|
1 | 1 | # @api private |
2 | 2 | class postgresql::server::config { |
3 | | - $ip_mask_deny_postgres_user = $postgresql::server::ip_mask_deny_postgres_user |
4 | | - $ip_mask_allow_all_users = $postgresql::server::ip_mask_allow_all_users |
5 | | - $listen_addresses = $postgresql::server::listen_addresses |
6 | | - $port = $postgresql::server::port |
7 | | - $ipv4acls = $postgresql::server::ipv4acls |
8 | | - $ipv6acls = $postgresql::server::ipv6acls |
9 | | - $pg_hba_conf_path = $postgresql::server::pg_hba_conf_path |
10 | | - $pg_ident_conf_path = $postgresql::server::pg_ident_conf_path |
11 | | - $postgresql_conf_path = $postgresql::server::postgresql_conf_path |
12 | | - $postgresql_conf_mode = $postgresql::server::postgresql_conf_mode |
13 | | - $recovery_conf_path = $postgresql::server::recovery_conf_path |
14 | | - $pg_hba_conf_defaults = $postgresql::server::pg_hba_conf_defaults |
15 | | - $user = $postgresql::server::user |
16 | | - $group = $postgresql::server::group |
17 | | - $version = $postgresql::server::_version |
18 | | - $manage_pg_hba_conf = $postgresql::server::manage_pg_hba_conf |
19 | | - $manage_pg_ident_conf = $postgresql::server::manage_pg_ident_conf |
20 | | - $manage_recovery_conf = $postgresql::server::manage_recovery_conf |
21 | | - $manage_postgresql_conf_perms = $postgresql::server::manage_postgresql_conf_perms |
22 | | - $datadir = $postgresql::server::datadir |
23 | | - $logdir = $postgresql::server::logdir |
24 | | - $service_name = $postgresql::server::service_name |
25 | | - $service_enable = $postgresql::server::service_enable |
26 | | - $log_line_prefix = $postgresql::server::log_line_prefix |
27 | | - $timezone = $postgresql::server::timezone |
28 | | - $password_encryption = $postgresql::server::password_encryption |
29 | | - $extra_systemd_config = $postgresql::server::extra_systemd_config |
30 | | - |
31 | | - if ($manage_pg_hba_conf == true) { |
32 | | - # Prepare the main pg_hba file |
33 | | - concat { $pg_hba_conf_path: |
34 | | - owner => $user, |
35 | | - group => $group, |
36 | | - mode => '0640', |
37 | | - warn => true, |
38 | | - notify => Class['postgresql::server::reload'], |
39 | | - } |
40 | | - |
41 | | - if $pg_hba_conf_defaults { |
42 | | - Postgresql::Server::Pg_hba_rule { |
43 | | - database => 'all', |
44 | | - user => 'all', |
45 | | - } |
46 | | - |
47 | | - # Lets setup the base rules |
48 | | - $local_auth_option = $version ? { |
49 | | - '8.1' => 'sameuser', |
50 | | - default => undef, |
51 | | - } |
52 | | - |
53 | | - postgresql::server::pg_hba_rule { |
54 | | - 'local access as postgres user': |
55 | | - type => 'local', |
56 | | - user => $user, |
57 | | - auth_method => 'ident', |
58 | | - auth_option => $local_auth_option, |
59 | | - order => 1; |
60 | | - |
61 | | - 'local access to database with same name': |
62 | | - type => 'local', |
63 | | - auth_method => 'ident', |
64 | | - auth_option => $local_auth_option, |
65 | | - order => 2; |
66 | | - |
67 | | - 'allow localhost TCP access to postgresql user': |
68 | | - type => 'host', |
69 | | - user => $user, |
70 | | - address => '127.0.0.1/32', |
71 | | - auth_method => 'md5', |
72 | | - order => 3; |
73 | | - |
74 | | - 'deny access to postgresql user': |
75 | | - type => 'host', |
76 | | - user => $user, |
77 | | - address => $ip_mask_deny_postgres_user, |
78 | | - auth_method => 'reject', |
79 | | - order => 4; |
80 | | - |
81 | | - 'allow access to all users': |
82 | | - type => 'host', |
83 | | - address => $ip_mask_allow_all_users, |
84 | | - auth_method => 'md5', |
85 | | - order => 100; |
86 | | - |
87 | | - 'allow access to ipv6 localhost': |
88 | | - type => 'host', |
89 | | - address => '::1/128', |
90 | | - auth_method => 'md5', |
91 | | - order => 101; |
92 | | - } |
93 | | - } |
94 | | - |
95 | | - # $ipv4acls and $ipv6acls are arrays of rule strings |
96 | | - # They are converted into hashes we can iterate over to create postgresql::server::pg_hba_rule resources. |
97 | | - ( |
98 | | - postgresql::postgresql_acls_to_resources_hash($ipv4acls, 'ipv4acls', 10) + |
99 | | - postgresql::postgresql_acls_to_resources_hash($ipv6acls, 'ipv6acls', 102) |
100 | | - ).each | String $key, Hash $attrs| { |
101 | | - postgresql::server::pg_hba_rule { $key: |
