|
| 1 | +# lint:ignore:140chars |
| 2 | +# @param user Overrides the default PostgreSQL super user and owner of PostgreSQL related files in the file system. |
| 3 | +# @param group Overrides the default postgres user group to be used for related files in the file system. |
| 4 | +# Default value: 5432. Meaning the Postgres server listens on TCP port 5432. |
| 5 | +# @param psql_path Specifies the path to the psql command. |
| 6 | +# @param port Specifies the port for the PostgreSQL server to listen on. Note: The same port number is used for all IP addresses the server listens on. Also, for Red Hat systems and early Debian systems, changing the port causes the server to come to a full stop before being able to make the change. |
| 7 | +# @param database Specifies the name of the database to connect with. On most systems this is 'postgres'. |
| 8 | +# @param module_workdir Working directory for the PostgreSQL module |
| 9 | +# @param postgres_password Sets the password for the postgres user to your specified value. By default, this setting uses the superuser account in the Postgres database, with a user called postgres and no password. |
| 10 | +# lint:endignore:140chars |
| 11 | +define postgresql::server::instance_passwd ( |
| 12 | + $user = $postgresql::server::user, |
| 13 | + $group = $postgresql::server::group, |
| 14 | + $psql_path = $postgresql::server::psql_path, |
| 15 | + $port = $postgresql::server::port, |
| 16 | + $database = $postgresql::server::default_database, |
| 17 | + $module_workdir = $postgresql::server::module_workdir, |
| 18 | + $postgres_password = $postgresql::server::postgres_password, |
| 19 | + |
| 20 | +) { |
| 21 | + $real_postgres_password = if $postgres_password =~ Sensitive { |
| 22 | + $postgres_password.unwrap |
| 23 | + } else { |
| 24 | + $postgres_password |
| 25 | + } |
| 26 | + |
| 27 | + # psql will default to connecting as $user if you don't specify name |
| 28 | + $_datbase_user_same = $database == $user |
| 29 | + $_dboption = $_datbase_user_same ? { |
| 30 | + false => " --dbname ${shell_escape($database)}", |
| 31 | + default => '' |
| 32 | + } |
| 33 | + |
| 34 | + if $real_postgres_password { |
| 35 | + # NOTE: this password-setting logic relies on the pg_hba.conf being |
| 36 | + # configured to allow the postgres system user to connect via psql |
| 37 | + # without specifying a password ('ident' or 'trust' security). This is |
| 38 | + # the default for pg_hba.conf. |
| 39 | + $escaped = postgresql::postgresql_escape($real_postgres_password) |
| 40 | + $exec_command = "${shell_escape($psql_path)}${_dboption} -c \"ALTER ROLE \\\"${shell_escape($user)}\\\" PASSWORD \${NEWPASSWD_ESCAPED}\"" # lint:ignore:140chars |
| 41 | + exec { 'set_postgres_postgrespw': |
| 42 | + # This command works w/no password because we run it as postgres system |
| 43 | + # user |
| 44 | + command => $exec_command, |
| 45 | + user => $user, |
| 46 | + group => $group, |
| 47 | + logoutput => true, |
| 48 | + cwd => $module_workdir, |
| 49 | + environment => [ |
| 50 | + "PGPASSWORD=${real_postgres_password}", |
| 51 | + "PGPORT=${port}", |
| 52 | + "NEWPASSWD_ESCAPED=${escaped}", |
| 53 | + ], |
| 54 | + # With this command we're passing -h to force TCP authentication, which |
| 55 | + # does require a password. We specify the password via the PGPASSWORD |
| 56 | + # environment variable. If the password is correct (current), this |
| 57 | + # command will exit with an exit code of 0, which will prevent the main |
| 58 | + # command from running. |
| 59 | + unless => "${psql_path} -h localhost -p ${port} -c 'select 1' > /dev/null", |
| 60 | + path => '/usr/bin:/usr/local/bin:/bin', |
| 61 | + } |
| 62 | + } |
| 63 | +} |
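Review bot: The `Sensitive` password is unwrapped into `$real_postgres_password` and then interpolated as plain text into the exec's `environment` (`PGPASSWORD=…`, `NEWPASSWD_ESCAPED=…`), which puts it unredacted into the compiled catalog, and into any report or PuppetDB copy of it, undoing the protection a caller opted into by passing `Sensitive`; if the target Puppet version accepts `Sensitive` values for exec `environment` the value should stay wrapped, and otherwise the unwrap deserves a comment stating that the password deliberately lands in the catalog. The `unless` probe also disagrees with the main command: it omits `${_dboption}` and the `shell_escape($psql_path)` quoting, so when `$database` differs from `$user` it connects to the database named after the user, fails if that database does not exist, and `ALTER ROLE` then runs on every agent run; `unless => "${shell_escape($psql_path)}${_dboption} -h localhost -p ${port} -c 'select 1' > /dev/null",` keeps the two in step. The `-h localhost` check only proves the password if pg_hba.conf requires one for TCP from localhost — with a `trust` entry there it succeeds regardless and the password is never set — which is worth adding to the existing NOTE comment about pg_hba.conf. Finally, `logoutput => true` captures psql's error text when `ALTER ROLE` fails, and PostgreSQL syntax errors echo the offending statement including the password literal, so this exec is a candidate for `logoutput => false` rather than the default.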