X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fpostgres%2Fmanifests%2Fbackup_server%2Fregister_backup_clienthost.pp;h=fc4cc0c1bb69621e1f7f81b9a737bd76522e88dd;hb=7f9dfc2720855047ffada44ed914fc3b30a41079;hp=b27b7ed6166bad6f20ea90db16a3c56a10a681c4;hpb=b3d748149a3204479e9cb6787a7caf668488d8f8;p=mirror%2Fdsa-puppet.git
diff --git a/modules/postgres/manifests/backup_server/register_backup_clienthost.pp b/modules/postgres/manifests/backup_server/register_backup_clienthost.pp
index b27b7ed61..fc4cc0c1b 100644
--- a/modules/postgres/manifests/backup_server/register_backup_clienthost.pp
+++ b/modules/postgres/manifests/backup_server/register_backup_clienthost.pp
@@ -1,12 +1,20 @@
+# register this host at the backup servers
 #
-define postgres::backup_server::register_backup_clienthost (
- $sshpubkey = $::postgres_key,
- $ipaddrlist = join(getfromhash($deprecated::nodeinfo, 'ldap', 'ipHostNumber'), ","),
- $hostname = $::hostname,
+# This class set up the ssh authorization on the backup servers
+# so this client can push WAL segments. Furthermore, the
+# client will be allowed to read other hosts backups -- specify
+# the list of allowed target hosts via params.
+#
+# @param allow_read_basedir directory under which files can be read
+# @param allow_read_hosts subdirectories under base to allow
+class postgres::backup_server::register_backup_clienthost (
+ String $allow_read_basedir = '/srv/backups/pg',
+ Array[Stdlib::Fqdn] $allow_read_hosts = [],
 ) {
 include postgres::backup_server::globals
- $ssh_command = "/usr/local/bin/debbackup-ssh-wrap ${::hostname}"
+ $allowstr = $allow_read_hosts.map |$host| { "--read-allow=${allow_read_basedir}/${host}" }.join(' ')
+ $ssh_command = "/usr/local/bin/debbackup-ssh-wrap ${allowstr} ${::hostname}"
 ssh::authorized_key_add { 'register_backup_clienthost':
 target_user => $postgres::backup_server::globals::backup_unix_user,
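Review bot: `$allow_read_basedir` is typed only as `String` and is interpolated unquoted into every `--read-allow=` argument of `$ssh_command`, so a value containing whitespace, a quote or a `..` component would change which paths the wrapper is told to allow. The host part is constrained by `Stdlib::Fqdn`, but the base directory is not; I would tighten the parameter, e.g. `Pattern[/\A(\/[A-Za-z0-9_-][A-Za-z0-9._-]*)+\z/] $allow_read_basedir = '/srv/backups/pg',`. How `$ssh_command` is consumed is outside this hunk (the `ssh::authorized_key_add` resource continues past it); presumably it becomes the key's forced command, which is why the string deserves strict validation. A one-line comment above `$allowstr`, such as `# one --read-allow=<basedir>/<fqdn> per host; an empty list passes no --read-allow option`, would also record the intended default.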
@@ -15,15 +23,4 @@ define postgres::backup_server::register_backup_clienthost (
 from => $base::public_addresses,
 collect_tag => $postgres::backup_server::globals::tag_source_sshkey,
 }
-
- if $sshpubkey {
- $addr = assert_type(String[1], $ipaddrlist)
- @@concat::fragment { "postgresql::server::backup-source-clienthost::$name::$fqdn":
- target => $postgres::backup_server::globals::sshkeys_sources ,
- content => @("EOF"),
- ${hostname} ${addr} ${sshpubkey}
- | EOF
- tag => $postgres::backup_server::globals::tag_source_sshkey,
- }
- }
 }