# define postgres::backup_cluster( $pg_version, $pg_cluster = 'main', $pg_port = 5432, $backup_servers = getfromhash($site::roles, 'postgres_backup_server'), $db_backup_role = 'debian-backup', $db_backup_role_password = hkdf('/etc/puppet/secret', "postgresql-${::hostname}-${$pg_cluster}-${pg_port}-backup_role}"), $do_role = false, $do_hba = false, ) { $datadir = "/var/lib/postgresql/${pg_version}/${pg_cluster}" file { "${datadir}/.nobackup": content => "" } ## XXX - get these from the roles and ldap # backuphost, storace $backup_servers_addrs = ['5.153.231.12/32', '93.94.130.161/32', '2001:41c8:1000:21::21:12/128', '2a02:158:380:280::161/128'] $backup_servers_addrs_joined = join($backup_servers_addrs, ' ') if $do_role { postgresql::server::role { $db_backup_role: password_hash => postgresql_password($db_backup_role, $db_backup_role_password), replication => true, } } if $do_hba { $backup_servers_addrs.each |String $address| { postgresql::server::pg_hba_rule { "debian_backup-${address}": description => 'Open up PostgreSQL for backups', type => 'hostssl', database => 'replication', user => $db_backup_role, address => $address, auth_method => 'md5', } } } @ferm::rule { "dsa-postgres-${pg_port}": description => 'Allow postgress access from backup host', domain => '(ip ip6)', rule => "&SERVICE_RANGE(tcp, ${pg_port}, ( @ipfilter((${backup_servers_addrs_joined})) ))", } postgres::backup_server::register_backup_cluster { "backup-role-${::fqdn}}-${pg_port}": pg_port => $pg_port, pg_role => $db_backup_role, pg_password => $db_backup_role_password, pg_cluster => $pg_cluster, pg_version => $pg_version, } }