migrate away from old postgres_backup_server role
[mirror/dsa-puppet.git] / modules / postgres / manifests / backup_cluster.pp
# @summary Prepare one PostgreSQL cluster on this host for backup by the
#   backup servers.
#
# Declares, in manifest order:
#   1. an empty .nobackup file in the cluster's data directory,
#   2. (if $do_role) a role with the replication attribute for the backup user,
#   3. (if $do_hba) one hostssl pg_hba rule per backup server address,
#   4. a ferm rule opening the cluster port to those addresses,
#   5. a postgres::backup_server::register_backup_cluster resource carrying
#      the connection details (port, role, password, cluster, version).
#
# @param pg_version PostgreSQL version; part of the data directory path.
# @param pg_cluster Cluster name; part of the data directory path.
# @param pg_port TCP port of the cluster; used for the firewall rule and in
#   resource titles.
# @param db_backup_role Name of the database role the backup connects as.
# @param db_backup_role_password Password for that role. The default is
#   whatever hkdf() returns for the puppet secret file and a per-cluster label.
# @param do_role Declare the backup role in this cluster.
# @param do_hba Declare the pg_hba rules for the backup servers.
define postgres::backup_cluster(
  String $pg_version,
  String $pg_cluster = 'main',
  Integer $pg_port = 5432,
  String $db_backup_role = 'debian-backup',
  # NOTE(review): the label below ends in a literal '}' and spells the cluster
  # as ${$pg_cluster}. hkdf() is defined elsewhere; presumably it derives the
  # password from the secret file and this label, in which case any edit to
  # the label changes every derived password. Keep it byte-for-byte unless a
  # rotation is planned and every consumer of the same label is updated.
  String $db_backup_role_password = hkdf('/etc/puppet/secret', "postgresql-${::hostname}-${$pg_cluster}-${pg_port}-backup_role}"),
  Boolean $do_role = false,
  Boolean $do_hba = false,
) {
  $cluster_dir = "/var/lib/postgresql/${pg_version}/${pg_cluster}"

  # Empty marker file; presumably tells the file-level backup to skip the
  # data directory -- confirm against the backup tooling.
  file { "${cluster_dir}/.nobackup":
    content => '',
  }

  # XXX: hard-coded for now; these should come from the roles and LDAP.
  # Hosts: backuphost, storace (two IPv4 /32 and two IPv6 /128 entries).
  # The same list feeds both pg_hba and the firewall rule, so the two stay
  # in step when an address changes.
  $backup_sources = [
    '5.153.231.12/32',
    '93.94.130.161/32',
    '2001:41c8:1000:21::21:12/128',
    '2a02:158:380:280::161/128',
  ]

  if $do_role {
    # replication => true lets this role open replication connections.
    postgresql::server::role { $db_backup_role:
      password_hash => postgresql_password($db_backup_role, $db_backup_role_password),
      replication   => true,
    }
  }

  if $do_hba {
    $backup_sources.each |String $src| {
      # hostssl: the rule only matches TLS connections, and only for the
      # 'replication' pseudo-database and the backup role.
      # NOTE(review): 'md5' is PostgreSQL's legacy password method;
      # 'scram-sha-256' is the stronger choice on PostgreSQL 10 and later,
      # but it needs the role's stored hash to be SCRAM as well (the hash
      # comes from postgresql_password) -- confirm server and client versions
      # before changing.
      postgresql::server::pg_hba_rule { "debian_backup-${src}":
        description => 'Open up PostgreSQL for backups',
        type        => 'hostssl',
        database    => 'replication',
        user        => $db_backup_role,
        address     => $src,
        auth_method => 'md5',
      }
    }
  }

  # Declared whether or not $do_role / $do_hba are set: the port is opened
  # to the backup addresses even when this define manages neither the role
  # nor pg_hba.
  ferm::rule::simple { "dsa-postgres-backup-${pg_port}":
    description => 'Allow postgress access from backup host',
    port        => $pg_port,
    saddr       => $backup_sources,
  }

  # NOTE(review): the title has a literal '}' after the fqdn. It looks like a
  # typo, but the title is the resource's identity, so correcting it renames
  # the resource -- check how register_backup_cluster uses its title first.
  # NOTE(review): pg_password is handed over as a plain String. If
  # register_backup_cluster exports resources or writes files, the secret
  # travels with them (e.g. into PuppetDB) -- confirm, and consider
  # Sensitive[String] if the consumers support it.
  postgres::backup_server::register_backup_cluster { "backup-role-${::fqdn}}-${pg_port}":
    pg_port     => $pg_port,
    pg_role     => $db_backup_role,
    pg_password => $db_backup_role_password,
    pg_cluster  => $pg_cluster,
    pg_version  => $pg_version,
  }
}