1175ea20d6
This commit adds a postgresql::db type for convenience; it mirrors the 'db' type from the mysql module, which allows you to create a database instance and user plus grant privileges to that user all in one succinct resource.

This commit also improves security in the following ways:

* Revoke "CONNECT" privilege from the 'public' role for newly created databases; without this, any database created via this module will allow connections from any database user, and will allow them to do things like create tables.
* Change to a 'reject'-based policy for dealing with remote connections by the postgres user in pg_hba.conf. Prior to this commit, if you tried to restrict access to the postgres user by IP, the rule would simply not match for disallowed IPs; then it would fall through to the rule for "all" users, which could still match and thus allow the postgres user to connect remotely.
22 lines
615 B
Puppet
class { 'postgresql::server':
  config_hash => {
    'ip_mask_deny_postgres_user' => '0.0.0.0/32',
    'ip_mask_allow_all_users'    => '0.0.0.0/0',
    'listen_addresses'           => '*',
    'manage_redhat_firewall'     => true,
    'postgres_password'          => 'postgres',
  },
}

postgresql::database{ ['test1', 'test2', 'test3']:
  # TODO: ensure not yet supported
  #ensure => present,
  charset => 'utf8',
  require => Class['postgresql::server'],
}
postgresql::database{ 'test4':
  # TODO: ensure not yet supported
  #ensure => present,
  charset => 'latin1',
  require => Class['postgresql::server'],
}
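The pg_hba.conf fall-through described in the commit message comes from PostgreSQL using only the first matching record. The following is an added example, not code from this commit or the module: a small Python model of that first-match evaluation, run over two constructed rule sets (the addresses, the `appdb` database name and the function names are assumptions made for illustration).

```python
import ipaddress

# Constructed pg_hba.conf-style records: (type, database, user, address, method).
# They model the behaviour the commit message describes, not the module's templates.
ALLOW_BASED = [
    ("host", "all", "postgres", "10.0.0.0/24", "md5"),   # intended IP restriction
    ("host", "all", "all",      "0.0.0.0/0",   "md5"),   # general remote access
]
REJECT_BASED = [
    ("host", "all", "postgres", "0.0.0.0/0", "reject"),  # explicit deny comes first
    ("host", "all", "all",      "0.0.0.0/0", "md5"),
]


def decide(rules, user, client_ip, database="appdb"):
    """Return the auth method of the first matching record.

    Only the first record whose database, user and address all match is used;
    later records are never consulted. "no-match" models a refused connection
    when no record applies.
    """
    ip = ipaddress.ip_address(client_ip)
    for _type, db, rule_user, cidr, method in rules:
        if db not in ("all", database):
            continue
        if rule_user not in ("all", user):
            continue
        if ip not in ipaddress.ip_network(cidr):
            continue  # a non-matching allow rule denies nothing by itself
        return method
    return "no-match"


def remote_login_possible(rules, user, client_ip):
    """True when the client is offered authentication instead of a rejection."""
    return decide(rules, user, client_ip) not in ("reject", "no-match")


if __name__ == "__main__":
    for name, rules in (("allow-based", ALLOW_BASED), ("reject-based", REJECT_BASED)):
        for ip in ("10.0.0.5", "203.0.113.7"):
            print(f"{name:13} postgres@{ip:12} -> {decide(rules, 'postgres', ip)}")
```

Under the allow-based rules, the postgres user connecting from outside 10.0.0.0/24 skips the first record and is matched by the "all" record; under the reject-based rules the same connection stops at the explicit `reject`.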