# postgres backup server class postgres::backup_server { include postgres::backup_server::globals $make_base_backups = '/usr/local/bin/postgres-make-base-backups' ensure_packages ( [ 'libhash-merge-simple-perl', 'libyaml-perl', 'python-yaml', 'pigz', 'postgresql-client', 'postgresql-client-9.6', ], { ensure => 'installed' }) #### # Regularly pull base backups # concat { $postgres::backup_server::globals::base_backup_clusters: ensure_newline => true, } Concat::Fragment <<| tag == $postgres::backup_server::globals::tag_base_backup |>> file { $make_base_backups: mode => '0555', content => template('postgres/backup_server/postgres-make-base-backups.erb'), } file { '/var/lib/dsa/postgres-make-base-backups': ensure => directory, owner => $postgres::backup_server::globals::backup_unix_user, mode => '0755', } concat::fragment { 'puppet-crontab--postgres-make_base_backups': target => '/etc/cron.d/puppet-crontab', content => @("EOF") */30 * * * * ${postgres::backup_server::globals::backup_unix_user} sleep $(( RANDOM \% 1200 )); chronic ${make_base_backups} | EOF } #### # Maintain authorized_keys file on backup servers for WAL shipping # # do not let other hosts directly build our authorized_keys file, # instead go via a script that somewhat validates intput file { '/etc/dsa/postgresql-backup': ensure => 'directory', } file { '/usr/local/bin/postgres-make-backup-sshauthkeys': content => template('postgres/backup_server/postgres-make-backup-sshauthkeys.erb'), mode => '0555', notify => Exec['postgres-make-backup-sshauthkeys'], } file { '/usr/local/bin/postgres-make-one-base-backup': source => 'puppet:///modules/postgres/backup_server/postgres-make-one-base-backup', mode => '0555' } file { '/etc/dsa/postgresql-backup/sshkeys-manual': content => template('postgres/backup_server/sshkeys-manual.erb'), notify => Exec['postgres-make-backup-sshauthkeys'], } concat { $postgres::backup_server::globals::sshkeys_sources: notify => Exec['postgres-make-backup-sshauthkeys'], } concat::fragment { 'postgresql-backup/source-sshkeys-header': target => $postgres::backup_server::globals::sshkeys_sources , content => @(EOF), # | EOF order => '00', } Concat::Fragment <<| tag == $postgres::backup_server::globals::tag_source_sshkey |>> exec { 'postgres-make-backup-sshauthkeys': command => '/usr/local/bin/postgres-make-backup-sshauthkeys', refreshonly => true, } ssh::authorized_key_collect { 'postgres::backup_server': target_user => $postgres::backup_server::globals::backup_unix_user, collect_tag => $postgres::backup_server::globals::tag_source_sshkey, } #### # Maintain /etc/nagios/dsa-check-backuppg.conf # file { '/etc/dsa/postgresql-backup/dsa-check-backuppg.conf.d': ensure => 'directory', purge => true, force => true, recurse => true, notify => Exec['update dsa-check-backuppg.conf'], } file { '/etc/dsa/postgresql-backup/dsa-check-backuppg.conf.d/globals.conf': content => template('postgres/backup_server/dsa-check-backuppg-globals.conf.erb'), notify => Exec['update dsa-check-backuppg.conf'] } File<<| tag == $postgres::backup_server::globals::tag_dsa_check_backupp |>> exec { 'update dsa-check-backuppg.conf': command => @(EOF), perl -MYAML=LoadFile,Dump -MHash::Merge::Simple=merge -E 'say Dump(merge(map{LoadFile($_)}@ARGV))' /etc/dsa/postgresql-backup/dsa-check-backuppg.conf.d/*.conf > /etc/nagios/dsa-check-backuppg.conf | EOF provider => shell, refreshonly => true, } file { '/etc/sudoers.d/backup-server': mode => '0440', content => template('postgres/backup_server/sudoers.erb'), } #### # Maintain .pgpass file on backup servers # # concat { $postgres::backup_server::globals::pgpassfile: owner => $postgres::backup_server::globals::backup_unix_user, group => $postgres::backup_server::globals::backup_unix_group, mode => '0400' } Concat::Fragment <<| tag == $postgres::backup_server::globals::tag_source_pgpassline |>> }