X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=3rdparty%2Fmodules%2Fpostgresql%2Fmanifests%2Fserver%2Fconfig.pp;fp=3rdparty%2Fmodules%2Fpostgresql%2Fmanifests%2Fserver%2Fconfig.pp;h=616fc341defdb73df3bb2b097b96212d1ee9dad8;hb=a69999e580f8b3abd12446c2d6ad59e517651813;hp=0000000000000000000000000000000000000000;hpb=e7b6b352165009c385c52fcfe5a1055690dbfa4b;p=mirror%2Fdsa-puppet.git
diff --git a/3rdparty/modules/postgresql/manifests/server/config.pp b/3rdparty/modules/postgresql/manifests/server/config.pp
new file mode 100644
index 000000000..616fc341d
--- /dev/null
+++ b/3rdparty/modules/postgresql/manifests/server/config.pp
@@ -0,0 +1,221 @@
+# PRIVATE CLASS: do not call directly
+class postgresql::server::config {
+ $ip_mask_deny_postgres_user = $postgresql::server::ip_mask_deny_postgres_user
+ $ip_mask_allow_all_users = $postgresql::server::ip_mask_allow_all_users
+ $listen_addresses = $postgresql::server::listen_addresses
+ $port = $postgresql::server::port
+ $ipv4acls = $postgresql::server::ipv4acls
+ $ipv6acls = $postgresql::server::ipv6acls
+ $pg_hba_conf_path = $postgresql::server::pg_hba_conf_path
+ $pg_ident_conf_path = $postgresql::server::pg_ident_conf_path
+ $postgresql_conf_path = $postgresql::server::postgresql_conf_path
+ $recovery_conf_path = $postgresql::server::recovery_conf_path
+ $pg_hba_conf_defaults = $postgresql::server::pg_hba_conf_defaults
+ $user = $postgresql::server::user
+ $group = $postgresql::server::group
+ $version = $postgresql::server::_version
+ $manage_pg_hba_conf = $postgresql::server::manage_pg_hba_conf
+ $manage_pg_ident_conf = $postgresql::server::manage_pg_ident_conf
+ $manage_recovery_conf = $postgresql::server::manage_recovery_conf
+ $datadir = $postgresql::server::datadir
+ $logdir = $postgresql::server::logdir
+ $service_name = $postgresql::server::service_name
+ $log_line_prefix = $postgresql::server::log_line_prefix
+ $timezone = $postgresql::server::timezone
+
+ if ($manage_pg_hba_conf == true) {
+ # Prepare the main pg_hba file
+ concat { $pg_hba_conf_path:
+ owner => $user,
+ group => $group,
+ mode => '0640',
+ warn => true,
+ order => 'numeric',
+ notify => Class['postgresql::server::reload'],
+ }
+
+ if $pg_hba_conf_defaults {
+ Postgresql::Server::Pg_hba_rule {
+ database => 'all',
+ user => 'all',
+ }
+
+ # Lets setup the base rules
+ $local_auth_option = $version ? {
+ '8.1' => 'sameuser',
+ default => undef,
+ }
+ postgresql::server::pg_hba_rule { 'local access as postgres user':
+ type => 'local',
+ user => $user,
+ auth_method => 'ident',
+ auth_option => $local_auth_option,
+ order => 1,
+ }
+ postgresql::server::pg_hba_rule { 'local access to database with same name':
+ type => 'local',
+ auth_method => 'ident',
+ auth_option => $local_auth_option,
+ order => 2,
+ }
+ postgresql::server::pg_hba_rule { 'allow localhost TCP access to postgresql user':
+ type => 'host',
+ user => $user,
+ address => '127.0.0.1/32',
+ auth_method => 'md5',
+ order => 3,
+ }
+ postgresql::server::pg_hba_rule { 'deny access to postgresql user':
+ type => 'host',
+ user => $user,
+ address => $ip_mask_deny_postgres_user,
+ auth_method => 'reject',
+ order => 4,
+ }
+
+ postgresql::server::pg_hba_rule { 'allow access to all users':
+ type => 'host',
+ address => $ip_mask_allow_all_users,
+ auth_method => 'md5',
+ order => 100,
+ }
+ postgresql::server::pg_hba_rule { 'allow access to ipv6 localhost':
+ type => 'host',
+ address => '::1/128',
+ auth_method => 'md5',
+ order => 101,
+ }
+ }
+
+ # ipv4acls are passed as an array of rule strings, here we transform
+ # them into a resources hash, and pass the result to create_resources
+ $ipv4acl_resources = postgresql_acls_to_resources_hash($ipv4acls,
+ 'ipv4acls', 10)
+ create_resources('postgresql::server::pg_hba_rule', $ipv4acl_resources)
+
+
+ # ipv6acls are passed as an array of rule strings, here we transform
+ # them into a resources hash, and pass the result to create_resources
+ $ipv6acl_resources = postgresql_acls_to_resources_hash($ipv6acls,
+ 'ipv6acls', 102)
+ create_resources('postgresql::server::pg_hba_rule', $ipv6acl_resources)
+ }
+
+ if $listen_addresses {
+ postgresql::server::config_entry { 'listen_addresses':
+ value => $listen_addresses,
+ }
+ }
+
+ postgresql::server::config_entry { 'port':
+ value => $port,
+ }
+ postgresql::server::config_entry { 'data_directory':
+ value => $datadir,
+ }
+ if $timezone {
+ postgresql::server::config_entry { 'timezone':
+ value => $timezone,
+ }
+ }
+ if $logdir {
+ postgresql::server::config_entry { 'log_directory':
+ value => $logdir,
+ }
+
+ }
+ # Allow timestamps in log by default
+ if $log_line_prefix {
+ postgresql::server::config_entry {'log_line_prefix':
+ value => $log_line_prefix,
+ }
+ }
+
+ # RedHat-based systems hardcode some PG* variables in the init script, and need to be overriden
+ # in /etc/sysconfig/pgsql/postgresql. Create a blank file so we can manage it with augeas later.
+ if ($::osfamily == 'RedHat') and ($::operatingsystemrelease !~ /^7/) and ($::operatingsystem != 'Fedora') {
+ file { '/etc/sysconfig/pgsql/postgresql':
+ ensure => present,
+ replace => false,
+ }
+
+ # The init script from the packages of the postgresql.org repository
+ # sources an alternate sysconfig file.
+ # I. e. /etc/sysconfig/pgsql/postgresql-9.3 for PostgreSQL 9.3
+ # Link to the sysconfig file set by this puppet module
+ file { "/etc/sysconfig/pgsql/postgresql-${version}":
+ ensure => link,
+ target => '/etc/sysconfig/pgsql/postgresql',
+ require => File[ '/etc/sysconfig/pgsql/postgresql' ],
+ }
+
+ }
+
+
+ if ($manage_pg_ident_conf == true) {
+ concat { $pg_ident_conf_path:
+ owner => $user,
+ group => $group,
+ mode => '0640',
+ warn => true,
+ order => 'numeric',
+ notify => Class['postgresql::server::reload'],
+ }
+ }
+
+ if ($manage_recovery_conf == true) {
+ concat { $recovery_conf_path:
+ owner => $user,
+ group => $group,
+ mode => '0640',
+ warn => true,
+ order => 'numeric',
+ notify => Class['postgresql::server::reload'],
+ }
+ }
+
+ if $::osfamily == 'RedHat' {
+ if $::operatingsystemrelease =~ /^7/ or $::operatingsystem == 'Fedora' {
+ # Template uses:
+ # - $::operatingsystem
+ # - $service_name
+ # - $port
+ # - $datadir
+ file { 'systemd-override':
+ ensure => present,
+ path => "/etc/systemd/system/${service_name}.service",
+ owner => root,
+ group => root,
+ content => template('postgresql/systemd-override.erb'),
+ notify => [ Exec['restart-systemd'], Class['postgresql::server::service'] ],
+ before => Class['postgresql::server::reload'],
+ }
+ exec { 'restart-systemd':
+ command => 'systemctl daemon-reload',
+ refreshonly => true,
+ path => '/bin:/usr/bin:/usr/local/bin'
+ }
+ }
+ }
+ elsif $::osfamily == 'Gentoo' {
+ # Template uses:
+ # - $::operatingsystem
+ # - $service_name
+ # - $port
+ # - $datadir
+ file { 'systemd-override':
+ ensure => present,
+ path => "/etc/systemd/system/${service_name}.service",
+ owner => root,
+ group => root,
+ content => template('postgresql/systemd-override.erb'),
+ notify => [ Exec['restart-systemd'], Class['postgresql::server::service'] ],
+ before => Class['postgresql::server::reload'],
+ }
+ exec { 'restart-systemd':
+ command => 'systemctl daemon-reload',
+ refreshonly => true,
+ path => '/bin:/usr/bin:/usr/local/bin'
+ }
+ }
+}
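Review bot: The superuser reject rule (`'deny access to postgresql user'`, order 4) covers only `$ip_mask_deny_postgres_user`, which by its name is a single IPv4 mask, so the role in `$user` has no IPv6 counterpart: the shipped rules only allow `::1/128` for `all` users at order 101, but `$ipv6acls` entries are created from order 102 upward, and any such `host … all` rule also admits the superuser with `md5`, whereas the equivalent IPv4 ACL at order 10+ would hit the reject first. If remote superuser logins are meant to be rejected on both address families, a parallel reject (ideally parameterized like its IPv4 sibling) belongs before order 100, with an explicit `::1/128` allow for `$user` ahead of it to mirror rule 3; the two rules below are a starting point. Separately, the `systemd-override` file and `restart-systemd` exec are duplicated verbatim for the RedHat 7/Fedora and Gentoo branches and could share one guard, e.g. `if ($::osfamily == 'RedHat' and ($::operatingsystemrelease =~ /^7/ or $::operatingsystem == 'Fedora')) or $::osfamily == 'Gentoo' {`. The defaults of `postgresql::server` are not visible in this hunk, so the actual exposure depends on what `$ip_mask_deny_postgres_user` and `$ipv6acls` are set to in practice.
```puppet
# … unchanged: rules 1–4 ('local access as postgres user' … 'deny access to postgresql user') …
postgresql::server::pg_hba_rule { 'allow ipv6 localhost TCP access to postgresql user':
  type        => 'host',
  user        => $user,
  address     => '::1/128',
  auth_method => 'md5',
  order       => 5,
}
postgresql::server::pg_hba_rule { 'deny ipv6 access to postgresql user':
  type        => 'host',
  user        => $user,
  address     => '::/0',
  auth_method => 'reject',
  order       => 6,
}
# … unchanged: 'allow access to all users' (order 100) and 'allow access to ipv6 localhost' (order 101) …
```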