firewalling for pg basebackup
author
Peter Palfrader
<peter@palfrader.org>
Sat, 28 Sep 2019 20:18:02 +0000
(22:18 +0200)
committer
Peter Palfrader
<peter@palfrader.org>
Sat, 28 Sep 2019 20:18:02 +0000
(22:18 +0200)
modules/postgres/manifests/backup_cluster.pp
modules/postgres/manifests/backup_server.pp
modules/postgres/manifests/backup_server/register_backup_clienthost.pp
diff --git
a/modules/postgres/manifests/backup_cluster.pp
b/modules/postgres/manifests/backup_cluster.pp
index
102f264
..
bd6ef09
100644
(file)
--- a/
modules/postgres/manifests/backup_cluster.pp
+++ b/
modules/postgres/manifests/backup_cluster.pp
@@
-43,10
+43,17
@@
define postgres::backup_cluster(
}
}
}
}
}
}
+
+ # Send connections to the port to the pg-backup chain
+ # there, the register_backup_clienthost class will have
+ # realized the exported allows from the backup servers.
+ #
+ # Any non-matching traffic will fall through and it can
+ # be allowed elsewhere
ferm::rule::simple { "dsa-postgres-backup-${pg_port}":
ferm::rule::simple { "dsa-postgres-backup-${pg_port}":
- description => '
Allow postgres
s access from backup host',
+ description => '
Check for postgre
s access from backup host',
port => $pg_port,
port => $pg_port,
-
saddr => $backup_servers_addrs
,
+
target => 'pg-backup'
,
}
postgres::backup_server::register_backup_cluster { "backup-role-${::fqdn}}-${pg_port}":
}
postgres::backup_server::register_backup_cluster { "backup-role-${::fqdn}}-${pg_port}":
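Review bot: The jump `target => 'pg-backup'` on the rewritten rule assumes the pg-backup chain exists on every host that declares a backup cluster, but the chain is only populated by the collector added in register_backup_clienthost.pp (third file of this commit); if that define is not declared on the host, or no backup server has exported a rule yet, and the ferm wrapper only creates a chain when a rule is placed in it, the ruleset would reference an undefined chain and fail to load. Consider declaring the chain unconditionally next to this rule, or at least record the dependency in the comment block added above, e.g. `# Requires postgres::backup_server::register_backup_clienthost on this host to populate pg-backup`. That comment should also say that the port-only match here is what keeps the collected allows scoped to ${pg_port}, because the exported rules in backup_server.pp carry no port of their own. The register_backup_cluster title on the context line below has a stray `}` after `${::fqdn}`; it is pre-existing, but worth fixing while touching this resource.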
diff --git
a/modules/postgres/manifests/backup_server.pp
b/modules/postgres/manifests/backup_server.pp
index
bf8efa0
..
34a68b6
100644
(file)
--- a/
modules/postgres/manifests/backup_server.pp
+++ b/
modules/postgres/manifests/backup_server.pp
@@
-98,4
+98,15
@@
class postgres::backup_server {
mode => '0400'
}
Concat::Fragment <<| tag == $postgres::backup_server::globals::tag_source_pgpassline |>>
mode => '0400'
}
Concat::Fragment <<| tag == $postgres::backup_server::globals::tag_source_pgpassline |>>
+
+ ####
+ # Let us connect to the clusters we want
+ #
+ # We export this, and the backup clients collect it
+ @@ferm::rule::simple { "pg-backup_server::${::fqdn}":
+ tag => 'postgres::backup_server::to-client',
+ description => 'Allow access access from backup host',
+ chain => 'pg-backup',
+ saddr => $base::public_addresses,
+ }
}
}
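Review bot: The description on the exported rule doubles a word: `description => 'Allow access access from backup host',` should read `description => 'Allow access from backup host',`. The rule carries only `saddr` and `chain`, no port or proto, so it admits any traffic from the backup server's addresses that reaches pg-backup; that is fine while the only jump into the chain is the port-scoped rule in backup_cluster.pp, and a comment stating the invariant would stop a later jump from widening it, e.g. `# No port here: only jump to pg-backup for the cluster port`. `$base::public_addresses` is resolved in the backup server's own catalog, so the server's addresses become the allowed source, which looks intended; confirm the variable is set on those hosts, since an empty value would export a rule with no source restriction or a compile failure depending on the wrapper.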
diff --git
a/modules/postgres/manifests/backup_server/register_backup_clienthost.pp
b/modules/postgres/manifests/backup_server/register_backup_clienthost.pp
index
5dff845
..
8c288dd
100644
(file)
--- a/
modules/postgres/manifests/backup_server/register_backup_clienthost.pp
+++ b/
modules/postgres/manifests/backup_server/register_backup_clienthost.pp
@@
-23,4
+23,6
@@
define postgres::backup_server::register_backup_clienthost (
from => $base::public_addresses,
collect_tag => $postgres::backup_server::globals::tag_source_sshkey,
}
from => $base::public_addresses,
collect_tag => $postgres::backup_server::globals::tag_source_sshkey,
}
+
+ Ferm::Rule::Simple <<| tag == 'postgres::backup_server::to-client' |>>
}
}
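Review bot: The collector `Ferm::Rule::Simple <<| tag == 'postgres::backup_server::to-client' |>>` has no comment naming what it pairs with, unlike the exporting side in backup_server.pp; a one-liner such as `# Collect the pg-backup chain allows exported by every postgres::backup_server` would make the export/collect pair visible to the next reader. The define register_backup_clienthost starts outside this hunk, so whether it is declared on every host that also declares postgres::backup_cluster cannot be checked here.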