+# Backup this cluster
#
+# This define causes the cluster to be registered on the backupservers.
+#
+# Furthermore, if this cluster is managed with postgresql::server and
+# do_role and do_hba are set, we create the role and modify the pg_hba.conf file.
+#
+# Since postgresql::server only supports a single cluster per host, we are moving
+# towards our own postgres::cluster, and this define also exports a hba rule for
+# those (regardless of the do_hba setting). If the cluster is managed with
+# postgres::cluster and has its manage_hba option set, this will then cause the
+# backup hosts to be allowed to replacate.
+#
+# Regarless of how the cluster is managed, firewall rules are set up to allow
+# access from the backup hosts.
+#
+# @param pg_version pg version of the cluster
+# @param pg_cluster cluster name
+# @param pg_port port of the postgres cluster
+# @param db_backup_role replication role username
+# @param db_backup_role_password password of the replication role
+# @param do_role create the role (requires setup with postgresql::server)
+# @param do_hba update pg_hba (requires setup with postgresql::server)
define postgres::backup_cluster(
- $pg_version,
- $pg_cluster = 'main',
- $pg_port = 5432,
- $backup_servers = getfromhash($site::roles, 'postgres_backup_server'),
- $db_backup_role = 'debian-backup',
- $db_backup_role_password = hkdf('/etc/puppet/secret', "postgresql-${::hostname}-${$pg_cluster}-${pg_port}-backup_role}"),
- $do_role = false,
- $do_hba = false,
+ String $pg_version,
+ String $pg_cluster = 'main',
+ Integer $pg_port = 5432,
+ String $db_backup_role = lookup('postgres::backup_cluster::db_backup_role'),
+ String $db_backup_role_password = hkdf('/etc/puppet/secret', "postgresql-${::hostname}-${$pg_cluster}-${pg_port}-backup_role}"),
+ Boolean $do_role = false,
+ Boolean $do_hba = false,
) {
- $datadir = "/var/lib/postgresql/${pg_version}/${pg_cluster}"
- file { "${datadir}/.nobackup":
- content => ""
- }
+ $datadir = "/var/lib/postgresql/${pg_version}/${pg_cluster}"
+ file { "${datadir}/.nobackup":
+ content => ''
+ }
+
+ ## XXX - get these from the roles and ldap
+ # backuphost, storace
+ $backup_servers_addrs = ['5.153.231.12/32', '93.94.130.161/32', '2001:41c8:1000:21::21:12/128', '2a02:158:380:280::161/128']
- ## XXX - get these from the roles and ldap
- # backuphost, storace
- $backup_servers_addrs = ['5.153.231.12/32', '93.94.130.161/32', '2001:41c8:1000:21::21:12/128', '2a02:158:380:280::161/128']
- $backup_servers_addrs_joined = join($backup_servers_addrs, ' ')
+ if $do_role {
+ postgresql::server::role { $db_backup_role:
+ password_hash => postgresql_password($db_backup_role, $db_backup_role_password),
+ replication => true,
+ }
+ }
+ if $do_hba {
+ $backup_servers_addrs.each |String $address| {
+ postgresql::server::pg_hba_rule { "debian_backup-${address}":
+ description => 'Open up PostgreSQL for backups',
+ type => 'hostssl',
+ database => 'replication',
+ user => $db_backup_role,
+ address => $address,
+ auth_method => 'md5',
+ }
+ }
+ }
- if $do_role {
- postgresql::server::role { $db_backup_role:
- password_hash => postgresql_password($db_backup_role, $db_backup_role_password),
- replication => true,
- }
- }
- if $do_hba {
- $backup_servers_addrs.each |String $address| {
- postgresql::server::pg_hba_rule { "debian_backup-${address}":
- description => 'Open up PostgreSQL for backups',
- type => 'hostssl',
- database => 'replication',
- user => $db_backup_role,
- address => $address,
- auth_method => 'md5',
- }
- }
- }
- @ferm::rule { "dsa-postgres-${pg_port}":
- description => 'Allow postgress access from backup host',
- domain => '(ip ip6)',
- rule => "&SERVICE_RANGE(tcp, ${pg_port}, ( @ipfilter((${backup_servers_addrs_joined})) ))",
- }
+ # Send connections to the port to the pg-backup chain
+ # there, the register_backup_clienthost class will have
+ # realized the exported allows from the backup servers.
+ #
+ # Any non-matching traffic will fall through and it can
+ # be allowed elsewhere
+ #
+ # this rule is only needed for clusters that we do not manage
+ # with postgres::cluster. Hopefully these will go away with time
+ ferm::rule::simple { "dsa-postgres-backup-${pg_port}":
+ description => 'Check for postgres access from backup host',
+ port => $pg_port,
+ target => 'pg-backup',
+ }
- postgres::backup_server::register_backup_cluster { "backup-role-${::fqdn}}-${pg_port}":
- pg_port => $pg_port,
- pg_role => $db_backup_role,
- pg_password => $db_backup_role_password,
- pg_cluster => $pg_cluster,
- pg_version => $pg_version,
- }
+ postgres::cluster::hba_entry { 'backup-replication':
+ pg_version => $pg_version,
+ pg_cluster => $pg_cluster,
+ pg_port => $pg_port,
+ database => 'replication',
+ user => db_backup_role,
+ address => $backup_servers_addrs,
+ }
+ postgres::backup_server::register_backup_cluster { "backup-role-${::fqdn}}-${pg_port}":
+ pg_port => $pg_port,
+ pg_role => $db_backup_role,
+ pg_password => $db_backup_role_password,
+ pg_cluster => $pg_cluster,
+ pg_version => $pg_version,
+ }
}
projects / mirror / dsa-puppet.git / blobdiff