module-postgresql/manifests/config.pp

# Class: postgresql::config
#
# Parameters:
#
#   [*postgres_password*]            - postgres db user password.
#   [*ip_mask_deny_postgres_user*]   - ip mask for denying remote access for postgres user; defaults to '0.0.0.0/0',
#                                       meaning that all TCP access for postgres user is denied.
#   [*ip_mask_allow_all_users*]      - ip mask for allowing remote access for other users (besides postgres);
#                                       defaults to '127.0.0.1/32', meaning only allow connections from localhost
#   [*listen_addresses*]             - what IP address(es) to listen on; comma-separated list of addresses; defaults to
#                                       'localhost', '*' = all
#   [*ipv4acls*]                     - list of strings for access control for connection method, users, databases, IPv4
#                                       addresses; see postgresql documentation about pg_hba.conf for information
#   [*ipv6acls*]                     - list of strings for access control for connection method, users, databases, IPv6
#                                       addresses; see postgresql documentation about pg_hba.conf for information
#   [*pg_hba_conf_path*]             - path to pg_hba.conf file
#   [*postgresql_conf_path*]         - path to postgresql.conf file
#   [*manage_redhat_firewall*]       - boolean indicating whether or not the module should open a port in the firewall on
#                                       redhat-based systems; this parameter is likely to change in future versions.  Possible
#                                       changes include support for non-RedHat systems and finer-grained control over the
#                                       firewall rule (currently, it simply opens up the postgres port to all TCP connections).
#
#
# Actions:
#
# Requires:
#
# Usage:
#
#   class { 'postgresql::config':
#     postgres_password         => 'postgres',
#     ip_mask_allow_all_users   => '0.0.0.0/0',
#   }
#
class postgresql::config(
  $postgres_password            = undef,
  $ip_mask_deny_postgres_user   = $postgresql::params::ip_mask_deny_postgres_user,
  $ip_mask_allow_all_users      = $postgresql::params::ip_mask_allow_all_users,
  $listen_addresses             = $postgresql::params::listen_addresses,
  $ipv4acls                     = $postgresql::params::ipv4acls,
  $ipv6acls                     = $postgresql::params::ipv6acls,
  $pg_hba_conf_path             = $postgresql::params::pg_hba_conf_path,
  $postgresql_conf_path         = $postgresql::params::postgresql_conf_path,
  $manage_redhat_firewall       = $postgresql::params::manage_redhat_firewall
) inherits postgresql::params {

  # Basically, all this class needs to handle is passing parameters on
  #  to the "beforeservice" and "afterservice" classes, and ensure
  #  the proper ordering.

  class { 'postgresql::config::beforeservice':
    ip_mask_deny_postgres_user    => $ip_mask_deny_postgres_user,
    ip_mask_allow_all_users       => $ip_mask_allow_all_users,
    listen_addresses              => $listen_addresses,
    ipv4acls                      => $ipv4acls,
    ipv6acls                      => $ipv6acls,
    pg_hba_conf_path              => $pg_hba_conf_path,
    postgresql_conf_path          => $postgresql_conf_path,
    manage_redhat_firewall        => $manage_redhat_firewall,
  }

  class { 'postgresql::config::afterservice':
    postgres_password        => $postgres_password,
  }

  Class['postgresql::config'] ->
      Class['postgresql::config::beforeservice'] ->
      Service['postgresqld'] ->
      Class['postgresql::config::afterservice']


