modules/postgres/manifests/backup_server.pp

   1 # postgres backup server
   2 class postgres::backup_server {
   3   include postgres::backup_server::globals
   4
   5   $make_base_backups = '/usr/local/bin/postgres-make-base-backups'
   6
   7   ensure_packages ( [
   8     'libhash-merge-simple-perl',
   9     'libyaml-perl',
  10     'python-yaml',
  11     'pigz',
  12     'postgresql-client',
  13     'postgresql-client-9.6',
  14   ], {
  15     ensure => 'installed'
  16   })
  17
  18   ####
  19   # Regularly pull base backups
  20   #
  21   concat { $postgres::backup_server::globals::base_backup_clusters:
  22     ensure_newline => true,
  23   }
  24   Concat::Fragment <<| tag == $postgres::backup_server::globals::tag_base_backup |>>
  25
  26   file { $make_base_backups:
  27     mode    => '0555',
  28     content => template('postgres/backup_server/postgres-make-base-backups.erb'),
  29   }
  30   file { '/var/lib/dsa/postgres-make-base-backups':
  31     ensure => directory,
  32     owner  => $postgres::backup_server::globals::backup_unix_user,
  33     mode   => '0755',
  34   }
  35   concat::fragment { 'puppet-crontab--postgres-make_base_backups':
  36     target  => '/etc/cron.d/puppet-crontab',
  37     content => @("EOF")
  38       */30 * * * * ${postgres::backup_server::globals::backup_unix_user} sleep $(( RANDOM \% 1200 )); chronic ${make_base_backups}
  39       | EOF
  40   }
  41
  42   ####
  43   # Maintain authorized_keys file on backup servers for WAL shipping
  44   #
  45   # do not let other hosts directly build our authorized_keys file,
  46   # instead go via a script that somewhat validates intput
  47   file { '/usr/local/bin/postgres-make-backup-sshauthkeys':
  48     ensure => absent,
  49   }
  50   file { '/usr/local/bin/postgres-make-one-base-backup':
  51     source => 'puppet:///modules/postgres/backup_server/postgres-make-one-base-backup',
  52     mode   => '0555'
  53   }
  54   file { "/etc/ssh/userkeys/${postgres::backup_server::globals::backup_unix_user}":
  55     content => template('postgres/backup_server/sshkeys-manual.erb'),
  56   }
  57   ssh::authorized_key_collect { 'postgres::backup_server':
  58     target_user => $postgres::backup_server::globals::backup_unix_user,
  59     collect_tag => $postgres::backup_server::globals::tag_source_sshkey,
  60   }
  61
  62   ####
  63   # Maintain /etc/nagios/dsa-check-backuppg.conf
  64   #
  65   file { '/etc/dsa/postgresql-backup':
  66     ensure => 'directory',
  67   }
  68   file { '/etc/dsa/postgresql-backup/dsa-check-backuppg.conf.d':
  69     ensure  => 'directory',
  70     purge   => true,
  71     force   => true,
  72     recurse => true,
  73     notify  => Exec['update dsa-check-backuppg.conf'],
  74   }
  75   file { '/etc/dsa/postgresql-backup/dsa-check-backuppg.conf.d/globals.conf':
  76     content => template('postgres/backup_server/dsa-check-backuppg-globals.conf.erb'),
  77     notify  => Exec['update dsa-check-backuppg.conf']
  78   }
  79   File<<| tag == $postgres::backup_server::globals::tag_dsa_check_backupp |>>
  80   exec { 'update dsa-check-backuppg.conf':
  81     command     => @(EOF),
  82         perl -MYAML=LoadFile,Dump -MHash::Merge::Simple=merge -E 'say Dump(merge(map{LoadFile($_)}@ARGV))' /etc/dsa/postgresql-backup/dsa-check-backuppg.conf.d/*.conf > /etc/nagios/dsa-check-backuppg.conf
  83         | EOF
  84     provider    => shell,
  85     refreshonly => true,
  86   }
  87
  88   file { '/etc/sudoers.d/backup-server':
  89     mode    => '0440',
  90     content => template('postgres/backup_server/sudoers.erb'),
  91   }
  92
  93
  94   ####
  95   # Maintain .pgpass file on backup servers
  96   # #
  97   concat { $postgres::backup_server::globals::pgpassfile:
  98     owner => $postgres::backup_server::globals::backup_unix_user,
  99     group => $postgres::backup_server::globals::backup_unix_group,
 100     mode  => '0400'
 101   }
 102   Concat::Fragment <<| tag == $postgres::backup_server::globals::tag_source_pgpassline |>>
 103 }