102 | | - * => $attrs, |
103 | | - } |
104 | | - } |
105 | | - } |
106 | | - |
107 | | - if $manage_postgresql_conf_perms { |
108 | | - file { $postgresql_conf_path: |
109 | | - ensure => file, |
110 | | - owner => $user, |
111 | | - group => $group, |
112 | | - mode => $postgresql_conf_mode, |
113 | | - } |
114 | | - } |
115 | | - |
116 | | - if $listen_addresses { |
117 | | - postgresql::server::config_entry { 'listen_addresses': |
118 | | - value => $listen_addresses, |
119 | | - } |
120 | | - } |
121 | | - |
122 | | - # ensure that SELinux has a proper label for the port defined |
123 | | - if $postgresql::server::manage_selinux == true and $facts['os']['selinux']['enabled'] == true { |
124 | | - case $facts['os']['family'] { |
125 | | - 'RedHat', 'Linux': { |
126 | | - if $facts['os']['name'] == 'Amazon' { |
127 | | - $package_name = 'policycoreutils' |
128 | | - } |
129 | | - else { |
130 | | - $package_name = $facts['os']['release']['major'] ? { |
131 | | - '5' => 'policycoreutils', |
132 | | - '6' => 'policycoreutils-python', |
133 | | - '7' => 'policycoreutils-python', |
134 | | - default => 'policycoreutils-python-utils', |
135 | | - } |
136 | | - } |
137 | | - } |
138 | | - default: { |
139 | | - $package_name = 'policycoreutils' |
140 | | - } |
141 | | - } |
142 | | - |
143 | | - ensure_packages([$package_name]) |
144 | | - |
145 | | - $exec_command = ['/usr/sbin/semanage', 'port', '-a', '-t', 'postgresql_port_t', '-p', 'tcp', $port] |
146 | | - $exec_unless = "/usr/sbin/semanage port -l | grep -qw ${port}" |
147 | | - exec { "/usr/sbin/semanage port -a -t postgresql_port_t -p tcp ${port}": |
148 | | - command => $exec_command, |
149 | | - unless => $exec_unless, |
150 | | - before => Postgresql::Server::Config_entry['port'], |
151 | | - require => Package[$package_name], |
152 | | - } |
153 | | - } |
154 | | - |
155 | | - postgresql::server::config_entry { 'port': |
156 | | - value => $port, |
157 | | - } |
158 | | - |
159 | | - if ($password_encryption) and (versioncmp($version, '10') >= 0) { |
160 | | - postgresql::server::config_entry { 'password_encryption': |
161 | | - value => $password_encryption, |
162 | | - } |
163 | | - } |
164 | | - |
165 | | - postgresql::server::config_entry { 'data_directory': |
166 | | - value => $datadir, |
167 | | - } |
168 | | - if $timezone { |
169 | | - postgresql::server::config_entry { 'timezone': |
170 | | - value => $timezone, |
171 | | - } |
172 | | - } |
173 | | - if $logdir { |
174 | | - postgresql::server::config_entry { 'log_directory': |
175 | | - value => $logdir, |
176 | | - } |
177 | | - } |
178 | | - # Allow timestamps in log by default |
179 | | - if $log_line_prefix { |
180 | | - postgresql::server::config_entry { 'log_line_prefix': |
181 | | - value => $log_line_prefix, |
182 | | - } |
183 | | - } |
184 | | - |
185 | | - # RedHat-based systems hardcode some PG* variables in the init script, and need to be overriden |
186 | | - # in /etc/sysconfig/pgsql/postgresql. Create a blank file so we can manage it with augeas later. |
187 | | - if $facts['os']['family'] == 'RedHat' and versioncmp($facts['os']['release']['major'], '7') < 0 { |
188 | | - file { '/etc/sysconfig/pgsql/postgresql': |
189 | | - ensure => file, |
190 | | - replace => false, |
191 | | - } |
192 | | - |
193 | | - # The init script from the packages of the postgresql.org repository |
194 | | - # sources an alternate sysconfig file. |
195 | | - # I. e. /etc/sysconfig/pgsql/postgresql-9.3 for PostgreSQL 9.3 |
196 | | - # Link to the sysconfig file set by this puppet module |
197 | | - file { "/etc/sysconfig/pgsql/postgresql-${version}": |
198 | | - ensure => link, |
199 | | - target => '/etc/sysconfig/pgsql/postgresql', |
200 | | - require => File['/etc/sysconfig/pgsql/postgresql'], |
201 | | - } |
202 | | - } |
203 | | - |
204 | | - if ($manage_pg_ident_conf == true) { |
205 | | - concat { $pg_ident_conf_path: |
206 | | - owner => $user, |
207 | | - group => $group, |
208 | | - mode => '0640', |
209 | | - warn => true, |
210 | | - notify => Class['postgresql::server::reload'], |
211 | | - } |
212 | | - } |
213 | | - |
214 | | - # RHEL 7 and 8 both support drop-in files for systemd units. The old include directive is deprecated and may be removed in future systemd releases. |