}
Improve configuration for initial postgres install This commit adds some configuration management for postgres, to allow users to get a more complete setup from their initial install. Prior to this commit, we were basically only ensuring that the package was installed and the service was running. Now, we support limited configuration for the pg_hba.conf file to enable md5 authentication for remote hosts, and for the postgresql.conf file to specify the listener addresses where TCP connections should be accepted. Without these two changes the initial postgres configuration doesn't allow any connections from outside of the local host. This commit also adds an option for opening up the postgres port in the firewall on redhat-based systems, and an option to allow setting the password for the 'postgres' database user. As of this commit, this module now has dependencies on puppetlabs-stdlib (version > 2.3.4, which includes the new 'match' parameter for the 'file_line' resource type), and on puppetlabs-firewall. 2012-06-08 23:00:24 +02:00			`# Class: postgresql::config`
			`#`
			`# Parameters:`
			`#`
Add postgresql::db convenience type, improve security This commit adds a postgresql::db type for convenience; it mirrors the 'db' type from the mysql module, which allows you to create a database instance and user plus grant privileges to that user all in one succint resource. This commit also improves security in the following ways: * Revoke "CONNECT" privilege from the 'public' role for newly created databases; without this, any database created via this module will allow connections from any database user, and will allow them to do things like create tables. * Change to a 'reject'-based policy for dealing with remote connections by the postgres user in pg_hba.conf. Prior to this commit, if you tried to restrict access to the postgres user by IP, the rule would simply not match for disallowed IPs; then it would fall through to the rule for "all" users, which could still match and thus allow the postgres user to connect remotely. 2012-06-09 18:23:11 +02:00			`# [postgres_password] - postgres db user password.`
			`# [ip_mask_deny_postgres_user] - ip mask for denying remote access for postgres user; defaults to '0.0.0.0/0',`
			`# meaning that all TCP access for postgres user is denied.`
			`# [ip_mask_allow_all_users] - ip mask for allowing remote access for other users (besides postgres);`
			`# defaults to '127.0.0.1/32', meaning only allow connections from localhost`
			`# [listen_addresses] - what IP address(es) to listen on; comma-separated list of addresses; defaults to`
			`# 'localhost', '*' = all`
ACLs functioning, added examples in README and test, comments in config manifests 2012-10-22 21:34:24 +02:00			`# [ipv4acls] - list of strings for access control for connection method, users, databases, IPv4`
			`# addresses; see postgresql documentation about pg_hba.conf for information`
			`# [ipv6acls] - list of strings for access control for connection method, users, databases, IPv6`
			`# addresses; see postgresql documentation about pg_hba.conf for information`
Add postgresql::db convenience type, improve security This commit adds a postgresql::db type for convenience; it mirrors the 'db' type from the mysql module, which allows you to create a database instance and user plus grant privileges to that user all in one succint resource. This commit also improves security in the following ways: * Revoke "CONNECT" privilege from the 'public' role for newly created databases; without this, any database created via this module will allow connections from any database user, and will allow them to do things like create tables. * Change to a 'reject'-based policy for dealing with remote connections by the postgres user in pg_hba.conf. Prior to this commit, if you tried to restrict access to the postgres user by IP, the rule would simply not match for disallowed IPs; then it would fall through to the rule for "all" users, which could still match and thus allow the postgres user to connect remotely. 2012-06-09 18:23:11 +02:00			`# [pg_hba_conf_path] - path to pg_hba.conf file`
			`# [postgresql_conf_path] - path to postgresql.conf file`
			`# [manage_redhat_firewall] - boolean indicating whether or not the module should open a port in the firewall on`
			`# redhat-based systems; this parameter is likely to change in future versions. Possible`
			`# changes include support for non-RedHat systems and finer-grained control over the`
			`# firewall rule (currently, it simply opens up the postgres port to all TCP connections).`
Improve configuration for initial postgres install This commit adds some configuration management for postgres, to allow users to get a more complete setup from their initial install. Prior to this commit, we were basically only ensuring that the package was installed and the service was running. Now, we support limited configuration for the pg_hba.conf file to enable md5 authentication for remote hosts, and for the postgresql.conf file to specify the listener addresses where TCP connections should be accepted. Without these two changes the initial postgres configuration doesn't allow any connections from outside of the local host. This commit also adds an option for opening up the postgres port in the firewall on redhat-based systems, and an option to allow setting the password for the 'postgres' database user. As of this commit, this module now has dependencies on puppetlabs-stdlib (version > 2.3.4, which includes the new 'match' parameter for the 'file_line' resource type), and on puppetlabs-firewall. 2012-06-08 23:00:24 +02:00			`#`
			`#`
