From 73214a112804e56f0daaddcb85e70e08003ddc19 Mon Sep 17 00:00:00 2001
From: Arne Teuke
Date: Sun, 28 Sep 2025 15:47:55 +0200
Subject: [PATCH] add pg_hba rules

---
 .vscode/settings.json | 3 ++
 manifests/main/files.pp | 25 ++++++------
 manifests/params.pp | 4 ++
 manifests/server/pghba/pg_hba.pp | 55 ++++++++++++++++++++++++++
 manifests/server/pghba/pg_hba_rule.ppp | 45 +++++++++++++++++++++
 templates/pg_hba.conf.erb | 2 +
 templates/pg_hba_rule.conf.erb | 2 +-
 7 files changed, 123 insertions(+), 13 deletions(-)
 create mode 100644 manifests/server/pghba/pg_hba.pp
 create mode 100644 manifests/server/pghba/pg_hba_rule.ppp

diff --git a/.vscode/settings.json b/.vscode/settings.json
index 2922e3a..5bf56fa 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -14,6 +14,7 @@
 "geqo",
 "hashagg",
 "hashjoin",
+ "hostnossl",
 "hostssl",
 "indexonlyscan",
 "indexscan",
@@ -34,10 +35,12 @@
 "naptime",
 "nestloop",
 "partitionwise",
+ "pghba",
 "pgsql",
 "restartpoint",
 "seqscan",
 "seqscans",
+ "sspi",
 "sysconfdir",
 "sysv",
 "tablespace",
diff --git a/manifests/main/files.pp b/manifests/main/files.pp
index cf531ec..c65674e 100644
--- a/manifests/main/files.pp
+++ b/manifests/main/files.pp
@@ -10,18 +10,19 @@ class postgresql_cd::main::files (
 require postgresql_cd::server::initdb
 require postgresql_cd::main::dirs
 
- file { '/var/lib/pgsql/data/pg_hba.conf':
- ensure => file,
- owner => 'postgres',
- group => 'postgres',
- mode => '0600',
- selrange => s0,
- selrole => object_r,
- seltype => postgresql_db_t,
- seluser => unconfined_u,
- content => template('postgresql_cd/pg_hba.conf.erb'),
- notify => Service[$pl_service],
- }
+ # outsourced to pghba::pghba for concatenation
+# file { '/var/lib/pgsql/data/pg_hba.conf':
+# ensure => file,
+# owner => 'postgres',
+# group => 'postgres',
+# mode => '0600',
+# selrange => s0,
+# selrole => object_r,
+# seltype => postgresql_db_t,
+# seluser => unconfined_u,
+# content => template('postgresql_cd/pg_hba.conf.erb'),
+# notify => Service[$pl_service],
+# }
 
 file { '/var/lib/pgsql/data/postgresql.conf':
 ensure => file,
diff --git a/manifests/params.pp b/manifests/params.pp
index a816b21..21a2ac8 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -56,6 +56,10 @@ class postgresql_cd::params (
 # Directories
 $pl_data_dir = '/var/lib/pgsql/data/'
 
+ # files
+ $pl_pl_pg_hba_conf = "${pl_data_dir}/pg_hba.conf"
+ $pl_pg_hba_rule_conf = 'postgresql_cd/pg_hba_rule.conf.erb'
+
 # includes must be last
 include postgresql_cd::main::config
 }
diff --git a/manifests/server/pghba/pg_hba.pp b/manifests/server/pghba/pg_hba.pp
new file mode 100644
index 0000000..364e343
--- /dev/null
+++ b/manifests/server/pghba/pg_hba.pp
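Review bot: The thirteen commented-out lines that replace the file resource should be deleted rather than kept — the old block is in git history, and the comment names `pghba::pghba` while the class this patch actually adds is `postgresql_cd::server::pghba::pg_hba`. That removed resource was also the only place that pinned pg_hba.conf's group, `0600` mode and SELinux attributes, and nothing in this hunk declares the new class, so unless it is included somewhere not visible here the file is now unmanaged on the server. Suggested replacement for the commented block: `# pg_hba.conf is assembled by postgresql_cd::server::pghba::pg_hba (concat)` followed by `include postgresql_cd::server::pghba::pg_hba`. The class postgresql_cd::main::files begins before this hunk.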
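Review bot: `$pl_pl_pg_hba_conf` on the second added line of the params.pp hunk is a typo — both new manifests read `$pl_pg_hba_conf` (pg_hba.pp through inheritance, pg_hba_rule.ppp as `$postgresql_cd::params::pl_pg_hba_conf`), so the concat target resolves to undef. The same hunk also needs `$pl_pg_hba_conf_erb`, which pg_hba.pp passes to `template()` and which is declared nowhere in this patch. `$pl_data_dir` already ends in `/`, so the interpolation produces `/var/lib/pgsql/data//pg_hba.conf` as the resource title; it works on Linux but is worth normalizing. Suggested lines: `$pl_pg_hba_conf = "${pl_data_dir}pg_hba.conf"` and `$pl_pg_hba_conf_erb = 'postgresql_cd/pg_hba.conf.erb'`.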
@@ -0,0 +1,55 @@
+## postgresql_cd::server::pg_hba.pp
+# Module name: postgresql_cd
+# Author: Arne Teuke (arne_teuke@puppetsoft.com)
+# @summary Class manages pg_hba.conf file and line entries through define
+# pg_hba_rule.pp
+# @example postgresql_cd::server::pghba::pg_hba_rule { 'local access for role postgres':
+# psql_auth_type => 'local',
+# psql_auth_database => 'all',
+# psql_auth_user => 'postgres',
+# psql_auth_method => 'trust',
+# psql_auth_order => '001',
+# psql_auth_option => '',
+# }
+##############################################################################
+class postgresql_cd::server::pghba::pg_hba (
+
+) inherits postgresql_cd::params {
+ if $fqdn == $pl_server_fqdn {
+ # create the pg_hba.conf file
+
+ concat { $pl_pg_hba_conf:
+ ensure => present,
+ owner => 'postgres',
+ mode => '0640',
+ notify => Service[$pl_service],
+ }
+
+ # manage file header
+
+ concat::fragment { 'header':
+ target => $pl_pg_hba_conf,
+ content => template($pl_pg_hba_conf_erb),
+ order => '000',
+ }
+
+ # manage default rules => should go into external config set
+# postgresql_cd::server::pghba::pg_hba_rule { 'local access for role postgres':
+# psql_auth_type => 'local',
+# psql_auth_database => 'all',
+# psql_auth_user => $ql_user_name,
+# psql_auth_method => 'trust',
+# psql_auth_order => '001',
+# psql_auth_option => $ql_auth_option,
+# }
+
+# postgresql_cd::server::pghba::pg_hba_rule { 'local access for all roles':
+# psql_auth_type => 'local',
+# psql_auth_database => 'all',
+# psql_auth_user => 'all',
+# psql_auth_method => 'trust',
+# psql_auth_order => '002',
+# psql_auth_option => $pl_auth_option,
+# }
+ }
+}
diff --git a/manifests/server/pghba/pg_hba_rule.ppp b/manifests/server/pghba/pg_hba_rule.ppp
new file mode 100644
index 0000000..58f68ad
--- /dev/null
+++ b/manifests/server/pghba/pg_hba_rule.ppp
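Review bot: The `concat` resource relaxes what the removed file resource in files.pp enforced: `mode => '0640'` where it was `'0600'`, no `group`, and none of the `selrange`/`selrole`/`seltype`/`seluser` attributes, so on an SELinux host the assembled pg_hba.conf keeps the right context only if the directory default happens to apply. Restore `group => 'postgres',` and `mode => '0600',`; the concat type accepts the sel* parameters as well. `template($pl_pg_hba_conf_erb)` on the header fragment names a variable this patch never declares (params.pp adds only `$pl_pl_pg_hba_conf` and `$pl_pg_hba_rule_conf`), so the header cannot render, and the fragment title `'header'` is generic enough to collide with any other module's fragment of the same name. The `@example` block passes `psql_auth_*` keys while the define's parameters are `pl_auth_*`, and `$fqdn` is the legacy top-scope fact — `$facts['networking']['fqdn']` is the supported form.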
@@ -0,0 +1,45 @@
+## postgresql_cd::server::pghba::pg_hba_rule
+# Module name: postgresql_cd
+# Author: Arne Teuke (arne_teuke@puppetsoft.com)
+# @summary define manages rule entries for pg_hba configuration file
+# @see https://www.postgresql.org/docs/9.6/static/auth-pg-hba-conf.html
+# @param [string] pl_auth_type Specify the authentication type, can be
+# 'local', 'host', 'hostssl' or 'hostnossl'.
+# @param [string] pl_auth_database Specify the database for the connection
+# @param [string] pl_auth_user Specify the user for the connection
+# @param [string] pl_auth_address SPecify IP address or FQDN for the
+# connection, i.e. where to connect FROM.
+# @param [string] pl_auth_method Specify the auth method, can be 'trust',
+# 'reject', 'md5' , 'password', 'gss', 'sspi', 'ident', 'peer', 'ldap',
+# 'radius', 'cert', 'pam','bsd'
+# @param [string] pl_auth_option After the auth-method field, there can be
+# field(s) of the form name=value that specify options for the authentication
+# method.
+# @param [string] pl_auth_order Specify the order in which the entry should
+# appear on the list. Lower orders are higher on the list.
+# @param [string] pl_auth_description Specify a description for the entry.
+##############################################################################
+define postgresql_cd::server::pghba::pg_hba_rule (
+
+ Optional[String] $pl_auth_type = undef,
+ Optional[String] $pl_auth_database = undef,
+ Optional[String] $pl_auth_user = undef,
+ Optional[String] $pl_auth_address = undef,
+ Optional[String] $pl_auth_method = undef,
+ Optional[String] $pl_auth_option = undef,
+ Optional[String] $pl_auth_order = undef,
+ Optional[String] $pl_auth_description = undef,
+
+) {
+ $pl_pg_hba_conf = $postgresql_cd::params::pl_pg_hba_conf
+ $pl_pg_hba_rule_conf = $postgresql_cd::params::pl_pg_hba_rule_conf
+ $pl_data_dir = $postgresql_cd::params::pl_data_dir
+
+# create rule fragment
+
+ concat::fragment { "pl_rule_${name}":
+ target => $pl_pg_hba_conf,
+ content => template($pl_pg_hba_rule_conf),
+ order => $pl_auth_order,
+ }
+}
diff --git a/templates/pg_hba.conf.erb b/templates/pg_hba.conf.erb
index 53cdb06..958ce22 100644
--- a/templates/pg_hba.conf.erb
+++ b/templates/pg_hba.conf.erb
@@ -18,3 +18,5 @@ host replication all 127.0.0.1/32 md5 host replication all ::1/128 md5 host all all 0.0.0.0/0 md5 + +# custom rules below
diff --git a/templates/pg_hba_rule.conf.erb b/templates/pg_hba_rule.conf.erb
index 2e84157..4cdf5a8 100644
--- a/templates/pg_hba_rule.conf.erb
+++ b/templates/pg_hba_rule.conf.erb
@@ -1,3 +1,3 @@
 # description: <%=@name%>
-# order number: <%=@psql_auth_order%>
+# order number: <%=@pl_auth_order%>
 <%= @pl_auth_type %> <%= @pl_auth_database %> <%= @pl_auth_user %> <%= @pl_auth_address %> <%=@pl_auth_method %> <%=@psql_auth_option%>
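Review bot: The new define is added as `pg_hba_rule.ppp`, but the Puppet autoloader resolves `postgresql_cd::server::pghba::pg_hba_rule` only from a `.pp` file, so every declaration of this type fails until the file is renamed. Independently, all eight parameters are `Optional[String] = undef` while the template writes `type database user address method` unconditionally: a `host` rule without `pl_auth_address` puts the method into the address column and PostgreSQL rejects the file on reload, and an undef `pl_auth_order` leaves fragment placement to concat's default. The columns pg_hba.conf requires should be mandatory, with the address required for every type except `local`; `$pl_data_dir` is assigned but never used and `pl_auth_description` is documented but never rendered. Rewritten parameter list and guard (the concat::fragment body stays as is):
```puppet
define postgresql_cd::server::pghba::pg_hba_rule (
  Enum['local', 'host', 'hostssl', 'hostnossl'] $pl_auth_type,
  String[1]                                     $pl_auth_database,
  String[1]                                     $pl_auth_user,
  String[1]                                     $pl_auth_method,
  String[1]                                     $pl_auth_order,
  Optional[String[1]]                           $pl_auth_address     = undef,
  Optional[String]                              $pl_auth_option      = undef,
  Optional[String]                              $pl_auth_description = undef,
) {
  # pg_hba.conf has an address column only for the TCP/IP rule types
  if $pl_auth_type != 'local' and $pl_auth_address == undef {
    fail("pg_hba_rule[${name}]: pl_auth_address is required for type '${pl_auth_type}'")
  }
  $pl_pg_hba_conf      = $postgresql_cd::params::pl_pg_hba_conf
  $pl_pg_hba_rule_conf = $postgresql_cd::params::pl_pg_hba_rule_conf
  # … unchanged: concat::fragment declaration …
}
```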
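Review bot: The `# custom rules below` marker is appended after the template's existing `host all all 0.0.0.0/0 md5` line, and pg_hba.conf is matched first-hit, so every `host`/`hostssl`/`hostnossl` fragment the new define adds (any order above `'000'`) is unreachable for TCP/IP connections — only `local` rules can still take effect, and a later `reject` rule cannot narrow access at all. Move that catch-all out of the header into its own `pg_hba_rule` with the highest order (constructed example: `pl_auth_order => '999'`), or drop it from the header so the rule set decides exposure. The `md5` method on those context lines predates this patch, but `scram-sha-256` is the current password method and is worth changing while the header is being reworked.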
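Review bot: The rename to `@pl_auth_order` on the added line is incomplete — the unchanged third line still emits `<%=@psql_auth_option%>`, which is not a variable of the define (it declares `$pl_auth_option`), so the options column renders empty for every generated rule and method settings such as the `name=value` pairs of an `ldap` or `cert` rule are silently dropped. Change it to `<%= @pl_auth_option %>`. Wrapping the address field in `<%- if @pl_auth_address -%>` … `<%- end -%>` would also keep `local` rules from carrying an empty column.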