From: Peter Palfrader <peter@palfrader.org>
Date: Sat, 28 Sep 2019 18:58:10 +0000 (+0200)
Subject: Replace debbackup with parameterized username in most places
X-Git-Url: https://git.adam-barratt.org.uk/?p=mirror%2Fdsa-puppet.git;a=commitdiff_plain;h=fa67a3c70b0ad6f46691ee1495dfa7f249143d52

Replace debbackup with parameterized username in most places
---

diff --git a/data/common.yaml b/data/common.yaml
index 4abd2a244..9fc2b8997 100644
--- a/data/common.yaml
+++ b/data/common.yaml
@@ -31,6 +31,7 @@ roles::dns_primary::allow_access:
   - '2a01:3f0:0:27::24'
   - '2a01:3f0:0:28::25'
 postgres::backup_cluster::db_backup_role: 'debian-backup'
+postgres::backup_server::global::backup_unix_user: 'debbackup'
 # bacula
 #
 bacula::email_all: 'bacula-reports@admin.debian.org'
diff --git a/modules/postgres/manifests/backup_server.pp b/modules/postgres/manifests/backup_server.pp
index a4c6689db..4d78c99aa 100644
--- a/modules/postgres/manifests/backup_server.pp
+++ b/modules/postgres/manifests/backup_server.pp
@@ -29,13 +29,13 @@ class postgres::backup_server {
   }
   file { '/var/lib/dsa/postgres-make-base-backups':
     ensure => directory,
-    owner  => 'debbackup',
+    owner  => $postgres::backup_server::globals::backup_unix_user,
     mode   => '0755',
   }
   concat::fragment { 'puppet-crontab--postgres-make_base_backups':
     target  => '/etc/cron.d/puppet-crontab',
     content => @("EOF")
-      */30 * * * * debbackup sleep $(( RANDOM \% 1200 )); chronic ${make_base_backups}
+      */30 * * * * ${postgres::backup_server::globals::backup_unix_user} sleep $(( RANDOM \% 1200 )); chronic ${make_base_backups}
       | EOF
   }
 
@@ -109,14 +109,9 @@ class postgres::backup_server {
   # Maintain .pgpass file on backup servers
   # #
   concat { $postgres::backup_server::globals::pgpassfile:
-    owner => 'debbackup',
-    group => 'debbackup',
+    owner => $postgres::backup_server::globals::backup_unix_user,
+    group => $postgres::backup_server::globals::backup_unix_group,
     mode  => '0400'
   }
-  concat::fragment{ 'pgpass-local':
-    target => $postgres::backup_server::globals::pgpassfile,
-    source => '/home/debbackup/.pgpass-local',
-    order  => '00'
-  }
   Concat::Fragment <<| tag == $postgres::backup_server::globals::tag_source_pgpassline |>>
 }
diff --git a/modules/postgres/manifests/backup_server/globals.pp b/modules/postgres/manifests/backup_server/globals.pp
index bdac82221..327ed6eca 100644
--- a/modules/postgres/manifests/backup_server/globals.pp
+++ b/modules/postgres/manifests/backup_server/globals.pp
@@ -1,9 +1,13 @@
 # Global definitions for the postgres::backup_server setup
 #
+# @param backup_unix_user      unix user on the backup host
+# @param backup_unix_group     group of unix user on the backup host
 # @param pgpassfile            pg password file for pg_basebackup runs
 # @param base_backup_clusters  where to store the list of clusters to make base backups of
 class postgres::backup_server::globals(
-  String $pgpassfile = '/home/debbackup/.pgpass',
+  String $backup_unix_user,
+  String $backup_unix_group = $backup_unix_user,
+  String $pgpassfile = "/home/${backup_unix_user}/.pgpass",
   String $sshkeys_sources = '/etc/dsa/postgresql-backup/sshkeys-sources',
   String $base_backup_clusters = '/etc/dsa/postgresql-backup/base-backup-clusters',
 ) {
diff --git a/modules/postgres/templates/backup_server/postgres-make-base-backups.erb b/modules/postgres/templates/backup_server/postgres-make-base-backups.erb
index fc564110d..2141833a2 100755
--- a/modules/postgres/templates/backup_server/postgres-make-base-backups.erb
+++ b/modules/postgres/templates/backup_server/postgres-make-base-backups.erb
@@ -42,7 +42,7 @@ STATEDIR=/var/lib/dsa/postgres-make-base-backups
 set -u
 
 if [ "$(id -u)" = 0 ]; then
-    echo >&2 "Do not run me as root.  Probably you want sudo -u debbackup."
+    echo >&2 "Do not run me as root.  Probably you want sudo -u <%= @backup_unix_user %>."
     exit 1
 fi
 
diff --git a/modules/postgres/templates/backup_server/sudoers.erb b/modules/postgres/templates/backup_server/sudoers.erb
index de633ca49..3b31cbfe6 100644
--- a/modules/postgres/templates/backup_server/sudoers.erb
+++ b/modules/postgres/templates/backup_server/sudoers.erb
@@ -1,3 +1,3 @@
 # edit with visudo!
 
-nagios		ALL=(debbackup)		NOPASSWD: /usr/lib/nagios/plugins/dsa-check-backuppg ""
+nagios		ALL=(<%= @backup_unix_user %>)		NOPASSWD: /usr/lib/nagios/plugins/dsa-check-backuppg ""
diff --git a/modules/roles/TODO b/modules/roles/TODO
index 282bf2914..fd128d836 100644
--- a/modules/roles/TODO
+++ b/modules/roles/TODO
@@ -7,3 +7,6 @@
   using exim::vdomain
 
 - move the postgres::backup_server stuff out of the salsa/database manifest
+
+- postgres/templates/backup_source/pg-backup-file.conf.erb:
+  get username from params, hosts from rolehosts