add pg_hba rules

2025-09-28 15:47:55 +02:00
parent 95347b22bf
commit 73214a1128
7 changed files with 123 additions and 13 deletions
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -14,6 +14,7 @@
        "geqo",
        "hashagg",
        "hashjoin",
        "hostnossl",
        "hostssl",
        "indexonlyscan",
        "indexscan",
@@ -34,10 +35,12 @@
        "naptime",
        "nestloop",
        "partitionwise",
        "pghba",
        "pgsql",
        "restartpoint",
        "seqscan",
        "seqscans",
        "sspi",
        "sysconfdir",
        "sysv",
        "tablespace",
--- a/manifests/main/files.pp
+++ b/manifests/main/files.pp
@@ -10,18 +10,19 @@ class postgresql_cd::main::files (
    require postgresql_cd::server::initdb
    require postgresql_cd::main::dirs
-    file { '/var/lib/pgsql/data/pg_hba.conf':
+    # outsourced to pghba::pghba for concatenation
-      ensure   => file,
+#    file { '/var/lib/pgsql/data/pg_hba.conf':
-      owner    => 'postgres',
+#      ensure   => file,
-      group    => 'postgres',
+#      owner    => 'postgres',
-      mode     => '0600',
+#      group    => 'postgres',
-      selrange => s0,
+#      mode     => '0600',
-      selrole  => object_r,
+#      selrange => s0,
-      seltype  => postgresql_db_t,
+#      selrole  => object_r,
-      seluser  => unconfined_u,
+#      seltype  => postgresql_db_t,
-      content  => template('postgresql_cd/pg_hba.conf.erb'),
+#      seluser  => unconfined_u,
-      notify   => Service[$pl_service],
+#      content  => template('postgresql_cd/pg_hba.conf.erb'),
-    }
+#      notify   => Service[$pl_service],
 #    }
    file { '/var/lib/pgsql/data/postgresql.conf':
      ensure   => file,
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -56,6 +56,10 @@ class postgresql_cd::params (
  # Directories
  $pl_data_dir              = '/var/lib/pgsql/data/'
  # files
  $pl_pl_pg_hba_conf        = "${pl_data_dir}/pg_hba.conf"
  $pl_pg_hba_rule_conf      = 'postgresql_cd/pg_hba_rule.conf.erb'
  # includes must be last
  include postgresql_cd::main::config
 }
--- a/manifests/server/pghba/pg_hba.pp
+++ b/manifests/server/pghba/pg_hba.pp
@@ -0,0 +1,55 @@
 ## postgresql_cd::server::pg_hba.pp
 # Module name: postgresql_cd
 # Author: Arne Teuke (arne_teuke@puppetsoft.com)
 # @summary Class manages pg_hba.conf file and line entries through define
 #   pg_hba_rule.pp
 # @example     postgresql_cd::server::pghba::pg_hba_rule { 'local access for role postgres':
 #      psql_auth_type        => 'local',
 #      psql_auth_database    => 'all',
 #      psql_auth_user        => 'postgres',
 #      psql_auth_method      => 'trust',
 #      psql_auth_order       => '001',
 #      psql_auth_option      => '',
 #    }
 ##############################################################################
 class postgresql_cd::server::pghba::pg_hba (
 ) inherits postgresql_cd::params {
  if $fqdn == $pl_server_fqdn {
    # create the pg_hba.conf file
    concat { $pl_pg_hba_conf:
      ensure => present,
      owner  => 'postgres',
      mode   => '0640',
      notify => Service[$pl_service],
    }
    # manage file header
    concat::fragment { 'header':
      target  => $pl_pg_hba_conf,
      content => template($pl_pg_hba_conf_erb),
      order   => '000',
    }
    # manage default rules => should go into  external config set
