kosmos/chef
kosmos/chef
8
3
Fork 0
Code Issues 26 Pull Requests 2 Projects 2 Activity

Add a postgresql_client role

Browse Source 
The role is empty but is used to explicitly define servers that have
access rights to all PostgreSQL databases and users
This commit is contained in:
Greg Karékinian 2020-06-12 16:54:58 +02:00
parent 6f696d7634
commit ee9c241a4d
4 changed files with 26 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
roles/ejabberd.rb
View File

@ -1,10 +1,12 @@
name "ejabberd" name "ejabberd"
default_run_list = %w( default_run_list = %w(
role[postgresql_client]
kosmos-ejabberd::default kosmos-ejabberd::default
) )
production_run_list = %w( production_run_list = %w(
role[postgresql_client]
kosmos-ejabberd::default kosmos-ejabberd::default
kosmos-ejabberd::letsencrypt kosmos-ejabberd::letsencrypt
kosmos-ejabberd::backup kosmos-ejabberd::backup

1
roles/gitea.rb
View File

@ -1,6 +1,7 @@
name "gitea" name "gitea"
run_list %w( run_list %w(
role[postgresql_client]
kosmos_gitea::default kosmos_gitea::default
kosmos_gitea::backup kosmos_gitea::backup
) )

5
roles/postgresql_client.rb Normal file
View File

@ -0,0 +1,5 @@
# This role is used by the kosmos-postgresql::default recipe to add access
# rules to every server that is a PostgreSQL client
name "postgresql_client"
run_list []

37
site-cookbooks/kosmos-postgresql/recipes/default.rb
View File

@ -48,6 +48,24 @@ systemctl start postgresql@12-main
only_if { ::File.exist? "/var/lib/postgresql/10/main" } only_if { ::File.exist? "/var/lib/postgresql/10/main" }
end end
# Services that connect to PostgreSQL need to have the postgresql_client role
# as part of their run list. See the gitea and ejabberd roles.
postgresql_clients = search(:node, "roles:postgresql_client AND chef_environment:#{node.chef_environment}") || []
postgresql_clients.each do |client|
ip = ip_for(client)
hostname = client[:hostname]
postgresql_access "#{hostname} all" do
access_type "host"
access_db "all"
access_user "all"
access_addr "#{ip}/32"
access_method "md5"
notifies :reload, "service[#{postgresql_service}]", :immediately
end
end
postgresql_replicas.each do |replica| postgresql_replicas.each do |replica|
postgresql_access "#{replica[:hostname]} replication" do postgresql_access "#{replica[:hostname]} replication" do
access_type "host" access_type "host"
@ -58,25 +76,6 @@ postgresql_replicas.each do |replica|
notifies :reload, "service[#{postgresql_service}]", :immediately notifies :reload, "service[#{postgresql_service}]", :immediately
end end
gitea_servers = search(:node, "role:gitea AND chef_environment:#{node.chef_environment}") || []
ejabberd_servers = search(:node, "role:ejabberd AND chef_environment:#{node.chef_environment}") || []
servers = (gitea_servers + ejabberd_servers).uniq
servers.each do |server|
ip = ip_for(server)
hostname = server[:hostname]
postgresql_access "#{hostname} all" do
access_type "host"
access_db "all"
access_user "all"
access_addr "#{ip}/32"
access_method "md5"
notifies :reload, "service[#{postgresql_service}]", :immediately
end
end
unless node.chef_environment == "development" unless node.chef_environment == "development"
include_recipe "firewall" include_recipe "firewall"