update url

Auto-merge for build 57

See merge request puppet/postgresql_cd!40

.gitignore

@@ -3,3 +3,4 @@
 Gemfile.lock
 FileList
 .scannerwork
+.vscode

.vscode/settings.json

@@ -1,53 +0,0 @@
-{
-    "cSpell.words": [
-        "archivedir",
-        "autovacuum",
-        "bgwriter",
-        "bitmapscan",
-        "bytea",
-        "conninfo",
-        "csvlog",
-        "csvlogs",
-        "datestyle",
-        "ecdh",
-        "fdatasync",
-        "geqo",
-        "hashagg",
-        "hashjoin",
-        "hostssl",
-        "indexonlyscan",
-        "indexscan",
-        "initdb",
-        "intervalstyle",
-        "keepalives",
-        "KEEPCNT",
-        "KEEPIDLE",
-        "KEEPINTVL",
-        "keytab",
-        "llvmjit",
-        "logfile",
-        "logfiles",
-        "maxpages",
-        "mergejoin",
-        "mmap",
-        "multixact",
-        "naptime",
-        "nestloop",
-        "partitionwise",
-        "pgsql",
-        "restartpoint",
-        "seqscan",
-        "seqscans",
-        "sysconfdir",
-        "sysv",
-        "tablespace",
-        "tablespaces",
-        "tidscan",
-        "timezonesets",
-        "walsender",
-        "writethrough",
-        "xacts",
-        "xmlbinary",
-        "xmloption"
-    ]
-}

Jenkinsfile

@@ -25,10 +25,16 @@ pipeline {
       stage('pull master') {
         steps {
           sshagent(['edd05eb6-26b5-4c7b-a5cc-ea2ab899f4fa']) {
-            sh '''git config user.name "Jenkins Server"
-                  git config user.email jenkins@confdroid.com
-                  git pull origin master
-                  git checkout -b jenkins '''
+            sh '''
+                git config user.name "Jenkins Server"
+                git config user.email jenkins@confdroid.com
+                # Ensure we're on the development branch (triggered by push)
+                git checkout development
+                # Create jenkins branch from development
+                git checkout -b jenkins-build-$BUILD_NUMBER
+                # Optionally merge master into jenkins to ensure compatibility
+                git merge origin/master --no-ff || { echo "Merge conflict detected"; exit 1; }
+            '''
         }
       }
     }
@@ -53,20 +59,23 @@ pipeline {
         steps {
           sh '''/usr/local/bin/puppet-lint . \\
                 --no-variable_scope-check \\
+                || { echo "Puppet lint failed"; exit 1; }
             '''
           }
         }
 
       stage('SonarScan') {
          steps {
-             sh '''
-             /opt/sonar-scanner/bin/sonar-scanner \
-              -Dsonar.projectKey=postgresql_cd\
-              -Dsonar.sources=. \
-              -Dsonar.host.url=https://sonarqube.confdroid.com \
-              -Dsonar.token=sqa_aca21cc41336d0f31987ed196ccfb9be55ded774
-              '''
-             }
+            withCredentials([string(credentialsId: 'sonar-token', variable: 'SONAR_TOKEN')]) {
+              sh '''
+              /opt/sonar-scanner/bin/sonar-scanner \
+                -Dsonar.projectKey=confdroid_postgresql \
+                -Dsonar.sources=. \
+                -Dsonar.host.url=https://sonarqube.confdroid.com \
+                -Dsonar.token=$SONAR_TOKEN
+                '''
+              }
+            }
           }
 
       stage('create Puppet documentation') {
@@ -78,12 +87,40 @@ pipeline {
       stage('update repo') {
         steps {
           sshagent(['edd05eb6-26b5-4c7b-a5cc-ea2ab899f4fa']) {
-            sh '''git config user.name "Jenkins Server"
-                  git config user.email jenkins@confdroid.com
-                  echo `git add -A && git commit -am "recommit for updates in build $BUILD_NUMBER"`
-                  git push origin HEAD:master'''
+            sh '''
+                git config user.name "Jenkins Server"
+                git config user.email jenkins@confdroid.com
+                git rm -r --cached .vscode || echo "No .vscode to remove from git"
+                git add -A && git commit -am "Recommit for updates in build $BUILD_NUMBER" || echo "No changes to commit"
+                git push origin HEAD:master
+            '''
+          }
+        }
+      }
+
+      stage('Mirror to Gitea') {
+        steps {
+          withCredentials([usernamePassword(
+            credentialsId: 'Jenkins-gitea',
+            usernameVariable: 'GITEA_USER',
+            passwordVariable: 'GITEA_TOKEN')]) {
+            script {
+              // Checkout from GitLab (already done implicitly)
+                sh '''
+                  git checkout master
+                  git pull origin master
+                  git branch -D development
+                  git branch -D jenkins-build-$BUILD_NUMBER
+                  git rm -f Jenkinsfile
+                  git rm -r --cached .vscode || echo "No .vscode to remove from git"
+                  git commit --amend --no-edit --allow-empty
+                  git remote add master https://sourcecode.confdroid.com/confdroid/confdroid_postgresql.git
+                  git -c credential.helper="!f() { echo username=${GITEA_USER}; echo password=${GITEA_TOKEN}; }; f" \
+                  push master --mirror
+                '''
+          }
         }
       }
     }
   }
-}
+}

README.md

@@ -1,24 +1,39 @@
 # Readme
 
-[![Build Status](https://pipelines.confdroid.com/buildStatus/icon?job=postgresql_cd)](https://pipelines.confdroid.com/job/postfresql_cd/)|
+[![Build Status](https://jenkins.confdroid.com/buildStatus/icon?job=confdroid_postgresql)](https://jenkins.confdroid.com/job/postfresql_cd/)
+[![Security Hotspots](https://sonarqube.confdroid.com/api/project_badges/measure?project=confdroid_postgresql&metric=security_hotspots&token=sqb_34cadd0d17dba89c9735fca0b6cd96c55e22950d)](https://sonarqube.confdroid.com/dashboard?id=confdroid_postgresql)
 
-[[_TOC_]]
+- [Readme](#readme)
+  - [Synopsis](#synopsis)
+  - [WARNING](#warning)
+  - [Features](#features)
+  - [Repo Documentation](#repo-documentation)
+  - [Dependencies](#dependencies)
+  - [Deployment](#deployment)
+  - [SELINUX](#selinux)
+  - [Known Problems](#known-problems)
+  - [Support](#support)
+  - [Tests](#tests)
+  - [Contact Us](#contact-us)
+  - [Disclaimer](#disclaimer)
 
 ## Synopsis
 
 PostgreSQL is a powerful modern open source SQL database server.
 
-`postgresql_cd` is a Puppet module to automate installation, configuration and management of all aspects of PostgreSQL for Puppet 8
+`confdroid_postgresql` is a Puppet module to automate installation, configuration and management of all aspects of PostgreSQL(standalone) for Puppet 8
 
 ## WARNING
 
 ***Attention: Never use this puppet module on systems which have been previously configured manually. It is impossible to predict how and what would have been configured, hence previous configurations outside the scope of this module may be overwritten! Automated configurations require a test environment to verify that the module suits the purpose intended by the user, as well as tune the parameters, before deploying into live production***
 
+[!["Buy Me A Coffee"](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://www.buymeacoffee.com/grizzly_coda)
+
 ## Features
 
 Installation
 
-* install binaries as per given parameters for major and minor version
+* install binaries
 * initialize the database cluster
 
 Configuration
@@ -26,6 +41,13 @@ Configuration
 * manage directory structure including file system permissions and selinux context
 * manage service status
 
+Optional:
+
+* manage single line entries in pg_hba via define
+* manage roles and databases via define (set `$pl_manage_content` to true)
+* manage extensions (set `pl_manage_extensions`to `true`)
+* install and manage pg_bouncer (set `pl_use_pg_bouncer`to `true`)
+* enable SL / TLS manage TLS certificates (set `pl_ssl_enabled`to `true` and populate content externally through variables)
 
 ## Repo Documentation
 
@@ -43,13 +65,13 @@ via site.pp or nodes.pp
 
 ```ruby
 node 'example.example.net' {
-  include cd_postgresql
+  include confdroid_postgresql
 }
 ```
 
 * through Foreman:
 
-In order to apply parameters through Foreman, **__cd_postgresql::params__** must be added to the host or host group in question.
+In order to apply parameters through Foreman, **__confdroid_postgresql::params__** must be added to the host or host group in question.
 
 See [more details about class deployment on Confdroid.com](https://confdroid.com/2017/05/deploying-our-puppet-modules/).
 
@@ -61,8 +83,10 @@ All files and directories are configured with correct selinux context. If selinu
 
 ## Support
 
+This module has been developed for and tested with
+
 * OS: Rocky 9
-* Puppet 6 - 8
+* Puppet 8
 
 ## Tests
 
@@ -75,7 +99,8 @@ All files and directories are configured with correct selinux context. If selinu
 
 ## Contact Us
 
-[contact Us](https://confdroid.com/contact/)
+* [contact Us](https://confdroid.com/contact/)
+* [Feedback Portal](https://feedback.confdroid.com)
 
 ## Disclaimer
 

manifests/bouncer/bouncer.pp

@@ -0,0 +1,56 @@
+## confdroid_postgresql::bouncer::bouncer.pp
+# Module name: confdroid_postgresql
+# Author: 12ww1160 (12ww1160@confdroid.com)
+# @summary Class manages the pgbouncer service
+# @example  confdroid_postgresql::bouncer::bouncer_rule { 'test connection':
+#     pl_bouncer_db_name    => 'test',
+#     pl_bouncer_host       => '127.0.0.7',
+#     pl_bouncer_host_port  => '5432',
+#     pl_bouncer_user       => 'test_user',
+#     pl_bouncer_order      => '001',
+#   }
+###############################################################################
+class confdroid_postgresql::bouncer::bouncer (
+
+) inherits confdroid_postgresql::params {
+  if ($fqdn == $pl_server_fqdn) and ($pl_use_pg_bouncer == true) {
+    # ensure directory exists
+    file { $pl_bouncer_dir:
+      ensure   => directory,
+      owner    => 'root',
+      group    => 'root',
+      mode     => '0750',
+      selrange => s0,
+      selrole  => object_r,
+      seltype  => etc_t,
+      seluser  => system_u,
+    }
+    # create auth user file to be populated through placeholder
+    file { $pl_bouncer_auth_file:
+      ensure   => file,
+      owner    => 'pgbouncer',
+      group    => 'pgbouncer',
+      mode     => '0440',
+      selrange => s0,
+      selrole  => object_r,
+      seltype  => etc_t,
+      seluser  => system_u,
+      content  => template($pl_bouncer_auth_erb),
+    }
+
+    # create the pgbouncer.ini file
+    concat { $pl_bouncer_ini_file:
+      ensure => present,
+      owner  => 'pgbouncer',
+      mode   => '0600',
+      #notify => Service[$pl_service],
+    }
+
+    # manage file header
+    concat::fragment { 'bouncer_header':
+      target  => $pl_bouncer_ini_file,
+      content => template($pl_bouncer_ini_erb),
+      order   => '000',
+    }
+  }
+}

manifests/bouncer/bouncer_rule.pp

@@ -0,0 +1,31 @@
+# confdroid_postgresql::bouncer::bouncer_rule.pp
+# Module name: confdroid_postgresql
+# Author: 12ww1160 (12ww1160@confdroid.com)
+# @summary define manages rule entries for bouncer rules
+# @see https://www.postgresql.org/docs/9.6/static/auth-pg-hba-conf.html
+# @param [String] pl_bouncer_db_name db name for the bouncer rule
+# @param [String] pl_bouncer_host IP of the db host to bounce to
+# @param [String] pl_bouncer_host_port port of the db host to bounce to
+# @param [String] pl_bouncer_user user for the connection. Must be defined in
+#   userlist.txt
+# @param [String] pl_bouncer_order the order in which the rule should appear
+##############################################################################
+define confdroid_postgresql::bouncer::bouncer_rule (
+
+  String $pl_bouncer_db_name    = undef,
+  String $pl_bouncer_host       = '127.0.0.1',
+  String $pl_bouncer_host_port  = '5432',
+  String $pl_bouncer_user       = undef,
+  String $pl_bouncer_order      = undef,
+
+) {
+  $pl_bouncer_ini_file    = $confdroid_postgresql::params::pl_bouncer_ini_file
+  $pl_bouncer_ini_erb     = $confdroid_postgresql::params::pl_bouncer_ini_erb
+  $pl_bouncer_rule_erb    = $confdroid_postgresql::params::pl_bouncer_rule_erb
+
+  concat::fragment { "pl_bouncer_rule_${name}":
+    target  => $pl_bouncer_ini_file,
+    content => template($pl_bouncer_rule_erb),
+    order   => $pl_bouncer_order,
+  }
+}

manifests/bouncer/service.pp

@@ -0,0 +1,18 @@
+## confdroid_postgresql::bouncer::service.pp
+# Module name: confdroid_postgresql
+# Author: 12ww1160 (12ww1160@confdroid.com)
+# @summary Class manages the pgbouncer service
+###############################################################################
+class confdroid_postgresql::bouncer::service (
+
+) inherits confdroid_postgresql::params {
+  if ($fqdn == $pl_server_fqdn) and ($pl_use_pg_bouncer == true) {
+    require confdroid_postgresql::bouncer::bouncer
+    service { $pl_bouncer_service:
+      ensure     => running,
+      hasstatus  => true,
+      hasrestart => true,
+      enable     => true,
+    }
+  }
+}

manifests/firewall/iptables.pp

@@ -1,11 +1,11 @@
-## postgresql_cd::firewall::iptables.pp
-# Module name: postgresql_cd
-# Author: Arne Teuke (arne_teuke@confdroid.com)
+## confdroid_postgresql::firewall::iptables.pp
+# Module name: confdroid_postgresql
+# Author: 12ww1160 (12ww1160@confdroid.com)
 # @summary Class manages the alloy iptables
 ###############################################################################
-class postgresql_cd::firewall::iptables (
+class confdroid_postgresql::firewall::iptables (
 
-) inherits postgresql_cd::params {
+) inherits confdroid_postgresql::params {
   if ($fqdn == $pl_server_fqdn) and ($pl_enable_fw == true) {
     firewall { "${pl_fw_rule_order}${pl_fw_port} tcp port ${pl_fw_port}":
       source => $pl_source_range,
@@ -13,5 +13,13 @@ class postgresql_cd::firewall::iptables (
       dport  => $pl_fw_port,
       jump   => 'accept',
     }
+    if $pl_use_pg_bouncer == true {
+      firewall { "${pl_fw_rule_order}${pl_bouncer_port} tcp port ${pl_bouncer_port}":
+        source => $pl_source_range,
+        proto  => 'tcp',
+        dport  => $pl_bouncer_port,
+        jump   => 'accept',
+      }
+    }
   }
 }

manifests/init.pp

@@ -1,8 +1,8 @@
-## postgresql_cd::init.pp
-# Module name: postgresql_cd
-# Author: Arne Teuke (arne_teuke@confdroid.com)
-# @summary Class initializes the postgresql_cd module.
+## confdroid_postgresql::init.pp
+# Module name: confdroid_postgresql
+# Author: 12ww1160 (12ww1160@confdroid.com)
+# @summary Class initializes the confdroid_postgresql module.
 ##############################################################################
-class postgresql_cd {
-  include postgresql_cd::params
+class confdroid_postgresql {
+  include confdroid_postgresql::params
 }

manifests/main/config.pp

@@ -1,10 +1,17 @@
-## postgresql_cd::main::config.pp
-# Module name: postgresql_cd
-# Author: Arne Teuke (arne_teuke@confdroid.com)
-# @summary Class manages logic for the postgresql_cd module.
+## confdroid_postgresql::main::config.pp
+# Module name: confdroid_postgresql
+# Author: 12ww1160 (12ww1160@confdroid.com)
+# @summary Class manages logic for the confdroid_postgresql module.
 ##############################################################################
-class postgresql_cd::main::config (
+class confdroid_postgresql::main::config (
 
-) inherits postgresql_cd::params {
-  include postgresql_cd::server::service
+) inherits confdroid_postgresql::params {
+  require confdroid_postgresql::main::install
+
+  if $fqdn == $pl_server_fqdn {
+    include confdroid_postgresql::server::service
+    if $pl_use_pg_bouncer == true {
+      include confdroid_postgresql::bouncer::service
+    }
+  }
 }

manifests/main/dirs.pp

@@ -1,10 +1,10 @@
-## postgresql_cd::main::dirs.pp
-# Module name: postgresql_cd
-# Author: Arne Teuke (arne_teuke@confdroid.com)
-# @summary Class manages logic for the postgresql_cd module.
+## confdroid_postgresql::main::dirs.pp
+# Module name: confdroid_postgresql
+# Author: 12ww1160 (12ww1160@confdroid.com)
+# @summary Class manages logic for the confdroid_postgresql module.
 ##############################################################################
-class postgresql_cd::main::dirs (
+class confdroid_postgresql::main::dirs (
 
-) inherits postgresql_cd::params {
-  require postgresql_cd::main::install
+) inherits confdroid_postgresql::params {
+  require confdroid_postgresql::main::install
 }

manifests/main/files.pp

@@ -1,27 +1,14 @@
-## postgresql_cd::main::files.pp
-# Module name: postgresql_cd
-# Author: Arne Teuke (arne_teuke@confdroid.com)
-# @summary Class manages logic for the postgresql_cd module.
+## confdroid_postgresql::main::files.pp
+# Module name: confdroid_postgresql
+# Author: 12ww1160 (12ww1160@confdroid.com)
+# @summary Class manages logic for the confdroid_postgresql module.
 ##############################################################################
-class postgresql_cd::main::files (
+class confdroid_postgresql::main::files (
 
-) inherits postgresql_cd::params {
+) inherits confdroid_postgresql::params {
   if $fqdn == $pl_server_fqdn {
-    require postgresql_cd::server::initdb
-    require postgresql_cd::main::dirs
-
-    file { '/var/lib/pgsql/data/pg_hba.conf':
-      ensure   => file,
-      owner    => 'postgres',
-      group    => 'postgres',
-      mode     => '0600',
-      selrange => s0,
-      selrole  => object_r,
-      seltype  => postgresql_db_t,
-      seluser  => unconfined_u,
-      content  => template('postgresql_cd/pg_hba.conf.erb'),
-      notify   => Service[$pl_service],
-    }
+    require confdroid_postgresql::server::initdb
+    require confdroid_postgresql::main::dirs
 
     file { '/var/lib/pgsql/data/postgresql.conf':
       ensure   => file,
@@ -32,8 +19,50 @@ class postgresql_cd::main::files (
       selrole  => object_r,
       seltype  => postgresql_db_t,
       seluser  => unconfined_u,
-      content  => template('postgresql_cd/postgresql.conf.erb'),
+      content  => template('confdroid_postgresql/postgresql.conf.erb'),
       notify   => Service[$pl_service],
     }
+    if $pl_ssl_enabled == true {
+      # manage tls certs
+      ## ca.crt
+      file { $pl_ca_crt_file:
+        ensure   => file,
+        owner    => 'postgres',
+        group    => 'postgres',
+        mode     => '0400',
+        selrange => s0,
+        selrole  => object_r,
+        seltype  => postgresql_db_t,
+        seluser  => unconfined_u,
+        content  => template($pl_ca_crt_erb),
+        notify   => Service[$pl_service],
+      }
+      ## server.crt
+      file { $pl_server_crt_file:
+        ensure   => file,
+        owner    => 'postgres',
+        group    => 'postgres',
+        mode     => '0400',
+        selrange => s0,
+        selrole  => object_r,
+        seltype  => postgresql_db_t,
+        seluser  => unconfined_u,
+        content  => template($pl_server_crt_erb),
+        notify   => Service[$pl_service],
+      }
+      ## server.key
+      file { $pl_server_key_file:
+        ensure   => file,
+        owner    => 'postgres',
+        group    => 'postgres',
+        mode     => '0400',
+        selrange => s0,
+        selrole  => object_r,
+        seltype  => postgresql_db_t,
+        seluser  => unconfined_u,
+        content  => template($pl_server_key_erb),
+        notify   => Service[$pl_service],
+      }
+    }
   }
 }

manifests/main/install.pp

@@ -1,11 +1,11 @@
-## postgresql_cd::main::install.pp
-# Module name: postgresql_cd
-# Author: Arne Teuke (arne_teuke@confdroid.com)
-# @summary Class manages logic for the postgresql_cd module.
+## confdroid_postgresql::main::install.pp
+# Module name: confdroid_postgresql
+# Author: 12ww1160 (12ww1160@confdroid.com)
+# @summary Class manages logic for the confdroid_postgresql module.
 ##############################################################################
-class postgresql_cd::main::install (
+class confdroid_postgresql::main::install (
 
