--- /dev/null
+# PRIVATE CLASS: do not call directly
+class postgresql::server::passwd {
+ $postgres_password = $postgresql::server::postgres_password
+ $user = $postgresql::server::user
+ $group = $postgresql::server::group
+ $psql_path = $postgresql::server::psql_path
+ $port = $postgresql::server::port
+ $database = $postgresql::server::default_database
+ $module_workdir = $postgresql::server::module_workdir
+
+ # psql will default to connecting as $user if you don't specify name
+ $_datbase_user_same = $database == $user
+ $_dboption = $_datbase_user_same ? {
+ false => " --dbname ${database}",
+ default => ''
+ }
+
+ if ($postgres_password != undef) {
+ # NOTE: this password-setting logic relies on the pg_hba.conf being
+ # configured to allow the postgres system user to connect via psql
+ # without specifying a password ('ident' or 'trust' security). This is
+ # the default for pg_hba.conf.
+ $escaped = postgresql_escape($postgres_password)
+ exec { 'set_postgres_postgrespw':
+ # This command works w/no password because we run it as postgres system
+ # user
+ command => "${psql_path}${_dboption} -c \"ALTER ROLE \\\"${user}\\\" PASSWORD \${NEWPASSWD_ESCAPED}\"",
+ user => $user,
+ group => $group,
+ logoutput => true,
+ cwd => $module_workdir,
+ environment => [
+ "PGPASSWORD=${postgres_password}",
+ "PGPORT=${port}",
+ "NEWPASSWD_ESCAPED=${escaped}",
+ ],
+ # With this command we're passing -h to force TCP authentication, which
+ # does require a password. We specify the password via the PGPASSWORD
+ # environment variable. If the password is correct (current), this
+ # command will exit with an exit code of 0, which will prevent the main
+ # command from running.
+ unless => "${psql_path} -h localhost -p ${port} -c 'select 1' > /dev/null",
+ path => '/usr/bin:/usr/local/bin:/bin',
+ }
+ }
+}