freighthop 0.0.6 → 0.1.0

data/modules/postgresql/manifests/server/database.pp

@@ -0,0 +1,75 @@
+# Define for creating a database. See README.md for more details.
+define postgresql::server::database(
+  $dbname     = $title,
+  $owner      = $postgresql::server::user,
+  $tablespace = undef,
+  $encoding   = $postgresql::server::encoding,
+  $locale     = $postgresql::server::locale,
+  $istemplate = false
+) {
+  $createdb_path = $postgresql::server::createdb_path
+  $user          = $postgresql::server::user
+  $group         = $postgresql::server::group
+  $psql_path     = $postgresql::server::psql_path
+  $version       = $postgresql::server::version
+
+  # Set the defaults for the postgresql_psql resource
+  Postgresql_psql {
+    psql_user  => $user,
+    psql_group => $group,
+    psql_path  => $psql_path,
+  }
+
+  # Optionally set the locale switch. Older versions of createdb may not accept
+  # --locale, so if the parameter is undefined its safer not to pass it.
+  if ($version != '8.1') {
+    $locale_option = $locale ? {
+      undef   => '',
+      default => "--locale=${locale} ",
+    }
+    $public_revoke_privilege = 'CONNECT'
+  } else {
+    $locale_option = ''
+    $public_revoke_privilege = 'ALL'
+  }
+
+  $encoding_option = $encoding ? {
+    undef   => '',
+    default => "--encoding '${encoding}' ",
+  }
+
+  $tablespace_option = $tablespace ? {
+    undef   => '',
+    default => "--tablespace='${tablespace}' ",
+  }
+
+  $createdb_command = "${createdb_path} --owner='${owner}' --template=template0 ${encoding_option}${locale_option}${tablespace_option} '${dbname}'"
+
+  postgresql_psql { "Check for existence of db '${dbname}'":
+    command => 'SELECT 1',
+    unless  => "SELECT datname FROM pg_database WHERE datname='${dbname}'",
+    require => Class['postgresql::server::service']
+  }~>
+  exec { $createdb_command :
+    refreshonly => true,
+    user        => $user,
+    logoutput   => on_failure,
+  }~>
+
+  # This will prevent users from connecting to the database unless they've been
+  #  granted privileges.
+  postgresql_psql {"REVOKE ${public_revoke_privilege} ON DATABASE \"${dbname}\" FROM public":
+    db          => $user,
+    refreshonly => true,
+  }
+
+  Exec [ $createdb_command ]->
+  postgresql_psql {"UPDATE pg_database SET datistemplate = ${istemplate} WHERE datname = '${dbname}'":
+    unless => "SELECT datname FROM pg_database WHERE datname = '${dbname}' AND datistemplate = ${istemplate}",
+  }
+
+  # Build up dependencies on tablespace
+  if($tablespace != undef and defined(Postgresql::Server::Tablespace[$tablespace])) {
+    Postgresql::Server::Tablespace[$tablespace]->Exec[$createdb_command]
+  }
+}

data/modules/postgresql/manifests/server/database_grant.pp

@@ -0,0 +1,18 @@
+# Manage a database grant. See README.md for more details.
+define postgresql::server::database_grant(
+  $privilege,
+  $db,
+  $role,
+  $psql_db   = undef,
+  $psql_user = undef
+) {
+  postgresql::server::grant { "database:${name}":
+    role        => $role,
+    db          => $db,
+    privilege   => $privilege,
+    object_type => 'DATABASE',
+    object_name => $db,
+    psql_db     => $psql_db,
+    psql_user   => $psql_user,
+  }
+}

data/modules/postgresql/manifests/server/db.pp

@@ -0,0 +1,36 @@
+# Define for conveniently creating a role, database and assigning the correct
+# permissions. See README.md for more details.
+define postgresql::server::db (
+  $user,
+  $password,
+  $encoding   = $postgresql::server::encoding,
+  $locale     = $postgresql::server::locale,
+  $grant      = 'ALL',
+  $tablespace = undef,
+  $istemplate = false,
+  $owner      = undef
+) {
+  postgresql::server::database { $name:
+    encoding   => $encoding,
+    tablespace => $tablespace,
+    locale     => $locale,
+    istemplate => $istemplate,
+    owner      => $owner,
+  }
+
+  if ! defined(Postgresql::Server::Role[$user]) {
+    postgresql::server::role { $user:
+      password_hash => $password,
+    }
+  }
+
+  postgresql::server::database_grant { "GRANT ${user} - ${grant} - ${name}":
+    privilege => $grant,
+    db        => $name,
+    role      => $user,
+  }
+
+  if($tablespace != undef and defined(Postgresql::Server::Tablespace[$tablespace])) {
+    Postgresql::Server::Tablespace[$tablespace]->Postgresql::Server::Database[$name]
+  }
+}

