Merge branch 'manage_pg_hba_conf'
* manage_pg_hba_conf: Add support for optional management of pg_hba.conf
2e0455ffdf
4 changed files with 90 additions and 78 deletions
|
@ -61,6 +61,7 @@ For a more customized, less restrictive configuration:
|
|||
'listen_addresses' => '*',
|
||||
'ipv4acls' => ['hostssl all johndoe 192.168.0.0/24 cert'],
|
||||
'manage_redhat_firewall' => true,
|
||||
'manage_pg_hba_conf' => false,
|
||||
'postgres_password' => 'TPSrep0rt!',
|
||||
},
|
||||
}
|
||||
|
@ -217,6 +218,9 @@ This value defaults to `localhost`, meaning the postgres server will only accept
|
|||
####`manage_redhat_firewall`
|
||||
This value defaults to `false`. Many RedHat-based distros ship with a fairly restrictive firewall configuration which will block the port that postgres tries to listen on. If you’d like for the puppet module to open this port for you (using the [puppetlabs-firewall](http://forge.puppetlabs.com/puppetlabs/firewall) module), change this value to true. *[This parameter is likely to change in future versions. Possible changes include support for non-RedHat systems and finer-grained control over the firewall rule (currently, it simply opens up the postgres port to all TCP connections).]*
|
||||
|
||||
####`manage_pg_hba_conf`
|
||||
This value defaults to `true`. Whether or not manage the pg_hba.conf. If set to `true`, puppet will overwrite this file. If set to `false`, puppet will not modify the file.
|
||||
|
||||
####`ip_mask_allow_all_users`
|
||||
This value defaults to `127.0.0.1/32`. By default, Postgres does not allow any database user accounts to connect via TCP from remote machines. If you’d like to allow them to, you can override this setting. You might set it to `0.0.0.0/0` to allow database users to connect from any remote machine, or `192.168.0.0/16` to allow connections from any machine on your local 192.168 subnet.
|
||||
|
||||
|
|
|
@ -19,6 +19,7 @@
|
|||
# redhat-based systems; this parameter is likely to change in future versions. Possible
|
||||
# changes include support for non-RedHat systems and finer-grained control over the
|
||||
# firewall rule (currently, it simply opens up the postgres port to all TCP connections).
|
||||
# [*manage_pg_hba_conf*] - boolean indicating whether or not the module manages pg_hba.conf file.
|
||||
#
|
||||
#
|
||||
# Actions:
|
||||
|
@ -41,7 +42,8 @@ class postgresql::config(
|
|||
$ipv6acls = $postgresql::params::ipv6acls,
|
||||
$pg_hba_conf_path = $postgresql::params::pg_hba_conf_path,
|
||||
$postgresql_conf_path = $postgresql::params::postgresql_conf_path,
|
||||
$manage_redhat_firewall = $postgresql::params::manage_redhat_firewall
|
||||
$manage_redhat_firewall = $postgresql::params::manage_redhat_firewall,
|
||||
$manage_pg_hba_conf = $postgresql::params::manage_pg_hba_conf
|
||||
) inherits postgresql::params {
|
||||
|
||||
# Basically, all this class needs to handle is passing parameters on
|
||||
|
@ -57,6 +59,7 @@ class postgresql::config(
|
|||
pg_hba_conf_path => $pg_hba_conf_path,
|
||||
postgresql_conf_path => $postgresql_conf_path,
|
||||
manage_redhat_firewall => $manage_redhat_firewall,
|
||||
manage_pg_hba_conf => $manage_pg_hba_conf,
|
||||
}
|
||||
|
||||
class { 'postgresql::config::afterservice':
|
||||
|
|
|
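Review bot: The new `$manage_pg_hba_conf` parameter in the `postgresql::config` signature (hunk @ -41,7) is accepted without any validation, so a non-boolean value — for instance the quoted string `'false'` that an ENC or Hiera lookup can hand in — is passed straight through to `postgresql::config::beforeservice`, and depending on the Puppet version's string-truthiness rules it may leave pg_hba.conf managed when the operator meant the opposite; the parameter added to `postgresql::config::beforeservice` in the next file has the same gap. If the module already depends on puppetlabs-stdlib, a `validate_bool($manage_pg_hba_conf)` at the top of the class body would reject such values at catalog compile time. The body of `postgresql::config` continues outside the visible hunks.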
@ -18,6 +18,7 @@
|
|||
# redhat-based systems; this parameter is likely to change in future versions. Possible
|
||||
# changes include support for non-RedHat systems and finer-grained control over the
|
||||
# firewall rule (currently, it simply opens up the postgres port to all TCP connections).
|
||||
# [*manage_pg_hba_conf*] - boolean indicating whether or not the module manages pg_hba.conf file.
|
||||
#
|
||||
# Actions:
|
||||
#
|
||||
|
@ -41,7 +42,8 @@ class postgresql::config::beforeservice(
|
|||
$listen_addresses = $postgresql::params::listen_addresses,
|
||||
$ipv4acls = $postgresql::params::ipv4acls,
|
||||
$ipv6acls = $postgresql::params::ipv6acls,
|
||||
$manage_redhat_firewall = $postgresql::params::manage_redhat_firewall
|
||||
$manage_redhat_firewall = $postgresql::params::manage_redhat_firewall,
|
||||
$manage_pg_hba_conf = $postgresql::params::manage_pg_hba_conf
|
||||
) inherits postgresql::params {
|
||||
|
||||
|
||||
|
@ -50,6 +52,7 @@ class postgresql::config::beforeservice(
|
|||
group => $postgresql::params::group,
|
||||
}
|
||||
|
||||
if $manage_pg_hba_conf {
|
||||
# Create the main pg_hba resource
|
||||
postgresql::pg_hba { 'main':
|
||||
notify => Exec['reload_postgresql'],
|
||||
|
@ -110,6 +113,7 @@ class postgresql::config::beforeservice(
|
|||
# a resources hash, and pass the result to create_resources
|
||||
$ipv6acl_resources = postgresql_acls_to_resources_hash($ipv6acls, 'ipv6acls', 102)
|
||||
create_resources('postgresql::pg_hba_rule', $ipv6acl_resources)
|
||||
}
|
||||
|
||||
# We must set a "listen_addresses" line in the postgresql.conf if we
|
||||
# want to allow any connections from remote hosts.
|
||||
|
|
|
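Review bot: When `$manage_pg_hba_conf` is false, the whole `if` block opened in hunk @ -50,6 and closed by the `}` added in hunk @ -110,6 is skipped, so `$ipv4acls` and `$ipv6acls` are silently ignored even when the operator populated them; someone who sets `manage_pg_hba_conf => false` together with restrictive ACL entries gets no indication that those host-based authentication rules were never written, and neither the hunks nor the README text mention it. A short `else` branch would surface the mismatch at catalog compile time, e.g. `} else {` / `if $ipv4acls != [] or $ipv6acls != [] { warning('manage_pg_hba_conf is false: ipv4acls and ipv6acls are not applied') }` / `}` (the exact array-emptiness test depends on the Puppet version the module targets). The contents of the `if` block between the two hunks, and the rest of the class body, lie outside the visible hunks.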
@ -53,6 +53,7 @@ class postgresql::params(
|
|||
$listen_addresses = 'localhost'
|
||||
$ipv4acls = []
|
||||
$ipv6acls = []
|
||||
$manage_pg_hba_conf = true
|
||||
# TODO: figure out a way to make this not platform-specific
|
||||
$manage_redhat_firewall = false
|
||||
|
||||
|
|