# Backup this cluster
#
+# This define causes the cluster to be registered on the backupservers.
+#
+# Furthermore, if this cluster is managed with postgresql::server and
+# do_role and do_hba are set, we create the role and modify the pg_hba.conf file.
+#
+# Since postgresql::server only supports a single cluster per host, we are moving
+# towards our own postgres::cluster, and this define also exports a hba rule for
+# those (regardless of the do_hba setting). If the cluster is managed with
+# postgres::cluster and has its manage_hba option set, this will then cause the
+# backup hosts to be allowed to replacate.
+#
+# Regarless of how the cluster is managed, firewall rules are set up to allow
+# access from the backup hosts.
+#
# @param pg_version pg version of the cluster
# @param pg_cluster cluster name
# @param pg_port port of the postgres cluster
# @param db_backup_role replication role username
# @param db_backup_role_password password of the replication role
# @param do_role create the role (requires setup with postgresql::server)
-# @param do_hba update pg_hba (requires setup with postgresql::server)
+# @param do_hba update pg_hba (requires setup with postgresql::server)
define postgres::backup_cluster(
String $pg_version,
String $pg_cluster = 'main',
#
# Any non-matching traffic will fall through and it can
# be allowed elsewhere
+ #
+ # this rule is only needed for clusters that we do not manage
+ # with postgres::cluster. Hopefully these will go away with time
ferm::rule::simple { "dsa-postgres-backup-${pg_port}":
description => 'Check for postgres access from backup host',
port => $pg_port,
target => 'pg-backup',
}
+ postgres::cluster::hba_entry { 'backup-replication':
+ pg_version => $pg_version,
+ pg_cluster => $pg_cluster,
+ pg_port => $pg_port,
+ database => 'replication',
+ user => db_backup_role,
+ address => $backup_servers_addrs,
+ }
postgres::backup_server::register_backup_cluster { "backup-role-${::fqdn}}-${pg_port}":
pg_port => $pg_port,
pg_role => $db_backup_role,
# Let us connect to the clusters we want
#
# We export this, and the backup clients collect it
+ #
+ # this rule is only needed for clusters that we do not manage
+ # with postgres::cluster. Hopefully these will go away with time
@@ferm::rule::simple { "pg-backup_server::${::fqdn}":
tag => 'postgres::backup_server::to-client',
description => 'Allow access access from backup host',
user => 'bacula-storace-reader',
address => ['93.94.130.161', '2a02:158:380:280::161'],
}
-
- postgres::cluster::hba_entry { 'replication':
- pg_version => $pg_version,
- pg_cluster => $pg_cluster,
- pg_port => $pg_port,
- database => 'replication',
- user => 'debian-backup',
- address => ['5.153.231.12', '2001:41c8:1000:21::21:12', '93.94.130.161', '2a02:158:380:280::161'],
- }
}
projects / mirror / dsa-puppet.git / commitdiff