}
}
}
+
+ # Send connections to the port to the pg-backup chain
+ # there, the register_backup_clienthost class will have
+ # realized the exported allows from the backup servers.
+ #
+ # Any non-matching traffic will fall through and it can
+ # be allowed elsewhere
ferm::rule::simple { "dsa-postgres-backup-${pg_port}":
- description => 'Allow postgress access from backup host',
+ description => 'Check for postgres access from backup host',
port => $pg_port,
- saddr => $backup_servers_addrs,
+ target => 'pg-backup',
}
postgres::backup_server::register_backup_cluster { "backup-role-${::fqdn}}-${pg_port}":
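Review bot: The new `target => 'pg-backup'` on `ferm::rule::simple { "dsa-postgres-backup-${pg_port}"` assumes the pg-backup chain exists on every host that gets this rule, and nothing in the visible lines declares or requires that chain. The added comment says the register_backup_clienthost class realizes the exported allows, but whether that class is included on this code path is outside the hunk. If it is not, the jump would presumably point at a missing or empty chain, and backup access would silently depend on some other rule. I would extend the comment to name where the chain is created, e.g. `# the pg-backup chain itself is declared in <class that defines it>`, and make the dependency explicit there. Separately, the context line `"backup-role-${::fqdn}}-${pg_port}"` has a stray `}` after the fqdn, which looks like a typo in the resource title.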
mode => '0400'
}
Concat::Fragment <<| tag == $postgres::backup_server::globals::tag_source_pgpassline |>>
+
+ ####
+ # Let us connect to the clusters we want
+ #
+ # We export this, and the backup clients collect it
+ @@ferm::rule::simple { "pg-backup_server::${::fqdn}":
+ tag => 'postgres::backup_server::to-client',
+ description => 'Allow access access from backup host',
+ chain => 'pg-backup',
+ saddr => $base::public_addresses,
+ }
}
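Review bot: The exported `@@ferm::rule::simple { "pg-backup_server::${::fqdn}"` is identified to clients only by `tag => 'postgres::backup_server::to-client'`, so the allow-list in the pg-backup chain is only as trustworthy as every node able to export a resource with that tag. The collector is not in this hunk, so I cannot tell whether it filters on anything beyond the tag. It is worth stating the trust assumption next to the export, e.g. `# clients accept any exported rule carrying this tag; keep the collector query narrow`. The rule sets no port, so it is safe only while the port-matching jump is the sole way into pg-backup; a short comment saying so would stop the chain being reused from a broader rule. The description also repeats a word and should read `description => 'Allow access from backup host',`.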