# Backup this cluster
#
# @param pg_version pg version of the cluster
-# @param pg_backup_role replication role username
# @param pg_cluster cluster name
# @param pg_port port of the postgres cluster
+# @param db_backup_role replication role username
# @param db_backup_role_password password of the replication role
# @param do_role create the role (requires setup with postgresql::server)
# @param do_hba update pg_hba (requires setup with postgresql::server)
define postgres::backup_cluster(
String $pg_version,
- String $db_backup_role = lookup('postgres::backup_cluster::db_backup_role'),
String $pg_cluster = 'main',
Integer $pg_port = 5432,
+ String $db_backup_role = lookup('postgres::backup_cluster::db_backup_role'),
String $db_backup_role_password = hkdf('/etc/puppet/secret', "postgresql-${::hostname}-${$pg_cluster}-${pg_port}-backup_role}"),
Boolean $do_role = false,
Boolean $do_hba = false,
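Review bot: The default for `$db_backup_role_password`, on the unchanged line just after the moved `$db_backup_role` parameter, derives the password from an info string that ends in a literal stray `}` and uses `${::hostname}` rather than the FQDN, and neither is documented. Assuming `hkdf()` is deterministic in its secret and info arguments, two nodes sharing a short hostname, cluster name and port would derive the same backup-role password, and tidying the string later would silently change every derived password. I would add a comment above it such as `# info string is part of the key derivation: do not edit (stray '}' included) without rotating the role passwords`. It may also be worth typing the parameter as `Sensitive[String]` so the value is redacted in logs and reports, if the consumers of this define accept that type; the body of the define is outside the hunk.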
}
}
}
+
+ # Send connections to the port to the pg-backup chain
+ # there, the register_backup_clienthost class will have
+ # realized the exported allows from the backup servers.
+ #
+ # Any non-matching traffic will fall through and it can
+ # be allowed elsewhere
ferm::rule::simple { "dsa-postgres-backup-${pg_port}":
- description => 'Allow postgress access from backup host',
+ description => 'Check for postgres access from backup host',
port => $pg_port,
- saddr => $backup_servers_addrs,
+ target => 'pg-backup',
}
postgres::backup_server::register_backup_cluster { "backup-role-${::fqdn}}-${pg_port}":
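Review bot: With `saddr` dropped, the `dsa-postgres-backup-${pg_port}` rule sends every source address that reaches the port into the `pg-backup` chain, so the access decision now lives entirely in a chain that this hunk neither declares nor depends on. The comment names the `register_backup_clienthost` class as the place where the chain gets its allows, but nothing visible here includes or requires it; on a node that uses this define without that class, the chain is presumably missing or empty, so either the backup host is refused or the ruleset fails to load. I would make the dependency explicit inside the define (include or `require` that class) and extend the comment with `# pg-backup must only hold per-source ACCEPT rules; the default policy decides everything else`. The resource opened on the last visible line continues outside the hunk, and its title carries a doubled `}` after `${::fqdn}` that looks unintended.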