From 60761867cccbfa7f472fb13fdd2d704d4cb32b92 Mon Sep 17 00:00:00 2001 From: Peter Palfrader Date: Sat, 28 Sep 2019 19:53:19 +0200 Subject: [PATCH] migrate away from old postgres_backup_server role --- data/common.yaml | 4 ---- data/nodes/backuphost.debian.org.yaml | 3 +++ data/nodes/storace.debian.org.yaml | 1 + modules/ferm/manifests/per_host.pp | 1 - modules/ferm/templates/defs.conf.erb | 15 --------------- modules/postgres/manifests/backup_cluster.pp | 8 +++----- modules/roles/manifests/init.pp | 4 ---- 7 files changed, 7 insertions(+), 29 deletions(-) create mode 100644 data/nodes/backuphost.debian.org.yaml diff --git a/data/common.yaml b/data/common.yaml index 73e3c95c6..3e45e0978 100644 --- a/data/common.yaml +++ b/data/common.yaml @@ -71,10 +71,6 @@ apt::sources::debian::location: 'https://deb.debian.org/debian/' # all of these should be retired in favour of including the class role # with the host. weasel, 2019-09 roles: - postgres_backup_server: - # XXX - used by ferm templates/defs.conf.erb - - backuphost.debian.org - - storace.debian.org postgresql_server: # these use pg-receive-file-from-backup which is defined in the # postgres::backup_source class. This should be diff --git a/data/nodes/backuphost.debian.org.yaml b/data/nodes/backuphost.debian.org.yaml new file mode 100644 index 000000000..92b2b6298 --- /dev/null +++ b/data/nodes/backuphost.debian.org.yaml @@ -0,0 +1,3 @@ +--- +classes: + - postgres::backup_server diff --git a/data/nodes/storace.debian.org.yaml b/data/nodes/storace.debian.org.yaml index 2c5eac0a3..ca972f82a 100644 --- a/data/nodes/storace.debian.org.yaml +++ b/data/nodes/storace.debian.org.yaml @@ -1,4 +1,5 @@ --- classes: - bacula::storage + - postgres::backup_server - profile::ipsec::fasolo_storace diff --git a/modules/ferm/manifests/per_host.pp b/modules/ferm/manifests/per_host.pp index 4a0fe1325..7a15b86c4 100644 --- a/modules/ferm/manifests/per_host.pp +++ b/modules/ferm/manifests/per_host.pp 
@@ -149,7 +149,6 @@ class ferm::per_host { rule => @("EOF"/$) &SERVICE_RANGE(tcp, 5440, ( ${ join(getfromhash($deprecated::allnodeinfo, 'sor.debian.org', 'ipHostNumber'), " ") } - \$HOST_PGBACKUPHOST )) | EOF } diff --git a/modules/ferm/templates/defs.conf.erb b/modules/ferm/templates/defs.conf.erb index 926584941..348d08b9a 100644 --- a/modules/ferm/templates/defs.conf.erb +++ b/modules/ferm/templates/defs.conf.erb @@ -20,19 +20,7 @@ } <% - rolehost={} allnodeinfo = scope.lookupvar('deprecated::allnodeinfo') - roles = scope.lookupvar('deprecated::roles') - - %w{postgres_backup_server}.each do |role| - rolehost[role] = [] - roles[role].each do |node| - next unless allnodeinfo.has_key?(node) and allnodeinfo[node].has_key?('ipHostNumber') - rolehost[role] << allnodeinfo[node]['ipHostNumber'] - end - rolehost[role].flatten!.sort.uniq - end - dbs = [] allnodeinfo.keys.sort.each do |node| next unless allnodeinfo[node].has_key?('ipHostNumber') @@ -41,9 +29,6 @@ dbs.flatten! %> -@def $HOST_PGBACKUPHOST = (<%= rolehost['postgres_backup_server'].uniq.join(' ') %>); - - <% def getfastlyranges() begin diff --git a/modules/postgres/manifests/backup_cluster.pp b/modules/postgres/manifests/backup_cluster.pp index f1cc44ad1..10a43464b 100644 --- a/modules/postgres/manifests/backup_cluster.pp +++ b/modules/postgres/manifests/backup_cluster.pp @@ -7,7 +7,6 @@ define postgres::backup_cluster( String $db_backup_role_password = hkdf('/etc/puppet/secret', "postgresql-${::hostname}-${$pg_cluster}-${pg_port}-backup_role}"), Boolean $do_role = false, Boolean $do_hba = false, - $backup_servers = getfromhash($deprecated::roles, 'postgres_backup_server'), ) { $datadir = "/var/lib/postgresql/${pg_version}/${pg_cluster}" file { "${datadir}/.nobackup": 
@@ -17,7 +16,6 @@ define postgres::backup_cluster( ## XXX - get these from the roles and ldap # backuphost, storace $backup_servers_addrs = ['5.153.231.12/32', '93.94.130.161/32', '2001:41c8:1000:21::21:12/128', '2a02:158:380:280::161/128'] - $backup_servers_addrs_joined = join($backup_servers_addrs, ' ') if $do_role { postgresql::server::role { $db_backup_role: @@ -37,10 +35,10 @@ define postgres::backup_cluster( } } } - ferm::rule { "dsa-postgres-${pg_port}": + ferm::rule::simple { "dsa-postgres-backup-${pg_port}": description => 'Allow postgress access from backup host', - domain => '(ip ip6)', - rule => "&SERVICE_RANGE(tcp, ${pg_port}, ( @ipfilter((${backup_servers_addrs_joined})) ))", + port => $pg_port, + saddr => $backup_servers_addrs, } postgres::backup_server::register_backup_cluster { "backup-role-${::fqdn}}-${pg_port}": diff --git a/modules/roles/manifests/init.pp b/modules/roles/manifests/init.pp index 9e5e649eb..6122e78ce 100644 --- a/modules/roles/manifests/init.pp +++ b/modules/roles/manifests/init.pp @@ -1,10 +1,6 @@ # = Class: roles # class roles { - if has_role('postgres_backup_server') { - include postgres::backup_server - } - if has_role('postgresql_server') { include postgres::backup_source } -- 2.20.1
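Review bot: The new `ferm::rule::simple { "dsa-postgres-backup-${pg_port}": ... }` passes `saddr => $backup_servers_addrs`, a list mixing IPv4 and IPv6 prefixes, without the per-family handling the old rule had. The old rule set `domain => '(ip ip6)'` and wrapped the list in `@ipfilter((...))`, so each address family only saw its own addresses. `ferm::rule::simple` is defined outside this diff, so confirm it does the same filtering; if it does not, the generated ruleset could fail to load or cover only one family on the PostgreSQL port. The allow-list is also still the hard-coded literal under the `XXX - get these from the roles and ldap` comment, so it can drift from the nodes that now include `postgres::backup_server` via hiera; a comment such as `# keep in sync with nodes that include postgres::backup_server (backuphost, storace)` above it would make that dependency explicit. The body of `postgres::backup_cluster` begins and ends outside this hunk.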