[mirror/dsa-puppet.git] / 3rdparty / modules / postgresql / manifests / server / config.pp

# PRIVATE CLASS: do not call directly
class postgresql::server::config {
  $ip_mask_deny_postgres_user = $postgresql::server::ip_mask_deny_postgres_user
  $ip_mask_allow_all_users    = $postgresql::server::ip_mask_allow_all_users
  $listen_addresses           = $postgresql::server::listen_addresses
  $port                       = $postgresql::server::port
  $ipv4acls                   = $postgresql::server::ipv4acls
  $ipv6acls                   = $postgresql::server::ipv6acls
  $pg_hba_conf_path           = $postgresql::server::pg_hba_conf_path
  $pg_ident_conf_path         = $postgresql::server::pg_ident_conf_path
  $postgresql_conf_path       = $postgresql::server::postgresql_conf_path
  $recovery_conf_path         = $postgresql::server::recovery_conf_path
  $pg_hba_conf_defaults       = $postgresql::server::pg_hba_conf_defaults
  $user                       = $postgresql::server::user
  $group                      = $postgresql::server::group
  $version                    = $postgresql::server::_version
  $manage_pg_hba_conf         = $postgresql::server::manage_pg_hba_conf
  $manage_pg_ident_conf       = $postgresql::server::manage_pg_ident_conf
  $manage_recovery_conf       = $postgresql::server::manage_recovery_conf
  $datadir                    = $postgresql::server::datadir
  $logdir                     = $postgresql::server::logdir
  $service_name               = $postgresql::server::service_name
  $log_line_prefix            = $postgresql::server::log_line_prefix
  $timezone                   = $postgresql::server::timezone

  if ($manage_pg_hba_conf == true) {
    # Prepare the main pg_hba file
    concat { $pg_hba_conf_path:
      owner  => $user,
      group  => $group,
      mode   => '0640',
      warn   => true,
      order  => 'numeric',
      notify => Class['postgresql::server::reload'],
    }

    if $pg_hba_conf_defaults {
      Postgresql::Server::Pg_hba_rule {
        database => 'all',
        user => 'all',
      }

      # Lets setup the base rules
      $local_auth_option = $version ? {
        '8.1'   => 'sameuser',
        default => undef,
      }
      postgresql::server::pg_hba_rule { 'local access as postgres user':
        type        => 'local',
        user        => $user,
        auth_method => 'ident',
        auth_option => $local_auth_option,
        order       => 1,
      }
      postgresql::server::pg_hba_rule { 'local access to database with same name':
        type        => 'local',
        auth_method => 'ident',
        auth_option => $local_auth_option,
        order       => 2,
      }
      postgresql::server::pg_hba_rule { 'allow localhost TCP access to postgresql user':
        type        => 'host',
        user        => $user,
        address     => '127.0.0.1/32',
        auth_method => 'md5',
        order       => 3,
      }
      postgresql::server::pg_hba_rule { 'deny access to postgresql user':
        type        => 'host',
        user        => $user,
        address     => $ip_mask_deny_postgres_user,
        auth_method => 'reject',
        order       => 4,
      }

      postgresql::server::pg_hba_rule { 'allow access to all users':
        type        => 'host',
        address     => $ip_mask_allow_all_users,
        auth_method => 'md5',
        order       => 100,
      }
      postgresql::server::pg_hba_rule { 'allow access to ipv6 localhost':
        type        => 'host',
        address     => '::1/128',
        auth_method => 'md5',
        order       => 101,
      }
    }

    # ipv4acls are passed as an array of rule strings, here we transform
    # them into a resources hash, and pass the result to create_resources
    $ipv4acl_resources = postgresql_acls_to_resources_hash($ipv4acls,
    'ipv4acls', 10)
    create_resources('postgresql::server::pg_hba_rule', $ipv4acl_resources)


