site-modules/profile/manifests/postgresql/server.pp
# Install and configure a postgresql server | # Install and configure a postgresql server | ||||
class profile::postgresql::server { | class profile::postgresql::server { | ||||
$swh_base_directory = lookup('swh::base_directory') | $swh_base_directory = lookup('swh::base_directory') | ||||
$postgres_pass = lookup('swh::deploy::db::postgres::password') | $postgres_pass = lookup('swh::deploy::db::postgres::password') | ||||
$listen_addresses = lookup('swh::postgresql::listen_addresses').join(',') | $listen_addresses = lookup('swh::postgresql::listen_addresses').join(',') | ||||
# allow access through credentials | # allow access through credentials | ||||
$network_accesses = lookup('swh::postgresql::network_accesses').map | $nwk | { | $network_accesses = lookup('swh::postgresql::network_accesses').map | $nwk | { | ||||
"host all all ${nwk} md5" | "host all all ${nwk} md5" | ||||
} | } | ||||
$postgres_version = lookup('swh::postgresql::version') | $postgres_version = lookup('swh::postgresql::version') | ||||
$postgres_port = lookup('swh::postgresql::port') | $postgres_port = lookup('swh::postgresql::port') | ||||
$postgres_datadir = lookup('swh::postgresql::datadir') | $postgres_datadir = lookup('swh::postgresql::datadir') | ||||
$ip_mask_allow_all_users = '0.0.0.0/0' | |||||
file { [ "${swh_base_directory}/postgresql", | file { [ "${swh_base_directory}/postgresql", | ||||
"${swh_base_directory}/postgresql/${postgres_version}" ] : | "${swh_base_directory}/postgresql/${postgres_version}" ] : | ||||
ensure => directory, | ensure => directory, | ||||
owner => 'root', | owner => 'root', | ||||
group => 'root', | group => 'root', | ||||
mode => '0655', | mode => '0655', | ||||
} | } | ||||
-> class { 'postgresql::server': | -> class { 'postgresql::server': | ||||
ip_mask_allow_all_users => '0.0.0.0/0', | ip_mask_allow_all_users => $ip_mask_allow_all_users, | ||||
ipv4acls => $network_accesses, | ipv4acls => $network_accesses, | ||||
postgres_password => $postgres_pass, | postgres_password => $postgres_pass, | ||||
port => $postgres_port, | port => $postgres_port, | ||||
listen_addresses => [$listen_addresses], | listen_addresses => [$listen_addresses], | ||||
datadir => $postgres_datadir, | datadir => $postgres_datadir, | ||||
needs_initdb => true, # Needed because managed_repo is false and data_dir is redefined by us ¯\_(ツ)_/¯ | needs_initdb => true, # Needed because managed_repo is false and data_dir is redefined by us ¯\_(ツ)_/¯ | ||||
require => Class['profile::postgresql::apt_config'] | require => Class['profile::postgresql::apt_config'], | ||||
pg_hba_conf_defaults => false, # see below for the actual default rules | |||||
pg_hba_rules => { | |||||
# Supersedes the default rules installed by puppetlab-postgres, thus | |||||
# allowing pgbouncer/pgsql connection to the postgres user | |||||
'local access as postgres user' => { | |||||
database => 'all', | |||||
user => 'postgres', | |||||
type => 'local', | |||||
auth_method => 'ident', | |||||
order => 1, | |||||
}, | |||||
'local access to database with same name' => { | |||||
database => 'all', | |||||
user => 'all', | |||||
type => 'local', | |||||
auth_method => 'ident', | |||||
order => 2, | |||||
}, | |||||
'allow localhost TCP access to postgresql user' => { | |||||
database => 'all', | |||||
user => 'postgres', | |||||
type => 'host', | |||||
address => '127.0.0.1/32', | |||||
auth_method => 'md5', | |||||
order => 3, | |||||
}, | |||||
'allow access to all users' => { | |||||
database => 'all', | |||||
user => 'all', | |||||
type => 'host', | |||||
address => $ip_mask_allow_all_users, | |||||
auth_method => 'md5', | |||||
order => 100, | |||||
}, | |||||
'allow access to ipv6 localhost' => { | |||||
database => 'all', | |||||
user => 'all', | |||||
type => 'host', | |||||
address => '::1/128', | |||||
auth_method => 'md5', | |||||
order => 101, | |||||
} | |||||
ardumont: 1. There is no way to drop the simple blocking rules in the puppetlabs module. So the stand has… | |||||
} | |||||
} | } | ||||
# read-only user | |||||
$guest = 'guest' | $guest = 'guest' | ||||
postgresql::server::role { $guest: | postgresql::server::role { $guest: | ||||
password_hash => postgresql_password($guest, 'guest'), | password_hash => postgresql_password($guest, 'guest'), | ||||
require => Class['postgresql::server'] | require => Class['postgresql::server'] | ||||
} | } | ||||
$dbs = lookup('swh::dbs') | $dbs = lookup('swh::dbs') | ||||
each($dbs) | $db_type, $db_config | { | each($dbs) | $db_type, $db_config | { | ||||
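Review bot: The rule named 'local access to database with same name' (second `pg_hba_rules` entry) is written with `database => 'all'`, so every local OS user whose name matches a role reaches every database, not only the same-named one; `database => 'sameuser'` would make the rule match its label, or the label should say what the rule actually grants. On both `type => 'local'` rules PostgreSQL treats `auth_method => 'ident'` as `peer`, so writing `auth_method => 'peer'` states the effective method and stops a reader from assuming an ident server is involved. The 'allow access to all users' rule at order 100 matches any IPv4 client with md5, so the `ipv4acls` entries built from `$network_accesses` presumably never get evaluated if the module orders them later — a comment next to `$ip_mask_allow_all_users` saying which rule is intended to win would help. The class body continues past the hunk: the `each($dbs)` block starts on its last line.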