X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;ds=sidebyside;f=modules%2Fpostgres%2Fmanifests%2Fbackup_server%2Fregister_backup_clienthost.pp;h=5dff84554170b7b1ce207be8fc1aa737d0f3fa74;hb=d348da25beaad1ff77c3f94b8b1b53fc29f6b3ef;hp=7580845e03f3f883a33cd8ef24127966cbb3610e;hpb=dc2858047a151e2fbe466678c21d6533a5c245bf;p=mirror%2Fdsa-puppet.git
diff --git a/modules/postgres/manifests/backup_server/register_backup_clienthost.pp b/modules/postgres/manifests/backup_server/register_backup_clienthost.pp
index 7580845e0..5dff84554 100644
--- a/modules/postgres/manifests/backup_server/register_backup_clienthost.pp
+++ b/modules/postgres/manifests/backup_server/register_backup_clienthost.pp
@@ -1,12 +1,20 @@
 # register this host at the backup servers
 #
 # This class set up the ssh authorization on the backup servers
-# so this client can push WAL segments.
+# so this client can push WAL segments. Furthermore, the
+# client will be allowed to read other hosts backups -- specify
+# the list of allowed target hosts via params.
+#
+# @param allow_read_basedir directory under which files can be read
+# @param allow_read_hosts subdirectories under base to allow
 define postgres::backup_server::register_backup_clienthost (
+ String $allow_read_basedir = '/srv/backups/pg',
+ Array[Stdlib::Fqdn] $allow_read_hosts = lookup( { 'name' => 'postgres::backup_server::register_backup_clienthost::allow_read_hosts', 'default_value' => [] } ),
 ) {
 include postgres::backup_server::globals
 
- $ssh_command = "/usr/local/bin/debbackup-ssh-wrap ${::hostname}"
+ $allowstr = $allow_read_hosts.map |$host| { "--read-allow=${allow_read_basedir}/${host}" }.join(' ')
+ $ssh_command = "/usr/local/bin/debbackup-ssh-wrap ${allowstr} ${::hostname}"
 
 ssh::authorized_key_add { 'register_backup_clienthost':
 target_user => $postgres::backup_server::globals::backup_unix_user,
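Review bot: `$allow_read_basedir` is typed as a bare `String` and interpolated unquoted into `$ssh_command`, so a value containing a space, quote or shell metacharacter would change the arguments passed to `debbackup-ssh-wrap` instead of naming a directory. `$allow_read_hosts` is already constrained by `Stdlib::Fqdn`; the base directory deserves an equally tight type, for example `Pattern[/\A\/[A-Za-z0-9._\/-]+\z/] $allow_read_basedir = '/srv/backups/pg',`. This matters most if `$ssh_command` becomes the forced command of the authorized key, which the hunk suggests but does not show, because the `ssh::authorized_key_add` resource continues outside it. Separately, with the default empty host list `${allowstr}` is empty and the command gains a second space before `${::hostname}`, which would rewrite the key entry for every host that passes no read hosts; joining only the non-empty parts of the command avoids that churn.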