diff --git a/manifests/database/postgresql.pp b/manifests/database/postgresql.pp index 3364e6f..dd08984 100644 --- a/manifests/database/postgresql.pp +++ b/manifests/database/postgresql.pp @@ -1,39 +1,42 @@ # Class for creating the PuppetDB postgresql database. See README.md for more # information. class puppetdb::database::postgresql( $listen_addresses = $puppetdb::params::database_host, $database_name = $puppetdb::params::database_name, $database_username = $puppetdb::params::database_username, $database_password = $puppetdb::params::database_password, $database_port = $puppetdb::params::database_port, + $manage_database = $puppetdb::params::manage_database, $manage_server = $puppetdb::params::manage_dbserver, $manage_package_repo = $puppetdb::params::manage_pg_repo, $postgres_version = $puppetdb::params::postgres_version, ) inherits puppetdb::params { if $manage_server { class { '::postgresql::globals': manage_package_repo => $manage_package_repo, version => $postgres_version, } # get the pg server up and running class { '::postgresql::server': ip_mask_allow_all_users => '0.0.0.0/0', listen_addresses => $listen_addresses, port => scanf($database_port, '%i')[0], } # get the pg contrib to use pg_trgm extension class { '::postgresql::server::contrib': } postgresql::server::extension { 'pg_trgm': database => $database_name, require => Postgresql::Server::Db[$database_name], } } - # create the puppetdb database - postgresql::server::db { $database_name: - user => $database_username, - password => $database_password, - grant => 'all', + if $manage_database { + # create the puppetdb database + postgresql::server::db { $database_name: + user => $database_username, + password => $database_password, + grant => 'all', + } } } diff --git a/manifests/init.pp b/manifests/init.pp index bb7a178..893b06d 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,175 +1,177 @@ # All in one class for setting up a PuppetDB instance. See README.md for more # details. class puppetdb ( $listen_address = $puppetdb::params::listen_address, $listen_port = $puppetdb::params::listen_port, $disable_cleartext = $puppetdb::params::disable_cleartext, $open_listen_port = $puppetdb::params::open_listen_port, $ssl_listen_address = $puppetdb::params::ssl_listen_address, $ssl_listen_port = $puppetdb::params::ssl_listen_port, $disable_ssl = $puppetdb::params::disable_ssl, $open_ssl_listen_port = $puppetdb::params::open_ssl_listen_port, $ssl_dir = $puppetdb::params::ssl_dir, $ssl_set_cert_paths = $puppetdb::params::ssl_set_cert_paths, $ssl_cert_path = $puppetdb::params::ssl_cert_path, $ssl_key_path = $puppetdb::params::ssl_key_path, $ssl_ca_cert_path = $puppetdb::params::ssl_ca_cert_path, $ssl_deploy_certs = $puppetdb::params::ssl_deploy_certs, $ssl_key = $puppetdb::params::ssl_key, $ssl_cert = $puppetdb::params::ssl_cert, $ssl_ca_cert = $puppetdb::params::ssl_ca_cert, $ssl_protocols = $puppetdb::params::ssl_protocols, $cipher_suites = $puppetdb::params::cipher_suites, $manage_dbserver = $puppetdb::params::manage_dbserver, + $manage_database = $puppetdb::params::manage_database, $manage_package_repo = $puppetdb::params::manage_pg_repo, $postgres_version = $puppetdb::params::postgres_version, $database = $puppetdb::params::database, $database_host = $puppetdb::params::database_host, $database_port = $puppetdb::params::database_port, $database_username = $puppetdb::params::database_username, $database_password = $puppetdb::params::database_password, $database_name = $puppetdb::params::database_name, $jdbc_ssl_properties = $puppetdb::params::jdbc_ssl_properties, $database_listen_address = $puppetdb::params::postgres_listen_addresses, $database_validate = $puppetdb::params::database_validate, $database_embedded_path = $puppetdb::params::database_embedded_path, $node_ttl = $puppetdb::params::node_ttl, $node_purge_ttl = $puppetdb::params::node_purge_ttl, $report_ttl = $puppetdb::params::report_ttl, $gc_interval = $puppetdb::params::gc_interval, $log_slow_statements = $puppetdb::params::log_slow_statements, $conn_max_age = $puppetdb::params::conn_max_age, $conn_keep_alive = $puppetdb::params::conn_keep_alive, $conn_lifetime = $puppetdb::params::conn_lifetime, $puppetdb_package = $puppetdb::params::puppetdb_package, $puppetdb_service = $puppetdb::params::puppetdb_service, $puppetdb_service_status = $puppetdb::params::puppetdb_service_status, $puppetdb_user = $puppetdb::params::puppetdb_user, $puppetdb_group = $puppetdb::params::puppetdb_group, $read_database = $puppetdb::params::read_database, $read_database_host = $puppetdb::params::read_database_host, $read_database_port = $puppetdb::params::read_database_port, $read_database_username = $puppetdb::params::read_database_username, $read_database_password = $puppetdb::params::read_database_password, $read_database_name = $puppetdb::params::read_database_name, $read_database_jdbc_ssl_properties = $puppetdb::params::read_database_jdbc_ssl_properties, $read_database_validate = $puppetdb::params::read_database_validate, $read_log_slow_statements = $puppetdb::params::read_log_slow_statements, $read_conn_max_age = $puppetdb::params::read_conn_max_age, $read_conn_keep_alive = $puppetdb::params::read_conn_keep_alive, $read_conn_lifetime = $puppetdb::params::read_conn_lifetime, $confdir = $puppetdb::params::confdir, $vardir = $puppetdb::params::vardir, $manage_firewall = $puppetdb::params::manage_firewall, $java_args = $puppetdb::params::java_args, $merge_default_java_args = $puppetdb::params::merge_default_java_args, $max_threads = $puppetdb::params::max_threads, $command_threads = $puppetdb::params::command_threads, $concurrent_writes = $puppetdb::params::concurrent_writes, $store_usage = $puppetdb::params::store_usage, $temp_usage = $puppetdb::params::temp_usage, $disable_update_checking = $puppetdb::params::disable_update_checking, $certificate_whitelist_file = $puppetdb::params::certificate_whitelist_file, $certificate_whitelist = $puppetdb::params::certificate_whitelist, $database_max_pool_size = $puppetdb::params::database_max_pool_size, $read_database_max_pool_size = $puppetdb::params::read_database_max_pool_size, Boolean $automatic_dlo_cleanup = $puppetdb::params::automatic_dlo_cleanup, String[1] $cleanup_timer_interval = $puppetdb::params::cleanup_timer_interval, Integer[1] $dlo_max_age = $puppetdb::params::dlo_max_age, ) inherits puppetdb::params { class { '::puppetdb::server': listen_address => $listen_address, listen_port => $listen_port, disable_cleartext => $disable_cleartext, open_listen_port => $open_listen_port, ssl_listen_address => $ssl_listen_address, ssl_listen_port => $ssl_listen_port, disable_ssl => $disable_ssl, open_ssl_listen_port => $open_ssl_listen_port, ssl_dir => $ssl_dir, ssl_set_cert_paths => $ssl_set_cert_paths, ssl_cert_path => $ssl_cert_path, ssl_key_path => $ssl_key_path, ssl_ca_cert_path => $ssl_ca_cert_path, ssl_deploy_certs => $ssl_deploy_certs, ssl_key => $ssl_key, ssl_cert => $ssl_cert, ssl_ca_cert => $ssl_ca_cert, ssl_protocols => $ssl_protocols, cipher_suites => $cipher_suites, database => $database, database_host => $database_host, database_port => $database_port, database_username => $database_username, database_password => $database_password, database_name => $database_name, jdbc_ssl_properties => $jdbc_ssl_properties, database_validate => $database_validate, database_embedded_path => $database_embedded_path, node_ttl => $node_ttl, node_purge_ttl => $node_purge_ttl, report_ttl => $report_ttl, gc_interval => $gc_interval, log_slow_statements => $log_slow_statements, conn_max_age => $conn_max_age, conn_keep_alive => $conn_keep_alive, conn_lifetime => $conn_lifetime, puppetdb_package => $puppetdb_package, puppetdb_service => $puppetdb_service, puppetdb_service_status => $puppetdb_service_status, confdir => $confdir, vardir => $vardir, java_args => $java_args, merge_default_java_args => $merge_default_java_args, max_threads => $max_threads, read_database => $read_database, read_database_host => $read_database_host, read_database_port => $read_database_port, read_database_username => $read_database_username, read_database_password => $read_database_password, read_database_name => $read_database_name, read_database_jdbc_ssl_properties => $read_database_jdbc_ssl_properties, read_database_validate => $read_database_validate, read_log_slow_statements => $read_log_slow_statements, read_conn_max_age => $read_conn_max_age, read_conn_keep_alive => $read_conn_keep_alive, read_conn_lifetime => $read_conn_lifetime, puppetdb_user => $puppetdb_user, puppetdb_group => $puppetdb_group, manage_firewall => $manage_firewall, command_threads => $command_threads, concurrent_writes => $concurrent_writes, store_usage => $store_usage, temp_usage => $temp_usage, disable_update_checking => $disable_update_checking, certificate_whitelist_file => $certificate_whitelist_file, certificate_whitelist => $certificate_whitelist, database_max_pool_size => $database_max_pool_size, read_database_max_pool_size => $read_database_max_pool_size, automatic_dlo_cleanup => $automatic_dlo_cleanup, cleanup_timer_interval => $cleanup_timer_interval, dlo_max_age => $dlo_max_age, } if ($database == 'postgres') { $database_before = str2bool($database_validate) ? { false => Class['::puppetdb::server'], default => [Class['::puppetdb::server'], Class['::puppetdb::server::validate_db']], } class { '::puppetdb::database::postgresql': listen_addresses => $database_listen_address, database_name => $database_name, database_username => $database_username, database_password => $database_password, database_port => $database_port, manage_server => $manage_dbserver, + manage_database => $manage_database, manage_package_repo => $manage_package_repo, postgres_version => $postgres_version, before => $database_before } } } diff --git a/manifests/params.pp b/manifests/params.pp index 6553b96..a34e5eb 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -1,199 +1,200 @@ # PRIVATE CLASS - do not use directly # # The puppetdb default configuration settings. class puppetdb::params inherits puppetdb::globals { $listen_address = 'localhost' $listen_port = '8080' $disable_cleartext = false $open_listen_port = false $ssl_listen_address = '0.0.0.0' $ssl_listen_port = '8081' $ssl_protocols = undef $disable_ssl = false $cipher_suites = undef $open_ssl_listen_port = undef $postgres_listen_addresses = 'localhost' $puppetdb_version = $puppetdb::globals::version $database = $puppetdb::globals::database $manage_dbserver = true + $manage_database = true if $::osfamily =~ /RedHat|Debian/ { $manage_pg_repo = true } else { $manage_pg_repo = false } $postgres_version = '9.6' # The remaining database settings are not used for an embedded database $database_host = 'localhost' $database_port = '5432' $database_name = 'puppetdb' $database_username = 'puppetdb' $database_password = 'puppetdb' $jdbc_ssl_properties = '' $database_validate = true $database_max_pool_size = undef # These settings manage the various auto-deactivation and auto-purge settings $node_ttl = '7d' $node_purge_ttl = '14d' $report_ttl = '14d' $gc_interval = '60' $log_slow_statements = '10' $conn_max_age = '60' $conn_keep_alive = '45' $conn_lifetime = '0' $max_threads = undef # These settings are for the read database $read_database = 'postgres' $read_database_host = undef $read_database_port = '5432' $read_database_name = 'puppetdb' $read_database_username = 'puppetdb' $read_database_password = 'puppetdb' $read_database_jdbc_ssl_properties = '' $read_database_validate = true $read_log_slow_statements = '10' $read_conn_max_age = '60' $read_conn_keep_alive = '45' $read_conn_lifetime = '0' $read_database_max_pool_size = undef $manage_firewall = true $java_args = {} $merge_default_java_args = true $puppetdb_package = 'puppetdb' $puppetdb_service = 'puppetdb' $masterless = false if !