firwalling for pg basebackup

[mirror/dsa-puppet.git] / modules / postgres / manifests / backup_server.pp

diff --git a/modules/postgres/manifests/backup_server.pp b/modules/postgres/manifests/backup_server.pp
index 6d49144..34a68b6 100644 (file)
--- a/modules/postgres/manifests/backup_server.pp
+++ b/modules/postgres/manifests/backup_server.pp
@@ -44,16 +44,14 @@ class postgres::backup_server {
   #
   # do not let other hosts directly build our authorized_keys file,
   # instead go via a script that somewhat validates intput
-  file { '/usr/local/bin/postgres-make-backup-sshauthkeys':
-    ensure => absent,
+  file { '/usr/local/bin/debbackup-ssh-wrap':
+    source => 'puppet:///modules/postgres/backup_server/debbackup-ssh-wrap',
+    mode   => '0555'
   }
   file { '/usr/local/bin/postgres-make-one-base-backup':
     source => 'puppet:///modules/postgres/backup_server/postgres-make-one-base-backup',
     mode   => '0555'
   }
-  file { "/etc/ssh/userkeys/${postgres::backup_server::globals::backup_unix_user}":
-    content => template('postgres/backup_server/sshkeys-manual.erb'),
-  }
   ssh::authorized_key_collect { 'postgres::backup_server':
     target_user => $postgres::backup_server::globals::backup_unix_user,
     collect_tag => $postgres::backup_server::globals::tag_source_sshkey,
@@ -100,4 +98,15 @@ class postgres::backup_server {
     mode  => '0400'
   }
   Concat::Fragment <<| tag == $postgres::backup_server::globals::tag_source_pgpassline |>>
+
+  ####
+  # Let us connect to the clusters we want
+  #
+  # We export this, and the backup clients collect it
+  @@ferm::rule::simple { "pg-backup_server::${::fqdn}":
+    tag         => 'postgres::backup_server::to-client',
+    description => 'Allow access access from backup host',
+    chain       => 'pg-backup',
+    saddr       => $base::public_addresses,
+  }
 }