215 | | - # Gentoo also supports drop-in files. |
216 | | - if $facts['os']['family'] in ['RedHat', 'Gentoo'] and $facts['service_provider'] == 'systemd' { |
217 | | - # While Puppet 6.1 and newer can do a daemon-reload if needed, systemd |
218 | | - # doesn't appear to report that correctly in all cases. |
219 | | - # One such case seems to be when an overriding unit file is removed from /etc |
220 | | - # and the original one from /lib *should* be used again. |
221 | | - # |
222 | | - # This can be removed when Puppet < 6.1 support is dropped *and* the file |
223 | | - # old-systemd-override is removed. |
224 | | - $systemd_command = ['systemctl', 'daemon-reload'] |
225 | | - exec { 'restart-systemd': |
226 | | - command => $systemd_command, |
227 | | - refreshonly => true, |
228 | | - path => '/bin:/usr/bin:/usr/local/bin', |
229 | | - before => Class['postgresql::server::service'], |
230 | | - } |
231 | | - |
232 | | - file { |
233 | | - default: |
234 | | - ensure => file, |
235 | | - owner => root, |
236 | | - group => root, |
237 | | - notify => [Exec['restart-systemd'], Class['postgresql::server::service']], |
238 | | - before => Class['postgresql::server::reload']; |
239 | | - |
240 | | - 'systemd-conf-dir': |
241 | | - ensure => directory, |
242 | | - path => "/etc/systemd/system/${service_name}.service.d"; |
243 | | - |
244 | | - # Template uses: |
245 | | - # - $facts['os']['name'] |
246 | | - # - $facts['os']['release']['major'] |
247 | | - # - $service_name |
248 | | - # - $port |
249 | | - # - $datadir |
250 | | - # - $extra_systemd_config |
251 | | - 'systemd-override': |
252 | | - path => "/etc/systemd/system/${service_name}.service.d/${service_name}.conf", |
253 | | - content => template('postgresql/systemd-override.erb'), |
254 | | - require => File['systemd-conf-dir']; |
255 | | - } |
256 | | - |
257 | | - if $service_enable != 'mask' { |
258 | | - # Remove old unit file to avoid conflicts |
259 | | - file { 'old-systemd-override': |
260 | | - ensure => absent, |
261 | | - path => "/etc/systemd/system/${service_name}.service", |
262 | | - notify => [Exec['restart-systemd'], Class['postgresql::server::service']], |
263 | | - before => Class['postgresql::server::reload'], |
264 | | - } |
265 | | - } |
| 3 | + postgresql::server::instance_config { 'main': |
| 4 | + ip_mask_deny_postgres_user => $postgresql::server::ip_mask_deny_postgres_user, |
| 5 | + ip_mask_allow_all_users => $postgresql::server::ip_mask_allow_all_users, |
| 6 | + listen_addresses => $postgresql::server::listen_addresses, |
| 7 | + port => $postgresql::server::port, |
| 8 | + ipv4acls => $postgresql::server::ipv4acls, |
| 9 | + ipv6acls => $postgresql::server::ipv6acls, |
| 10 | + pg_hba_conf_path => $postgresql::server::pg_hba_conf_path, |
| 11 | + pg_ident_conf_path => $postgresql::server::pg_ident_conf_path, |
| 12 | + postgresql_conf_path => $postgresql::server::postgresql_conf_path, |
| 13 | + postgresql_conf_mode => $postgresql::server::postgresql_conf_mode, |
| 14 | + recovery_conf_path => $postgresql::server::recovery_conf_path, |
| 15 | + pg_hba_conf_defaults => $postgresql::server::pg_hba_conf_defaults, |
| 16 | + user => $postgresql::server::user, |
| 17 | + group => $postgresql::server::group, |
| 18 | + version => $postgresql::server::_version, |
| 19 | + manage_pg_hba_conf => $postgresql::server::manage_pg_hba_conf, |
| 20 | + manage_pg_ident_conf => $postgresql::server::manage_pg_ident_conf, |
| 21 | + manage_recovery_conf => $postgresql::server::manage_recovery_conf, |
| 22 | + manage_postgresql_conf_perms => $postgresql::server::manage_postgresql_conf_perms, |
| 23 | + datadir => $postgresql::server::datadir, |
| 24 | + logdir => $postgresql::server::logdir, |
| 25 | + service_name => $postgresql::server::service_name, |
| 26 | + service_enable => $postgresql::server::service_enable, |
| 27 | + log_line_prefix => $postgresql::server::log_line_prefix, |
| 28 | + timezone => $postgresql::server::timezone, |
| 29 | + password_encryption => $postgresql::server::password_encryption, |
| 30 | + extra_systemd_config => $postgresql::server::extra_systemd_config, |
266 | 31 | } |
267 | 32 | } |
0 commit comments