X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fpostgres%2Fmanifests%2Fbackup_server.pp;h=6d9b79289a0fcb9f095312faf24b16fb8803f16e;hb=b3d748149a3204479e9cb6787a7caf668488d8f8;hp=b5a4ef7d73496ea90151580673f2ed221730970a;hpb=1e828473d383842b6d6157b253cd69a0147f22ab;p=mirror%2Fdsa-puppet.git diff --git a/modules/postgres/manifests/backup_server.pp b/modules/postgres/manifests/backup_server.pp index b5a4ef7d7..6d9b79289 100644 --- a/modules/postgres/manifests/backup_server.pp +++ b/modules/postgres/manifests/backup_server.pp @@ -1,141 +1,121 @@ -# -class postgres::backup_server::globals { - $make_base_backups = '/usr/local/bin/postgres-make-base-backups' - $pgpassfile = '/home/debbackup/.pgpass' - $sshkeys_sources = '/etc/dsa/postgresql-backup/sshkeys-sources' - - $tag_base_backup = "postgresql::server::backup-source-make-base-backup-entry" - $tag_source_sshkey = "postgresql::server::backup-source-sshkey" - $tag_source_pgpassline = "postgresql::server::backup-source-pgpassline" -} - +# postgres backup server class postgres::backup_server { - include postgres::backup_server::globals + include postgres::backup_server::globals - package { 'postgresql-client-9.1': - ensure => installed - } - package { 'postgresql-client-9.4': - ensure => installed - } + $make_base_backups = '/usr/local/bin/postgres-make-base-backups' - concat { $postgres::backup_server::globals::make_base_backups: - mode => '0555', - } - concat::fragment { 'make-base-backups-header': - target => $postgres::backup_server::globals::make_base_backups, - content => template('postgres/backup_server/postgres-make-base-backups.erb'), - order => '00', - } - Concat::Fragment <<| tag == $postgres::backup_server::globals::tag_base_backup |>> - concat::fragment { 'make-base-backups-tail': - target => $postgres::backup_server::globals::make_base_backups, - content => @(EOTEMPLATE), - # EOF by make-base-backups-tail fragment - EOF - | EOTEMPLATE - order => '99', - } - if $::hostname in [backuphost] { - file { '/etc/cron.d/puppet-postgres-make-base-backups': - content => "20 1 * * 0 debbackup chronic ${$postgres::backup_server::globals::make_base_backups}\n", - } - } else { - file { '/etc/cron.d/puppet-postgres-make-base-backups': - content => "20 0 * * 6 debbackup chronic ${$postgres::backup_server::globals::make_base_backups}\n", - } - } + ensure_packages ( [ + 'libhash-merge-simple-perl', + 'libyaml-perl', + 'python-yaml', + 'pigz', + 'postgresql-client', + 'postgresql-client-9.6', + ], { + ensure => 'installed' + }) - # Maintain authorized_keys file on backup servers for WAL shipping - # - # do not let other hosts directly build our authorized_keys file, - # instead go via a script that somewhat validates intput - file { '/etc/dsa/postgresql-backup': - ensure => 'directory', - } - file { '/usr/local/bin/postgres-make-backup-sshauthkeys': - content => template('postgres/backup_server/postgres-make-backup-sshauthkeys.erb'), - mode => '0555', - notify => Exec['postgres-make-backup-sshauthkeys'], - } - file { '/etc/dsa/postgresql-backup/sshkeys-manual': - content => template('postgres/backup_server/sshkeys-manual.erb'), - notify => Exec['postgres-make-backup-sshauthkeys'], - } - concat { $postgres::backup_server::globals::sshkeys_sources: - notify => Exec['postgres-make-backup-sshauthkeys'], - } - concat::fragment { 'postgresql-backup/source-sshkeys-header': - target => $postgres::backup_server::globals::sshkeys_sources , - content => @(EOF), - # - | EOF - order => '00', - } - Concat::Fragment <<| tag == $postgres::backup_server::globals::tag_source_sshkey |>> - exec { "postgres-make-backup-sshauthkeys": - command => "/usr/local/bin/postgres-make-backup-sshauthkeys", - refreshonly => true, - } + #### + # Regularly pull base backups + # + concat { $postgres::backup_server::globals::base_backup_clusters: + ensure_newline => true, + } + Concat::Fragment <<| tag == $postgres::backup_server::globals::tag_base_backup |>> - # Maintain .pgpass file on backup servers - concat { $postgres::backup_server::globals::pgpassfile: - owner => 'debbackup', - group => 'debbackup', - mode => '0400' - } - concat::fragment{ 'pgpass-local': - target => $postgres::backup_server::globals::pgpassfile, - source => '/home/debbackup/.pgpass-local', - order => '00' - } - Concat::Fragment <<| tag == $postgres::backup_server::globals::tag_source_pgpassline |>> -} + file { $make_base_backups: + mode => '0555', + content => template('postgres/backup_server/postgres-make-base-backups.erb'), + } + file { '/var/lib/dsa/postgres-make-base-backups': + ensure => directory, + owner => $postgres::backup_server::globals::backup_unix_user, + mode => '0755', + } + concat::fragment { 'puppet-crontab--postgres-make_base_backups': + target => '/etc/cron.d/puppet-crontab', + content => @("EOF") + */30 * * * * ${postgres::backup_server::globals::backup_unix_user} sleep $(( RANDOM \% 1200 )); chronic ${make_base_backups} + | EOF + } -define postgres::backup_server::register_backup_clienthost ( - $sshpubkey = $::postgresql_key, - $ipaddrlist = join(getfromhash($site::nodeinfo, 'ldap', 'ipHostNumber'), ","), - $hostname = $::hostname, -) { - include postgres::backup_server::globals + #### + # Maintain authorized_keys file on backup servers for WAL shipping + # + # do not let other hosts directly build our authorized_keys file, + # instead go via a script that somewhat validates intput + file { '/etc/dsa/postgresql-backup': + ensure => 'directory', + } + file { '/usr/local/bin/postgres-make-backup-sshauthkeys': + content => template('postgres/backup_server/postgres-make-backup-sshauthkeys.erb'), + mode => '0555', + notify => Exec['postgres-make-backup-sshauthkeys'], + } + file { '/usr/local/bin/postgres-make-one-base-backup': + source => 'puppet:///modules/postgres/backup_server/postgres-make-one-base-backup', + mode => '0555' + } + file { '/etc/dsa/postgresql-backup/sshkeys-manual': + content => template('postgres/backup_server/sshkeys-manual.erb'), + notify => Exec['postgres-make-backup-sshauthkeys'], + } + concat { $postgres::backup_server::globals::sshkeys_sources: + notify => Exec['postgres-make-backup-sshauthkeys'], + } + concat::fragment { 'postgresql-backup/source-sshkeys-header': + target => $postgres::backup_server::globals::sshkeys_sources , + content => @(EOF), + # + | EOF + order => '00', + } + Concat::Fragment <<| tag == $postgres::backup_server::globals::tag_source_sshkey |>> + exec { 'postgres-make-backup-sshauthkeys': + command => '/usr/local/bin/postgres-make-backup-sshauthkeys', + refreshonly => true, + } + ssh::authorized_key_collect { 'postgres::backup_server': + target_user => $postgres::backup_server::globals::backup_unix_user, + collect_tag => $postgres::backup_server::globals::tag_source_sshkey, + } - if $sshpubkey { - $addr = assert_type(String[1], $ipaddrlist) - @@concat::fragment { "postgresql::server::backup-source-clienthost::$name::$fqdn": - target => $postgres::backup_server::globals::sshkeys_sources , - content => @("EOF"), - ${hostname} ${addr} ${sshpubkey} - | EOF - tag => $postgres::backup_server::globals::tag_source_sshkey, - } - } -} + #### + # Maintain /etc/nagios/dsa-check-backuppg.conf + # + file { '/etc/dsa/postgresql-backup/dsa-check-backuppg.conf.d': + ensure => 'directory', + purge => true, + force => true, + recurse => true, + notify => Exec['update dsa-check-backuppg.conf'], + } + file { '/etc/dsa/postgresql-backup/dsa-check-backuppg.conf.d/globals.conf': + content => template('postgres/backup_server/dsa-check-backuppg-globals.conf.erb'), + notify => Exec['update dsa-check-backuppg.conf'] + } + File<<| tag == $postgres::backup_server::globals::tag_dsa_check_backupp |>> + exec { 'update dsa-check-backuppg.conf': + command => @(EOF), + perl -MYAML=LoadFile,Dump -MHash::Merge::Simple=merge -E 'say Dump(merge(map{LoadFile($_)}@ARGV))' /etc/dsa/postgresql-backup/dsa-check-backuppg.conf.d/*.conf > /etc/nagios/dsa-check-backuppg.conf + | EOF + provider => shell, + refreshonly => true, + } + + file { '/etc/sudoers.d/backup-server': + mode => '0440', + content => template('postgres/backup_server/sudoers.erb'), + } -define postgres::backup_server::register_backup_cluster ( - $hostname = $::fqdn, - $pg_port, - $pg_role, - $pg_password, - $pg_cluster, - $pg_version, -) { - include postgres::backup_server::globals - # foobar.debian.org:5432:*:debian-backup:swordfish - @@concat::fragment { "postgresql::server::backup-source-pgpassline::$hostname::$pg_port::$pg_role": - target => $postgres::backup_server::globals::pgpassfile, - content => @("EOF"), - ${hostname}:${pg_port}:*:${pg_role}:${pg_password} - | EOF - tag => $postgres::backup_server::globals::tag_source_pgpassline, - } - # - # vittoria.debian.org 5432 debian-backup main 9.6 - @@concat::fragment { "postgresql::server::backup-source-make-base-backup-entry::$hostname::$pg_port::$pg_role": - target => $postgres::backup_server::globals::make_base_backups, - content => @("EOF"), - ${hostname} ${pg_port} ${pg_role} ${pg_cluster} ${pg_version} - | EOF - tag => $postgres::backup_server::globals::tag_base_backup, - } + #### + # Maintain .pgpass file on backup servers + # # + concat { $postgres::backup_server::globals::pgpassfile: + owner => $postgres::backup_server::globals::backup_unix_user, + group => $postgres::backup_server::globals::backup_unix_group, + mode => '0400' + } + Concat::Fragment <<| tag == $postgres::backup_server::globals::tag_source_pgpassline |>> }