#
# do not let other hosts directly build our authorized_keys file,
# instead go via a script that somewhat validates intput
- file { '/usr/local/bin/postgres-make-backup-sshauthkeys':
- ensure => absent,
+ file { '/usr/local/bin/debbackup-ssh-wrap':
+ source => 'puppet:///modules/postgres/backup_server/debbackup-ssh-wrap',
+ mode => '0555'
}
file { '/usr/local/bin/postgres-make-one-base-backup':
source => 'puppet:///modules/postgres/backup_server/postgres-make-one-base-backup',
mode => '0555'
}
- file { "/etc/ssh/userkeys/${postgres::backup_server::globals::backup_unix_user}":
- content => template('postgres/backup_server/sshkeys-manual.erb'),
- }
ssh::authorized_key_collect { 'postgres::backup_server':
target_user => $postgres::backup_server::globals::backup_unix_user,
collect_tag => $postgres::backup_server::globals::tag_source_sshkey,
mode => '0400'
}
Concat::Fragment <<| tag == $postgres::backup_server::globals::tag_source_pgpassline |>>
+
+ ####
+ # Let us connect to the clusters we want
+ #
+ # We export this, and the backup clients collect it
+ @@ferm::rule::simple { "pg-backup_server::${::fqdn}":
+ tag => 'postgres::backup_server::to-client',
+ description => 'Allow access access from backup host',
+ chain => 'pg-backup',
+ saddr => $base::public_addresses,
+ }
}
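Review bot: The added `file { '/usr/local/bin/debbackup-ssh-wrap': }` resource sets only `source` and `mode`, so where that path already exists Puppet leaves its owner and group unmanaged. Going by the comment at the top of the hunk, this wrapper is presumably the validation step between remote hosts and the backup account. I would therefore add `owner => 'root',` and `group => 'root',` unless a File default outside this hunk already sets them; mode 0555 alone does not stop an owning non-root account from changing the mode or replacing the script. Separately, the exported `ferm::rule::simple` description reads 'Allow access access from backup host' and should lose the duplicated word. The enclosing class begins outside the hunk, so any defaults or the place where the wrapper is wired into the collected keys cannot be checked from here.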