90 lines
3.6 KiB
Ruby
90 lines
3.6 KiB
Ruby
#
|
|
# Cookbook Name:: postgresql
|
|
# Recipe:: server
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
#
|
|
|
|
::Chef::Recipe.send(:include, Opscode::OpenSSL::Password)
|
|
|
|
include_recipe "postgresql::client"
|
|
|
|
# randomly generate postgres password, unless using solo - see README
|
|
if Chef::Config[:solo]
|
|
missing_attrs = %w{
|
|
postgres
|
|
}.select do |attr|
|
|
node['postgresql']['password'][attr].nil?
|
|
end.map { |attr| "node['postgresql']['password']['#{attr}']" }
|
|
|
|
if !missing_attrs.empty?
|
|
Chef::Log.fatal([
|
|
"You must set #{missing_attrs.join(', ')} in chef-solo mode.",
|
|
"For more information, see https://github.com/opscode-cookbooks/postgresql#chef-solo-note"
|
|
].join(' '))
|
|
raise
|
|
end
|
|
else
|
|
# TODO: The "secure_password" is randomly generated plain text, so it
|
|
# should be converted to a PostgreSQL specific "encrypted password" if
|
|
# it should actually install a password (as opposed to disable password
|
|
# login for user 'postgres'). However, a random password wouldn't be
|
|
# useful if it weren't saved as clear text in Chef Server for later
|
|
# retrieval.
|
|
unless node.key?('postgresql') && node['postgresql'].key?('password') && node['postgresql']['password'].key?('postgres')
|
|
node.set_unless['postgresql']['password']['postgres'] = secure_password
|
|
node.save
|
|
end
|
|
end
|
|
|
|
# Include the right "family" recipe for installing the server
|
|
# since they do things slightly differently.
|
|
case node['platform_family']
|
|
when "rhel", "fedora", "suse"
|
|
include_recipe "postgresql::server_redhat"
|
|
when "debian"
|
|
include_recipe "postgresql::server_debian"
|
|
end
|
|
|
|
# Versions prior to 9.2 do not have a config file option to set the SSL
|
|
# key and cert path, and instead expect them to be in a specific location.
|
|
if node['postgresql']['version'].to_f < 9.2 && node['postgresql']['config'].attribute?('ssl_cert_file')
|
|
link ::File.join(node['postgresql']['config']['data_directory'], 'server.crt') do
|
|
to node['postgresql']['config']['ssl_cert_file']
|
|
end
|
|
end
|
|
|
|
if node['postgresql']['version'].to_f < 9.2 && node['postgresql']['config'].attribute?('ssl_key_file')
|
|
link ::File.join(node['postgresql']['config']['data_directory'], 'server.key') do
|
|
to node['postgresql']['config']['ssl_key_file']
|
|
end
|
|
end
|
|
|
|
# NOTE: Consider two facts before modifying "assign-postgres-password":
|
|
# (1) Passing the "ALTER ROLE ..." through the psql command only works
|
|
# if passwordless authorization was configured for local connections.
|
|
# For example, if pg_hba.conf has a "local all postgres ident" rule.
|
|
# (2) It is probably fruitless to optimize this with a not_if to avoid
|
|
# setting the same password. This chef recipe doesn't have access to
|
|
# the plain text password, and testing the encrypted (md5 digest)
|
|
# version is not straight-forward.
|
|
bash "assign-postgres-password" do
|
|
user 'postgres'
|
|
code <<-EOH
|
|
echo "ALTER ROLE postgres ENCRYPTED PASSWORD '#{node['postgresql']['password']['postgres']}';" | psql -p #{node['postgresql']['config']['port']}
|
|
EOH
|
|
action :run
|
|
not_if "ls #{node['postgresql']['config']['data_directory']}/recovery.conf"
|
|
only_if { node['postgresql']['assign_postgres_password'] }
|
|
end
|