From 6f1ddb39c54970b5ca34a01fe6fce4a81c6ea12e Mon Sep 17 00:00:00 2001 From: Peter Palfrader Date: Sun, 29 Sep 2019 22:45:26 +0200 Subject: [PATCH] manage danzi/wanna-build pg_hba --- data/common.yaml | 3 +++ data/nodes/danzi.debian.org.yaml | 2 +- data/nodes/respighi.debian.org.yaml | 1 + modules/ferm/manifests/per_host.pp | 13 ------------ modules/roles/manifests/buildd_master.pp | 21 ++++++++++++++++++- .../buildd_master/db_guest_access.pp | 20 ++++++++++++++++++ .../roles/manifests/buildd_master/params.pp | 9 ++++++++ modules/roles/manifests/release.pp | 6 ++++++ modules/roles/manifests/udd.pp | 3 +++ 9 files changed, 63 insertions(+), 15 deletions(-) create mode 100644 modules/roles/manifests/buildd_master/db_guest_access.pp create mode 100644 modules/roles/manifests/buildd_master/params.pp create mode 100644 modules/roles/manifests/release.pp diff --git a/data/common.yaml b/data/common.yaml index 33b14c048..0e4cac831 100644 --- a/data/common.yaml +++ b/data/common.yaml @@ -48,6 +48,9 @@ bacula::director::pool_name: 'debian' bacula::client::director_server: dinis.debian.org bacula::client::storage_server: storace.debian.org +roles::buildd_master::params::db_address: danzi.debian.org +roles::buildd_master::params::db_port: 5436 + roles::debsources::db_address: bmdb1.debian.org roles::debsources::db_port: 5440 diff --git a/data/nodes/danzi.debian.org.yaml b/data/nodes/danzi.debian.org.yaml index 2b6bf5a4a..7a8d76688 100644 --- a/data/nodes/danzi.debian.org.yaml +++ b/data/nodes/danzi.debian.org.yaml @@ -2,4 +2,4 @@ classes: - roles::postgresql::server -roles::postgresql::server::manage_clusters_hba: [5432, 5433, 5434] +roles::postgresql::server::manage_clusters_hba: true diff --git a/data/nodes/respighi.debian.org.yaml b/data/nodes/respighi.debian.org.yaml index 3ccff770b..7b3ff5dfd 100644 --- a/data/nodes/respighi.debian.org.yaml +++ b/data/nodes/respighi.debian.org.yaml @@ -1,2 +1,3 @@ classes: - roles::static_source + - roles::release 
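Review bot: In data/nodes/danzi.debian.org.yaml, `manage_clusters_hba` moves from the explicit list `[5432, 5433, 5434]` to `true`, which presumably puts every cluster on danzi under Puppet-managed pg_hba rather than just the 5436 cluster this commit needs; any cluster that was deliberately left off the old list would have its hand-maintained pg_hba entries replaced on the next run. If the goal is only to add wanna-build, `roles::postgresql::server::manage_clusters_hba: [5432, 5433, 5434, 5436]` keeps the previous scope; if all clusters are really intended, a comment above the key saying so would stop the next person from narrowing it back. I cannot see roles::postgresql::server from here, so whether `true` also generates a ferm rule for 5436 in place of the per_host rule this commit deletes should be confirmed before the firewall change is applied.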
diff --git a/modules/ferm/manifests/per_host.pp b/modules/ferm/manifests/per_host.pp index 7a467ea99..e04d66ff3 100644 --- a/modules/ferm/manifests/per_host.pp +++ b/modules/ferm/manifests/per_host.pp @@ -133,19 +133,6 @@ class ferm::per_host { | EOF } } - danzi: { - ferm::rule { 'dsa-postgres-wannabuild': - description => 'Allow postgress access to cluster: wannabuild', - domain => '(ip ip6)', - rule => @("EOF"/$) - &SERVICE_RANGE(tcp, 5436, ( - ${ join(getfromhash($deprecated::allnodeinfo, 'respighi.debian.org', 'ipHostNumber'), " ") } - ${ join(getfromhash($deprecated::allnodeinfo, 'wuiet.debian.org', 'ipHostNumber'), " ") } - ${ join(getfromhash($deprecated::allnodeinfo, 'ullmann.debian.org', 'ipHostNumber'), " ") } - )) - | EOF - } - } default: {} } # vpn fu diff --git a/modules/roles/manifests/buildd_master.pp b/modules/roles/manifests/buildd_master.pp index 6b386200c..fd5154cef 100644 --- a/modules/roles/manifests/buildd_master.pp +++ b/modules/roles/manifests/buildd_master.pp @@ -1,4 +1,11 @@ -class roles::buildd_master { +# wanna-build +# +# @param db_address hostname of the postgres server for this service +# @param db_port port of the postgres server for this service +class roles::buildd_master ( + String $db_address = $roles::buildd_master::params::db_address, + Integer $db_port = $roles::buildd_master::params::db_port, +) inherits roles::buildd_master::params { include apache2 include roles::sso_rp @@ -16,4 +23,16 @@ class roles::buildd_master { owner => 'wbadm', group => 'wbadm', } + + class { 'roles::buildd_master::db_guest_access': + database => ['wanna-build', 'wanna-build-test'], + } + + @@postgres::cluster::hba_entry { "buildd_master-${::fqdn}": + tag => "postgres::cluster::${db_port}::hba::${db_address}", + pg_port => $db_port, + database => ['wanna-build', 'wanna-build-test'], + user => 'all', + address => $base::public_addresses, + } } 
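Review bot: The exported `postgres::cluster::hba_entry` at the end of roles::buildd_master uses `user => 'all'`, which admits every database role to wanna-build and wanna-build-test from each public address of the buildd master with whatever default method the hba type applies (not visible in this hunk); the ferm rule deleted above only constrained the source host, so this is the first place the permitted roles are declared and it should be as narrow as the service needs. The files in the same class are owned by `wbadm`, which suggests `user => 'wbadm'` (or the exact list of roles wanna-build connects as) would do — confirm against the wanna-build configuration. Separately, `class { 'roles::buildd_master::db_guest_access': ... }` is a resource-like declaration while roles::udd and roles::release use `include`; a node that carries this role together with one of those will fail with a duplicate class declaration if the `include` is evaluated first, so either move the database list into hiera and `include` here as well, or record in a comment that the roles are mutually exclusive.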
diff --git a/modules/roles/manifests/buildd_master/db_guest_access.pp b/modules/roles/manifests/buildd_master/db_guest_access.pp
new file mode 100644
index 000000000..ac7462414
--- /dev/null
+++ b/modules/roles/manifests/buildd_master/db_guest_access.pp
@@ -0,0 +1,20 @@
+# wanna-build guest access to DB
+#
+# @param db_address hostname of the postgres server for this service
+# @param db_port port of the postgres server for this service
+# @param database list of databases to give access to
+class roles::buildd_master::db_guest_access (
+ String $db_address = $roles::buildd_master::params::db_address,
+ Integer $db_port = $roles::buildd_master::params::db_port,
+ Array[String] $database = ['wanna-build']
+) inherits roles::buildd_master::params {
+ @@postgres::cluster::hba_entry { "buildd_master-guest-${::fqdn}":
+ tag => "postgres::cluster::${db_port}::hba::${db_address}",
+ pg_port => $db_port,
+ database => $database,
+ user => 'guest',
+ address => $base::public_addresses,
+ method => 'trust',
+ order => '40',
+ }
+}
diff --git a/modules/roles/manifests/buildd_master/params.pp b/modules/roles/manifests/buildd_master/params.pp
new file mode 100644
index 000000000..b9e330544
--- /dev/null
+++ b/modules/roles/manifests/buildd_master/params.pp
@@ -0,0 +1,9 @@
+# wanna-build parameters
+#
+# @param db_address hostname of the postgres server for this service
+# @param db_port port of the postgres server for this service
+class roles::buildd_master::params (
+ String $db_address = $roles::buildd_master::db_address,
+ Integer $db_port = $roles::buildd_master::db_port,
+) {
+}
diff --git a/modules/roles/manifests/release.pp b/modules/roles/manifests/release.pp
new file mode 100644
index 000000000..077ee0ddd
--- /dev/null
+++ b/modules/roles/manifests/release.pp
@@ -0,0 +1,6 @@
+# release.debian.org role
+#
+class roles::release {
+
+ include roles::buildd_master::db_guest_access
+}
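Review bot: `method => 'trust'` in the exported hba entry of roles::buildd_master::db_guest_access lets the `guest` role log in with no credential at all from every public address of every node that includes the class (buildd masters, udd, release), so the only barrier between any local user or compromised service on those hosts and the wanna-build databases is the source-address match; the class header says "guest access" but does not record that this is deliberate, nor that `guest` must be a read-only role for it to be acceptable. Please add a why-comment above the method line, e.g. `# trust: 'guest' is a read-only role; access is gated solely on the client host's addresses`, and if any of the client hosts is multi-user, prefer a password method for this entry (`method => 'md5'` with a shared guest password) over `trust`. `order => '40'` also deserves a one-line note on what it must sort before or after, since that ordering is invisible from this file.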
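Review bot: The parameter defaults in roles::buildd_master::params point back at `$roles::buildd_master::db_address` and `$roles::buildd_master::db_port`, whose own defaults are these same params, so if the hiera keys `roles::buildd_master::params::db_address`/`db_port` are ever missing (for instance on a host that only includes roles::udd, where roles::buildd_master is never evaluated) the default resolves to undef and fails the `String`/`Integer` type check with a message about the other class instead of saying which key is unset. Since data/common.yaml already provides both keys, the defaults can simply be dropped so the parameters are mandatory: `String $db_address,` and `Integer $db_port,`. Alternatively, default `$db_port` to the literal `5436` that common.yaml now hard-codes and leave only `db_address` required.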
diff --git a/modules/roles/manifests/udd.pp b/modules/roles/manifests/udd.pp
index c4f814f85..ec966278f 100644
--- a/modules/roles/manifests/udd.pp
+++ b/modules/roles/manifests/udd.pp
@@ -1,3 +1,4 @@
+# UDD
 class roles::udd {
 class { 'apache2':
 rlimitmem => 512 * 1024 * 1024,
@@ -7,4 +8,6 @@ class roles::udd {
 notify => Exec['service apache2 reload'],
 key => true,
 }
+
+ include roles::buildd_master::db_guest_access
 }
-- 
2.20.1
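Review bot: `include roles::buildd_master::db_guest_access` at the end of roles::udd exports a password-less (`trust`) hba entry for the udd host's public addresses against the class's default database list (`['wanna-build']`), but nothing in the hunk says which UDD component needs that access, and the only documentation added is `# UDD`. A why-comment beside the include, e.g. `# wanna-build DB access for the UDD importer (password-less 'guest' role, see db_guest_access)`, would let a later reviewer judge whether the grant is still needed when the importer changes. If udd is a multi-user host, the choice of `trust` should be revisited in db_guest_access rather than worked around here.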