From 527c6d784b48d1c2a5d0d5075f7e1ea366452bb0 Mon Sep 17 00:00:00 2001
From: 12ww1160 <arne_teuke@confdroid.com>
Date: Fri, 5 Dec 2025 14:02:54 +0100
Subject: [PATCH] add bouncer details

---
 manifests/bouncer/bouncer.pp                |  29 +-
 manifests/main/config.pp                    |   8 +-
 manifests/params.pp                         |   9 +-
 templates/server/bouncer/bouncer_rule.erb   |   7 +-
 templates/server/bouncer/bouncer_users.erb  |   1 +
 templates/server/bouncer/pgbouncer.ini.orig | 405 ++++++++++++++++++++
 6 files changed, 448 insertions(+), 11 deletions(-)
 create mode 100644 templates/server/bouncer/bouncer_users.erb
 create mode 100644 templates/server/bouncer/pgbouncer.ini.orig

diff --git a/manifests/bouncer/bouncer.pp b/manifests/bouncer/bouncer.pp
index 78b0121..8d2305b 100644
--- a/manifests/bouncer/bouncer.pp
+++ b/manifests/bouncer/bouncer.pp
@@ -7,13 +7,36 @@ class confdroid_postgresql::bouncer::bouncer (
 
 ) inherits confdroid_postgresql::params {
   if ($fqdn == $pl_server_fqdn) and ($pl_use_pg_bouncer == true) {
-    # create the pgbouncer.ini file
+    # ensure directory exists
+    file { $pl_bouncer_dir:
+      ensure   => directory,
+      owner    => 'root',
+      group    => 'root',
+      mode     => '0750',
+      selrange => s0,
+      selrole  => object_r,
+      seltype  => etc_t,
+      seluser  => system_u,
+    }
+    # create auth user file to be populated through placeholder
+    file { $pl_bouncer_auth_file:
+      ensure   => file,
+      owner    => 'pgbouncer',
+      group    => 'pgbouncer',
+      mode     => '0440',
+      selrange => s0,
+      selrole  => object_r,
+      seltype  => etc_t,
+      seluser  => system_u,
+      content  => template($pl_bouncer_auth_erb),
+    }
 
+    # create the pgbouncer.ini file
     concat { $pl_bouncer_ini_file:
       ensure => present,
-      owner  => 'postgres',
+      owner  => 'pgbouncer',
       mode   => '0600',
-      notify => Service[$pl_service],
+      #notify => Service[$pl_service],
     }
 
     # manage file header
diff --git a/manifests/main/config.pp b/manifests/main/config.pp
index ce47f83..998bd43 100644
--- a/manifests/main/config.pp
+++ b/manifests/main/config.pp
@@ -6,15 +6,15 @@
 class confdroid_postgresql::main::config (
 
 ) inherits confdroid_postgresql::params {
-  include confdroid_postgresql::main::install
+  require confdroid_postgresql::main::install
 
   if $fqdn == $pl_server_fqdn {
     include confdroid_postgresql::server::service
 #    if $pl_use_exporter == true {
 #      include confdroid_postgresql::exporter::service
 #    }
-#    if $pl_use_pg_bouncer == true {
-#      include confdroid_postgresql::bouncer::service
-#    }
+    if $pl_use_pg_bouncer == true {
+      include confdroid_postgresql::bouncer::service
+    }
   }
 }
diff --git a/manifests/params.pp b/manifests/params.pp
index 369e396..b2e4d8f 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -29,8 +29,8 @@
 # @param [Boolean] pl_use_pg_bouncer whether to use the pc_bouncer
 # @param [String] pl_bouncer_listen_addr bouncer listen address
 # @param [String] pl_bouncer_port bouncer listen port
-# @param [String] pl_bouncer_auth_file bouncer auth file
 # @param [String] pl_bouncer_auth_mode bouncer auth mode
+# @param [String] pl_bouncer_auth_users placeholder for users
 # @param [String] pl_bouncer_pool_mode bouncer pool mode
 # @param [String] pl_bouncer_mx_cl_conn bouncer max client connections
 # @param [String] pl_bouncer_pool_size bouncer default pool size
@@ -72,8 +72,8 @@ class confdroid_postgresql::params (
   Boolean $pl_use_pg_bouncer      = false,
   String $pl_bouncer_listen_addr  = '0.0.0.0',
   String $pl_bouncer_port         = '6432',
-  String $pl_bouncer_auth_file    = '/etc/pgbouncer/userlist.txt',
   String $pl_bouncer_auth_mode    = 'md5',
+  String $pl_bouncer_auth_users   = 'placeholder',
   String $pl_bouncer_pool_mode    = 'transaction',
   String $pl_bouncer_mx_cl_conn   = '100',
   String $pl_bouncer_pool_size    = '20',
@@ -86,13 +86,16 @@ class confdroid_postgresql::params (
 
