From: Peter Palfrader
Date: Sun, 26 Feb 2017 21:36:17 +0000 (+0100)
Subject: ssh-keygen on pg servers
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=fbefe2a0954ce5e66f8cd203c99f9dcaa61cffa8;p=mirror%2Fdsa-puppet.git
ssh-keygen on pg servers
---
diff --git a/modules/debian-org/lib/facter/roleaccounts.rb b/modules/debian-org/lib/facter/roleaccounts.rb
index afa6f19f1..221c376c8 100644
--- a/modules/debian-org/lib/facter/roleaccounts.rb
+++ b/modules/debian-org/lib/facter/roleaccounts.rb
@@ -1,6 +1,17 @@
 begin
 require 'etc'
 
+ Facter.add("postgresql_key") do
+ setcode do
+ key = nil
+ keyfile = '/var/lib/postgresql/.ssh/id_rsa.pub'
+ if FileTest.exist?(keyfile)
+ key = File.open(keyfile).read.chomp
+ end
+ key
+ end
+ end
+
 Facter.add("staticsync_key") do
 setcode do
 key = nil
diff --git a/modules/roles/manifests/postgresql_server.pp b/modules/roles/manifests/postgresql_server.pp
index e90c27ee0..3fbaa63d0 100644
--- a/modules/roles/manifests/postgresql_server.pp
+++ b/modules/roles/manifests/postgresql_server.pp
@@ -10,4 +10,11 @@ class roles::postgresql_server {
 file { "/etc/dsa/pg-backup-file.conf":
 content => template('roles/postgresql_server/pg-backup-file.conf.erb'),
 }
+
+ if ! $::postgresql_key {
+ exec { 'create-postgresql-key':
+ command => '/bin/su - postgres -c \'mkdir -p -m 02700 .ssh && ssh-keygen -C "`whoami`@`hostname` (`date +%Y-%m-%d`)" -P "" -f .ssh/id_rsa -q\'',
+ onlyif => '/usr/bin/getent passwd postgres > /dev/null && ! [ -e /var/lib/postgresql/.ssh/id_rsa ]'
+ }
+ }
 }
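Review bot: `File.open(keyfile).read.chomp` in the new `postgresql_key` fact never closes the file handle explicitly, so it stays open until garbage collection; `key = File.read(keyfile).chomp` reads and closes in one call. The value is also returned with no shape check, so a multi-line or malformed `id_rsa.pub` would be published as the fact verbatim. If the fact is later written into an authorized_keys file (not visible in this commit), it would be worth rejecting anything that is not a single `ssh-rsa ...` line. The enclosing `begin` block continues outside the hunk, so whether a `rescue` covers a read error here cannot be seen.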
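Review bot: The `create-postgresql-key` exec writes the key to the relative path `.ssh/id_rsa` under whatever home `su - postgres` lands in, while its `onlyif` guard and the `postgresql_key` fact both hard-code `/var/lib/postgresql/.ssh`; if the account's home ever differs, neither the guard nor the fact will see the generated key. Passing the absolute path, `-f /var/lib/postgresql/.ssh/id_rsa`, and replacing the shell test with `creates => '/var/lib/postgresql/.ssh/id_rsa'` would keep the three in step. `mkdir -p -m 02700` sets the setgid bit and leaves the mode of a pre-existing `.ssh` untouched; `0700` is the conventional mode for that directory. The key is created with an empty passphrase (`-P ""`) and ssh-keygen's default type and size, so pinning `-t rsa -b 4096` and restricting the key where it is authorised (not visible in this commit) would be the matching hardening.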