-) inherits postgresql_cd::params {
+) inherits confdroid_postgresql::params {
   if $fqdn == $pl_server_fqdn {
     package { $reqpackages_server:
       ensure => $pkg_ensure,
@@ -13,6 +13,16 @@ class postgresql_cd::main::install (
     package { $reqpackages_client:
       ensure => $pkg_ensure,
     }
+    if $pl_manage_extensions == true {
+      package { $reqpackages_extensions:
+        ensure => $pkg_ensure,
+      }
+    }
+    if $pl_use_pg_bouncer == true {
+      package { $reqpackages_bouncer:
+        ensure => $pkg_ensure,
+      }
+    }
   }
 
   if $fqdn != $pl_server_fqdn {

manifests/params.pp

@@ -1,10 +1,13 @@
-## postgresql_cd::params.pp
-# Module name: postgresql_cd
-# Author: Arne Teuke (arne_teuke@confdroid.com)
+## confdroid_postgresql::params.pp
+# Module name: confdroid_postgresql
+# Author: 12ww1160 (12ww1160@confdroid.com)
+# @summary Class contains all parameters for the confdroid_postgresql module.
 # @param [String] pl_server_fqdn the fqdn of the postgresql server. Any other
 #   system will be configured as client
-# @param [String] reqpackages_server the packages for the server
+# @param [Array] reqpackages_server the packages for the server
+# @param [String] reqpackages_extensions the packages for extensions
 # @param [String] reqpackages_client the packages for the client
+# @param [String] reqpackages_bouncer the packages for the bouncer
 # @param [String] pkg_ensure which version of the packages to install, i.e.
 #   'latest', 'present' '13.20',
 # @param [String] pl_fw_rule_order the prefix for the firewall rule
@@ -14,15 +17,31 @@
 # @param [String] pl_listen_address which address should the service listen on
 # @param [String] pl_listen_port which port should the service listen on
 # @param [String] pl_max_conn maximum connections the service will accept
-# @summary Class contains all parameters for the postgresql_cd module.
+# @param [Boolean] pl_ssl_enabled whether SSL is enabled (true) or disabled (false)
+# @param [String] pl_server_crt the name of the server cert
+# @param [String] pl_server_key the name of the server key
+# @param [String] pl_ca_crt the name of the CA  crt
+# @param [Boolean] pl_manage_content whether to manage roles and databases
+# @param [Boolean] pl_manage_extensions whether to manage extensions
+# @param [String] pl_idle_timeout  idle_in_transaction_session_timeout
+# @param [Boolean] pl_use_pg_bouncer whether to use the pc_bouncer
+# @param [String] pl_bouncer_listen_addr bouncer listen address
+# @param [String] pl_bouncer_port bouncer listen port
+# @param [String] pl_bouncer_auth_mode bouncer auth mode
+# @param [String] pl_bouncer_auth_users placeholder for users
+# @param [String] pl_bouncer_pool_mode bouncer pool mode
+# @param [String] pl_bouncer_mx_cl_conn bouncer max client connections
+# @param [String] pl_bouncer_pool_size bouncer default pool size
 ##############################################################################
-class postgresql_cd::params (
+class confdroid_postgresql::params (
 
   String $pl_server_fqdn    = undef,
 
   # installation
-  String $reqpackages_server      = 'postgresql-server',
+  Array $reqpackages_server       = ['postgresql-server','postgresql-contrib'],
+  String $reqpackages_extensions  = 'timescaledb',
   String $reqpackages_client      = 'postgresql',
+  String $reqpackages_bouncer     = 'pgbouncer',
   String $pkg_ensure              = 'latest',
 
   # firewall
@@ -34,7 +53,24 @@ class postgresql_cd::params (
   # main config
   String $pl_listen_address       = '*',
   String $pl_listen_port          = '5432',
-  String $pl_max_conn              = '100',
+  String $pl_max_conn             = '100',
+  String $pl_idle_timeout         = '60000',
+  Boolean $pl_ssl_enabled         = false,
+  String $pl_server_crt           = 'server.crt',
+  String $pl_server_key           = 'server.key',
+  String $pl_ca_crt               = 'root.crt',
+  Boolean $pl_manage_content      = true,
+  Boolean $pl_manage_extensions   = false,
+
+  # pg bouncer
+  Boolean $pl_use_pg_bouncer      = false,
+  String $pl_bouncer_listen_addr  = '0.0.0.0',
+  String $pl_bouncer_port         = '6432',
+  String $pl_bouncer_auth_mode    = 'md5',
+  String $pl_bouncer_auth_users   = '"pgbouncer" "fake"',
+  String $pl_bouncer_pool_mode    = 'transaction',
+  String $pl_bouncer_mx_cl_conn   = '100',
+  String $pl_bouncer_pool_size    = '20',
 
 ) {
   $fqdn                     = $facts['networking']['fqdn']
@@ -42,12 +78,31 @@ class postgresql_cd::params (
   $os_name                  = $facts['os']['name']
   $os_release               = $facts['os']['release']['major']
 
-  # Service
-  $pl_service               = 'postgresql'
-
   # Directories
   $pl_data_dir              = '/var/lib/pgsql/data/'
+  $pl_bouncer_dir           = '/etc/pgbouncer'
+
+  # files
+  $pl_pg_hba_conf           = "${pl_data_dir}/pg_hba.conf"
+  $pl_pg_hba_rule_conf      = 'confdroid_postgresql/server/pghba/pg_hba_rule.conf.erb'
+  $pl_pg_hba_conf_erb       = 'confdroid_postgresql/server/pghba/pg_hba.conf.erb'
+  $pl_bouncer_ini_file      = "${pl_bouncer_dir}/pgbouncer.ini"
+  $pl_bouncer_ini_erb       = 'confdroid_postgresql/server/bouncer/pgbouncer.ini.erb'
+  $pl_bouncer_auth_file     = "${pl_bouncer_dir}/userlist.txt"
+  $pl_bouncer_auth_erb      = 'confdroid_postgresql/server/bouncer/bouncer_users.erb'
+  $pl_bouncer_rule_erb      = 'confdroid_postgresql/server/bouncer/bouncer_rule.erb'
+  $pl_ca_crt_file           = "${pl_data_dir}/ca.crt"
+  $pl_ca_crt_erb            = 'confdroid_postgresql/server/ca.crt.erb'
+  $pl_server_crt_file       = "${pl_data_dir}/server.crt"
+  $pl_server_crt_erb        = 'confdroid_postgresql/server/server.crt.erb'
+  $pl_server_key_file       = "${pl_data_dir}/server.key"
+  $pl_server_key_erb        = 'confdroid_postgresql/server/server.key.erb'
+
+  # Service
+  $pl_service               = 'postgresql'
+  $pl_exporter_service      = 'postgres_exporter'
+  $pl_bouncer_service       = 'pgbouncer'
 
