Add a postgresql_client role
The role is empty but is used to explicitly define servers that have access rights to all PostgreSQL databases and users
This commit is contained in:
parent
6f696d7634
commit
ee9c241a4d
|
|
@ -1,10 +1,12 @@
|
|||
name "ejabberd"
|
||||
|
||||
default_run_list = %w(
|
||||
role[postgresql_client]
|
||||
kosmos-ejabberd::default
|
||||
)
|
||||
|
||||
production_run_list = %w(
|
||||
role[postgresql_client]
|
||||
kosmos-ejabberd::default
|
||||
kosmos-ejabberd::letsencrypt
|
||||
kosmos-ejabberd::backup
|
||||
|
|
|
|||
|
|
@ -1,6 +1,7 @@
|
|||
name "gitea"
|
||||
|
||||
run_list %w(
|
||||
role[postgresql_client]
|
||||
kosmos_gitea::default
|
||||
kosmos_gitea::backup
|
||||
)
|
||||
|
|
|
|||
|
|
@ -0,0 +1,5 @@
|
|||
# This role is used by the kosmos-postgresql::default recipe to add access
|
||||
# rules to every server that is a PostgreSQL client
|
||||
name "postgresql_client"
|
||||
|
||||
run_list []
|
||||
|
|
@ -48,6 +48,24 @@ systemctl start postgresql@12-main
|
|||
only_if { ::File.exist? "/var/lib/postgresql/10/main" }
|
||||
end
|
||||
|
||||
# Services that connect to PostgreSQL need to have the postgresql_client role
|
||||
# as part of their run list. See the gitea and ejabberd roles.
|
||||
postgresql_clients = search(:node, "roles:postgresql_client AND chef_environment:#{node.chef_environment}") || []
|
||||
|
||||
postgresql_clients.each do |client|
|
||||
ip = ip_for(client)
|
||||
hostname = client[:hostname]
|
||||
|
||||
postgresql_access "#{hostname} all" do
|
||||
access_type "host"
|
||||
access_db "all"
|
||||
access_user "all"
|
||||
access_addr "#{ip}/32"
|
||||
access_method "md5"
|
||||
notifies :reload, "service[#{postgresql_service}]", :immediately
|
||||
end
|
||||
end
|
||||
|
||||
postgresql_replicas.each do |replica|
|
||||
postgresql_access "#{replica[:hostname]} replication" do
|
||||
access_type "host"
|
||||
|
|
@ -58,25 +76,6 @@ postgresql_replicas.each do |replica|
|
|||
notifies :reload, "service[#{postgresql_service}]", :immediately
|
||||
end
|
||||
|
||||
gitea_servers = search(:node, "role:gitea AND chef_environment:#{node.chef_environment}") || []
|
||||
ejabberd_servers = search(:node, "role:ejabberd AND chef_environment:#{node.chef_environment}") || []
|
||||
|
||||
servers = (gitea_servers + ejabberd_servers).uniq
|
||||
|
||||
servers.each do |server|
|
||||
ip = ip_for(server)
|
||||
hostname = server[:hostname]
|
||||
|
||||
postgresql_access "#{hostname} all" do
|
||||
access_type "host"
|
||||
access_db "all"
|
||||
access_user "all"
|
||||
access_addr "#{ip}/32"
|
||||
access_method "md5"
|
||||
notifies :reload, "service[#{postgresql_service}]", :immediately
|
||||
end
|
||||
end
|
||||
|
||||
unless node.chef_environment == "development"
|
||||
include_recipe "firewall"
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue