diff --git a/.vscode/settings.json b/.vscode/settings.json
index 2922e3a..5bf56fa 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -14,6 +14,7 @@
 "geqo",
 "hashagg",
 "hashjoin",
+ "hostnossl",
 "hostssl",
 "indexonlyscan",
 "indexscan",
@@ -34,10 +35,12 @@
 "naptime",
 "nestloop",
 "partitionwise",
+ "pghba",
 "pgsql",
 "restartpoint",
 "seqscan",
 "seqscans",
+ "sspi",
 "sysconfdir",
 "sysv",
 "tablespace",
diff --git a/doc/_index.html b/doc/_index.html
index ac8b1ec..09dfdaf 100644
--- a/doc/_index.html
+++ b/doc/_index.html
@@ -108,6 +108,11 @@ +
  • + postgresql_cd::server::pghba::pg_hba + +
  • +
  • postgresql_cd::server::service diff --git a/doc/puppet_class_list.html b/doc/puppet_class_list.html index 7c5cdc4..1127584 100644 --- a/doc/puppet_class_list.html +++ b/doc/puppet_class_list.html @@ -92,7 +92,14 @@
  • -
  • +
  • +
    + postgresql_cd::server::pghba::pg_hba +
    +
  • + + +
  • postgresql_cd::server::service
    diff --git a/doc/puppet_classes/postgresql_cd_3A_3Amain_3A_3Afiles.html b/doc/puppet_classes/postgresql_cd_3A_3Amain_3A_3Afiles.html index 8d2be67..146e44f 100644 --- a/doc/puppet_classes/postgresql_cd_3A_3Amain_3A_3Afiles.html +++ b/doc/puppet_classes/postgresql_cd_3A_3Amain_3A_3Afiles.html @@ -134,7 +134,8 @@ 36 37 38 -39 +39 +40
    # File 'manifests/main/files.pp', line 6
    @@ -146,18 +147,19 @@ class postgresql_cd::main::files (
         require postgresql_cd::server::initdb
         require postgresql_cd::main::dirs
     
    -    file { '/var/lib/pgsql/data/pg_hba.conf':
    -      ensure   => file,
    -      owner    => 'postgres',
    -      group    => 'postgres',
    -      mode     => '0600',
    -      selrange => s0,
    -      selrole  => object_r,
    -      seltype  => postgresql_db_t,
    -      seluser  => unconfined_u,
    -      content  => template('postgresql_cd/pg_hba.conf.erb'),
    -      notify   => Service[$pl_service],
    -    }
    +    # outsourced to pghba::pghba for concatenation
    +#    file { '/var/lib/pgsql/data/pg_hba.conf':
    +#      ensure   => file,
    +#      owner    => 'postgres',
    +#      group    => 'postgres',
    +#      mode     => '0600',
    +#      selrange => s0,
    +#      selrole  => object_r,
    +#      seltype  => postgresql_db_t,
    +#      seluser  => unconfined_u,
    +#      content  => template('postgresql_cd/pg_hba.conf.erb'),
    +#      notify   => Service[$pl_service],
    +#    }
     
         file { '/var/lib/pgsql/data/postgresql.conf':
           ensure   => file,
    diff --git a/doc/puppet_classes/postgresql_cd_3A_3Aparams.html b/doc/puppet_classes/postgresql_cd_3A_3Aparams.html
    index d8234ef..8e0dd28 100644
    --- a/doc/puppet_classes/postgresql_cd_3A_3Aparams.html
    +++ b/doc/puppet_classes/postgresql_cd_3A_3Aparams.html
    @@ -81,6 +81,8 @@
           
           postgresql_cd::firewall::iptables
    + postgresql_cd::server::pghba::pg_hba
    + @@ -429,7 +431,11 @@ 58 59 60 -61
    +61 +62 +63 +64 +65
    # File 'manifests/params.pp', line 23
    @@ -470,6 +476,10 @@ class postgresql_cd::params (
       # Directories
       $pl_data_dir              = '/var/lib/pgsql/data/'
     
    +  # files
    +  $pl_pl_pg_hba_conf        = "${pl_data_dir}/pg_hba.conf"
    +  $pl_pg_hba_rule_conf      = 'postgresql_cd/pg_hba_rule.conf.erb'
    +
       # includes must be last
       include postgresql_cd::main::config
     }
    diff --git a/doc/puppet_classes/postgresql_cd_3A_3Aserver_3A_3Apghba_3A_3Apg_hba.html b/doc/puppet_classes/postgresql_cd_3A_3Aserver_3A_3Apghba_3A_3Apg_hba.html new file mode 100644 index 0000000..a5b6901 --- /dev/null +++ b/doc/puppet_classes/postgresql_cd_3A_3Aserver_3A_3Apghba_3A_3Apg_hba.html @@ -0,0 +1,220 @@ + + + + + + + Puppet Class: postgresql_cd::server::pghba::pg_hba + + — Documentation by YARD 0.9.36 + + + + + + + + + + + + + + + + + + + +
    + + +

    Puppet Class: postgresql_cd::server::pghba::pg_hba

    +
    + +
    +
    Inherits:
    +
    postgresql_cd::params
    +
    + + +
    +
    Defined in:
    +
    + manifests/server/pghba/pg_hba.pp +
    +
    +
    + +

    Summary

    + Class manages pg_hba.conf file and line entries through define +pg_hba_rule.pp + +

    Overview

    +
    +
    + +

    postgresql_cd::server::pg_hba.pp Module name: postgresql_cd Author: Arne Teuke (arne_teuke@puppetsoft.com) }

    + +
    +
    + + + +
    + +
    +

    Examples:

    + + +

    +

    postgresql_cd::server::pghba::pg_hba_rule { ‘local access for role postgres’:

    +

    + +
    psql_auth_type        => 'local',
    +psql_auth_database    => 'all',
    +psql_auth_user        => 'postgres',
    +psql_auth_method      => 'trust',
    +psql_auth_order       => '001',
    +psql_auth_option      => '',
    + +
    + + + +
    + + + + + +
    +
    +
    +
    +15
    +16
    +17
    +18
    +19
    +20
    +21
    +22
    +23
    +24
    +25
    +26
    +27
    +28
    +29
    +30
    +31
    +32
    +33
    +34
    +35
    +36
    +37
    +38
    +39
    +40
    +41
    +42
    +43
    +44
    +45
    +46
    +47
    +48
    +49
    +50
    +51
    +52
    +53
    +54
    +55
    +
    +
    # File 'manifests/server/pghba/pg_hba.pp', line 15
    +
    +class postgresql_cd::server::pghba::pg_hba (
    +
    +) inherits postgresql_cd::params {
    +  if $fqdn == $pl_server_fqdn {
    +    # create the pg_hba.conf file
    +
    +    concat { $pl_pg_hba_conf:
    +      ensure => present,
    +      owner  => 'postgres',
    +      mode   => '0640',
    +      notify => Service[$pl_service],
    +    }
    +
    +    # manage file header
    +
    +    concat::fragment { 'header':
    +      target  => $pl_pg_hba_conf,
    +      content => template($pl_pg_hba_conf_erb),
    +      order   => '000',
    +    }
    +
    +    # manage default rules => should go into  external config set
    +#    postgresql_cd::server::pghba::pg_hba_rule { 'local access for role postgres':
    +#      psql_auth_type        => 'local',
    +#      psql_auth_database    => 'all',
    +#      psql_auth_user        => $ql_user_name,
    +#      psql_auth_method      => 'trust',
    +#      psql_auth_order       => '001',
    +#      psql_auth_option      => $ql_auth_option,
    +#    }
    +
    +#    postgresql_cd::server::pghba::pg_hba_rule { 'local access for all roles':
    +#      psql_auth_type        => 'local',
    +#      psql_auth_database    => 'all',
    +#      psql_auth_user        => 'all',
    +#      psql_auth_method      => 'trust',
    +#      psql_auth_order       => '002',
    +#      psql_auth_option      => $pl_auth_option,
    +#    }
    +  }
    +}
    +
    +
    +
    + + + +
    + + \ No newline at end of file diff --git a/manifests/main/files.pp b/manifests/main/files.pp index cf531ec..c65674e 100644 --- a/manifests/main/files.pp +++ b/manifests/main/files.pp @@ -10,18 +10,19 @@ class postgresql_cd::main::files ( require postgresql_cd::server::initdb require postgresql_cd::main::dirs - file { '/var/lib/pgsql/data/pg_hba.conf': - ensure => file, - owner => 'postgres', - group => 'postgres', - mode => '0600', - selrange => s0, - selrole => object_r, - seltype => postgresql_db_t, - seluser => unconfined_u, - content => template('postgresql_cd/pg_hba.conf.erb'), - notify => Service[$pl_service], - } + # outsourced to pghba::pghba for concatenation +# file { '/var/lib/pgsql/data/pg_hba.conf': +# ensure => file, +# owner => 'postgres', +# group => 'postgres', +# mode => '0600', +# selrange => s0, +# selrole => object_r, +# seltype => postgresql_db_t, +# seluser => unconfined_u, +# content => template('postgresql_cd/pg_hba.conf.erb'), +# notify => Service[$pl_service], +# } file { '/var/lib/pgsql/data/postgresql.conf': ensure => file, diff --git a/manifests/params.pp b/manifests/params.pp index a816b21..21a2ac8 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -56,6 +56,10 @@ class postgresql_cd::params ( # Directories $pl_data_dir = '/var/lib/pgsql/data/' + # files + $pl_pl_pg_hba_conf = "${pl_data_dir}/pg_hba.conf" + $pl_pg_hba_rule_conf = 'postgresql_cd/pg_hba_rule.conf.erb' + # includes must be last include postgresql_cd::main::config } diff --git a/manifests/server/pghba/pg_hba.pp b/manifests/server/pghba/pg_hba.pp new file mode 100644 index 0000000..364e343 --- /dev/null +++ b/manifests/server/pghba/pg_hba.pp 
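Review bot: The old `file { '/var/lib/pgsql/data/pg_hba.conf': … }` resource is left behind as twelve commented-out lines, and the comment that replaces it names `pghba::pghba` while the class this commit adds is `postgresql_cd::server::pghba::pg_hba`. Nothing in this hunk requires or includes that class, so unless it is declared elsewhere pg_hba.conf is simply unmanaged from now on on hosts that got it from here; I would delete the commented block (git keeps the history), write `# pg_hba.conf is assembled by postgresql_cd::server::pghba::pg_hba (concat)` in its place, and, if ordering against initdb and the dirs class matters, add `require postgresql_cd::server::pghba::pg_hba` beside the two existing requires. The class postgresql_cd::main::files starts before the hunk and ends after it.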
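Review bot: The new variable is spelled `$pl_pl_pg_hba_conf`, but `postgresql_cd::server::pghba::pg_hba` (`concat { $pl_pg_hba_conf:`) and the `pg_hba_rule` define in manifests/server/pghba/pg_hba_rule.ppp (`$postgresql_cd::params::pl_pg_hba_conf`) both read `$pl_pg_hba_conf`, so with strict variables the catalog fails to compile and without them the concat target is undef. `$pl_data_dir` already ends in a slash (`'/var/lib/pgsql/data/'`), so the interpolation yields `/var/lib/pgsql/data//pg_hba.conf`, and `$pl_pg_hba_conf_erb`, which pg_hba.pp passes to `template()` for the header fragment, is not defined here or anywhere else in the diff. Suggested replacement for the two new assignments: `$pl_pg_hba_conf = "${pl_data_dir}pg_hba.conf"`, `$pl_pg_hba_conf_erb = 'postgresql_cd/pg_hba.conf.erb'`, `$pl_pg_hba_rule_conf = 'postgresql_cd/pg_hba_rule.conf.erb'`. The class postgresql_cd::params starts before the hunk.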
@@ -0,0 +1,55 @@
+## postgresql_cd::server::pg_hba.pp
+# Module name: postgresql_cd
+# Author: Arne Teuke (arne_teuke@puppetsoft.com)
+# @summary Class manages pg_hba.conf file and line entries through define
+# pg_hba_rule.pp
+# @example postgresql_cd::server::pghba::pg_hba_rule { 'local access for role postgres':
+# psql_auth_type => 'local',
+# psql_auth_database => 'all',
+# psql_auth_user => 'postgres',
+# psql_auth_method => 'trust',
+# psql_auth_order => '001',
+# psql_auth_option => '',
+# }
+##############################################################################
+class postgresql_cd::server::pghba::pg_hba (
+
+) inherits postgresql_cd::params {
+ if $fqdn == $pl_server_fqdn {
+ # create the pg_hba.conf file
+
+ concat { $pl_pg_hba_conf:
+ ensure => present,
+ owner => 'postgres',
+ mode => '0640',
+ notify => Service[$pl_service],
+ }
+
+ # manage file header
+
+ concat::fragment { 'header':
+ target => $pl_pg_hba_conf,
+ content => template($pl_pg_hba_conf_erb),
+ order => '000',
+ }
+
+ # manage default rules => should go into external config set
+# postgresql_cd::server::pghba::pg_hba_rule { 'local access for role postgres':
+# psql_auth_type => 'local',
+# psql_auth_database => 'all',
+# psql_auth_user => $ql_user_name,
+# psql_auth_method => 'trust',
+# psql_auth_order => '001',
+# psql_auth_option => $ql_auth_option,
+# }
+
+# postgresql_cd::server::pghba::pg_hba_rule { 'local access for all roles':
+# psql_auth_type => 'local',
+# psql_auth_database => 'all',
+# psql_auth_user => 'all',
+# psql_auth_method => 'trust',
+# psql_auth_order => '002',
+# psql_auth_option => $pl_auth_option,
+# }
+ }
+}
diff --git a/manifests/server/pghba/pg_hba_rule.ppp b/manifests/server/pghba/pg_hba_rule.ppp
new file mode 100644
index 0000000..58f68ad
--- /dev/null
+++ b/manifests/server/pghba/pg_hba_rule.ppp
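Review bot: The `@example` in the header passes `psql_auth_type`, `psql_auth_database`, `psql_auth_user`, `psql_auth_method`, `psql_auth_order` and `psql_auth_option`, but the `pg_hba_rule` define added in this commit declares `pl_auth_type`, `pl_auth_database` and so on, so copying the example yields an unknown-parameter compile error; the two commented-out default rules use the same stale names plus `$ql_user_name`/`$ql_auth_option` and should be deleted rather than shipped. The example also documents `psql_auth_method => 'trust'` on a `local` rule, which lets any OS account that can reach the socket log in as that role with no credential; `peer`, which is in the method list the define documents, is the safer example. The `concat` resource drops the removed `file` resource's `group => 'postgres'` and SELinux labels and relaxes `mode` from `'0600'` to `'0640'`, so group read goes to whatever group the agent creates the file with (presumably root); add `group => 'postgres'`, and keep `seltype => postgresql_db_t` unless the directory's default context is known to apply. `template($pl_pg_hba_conf_erb)` reads a variable that no file in this diff defines (params.pp only adds the rule template path), so the header fragment cannot render.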
@@ -0,0 +1,45 @@
+## postgresql_cd::server::pghba::pg_hba_rule
+# Module name: postgresql_cd
+# Author: Arne Teuke (arne_teuke@puppetsoft.com)
+# @summary define manages rule entries for pg_hba configuration file
+# @see https://www.postgresql.org/docs/9.6/static/auth-pg-hba-conf.html
+# @param [string] pl_auth_type Specify the authentication type, can be
+# 'local', 'host', 'hostssl' or 'hostnossl'.
+# @param [string] pl_auth_database Specify the database for the connection
+# @param [string] pl_auth_user Specify the user for the connection
+# @param [string] pl_auth_address SPecify IP address or FQDN for the
+# connection, i.e. where to connect FROM.
+# @param [string] pl_auth_method Specify the auth method, can be 'trust',
+# 'reject', 'md5' , 'password', 'gss', 'sspi', 'ident', 'peer', 'ldap',
+# 'radius', 'cert', 'pam','bsd'
+# @param [string] pl_auth_option After the auth-method field, there can be
+# field(s) of the form name=value that specify options for the authentication
+# method.
+# @param [string] pl_auth_order Specify the order in which the entry should
+# appear on the list. Lower orders are higher on the list.
+# @param [string] pl_auth_description Specify a description for the entry.
+##############################################################################
+define postgresql_cd::server::pghba::pg_hba_rule (
+
+ Optional[String] $pl_auth_type = undef,
+ Optional[String] $pl_auth_database = undef,
+ Optional[String] $pl_auth_user = undef,
+ Optional[String] $pl_auth_address = undef,
+ Optional[String] $pl_auth_method = undef,
+ Optional[String] $pl_auth_option = undef,
+ Optional[String] $pl_auth_order = undef,
+ Optional[String] $pl_auth_description = undef,
+
+) {
+ $pl_pg_hba_conf = $postgresql_cd::params::pl_pg_hba_conf
+ $pl_pg_hba_rule_conf = $postgresql_cd::params::pl_pg_hba_rule_conf
+ $pl_data_dir = $postgresql_cd::params::pl_data_dir
+
+# create rule fragment
+
+ concat::fragment { "pl_rule_${name}":
+ target => $pl_pg_hba_conf,
+ content => template($pl_pg_hba_rule_conf),
+ order => $pl_auth_order,
+ }
+}
diff --git a/templates/pg_hba.conf.erb b/templates/pg_hba.conf.erb
index 53cdb06..958ce22 100644
--- a/templates/pg_hba.conf.erb
+++ b/templates/pg_hba.conf.erb
@@ -18,3 +18,5 @@ host replication all 127.0.0.1/32 md5 host replication all ::1/128 md5 host all all 0.0.0.0/0 md5 + +# custom rules below
diff --git a/templates/pg_hba_rule.conf.erb b/templates/pg_hba_rule.conf.erb
index 2e84157..4cdf5a8 100644
--- a/templates/pg_hba_rule.conf.erb
+++ b/templates/pg_hba_rule.conf.erb
@@ -1,3 +1,3 @@
 # description: <%=@name%>
-# order number: <%=@psql_auth_order%>
+# order number: <%=@pl_auth_order%>
 <%= @pl_auth_type %> <%= @pl_auth_database %> <%= @pl_auth_user %> <%= @pl_auth_address %> <%=@pl_auth_method %> <%=@psql_auth_option%>
diff --git a/templates/postgresql.conf.erb b/templates/postgresql.conf.erb
index 41f1078..325105c 100644
--- a/templates/postgresql.conf.erb
+++ b/templates/postgresql.conf.erb
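Review bot: The file is named `pg_hba_rule.ppp`, and Puppet's autoloader only resolves `postgresql_cd::server::pghba::pg_hba_rule` from `manifests/server/pghba/pg_hba_rule.pp`, so as committed the define cannot be declared at all. Every field is `Optional[String] = undef`, so once the file is renamed a declaration that forgets type, database, user or method still compiles and emits a fragment whose rule line holds only the surviving columns; PostgreSQL rejects a malformed pg_hba.conf on reload or start, so one bad rule blocks every authentication change on the host. Type, database, user, method and order should be mandatory, with type and method restricted to the values the header comment already lists, and the unused `$pl_data_dir` lookup dropped. The variable `$postgresql_cd::params::pl_pg_hba_conf` read here does not exist under that name in the params.pp hunk, which defines `$pl_pl_pg_hba_conf`.
```puppet
define postgresql_cd::server::pghba::pg_hba_rule (
  Enum['local', 'host', 'hostssl', 'hostnossl'] $pl_auth_type,
  String[1]                                      $pl_auth_database,
  String[1]                                      $pl_auth_user,
  Enum['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'ident', 'peer',
       'ldap', 'radius', 'cert', 'pam', 'bsd']   $pl_auth_method,
  Pattern[/\A\d+\z/]                             $pl_auth_order,
  Optional[String[1]]                            $pl_auth_address     = undef,
  Optional[String[1]]                            $pl_auth_option      = undef,
  Optional[String[1]]                            $pl_auth_description = undef,
) {
  $pl_pg_hba_conf      = $postgresql_cd::params::pl_pg_hba_conf
  $pl_pg_hba_rule_conf = $postgresql_cd::params::pl_pg_hba_rule_conf
  # … unchanged: concat::fragment "pl_rule_${name}" …
}
```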
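Review bot: The `# custom rules below` marker is appended after the existing `host all all 0.0.0.0/0 md5` line, and because this template becomes the order-`'000'` header fragment of the concat file built in postgresql_cd::server::pghba::pg_hba, every pg_hba_rule fragment lands below it; PostgreSQL stops at the first matching line, so for any IPv4 client no custom `host`/`hostssl`/`hostnossl` rule can restrict or override that catch-all, and a `reject` rule declared through the define is dead. Either remove the catch-all from the header now that rules are managed per define, or state the precedence in the template itself: `# NOTE: entries above match first; custom rules cannot override them`. The earlier header lines are outside the hunk.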
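Review bot: The last line still reads `<%=@psql_auth_option%>`, which the `pg_hba_rule` define never sets — it declares `$pl_auth_option` — so the options column renders empty in every rule and any auth-method option an operator passes is dropped without warning; it should have been renamed together with `@psql_auth_order`, to `<%= @pl_auth_option %>`. The description comment prints `@name` rather than `@pl_auth_description`, so the define's description parameter is likewise never written; `# description: <%= @pl_auth_description || @name %>` uses it when given. Values are written verbatim onto one whitespace-separated line, so an undef address on a `local` rule is harmless, but the template relies on the define to guarantee the required columns are non-empty.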
@@ -96,7 +96,7 @@ max_connections = <%= @pl_max_conn %> # - SSL - <% if @pl_ssl_enabled == true -%> -ssl = on +ssl = on ssl_ca_file = '<%= @pl_data_dir %><%= @pl_ca_crt -%>' ssl_cert_file = '<%= @pl_data_dir %><%= @pl_server_crt -%>' ssl_key_file = '<%= @pl_data_dir %><%= @pl_server_key -%>'