Move backup replication hba_entry to backup_cluster

[mirror/dsa-puppet.git] / modules / postgres / manifests / backup_server.pp

diff --git a/modules/postgres/manifests/backup_server.pp b/modules/postgres/manifests/backup_server.pp
index 4e55a10..84f4c0d 100644 (file)
--- a/modules/postgres/manifests/backup_server.pp
+++ b/modules/postgres/manifests/backup_server.pp
@@ -52,9 +52,6 @@ class postgres::backup_server {
     source => 'puppet:///modules/postgres/backup_server/postgres-make-one-base-backup',
     mode   => '0555'
   }
-  file { "/etc/ssh/userkeys/${postgres::backup_server::globals::backup_unix_user}":
-    content => template('postgres/backup_server/sshkeys-manual.erb'),
-  }
   ssh::authorized_key_collect { 'postgres::backup_server':
     target_user => $postgres::backup_server::globals::backup_unix_user,
     collect_tag => $postgres::backup_server::globals::tag_source_sshkey,
@@ -101,4 +98,18 @@ class postgres::backup_server {
     mode  => '0400'
   }
   Concat::Fragment <<| tag == $postgres::backup_server::globals::tag_source_pgpassline |>>
+
+  ####
+  # Let us connect to the clusters we want
+  #
+  # We export this, and the backup clients collect it
+  #
+  # this rule is only needed for clusters that we do not manage
+  # with postgres::cluster.  Hopefully these will go away with time
+  @@ferm::rule::simple { "pg-backup_server::${::fqdn}":
+    tag         => 'postgres::backup_server::to-client',
+    description => 'Allow access access from backup host',
+    chain       => 'pg-backup',
+    saddr       => $base::public_addresses,
+  }
 }