From: Peter Palfrader Date: Sat, 28 Sep 2019 19:13:27 +0000 (+0200) Subject: Try to modernize pg wal shipping ssh setup, step 2 X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=dc2858047a151e2fbe466678c21d6533a5c245bf;p=mirror%2Fdsa-puppet.git Try to modernize pg wal shipping ssh setup, step 2
---
diff --git a/modules/postgres/manifests/backup_server.pp b/modules/postgres/manifests/backup_server.pp
index 6d9b79289..6d4914493 100644
--- a/modules/postgres/manifests/backup_server.pp
+++ b/modules/postgres/manifests/backup_server.pp
@@ -44,36 +44,15 @@ class postgres::backup_server {
 #
 # do not let other hosts directly build our authorized_keys file,
 # instead go via a script that somewhat validates intput
- file { '/etc/dsa/postgresql-backup':
- ensure => 'directory',
- }
 file { '/usr/local/bin/postgres-make-backup-sshauthkeys':
- content => template('postgres/backup_server/postgres-make-backup-sshauthkeys.erb'),
- mode => '0555',
- notify => Exec['postgres-make-backup-sshauthkeys'],
+ ensure => absent,
 }
 file { '/usr/local/bin/postgres-make-one-base-backup':
 source => 'puppet:///modules/postgres/backup_server/postgres-make-one-base-backup',
 mode => '0555'
 }
- file { '/etc/dsa/postgresql-backup/sshkeys-manual':
+ file { "/etc/ssh/userkeys/${postgres::backup_server::globals::backup_unix_user}":
 content => template('postgres/backup_server/sshkeys-manual.erb'),
- notify => Exec['postgres-make-backup-sshauthkeys'],
- }
- concat { $postgres::backup_server::globals::sshkeys_sources:
- notify => Exec['postgres-make-backup-sshauthkeys'],
- }
- concat::fragment { 'postgresql-backup/source-sshkeys-header':
- target => $postgres::backup_server::globals::sshkeys_sources ,
- content => @(EOF),
- #
- | EOF
- order => '00',
- }
- Concat::Fragment <<| tag == $postgres::backup_server::globals::tag_source_sshkey |>>
- exec { 'postgres-make-backup-sshauthkeys':
- command => '/usr/local/bin/postgres-make-backup-sshauthkeys',
- refreshonly => true,
 }
 ssh::authorized_key_collect { 'postgres::backup_server':
 target_user => $postgres::backup_server::globals::backup_unix_user,
@@ -83,6 +62,9 @@ class postgres::backup_server {
 ####
 # Maintain /etc/nagios/dsa-check-backuppg.conf
 #
+ file { '/etc/dsa/postgresql-backup':
+ ensure => 'directory',
+ }
 file { '/etc/dsa/postgresql-backup/dsa-check-backuppg.conf.d':
 ensure => 'directory',
 purge => true,
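Review bot: The context comment at the top of the first hunk (`# do not let other hosts directly build our authorized_keys file, # instead go via a script that somewhat validates intput`) now describes a mechanism this very hunk removes — the generator is set to `ensure => absent` and the concat of client fragments is gone — so it should be rewritten, e.g. `# client keys for the backup user arrive via ssh::authorized_key_collect; sshkeys-manual.erb supplies the hand-maintained entries`. More importantly, the removed generator was what validated each host and address and attached `command="/usr/local/bin/debbackup-ssh-wrap $host",from="$ipaddr",restrict` to every client key; neither this hunk nor the two hunks in register_backup_clienthost.pp (where only `from => $base::public_addresses` and `collect_tag` are visible) show that the collected keys still carry the forced command and `restrict`, so that should be confirmed on the ssh::authorized_key_collect side before this lands, since without it a client key grants an unrestricted login as the backup user. The old inputs are no longer managed but are not retired either, so `/etc/dsa/postgresql-backup/sshkeys-sources` and `/etc/dsa/postgresql-backup/sshkeys-manual` stay on disk with hostnames, addresses and keys; `file { ['/etc/dsa/postgresql-backup/sshkeys-sources', '/etc/dsa/postgresql-backup/sshkeys-manual']: ensure => absent }` would clean them up. If ssh::authorized_key_collect itself manages `/etc/ssh/userkeys/${target_user}` (its name and `target_user` argument suggest it might), the new explicit `file` resource on that same path would be a duplicate declaration — not visible here, worth checking. The class body continues outside both hunks.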
diff --git a/modules/postgres/manifests/backup_server/register_backup_clienthost.pp b/modules/postgres/manifests/backup_server/register_backup_clienthost.pp
index b27b7ed61..7580845e0 100644
--- a/modules/postgres/manifests/backup_server/register_backup_clienthost.pp
+++ b/modules/postgres/manifests/backup_server/register_backup_clienthost.pp
@@ -1,8 +1,8 @@
+# register this host at the backup servers
 #
+# This class set up the ssh authorization on the backup servers
+# so this client can push WAL segments.
 define postgres::backup_server::register_backup_clienthost (
- $sshpubkey = $::postgres_key,
- $ipaddrlist = join(getfromhash($deprecated::nodeinfo, 'ldap', 'ipHostNumber'), ","),
- $hostname = $::hostname,
 ) {
 include postgres::backup_server::globals
 
@@ -15,15 +15,4 @@ define postgres::backup_server::register_backup_clienthost (
 from => $base::public_addresses,
 collect_tag => $postgres::backup_server::globals::tag_source_sshkey,
 }
-
- if $sshpubkey {
- $addr = assert_type(String[1], $ipaddrlist)
- @@concat::fragment { "postgresql::server::backup-source-clienthost::$name::$fqdn":
- target => $postgres::backup_server::globals::sshkeys_sources ,
- content => @("EOF"),
- ${hostname} ${addr} ${sshpubkey}
- | EOF
- tag => $postgres::backup_server::globals::tag_source_sshkey,
- }
- }
 }
diff --git a/modules/postgres/templates/backup_server/postgres-make-backup-sshauthkeys.erb b/modules/postgres/templates/backup_server/postgres-make-backup-sshauthkeys.erb
deleted file mode 100755
index 715e49360..000000000
--- a/modules/postgres/templates/backup_server/postgres-make-backup-sshauthkeys.erb
+++ /dev/null
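Review bot: The new header comment in the first hunk says `# This class set up the ssh authorization on the backup servers`, but the resource it documents is a `define`, not a class, and the verb does not agree; `# This define sets up the ssh authorization on the backup servers` reads correctly. Dropping `$sshpubkey`, `$ipaddrlist` and `$hostname` from the parameter list also means any node manifest that still passes them will fail catalog compilation with an invalid-parameter error, so the call sites should be checked in the same change. The define's body continues past the first hunk into the second, where its closing brace is visible.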
@@ -1,62 +0,0 @@
-#!/bin/bash
-
-# Copyright 2017 Peter Palfrader
-#
-# Permission is hereby granted, free of charge, to any person obtaining
-# a copy of this software and associated documentation files (the
-# "Software"), to deal in the Software without restriction, including
-# without limitation the rights to use, copy, modify, merge, publish,
-# distribute, sublicense, and/or sell copies of the Software, and to
-# permit persons to whom the Software is furnished to do so, subject to
-# the following conditions:
-#
-# The above copyright notice and this permission notice shall be
-# included in all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
-# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
-# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-
-set -e
-set -u
-
-CONFFILE=/etc/dsa/postgresql-backup/sshkeys-sources
-OUTFILE=/etc/ssh/userkeys/debbackup
-HEAD=/etc/dsa/postgresql-backup/sshkeys-manual
-
-cat > "${OUTFILE}.new" << EOF
-# ###################
-# This file was created using postgres-make-backup-sshauthkeys.
-# Do not edit this manually but edit its sources and run the script (or let puppet run it for you).
-#####################
-EOF
-
-if [ -e "$HEAD" ] ; then
- echo "# $HEAD" >> "${OUTFILE}.new"
- cat "$HEAD" >> "${OUTFILE}.new"
- echo "# end of $HEAD" >> "${OUTFILE}.new"
- echo "" >> "${OUTFILE}.new"
-fi
-
-egrep -v '^(#|$)' "$CONFFILE" |
- while read host ipaddr key; do
-
- if [[ "$host" =~ [^a-z0-9A-Z_-] ]]; then
- echo >&2 "Invalid hostname $host"
- continue
- fi
- if [[ "$ipaddr" =~ [^0-9a-fA-F:.,] ]]; then
- echo >&2 "Invalid ipaddr $ipaddr"
- continue
- fi
-
- echo "command=\"/usr/local/bin/debbackup-ssh-wrap $host\",from=\"$ipaddr\",restrict $key" >> "${OUTFILE}.new"
-done
-
-mv "${OUTFILE}.new" ${OUTFILE}
-# vim:syn=sh: