12 Commits

Author SHA1 Message Date
8e55ae1c25 update url 2026-02-06 16:08:15 +01:00
eeb78a7717 OP#375 remove .vscode 2026-01-28 13:49:56 +01:00
12ww1160
bbb2b7a991 OP#263 update Readme 2025-12-15 14:26:22 +01:00
12ww1160
e00a4c8da1 OP#263 remove exporter option 2025-12-15 14:09:47 +01:00
12ww1160
a59dc28728 OP#263 include exporter dirs 2025-12-15 13:55:20 +01:00
12ww1160
b9efa5800f OP#263 include exporter service 2025-12-15 13:54:08 +01:00
12ww1160
974e59af4d add badge 2025-12-14 16:49:10 +01:00
12ww1160
894e870c1b add button 2025-12-14 16:45:55 +01:00
12ww1160
dca27f11d0 add TOC 2025-12-14 16:39:50 +01:00
12ww1160
51cdc98fbf OP#228 update Readme 2025-12-08 14:35:49 +01:00
12ww1160
60d9d4b237 OP#228 add tls file control 2025-12-08 14:32:52 +01:00
12ww1160
58e12e6714 OP#207fix variable relationship and add firewall rule 2025-12-05 16:21:33 +01:00
16 changed files with 100 additions and 79 deletions

4
Jenkinsfile vendored

@@ -90,6 +90,7 @@ pipeline {
sh ''' sh '''
git config user.name "Jenkins Server" git config user.name "Jenkins Server"
git config user.email jenkins@confdroid.com git config user.email jenkins@confdroid.com
git rm -r --cached .vscode || echo "No .vscode to remove from git"
git add -A && git commit -am "Recommit for updates in build $BUILD_NUMBER" || echo "No changes to commit" git add -A && git commit -am "Recommit for updates in build $BUILD_NUMBER" || echo "No changes to commit"
git push origin HEAD:master git push origin HEAD:master
''' '''
@@ -111,8 +112,9 @@ pipeline {
git branch -D development git branch -D development
git branch -D jenkins-build-$BUILD_NUMBER git branch -D jenkins-build-$BUILD_NUMBER
git rm -f Jenkinsfile git rm -f Jenkinsfile
git rm -r --cached .vscode || echo "No .vscode to remove from git"
git commit --amend --no-edit --allow-empty git commit --amend --no-edit --allow-empty
git remote add master https://gitea.confdroid.com/confdroid/confdroid_postgresql.git git remote add master https://sourcecode.confdroid.com/confdroid/confdroid_postgresql.git
git -c credential.helper="!f() { echo username=${GITEA_USER}; echo password=${GITEA_TOKEN}; }; f" \ git -c credential.helper="!f() { echo username=${GITEA_USER}; echo password=${GITEA_TOKEN}; }; f" \
push master --mirror push master --mirror
''' '''
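Review bot: In the first hunk, the new `git rm -r --cached .vscode` line is immediately followed by `git add -A`, which re-stages `.vscode` from the working tree unless the directory is ignored, so the removal is undone in the same commit; nothing in this change shows a `.gitignore` entry for it. Either remove the directory from the working tree before staging, `rm -rf .vscode`, or make sure `.vscode/` is ignored before the `git add -A`. The second hunk's `--cached` removal is followed by `--amend` rather than a re-add and is fine. Separately, the `credential.helper` push at the end of the second hunk expands `${GITEA_TOKEN}` on the command line; if this `sh` step runs with Jenkins' default `-x` tracing and the token is not bound through `withCredentials` masking, the expanded line is echoed to the build log, so a `set +x` line before the push is advisable. The surrounding stage and steps begin outside both hunks.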


@@ -1,6 +1,21 @@
# Readme # Readme
[![Build Status](https://jenkins.confdroid.com/buildStatus/icon?job=confdroid_postgresql)](https://jenkins.confdroid.com/job/postfresql_cd/) [![Build Status](https://jenkins.confdroid.com/buildStatus/icon?job=confdroid_postgresql)](https://jenkins.confdroid.com/job/postfresql_cd/)
[![Security Hotspots](https://sonarqube.confdroid.com/api/project_badges/measure?project=confdroid_postgresql&metric=security_hotspots&token=sqb_34cadd0d17dba89c9735fca0b6cd96c55e22950d)](https://sonarqube.confdroid.com/dashboard?id=confdroid_postgresql)
- [Readme](#readme)
- [Synopsis](#synopsis)
- [WARNING](#warning)
- [Features](#features)
- [Repo Documentation](#repo-documentation)
- [Dependencies](#dependencies)
- [Deployment](#deployment)
- [SELINUX](#selinux)
- [Known Problems](#known-problems)
- [Support](#support)
- [Tests](#tests)
- [Contact Us](#contact-us)
- [Disclaimer](#disclaimer)
## Synopsis ## Synopsis
@@ -12,6 +27,8 @@ PostgreSQL is a powerful modern open source SQL database server.
***Attention: Never use this puppet module on systems which have been previously configured manually. It is impossible to predict how and what would have been configured, hence previous configurations outside the scope of this module may be overwritten! Automated configurations require a test environment to verify that the module suits the purpose intended by the user, as well as tune the parameters, before deploying into live production*** ***Attention: Never use this puppet module on systems which have been previously configured manually. It is impossible to predict how and what would have been configured, hence previous configurations outside the scope of this module may be overwritten! Automated configurations require a test environment to verify that the module suits the purpose intended by the user, as well as tune the parameters, before deploying into live production***
[!["Buy Me A Coffee"](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://www.buymeacoffee.com/grizzly_coda)
## Features ## Features
Installation Installation
@@ -30,6 +47,7 @@ Optional:
* manage roles and databases via define (set `$pl_manage_content` to true) * manage roles and databases via define (set `$pl_manage_content` to true)
* manage extensions (set `pl_manage_extensions`to `true`) * manage extensions (set `pl_manage_extensions`to `true`)
* install and manage pg_bouncer (set `pl_use_pg_bouncer`to `true`) * install and manage pg_bouncer (set `pl_use_pg_bouncer`to `true`)
* enable SL / TLS manage TLS certificates (set `pl_ssl_enabled`to `true` and populate content externally through variables)
## Repo Documentation ## Repo Documentation
@@ -65,8 +83,10 @@ All files and directories are configured with correct selinux context. If selinu
## Support ## Support
This module has been developed for and tested with
* OS: Rocky 9 * OS: Rocky 9
* Puppet 6 - 8 * Puppet 8
## Tests ## Tests
@@ -79,7 +99,8 @@ All files and directories are configured with correct selinux context. If selinu
## Contact Us ## Contact Us
[contact Us](https://confdroid.com/contact/) * [contact Us](https://confdroid.com/contact/)
* [Feedback Portal](https://feedback.confdroid.com)
## Disclaimer ## Disclaimer


@@ -3,11 +3,11 @@
# Author: 12ww1160 (12ww1160@confdroid.com) # Author: 12ww1160 (12ww1160@confdroid.com)
# @summary Class manages the pgbouncer service # @summary Class manages the pgbouncer service
# @example confdroid_postgresql::bouncer::bouncer_rule { 'test connection': # @example confdroid_postgresql::bouncer::bouncer_rule { 'test connection':
# pl_bouncer_db_name => 'test', # pl_bouncer_db_name => 'test',
# pl_bouncer_host => '127.0.0.7', # pl_bouncer_host => '127.0.0.7',
# pl_bouncer_port => '5432', # pl_bouncer_host_port => '5432',
# pl_bouncer_user => 'test_user', # pl_bouncer_user => 'test_user',
# pl_bouncer_order => '001', # pl_bouncer_order => '001',
# } # }
############################################################################### ###############################################################################
class confdroid_postgresql::bouncer::bouncer ( class confdroid_postgresql::bouncer::bouncer (


@@ -5,18 +5,18 @@
# @see https://www.postgresql.org/docs/9.6/static/auth-pg-hba-conf.html # @see https://www.postgresql.org/docs/9.6/static/auth-pg-hba-conf.html
# @param [String] pl_bouncer_db_name db name for the bouncer rule # @param [String] pl_bouncer_db_name db name for the bouncer rule
# @param [String] pl_bouncer_host IP of the db host to bounce to # @param [String] pl_bouncer_host IP of the db host to bounce to
# @param [String] pl_bouncer_port port of the db host to bounce to # @param [String] pl_bouncer_host_port port of the db host to bounce to
# @param [String] pl_bouncer_user user for the connection. Must be defined in # @param [String] pl_bouncer_user user for the connection. Must be defined in
# userlist.txt # userlist.txt
# @param [String] pl_bouncer_order the order in which the rule should appear # @param [String] pl_bouncer_order the order in which the rule should appear
############################################################################## ##############################################################################
define confdroid_postgresql::bouncer::bouncer_rule ( define confdroid_postgresql::bouncer::bouncer_rule (
String $pl_bouncer_db_name = undef, String $pl_bouncer_db_name = undef,
String $pl_bouncer_host = '127.0.0.1', String $pl_bouncer_host = '127.0.0.1',
String $pl_bouncer_port = '5432', String $pl_bouncer_host_port = '5432',
String $pl_bouncer_user = undef, String $pl_bouncer_user = undef,
String $pl_bouncer_order = undef, String $pl_bouncer_order = undef,
) { ) {
$pl_bouncer_ini_file = $confdroid_postgresql::params::pl_bouncer_ini_file $pl_bouncer_ini_file = $confdroid_postgresql::params::pl_bouncer_ini_file


@@ -1,21 +0,0 @@
## confdroid_postgresql::exporter::dirs.pp
# Module name: confdroid_postgresql
# Author: 12ww1160 (12ww1160@confdroid.com)
# @summary Class manages the postgresql exporter dirs
###############################################################################
class confdroid_postgresql::exporter::dirs (
) inherits confdroid_postgresql::params {
if ($fqdn == $pl_server_fqdn) and ($pl_use_exporter == true) {
file { $pl_install_dir:
ensure => directory,
owner => 'postgres',
group => 'postgres',
mode => '0755',
selrange => s0,
selrole => object_r,
seltype => usr_t,
seluser => system_u,
}
}
}


@@ -1,12 +0,0 @@
## confdroid_postgresql::exporter::files.pp
# Module name: confdroid_postgresql
# Author: 12ww1160 (12ww1160@confdroid.com)
# @summary Class manages the postgresql exporter files
###############################################################################
class confdroid_postgresql::exporter::files (
) inherits confdroid_postgresql::params {
if ($fqdn == $pl_server_fqdn) and ($pl_use_exporter == true) {
require confdroid_postgresql::exporter::dirs
}
}


@@ -1,19 +0,0 @@
## confdroid_postgresql::exporter::service.pp
# Module name: confdroid_postgresql
# Author: 12ww1160 (12ww1160@confdroid.com)
# @summary Class manages the postgresql exporter service
###############################################################################
class confdroid_postgresql::exporter::service (
) inherits confdroid_postgresql::params {
if ($fqdn == $pl_server_fqdn) and ($pl_use_exporter == true) {
require confdroid_postgresql::exporter::files
# service { $pl_exporter_service:
# ensure => running,
# hasstatus => true,
# hasrestart => true,
# enable => true,
# }
}
}


@@ -13,5 +13,13 @@ class confdroid_postgresql::firewall::iptables (
dport => $pl_fw_port, dport => $pl_fw_port,
jump => 'accept', jump => 'accept',
} }
if $pl_use_pg_bouncer == true {
firewall { "${pl_fw_rule_order}${pl_bouncer_port} tcp port ${pl_bouncer_port}":
source => $pl_source_range,
proto => 'tcp',
dport => $pl_bouncer_port,
jump => 'accept',
}
}
} }
} }
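Review bot: `if $pl_use_pg_bouncer == true {` compares a parameter that params.pp in this same change declares as `Boolean` against `true`; the idiomatic Puppet form is `if $pl_use_pg_bouncer {`, which is also what puppet-lint expects. Because the bouncer listens on `0.0.0.0` by default (also visible in the params.pp hunk), this rule's `source => $pl_source_range` is the only network-level restriction on the bouncer port, which deserves a comment above the resource such as `# pgbouncer binds 0.0.0.0; $pl_source_range is the only network restriction on this port`. The class and the enclosing `if` begin before the hunk.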


@@ -10,9 +10,6 @@ class confdroid_postgresql::main::config (
if $fqdn == $pl_server_fqdn { if $fqdn == $pl_server_fqdn {
include confdroid_postgresql::server::service include confdroid_postgresql::server::service
# if $pl_use_exporter == true {
# include confdroid_postgresql::exporter::service
# }
if $pl_use_pg_bouncer == true { if $pl_use_pg_bouncer == true {
include confdroid_postgresql::bouncer::service include confdroid_postgresql::bouncer::service
} }


@@ -22,5 +22,47 @@ class confdroid_postgresql::main::files (
content => template('confdroid_postgresql/postgresql.conf.erb'), content => template('confdroid_postgresql/postgresql.conf.erb'),
notify => Service[$pl_service], notify => Service[$pl_service],
} }
if $pl_ssl_enabled == true {
# manage tls certs
## ca.crt
file { $pl_ca_crt_file:
ensure => file,
owner => 'postgres',
group => 'postgres',
mode => '0400',
selrange => s0,
selrole => object_r,
seltype => postgresql_db_t,
seluser => unconfined_u,
content => template($pl_ca_crt_erb),
notify => Service[$pl_service],
}
## server.crt
file { $pl_server_crt_file:
ensure => file,
owner => 'postgres',
group => 'postgres',
mode => '0400',
selrange => s0,
selrole => object_r,
seltype => postgresql_db_t,
seluser => unconfined_u,
content => template($pl_server_crt_erb),
notify => Service[$pl_service],
}
## server.key
file { $pl_server_key_file:
ensure => file,
owner => 'postgres',
group => 'postgres',
mode => '0400',
selrange => s0,
selrole => object_r,
seltype => postgresql_db_t,
seluser => unconfined_u,
content => template($pl_server_key_erb),
notify => Service[$pl_service],
}
}
} }
} }
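Review bot: The `$pl_server_key_file` resource writes private key material through `content => template($pl_server_key_erb)` with no `show_diff => false`, so whenever the key changes Puppet logs and reports a content diff that contains the key, and the catalog carries it as a plain string. Add `show_diff => false,` to that resource and, since the README hunk in this change states Puppet 8 as the supported version, wrap the value as `content => Sensitive(template($pl_server_key_erb)),`; for that to help, the value must also be kept Sensitive at its source, which this change does not show. The three file resources differ only in title and template, so a hash of path => template iterated with `each` would avoid the triplication. The class begins before the hunk.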


@@ -23,8 +23,6 @@
# @param [String] pl_ca_crt the name of the CA crt # @param [String] pl_ca_crt the name of the CA crt
# @param [Boolean] pl_manage_content whether to manage roles and databases # @param [Boolean] pl_manage_content whether to manage roles and databases
# @param [Boolean] pl_manage_extensions whether to manage extensions # @param [Boolean] pl_manage_extensions whether to manage extensions
# @param [Boolean] pl_use_exporter whether to use the postgresql-exporter
# @param [String] pl_install_dir the path for the postgres-exporter files
# @param [String] pl_idle_timeout idle_in_transaction_session_timeout # @param [String] pl_idle_timeout idle_in_transaction_session_timeout
# @param [Boolean] pl_use_pg_bouncer whether to use the pc_bouncer # @param [Boolean] pl_use_pg_bouncer whether to use the pc_bouncer
# @param [String] pl_bouncer_listen_addr bouncer listen address # @param [String] pl_bouncer_listen_addr bouncer listen address
@@ -64,10 +62,6 @@ class confdroid_postgresql::params (
Boolean $pl_manage_content = true, Boolean $pl_manage_content = true,
Boolean $pl_manage_extensions = false, Boolean $pl_manage_extensions = false,
# postgresql exporter
Boolean $pl_use_exporter = false,
String $pl_install_dir = '/opt/postgres-exporter',
# pg bouncer # pg bouncer
Boolean $pl_use_pg_bouncer = false, Boolean $pl_use_pg_bouncer = false,
String $pl_bouncer_listen_addr = '0.0.0.0', String $pl_bouncer_listen_addr = '0.0.0.0',
@@ -97,6 +91,12 @@ class confdroid_postgresql::params (
$pl_bouncer_auth_file = "${pl_bouncer_dir}/userlist.txt" $pl_bouncer_auth_file = "${pl_bouncer_dir}/userlist.txt"
$pl_bouncer_auth_erb = 'confdroid_postgresql/server/bouncer/bouncer_users.erb' $pl_bouncer_auth_erb = 'confdroid_postgresql/server/bouncer/bouncer_users.erb'
$pl_bouncer_rule_erb = 'confdroid_postgresql/server/bouncer/bouncer_rule.erb' $pl_bouncer_rule_erb = 'confdroid_postgresql/server/bouncer/bouncer_rule.erb'
$pl_ca_crt_file = "${pl_data_dir}/ca.crt"
$pl_ca_crt_erb = 'confdroid_postgresql/server/ca.crt.erb'
$pl_server_crt_file = "${pl_data_dir}/server.crt"
$pl_server_crt_erb = 'confdroid_postgresql/server/server.crt.erb'
$pl_server_key_file = "${pl_data_dir}/server.key"
$pl_server_key_erb = 'confdroid_postgresql/server/server.key.erb'
# Service # Service
$pl_service = 'postgresql' $pl_service = 'postgresql'
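Review bot: The first hunk keeps `# @param [String] pl_ca_crt the name of the CA crt`, but the new `ca.crt.erb` in this change emits `<%= @pl_ca_crt %>` as the file's content and main::files writes it to `$pl_ca_crt_file`, so the parameter now carries the PEM body rather than a file name and the doc comment is stale; the same presumably applies to `pl_server_crt` and `pl_server_key`, whose @param lines are outside the hunk. Suggested wording: `# @param [String] pl_ca_crt PEM content of the CA certificate written to ${pl_data_dir}/ca.crt`. The `pl_server_key` parameter receives a private key, so its @param should also state that callers are expected to supply it as a Sensitive value.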


@@ -108,9 +108,9 @@ shared_preload_libraries = '<%= @reqpackages_extensions %>'
<% if @pl_ssl_enabled == true -%> <% if @pl_ssl_enabled == true -%>
ssl = on ssl = on
ssl_ca_file = '<%= @pl_data_dir %><%= @pl_ca_crt -%>' ssl_ca_file = '<%= @pl_data_dir %>ca.crt'
ssl_cert_file = '<%= @pl_data_dir %><%= @pl_server_crt -%>' ssl_cert_file = '<%= @pl_data_dir %>server.crt'
ssl_key_file = '<%= @pl_data_dir %><%= @pl_server_key -%>' ssl_key_file = '<%= @pl_data_dir %>server.key'
<% end -%> <% end -%>
<% if @pl_ssl_enabled != true -%> <% if @pl_ssl_enabled != true -%>
ssl = off ssl = off
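Review bot: The new `ssl_ca_file = '<%= @pl_data_dir %>ca.crt'` and the two lines below it join `@pl_data_dir` and the file name with no separator, while params.pp in this same change builds the managed file paths as `"${pl_data_dir}/ca.crt"`; unless `$pl_data_dir` ends with a slash (in which case the params paths contain `//`), postgresql.conf points at a file that is never written. Use the same variables the file resources are created from so both sides cannot drift: `ssl_ca_file = '<%= @pl_ca_crt_file %>'`, `ssl_cert_file = '<%= @pl_server_crt_file %>'`, `ssl_key_file = '<%= @pl_server_key_file %>'`. Those variables are in scope in main::files, which renders this template.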


@@ -1 +1 @@
<%= @pl_bouncer_db_name %> = host=<%= @pl_bouncer_host %> port=<%= @pl_bouncer_port %> auth_user=<%= @pl_bouncer_user %> dbname=<%= @pl_bouncer_db_name %> <%= @pl_bouncer_db_name %> = host=<%= @pl_bouncer_host %> port=<%= @pl_bouncer_host_port %> auth_user=<%= @pl_bouncer_user %> dbname=<%= @pl_bouncer_db_name %>


@@ -0,0 +1 @@
<%= @pl_ca_crt %>


@@ -0,0 +1 @@
<%= @pl_server_crt %>


@@ -0,0 +1 @@
<%= @pl_server_key %>