diff --git a/global/overlay/etc/puppet/modules/cdn/files/db/init-cdn-db.sh b/global/overlay/etc/puppet/modules/cdn/files/db/init-cdn-db.sh
new file mode 100644
index 0000000..e168680
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/cdn/files/db/init-cdn-db.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+set -e
+
+. /conf/init-cdn-db.conf
+
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
+ CREATE USER cdn WITH PASSWORD \'"$cdn_password"\';
+ CREATE DATABASE cdn;
+ GRANT ALL PRIVILEGES ON DATABASE cdn TO cdn;
+EOSQL
diff --git a/global/overlay/etc/puppet/modules/cdn/manifests/db.pp b/global/overlay/etc/puppet/modules/cdn/manifests/db.pp
index 9c07454..d566755 100644
--- a/global/overlay/etc/puppet/modules/cdn/manifests/db.pp
+++ b/global/overlay/etc/puppet/modules/cdn/manifests/db.pp
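Review bot: The `\'"$cdn_password"\'` quoting on the CREATE USER line does not yield a SQL string literal: in an unquoted heredoc bash only treats a backslash as an escape before `$`, a backtick, `\` or a newline, so the literal `\'` reaches psql and the statement is malformed, and even with a plain `'...'` a password containing a single quote would break or alter the statement. Pass the secret through a psql variable and let psql do the quoting: `psql -v ON_ERROR_STOP=1 -v cdn_password="$cdn_password" --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL` with `CREATE USER cdn WITH PASSWORD :'cdn_password';`. `set -e` alone also lets an unset `$cdn_password` (for example when the sourced conf file is empty or missing the variable) create the role with an empty password; `set -eu` turns that into a hard failure instead.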
@@ -6,31 +6,71 @@ class cdn::db( $db_secrets = lookup({ 'name' => 'cdn::db-secrets', 'default_value' => undef }) - file { '/opt/sunet-cdn': - ensure => directory, - owner => 'root', - group => 'root', - mode => '0755', - } + if $db_secrets { + file { '/opt/sunet-cdn': + ensure => directory, + owner => 'root', + group => 'root', + mode => '0755', + } - file { '/opt/sunet-cdn/compose': - ensure => directory, - owner => 'root', - group => 'root', - mode => '0750', - } + file { '/opt/sunet-cdn/compose': + ensure => directory, + owner => 'root', + group => 'root', + mode => '0750', + } - sunet::nftables::docker_expose { 'expose postgres-db' : - allow_clients => '127.0.0.1', - port => 5432, - iif => $facts['networking']['primary'], - } + file { '/opt/sunet-cdn/db': + ensure => directory, + owner => 'root', + group => 'root', + mode => '0750', + } - sunet::docker_compose { 'sunet-cdn-db': - content => template('cdn/db/docker-compose.yml.erb'), - service_name => 'cdn-db', - compose_dir => '/opt/sunet-cdn/compose', - compose_filename => 'docker-compose.yml', - description => 'SUNET CDN DB', + # User/group 999 matches postgres user in container + file { '/opt/sunet-cdn/db/conf': + ensure => directory, + owner => '999', + group => '999', + mode => '0750', + } + + file { '/opt/sunet-cdn/db/docker-entrypoint-initdb.d': + ensure => directory, + owner => '999', + group => '999', + mode => '0750', + } + + file { '/opt/sunet-cdn/db/conf/init-cdn-db.conf': + ensure => directory, + owner => '999', + group => '999', + mode => '0640', + content => template('cdn/db/init-cdn-db.conf.erb'), + } + + file { '/opt/sunet-cdn/db/docker-entrypoint-initdb.d/init-cdn-db.sh': + ensure => directory, + owner => '999', + group => '999', + mode => '0750', + content => file('cdn/db/init-cdn-db.sh'), + } + + sunet::nftables::docker_expose { 'postgres-db' : + allow_clients => '127.0.0.1', + port => 5432, + iif => $facts['networking']['primary'], + } + + sunet::docker_compose { 'sunet-cdn-db': + content 
=> template('cdn/db/docker-compose.yml.erb'), + service_name => 'cdn-db', + compose_dir => '/opt/sunet-cdn/compose', + compose_filename => 'docker-compose.yml', + description => 'SUNET CDN DB', + } } } diff --git a/global/overlay/etc/puppet/modules/cdn/templates/db/docker-compose.yml.erb b/global/overlay/etc/puppet/modules/cdn/templates/db/docker-compose.yml.erb index 47d5bc0..eb9d9f5 100644 --- a/global/overlay/etc/puppet/modules/cdn/templates/db/docker-compose.yml.erb +++ b/global/overlay/etc/puppet/modules/cdn/templates/db/docker-compose.yml.erb @@ -5,5 +5,7 @@ services: - POSTGRES_PASSWORD=<%= @db_secrets['postgres_password'] %> volumes: - postgres_data:/var/lib/postgresql/data + - /opt/sunet-cdn/db/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.dh + - /opt/sunet-cdn/db/conf:/conf volumes: postgres_data: diff --git a/global/overlay/etc/puppet/modules/cdn/templates/db/init-cdn-db.conf.erb b/global/overlay/etc/puppet/modules/cdn/templates/db/init-cdn-db.conf.erb new file mode 100644 index 0000000..d05486b --- /dev/null +++ b/global/overlay/etc/puppet/modules/cdn/templates/db/init-cdn-db.conf.erb @@ -0,0 +1,2 @@ +# File sourced by init-cdn-db.sh +cdn_password="<%= @db_secrets['cdn_password'] %>"
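Review bot: `ensure => directory` combined with `content` on the two new resources `/opt/sunet-cdn/db/conf/init-cdn-db.conf` and `/opt/sunet-cdn/db/docker-entrypoint-initdb.d/init-cdn-db.sh` looks wrong: both are regular files (a sourced config and an init script), and a directory resource cannot carry content, so as far as I can tell Puppet will either fail the run or leave empty directories where the files should be. Both resources should read `ensure => file,`. The enclosing `class cdn::db` starts before this hunk, so I cannot see how `$db_secrets` is typed; the new `if $db_secrets` guard silently manages nothing when the lookup returns undef, which may be intended but deserves a one-line comment such as `# Without secrets the DB stack is left unmanaged on purpose`.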
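Review bot: The new bind-mount target `/docker-entrypoint-initdb.dh` has a stray `h`; the stock postgres image runs initialisation scripts only from `/docker-entrypoint-initdb.d`, so with this path init-cdn-db.sh is never executed and the `cdn` role and database are never created. Change the line to `- /opt/sunet-cdn/db/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d`. The collapsed context here hides the indentation, but the mount belongs in the same service-level `volumes:` list as `postgres_data`. It is also worth a comment in the template that, as with the stock image, these scripts run only when the data volume is empty, e.g. `# init scripts run once, on first start with an empty data volume`.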
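Review bot: `cdn_password="<%= @db_secrets['cdn_password'] %>"` writes the secret into a double-quoted shell string with no escaping, so a password containing `"`, `$`, a backtick or `\` is re-interpreted by bash when init-cdn-db.sh sources the file, and the role ends up with a different password from the one in the secrets (or the source fails outright). Single quotes leave only `'` special: `cdn_password='<%= @db_secrets['cdn_password'] %>'`, with that remaining case either escaped in the template or documented as not allowed in the secret. The header comment would also be clearer as `# Sourced by init-cdn-db.sh (bash); holds the cdn DB role password in clear text`.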