			`# Actions:`
			`#`
			`# Requires:`
			`#`
			`# Usage:`
			`#`
			`# class { 'postgresql::config':`
Add postgresql::db convenience type, improve security This commit adds a postgresql::db type for convenience; it mirrors the 'db' type from the mysql module, which allows you to create a database instance and user plus grant privileges to that user all in one succint resource. This commit also improves security in the following ways: * Revoke "CONNECT" privilege from the 'public' role for newly created databases; without this, any database created via this module will allow connections from any database user, and will allow them to do things like create tables. * Change to a 'reject'-based policy for dealing with remote connections by the postgres user in pg_hba.conf. Prior to this commit, if you tried to restrict access to the postgres user by IP, the rule would simply not match for disallowed IPs; then it would fall through to the rule for "all" users, which could still match and thus allow the postgres user to connect remotely. 2012-06-09 18:23:11 +02:00			`# postgres_password => 'postgres',`
			`# ip_mask_allow_all_users => '0.0.0.0/0',`
Improve configuration for initial postgres install This commit adds some configuration management for postgres, to allow users to get a more complete setup from their initial install. Prior to this commit, we were basically only ensuring that the package was installed and the service was running. Now, we support limited configuration for the pg_hba.conf file to enable md5 authentication for remote hosts, and for the postgresql.conf file to specify the listener addresses where TCP connections should be accepted. Without these two changes the initial postgres configuration doesn't allow any connections from outside of the local host. This commit also adds an option for opening up the postgres port in the firewall on redhat-based systems, and an option to allow setting the password for the 'postgres' database user. As of this commit, this module now has dependencies on puppetlabs-stdlib (version > 2.3.4, which includes the new 'match' parameter for the 'file_line' resource type), and on puppetlabs-firewall. 2012-06-08 23:00:24 +02:00			`# }`
			`#`
			`class postgresql::config(`
Add postgresql::db convenience type, improve security This commit adds a postgresql::db type for convenience; it mirrors the 'db' type from the mysql module, which allows you to create a database instance and user plus grant privileges to that user all in one succint resource. This commit also improves security in the following ways: * Revoke "CONNECT" privilege from the 'public' role for newly created databases; without this, any database created via this module will allow connections from any database user, and will allow them to do things like create tables. * Change to a 'reject'-based policy for dealing with remote connections by the postgres user in pg_hba.conf. Prior to this commit, if you tried to restrict access to the postgres user by IP, the rule would simply not match for disallowed IPs; then it would fall through to the rule for "all" users, which could still match and thus allow the postgres user to connect remotely. 2012-06-09 18:23:11 +02:00			`$postgres_password = undef,`
mis-spelt param names 2012-10-04 12:16:40 +02:00			`$ip_mask_deny_postgres_user = $postgresql::params::ip_mask_deny_postgres_user,`
			`$ip_mask_allow_all_users = $postgresql::params::ip_mask_allow_all_users,`
Add postgresql::db convenience type, improve security This commit adds a postgresql::db type for convenience; it mirrors the 'db' type from the mysql module, which allows you to create a database instance and user plus grant privileges to that user all in one succint resource. This commit also improves security in the following ways: * Revoke "CONNECT" privilege from the 'public' role for newly created databases; without this, any database created via this module will allow connections from any database user, and will allow them to do things like create tables. * Change to a 'reject'-based policy for dealing with remote connections by the postgres user in pg_hba.conf. Prior to this commit, if you tried to restrict access to the postgres user by IP, the rule would simply not match for disallowed IPs; then it would fall through to the rule for "all" users, which could still match and thus allow the postgres user to connect remotely. 2012-06-09 18:23:11 +02:00			`$listen_addresses = $postgresql::params::listen_addresses,`
first commit of acls 2012-10-22 07:27:35 +02:00			`$ipv4acls = $postgresql::params::ipv4acls,`
			`$ipv6acls = $postgresql::params::ipv6acls,`
Merge platform.pp back into params.pp Nan showed me a trick that will let us keep all of that param stuff inside of params.pp, make it a parameterized class, and still support the ability for users to specify a custom (non-system-default) pg version. This commit takes the first step towards that pattern by consolidating platform.pp and params.pp. (Everything old is new again!) 2012-12-04 05:42:20 +01:00			`$pg_hba_conf_path = $postgresql::params::pg_hba_conf_path,`
			`$postgresql_conf_path = $postgresql::params::postgresql_conf_path,`
Remove trailing commas. This makes the module work on Puppet 2.7.1 (from Ubuntu 11.10). 2012-08-25 03:20:27 +02:00			`$manage_redhat_firewall = $postgresql::params::manage_redhat_firewall`