data/modules/postgresql/manifests/server/firewall.pp

@@ -0,0 +1,21 @@
+# PRIVATE CLASS: do not use directly
+class postgresql::server::firewall {
+  $ensure             = $postgresql::server::ensure
+  $manage_firewall    = $postgresql::server::manage_firewall
+  $firewall_supported = $postgresql::server::firewall_supported
+
+  if ($manage_firewall and $firewall_supported) {
+    if ($ensure == 'present' or $ensure == true) {
+      # TODO: get rid of hard-coded port
+      firewall { '5432 accept - postgres':
+        port   => '5432',
+        proto  => 'tcp',
+        action => 'accept',
+      }
+    } else {
+      firewall { '5432 accept - postgres':
+        ensure => absent,
+      }
+    }
+  }
+}

data/modules/postgresql/manifests/server/grant.pp

@@ -0,0 +1,81 @@
+# Define for granting permissions to roles. See README.md for more details.
+define postgresql::server::grant (
+  $role,
+  $db,
+  $privilege   = undef,
+  $object_type = 'database',
+  $object_name = $db,
+  $psql_db     = $postgresql::server::user,
+  $psql_user   = $postgresql::server::user
+) {
+  $group     = $postgresql::server::group
+  $psql_path = $postgresql::server::psql_path
+
+  ## Munge the input values
+  $_object_type = upcase($object_type)
+  $_privilege   = upcase($privilege)
+
+  ## Validate that the object type is known
+  validate_string($_object_type,
+    #'COLUMN',
+    'DATABASE',
+    #'FOREIGN SERVER',
+    #'FOREIGN DATA WRAPPER',
+    #'FUNCTION',
+    #'PROCEDURAL LANGUAGE',
+    #'SCHEMA',
+    #'SEQUENCE',
+    'TABLE',
+    #'TABLESPACE',
+    #'VIEW',
+  )
+
+  ## Validate that the object type's privilege is acceptable
+  case $_object_type {
+    'DATABASE': {
+      validate_string($_privilege,'CREATE','CONNECT','TEMPORARY','TEMP','ALL',
+        'ALL PRIVILEGES')
+      $unless_function = 'has_database_privilege'
+      $on_db = $psql_db
+    }
+    'TABLE': {
+      validate_string($_privilege,'SELECT','INSERT','UPDATE','REFERENCES',
+        'ALL','ALL PRIVILEGES')
+      $unless_function = 'has_table_privilege'
+      $on_db = $db
+    }
+    default: {
+      fail("Missing privilege validation for object type ${_object_type}")
+    }
+  }
+
+  # TODO: this is a terrible hack; if they pass "ALL" as the desired privilege,
+  #  we need a way to test for it--and has_database_privilege does not
+  #  recognize 'ALL' as a valid privilege name. So we probably need to
+  #  hard-code a mapping between 'ALL' and the list of actual privileges that
+  #  it entails, and loop over them to check them.  That sort of thing will
+  #  probably need to wait until we port this over to ruby, so, for now, we're
+  #  just going to assume that if they have "CREATE" privileges on a database,
+  #  then they have "ALL".  (I told you that it was terrible!)
+  $unless_privilege = $_privilege ? {
+    'ALL'   => 'CREATE',
+    default => $_privilege,
+  }
+  $grant_cmd = "GRANT ${_privilege} ON ${_object_type} \"${object_name}\" TO \"${role}\""
+  postgresql_psql { $grant_cmd:
+    db         => $on_db,
+    psql_user  => $psql_user,
+    psql_group => $group,
+    psql_path  => $psql_path,
+    unless     => "SELECT 1 WHERE ${unless_function}('${role}', '${object_name}', '${unless_privilege}')",
+    require    => Class['postgresql::server']
+  }
+
+  if($role != undef and defined(Postgresql::Server::Role[$role])) {
+    Postgresql::Server::Role[$role]->Postgresql_psql[$grant_cmd]
+  }
+
+  if($db != undef and defined(Postgresql::Server::Database[$db])) {
+    Postgresql::Server::Database[$db]->Postgresql_psql[$grant_cmd]
+  }
+}

