migrate away from old postgres_backup_server role
authorPeter Palfrader <peter@palfrader.org>
Sat, 28 Sep 2019 17:53:19 +0000 (19:53 +0200)
committerPeter Palfrader <peter@palfrader.org>
Sat, 28 Sep 2019 17:53:19 +0000 (19:53 +0200)
data/common.yaml
data/nodes/backuphost.debian.org.yaml [new file with mode: 0644]
data/nodes/storace.debian.org.yaml
modules/ferm/manifests/per_host.pp
modules/ferm/templates/defs.conf.erb
modules/postgres/manifests/backup_cluster.pp
modules/roles/manifests/init.pp

index 73e3c95..3e45e09 100644 (file)
@@ -71,10 +71,6 @@ apt::sources::debian::location: 'https://deb.debian.org/debian/'
 # all of these should be retired in favour of including the class role
 # with the host. weasel, 2019-09
 roles:
-  postgres_backup_server:
-    # XXX - used by ferm templates/defs.conf.erb
-    - backuphost.debian.org
-    - storace.debian.org
   postgresql_server:
     # these use pg-receive-file-from-backup which is defined in the
     # postgres::backup_source class.  This should be
diff --git a/data/nodes/backuphost.debian.org.yaml b/data/nodes/backuphost.debian.org.yaml
new file mode 100644 (file)
index 0000000..92b2b62
--- /dev/null
@@ -0,0 +1,3 @@
+---
+classes:
+  - postgres::backup_server
index 2c5eac0..ca972f8 100644 (file)
@@ -1,4 +1,5 @@
 ---
 classes:
   - bacula::storage
+  - postgres::backup_server
   - profile::ipsec::fasolo_storace
index 4a0fe13..7a15b86 100644 (file)
@@ -149,7 +149,6 @@ class ferm::per_host {
         rule        => @("EOF"/$)
           &SERVICE_RANGE(tcp, 5440, (
             ${ join(getfromhash($deprecated::allnodeinfo, 'sor.debian.org', 'ipHostNumber'), " ") }
-            \$HOST_PGBACKUPHOST
           ))
           | EOF
       }
index 9265849..348d08b 100644 (file)
 }
 
 <%
-  rolehost={}
   allnodeinfo = scope.lookupvar('deprecated::allnodeinfo')
-  roles = scope.lookupvar('deprecated::roles')
-
-  %w{postgres_backup_server}.each do |role|
-    rolehost[role] = []
-    roles[role].each do |node|
-        next unless allnodeinfo.has_key?(node) and allnodeinfo[node].has_key?('ipHostNumber')
-        rolehost[role] << allnodeinfo[node]['ipHostNumber']
-    end
-    rolehost[role].flatten!.sort.uniq
-  end
-
   dbs = []
   allnodeinfo.keys.sort.each do |node|
       next unless allnodeinfo[node].has_key?('ipHostNumber')
@@ -41,9 +29,6 @@
   dbs.flatten!
 %>
 
-@def $HOST_PGBACKUPHOST = (<%= rolehost['postgres_backup_server'].uniq.join(' ') %>);
-
-
 <%
 def getfastlyranges()
     begin
index f1cc44a..10a4346 100644 (file)
@@ -7,7 +7,6 @@ define postgres::backup_cluster(
   String $db_backup_role_password = hkdf('/etc/puppet/secret', "postgresql-${::hostname}-${$pg_cluster}-${pg_port}-backup_role}"),
   Boolean $do_role = false,
   Boolean $do_hba = false,
-  $backup_servers = getfromhash($deprecated::roles, 'postgres_backup_server'),
 ) {
   $datadir = "/var/lib/postgresql/${pg_version}/${pg_cluster}"
   file { "${datadir}/.nobackup":
@@ -17,7 +16,6 @@ define postgres::backup_cluster(
   ## XXX - get these from the roles and ldap
   # backuphost, storace
   $backup_servers_addrs = ['5.153.231.12/32', '93.94.130.161/32', '2001:41c8:1000:21::21:12/128', '2a02:158:380:280::161/128']
-  $backup_servers_addrs_joined = join($backup_servers_addrs, ' ')
 
   if $do_role {
     postgresql::server::role { $db_backup_role:
@@ -37,10 +35,10 @@ define postgres::backup_cluster(
       }
     }
   }
-  ferm::rule { "dsa-postgres-${pg_port}":
+  ferm::rule::simple { "dsa-postgres-backup-${pg_port}":
     description => 'Allow postgress access from backup host',
-    domain      => '(ip ip6)',
-    rule        => "&SERVICE_RANGE(tcp, ${pg_port}, ( @ipfilter((${backup_servers_addrs_joined})) ))",
+    port        => $pg_port,
+    saddr       => $backup_servers_addrs,
   }
 
   postgres::backup_server::register_backup_cluster { "backup-role-${::fqdn}}-${pg_port}":
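Review bot: The new `saddr => $backup_servers_addrs` passes a list that mixes IPv4 and IPv6 prefixes, whereas the rule it replaces set `domain => '(ip ip6)'` and wrapped the addresses in `@ipfilter(...)` so each family only saw its own addresses. `ferm::rule::simple` is not shown on this page, so it is worth confirming that it performs the same per-family split; if it does not, the backup allow rule could fail to load or end up covering only one address family. The list is still the hard-coded `$backup_servers_addrs` defined outside this hunk, while this commit moves backup-server membership to per-node `classes:` entries, so I would add a comment next to it such as `# keep in sync with the nodes that include postgres::backup_server`. The enclosing `postgres::backup_cluster` define starts and ends outside the hunk.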
index 9e5e649..6122e78 100644 (file)
@@ -1,10 +1,6 @@
 # = Class: roles
 #
 class roles {
-  if has_role('postgres_backup_server') {
-    include postgres::backup_server
-  }
-
   if has_role('postgresql_server') {
     include postgres::backup_source
   }