From: Peter Palfrader Date: Fri, 1 Sep 2017 11:39:18 +0000 (+0000) Subject: pg: put postgres ssh keys onto backup server X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=872979e8aae8f604651cbc9fb2c07c5c22245714;p=mirror%2Fdsa-puppet.git pg: put postgres ssh keys onto backup server
---
diff --git a/modules/postgres/manifests/backup_server.pp b/modules/postgres/manifests/backup_server.pp
index 4fda76054..2bda5dc9d 100644
--- a/modules/postgres/manifests/backup_server.pp
+++ b/modules/postgres/manifests/backup_server.pp
@@ -19,4 +19,30 @@ class postgres::backup_server {
 content => "20 0 * * 6 debbackup chronic /usr/local/bin/postgres-make-base-backups\n",
 }
 }
+
+ file { '/etc/dsa/postgresql-backup':
+ ensure => 'directory',
+ }
+ file { '/usr/local/bin/postgres-make-backup-sshauthkeys':
+ content => template('postgres/backup_server/postgres-make-backup-sshauthkeys.erb'),
+ mode => '0555',
+ notify => Exec['postgres-make-backup-sshauthkeys'],
+ }
+ concat { '/etc/dsa/postgresql-backup/sshkeys-sources':
+ notify => Exec['postgres-make-backup-sshauthkeys'],
+ }
+ concat::fragment { 'postgresql-backup/source-sshkeys-header':
+ target => '/etc/dsa/postgresql-backup/sshkeys-sources',
+ content => @(EOF),
+ #
+ | EOF
+ order => '00',
+ }
+
+ Concat::Fragment <<| tag == "postgresql::server::backup-source-sshkey" |>>
+
+ exec { "postgres-make-backup-sshauthkeys":
+ command => "/usr/local/bin/postgres-make-backup-sshauthkeys",
+ refreshonly => true,
+ }
 }
diff --git a/modules/postgres/templates/backup_server/postgres-make-backup-sshauthkeys.erb b/modules/postgres/templates/backup_server/postgres-make-backup-sshauthkeys.erb
new file mode 100755
index 000000000..ae17363b4
--- /dev/null
+++ b/modules/postgres/templates/backup_server/postgres-make-backup-sshauthkeys.erb
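Review bot: The header fragment for `/etc/dsa/postgresql-backup/sshkeys-sources` writes only a bare `#` line, so the assembled file says nothing about where its entries come from or what the generator expects per line. A comment in the heredoc such as `# Managed by puppet: one line per exported postgres backup source, format: hostname ipaddr ssh-key` would make hand inspection easier; that format is what the new generator script reads from this file. Also note that `Exec['postgres-make-backup-sshauthkeys']` is `refreshonly` and is notified only by the script file and this concat, so edits to the local head file the script also merges (`/etc/dsa/postgresql-backup/sshkeys-local`) are not picked up until the next notify or a manual run — presumably acceptable for a hand-maintained file, but worth a comment on the exec. The class `postgres::backup_server` begins outside the hunk.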
@@ -0,0 +1,57 @@
+#!/bin/bash
+
+# Copyright 2017 Peter Palfrader
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+
+set -e
+set -u
+
+CONFFILE=/etc/dsa/postgresql-backup/sshkeys-sources
+OUTFILE=/etc/ssh/userkeys/debbackup
+HEAD=/etc/dsa/postgresql-backup/sshkeys-local
+
+: > "${OUTFILE}.new"
+
+if [ -e "$HEAD" ] ; then
+ echo "# $HEAD" >> "${OUTFILE}.new"
+ cat "$HEAD" >> "${OUTFILE}.new"
+ echo "# end of $HEAD" >> "${OUTFILE}.new"
+ echo "" >> "${OUTFILE}.new"
+fi
+
+egrep -v '^(#|$)' "$CONFFILE" |
+ while read host ipaddr key; do
+
+ if [[ "$host" =~ [^a-z0-9A-Z_-] ]]; then
+ echo >&2 "Invalid hostname $host"
+ continue
+ fi
+ if [[ "$ipaddr" =~ [^0-9a-fA-F:.,] ]]; then
+ echo >&2 "Invalid ipaddr $ipaddr"
+ continue
+ fi
+
+ echo "command=\"/usr/local/bin/debbackup-ssh-wrap $host\",from=\"$ipaddr\",restrict $key" >> "${OUTFILE}.new"
+done
+
+mv "${OUTFILE}.new" ${OUTFILE}
+# vim:syn=sh:
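Review bot: The `while read host ipaddr key` loop only rejects fields that contain disallowed characters, so a line with a missing field passes both checks: an empty `$host` yields `command="/usr/local/bin/debbackup-ssh-wrap "`, an empty `$ipaddr` yields `from=""`, and an empty `$key` writes an options-only line into `/etc/ssh/userkeys/debbackup`; a whitespace-only line also survives `egrep -v '^(#|$)'` and lands here with all three fields empty. Reject incomplete lines before the character checks, and use `read -r` so backslashes in the key field are not interpreted by `read`. The `$key` field is otherwise written unchecked; a minimal shape check (for instance that it begins with `ssh-`) would reject obviously malformed entries early, and a short comment explaining why the key is trusted as the trailing field would help the next reader.
```shell
 while read -r host ipaddr key; do
 if [ -z "$host" ] || [ -z "$ipaddr" ] || [ -z "$key" ]; then
 echo >&2 "Incomplete line: '$host $ipaddr $key'"
 continue
 fi
 # … unchanged: hostname and ipaddr character checks, authorized_keys line …
```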
diff --git a/modules/postgres/templates/backup_server/postgres-make-base-backups.erb b/modules/postgres/templates/backup_server/postgres-make-base-backups.erb
index 89c9ab19a..01a049495 100755
--- a/modules/postgres/templates/backup_server/postgres-make-base-backups.erb
+++ b/modules/postgres/templates/backup_server/postgres-make-base-backups.erb
@@ -102,3 +102,4 @@ buxtehude.debian.org 5441 debian-backup debbugs 9.6
 moszumanska.debian.org 5432 debian-backup main 9.1
 <%- end -%>
 EOF
+# vim:syn=sh:
diff --git a/modules/salsa/manifests/database.pp b/modules/salsa/manifests/database.pp
index 97c5bc4d0..b363b7928 100644
--- a/modules/salsa/manifests/database.pp
+++ b/modules/salsa/manifests/database.pp
@@ -18,8 +18,21 @@ class salsa::database inherits salsa { require => Class['postgresql::server::contrib'], } + include postgres::backup_source $datadir = assert_type(String[1], $postgresql::params::datadir) + warning("foo ") file { "${datadir}/.nobackup": content => "" } + if $::postgresql_key { + $ipaddr = assert_type(String[1], join(getfromhash($site::nodeinfo, 'ldap', 'ipHostNumber'), ",")) + + @@concat::fragment { "onion::balance::instance::dsa-snippet::$name::$fqdn": + target => "/etc/dsa/postgresql-backup/sshkeys-sources", + content => @("EOF"), + ${::hostname} ${ipaddr} ${::postgresql_key} + | EOF + tag => "postgresql::server::backup-source-sshkey", + } + } }
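Review bot: `warning("foo ")` in the salsa::database hunk looks like a leftover debugging statement and will be logged on every agent run; drop it. The exported resource title `"onion::balance::instance::dsa-snippet::$name::$fqdn"` appears copied from another module and uses `$name`, which inside a class is the class name, so `"postgresql::server::backup-source-sshkey::${::fqdn}"` would describe the resource and still be unique per node. The `from=` address is taken from LDAP via `$site::nodeinfo`, but the host name the backup server later passes to `debbackup-ssh-wrap` is `${::hostname}`, an agent-reported fact; `$trusted['hostname']`, which the master derives from the agent's certificate, is the more reliable source for a value that selects which host the wrapper acts for. The class `salsa::database` begins outside the hunk.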