# kosmos-postgresql

## Custom resources

### `postgresql_custom_server`

Usage:

When the `tls` attribute is set to `true`, a TLS certificate for the node's FQDN (`node['fqdn']`, for example `andromeda.kosmos.org`) is obtained from Let's Encrypt, copied to the PostgreSQL data directory and referenced from `postgresql.conf`.

#### On the primary:

```ruby
postgresql_custom_server "12" do
  role "primary"
  tls true
end
```

#### On a replica:

```ruby
postgresql_custom_server "12" do
  role "replica"
  tls true
end
```

After the initial Chef run on the replica, run Chef on the primary to add the firewall rules and the PostgreSQL access rules for that replica, then run Chef again on the replica to set up replication.

#### Caveat

[`firewall_rules`](https://github.com/chef-cookbooks/firewall/issues/134) and [`postgresql_access`](https://github.com/sous-chefs/postgresql/issues/648) are declared in recipes rather than inside the custom resource, because of the way custom resources currently work in Chef. See the `default.rb` and `replica.rb` recipes.

The primary grants the `replication` user access to the `replication` database when connecting from a replica, and each replica grants the same to the primary. For more information about PostgreSQL client authentication, see the [official docs](https://www.postgresql.org/docs/12/auth-pg-hba-conf.html).

The primary opens the PostgreSQL port (5432 TCP) to the replicas, and the replicas open it to the primary.
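To make the access and firewall rules described above concrete, here is an added plain-Ruby example (not code from this cookbook, and not a Chef recipe): it builds the `pg_hba.conf` and firewall lines one side of a primary/replica pair would need for its peer, and audits an existing `pg_hba.conf` for replication entries that are too permissive. The `scram-sha-256` method, the single-host (`/32`, `/128`) masks, the iptables rule syntax and the function names are assumptions made for the example; the cookbook's recipes set these via `postgresql_access` and `firewall_rule` and may choose differently.

```ruby
require 'ipaddr'

# Assumed for this example (not from the kosmos-postgresql cookbook):
# scram-sha-256 auth, single-host masks, iptables syntax.
PG_PORT = 5432

def host_mask(net)
  net.ipv4? ? 32 : 128
end

# pg_hba.conf entry: TYPE DATABASE USER ADDRESS METHOD
# With TLS enabled, 'hostssl' refuses plaintext replication connections.
def replication_hba_line(peer_ip, tls:)
  net = IPAddr.new(peer_ip)            # raises on anything that is not an IP
  type = tls ? 'hostssl' : 'host'
  "#{type} replication replication #{net}/#{host_mask(net)} scram-sha-256"
end

def replication_firewall_rule(peer_ip)
  net = IPAddr.new(peer_ip)
  "-A INPUT -p tcp -s #{net}/#{host_mask(net)} --dport #{PG_PORT} -j ACCEPT"
end

# On the primary the peer is a replica, on a replica the peer is the primary;
# the rules are symmetric, so one helper serves both roles.
def replication_rules(role:, peer_ip:, tls:)
  raise ArgumentError, 'role must be primary or replica' unless %w[primary replica].include?(role)
  { hba: replication_hba_line(peer_ip, tls: tls), firewall: replication_firewall_rule(peer_ip) }
end

# Audit an existing pg_hba.conf: flag replication entries that skip auth,
# allow plaintext when TLS is required, or match more than one host.
def audit_replication_hba(hba_text, tls_required:)
  findings = []
  hba_text.each_line.with_index(1) do |line, n|
    fields = line.sub(/#.*/, '').split
    next if fields.empty? || fields[0] == 'local' # Unix-socket entries, not network
    type, db, _user, addr, method = fields
    next unless %w[replication all].include?(db)
    if fields.size < 5
      findings << "line #{n}: malformed host entry"
      next
    end
    findings << "line #{n}: '#{type}' allows non-TLS replication" if tls_required && type != 'hostssl'
    findings << "line #{n}: method 'trust' skips authentication" if method == 'trust'
    begin
      net = IPAddr.new(addr)
      findings << "line #{n}: #{addr} is broader than a single host" if net.prefix < host_mask(net)
    rescue IPAddr::InvalidAddressError
      # 'all', 'samenet', hostnames: not the explicit peer address the recipes use
      findings << "line #{n}: address '#{addr}' is not a literal IP/CIDR"
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  rules = replication_rules(role: 'primary', peer_ip: '10.1.2.3', tls: true)
  puts rules[:hba]
  puts rules[:firewall]
  # Constructed sample pg_hba.conf with one deliberately bad entry
  sample = "local all postgres peer\n" \
           "hostssl replication replication 10.1.2.3/32 scram-sha-256\n" \
           "host replication replication 0.0.0.0/0 trust\n"
  puts audit_replication_hba(sample, tls_required: true)
end
```

Run the audit against `/var/lib/postgresql/<version>/main/pg_hba.conf` after a Chef run on each node; an empty result means every network replication entry is TLS-only, authenticated and pinned to a single peer.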