   # Directories
   $pl_data_dir              = '/var/lib/pgsql/data/'
+  $pl_bouncer_dir           = '/etc/pgbouncer'
 
   # files
   $pl_pg_hba_conf           = "${pl_data_dir}/pg_hba.conf"
   $pl_pg_hba_rule_conf      = 'confdroid_postgresql/server/pghba/pg_hba_rule.conf.erb'
   $pl_pg_hba_conf_erb       = 'confdroid_postgresql/server/pghba/pg_hba.conf.erb'
-  $pl_bouncer_ini_file     = '/etc/pgbouncer/pgbouncer.ini',
+  $pl_bouncer_ini_file      = "${pl_bouncer_dir}/pgbouncer.ini",
   $pl_bouncer_ini_erb       = 'confdroid_postgresql/server/bouncer/pgbouncer.ini.erb'
+  $pl_bouncer_auth_file     = "${pl_bouncer_dir}/userlist.txt",
+  $pl_bouncer_auth_erb      = 'confdroid_postgresql/server/bouncer/bouncer_users.erb'
 
   # Service
   $pl_service               = 'postgresql'
diff --git a/templates/server/bouncer/bouncer_rule.erb b/templates/server/bouncer/bouncer_rule.erb
index 55a4fc3..362bfbd 100644
--- a/templates/server/bouncer/bouncer_rule.erb
+++ b/templates/server/bouncer/bouncer_rule.erb
@@ -1 +1,6 @@
-<%= @bouncer_db_name %> = host=<%= @bouncer_host %> port=<%= @db_host_port %> dbname=<%= @bouncer_db_name %>
\ No newline at end of file
+<%= @bouncer_db_name %> = host=<%= @bouncer_host %> port=<%= @db_host_port %> dbname=<%= @bouncer_db_name %>
+
+ user= password= auth_user=
+;;   client_encoding= datestyle= timezone=
+;;   pool_size= reserve_pool_size= max_db_connections=
+;;   pool_mode= connect_query= application_name=
\ No newline at end of file
diff --git a/templates/server/bouncer/bouncer_users.erb b/templates/server/bouncer/bouncer_users.erb
new file mode 100644
index 0000000..8c43af8
--- /dev/null
+++ b/templates/server/bouncer/bouncer_users.erb
@@ -0,0 +1 @@
+<%= @pl_bouncer_auth_users %>
\ No newline at end of file
diff --git a/templates/server/bouncer/pgbouncer.ini.orig b/templates/server/bouncer/pgbouncer.ini.orig
new file mode 100644
index 0000000..f5eb04e
--- /dev/null
+++ b/templates/server/bouncer/pgbouncer.ini.orig
@@ -0,0 +1,405 @@
+;;;
+;;; PgBouncer configuration file
+;;;
+
+;; database name = connect string
+;;
+;; connect string params:
+;;   dbname= host= port= user= password= auth_user=
+;;   client_encoding= datestyle= timezone=
+;;   pool_size= reserve_pool_size= max_db_connections=
+;;   pool_mode= connect_query= application_name=
+[databases]
+
+;; foodb over Unix socket
+;foodb =
+
+;; redirect bardb to bazdb on localhost
+;bardb = host=localhost dbname=bazdb
+
+;; access to dest database will go with single user
+;forcedb = host=localhost port=300 user=baz password=foo client_encoding=UNICODE datestyle=ISO connect_query='SELECT 1'
+
+;; use custom pool sizes
+;nondefaultdb = pool_size=50 reserve_pool_size=10
+
+;; use auth_user with auth_query if user not present in auth_file
+;; auth_user must exist in auth_file
+; foodb = auth_user=bar
+
+;; run auth_query on a specific database.
+; bardb = auth_dbname=foo max_db_client_connections=10
+
+;; fallback connect string
+;* = host=testserver
+
+;; User-specific configuration
+[users]
+
+;user1 = pool_size=5 reserve_pool_size=2 pool_mode=transaction max_user_connections=10 max_user_client_connections=20
+
+;; Configuration section
+[pgbouncer]
+
+;;;
+;;; Administrative settings
+;;;
+
+logfile = /var/log/pgbouncer/pgbouncer.log
+pidfile = /var/run/pgbouncer/pgbouncer.pid
+
+;;;
+;;; Where to wait for clients
+;;;
+
+;; IP address or * which means all IPs
