site-modules/profile/manifests/postgresql/server.pp
# Install and configure a postgresql server | # Install and configure a postgresql server | ||||
class profile::postgresql::server { | class profile::postgresql::server { | ||||
$swh_base_directory = lookup('swh::base_directory') | $swh_base_directory = lookup('swh::base_directory') | ||||
$postgres_pass = lookup('swh::deploy::db::postgres::password') | $postgres_pass = lookup('swh::deploy::db::postgres::password') | ||||
$listen_addresses = lookup('swh::postgresql::listen_addresses').join(',') | $listen_addresses = lookup('swh::postgresql::listen_addresses').join(',') | ||||
# allow access through credentials | # allow access through credentials | ||||
$network_accesses = lookup('swh::postgresql::network_accesses').map | $nwk | { | $network_accesses = lookup('swh::postgresql::network_accesses').map | $nwk | { | ||||
"host all all ${nwk} md5" | "host all all ${nwk} md5" | ||||
} | } | ||||
$postgres_version = lookup('swh::postgresql::version') | $postgres_version = lookup('swh::postgresql::version') | ||||
$postgres_port = lookup('swh::postgresql::port') | $postgres_port = lookup('swh::postgresql::port') | ||||
$postgres_datadir_base = lookup('swh::postgresql::datadir_base') | $postgres_datadir_base = lookup('swh::postgresql::datadir_base') | ||||
$postgres_datadir = lookup('swh::postgresql::datadir') | $postgres_datadir = lookup('swh::postgresql::datadir') | ||||
$postgres_max_connections = lookup('swh::postgresql::max_connections') | |||||
$ip_mask_allow_all_users = '0.0.0.0/0' | $ip_mask_allow_all_users = '0.0.0.0/0' | ||||
file { [ "${postgres_datadir_base}", | file { [ $postgres_datadir_base, | ||||
"${postgres_datadir_base}/${postgres_version}" ] : | "${postgres_datadir_base}/${postgres_version}" ] : | ||||
ensure => directory, | ensure => directory, | ||||
owner => 'root', | owner => 'root', | ||||
group => 'root', | group => 'root', | ||||
mode => '0655', | mode => '0655', | ||||
} | } | ||||
-> class { 'postgresql::server': | -> class { 'postgresql::server': | ||||
ip_mask_allow_all_users => $ip_mask_allow_all_users, | ip_mask_allow_all_users => $ip_mask_allow_all_users, | ||||
ipv4acls => $network_accesses, | ipv4acls => $network_accesses, | ||||
postgres_password => $postgres_pass, | postgres_password => $postgres_pass, | ||||
port => $postgres_port, | port => $postgres_port, | ||||
listen_addresses => [$listen_addresses], | listen_addresses => [$listen_addresses], | ||||
datadir => $postgres_datadir, | datadir => $postgres_datadir, | ||||
needs_initdb => true, # Needed because managed_repo is false and data_dir is redefined by us ¯\_(ツ)_/¯ | needs_initdb => true, # Needed because managed_repo is false and data_dir is redefined by us ¯\_(ツ)_/¯ | ||||
require => Class['profile::postgresql::apt_config'], | require => Class['profile::postgresql::apt_config'], | ||||
pg_hba_conf_defaults => false, # see below for the actual default rules | pg_hba_conf_defaults => false, # see below for the actual default rules | ||||
pg_hba_rules => { | pg_hba_rules => { | ||||
# Supersedes the default rules installed by puppetlab-postgres, thus | # Supersedes the default rules installed by puppetlab-postgres, thus | ||||
# allowing pgbouncer/pgsql connection to the postgres user | # allowing pgbouncer/pgsql connection to the postgres user | ||||
'local access as postgres user' => { | 'local access as postgres user' => { | ||||
database => 'all', | database => 'all', | ||||
user => 'postgres', | user => 'postgres', | ||||
type => 'local', | type => 'local', | ||||
auth_method => 'ident', | auth_method => 'ident', | ||||
order => 1, | order => 1, | ||||
}, | }, | ||||
'local access to database with same name' => { | 'local access to database with same name' => { | ||||
database => 'all', | database => 'all', | ||||
user => 'all', | user => 'all', | ||||
type => 'local', | type => 'local', | ||||
auth_method => 'ident', | auth_method => 'ident', | ||||
order => 2, | order => 2, | ||||
}, | }, | ||||
'allow localhost TCP access to postgresql user' => { | 'allow localhost TCP access to postgresql user' => { | ||||
database => 'all', | database => 'all', | ||||
user => 'postgres', | user => 'postgres', | ||||
type => 'host', | type => 'host', | ||||
address => '127.0.0.1/32', | address => '127.0.0.1/32', | ||||
auth_method => 'md5', | auth_method => 'md5', | ||||
order => 3, | order => 3, | ||||
}, | }, | ||||
'allow access to all users' => { | 'allow access to all users' => { | ||||
database => 'all', | database => 'all', | ||||
user => 'all', | user => 'all', | ||||
type => 'host', | type => 'host', | ||||
address => $ip_mask_allow_all_users, | address => $ip_mask_allow_all_users, | ||||
auth_method => 'md5', | auth_method => 'md5', | ||||
order => 100, | order => 100, | ||||
}, | }, | ||||
'allow access to ipv6 localhost' => { | 'allow access to ipv6 localhost' => { | ||||
database => 'all', | database => 'all', | ||||
user => 'all', | user => 'all', | ||||
type => 'host', | type => 'host', | ||||
address => '::1/128', | address => '::1/128', | ||||
auth_method => 'md5', | auth_method => 'md5', | ||||
order => 101, | order => 101, | ||||
} | } | ||||
}, | |||||
} | } | ||||
postgresql::server::config_entry{'max_connections': | |||||
ensure => present, | |||||
value => $postgres_max_connections, | |||||
} | } | ||||
postgresql::server::config_entry{'shared_preload_libraries': | postgresql::server::config_entry{'shared_preload_libraries': | ||||
ensure => present, | ensure => present, | ||||
value => "pg_stat_statements", | value => 'pg_stat_statements', | ||||
} | } | ||||
# read-only user | # read-only user | ||||
$guest = 'guest' | $guest = 'guest' | ||||
postgresql::server::role { $guest: | postgresql::server::role { $guest: | ||||
password_hash => postgresql_password($guest, 'guest'), | password_hash => postgresql_password($guest, 'guest'), | ||||
require => Class['postgresql::server'] | require => Class['postgresql::server'] | ||||
} | } | ||||
$dbs = lookup('swh::dbs') | $dbs = lookup('swh::dbs') | ||||
each($dbs) | $db_type, $db_config | { | each($dbs) | $db_type, $db_config | { | ||||
# db_type in {storage, indexer, scheduler, etc...} | # db_type in {storage, indexer, scheduler, etc...} | ||||
$db_pass = pick( | $db_pass = pick( | ||||
$db_config['password'], | $db_config['password'], | ||||
lookup("swh::deploy::${db_type}::db::password", {"default_value" => undef}) | lookup("swh::deploy::${db_type}::db::password", {'default_value' => undef}) | ||||
) | ) | ||||
$db_name = $db_config['name'] | $db_name = $db_config['name'] | ||||
$db_user = $db_config['user'] | $db_user = $db_config['user'] | ||||
postgresql::server::db { $db_name: | postgresql::server::db { $db_name: | ||||
user => $db_user, | user => $db_user, | ||||
password => $db_pass, | password => $db_pass, | ||||
owner => $db_user, | owner => $db_user, | ||||
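Review bot: The `'allow access to all users'` pg_hba rule grants md5 password authentication to every database and every role from the hard-coded `$ip_mask_allow_all_users = '0.0.0.0/0'`, which makes the hiera-driven `$network_accesses` entries redundant and leaves the `guest` role, whose password is the literal `'guest'` in `postgresql_password($guest, 'guest')`, usable from any host that can reach the configured `listen_addresses`; the commit reworks the quoting around this code but not the exposure. Consider dropping the catch-all rule (or sourcing `$ip_mask_allow_all_users` from a lookup instead of the literal) and taking the guest password from hiera the way `$postgres_pass` is, e.g. `password_hash => postgresql_password($guest, lookup('<guest-password-hiera-key>'))` with a real key substituted. If `$postgres_version` resolves to 10 or newer, `auth_method => 'scram-sha-256'` is preferable to `md5` on the host rules. Separately, `mode => '0655'` on the data directories drops the owner execute bit, which looks like a typo for `'0755'`. This file section continues past the visible lines (12 lines collapsed below), and whether the `max_connections` lines sit on the old or new side is not recoverable from this rendering.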