 #    postgresql_cd::server::pghba::pg_hba_rule { 'local access for role postgres':
 #      psql_auth_type        => 'local',
 #      psql_auth_database    => 'all',
 #      psql_auth_user        => $ql_user_name,
 #      psql_auth_method      => 'trust',
 #      psql_auth_order       => '001',
 #      psql_auth_option      => $ql_auth_option,
 #    }
 #    postgresql_cd::server::pghba::pg_hba_rule { 'local access for all roles':
 #      psql_auth_type        => 'local',
 #      psql_auth_database    => 'all',
 #      psql_auth_user        => 'all',
 #      psql_auth_method      => 'trust',
 #      psql_auth_order       => '002',
 #      psql_auth_option      => $pl_auth_option,
 #    }
  }
 }
--- a/manifests/server/pghba/pg_hba_rule.ppp
+++ b/manifests/server/pghba/pg_hba_rule.ppp
@@ -0,0 +1,45 @@
 ## postgresql_cd::server::pghba::pg_hba_rule
 # Module name: postgresql_cd
 # Author: Arne Teuke (arne_teuke@puppetsoft.com)
 # @summary define manages rule entries for pg_hba configuration file
 # @see https://www.postgresql.org/docs/9.6/static/auth-pg-hba-conf.html
 # @param [string] pl_auth_type  Specify the authentication type, can be
 #   'local', 'host', 'hostssl' or 'hostnossl'.
 # @param [string] pl_auth_database Specify the database for the connection
 # @param [string] pl_auth_user Specify the user for the connection
 # @param [string] pl_auth_address SPecify IP address or FQDN for the
 #   connection, i.e. where to connect FROM.
 # @param [string] pl_auth_method  Specify the auth method, can be 'trust',
 #   'reject', 'md5' , 'password', 'gss', 'sspi', 'ident', 'peer', 'ldap',
 #   'radius', 'cert', 'pam','bsd'
 # @param [string] pl_auth_option After the auth-method field, there can be
 #   field(s) of the form name=value that specify options for the authentication
 #   method.
 # @param [string] pl_auth_order  Specify the  order in which the entry should
 #   appear on the list. Lower orders are higher on the list.
 # @param [string] pl_auth_description Specify a description for the entry.
 ##############################################################################
 define postgresql_cd::server::pghba::pg_hba_rule (
  Optional[String] $pl_auth_type         = undef,
  Optional[String] $pl_auth_database     = undef,
  Optional[String] $pl_auth_user         = undef,
  Optional[String] $pl_auth_address      = undef,
  Optional[String] $pl_auth_method       = undef,
  Optional[String] $pl_auth_option       = undef,
  Optional[String] $pl_auth_order        = undef,
  Optional[String] $pl_auth_description  = undef,
 ) {
  $pl_pg_hba_conf       = $postgresql_cd::params::pl_pg_hba_conf
  $pl_pg_hba_rule_conf  = $postgresql_cd::params::pl_pg_hba_rule_conf
  $pl_data_dir          = $postgresql_cd::params::pl_data_dir
 # create rule fragment
  concat::fragment { "pl_rule_${name}":
    target  => $pl_pg_hba_conf,
    content => template($pl_pg_hba_rule_conf),
    order   => $pl_auth_order,
  }
 }
--- a/templates/pg_hba.conf.erb
+++ b/templates/pg_hba.conf.erb
@@ -18,3 +18,5 @@ host    replication     all             127.0.0.1/32            md5
 host    replication     all             ::1/128                 md5
 host    all             all             0.0.0.0/0               md5
 # custom rules below
--- a/templates/pg_hba_rule.conf.erb
+++ b/templates/pg_hba_rule.conf.erb
@@ -1,3 +1,3 @@
 # description:  <%=@name%>
-# order number: <%=@psql_auth_order%>
+# order number: <%=@pl_auth_order%>
 <%= @pl_auth_type %>  <%= @pl_auth_database %>  <%= @pl_auth_user %> <%= @pl_auth_address %> <%=@pl_auth_method %> <%=@psql_auth_option%>