   # includes must be last
-  include postgresql_cd::main::config
+  include confdroid_postgresql::main::config
 }

manifests/server/databases/db_df.pp

@@ -0,0 +1,47 @@
+## confdroid_postgresql::server::databases::db_df
+# Module name: confdroid_postgresql
+# Author: 12ww1160 (12ww1160@confdroid.com.com)
+# @summary define manages databases
+# @see https://www.postgresql.org/docs/9.6/static/managing-databases.html
+# @param [String] pl_db_name the name of the database to be created.
+# @param [String] pl_owner_name the name of the owner for the database
+#   (optional), if none specified, the  postgresql defaults will apply.
+# @param [String] pl_db_action whether to create or drop the database.
+#   'CREATE DATABASE' creates it, 'DROP DATABASE' drops it.
+# @param [String] pl_db_extension
+##############################################################################
+define confdroid_postgresql::server::databases::db_df (
+
+  Optional[String] $pl_db_name      = undef,
+  Optional[String] $pl_owner_name   = undef,
+  Optional[String] $pl_db_action    = undef,
+  String $pl_db_extension           = 'pg_trgm',
+) {
+  $pl_manage_content = $confdroid_postgresql::params::pl_manage_content
+
+  if $pl_manage_content == true {
+    # create databases
+
+    if $pl_db_action == 'CREATE DATABASE' {
+      exec { "create_database_${name}":
+        command => template('confdroid_postgresql/server/databases/db_create_sql.erb'),
+        user    => 'postgres',
+        path    => ['/usr/bin','/bin'],
+        cwd     => '/tmp',
+        unless  => template('confdroid_postgresql/server/databases/unless_db_sql.erb'),
+      }
+    }
+
+    # Drop databases
+
+    if $pl_db_action == 'DROP DATABASE' {
+      exec { "drop_database_${name}":
+        command => template('confdroid_postgresql/server/databases/db_drop_sql.erb'),
+        user    => 'postgres',
+        path    => ['/usr/bin','/bin'],
+        cwd     => '/tmp',
+        onlyif  => template('confdroid_postgresql/server/databases/unless_drop_sql.erb'),
+      }
+    }
+  }
+}

manifests/server/initdb.pp

@@ -1,12 +1,14 @@
-## postgresql_cd::server::initdb.pp
-# Module name: postgresql_cd
-# Author: Arne Teuke (arne_teuke@confdroid.com)
+## confdroid_postgresql::server::initdb.pp
+# Module name: confdroid_postgresql
+# Author: 12ww1160 (12ww1160@confdroid.com)
 # @summary Class initiates the database
 ###############################################################################
-class postgresql_cd::server::initdb (
+class confdroid_postgresql::server::initdb (
 
-) inherits postgresql_cd::params {
+) inherits confdroid_postgresql::params {
   if $fqdn == $pl_server_fqdn {
+    require confdroid_postgresql::main::install
+
     exec { 'init_pgsql_db':
       command => 'postgresql-setup --initdb',
       creates => "${pl_data_dir}/PG_VERSION",
@@ -14,5 +16,5 @@ class postgresql_cd::server::initdb (
     }
   }
 
-  include postgresql_cd::main::files
+  include confdroid_postgresql::main::files
 }

manifests/server/pghba/pg_hba.pp

@@ -0,0 +1,55 @@
+## confdroid_postgresql::server::pg_hba.pp
+# Module name: confdroid_postgresql
+# Author: 12ww1160 (arne_teuke@puppetsoft.com)
+# @summary Class manages pg_hba.conf file and line entries through define
+#   pg_hba_rule.pp
+# @example     confdroid_postgresql::server::pghba::pg_hba_rule { 'local access for role postgres':
+#      pl_auth_type        => 'local',
+#      pl_auth_database    => 'all',
+#      pl_auth_user        => 'postgres',
+#      pl_auth_method      => 'trust',
+#      pl_auth_order       => '001',
+#      pl_auth_option      => '',
+#    }
+##############################################################################
+class confdroid_postgresql::server::pghba::pg_hba (
+
+) inherits confdroid_postgresql::params {
+  if $fqdn == $pl_server_fqdn {
+    # create the pg_hba.conf file
+
+    concat { $pl_pg_hba_conf:
+      ensure => present,
+      owner  => 'postgres',
+      mode   => '0600',
+      notify => Service[$pl_service],
+    }
+
+    # manage file header
+
+    concat::fragment { 'pghba_header':
+      target  => $pl_pg_hba_conf,
+      content => template($pl_pg_hba_conf_erb),
+      order   => '000',
+    }
+
+    # manage default rules => should go into  external config set
+#    confdroid_postgresql::server::pghba::pg_hba_rule { 'local access for role postgres':
+#      pl_auth_type        => 'local',
+#      pl_auth_database    => 'all',
+#      pl_auth_user        => $ql_user_name,
+#      pl_auth_method      => 'trust',
+#      pl_auth_order       => '001',
+#      pl_auth_option      => $ql_auth_option,
+#    }
+
+#    confdroid_postgresql::server::pghba::pg_hba_rule { 'local access for all roles':
+#      pl_auth_type        => 'local',
+#      pl_auth_database    => 'all',
+#      pl_auth_user        => 'all',
+#      pl_auth_method      => 'trust',
+#      pl_auth_order       => '002',
+#      pl_auth_option      => $pl_auth_option,
+#    }
+  }
+}

manifests/server/pghba/pg_hba_rule.pp

@@ -0,0 +1,45 @@
+## confdroid_postgresql::server::pghba::pg_hba_rule
+# Module name: confdroid_postgresql
+# Author: 12ww1160 (12ww1160@confdroid.com)
+# @summary define manages rule entries for pg_hba configuration file
+# @see https://www.postgresql.org/docs/9.6/static/auth-pg-hba-conf.html
+# @param [string] pl_auth_type  Specify the authentication type, can be
+#   'local', 'host', 'hostssl' or 'hostnossl'.
+# @param [string] pl_auth_database Specify the database for the connection
+# @param [string] pl_auth_user Specify the user for the connection
+# @param [string] pl_auth_address Specify IP address or FQDN for the
+#   connection, i.e. where to connect FROM.
+# @param [string] pl_auth_method  Specify the auth method, can be 'trust',
+#   'reject', 'md5' , 'password', 'gss', 'sspi', 'ident', 'peer', 'ldap',
+#   'radius', 'cert', 'pam','bsd'
+# @param [string] pl_auth_option After the auth-method field, there can be
+#   field(s) of the form name=value that specify options for the authentication
+#   method.
+# @param [string] pl_auth_order  Specify the  order in which the entry should
+#   appear on the list. Lower orders are higher on the list.
+# @param [string] pl_auth_description Specify a description for the entry.
+##############################################################################
+define confdroid_postgresql::server::pghba::pg_hba_rule (
+
+  Optional[String] $pl_auth_type         = undef,
+  Optional[String] $pl_auth_database     = undef,
+  Optional[String] $pl_auth_user         = undef,
+  Optional[String] $pl_auth_address      = undef,
+  Optional[String] $pl_auth_method       = undef,
+  Optional[String] $pl_auth_option       = undef,
+  Optional[String] $pl_auth_order        = undef,
+  Optional[String] $pl_auth_description  = undef,
+
+) {
+  $pl_pg_hba_conf       = $confdroid_postgresql::params::pl_pg_hba_conf
+  $pl_pg_hba_rule_conf  = $confdroid_postgresql::params::pl_pg_hba_rule_conf
+  $pl_data_dir          = $confdroid_postgresql::params::pl_data_dir
+
+# create rule fragment
+
+  concat::fragment { "pl_rule_${name}":
+    target  => $pl_pg_hba_conf,
+    content => template($pl_pg_hba_rule_conf),
+    order   => $pl_auth_order,
+  }
+}

