1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
|
define profile::postgresql_master (
$letsencrypt_host = undef,
$backup_hosts = [],
) {
$password_seed = lookup("base_installation::puppet_pass_seed")
ensure_resource("file", "/var/lib/postgres/data/certs", {
ensure => directory,
mode => "0700",
owner => $::profile::postgresql::pg_user,
group => $::profile::postgresql::pg_user,
require => File["/var/lib/postgres"],
})
ensure_resource("file", "/var/lib/postgres/data/certs/cert.pem", {
source => "file:///etc/letsencrypt/live/$letsencrypt_host/cert.pem",
mode => "0600",
links => "follow",
owner => $::profile::postgresql::pg_user,
group => $::profile::postgresql::pg_user,
require => [Letsencrypt::Certonly[$letsencrypt_host], File["/var/lib/postgres/data/certs"]]
})
ensure_resource("file", "/var/lib/postgres/data/certs/privkey.pem", {
source => "file:///etc/letsencrypt/live/$letsencrypt_host/privkey.pem",
mode => "0600",
links => "follow",
owner => $::profile::postgresql::pg_user,
group => $::profile::postgresql::pg_user,
require => [Letsencrypt::Certonly[$letsencrypt_host], File["/var/lib/postgres/data/certs"]]
})
ensure_resource("postgresql::server::config_entry", "wal_level", {
value => "logical",
})
ensure_resource("postgresql::server::config_entry", "ssl", {
value => "on",
require => Letsencrypt::Certonly[$letsencrypt_host],
})
ensure_resource("postgresql::server::config_entry", "ssl_cert_file", {
value => "/var/lib/postgres/data/certs/cert.pem",
require => Letsencrypt::Certonly[$letsencrypt_host],
})
ensure_resource("postgresql::server::config_entry", "ssl_key_file", {
value => "/var/lib/postgres/data/certs/privkey.pem",
require => Letsencrypt::Certonly[$letsencrypt_host],
})
$backup_hosts.each |$backup_host| {
ensure_packages(["pam_ldap"])
$host = find_host($facts["ldapvar"]["other"], $backup_host)
unless empty($host) {
$host["ipHostNumber"].each |$ip| {
$infos = split($ip, "/")
$ipaddress = $infos[0]
if (length($infos) == 1 and $ipaddress =~ /:/) {
$mask = "128"
} elsif (length($infos) == 1) {
$mask = "32"
} else {
$mask = $infos[1]
}
postgresql::server::pg_hba_rule { "allow TCP access to replication user from backup for replication from $ipaddress/$mask":
type => 'hostssl',
database => 'replication',
user => $backup_host,
address => "$ipaddress/$mask",
auth_method => 'pam',
order => "06-01",
}
}
postgresql::server::role { $backup_host:
replication => true,
}
postgresql_replication_slot { regsubst($backup_host, '-', "_", "G"):
ensure => present
}
}
$ldap_server = lookup("base_installation::ldap_server")
$ldap_base = lookup("base_installation::ldap_base")
$ldap_dn = lookup("base_installation::ldap_dn")
$ldap_password = generate_password(24, $password_seed, "ldap")
$ldap_attribute = "cn"
file { "/etc/pam_ldap.d":
ensure => directory,
mode => "0755",
owner => "root",
group => "root",
} ->
file { "/etc/pam_ldap.d/postgresql.conf":
ensure => "present",
mode => "0600",
owner => $::profile::postgresql::pg_user,
group => "root",
content => template("profile/postgresql_master/pam_ldap_postgresql.conf.erb"),
} ->
file { "/etc/pam.d/postgresql":
ensure => "present",
mode => "0644",
owner => "root",
group => "root",
source => "puppet:///modules/profile/postgresql_master/pam_postgresql"
}
}
}
|