($puppetdb_version in ['latest','present','absent']) and versioncmp($puppetdb_version, '3.0.0') < 0 { case $::osfamily { 'RedHat', 'Suse', 'Archlinux','Debian': { $etcdir = '/etc/puppetdb' $vardir = '/var/lib/puppetdb' $database_embedded_path = "${vardir}/db/db" $puppet_confdir = pick($settings::confdir,'/etc/puppet') $puppet_service_name = 'puppetmaster' } 'OpenBSD': { $etcdir = '/etc/puppetdb' $vardir = '/var/db/puppetdb' $database_embedded_path = "${vardir}/db/db" $puppet_confdir = pick($settings::confdir,'/etc/puppet') $puppet_service_name = 'puppetmasterd' } 'FreeBSD': { $etcdir = '/usr/local/etc/puppetdb' $vardir = '/var/db/puppetdb' $database_embedded_path = "${vardir}/db/db" $puppet_confdir = pick($settings::confdir,'/usr/local/etc/puppet') $puppet_service_name = 'puppetmaster' } default: { fail("The fact 'osfamily' is set to ${::osfamily} which is not supported by the puppetdb module.") } } $terminus_package = 'puppetdb-terminus' $test_url = '/v3/version' } else { case $::osfamily { 'RedHat', 'Suse', 'Archlinux','Debian': { $etcdir = '/etc/puppetlabs/puppetdb' $puppet_confdir = pick($settings::confdir,'/etc/puppetlabs/puppet') $puppet_service_name = 'puppetserver' } 'OpenBSD': { $etcdir = '/etc/puppetlabs/puppetdb' $puppet_confdir = pick($settings::confdir,'/etc/puppetlabs/puppet') $puppet_service_name = undef } 'FreeBSD': { $etcdir = '/usr/local/etc/puppetlabs/puppetdb' $puppet_confdir = pick($settings::confdir,'/usr/local/etc/puppetlabs/puppet') $puppet_service_name = undef } default: { fail("The fact 'osfamily' is set to ${::osfamily} which is not supported by the puppetdb module.") } } $terminus_package = 'puppetdb-termini' $test_url = '/pdb/meta/v1/version' $vardir = '/opt/puppetlabs/server/data/puppetdb' $database_embedded_path = "${vardir}/db/db" } $confdir = "${etcdir}/conf.d" $ssl_dir = "${etcdir}/ssl" case $::osfamily { 'RedHat', 'Suse', 'Archlinux': { $puppetdb_user = 'puppetdb' $puppetdb_group = 'puppetdb' $puppetdb_initconf = '/etc/sysconfig/puppetdb' } 'Debian': { $puppetdb_user = 'puppetdb' $puppetdb_group = 'puppetdb' $puppetdb_initconf = '/etc/default/puppetdb' } 'OpenBSD': { $puppetdb_user = '_puppetdb' $puppetdb_group = '_puppetdb' $puppetdb_initconf = undef } 'FreeBSD': { $puppetdb_user = 'puppetdb' $puppetdb_group = 'puppetdb' $puppetdb_initconf = undef } default: { fail("The fact 'osfamily' is set to ${::osfamily} which is not supported by the puppetdb module.") } } $puppet_conf = "${puppet_confdir}/puppet.conf" $puppetdb_startup_timeout = 120 $puppetdb_service_status = 'running' $command_threads = undef $concurrent_writes = undef $store_usage = undef $temp_usage = undef $disable_update_checking = undef # reports of failed actions: https://puppet.com/docs/puppetdb/5.2/maintain_and_tune.html#clean-up-the-dead-letter-office $automatic_dlo_cleanup = true # any value for a systemd timer is valid: https://www.freedesktop.org/software/systemd/man/systemd.time.html $cleanup_timer_interval = "*-*-* ${fqdn_rand(24)}:${fqdn_rand(60)}:00" $dlo_max_age = 90 $ssl_set_cert_paths = false $ssl_cert_path = "${ssl_dir}/public.pem" $ssl_key_path = "${ssl_dir}/private.pem" $ssl_ca_cert_path = "${ssl_dir}/ca.pem" $ssl_deploy_certs = false $ssl_key = undef $ssl_cert = undef $ssl_ca_cert = undef $certificate_whitelist_file = "${etcdir}/certificate-whitelist" # the default is free access for now $certificate_whitelist = [ ] # change to this to only allow access by the puppet master by default: #$certificate_whitelist = [ $::servername ] # Get the parameter name for the database connection pool tuning if $puppetdb_version in ['latest','present'] or versioncmp($puppetdb_version, '4.0.0') >= 0 { $database_max_pool_size_setting_name = 'maximum-pool-size' } elsif versioncmp($puppetdb_version, '2.8.0') >= 0 { $database_max_pool_size_setting_name = 'partition-conn-max' } else { $database_max_pool_size_setting_name = undef } }