manifests/server/roles/role_df.pp

@@ -0,0 +1,33 @@
+## confdroid_postgresql::server::roles::role_df
+# Module name: confdroid_postgresql
+# Author: 12ww1160 (12ww1160@confdroid.com)
+
+# @summary define manages databases
+# @see https://www.postgresql.org/docs/9.6/static/managing-databases.html
+# @param [string] pl_role_name the name of the role to be created.
+# @param [string] pl_role_pw the password to be created
+# @param [string] pl_role_attributes  attributes for the role to be created
+# @param [string] pl_role_status what to do with the role
+##############################################################################
+define confdroid_postgresql::server::roles::role_df (
+
+  Optional[String] $pl_role_name      = undef,
+  Optional[String] $pl_role_pw        = undef,
+  String $pl_role_attributes          = 'LOGIN',
+  String $pl_role_status              = 'CREATE ROLE',
+
+) {
+  $pl_manage_content  = $confdroid_postgresql::params::pl_manage_content
+
+  if $pl_manage_content == true {
+    # create the role
+
+    exec { "role_${name}":
+      command => template('confdroid_postgresql/server/roles/role.sql.erb'),
+      user    => 'postgres',
+      path    => ['/usr/bin','/bin'],
+      cwd     => '/tmp',
+      unless  => template('confdroid_postgresql/server/roles/unless_sql.erb'),
+    }
+  }
+}

manifests/server/service.pp

@@ -1,14 +1,15 @@
-## postgresql_cd::server::service.pp
-# Module name: postgresql_cd
-# Author: Arne Teuke (arne_teuke@confdroid.com)
+## confdroid_postgresql::server::service.pp
+# Module name: confdroid_postgresql
+# Author: 12ww1160 (12ww1160@confdroid.com)
 # @summary Class manages the postgresql service
 ###############################################################################
-class postgresql_cd::server::service (
+class confdroid_postgresql::server::service (
 
-) inherits postgresql_cd::params {
+) inherits confdroid_postgresql::params {
   if $fqdn == $pl_server_fqdn {
-    require postgresql_cd::firewall::iptables
-    require postgresql_cd::server::initdb
+    require confdroid_postgresql::firewall::iptables
+    require confdroid_postgresql::server::initdb
+    require confdroid_postgresql::server::pghba::pg_hba
 
     service { $pl_service:
       ensure     => running,

templates/pg_hba_rule.conf.erb

@@ -1,3 +0,0 @@
-# description:  <%=@name%>
-# order number: <%=@psql_auth_order%>
-<%= @pl_auth_type %>  <%= @pl_auth_database %>  <%= @pl_auth_user %> <%= @pl_auth_address %> <%=@pl_auth_method %> <%=@psql_auth_option%>

templates/postgresql.conf.erb

@@ -93,13 +93,32 @@ max_connections     = <%= @pl_max_conn %>
 #krb_server_keyfile = 'FILE:${sysconfdir}/krb5.keytab'
 #krb_caseins_users = off
 
+# - Shared Library Preloading -
+<% if @pl_manage_extensions == true -%>
+shared_preload_libraries = '<%= @reqpackages_extensions %>'
+<% else -%>
+# shared_preload_libraries = ''
+<% end -%>
+#local_preload_libraries = ''
+#session_preload_libraries = ''
+#jit_provider = 'llvmjit'		# JIT library to use
+
+
 # - SSL -
 
-#ssl = off
-#ssl_ca_file = ''
-#ssl_cert_file = 'server.crt'
+<% if @pl_ssl_enabled == true -%>
+ssl 		= on
+ssl_ca_file 	= '<%= @pl_data_dir %>ca.crt'
+ssl_cert_file 	= '<%= @pl_data_dir %>server.crt'
+ssl_key_file 	= '<%= @pl_data_dir %>server.key'
+<% end -%>
+<% if @pl_ssl_enabled != true -%>
+ssl = off
+<% end -%>
+
+idle_in_transaction_session_timeout = <%= @pl_idle_timeout %>
+
 #ssl_crl_file = ''
-#ssl_key_file = 'server.key'
 #ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
 #ssl_prefer_server_ciphers = on
 #ssl_ecdh_curve = 'prime256v1'
@@ -657,7 +676,6 @@ log_timezone = 'Etc/UTC'
 #session_replication_role = 'origin'
 #statement_timeout = 0			# in milliseconds, 0 is disabled
 #lock_timeout = 0			# in milliseconds, 0 is disabled
-#idle_in_transaction_session_timeout = 0	# in milliseconds, 0 is disabled
 #vacuum_freeze_min_age = 50000000
 #vacuum_freeze_table_age = 150000000
 #vacuum_multixact_freeze_min_age = 5000000
@@ -698,13 +716,6 @@ lc_time = 'en_US.UTF-8'				# locale for time formatting
 # default configuration for text search
 default_text_search_config = 'pg_catalog.english'
 
-# - Shared Library Preloading -
-
-#shared_preload_libraries = ''	# (change requires restart)
-#local_preload_libraries = ''
-#session_preload_libraries = ''
-#jit_provider = 'llvmjit'		# JIT library to use
-
 # - Other Defaults -
 
 #dynamic_library_path = '$libdir'

templates/server/bouncer/bouncer_rule.erb

@@ -0,0 +1 @@
+<%= @pl_bouncer_db_name %> = host=<%= @pl_bouncer_host %> port=<%= @pl_bouncer_host_port %>  auth_user=<%= @pl_bouncer_user %> dbname=<%= @pl_bouncer_db_name %>

templates/server/bouncer/bouncer_users.erb

@@ -0,0 +1 @@
+<%= @pl_bouncer_auth_users %>

templates/server/bouncer/pgbouncer.ini.erb

@@ -0,0 +1,11 @@
+[pgbouncer]
+listen_addr = <%= @pl_bouncer_listen_addr %>
+listen_port = <%= @pl_bouncer_port %>
+auth_type = <%= @pl_bouncer_auth_mode %>
+auth_file = <%= @pl_bouncer_auth_file %>
+pool_mode = <%= @pl_bouncer_pool_mode %>
+max_client_conn = <%= @pl_bouncer_mx_cl_conn %>
+default_pool_size = <%= @pl_bouncer_pool_size %>
+ignore_startup_parameters = extra_float_digits
+
+[databases]

