From: Peter Palfrader
Date: Fri, 1 Sep 2017 17:14:50 +0000 (+0000)
Subject: Start with puppetizing postgres cluster backup configuration. for now, only deal...
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=1cb97228cc59907f5eacbd5927e74c715000ac6c;p=mirror%2Fdsa-puppet.git
Start with puppetizing postgres cluster backup configuration. for now, only deal with melartin
---
diff --git a/modules/postgres/manifests/backup_cluster.pp b/modules/postgres/manifests/backup_cluster.pp
new file mode 100644
index 000000000..83edaf17f
--- /dev/null
+++ b/modules/postgres/manifests/backup_cluster.pp
@@ -0,0 +1,55 @@
+#
+define postgres::backup_cluster(
+ $pg_version,
+ $pg_cluster = 'main',
+ $pg_port = 5432,
+ $backup_servers = getfromhash($site::roles, 'postgres_backup_server'),
+ $db_backup_role = 'debian-backup',
+ $db_backup_role_password = hkdf('/etc/puppet/secret', "postgresql-${::hostname}-${$pg_cluster}-${pg_port}-backup_role}"),
+ $do_role = false,
+ $do_hba = false,
+) {
+ warning("foo ${backup_servers}")
+
+ $datadir = "/var/lib/postgresql/${pg_version}/${pg_cluster}"
+ file { "${datadir}/.nobackup":
+ content => ""
+ }
+
+ ## XXX - get these from the roles and ldap
+ # backuphost, storace
+ $backup_servers_addrs = ['5.153.231.12/32', '93.94.130.161/32', '2001:41c8:1000:21::21:12/128', '2a02:158:380:280::161/128']
+ $backup_servers_addrs_joined = join($backup_servers_addrs, ' ')
+
+ if $do_role {
+ postgresql::server::role { $db_backup_role:
+ password_hash => postgresql_password($db_backup_role, $db_backup_role_password),
+ replication => true,
+ }
+ }
+ if $do_hba {
+ $backup_servers_addrs.each |String $address| {
+ postgresql::server::pg_hba_rule { "debian_backup-${address}":
+ description => 'Open up PostgreSQL for backups',
+ type => 'hostssl',
+ database => 'replication',
+ user => $db_backup_role,
+ address => $address,
+ auth_method => 'md5',
+ }
+ }
+ }
+ @ferm::rule { "dsa-postgres-${pg_port}":
+ description => 'Allow postgress access from backup host',
+ domain => '(ip ip6)',
+ rule => "&SERVICE_RANGE(tcp, ${pg_port}, ( @ipfilter((${backup_servers_addrs_joined})) ))",
+ }
+
+ postgres::backup_server::register_backup_cluster { "backup-role-${::fqdn}}-${::pg_port}":
+ pg_port => $pg_port,
+ pg_role => $db_backup_role,
+ pg_password => $db_backup_role_password,
+ pg_cluster => $pg_cluster,
+ pg_version => $pg_version,
+ }
+}
diff --git a/modules/postgres/manifests/backup_server.pp b/modules/postgres/manifests/backup_server.pp
index 42c2364ee..3d9308ed2 100644
--- a/modules/postgres/manifests/backup_server.pp
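Review bot: The title of the register_backup_cluster resource near the end of the define carries a stray closing brace and reads a top-scope variable that is never set, `"backup-role-${::fqdn}}-${::pg_port}"`; `$::pg_port` is not the define's `$pg_port` parameter, so the title becomes `backup-role-<fqdn>}-` (or a compile error under strict_variables). It should read `postgres::backup_server::register_backup_cluster { "backup-role-${::fqdn}-${pg_port}":`, and the same stray `}` appears in the `"backup-clienthost-${::fqdn}}"` title added to backup_source.pp further down. The hkdf info string for `$db_backup_role_password` also ends in a literal `}` (`-backup_role}"`); it is harmless today, but the derived password is bound to that exact string, so correcting it after deployment rotates the backup role's password on every cluster — fix it now or comment that it is intentional. `warning("foo ${backup_servers}")` looks like leftover debugging, and `$backup_servers` is otherwise unused in favour of the hard-coded `$backup_servers_addrs` list that the XXX comment already flags.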
+++ b/modules/postgres/manifests/backup_server.pp @@ -1,4 +1,17 @@ +# +class postgres::backup_server::globals { + $make_base_backups = '/usr/local/bin/postgres-make-base-backups' + $pgpassfile = '/home/debbackup/.pgpass' + $sshkeys_sources = '/etc/dsa/postgresql-backup/sshkeys-sources' + + $tag_base_backup = "postgresql::server::backup-source-make-base-backup-entry" + $tag_source_sshkey = "postgresql::server::backup-source-sshkey" + $tag_source_pgpassline = "postgresql::server::backup-source-pgpassline" +} + class postgres::backup_server { + include postgres::backup_server::globals + package { 'postgresql-client-9.1': ensure => installed } 
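Review bot: The three `$tag_*` values in postgres::backup_server::globals are double-quoted strings with nothing to interpolate, while the path constants in the same class use single quotes; for consistency (and to keep puppet-lint's double_quoted_strings check quiet) write `$tag_base_backup = 'postgresql::server::backup-source-make-base-backup-entry'` and likewise for the other two. A one-line comment above the class saying what it is for would help readers of the exporting side, e.g. `# Paths and exported-resource tags shared by backup_server and the register_* defines`. The class postgres::backup_server continues past this hunk.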
@@ -6,20 +19,36 @@ class postgres::backup_server { ensure => installed } - file { '/usr/local/bin/postgres-make-base-backups': + concat { $postgres::backup_server::globals::make_base_backups: + } + concat::fragment { 'make-base-backups-header': + target => $postgres::backup_server::globals::make_base_backups, content => template('postgres/backup_server/postgres-make-base-backups.erb'), - mode => '0555', + order => '00', + } + Concat::Fragment <<| tag == $postgres::backup_server::globals::tag_base_backup |>> + concat::fragment { 'make-base-backups-tail': + target => $postgres::backup_server::globals::make_base_backups, + content => @(EOTEMPLATE), + # EOF by make-base-backups-tail fragment + EOF + | EOTEMPLATE + order => '99', } if $::hostname in [backuphost] { file { '/etc/cron.d/puppet-postgres-make-base-backups': - content => "20 1 * * 0 debbackup chronic /usr/local/bin/postgres-make-base-backups\n", + content => "20 1 * * 0 debbackup chronic ${$postgres::backup_server::globals::make_base_backups}\n", } } else { file { '/etc/cron.d/puppet-postgres-make-base-backups': - content => "20 0 * * 6 debbackup chronic /usr/local/bin/postgres-make-base-backups\n", + content => "20 0 * * 6 debbackup chronic ${$postgres::backup_server::globals::make_base_backups}\n", } } + # Maintain authorized_keys file on backup servers for WAL shipping + # + # do not let other hosts directly build our authorized_keys file, + # instead go via a script that somewhat validates intput file { '/etc/dsa/postgresql-backup': ensure => 'directory', } 
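Review bot: Replacing the `file` resource for `/usr/local/bin/postgres-make-base-backups` with a `concat` drops the `mode => '0555'` the removed line carried, and the concat module defaults to a non-executable mode, so the cron entries further down (`chronic ${$postgres::backup_server::globals::make_base_backups}`) would invoke a script without its execute bit. Add `mode => '0555',` inside `concat { $postgres::backup_server::globals::make_base_backups: }`. The `EOF` line in the tail fragment is there to terminate a bash heredoc in the template, which only works if it lands at column 0; the `| EOTEMPLATE` margin marker should ensure that, but a comment in the fragment would make the coupling explicit, e.g. `# must stay at column 0: it closes the heredoc opened in postgres-make-base-backups.erb`. The enclosing class postgres::backup_server continues beyond this hunk.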
@@ -32,21 +61,80 @@ class postgres::backup_server { content => template('postgres/backup_server/sshkeys-manual.erb'), notify => Exec['postgres-make-backup-sshauthkeys'], } - concat { '/etc/dsa/postgresql-backup/sshkeys-sources': + concat { $postgres::backup_server::globals::sshkeys_sources: notify => Exec['postgres-make-backup-sshauthkeys'], } concat::fragment { 'postgresql-backup/source-sshkeys-header': - target => '/etc/dsa/postgresql-backup/sshkeys-sources', + target => $postgres::backup_server::globals::sshkeys_sources , content => @(EOF), # | EOF order => '00', } - - Concat::Fragment <<| tag == "postgresql::server::backup-source-sshkey" |>> - + Concat::Fragment <<| tag == $postgres::backup_server::globals::tag_source_sshkey |>> exec { "postgres-make-backup-sshauthkeys": command => "/usr/local/bin/postgres-make-backup-sshauthkeys", refreshonly => true, } + + # Maintain .pgpass file on backup servers + concat { $postgres::backup_server::globals::pgpassfile: + owner => 'debbackup', + group => 'debbackup', + mode => '0400' + } + concat::fragment{ 'pgpass-local': + target => $postgres::backup_server::globals::pgpassfile, + source => '/home/debbackup/.pgpass-local', + order => '00' + } + Concat::Fragment <<| tag == $postgres::backup_server::globals::tag_source_pgpassline |>> +} + +define postgres::backup_server::register_backup_clienthost ( + $sshpubkey = $::postgresql_key, + $ipaddrlist = join(getfromhash($site::nodeinfo, 'ldap', 'ipHostNumber'), ","), + $hostname = $::hostname, +) { + include postgres::backup_server::globals + + if $sshpubkey { + $addr = assert_type(String[1], $ipaddrlist) + @@concat::fragment { "postgresql::server::backup-source-clienthost::$name::$fqdn": + target => $postgres::backup_server::globals::sshkeys_sources , + content => @("EOF"), + ${hostname} ${addr} ${sshpubkey} + | EOF + tag => $postgres::backup_server::globals::tag_source_sshkey, + } + } +} + +define postgres::backup_server::register_backup_cluster ( + $hostname = $::fqdn, + 
$pg_port, + $pg_role, + $pg_password, + $pg_cluster, + $pg_version, +) { + include postgres::backup_server::globals + + # foobar.debian.org:5432:*:debian-backup:swordfish + @@concat::fragment { "postgresql::server::backup-source-pgpassline::$hostname::$pg_port::$pg_role": + target => $postgres::backup_server::globals::pgpassfile, + content => @("EOF"), + ${hostname}:${pg_port}:*:${pg_role}:${pg_password} + | EOF + tag => $postgres::backup_server::globals::tag_source_pgpassline, + } + # + # vittoria.debian.org 5432 debian-backup main 9.6 + @@concat::fragment { "postgresql::server::backup-source-make-base-backup-entry::$hostname::$pg_port::$pg_role": + target => $postgres::backup_server::globals::make_base_backups, + content => @("EOF"), + ${hostname} ${pg_port} ${pg_role} ${pg_cluster} ${pg_version} + | EOF + tag => $postgres::backup_server::globals::tag_base_backup, + } } diff --git a/modules/postgres/manifests/backup_source.pp b/modules/postgres/manifests/backup_source.pp index 81d4a8ee1..be48b370c 100644 --- a/modules/postgres/manifests/backup_source.pp +++ b/modules/postgres/manifests/backup_source.pp @@ -1,3 +1,4 @@ +# class postgres::backup_source { file { "/usr/local/bin/pg-backup-file": mode => '0555', @@ -17,4 +18,14 @@ class postgres::backup_source { onlyif => '/usr/bin/getent passwd postgres > /dev/null && ! [ -e /var/lib/postgresql/.ssh/id_rsa ]' } } + + + if $::hostname in [melartin] { + postgres::backup_cluster { $::hostname: + pg_version => '9.6', + } + + postgres::backup_server::register_backup_clienthost { "backup-clienthost-${::fqdn}}": + } + } } diff --git a/modules/postgres/manifests/init.pp b/modules/postgres/manifests/init.pp index 534e21f9d..a3015dbfa 100644 --- a/modules/postgres/manifests/init.pp +++ b/modules/postgres/manifests/init.pp @@ -1,3 +1,4 @@ +# class postgres { $ensure = ($::postgres) ? { true => 'present', 
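Review bot: register_backup_cluster interpolates `${pg_password}` directly into a .pgpass line, but libpq requires any `:` or `\` inside a field to be backslash-escaped; whether the hkdf-derived password can contain those characters is not visible here, so either escape the field with regsubst before building the line or add a comment stating that the derivation only yields safe characters. The password is also carried in an `@@concat::fragment`, which means it is stored in PuppetDB and readable by anything permitted to query exported resources, not only by the backup servers that collect it — inherent to the design, but worth a comment on the define so nobody assumes the secret stays between the two hosts. In the parameter list of register_backup_cluster, `$hostname = $::fqdn` (which has a default) precedes the required `$pg_port`, `$pg_role`, `$pg_password`, `$pg_cluster`, `$pg_version`, which puppet-lint's parameter_order check flags; move it after them. In register_backup_clienthost the fragment title uses bare `$fqdn` where the rest of the module writes `$::fqdn`. The hunk begins inside postgres::backup_server, whose start lies outside it.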
diff --git a/modules/postgres/templates/backup_server/postgres-make-base-backups.erb b/modules/postgres/templates/backup_server/postgres-make-base-backups.erb index 01a049495..655603551 100755 --- a/modules/postgres/templates/backup_server/postgres-make-base-backups.erb +++ b/modules/postgres/templates/backup_server/postgres-make-base-backups.erb @@ -1,6 +1,7 @@ #!/bin/bash # run a bunch of full postgresql backups +# vim:syn=sh: # Copyright 2014 Peter Palfrader @@ -67,6 +68,7 @@ thishost=$(hostname -f) while read host port username cluster version; do [ "${host#\#}" = "$host" ] || continue + [ -z "$host" ] && continue if [ -n "$forcehostport" ] && [ "$forcehostport" != "$host:$port" ]; then [ "$verbose" -gt 0 ] && echo "Skipping $host:$port $version/$cluster." @@ -101,5 +103,6 @@ buxtehude.debian.org 5441 debian-backup debbugs 9.6 <%- if @hostname != "backuphost" -%> moszumanska.debian.org 5432 debian-backup main 9.1 <%- end -%> -EOF -# vim:syn=sh: +# +# puppet notice: this is just a partial file. The tail EOF comes +# from a different concat fragment
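Review bot: The `while read host port username cluster version` loop now consumes lines that other nodes export (`${hostname} ${pg_port} …` from register_backup_cluster), and its heredoc terminator has moved into the concat tail fragment; the heredoc's opening line is outside this hunk, so it is not visible whether its delimiter is quoted. If it is an unquoted `<<EOF`, bash performs parameter and command expansion on every exported line before `read` sees it, so a field that originates from another node's `$::fqdn` fact would be interpreted rather than read literally; `<<'EOF'` keeps the data inert and the tail fragment's `EOF` terminator works unchanged. The new `[ -z "$host" ] && continue` guard is fine but should say why it exists, e.g. `# concat may leave blank lines between fragments`.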