data/modules/postgresql/manifests/server/initdb.pp

@@ -0,0 +1,52 @@
+# PRIVATE CLASS: do not call directly
+class postgresql::server::initdb {
+  $ensure       = $postgresql::server::ensure
+  $needs_initdb = $postgresql::server::needs_initdb
+  $initdb_path  = $postgresql::server::initdb_path
+  $datadir      = $postgresql::server::datadir
+  $encoding     = $postgresql::server::encoding
+  $locale       = $postgresql::server::locale
+  $group        = $postgresql::server::group
+  $user         = $postgresql::server::user
+
+  if($ensure == 'present' or $ensure == true) {
+    # Make sure the data directory exists, and has the correct permissions.
+    file { $datadir:
+      ensure => directory,
+      owner  => $user,
+      group  => $group,
+      mode   => '0700',
+    }
+
+    if($needs_initdb) {
+      # Build up the initdb command.
+      #
+      # We optionally add the locale switch if specified. Older versions of the
+      # initdb command don't accept this switch. So if the user didn't pass the
+      # parameter, lets not pass the switch at all.
+      $ic_base = "${initdb_path} --encoding '${encoding}' --pgdata '${datadir}'"
+      $initdb_command = $locale ? {
+        undef   => $ic_base,
+        default => "${ic_base} --locale '${locale}'"
+      }
+
+      # This runs the initdb command, we use the existance of the PG_VERSION
+      # file to ensure we don't keep running this command.
+      exec { 'postgresql_initdb':
+        command   => $initdb_command,
+        creates   => "${datadir}/PG_VERSION",
+        user      => $user,
+        group     => $group,
+        logoutput => on_failure,
+        before    => File[$datadir],
+      }
+    }
+  } else {
+    # Purge data directory if ensure => absent
+    file { $datadir:
+      ensure  => absent,
+      recurse => true,
+      force   => true,
+    }
+  }
+}

data/modules/postgresql/manifests/server/install.pp

@@ -0,0 +1,49 @@
+# PRIVATE CLASS: do not call directly
+class postgresql::server::install {
+  $package_ensure      = $postgresql::server::package_ensure
+  $package_name        = $postgresql::server::package_name
+  $client_package_name = $postgresql::server::client_package_name
+
+  # This is necessary to ensure that the extra client package that was
+  # installed automatically by the server package is removed and all
+  # of its dependencies are removed also. Without this later installation
+  # of the native Ubuntu packages will fail.
+  if($::operatingsystem == 'Ubuntu' and $package_ensure == 'absent') {
+    # This is an exec, because we want to invoke autoremove.
+    #
+    # An alternative would be to have a full list of packages, but that seemed
+    # more problematic to maintain, not to mention the conflict with the
+    # client class will create duplicate resources.
+    exec { 'apt-get-autoremove-postgresql-client-XX':
+      command   => "apt-get autoremove --purge --yes ${client_package_name}",
+      onlyif    => "dpkg -l ${client_package_name} | grep -e '^ii'",
+      logoutput => on_failure,
+      path      => '/usr/bin:/bin:/usr/sbin/:/sbin',
+    }
+
+    # This will clean up anything we miss
+    exec { 'apt-get-autoremove-postgresql-client-brute':
+      command   => "dpkg -P postgresql*",
+      onlyif    => "dpkg -l postgresql* | grep -e '^ii'",
+      logoutput => on_failure,
+      path      => '/usr/bin:/bin:/usr/sbin/:/sbin',
+    }
+  }
+
+  $_package_ensure = $package_ensure ? {
+    true     => 'present',
+    false    => 'purged',
+    'absent' => 'purged',
+    default => $package_ensure,
+  }
+
+  package { 'postgresql-server':
+    ensure => $_package_ensure,
+    name   => $package_name,
+
+    # This is searched for to create relationships with the package repos, be
+    # careful about its removal
+    tag    => 'postgresql',
+  }
+
+}