+listen_addr = localhost
+listen_port = 6432
+
+;; Unix socket is also used for -R.
+;; On Debian it should be /var/run/postgresql
+;unix_socket_dir = /tmp
+;unix_socket_mode = 0777
+;unix_socket_group =
+
+;; The peer id used to identify this pgbouncer process in a group of pgbouncer
+;; processes that are peered together. When set to 0 pgbouncer peering is disabled
+;peer_id = 0
+
+;;; Notify client that they are queued after this many seconds
+;;; Disabled when set to 0
+;query_wait_notify = 5
+
+;;;
+;;; TLS settings for accepting clients
+;;;
+
+;; disable, allow, require, verify-ca, verify-full
+;client_tls_sslmode = disable
+
+;; Path to file that contains trusted CA certs
+;client_tls_ca_file = <system default>
+
+;; Private key and cert to present to clients.
+;; Required for accepting TLS connections from clients.
+;client_tls_key_file =
+;client_tls_cert_file =
+
+;; default, secure, fast, normal, <ciphersuite string>
+;client_tls_ciphers = default
+
+; TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256
+; TLS_AES_128_CCM_8_SHA256 TLS_AES_128_CCM_SHA256
+;client_tls13_ciphers =
+
+;; all, secure, tlsv1.0, tlsv1.1, tlsv1.2, tlsv1.3
+;client_tls_protocols = secure
+
+;; none, auto, legacy
+;client_tls_dheparams = auto
+
+;; none, auto, <curve name>
+;client_tls_ecdhcurve = auto
+
+;;;
+;;; TLS settings for connecting to backend databases
+;;;
+
+;; disable, allow, prefer, require, verify-ca, verify-full
+;server_tls_sslmode = prefer
+
+;; Path to that contains trusted CA certs
+;server_tls_ca_file = <system default>
+
+;; Private key and cert to present to backend.
+;; Needed only if backend server require client cert.
+;server_tls_key_file =
+;server_tls_cert_file =
+
+;; all, secure, tlsv1.0, tlsv1.1, tlsv1.2, tlsv1.3
+;server_tls_protocols = secure
+
+;; default, secure, fast, normal, <ciphersuite string>
+;server_tls_ciphers = default
+
+;; See client_tls13_ciphers.
+;server_tls13_ciphers =
+
+;;;
+;;; Authentication settings
+;;;
+
+;; any, trust, plain, md5, cert, hba, ldap, pam
+auth_type = md5
+auth_file = /etc/pgbouncer/userlist.txt
+
+;; Path to HBA-style auth config
+;auth_hba_file =
+
+;; Path to Pg-ident-style map file
+;auth_ident_file =
+
+;; LDAP connection options when "auth_type = ldap"
+;auth_ldap_options =
+
+;; Query to use to fetch password from database.  Result
+;; must have 2 columns - username and password hash.
+;auth_query = SELECT rolname, CASE WHEN rolvaliduntil < pg_catalog.now() THEN NULL ELSE rolpassword END FROM pg_authid WHERE rolname=$1 AND rolcanlogin
+
+;; Authentication database that can be set globally to run "auth_query".
+;auth_dbname =
+
+;;;
+;;; Users allowed into database 'pgbouncer'
+;;;
+
+;; comma-separated list of users who are allowed to change settings
+admin_users = postgres
+
+;; comma-separated list of users who are just allowed to use SHOW command
+stats_users = stats, postgres
+
+;;;
+;;; Pooler personality questions
+;;;
+
+;; When server connection is released back to pool:
+;;   session      - after client disconnects (default)
+;;   transaction  - after transaction finishes
+;;   statement    - after statement finishes
+;pool_mode = session
+
+;; Number of prepared statements to cache on a server connection (zero value
+;; disables support of prepared statements).
+;max_prepared_statements = 0
+
+;; The number of computational iterations to be performed when
+;; encrypting a password using SCRAM-SHA-256.
+;scram_iterations = 4096
+
+;; Query for cleaning connection immediately after releasing from
+;; client.  No need to put ROLLBACK here, pgbouncer does not reuse
+;; connections where transaction is left open.
+;server_reset_query = DISCARD ALL
+
+;; Whether server_reset_query should run in all pooling modes.  If it
+;; is off, server_reset_query is used only for session-pooling.
+;server_reset_query_always = 0
+
+;; Comma-separated list of parameters to track per client.  The
+;; Postgres parameters listed here will be cached per client by
+;; pgbouncer and restored in server every time the client runs a query.
+;track_extra_parameters = IntervalStyle
+
+;; Comma-separated list of parameters to ignore when given in startup
+;; packet.  Newer JDBC versions require the extra_float_digits here.
+;ignore_startup_parameters = extra_float_digits
+
+;; When taking idle server into use, this query is run first.
+;server_check_query = select 1
+
+;; If server was used more recently that this many seconds ago,
+;; skip the check query.  Value 0 may or may not run in immediately.
+;server_check_delay = 30
+
+;; Close servers in session pooling mode after a RECONNECT, RELOAD,
+;; etc. when they are idle instead of at the end of the session.
+;server_fast_close = 0
+
+;; Use <appname - host> as application_name on server.
+;application_name_add_host = 0
+
+;; Period for updating aggregated stats.
+;stats_period = 60
+
+;;;
+;;; Connection limits
+;;;
+
+;; Total number of clients that can connect
+;max_client_conn = 100
+
+;; Default pool size.  20 is good number when transaction pooling
+;; is in use, in session pooling it needs to be the number of
+;; max clients you want to handle at any moment
+;default_pool_size = 20
+
+;; Minimum number of server connections to keep in pool.
+;min_pool_size = 0
+
+; how many additional connection to allow in case of trouble
+;reserve_pool_size = 0
+
+;; If a clients needs to wait more than this many seconds, use reserve
+;; pool.
+;reserve_pool_timeout = 5
+
+;; Maximum number of server connections for a database
+;max_db_connections = 0
+
+;; Maximum number of server connections for a user
+;max_user_connections = 0
+
+;; If off, then server connections are reused in LIFO manner
+;server_round_robin = 0
+
+;;;
+;;; Logging
+;;;
+
+;; Syslog settings
+;syslog = 0
+;syslog_facility = daemon
+;syslog_ident = pgbouncer
+
+;; log if client connects or server connection is made
+;log_connections = 1
+
+;; log if and why connection was closed
+;log_disconnections = 1
+
+;; log error messages pooler sends to clients
+;log_pooler_errors = 1
+
+;; write aggregated stats into log
+;log_stats = 1
+
+;; Logging verbosity.  Same as -v switch on command line.
+;verbose = 0
+
+;;;
+;;; Timeouts
+;;;
+
+;; Close server connection if its been connected longer.
+;server_lifetime = 3600
+
+;; Close server connection if its not been used in this time.  Allows
+;; to clean unnecessary connections from pool after peak.
+;server_idle_timeout = 600
+
+;; Cancel connection attempt if server does not answer takes longer.
+;server_connect_timeout = 15
+
+;; If server login failed (server_connect_timeout or auth failure)
+;; then wait this many second before trying again.
+;server_login_retry = 15
+
+;; Dangerous.  Server connection is closed if query does not return in
