first commit of acls

2012-10-21 22:27:35 -07:00 · 2012-10-21 22:27:35 -07:00 · 399709a483
commit 399709a483
parent 847a5919dd
5 changed files with 17 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -30,6 +30,7 @@ class { 'postgresql::server':
        'ip_mask_deny_postgres_user' => '0.0.0.0/32',
        'ip_mask_allow_all_users'    => '0.0.0.0/0',
        'listen_addresses'           => '*',
+        'ipv4acls'                   => [ 'hostssl all johndoe 192.168.0.0/24 cert', ]
        'manage_redhat_firewall'     => true,
        'postgres_password'          => 'TPSrep0rt!',
    },
--- a/manifests/config.pp
+++ b/manifests/config.pp
@ -33,6 +33,8 @@ class postgresql::config(
  $ip_mask_deny_postgres_user   = $postgresql::params::ip_mask_deny_postgres_user,
  $ip_mask_allow_all_users      = $postgresql::params::ip_mask_allow_all_users,
  $listen_addresses             = $postgresql::params::listen_addresses,
+  $ipv4acls                     = $postgresql::params::ipv4acls,
+  $ipv6acls                     = $postgresql::params::ipv6acls,
  $pg_hba_conf_path             = $postgresql::params::pg_hba_conf_path,
  $postgresql_conf_path         = $postgresql::params::postgresql_conf_path,
  $manage_redhat_firewall       = $postgresql::params::manage_redhat_firewall
@ -46,6 +48,8 @@ class postgresql::config(
      ip_mask_deny_postgres_user    => $ip_mask_deny_postgres_user,
      ip_mask_allow_all_users       => $ip_mask_allow_all_users,
      listen_addresses              => $listen_addresses,
+      ipv4acls                      => $ipv4acls,
+      ipv6acls                      => $ipv6acls,
      pg_hba_conf_path              => $pg_hba_conf_path,
      postgresql_conf_path          => $postgresql_conf_path,
      manage_redhat_firewall        => $manage_redhat_firewall,
--- a/manifests/config/beforeservice.pp
+++ b/manifests/config/beforeservice.pp
@ -33,6 +33,8 @@ class postgresql::config::beforeservice(
  $ip_mask_deny_postgres_user   = $postgresql::params::ip_mask_deny_postgres_user,
  $ip_mask_allow_all_users      = $postgresql::params::ip_mask_allow_all_users,
  $listen_addresses             = $postgresql::params::listen_addresses,
+  $ipv4acls                     = $postgresql::params::ipv4acls,
+  $ipv6acls                     = $postgresql::params::ipv6acls,
  $pg_hba_conf_path             = $postgresql::params::pg_hba_conf_path,
  $postgresql_conf_path         = $postgresql::params::postgresql_conf_path,
  $manage_redhat_firewall       = $postgresql::params::manage_redhat_firewall
--- a/manifests/params.pp
+++ b/manifests/params.pp
@ -16,6 +16,8 @@ class postgresql::params {
  $ip_mask_deny_postgres_user   = '0.0.0.0/0'
  $ip_mask_allow_all_users      = '127.0.0.1/32'
  $listen_addresses             = 'localhost'
+  $ipv4acls                     = []
+  $ipv6acls                     = []
  # TODO: figure out a way to make this not platform-specific
  $manage_redhat_firewall       = false

--- a/templates/pg_hba.conf.erb
+++ b/templates/pg_hba.conf.erb
@ -83,6 +83,14 @@ local   all         all                               ident <%= "sameuser" if @p
 # IPv4 local connections:
 host    all         postgres    <%= @ip_mask_deny_postgres_user + "\t" %>      reject
 host    all         all         <%= @ip_mask_allow_all_users + "\t" %>      md5
+
+<% @ipv4acls.each do |acl| -%>
+	<%= acl %>
+<% end -%>
 # IPv6 local connections:
 host    all         all         ::1/128               md5

+<% @ipv6acls.each do |acl| -%>
+	<%= acl %>
+<% end -%>
+