templates/server/bouncer/pgbouncer.ini.orig

@@ -0,0 +1,405 @@
+;;;
+;;; PgBouncer configuration file
+;;;
+
+;; database name = connect string
+;;
+;; connect string params:
+;;   dbname= host= port= user= password= auth_user=
+;;   client_encoding= datestyle= timezone=
+;;   pool_size= reserve_pool_size= max_db_connections=
+;;   pool_mode= connect_query= application_name=
+[databases]
+
+;; foodb over Unix socket
+;foodb =
+
+;; redirect bardb to bazdb on localhost
+;bardb = host=localhost dbname=bazdb
+
+;; access to dest database will go with single user
+;forcedb = host=localhost port=300 user=baz password=foo client_encoding=UNICODE datestyle=ISO connect_query='SELECT 1'
+
+;; use custom pool sizes
+;nondefaultdb = pool_size=50 reserve_pool_size=10
+
+;; use auth_user with auth_query if user not present in auth_file
+;; auth_user must exist in auth_file
+; foodb = auth_user=bar
+
+;; run auth_query on a specific database.
+; bardb = auth_dbname=foo max_db_client_connections=10
+
+;; fallback connect string
+;* = host=testserver
+
+;; User-specific configuration
+[users]
+
+;user1 = pool_size=5 reserve_pool_size=2 pool_mode=transaction max_user_connections=10 max_user_client_connections=20
+
+;; Configuration section
+[pgbouncer]
+
+;;;
+;;; Administrative settings
+;;;
+
+logfile = /var/log/pgbouncer/pgbouncer.log
+pidfile = /var/run/pgbouncer/pgbouncer.pid
+
+;;;
+;;; Where to wait for clients
+;;;
+
+;; IP address or * which means all IPs
+listen_addr = localhost
+listen_port = 6432
+
+;; Unix socket is also used for -R.
+;; On Debian it should be /var/run/postgresql
+;unix_socket_dir = /tmp
+;unix_socket_mode = 0777
+;unix_socket_group =
+
+;; The peer id used to identify this pgbouncer process in a group of pgbouncer
+;; processes that are peered together. When set to 0 pgbouncer peering is disabled
+;peer_id = 0
+
+;;; Notify client that they are queued after this many seconds
+;;; Disabled when set to 0
+;query_wait_notify = 5
+
+;;;
+;;; TLS settings for accepting clients
+;;;
+
+;; disable, allow, require, verify-ca, verify-full
+;client_tls_sslmode = disable
+
+;; Path to file that contains trusted CA certs
+;client_tls_ca_file = <system default>
+
+;; Private key and cert to present to clients.
+;; Required for accepting TLS connections from clients.
+;client_tls_key_file =
+;client_tls_cert_file =
+
+;; default, secure, fast, normal, <ciphersuite string>
+;client_tls_ciphers = default
+
+; TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256
+; TLS_AES_128_CCM_8_SHA256 TLS_AES_128_CCM_SHA256
+;client_tls13_ciphers =
+
+;; all, secure, tlsv1.0, tlsv1.1, tlsv1.2, tlsv1.3
+;client_tls_protocols = secure
+
+;; none, auto, legacy
+;client_tls_dheparams = auto
+
+;; none, auto, <curve name>
+;client_tls_ecdhcurve = auto
+
+;;;
+;;; TLS settings for connecting to backend databases
+;;;
+
+;; disable, allow, prefer, require, verify-ca, verify-full
+;server_tls_sslmode = prefer
+
+;; Path to that contains trusted CA certs
+;server_tls_ca_file = <system default>
+
+;; Private key and cert to present to backend.
+;; Needed only if backend server require client cert.
+;server_tls_key_file =
+;server_tls_cert_file =
+
+;; all, secure, tlsv1.0, tlsv1.1, tlsv1.2, tlsv1.3
+;server_tls_protocols = secure
+
+;; default, secure, fast, normal, <ciphersuite string>
+;server_tls_ciphers = default
+
+;; See client_tls13_ciphers.
+;server_tls13_ciphers =
+
+;;;
+;;; Authentication settings
+;;;
+
+;; any, trust, plain, md5, cert, hba, ldap, pam
+auth_type = md5
+auth_file = /etc/pgbouncer/userlist.txt
+
+;; Path to HBA-style auth config
+;auth_hba_file =
+
+;; Path to Pg-ident-style map file
+;auth_ident_file =
+
+;; LDAP connection options when "auth_type = ldap"
+;auth_ldap_options =
+
+;; Query to use to fetch password from database.  Result
+;; must have 2 columns - username and password hash.
+;auth_query = SELECT rolname, CASE WHEN rolvaliduntil < pg_catalog.now() THEN NULL ELSE rolpassword END FROM pg_authid WHERE rolname=$1 AND rolcanlogin
+
+;; Authentication database that can be set globally to run "auth_query".
+;auth_dbname =
+
+;;;
+;;; Users allowed into database 'pgbouncer'
+;;;
+
+;; comma-separated list of users who are allowed to change settings
+admin_users = postgres
+
+;; comma-separated list of users who are just allowed to use SHOW command
+stats_users = stats, postgres
+
+;;;
+;;; Pooler personality questions
+;;;
+
+;; When server connection is released back to pool:
+;;   session      - after client disconnects (default)
+;;   transaction  - after transaction finishes
+;;   statement    - after statement finishes
+;pool_mode = session
+
+;; Number of prepared statements to cache on a server connection (zero value
+;; disables support of prepared statements).
+;max_prepared_statements = 0
+
+;; The number of computational iterations to be performed when
+;; encrypting a password using SCRAM-SHA-256.
+;scram_iterations = 4096
+
+;; Query for cleaning connection immediately after releasing from
+;; client.  No need to put ROLLBACK here, pgbouncer does not reuse
+;; connections where transaction is left open.
+;server_reset_query = DISCARD ALL
+
+;; Whether server_reset_query should run in all pooling modes.  If it
+;; is off, server_reset_query is used only for session-pooling.
+;server_reset_query_always = 0
+
+;; Comma-separated list of parameters to track per client.  The
+;; Postgres parameters listed here will be cached per client by
+;; pgbouncer and restored in server every time the client runs a query.
+;track_extra_parameters = IntervalStyle
+
+;; Comma-separated list of parameters to ignore when given in startup
+;; packet.  Newer JDBC versions require the extra_float_digits here.
+;ignore_startup_parameters = extra_float_digits
+
+;; When taking idle server into use, this query is run first.
+;server_check_query = select 1
+
+;; If server was used more recently that this many seconds ago,
+;; skip the check query.  Value 0 may or may not run in immediately.
+;server_check_delay = 30
+
+;; Close servers in session pooling mode after a RECONNECT, RELOAD,
+;; etc. when they are idle instead of at the end of the session.
+;server_fast_close = 0
+
+;; Use <appname - host> as application_name on server.
+;application_name_add_host = 0
+
+;; Period for updating aggregated stats.
+;stats_period = 60
+
+;;;
+;;; Connection limits
+;;;
+
+;; Total number of clients that can connect
+;max_client_conn = 100
+
+;; Default pool size.  20 is good number when transaction pooling
+;; is in use, in session pooling it needs to be the number of
+;; max clients you want to handle at any moment
+;default_pool_size = 20
+
+;; Minimum number of server connections to keep in pool.
+;min_pool_size = 0
+
+; how many additional connection to allow in case of trouble
+;reserve_pool_size = 0
+
+;; If a clients needs to wait more than this many seconds, use reserve
+;; pool.
+;reserve_pool_timeout = 5
+
+;; Maximum number of server connections for a database
+;max_db_connections = 0
+
+;; Maximum number of server connections for a user
+;max_user_connections = 0
+
+;; If off, then server connections are reused in LIFO manner
+;server_round_robin = 0
+
+;;;
+;;; Logging
+;;;
+
+;; Syslog settings
+;syslog = 0
+;syslog_facility = daemon
+;syslog_ident = pgbouncer
+
+;; log if client connects or server connection is made
+;log_connections = 1
+
+;; log if and why connection was closed
+;log_disconnections = 1
+
+;; log error messages pooler sends to clients
+;log_pooler_errors = 1
+
+;; write aggregated stats into log
+;log_stats = 1
+
+;; Logging verbosity.  Same as -v switch on command line.
+;verbose = 0
+
+;;;
+;;; Timeouts
+;;;
+
+;; Close server connection if its been connected longer.
+;server_lifetime = 3600
+
+;; Close server connection if its not been used in this time.  Allows
+;; to clean unnecessary connections from pool after peak.
+;server_idle_timeout = 600
+
+;; Cancel connection attempt if server does not answer takes longer.
+;server_connect_timeout = 15
+
+;; If server login failed (server_connect_timeout or auth failure)
+;; then wait this many second before trying again.
+;server_login_retry = 15
+
+;; Dangerous.  Server connection is closed if query does not return in
+;; this time.  Should be used to survive network problems, _not_ as
+;; statement_timeout. (default: 0)
+;query_timeout = 0
+
+;; Dangerous.  Client connection is closed if the query is not
+;; assigned to a server in this time.  Should be used to limit the
+;; number of queued queries in case of a database or network
+;; failure. (default: 120)
+;query_wait_timeout = 120
+
+;; Dangerous.  Client connection is closed if the cancellation request
+;; is not assigned to a server in this time.  Should be used to limit
+;; the time a client application blocks on a queued cancel request in
+;; case of a database or network failure. (default: 10)
+;cancel_wait_timeout = 10
+
+;; Dangerous.  Client connection is closed if no activity in this
+;; time.  Should be used to survive network problems. (default: 0)
+;client_idle_timeout = 0
+
+;; Disconnect clients who have not managed to log in after connecting
+;; in this many seconds.
+;client_login_timeout = 60
+
+;; Clean automatically created database entries (via "*") if they stay
+;; unused in this many seconds.
+;autodb_idle_timeout = 3600
+
+;; Close connections which are in "IDLE in transaction" state longer
+;; than this many seconds.
+;idle_transaction_timeout = 0
+
+;; How long SUSPEND/-R waits for buffer flush before closing
+;; connection.
+;suspend_timeout = 10
+
+;;;
+;;; Low-level tuning options
+;;;
+
+;; buffer for streaming packets
+;pkt_buf = 4096
+
+;; man 2 listen
+;listen_backlog = 128
+
+;; Max number pkt_buf to process in one event loop.
+;sbuf_loopcnt = 5
+
+;; Maximum PostgreSQL protocol packet size.
+;max_packet_size = 2147483647
+
+;; Set SO_REUSEPORT socket option
+;so_reuseport = 0
+
+;; networking options, for info: man 7 tcp
+
+;; Linux: Notify program about new connection only if there is also
+;; data received.  (Seconds to wait.)  On Linux the default is 45, on
+;; other OS'es 0.
+;tcp_defer_accept = 0
+
+;; In-kernel buffer size (Linux default: 4096)
+;tcp_socket_buffer = 0
+
+;; whether tcp keepalive should be turned on (0/1)
+;tcp_keepalive = 1
+
+;; The following options are Linux-specific.  They also require
+;; tcp_keepalive=1.
+
+;; Count of keepalive packets
+;tcp_keepcnt = 0
+
+;; How long the connection can be idle before sending keepalive
+;; packets
+;tcp_keepidle = 0
+
+;; The time between individual keepalive probes
+;tcp_keepintvl = 0
+
+;; How long may transmitted data remain unacknowledged before TCP
+;; connection is closed (in milliseconds)
+;tcp_user_timeout = 0
+
+;; DNS lookup caching time
+;dns_max_ttl = 15
+
+;; DNS zone SOA lookup period
+;dns_zone_check_period = 0
+
+;; DNS negative result caching time
+;dns_nxdomain_ttl = 15
+
+;; Custom resolv.conf file, to set custom DNS servers or other options
+;; (default: empty = use OS settings)
+;resolv_conf = /etc/pgbouncer/resolv.conf
+
+;;;
+;;; Random stuff
+;;;
+
+;; Hackish security feature.  Helps against SQL injection: when PQexec
+;; is disabled, multi-statement cannot be made.
+;disable_pqexec = 0
+
+;; Config file to use for next RELOAD/SIGHUP
+;; By default contains config file from command line.
+;conffile
+
+;; Windows service name to register as.  job_name is alias for
+;; service_name, used by some Skytools scripts.
+;service_name = pgbouncer
+;job_name = pgbouncer
+
+;; Read additional config from other file
+;%include /etc/pgbouncer/pgbouncer-other.ini