+;; this time.  Should be used to survive network problems, _not_ as
+;; statement_timeout. (default: 0)
+;query_timeout = 0
+
+;; Dangerous.  Client connection is closed if the query is not
+;; assigned to a server in this time.  Should be used to limit the
+;; number of queued queries in case of a database or network
+;; failure. (default: 120)
+;query_wait_timeout = 120
+
+;; Dangerous.  Client connection is closed if the cancellation request
+;; is not assigned to a server in this time.  Should be used to limit
+;; the time a client application blocks on a queued cancel request in
+;; case of a database or network failure. (default: 10)
+;cancel_wait_timeout = 10
+
+;; Dangerous.  Client connection is closed if no activity in this
+;; time.  Should be used to survive network problems. (default: 0)
+;client_idle_timeout = 0
+
+;; Disconnect clients who have not managed to log in after connecting
+;; in this many seconds.
+;client_login_timeout = 60
+
+;; Clean automatically created database entries (via "*") if they stay
+;; unused in this many seconds.
+;autodb_idle_timeout = 3600
+
+;; Close connections which are in "IDLE in transaction" state longer
+;; than this many seconds.
+;idle_transaction_timeout = 0
+
+;; How long SUSPEND/-R waits for buffer flush before closing
+;; connection.
+;suspend_timeout = 10
+
+;;;
+;;; Low-level tuning options
+;;;
+
+;; buffer for streaming packets
+;pkt_buf = 4096
+
+;; man 2 listen
+;listen_backlog = 128
+
+;; Max number pkt_buf to process in one event loop.
+;sbuf_loopcnt = 5
+
+;; Maximum PostgreSQL protocol packet size.
+;max_packet_size = 2147483647
+
+;; Set SO_REUSEPORT socket option
+;so_reuseport = 0
+
+;; networking options, for info: man 7 tcp
+
+;; Linux: Notify program about new connection only if there is also
+;; data received.  (Seconds to wait.)  On Linux the default is 45, on
+;; other OS'es 0.
+;tcp_defer_accept = 0
+
+;; In-kernel buffer size (Linux default: 4096)
+;tcp_socket_buffer = 0
+
+;; whether tcp keepalive should be turned on (0/1)
+;tcp_keepalive = 1
+
+;; The following options are Linux-specific.  They also require
+;; tcp_keepalive=1.
+
+;; Count of keepalive packets
+;tcp_keepcnt = 0
+
+;; How long the connection can be idle before sending keepalive
+;; packets
+;tcp_keepidle = 0
+
+;; The time between individual keepalive probes
+;tcp_keepintvl = 0
+
+;; How long may transmitted data remain unacknowledged before TCP
+;; connection is closed (in milliseconds)
+;tcp_user_timeout = 0
+
+;; DNS lookup caching time
+;dns_max_ttl = 15
+
+;; DNS zone SOA lookup period
+;dns_zone_check_period = 0
+
+;; DNS negative result caching time
+;dns_nxdomain_ttl = 15
+
+;; Custom resolv.conf file, to set custom DNS servers or other options
+;; (default: empty = use OS settings)
+;resolv_conf = /etc/pgbouncer/resolv.conf
+
+;;;
+;;; Random stuff
+;;;
+
+;; Hackish security feature.  Helps against SQL injection: when PQexec
+;; is disabled, multi-statement cannot be made.
+;disable_pqexec = 0
+
+;; Config file to use for next RELOAD/SIGHUP
+;; By default contains config file from command line.
+;conffile
+
+;; Windows service name to register as.  job_name is alias for
+;; service_name, used by some Skytools scripts.
+;service_name = pgbouncer
+;job_name = pgbouncer
+
+;; Read additional config from other file
+;%include /etc/pgbouncer/pgbouncer-other.ini