From 015fa6b401098df522b1adf8e574a88d581ef340 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Sun, 29 Sep 2019 22:30:15 +0200
Subject: [PATCH] manage danzi/main pg_hba
---
 data/common.yaml | 9 +++++++++
 data/nodes/danzi.debian.org.yaml | 2 +-
 modules/ferm/manifests/per_host.pp | 20 --------------------
 modules/roles/manifests/nm.pp | 17 ++++++++++++++++-
 modules/roles/manifests/rtmaster.pp | 17 ++++++++++++++++-
 modules/roles/manifests/sso.pp | 16 +++++++++++++++-
 6 files changed, 57 insertions(+), 24 deletions(-)
diff --git a/data/common.yaml b/data/common.yaml
index c40138685..33b14c048 100644
--- a/data/common.yaml
+++ b/data/common.yaml
@@ -57,6 +57,15 @@ roles::tracker::db_port: 5432
 roles::debconf_wafer::db_address: danzi.debian.org
 roles::debconf_wafer::db_port: 5434
+roles::nm::db_address: danzi.debian.org
+roles::nm::db_port: 5433
+
+roles::rtmaster::db_address: danzi.debian.org
+roles::rtmaster::db_port: 5433
+
+roles::sso::db_address: danzi.debian.org
+roles::sso::db_port: 5433
+
 roles::ftp_master::db_port: 5433
 roles::postgresql::ftp_master_dak_replica::db_server: fasolo.debian.org
diff --git a/data/nodes/danzi.debian.org.yaml b/data/nodes/danzi.debian.org.yaml
index db7730537..2b6bf5a4a 100644
--- a/data/nodes/danzi.debian.org.yaml
+++ b/data/nodes/danzi.debian.org.yaml
@@ -2,4 +2,4 @@ classes:
 - roles::postgresql::server
-roles::postgresql::server::manage_clusters_hba: [5432, 5434]
+roles::postgresql::server::manage_clusters_hba: [5432, 5433, 5434]
diff --git a/modules/ferm/manifests/per_host.pp b/modules/ferm/manifests/per_host.pp
index 3f9fdd280..7a467ea99 100644
--- a/modules/ferm/manifests/per_host.pp
+++ b/modules/ferm/manifests/per_host.pp
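Review bot: Adding 5433 to manage_clusters_hba hands the main cluster's pg_hba.conf to roles::postgresql::server, and the only entries this commit exports for that port are the nm, rt and sso ones; if the managed file replaces rather than appends (roles::postgresql::server is outside this diff), every other client currently admitted by a hand-maintained entry on danzi loses access at the next agent run. The 'dsa-postgres-main' ferm rule removed in modules/ferm/manifests/per_host.pp named diabelli, nono and reger as the hosts reaching 5433, so comparing the live pg_hba.conf of that cluster against those three hosts and the roles they carry before merging would confirm nothing is dropped. A one-line comment on the key, e.g. `# 5433 = main, fed by exported hba entries from roles::nm, roles::rtmaster, roles::sso`, would document which role owns each managed port.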
@@ -134,26 +134,6 @@ class ferm::per_host {
 }
 }
 danzi: {
- ferm::rule { 'dsa-postgres-main':
- description => 'Allow postgress access to cluster: main',
- domain => '(ip ip6)',
- rule => @("EOF"/$)
- &SERVICE_RANGE(tcp, 5433, (
- ${ join(getfromhash($deprecated::allnodeinfo, 'diabelli.debian.org', 'ipHostNumber'), " ") }
- ${ join(getfromhash($deprecated::allnodeinfo, 'nono.debian.org', 'ipHostNumber'), " ") }
- ${ join(getfromhash($deprecated::allnodeinfo, 'reger.debian.org', 'ipHostNumber'), " ") }
- ))
- | EOF
- }
- ferm::rule { 'dsa-postgres-debconf':
- description => 'Allow postgress access to cluster: debconf',
- domain => '(ip ip6)',
- rule => @("EOF"/$)
- &SERVICE_RANGE(tcp, 5434, (
- ${ join(getfromhash($deprecated::allnodeinfo, 'debussy.debian.org', 'ipHostNumber'), " ") }
- ))
- | EOF
- }
 ferm::rule { 'dsa-postgres-wannabuild':
 description => 'Allow postgress access to cluster: wannabuild',
 domain => '(ip ip6)',
diff --git a/modules/roles/manifests/nm.pp b/modules/roles/manifests/nm.pp
index cceb28d17..96ff2291b 100644
--- a/modules/roles/manifests/nm.pp
+++ b/modules/roles/manifests/nm.pp
@@ -1,4 +1,11 @@
-class roles::nm {
+# nm.debian.org role
+#
+# @param db_address hostname of the postgres server for this service
+# @param db_port port of the postgres server for this service
+class roles::nm (
+ String $db_address,
+ Integer $db_port,
+) {
 include apache2
 include roles::sso_rp
@@ -11,4 +18,12 @@ class roles::nm {
 owner => 'nm',
 group => 'nm',
 }
+
+ @@postgres::cluster::hba_entry { "nm-${::fqdn}":
+ tag => "postgres::cluster::${db_port}::hba::${db_address}",
+ pg_port => $db_port,
+ database => ['nm', 'contributors'],
+ user => ['nm', 'nmweb'],
+ address => $base::public_addresses,
+ }
 }
diff --git a/modules/roles/manifests/rtmaster.pp b/modules/roles/manifests/rtmaster.pp
index 131c80c12..38a6d7e3f 100644
--- a/modules/roles/manifests/rtmaster.pp
+++ b/modules/roles/manifests/rtmaster.pp
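Review bot: Removing 'dsa-postgres-main' and 'dsa-postgres-debconf' takes away the firewall allow for ports 5433 and 5434 on danzi, while the exported hba entries added to roles::nm, roles::rtmaster and roles::sso only describe pg_hba.conf access; whether those ports stay reachable from the client hosts now depends on roles::postgresql::server deriving ferm rules from the collected hba entries, which this diff does not show. The old rule admitted diabelli, nono and reger by name, whereas the new entries use `$base::public_addresses` of whichever host includes each role, so any mismatch between those three hosts and the role assignments silently changes who is allowed in. No replacement for the debconf rule is visible either — presumably roles::debconf_wafer already exports an hba entry (its db_address and db_port keys appear as context in data/common.yaml), but that is inferred. The enclosing danzi: case and class ferm::per_host continue outside the hunk.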
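Review bot: The exported hba_entry passes `address => $base::public_addresses` without an `include base` or a `Class['base']` dependency in roles::nm, so if class base has not been evaluated before this manifest the address is undef and what happens next depends on how postgres::cluster::hba_entry validates it (not visible here) — either a compile failure or an entry exported without a source restriction. The rtmaster and sso hunks use the same construction. If every node gets base from its classification this is fine, and a comment such as `# $base::public_addresses is provided by the base class applied to every node` above the resource would make that dependency explicit. Separately, `database => ['nm', 'contributors']` together with `user => ['nm', 'nmweb']` admits either user to either database once rendered as comma-separated pg_hba fields (PostgreSQL treats each column as any-of), including nmweb to contributors; worth confirming that cross-grant is intended — the sso hunk has the same shape with a single database.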
@@ -1,4 +1,11 @@
-class roles::rtmaster {
+# rt.debian.org
+#
+# @param db_address hostname of the postgres server for this service
+# @param db_port port of the postgres server for this service
+class roles::rtmaster (
+ String $db_address,
+ Integer $db_port,
+) {
 include apache2
 ssl::service { 'rt.debian.org':
 notify => Exec['service apache2 reload'],
@@ -10,4 +17,12 @@ class roles::rtmaster {
 mail_user => 'rt',
 mail_group => 'rt',
 }
+
+ @@postgres::cluster::hba_entry { "rt-${::fqdn}":
+ tag => "postgres::cluster::${db_port}::hba::${db_address}",
+ pg_port => $db_port,
+ database => 'rtdb',
+ user => 'rtuser',
+ address => $base::public_addresses,
+ }
 }
diff --git a/modules/roles/manifests/sso.pp b/modules/roles/manifests/sso.pp
index 4da64ebd2..dc2837f88 100644
--- a/modules/roles/manifests/sso.pp
+++ b/modules/roles/manifests/sso.pp
@@ -1,7 +1,13 @@
 # Debian SSO class.
 #
 # This sets up the web service as well as the LDAP backend for ftmg
-class roles::sso {
+#
+# @param db_address hostname of the postgres server for this service
+# @param db_port port of the postgres server for this service
+class roles::sso (
+ String $db_address,
+ Integer $db_port,
+) {
 include apache2
 include roles::sso_rp
@@ -55,4 +61,12 @@ class roles::sso {
 source => 'puppet:///modules/roles/sso/openssh-ldap.schema',
 notify => Service['slapd'],
 }
+
+ @@postgres::cluster::hba_entry { "debsso-${::fqdn}":
+ tag => "postgres::cluster::${db_port}::hba::${db_address}",
+ pg_port => $db_port,
+ database => 'debsso',
+ user => ['debsso', 'debssoweb'],
+ address => $base::public_addresses,
+ }
 }
-- 
2.20.1