data/modules/postgresql/manifests/server/passwd.pp

@@ -0,0 +1,34 @@
+# PRIVATE CLASS: do not call directly
+class postgresql::server::passwd {
+  $ensure            = $postgresql::server::ensure
+  $postgres_password = $postgresql::server::postgres_password
+  $user              = $postgresql::server::user
+  $group             = $postgresql::server::group
+
+  if($ensure == 'present' or $ensure == true) {
+    if ($postgres_password != undef) {
+      # NOTE: this password-setting logic relies on the pg_hba.conf being
+      #  configured to allow the postgres system user to connect via psql
+      #  without specifying a password ('ident' or 'trust' security). This is
+      #  the default for pg_hba.conf.
+      $escaped = postgresql_escape($postgres_password)
+      $env = "env PGPASSWORD='${postgres_password}'"
+      exec { 'set_postgres_postgrespw':
+        # This command works w/no password because we run it as postgres system
+        # user
+        command     => "psql -c 'ALTER ROLE \"${user}\" PASSWORD ${escaped}'",
+        user        => $user,
+        group       => $group,
+        logoutput   => true,
+        cwd         => '/tmp',
+        # With this command we're passing -h to force TCP authentication, which
+        # does require a password.  We specify the password via the PGPASSWORD
+        # environment variable. If the password is correct (current), this
+        # command will exit with an exit code of 0, which will prevent the main
+        # command from running.
+        unless      => "${env} psql -h localhost -c 'select 1' > /dev/null",
+        path        => '/usr/bin:/usr/local/bin:/bin',
+      }
+    }
+  }
+}

data/modules/postgresql/manifests/server/pg_hba_rule.pp

@@ -0,0 +1,54 @@
+# This resource manages an individual rule that applies to the file defined in
+# $target. See README.md for more details.
+define postgresql::server::pg_hba_rule(
+  $type,
+  $database,
+  $user,
+  $auth_method,
+  $address     = undef,
+  $description = 'none',
+  $auth_option = undef,
+  $order       = '150',
+
+  # Needed for testing primarily, support for multiple files is not really
+  # working.
+  $target      = $postgresql::server::pg_hba_conf_path
+) {
+
+  if $postgresql::server::manage_pga_conf == false {
+      fail('postgresql::server::manage_pga_conf has been disabled, so this resource is now unused and redundant, either enable that option or remove this resource from your manifests')
+  } else {
+    validate_re($type, '^(local|host|hostssl|hostnossl)$',
+    "The type you specified [${type}] must be one of: local, host, hostssl, hostnosssl")
+
+    if($type =~ /^host/ and $address == undef) {
+      fail('You must specify an address property when type is host based')
+    }
+
+    $allowed_auth_methods = $postgresql::server::version ? {
+      '9.3' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'],
+      '9.2' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'],
+      '9.1' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam'],
+      '9.0' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'radius', 'cert', 'pam'],
+      '8.4' => ['trust', 'reject', 'md5', 'sha1', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'cert', 'pam'],
+      '8.3' => ['trust', 'reject', 'md5', 'sha1', 'crypt', 'password', 'gss', 'sspi', 'krb5', 'ident', 'ldap', 'pam'],
+      '8.2' => ['trust', 'reject', 'md5', 'crypt', 'password', 'krb5', 'ident', 'ldap', 'pam'],
+      '8.1' => ['trust', 'reject', 'md5', 'crypt', 'password', 'krb5', 'ident', 'pam'],
+      default => ['trust', 'reject', 'md5', 'password', 'gss', 'sspi', 'krb5', 'ident', 'peer', 'ldap', 'radius', 'cert', 'pam', 'crypt']
+    }
+
+    $auth_method_regex = join(['^(', join($allowed_auth_methods, '|'), ')$'],'')
+    validate_re($auth_method, $auth_method_regex,
+    join(["The auth_method you specified [${auth_method}] must be one of: ", join($allowed_auth_methods, ', ')],''))
+
+    # Create a rule fragment
+    $fragname = "pg_hba_rule_${name}"
+    concat::fragment { $fragname:
+      target  => $target,
+      content => template('postgresql/pg_hba_rule.conf'),
+      order   => $order,
+      owner   => $::id,
+      mode    => '0600',
+    }
+  }
+}

