From 19e062e3ce66e68695583f6e351484ec04c420df Mon Sep 17 00:00:00 2001
From: Gabriel Detraz
Date: Sun, 15 Nov 2015 02:50:44 +0100
Subject: [PATCH] =?UTF-8?q?Passage=20=C3=A0=20postgresql=209.4=20et=20moni?= =?UTF-8?q?tor=20de=20postgres=20sur=20odlyd=20et=20soyouz?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 Metadata/groups.xml | 13 +-
 Python/etc/monit/services | 2 +-
 Python/etc/postgresql/9.1/main/pg_hba.conf | 185 -------------------
 Python/etc/postgresql/9.1/main/pg_ident.conf | 132 -------------
 4 files changed, 6 insertions(+), 326 deletions(-)
 delete mode 100644 Python/etc/postgresql/9.1/main/pg_hba.conf
 delete mode 100644 Python/etc/postgresql/9.1/main/pg_ident.conf
diff --git a/Metadata/groups.xml b/Metadata/groups.xml
index 03d3e9b..ac1d93b 100644
--- a/Metadata/groups.xml
+++ b/Metadata/groups.xml
@@ -23,6 +23,7 @@ +
@@ -221,7 +222,6 @@ -
@@ -260,8 +260,7 @@ - - +
@@ -1381,15 +1380,13 @@ - - - - - + + +
diff --git a/Python/etc/monit/services b/Python/etc/monit/services
index f7ed620..3372bac 100644
--- a/Python/etc/monit/services
+++ b/Python/etc/monit/services
@@ -250,7 +250,7 @@ service("openvpn-freebox", init="openvpn", extra=["depends on openvpn-odlyd"])
-pg_version = '9.1'
+pg_version = '9.4'
 service("pgsql-server", name="postgresql", init="postgresql",
diff --git a/Python/etc/postgresql/9.1/main/pg_hba.conf b/Python/etc/postgresql/9.1/main/pg_hba.conf
deleted file mode 100644
index 0c6bced..0000000
--- a/Python/etc/postgresql/9.1/main/pg_hba.conf
+++ /dev/null
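Review bot: Bumping `pg_version` to `'9.4'` for the `service("pgsql-server", ...)` call (which continues past the end of the hunk) is not matched by any 9.4 client-authentication config in this commit: the diffstat shows only four files, with the 9.1 `pg_hba.conf` and `pg_ident.conf` generators deleted and no 9.4 counterparts added. Unless those generators live elsewhere, the 9.4 cluster would run on whatever `pg_hba.conf` the package installs instead of the per-host `ident`/`md5` rules the deleted generator produced, which is a silent widening of database access. Either add the 9.4 generators (expected under the same layout as the deleted 9.1 files) in this commit, or state in the commit message where the 9.4 `pg_hba.conf`/`pg_ident.conf` are produced so the review can follow them.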
@@ -1,185 +0,0 @@
-info["owner"] = "postgres"
-info["group"] = "postgres"
-info["mode"] = 0640
-
-include("ldap_conn")
-
-conn = ldap_conn
-
-comment_start = "#"
-header("Gestion du mapping avec les base de données")
-
-# Ip des serveurs
-def ipv4(serveur):
- return str(conn.search(u'host=%s.adm.crans.org' % serveur)[0]['ipHostNumber'][0])
-def ipv6(serveur):
- return str(conn.search(u'host=%s.adm.crans.org' % serveur)[0]['ip6HostNumber'][0])
-
-serveurs = ['o2','zamok','asterisk','kenobi','owl','roundcube','horde','mediadrop','titanic','soyouz','redisdead','owncloud']
-
-ip_serveurs = dict()
-for serv in serveurs:
- ip_serveurs['ipv4'+serv] = ipv4(serv)
- ip_serveurs['ipv6'+serv] = ipv6(serv)
-
-out("""# PostgreSQL Client Authentication Configuration File
-# ===================================================
-#
-# Refer to the "Client Authentication" section in the PostgreSQL
-# documentation for a complete description of this file. A short
-# synopsis follows.
-#
-# This file controls: which hosts are allowed to connect, how clients
-# are authenticated, which PostgreSQL user names they can use, which
-# databases they can access. Records take one of these forms:
-#
-# local DATABASE USER METHOD [OPTIONS]
-# host DATABASE USER ADDRESS METHOD [OPTIONS]
-# hostssl DATABASE USER ADDRESS METHOD [OPTIONS]
-# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS]
-#
-# (The uppercase items must be replaced by actual values.)
-#
-# The first field is the connection type: "local" is a Unix-domain
-# socket, "host" is either a plain or SSL-encrypted TCP/IP socket,
-# "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a
-# plain TCP/IP socket.
-#
-# DATABASE can be "all", "sameuser", "samerole", "replication", a
-# database name, or a comma-separated list thereof. The "all"
-# keyword does not match "replication". Access to replication
-# must be enabled in a separate record (see example below).
-#
-# USER can be "all", a user name, a group name prefixed with "+", or a
-# comma-separated list thereof. In both the DATABASE and USER fields
-# you can also write a file name prefixed with "@" to include names
-# from a separate file.
-#
-# ADDRESS specifies the set of hosts the record matches. It can be a
-# host name, or it is made up of an IP address and a CIDR mask that is
-# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that
-# specifies the number of significant bits in the mask. A host name
-# that starts with a dot (.) matches a suffix of the actual host name.
-# Alternatively, you can write an IP address and netmask in separate
-# columns to specify the set of hosts. Instead of a CIDR-address, you
-# can write "samehost" to match any of the server's own IP addresses,
-# or "samenet" to match any address in any subnet that the server is
-# directly connected to.
-#
-# METHOD can be "trust", "reject", "md5", "password", "gss", "sspi",
-# "krb5", "ident", "peer", "pam", "ldap", "radius" or "cert". Note that
-# "password" sends passwords in clear text; "md5" is preferred since
-# it sends encrypted passwords.
-#
-# OPTIONS are a set of options for the authentication in the format
-# NAME=VALUE. The available options depend on the different
-# authentication methods -- refer to the "Client Authentication"
-# section in the documentation for a list of which options are
-# available for which authentication methods.
-#
-# Database and user names containing spaces, commas, quotes and other
-# special characters must be quoted. Quoting one of the keywords
-# "all", "sameuser", "samerole" or "replication" makes the name lose
-# its special character, and just match a database or username with
-# that name.
-#
-# This file is read on server startup and when the postmaster receives
-# a SIGHUP signal. If you edit the file on a running system, you have
-# to SIGHUP the postmaster for the changes to take effect. You can
-# use "pg_ctl reload" to do that.
-
-#Attention; do not REMOVE this line
-# Database administrative login by Unix domain socket
-local all postgres peer
-""")
-
-if has("pgsql-server-test"):
- out("""host all all 127.0.0.1/32 trust
-host django all 127.0.0.1/32 ident map=intranet""")
-
-else:
- out("""# TYPE DATABASE USER ADDRESS METHOD
-host Syslog rsyslog 127.0.0.1/32 md5
-
-#Intranet : venant d'o2, on autorise l'ecriture""")
-
- out("""host django crans """ + ip_serveurs['ipv4o2'] + """/32 ident map=django""")
- out("""host django crans """ + ip_serveurs['ipv6o2'] + """/128 ident map=django""")
-
- out("""
-# Asterisk a besoin d'écrire depuis asterisk et depuis zamok""")
-
- out("""host django crans """ + ip_serveurs['ipv4asterisk'] + """/32 ident map=django""")
- out("""host django crans """ + ip_serveurs['ipv4zamok'] + """/32 ident map=django""")
-
- out("""
-# Tout le reste sur adm est django_ro et crans_ro, pas besoin d'écrire""")
-
- out("""host django crans_ro 10.231.136.0/24 ident map=django_ro""")
- out("""host django crans_ro 2a01:240:fe3d:c804::/64 ident map=django_ro""")
-
- out("""
-# kenobi""")
- out("""host etherpad crans """ + ip_serveurs['ipv4kenobi'] + """/32 ident map=etherpad""")
-
- out("""
-# On autorise tout pour owl TODO : à proprifier""")
- out("""host roundcube roundcube """ + ip_serveurs['ipv4owl'] + """/32 ident map=webmail""")
- out("""host roundcube roundcube """ + ip_serveurs['ipv6owl'] + """/128 ident map=webmail""")
- out("""host all all """ + ip_serveurs['ipv4owl'] + """/32 ident""")
- out("""host all all """ + ip_serveurs['ipv6owl'] + """/128 ident""")
-
- out("""
-# Roundcube a accès à sa base""")
- out("""host roundcube roundcube """ + ip_serveurs['ipv4roundcube'] + """/32 ident map=webmail""")
- out("""host roundcube roundcube """ + ip_serveurs['ipv6roundcube'] + """/128 ident map=webmail""")
-
- out("""
-# sql grey pour zamok""")
- out("""host sqlgrey sqlgrey """ + ip_serveurs['ipv4zamok'] + """/32 ident""")
- out("""host sqlgrey sqlgrey """ + ip_serveurs['ipv6zamok'] + """/128 ident""")
-
- out("""
-#Base de horde pour root et www-data""")
- out("""host horde5 www-data """ + ip_serveurs['ipv4horde'] + """/32 ident map=horde""")
- out("""host horde5 www-data """ + ip_serveurs['ipv6horde'] + """/128 ident map=horde""")
- out("""host horde5 root """ + ip_serveurs['ipv4horde'] + """/32 ident map=horde""")
- out("""host horde5 root """ + ip_serveurs['ipv6horde'] + """/128 ident map=horde""")
-
-
- out("""
-#mediadrop""")
- out("""host mediadrop mediadrop """ + ip_serveurs['ipv4mediadrop'] + """/32 ident map=mediadrop""")
- out("""host mediadrop mediadrop """ + ip_serveurs['ipv6mediadrop'] + """/128 ident map=mediadrop""")
-
- out("""
-# SQLgrey depuis titanic""")
- out("""host sqlgrey sqlgrey """ + ip_serveurs['ipv4titanic'] + """/32 ident""")
- out("""host sqlgrey sqlgrey """ + ip_serveurs['ipv6titanic'] + """/128 ident""")
-
- out("""
-# SQLgrey depuis soyouz""")
- out("""host sqlgrey sqlgrey """ + ip_serveurs['ipv4soyouz'] + """/32 ident""")
-
- out("""
-# SQLgrey depuis redisdead""")
- out("""host sqlgrey sqlgrey """ + ip_serveurs['ipv4redisdead'] + """/32 ident""")
- out("""host sqlgrey sqlgrey """ + ip_serveurs['ipv6redisdead'] + """/128 ident""")
-
- out("""
-# SQLgrey local""")
- out("""local sqlgrey sqlgrey ident map=sqlgrey""")
-
- out("""
-# Base de correspondance mac_prises pour surveillance""")
- out("""host mac_prises crans 10.231.136.0/24 ident map=mac_prises""")
- out("""host mac_prises crans 2a01:240:fe3d:c804::/64 ident map=mac_prises""")
- out("""local mac_prises crans ident map=mac_prises""")
-
- out("""
-#Base pour owncloud""")
- out("""host owncloud owncloud """ + ip_serveurs['ipv4owncloud'] + """/24 md5""")
- out("""host owncloud owncloud """ + ip_serveurs['ipv6owncloud'] + """/128 md5""")
-
-
-
diff --git a/Python/etc/postgresql/9.1/main/pg_ident.conf b/Python/etc/postgresql/9.1/main/pg_ident.conf
deleted file mode 100644
index 9969293..0000000
--- a/Python/etc/postgresql/9.1/main/pg_ident.conf
+++ /dev/null
@@ -1,132 +0,0 @@
-info["owner"] = "postgres"
-info["group"] = "postgres"
-info["mode"] = 0640
-
-
-include("ldap_conn")
-
-conn = ldap_conn
-
-comment_start = "#"
-header("Gestion des acces ident pour les utilisateurs")
-
-# Liste des nounous/apprentis
-adm_objects = conn.search(u'droits=nounou')
-nounous = [adm['uid'][0] for adm in adm_objects]
-apprentis_objects = conn.search(u'droits=apprenti')
-apprentis = [appr['uid'][0] for appr in apprentis_objects]
-
-out("""#PostgreSQL User Name Maps
-# =========================
-#
-# Refer to the PostgreSQL documentation, chapter "Client
-# Authentication" for a complete description. A short synopsis
-# follows.
-#
-# This file controls PostgreSQL user name mapping. It maps external
-# user names to their corresponding PostgreSQL user names. Records
-# are of the form:
-#
-# MAPNAME SYSTEM-USERNAME PG-USERNAME
-#
-# (The uppercase quantities must be replaced by actual values.)
-#
-# MAPNAME is the (otherwise freely chosen) map name that was used in
-# pg_hba.conf. SYSTEM-USERNAME is the detected user name of the
-# client. PG-USERNAME is the requested PostgreSQL user name. The
-# existence of a record specifies that SYSTEM-USERNAME may connect as
-# PG-USERNAME.
-#
-# If SYSTEM-USERNAME starts with a slash (/), it will be treated as a
-# regular expression. Optionally this can contain a capture (a
-# parenthesized subexpression). The substring matching the capture
-# will be substituted for 1 (backslash-one) if present in
-# PG-USERNAME.
-#
-# Multiple maps may be specified in this file and used by pg_hba.conf.
-#
-# No map names are defined in the default configuration. If all
-# system user names and PostgreSQL user names are the same, you don't
-# need anything in this file.
-#
-# This file is read on server startup and when the postmaster receives
-# a SIGHUP signal. If you edit the file on a running system, you have
-# to SIGHUP the postmaster for the changes to take effect. You can
-# use "pg_ctl reload" to do that.
-
-# Put your actual configuration here""")
-
-if has("pgsql-server-test"):
- out("""# MAPNAME SYSTEM-USERNAME PG-USERNAME
-intranet www-data crans_ro
-intranet www-data crans""")
- for nounou in nounous:
- out("""intranet """ + str(nounou) + """ crans""")
- for apprenti in apprentis:
- out("""intranet """ + str(apprenti) + """ crans""")
-
-else:
-
- #Syslog
- out("""# MAPNAME SYSTEM-USERNAME PG-USERNAME
-syslog postgres rsyslog
-syslog root rsyslog""")
-
- #Ensuite les nounous
-
- for nounou in nounous:
- out("""syslog """ + str(nounou) + """ crans""")
-
- #Db django rw
- out("""
-django www-data crans
-django asterisk crans
-django respbats crans
-django root crans""")
-
- # Etherpad
- out("""
-etherpad etherpad crans""")
-
-
- # mac_prises
- out("""
-mac_prises root crans""")
- for nounou in nounous:
- out("""mac_prises """ + str(nounou) + """ crans""")
-
-
- #Filtrage
- out("""filtrage root crans""")
-
- #Sqlgrey
- out("""sqlgrey postgres sqlgrey""")
-
- # cluebringer
- out("""cluebringer www-data cluebringer
-cluebringer cluebringer cluebringer""")
-
- #Webmail
- out("""webmail www-data roundcube""")
-
- #horde
- out("""horde www-data www-data""")
-
- #Mediadrop
-
- out("""mediadrop root mediadrop
-mediadrop www-data mediadrop""")
-
- #Db django ro
- out("""
-django_ro respbats crans_ro
-django_ro freerad crans_ro
-django_ro arpwatch crans_ro
-django_ro munin crans_ro
-django_ro asterisk crans_ro
-django_ro www-data crans_ro
-django_ro root crans_ro""")
-
- for nounou in nounous:
- out("""django_ro """ + str(nounou) + """ crans_ro""")
-