    # ipv6acls are passed as an array of rule strings, here we transform
    # them into a resources hash, and pass the result to create_resources
    $ipv6acl_resources = postgresql_acls_to_resources_hash($ipv6acls,
    'ipv6acls', 102)
    create_resources('postgresql::server::pg_hba_rule', $ipv6acl_resources)
  }

  if $listen_addresses {
    postgresql::server::config_entry { 'listen_addresses':
      value => $listen_addresses,
    }
  }

  postgresql::server::config_entry { 'port':
    value => $port,
  }
  postgresql::server::config_entry { 'data_directory':
    value => $datadir,
  }
  if $timezone {
    postgresql::server::config_entry { 'timezone':
      value => $timezone,
    }
  }
  if $logdir {
    postgresql::server::config_entry { 'log_directory':
      value => $logdir,
    }

  }
  # Allow timestamps in log by default
  if $log_line_prefix {
    postgresql::server::config_entry {'log_line_prefix':
      value => $log_line_prefix,
    }
  }

  # RedHat-based systems hardcode some PG* variables in the init script, and need to be overriden
  # in /etc/sysconfig/pgsql/postgresql. Create a blank file so we can manage it with augeas later.
  if ($::osfamily == 'RedHat') and ($::operatingsystemrelease !~ /^7/) and ($::operatingsystem != 'Fedora') {
    file { '/etc/sysconfig/pgsql/postgresql':
      ensure  => present,
      replace => false,
    }

    # The init script from the packages of the postgresql.org repository
    # sources an alternate sysconfig file.
    # I. e. /etc/sysconfig/pgsql/postgresql-9.3 for PostgreSQL 9.3
    # Link to the sysconfig file set by this puppet module
    file { "/etc/sysconfig/pgsql/postgresql-${version}":
      ensure  => link,
      target  => '/etc/sysconfig/pgsql/postgresql',
      require => File[ '/etc/sysconfig/pgsql/postgresql' ],
    }

  }


  if ($manage_pg_ident_conf == true) {
    concat { $pg_ident_conf_path:
      owner  => $user,
      group  => $group,
      mode   => '0640',
      warn   => true,
      order  => 'numeric',
      notify => Class['postgresql::server::reload'],
    }
  }

  if ($manage_recovery_conf == true) {
    concat { $recovery_conf_path:
      owner  => $user,
      group  => $group,
      mode   => '0640',
      warn   => true,
      order  => 'numeric',
      notify => Class['postgresql::server::reload'],
    }
  }

  if $::osfamily == 'RedHat' {
    if $::operatingsystemrelease =~ /^7/ or $::operatingsystem == 'Fedora' {
      # Template uses:
      # - $::operatingsystem
      # - $service_name
      # - $port
      # - $datadir
      file { 'systemd-override':
        ensure  => present,
        path    => "/etc/systemd/system/${service_name}.service",
        owner   => root,
        group   => root,
        content => template('postgresql/systemd-override.erb'),
        notify  => [ Exec['restart-systemd'], Class['postgresql::server::service'] ],
        before  => Class['postgresql::server::reload'],
      }
      exec { 'restart-systemd':
        command     => 'systemctl daemon-reload',
        refreshonly => true,
        path        => '/bin:/usr/bin:/usr/local/bin'
      }
    }
  }
  elsif $::osfamily == 'Gentoo' {
    # Template uses:
    # - $::operatingsystem
    # - $service_name
    # - $port
    # - $datadir
    file { 'systemd-override':
      ensure  => present,
      path    => "/etc/systemd/system/${service_name}.service",
      owner   => root,
      group   => root,
      content => template('postgresql/systemd-override.erb'),
      notify  => [ Exec['restart-systemd'], Class['postgresql::server::service'] ],
      before  => Class['postgresql::server::reload'],
    }
    exec { 'restart-systemd':
      command     => 'systemctl daemon-reload',
      refreshonly => true,
      path        => '/bin:/usr/bin:/usr/local/bin'
    }
  }
}