data/modules/postgresql/manifests/server/plperl.pp

@@ -0,0 +1,27 @@
+# This class installs the PL/Perl procedural language for postgresql. See
+# README.md for more details.
+class postgresql::server::plperl(
+  $package_ensure = 'present',
+  $package_name   = $postgresql::server::plperl_package_name
+) {
+  package { 'postgresql-plperl':
+    ensure => $package_ensure,
+    name   => $package_name,
+    tag    => 'postgresql',
+  }
+
+  if($package_ensure == 'present' or $package_ensure == true) {
+    anchor { 'postgresql::server::plperl::start': }->
+    Class['postgresql::server::install']->
+    Package['postgresql-plperl']->
+    Class['postgresql::server::service']->
+    anchor { 'postgresql::server::plperl::end': }
+  } else {
+    anchor { 'postgresql::server::plperl::start': }->
+    Class['postgresql::server::service']->
+    Package['postgresql-plperl']->
+    Class['postgresql::server::install']->
+    anchor { 'postgresql::server::plperl::end': }
+  }
+
+}

data/modules/postgresql/manifests/server/reload.pp

@@ -0,0 +1,15 @@
+# PRIVATE CLASS: do not use directly
+class postgresql::server::reload {
+  $ensure         = $postgresql::server::ensure
+  $service_name   = $postgresql::server::service_name
+  $service_status = $postgresql::server::service_status
+
+  if($ensure == 'present' or $ensure == true) {
+    exec { 'postgresql_reload':
+      path        => '/usr/bin:/usr/sbin:/bin:/sbin',
+      command     => "service ${service_name} reload",
+      onlyif      => $service_status,
+      refreshonly => true,
+    }
+  }
+}

data/modules/postgresql/manifests/{role.pp → server/role.pp}

@@ -1,39 +1,25 @@
-# puppet-postgresql
-# For all details and documentation:
-# http://github.com/inkling/puppet-postgresql
-#
-# Copyright 2012- Inkling Systems, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-define postgresql::role(
+# Define for creating a database role. See README.md for more information
+define postgresql::server::role(
   $password_hash    = false,
   $createdb         = false,
   $createrole       = false,
-  $db               = 'postgres',
-  $login            = false,
+  $db               = $postgresql::server::user,
+  $login            = true,
   $superuser        = false,
   $replication      = false,
   $connection_limit = '-1',
   $username         = $title
 ) {
-  include postgresql::params
+  $psql_user  = $postgresql::server::user
+  $psql_group = $postgresql::server::group
+  $psql_path  = $postgresql::server::psql_path
+  $version    = $postgresql::server::version
 
-  $login_sql       = $login       ? { true => 'LOGIN'       , default => 'NOLOGIN' }
-  $createrole_sql  = $createrole  ? { true => 'CREATEROLE'  , default => 'NOCREATEROLE' }
-  $createdb_sql    = $createdb    ? { true => 'CREATEDB'    , default => 'NOCREATEDB' }
-  $superuser_sql   = $superuser   ? { true => 'SUPERUSER'   , default => 'NOSUPERUSER' }
-  $replication_sql = $replication ? { true => 'REPLICATION' , default => '' }
+  $login_sql       = $login       ? { true => 'LOGIN',       default => 'NOLOGIN' }
+  $createrole_sql  = $createrole  ? { true => 'CREATEROLE',  default => 'NOCREATEROLE' }
+  $createdb_sql    = $createdb    ? { true => 'CREATEDB',    default => 'NOCREATEDB' }
+  $superuser_sql   = $superuser   ? { true => 'SUPERUSER',   default => 'NOSUPERUSER' }
+  $replication_sql = $replication ? { true => 'REPLICATION', default => '' }
   if ($password_hash != false) {
     $password_sql = "ENCRYPTED PASSWORD '${password_hash}'"
   } else {
@@ -42,15 +28,15 @@ define postgresql::role(
 
   Postgresql_psql {
     db         => $db,
-    psql_user  => $postgresql::params::user,
-    psql_group => $postgresql::params::group,
-    psql_path  => $postgresql::params::psql_path,
-    require    => Postgresql_psql["CREATE ROLE \"${username}\" ${password_sql} ${login_sql} ${createrole_sql} ${createdb_sql} ${superuser_sql} ${replication_sql} CONNECTION LIMIT ${connection_limit}"],
+    psql_user  => $psql_user,
+    psql_group => $psql_group,
+    psql_path  => $psql_path,
+    require    => [ Postgresql_psql["CREATE ROLE \"${username}\" ${password_sql} ${login_sql} ${createrole_sql} ${createdb_sql} ${superuser_sql} ${replication_sql} CONNECTION LIMIT ${connection_limit}"], Class['postgresql::server'] ],
   }
 
   postgresql_psql {"CREATE ROLE \"${username}\" ${password_sql} ${login_sql} ${createrole_sql} ${createdb_sql} ${superuser_sql} ${replication_sql} CONNECTION LIMIT ${connection_limit}":
     unless  => "SELECT rolname FROM pg_roles WHERE rolname='${username}'",
-    require => undef,
+    require => Class['Postgresql::Server'],
   }
 
   postgresql_psql {"ALTER ROLE \"${username}\" ${superuser_sql}":
@@ -69,7 +55,7 @@ define postgresql::role(
     unless => "SELECT rolname FROM pg_roles WHERE rolname='${username}' and rolcanlogin=${login}",
   }
 
