1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
|
class role::cryptoportfolio::postgresql inherits role::cryptoportfolio {
$password_seed = lookup("base_installation::puppet_pass_seed")
$pg_password = generate_password(24, $password_seed, "postgres_cryptoportfolio")
$pg_replication_password = generate_password(24, $password_seed, "postgres_cryptoportfolio_replication")
file { "/var/lib/postgres/data/certs":
ensure => directory,
mode => "0700",
owner => $::profile::postgresql::pg_user,
group => $::profile::postgresql::pg_user,
require => File["/var/lib/postgres"],
}
file { "/var/lib/postgres/data/certs/cert.pem":
source => "file:///etc/letsencrypt/live/$web_host/cert.pem",
mode => "0600",
links => "follow",
owner => $::profile::postgresql::pg_user,
group => $::profile::postgresql::pg_user,
require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
}
file { "/var/lib/postgres/data/certs/privkey.pem":
source => "file:///etc/letsencrypt/live/$web_host/privkey.pem",
mode => "0600",
links => "follow",
owner => $::profile::postgresql::pg_user,
group => $::profile::postgresql::pg_user,
require => [Letsencrypt::Certonly[$web_host], File["/var/lib/postgres/data/certs"]]
}
postgresql::server::config_entry { "wal_level":
value => "logical",
}
postgresql::server::config_entry { "ssl":
value => "on",
require => Letsencrypt::Certonly[$web_host],
}
postgresql::server::config_entry { "ssl_cert_file":
value => "/var/lib/postgres/data/certs/cert.pem",
require => Letsencrypt::Certonly[$web_host],
}
postgresql::server::config_entry { "ssl_key_file":
value => "/var/lib/postgres/data/certs/privkey.pem",
require => Letsencrypt::Certonly[$web_host],
}
postgresql::server::db { $pg_db:
user => $pg_user,
password => postgresql_password($pg_user, $pg_password),
}
->
postgresql_psql { "CREATE PUBLICATION ${pg_db}_publication FOR ALL TABLES":
db => $pg_db,
unless => "SELECT 1 FROM pg_catalog.pg_publication WHERE pubname = '${pg_db}_publication'",
}
->
postgresql::server::role { $pg_user_replication:
db => $pg_db,
replication => true,
password_hash => postgresql_password($pg_user_replication, $pg_replication_password),
}
->
postgresql::server::database_grant { $pg_user_replication:
db => $pg_db,
privilege => "CONNECT",
role => $pg_user_replication,
}
->
postgresql::server::grant { "all tables in schema:public:$pg_user_replication":
db => $pg_db,
role => $pg_user_replication,
privilege => "SELECT",
object_type => "ALL TABLES IN SCHEMA",
object_name => "public",
}
->
postgresql::server::grant { "all sequences in schema:public:$pg_user_replication":
db => $pg_db,
role => $pg_user_replication,
privilege => "SELECT",
object_type => "ALL SEQUENCES IN SCHEMA",
object_name => "public",
}
postgresql::server::pg_hba_rule { 'allow localhost TCP access to cryptoportfolio user':
type => 'host',
database => $pg_db,
user => $pg_user,
address => '127.0.0.1/32',
auth_method => 'md5',
order => "05-01",
}
postgresql::server::pg_hba_rule { 'allow localhost ip6 TCP access to cryptoportfolio user':
type => 'host',
database => $pg_db,
user => $pg_user,
address => '::1/128',
auth_method => 'md5',
order => "05-01",
}
postgresql::server::pg_hba_rule { 'allow TCP access to replication user from immae.eu':
type => 'hostssl',
database => $pg_db,
user => $pg_user_replication,
address => 'immae.eu',
auth_method => 'md5',
order => "05-01",
}
}
|