Improve configuration for initial postgres install This commit adds some configuration management for postgres, to allow users to get a more complete setup from their initial install. Prior to this commit, we were basically only ensuring that the package was installed and the service was running. Now, we support limited configuration for the pg_hba.conf file to enable md5 authentication for remote hosts, and for the postgresql.conf file to specify the listener addresses where TCP connections should be accepted. Without these two changes the initial postgres configuration doesn't allow any connections from outside of the local host. This commit also adds an option for opening up the postgres port in the firewall on redhat-based systems, and an option to allow setting the password for the 'postgres' database user. As of this commit, this module now has dependencies on puppetlabs-stdlib (version > 2.3.4, which includes the new 'match' parameter for the 'file_line' resource type), and on puppetlabs-firewall. 2012-06-08 23:00:24 +02:00			`) inherits postgresql::params {`
Merge ::paths and ::packages into one class, called ::platform. 2012-11-30 23:08:48 +01:00
Removed references to $postgresql::paths in class params. 2012-11-29 18:42:38 +01:00			`# Basically, all this class needs to handle is passing parameters on`
			`# to the "beforeservice" and "afterservice" classes, and ensure`
			`# the proper ordering.`
Improve configuration for initial postgres install This commit adds some configuration management for postgres, to allow users to get a more complete setup from their initial install. Prior to this commit, we were basically only ensuring that the package was installed and the service was running. Now, we support limited configuration for the pg_hba.conf file to enable md5 authentication for remote hosts, and for the postgresql.conf file to specify the listener addresses where TCP connections should be accepted. Without these two changes the initial postgres configuration doesn't allow any connections from outside of the local host. This commit also adds an option for opening up the postgres port in the firewall on redhat-based systems, and an option to allow setting the password for the 'postgres' database user. As of this commit, this module now has dependencies on puppetlabs-stdlib (version > 2.3.4, which includes the new 'match' parameter for the 'file_line' resource type), and on puppetlabs-firewall. 2012-06-08 23:00:24 +02:00
Removed references to $postgresql::paths in class params. 2012-11-29 18:42:38 +01:00			`class { 'postgresql::config::beforeservice':`
			`ip_mask_deny_postgres_user => $ip_mask_deny_postgres_user,`
			`ip_mask_allow_all_users => $ip_mask_allow_all_users,`
			`listen_addresses => $listen_addresses,`
			`ipv4acls => $ipv4acls,`
			`ipv6acls => $ipv6acls,`
Merge platform.pp back into params.pp Nan showed me a trick that will let us keep all of that param stuff inside of params.pp, make it a parameterized class, and still support the ability for users to specify a custom (non-system-default) pg version. This commit takes the first step towards that pattern by consolidating platform.pp and params.pp. (Everything old is new again!) 2012-12-04 05:42:20 +01:00			`pg_hba_conf_path => $pg_hba_conf_path,`
			`postgresql_conf_path => $postgresql_conf_path,`
Removed references to $postgresql::paths in class params. 2012-11-29 18:42:38 +01:00			`manage_redhat_firewall => $manage_redhat_firewall,`
			`}`
Improve configuration for initial postgres install This commit adds some configuration management for postgres, to allow users to get a more complete setup from their initial install. Prior to this commit, we were basically only ensuring that the package was installed and the service was running. Now, we support limited configuration for the pg_hba.conf file to enable md5 authentication for remote hosts, and for the postgresql.conf file to specify the listener addresses where TCP connections should be accepted. Without these two changes the initial postgres configuration doesn't allow any connections from outside of the local host. This commit also adds an option for opening up the postgres port in the firewall on redhat-based systems, and an option to allow setting the password for the 'postgres' database user. As of this commit, this module now has dependencies on puppetlabs-stdlib (version > 2.3.4, which includes the new 'match' parameter for the 'file_line' resource type), and on puppetlabs-firewall. 2012-06-08 23:00:24 +02:00
Removed references to $postgresql::paths in class params. 2012-11-29 18:42:38 +01:00			`class { 'postgresql::config::afterservice':`
			`postgres_password => $postgres_password,`
			`}`

			`Class['postgresql::config'] ->`
			`Class['postgresql::config::beforeservice'] ->`
			`Service['postgresqld'] ->`
			`Class['postgresql::config::afterservice']`
Improve configuration for initial postgres install This commit adds some configuration management for postgres, to allow users to get a more complete setup from their initial install. Prior to this commit, we were basically only ensuring that the package was installed and the service was running. Now, we support limited configuration for the pg_hba.conf file to enable md5 authentication for remote hosts, and for the postgresql.conf file to specify the listener addresses where TCP connections should be accepted. Without these two changes the initial postgres configuration doesn't allow any connections from outside of the local host. This commit also adds an option for opening up the postgres port in the firewall on redhat-based systems, and an option to allow setting the password for the 'postgres' database user. As of this commit, this module now has dependencies on puppetlabs-stdlib (version > 2.3.4, which includes the new 'match' parameter for the 'file_line' resource type), and on puppetlabs-firewall. 2012-06-08 23:00:24 +02:00

			`}`