-  if(versioncmp($postgresql::params::version, '9.1') >= 0) {
+  if(versioncmp($version, '9.1') >= 0) {
     postgresql_psql {"ALTER ROLE \"${username}\" ${replication_sql}":
       unless => "SELECT rolname FROM pg_roles WHERE rolname='${username}' and rolreplication=${replication}",
     }

data/modules/postgresql/manifests/server/service.pp

@@ -0,0 +1,40 @@
+# PRIVATE CLASS: do not call directly
+class postgresql::server::service {
+  $ensure           = $postgresql::server::ensure
+  $service_name     = $postgresql::server::service_name
+  $service_provider = $postgresql::server::service_provider
+  $service_status   = $postgresql::server::service_status
+  $user             = $postgresql::server::user
+  $default_database = $postgresql::server::default_database
+
+  $service_ensure = $ensure ? {
+    present => true,
+    absent  => false,
+    default => $ensure
+  }
+
+  service { 'postgresqld':
+    ensure    => $service_ensure,
+    name      => $service_name,
+    enable    => $service_ensure,
+    provider  => $service_provider,
+    hasstatus => true,
+    status    => $service_status,
+  }
+
+  if($service_ensure) {
+    # This blocks the class before continuing if chained correctly, making
+    # sure the service really is 'up' before continuing.
+    #
+    # Without it, we may continue doing more work before the database is
+    # prepared leading to a nasty race condition.
+    postgresql::validate_db_connection { 'validate_service_is_running':
+      run_as          => $user,
+      database_name   => $default_database,
+      sleep           => 1,
+      tries           => 60,
+      create_db_first => false,
+      require         => Service['postgresqld'],
+    }
+  }
+}

data/modules/postgresql/manifests/{table_grant.pp → server/table_grant.pp}

@@ -1,5 +1,6 @@
-# Resource postgresql::table_grant
-define postgresql::table_grant(
+# This resource wraps the grant resource to manage table grants specifically.
+# See README.md for more details.
+define postgresql::server::table_grant(
   $privilege,
   $table,
   $db,
@@ -7,8 +8,7 @@ define postgresql::table_grant(
   $psql_db   = undef,
   $psql_user = undef
 ) {
-  include postgresql::params
-  postgresql::grant { "table:${name}":
+  postgresql::server::grant { "table:${name}":
     role        => $role,
     db          => $db,
     privilege   => $privilege,

data/modules/postgresql/manifests/server/tablespace.pp

@@ -0,0 +1,42 @@
+# This module creates tablespace. See README.md for more details.
+define postgresql::server::tablespace(
+  $location,
+  $owner   = undef,
+  $spcname = $title
+) {
+  $user      = $postgresql::server::user
+  $group     = $postgresql::server::group
+  $psql_path = $postgresql::server::psql_path
+
+  Postgresql_psql {
+    psql_user  => $user,
+    psql_group => $group,
+    psql_path  => $psql_path,
+  }
+
+  if ($owner == undef) {
+    $owner_section = ''
+  } else {
+    $owner_section = "OWNER \"${owner}\""
+  }
+
+  $create_tablespace_command = "CREATE TABLESPACE \"${spcname}\" ${owner_section} LOCATION '${location}'"
+
+  file { $location:
+    ensure => directory,
+    owner  => $user,
+    group  => $group,
+    mode   => '0700',
+  }
+
+  $create_ts = "Create tablespace '${spcname}'"
+  postgresql_psql { "Create tablespace '${spcname}'":
+    command => $create_tablespace_command,
+    unless  => "SELECT spcname FROM pg_tablespace WHERE spcname='${spcname}'",
+    require => [Class['postgresql::server'], File[$location]],
+  }
+
+  if($owner != undef and defined(Postgresql::Server::Role[$owner])) {
+    Postgresql::Server::Role[$owner]->Postgresql_psql[$create_ts]
+  }
+}