description => 'Deny remote access to postgres user',
    type        => 'host',
    database    => 'all',
    user        => $pg_user,
    address     => "0.0.0.0/0",
    auth_method => 'reject',
    order       => "00-04",
  }

  postgresql::server::pg_hba_rule { 'local access':
    description => 'Allow local access with password',
    type        => 'local',
    database    => 'all',
    user        => 'all',
    auth_method => 'md5',
    order       => "10-01",
  }

  postgresql::server::pg_hba_rule { 'local access with same name':
    description => 'Allow local access with same name',
    type        => 'local',
    database    => 'all',
    user        => 'all',
    auth_method => 'ident',
    order       => "10-02",
  }

}