projects / mirror / dsa-puppet.git / blob
? search:


4e55a10a28660edbef3a3233e534cc7203044fbc
[mirror/dsa-puppet.git] / modules / postgres / manifests / backup_server.pp
1 # postgres backup server
2 class postgres::backup_server {
3   include postgres::backup_server::globals
4
5   $make_base_backups = '/usr/local/bin/postgres-make-base-backups'
6
7   ensure_packages ( [
8     'libhash-merge-simple-perl',
9     'libyaml-perl',
10     'python-yaml',
11     'pigz',
12     'postgresql-client',
13     'postgresql-client-9.6',
14   ], {
15     ensure => 'installed'
16   })
17
18   ####
19   # Regularly pull base backups
20   #
21   concat { $postgres::backup_server::globals::base_backup_clusters:
22     ensure_newline => true,
23   }
24   Concat::Fragment <<| tag == $postgres::backup_server::globals::tag_base_backup |>>
25
26   file { $make_base_backups:
27     mode    => '0555',
28     content => template('postgres/backup_server/postgres-make-base-backups.erb'),
29   }
30   file { '/var/lib/dsa/postgres-make-base-backups':
31     ensure => directory,
32     owner  => $postgres::backup_server::globals::backup_unix_user,
33     mode   => '0755',
34   }
35   concat::fragment { 'puppet-crontab--postgres-make_base_backups':
36     target  => '/etc/cron.d/puppet-crontab',
37     content => @("EOF")
38       */30 * * * * ${postgres::backup_server::globals::backup_unix_user} sleep $(( RANDOM \% 1200 )); chronic ${make_base_backups}
39       | EOF
40   }
41
42   ####
43   # Maintain authorized_keys file on backup servers for WAL shipping
44   #
45   # do not let other hosts directly build our authorized_keys file,
46   # instead go via a script that somewhat validates intput
47   file { '/usr/local/bin/debbackup-ssh-wrap':
48     source => 'puppet:///modules/postgres/backup_server/debbackup-ssh-wrap',
49     mode   => '0555'
50   }
51   file { '/usr/local/bin/postgres-make-one-base-backup':
52     source => 'puppet:///modules/postgres/backup_server/postgres-make-one-base-backup',
53     mode   => '0555'
54   }
55   file { "/etc/ssh/userkeys/${postgres::backup_server::globals::backup_unix_user}":
56     content => template('postgres/backup_server/sshkeys-manual.erb'),
57   }
58   ssh::authorized_key_collect { 'postgres::backup_server':
59     target_user => $postgres::backup_server::globals::backup_unix_user,
60     collect_tag => $postgres::backup_server::globals::tag_source_sshkey,
61   }
62
63   ####
64   # Maintain /etc/nagios/dsa-check-backuppg.conf
65   #
66   file { '/etc/dsa/postgresql-backup':
67     ensure => 'directory',
68   }
69   file { '/etc/dsa/postgresql-backup/dsa-check-backuppg.conf.d':
70     ensure  => 'directory',
71     purge   => true,
72     force   => true,
73     recurse => true,
74     notify  => Exec['update dsa-check-backuppg.conf'],
75   }
76   file { '/etc/dsa/postgresql-backup/dsa-check-backuppg.conf.d/globals.conf':
77     content => template('postgres/backup_server/dsa-check-backuppg-globals.conf.erb'),
78     notify  => Exec['update dsa-check-backuppg.conf']
79   }
80   File<<| tag == $postgres::backup_server::globals::tag_dsa_check_backupp |>>
81   exec { 'update dsa-check-backuppg.conf':
82     command     => @(EOF),
83         perl -MYAML=LoadFile,Dump -MHash::Merge::Simple=merge -E 'say Dump(merge(map{LoadFile($_)}@ARGV))' /etc/dsa/postgresql-backup/dsa-check-backuppg.conf.d/*.conf > /etc/nagios/dsa-check-backuppg.conf
84         | EOF
85     provider    => shell,
86     refreshonly => true,
87   }
88
89   file { '/etc/sudoers.d/backup-server':
90     mode    => '0440',
91     content => template('postgres/backup_server/sudoers.erb'),
92   }
93
94
95   ####
96   # Maintain .pgpass file on backup servers
97   # #
98   concat { $postgres::backup_server::globals::pgpassfile:
99     owner => $postgres::backup_server::globals::backup_unix_user,
100     group => $postgres::backup_server::globals::backup_unix_group,
101     mode  => '0400'
102   }
103   Concat::Fragment <<| tag == $postgres::backup_server::globals::tag_source_pgpassline |>>
104 }
Unnamed repository; edit this file 'description' to name the repository.