templates/server/ca.crt.erb

@@ -0,0 +1 @@
+<%= @pl_ca_crt %>

templates/server/databases/db_create_sql.erb

@@ -0,0 +1,2 @@
+psql -U postgres -tc "SELECT 1 FROM pg_database WHERE datname = '<%= @pl_db_name %>'" | grep -q 1 || psql -U postgres -c "CREATE DATABASE <%= @pl_db_name %> OWNER '<%= @pl_owner_name %>' "
+psql -U postgres <%= @pl_db_name %> -c 'create extension if not exists <%= @pl_db_extension %>'

templates/server/databases/db_drop_sql.erb

@@ -0,0 +1 @@
+dropdb -U postgres <%= @pl_db_name %> --if-exists

templates/server/databases/unless_db_sql.erb

@@ -0,0 +1 @@
+psql -U postgres -c  "SELECT datname FROM pg_database WHERE datname='<%= @pl_db_name %>' " | grep -q 1

templates/server/databases/unless_drop_sql.erb

@@ -0,0 +1 @@
+psql -U postgres -c  "SELECT datname FROM pg_database WHERE datname='<%= @pl_db_name %>' " | grep -q 1

templates/server/pghba/pg_hba.conf.erb

@@ -17,4 +17,4 @@ local   replication     all                                     md5
 host    replication     all             127.0.0.1/32            md5
 host    replication     all             ::1/128                 md5
 
-host    all             all             0.0.0.0/0               md5
+# custom rules below

templates/server/pghba/pg_hba_rule.conf.erb

@@ -0,0 +1,3 @@
+
+# description:  <%=@name%>
+<%= @pl_auth_type %>  <%= @pl_auth_database %>  <%= @pl_auth_user %> <%= @pl_auth_address %> <%=@pl_auth_method %> <%=@ql_auth_option%>

templates/server/roles/role.sql.erb

@@ -0,0 +1 @@
+psql -U postgres -c "<%= @pl_role_status %> <%= @pl_role_name %> WITH <%= @pl_role_attributes %>  PASSWORD '<%= @pl_role_pw %>'"

templates/server/roles/unless_sql.erb

@@ -0,0 +1 @@
+psql -U postgres -c  "SELECT usename FROM pg_user WHERE usename='<%= @pl_role_name %>' " | grep -o 1

templates/server/server.crt.erb

@@ -0,0 +1 @@
+<%= @pl_server_crt %>

templates/server/server.key.erb

@@ -0,0 +1 @@
+<%= @pl_server_key %>