From 4bcaf3d333799e8d54ce7e63d34d6dce1850b2ce Mon Sep 17 00:00:00 2001
From: Peter Palfrader <peter@palfrader.org>
Date: Sat, 28 Sep 2019 21:30:55 +0200
Subject: [PATCH] Try to configure --read-allow via hiera

---
 data/nodes/bmdb1.debian.org.yaml                     |  2 ++
 .../backup_server/register_backup_clienthost.pp      | 12 ++++++++++--
 .../templates/backup_server/sshkeys-manual.erb       |  4 ----
 3 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/data/nodes/bmdb1.debian.org.yaml b/data/nodes/bmdb1.debian.org.yaml
index b640495d6..b50c65318 100644
--- a/data/nodes/bmdb1.debian.org.yaml
+++ b/data/nodes/bmdb1.debian.org.yaml
@@ -1,3 +1,5 @@
 ---
 classes:
   - roles::postgresql::server
+
+postgres::backup_server::register_backup_clienthost::allow_read_hosts: ['fasolo']
diff --git a/modules/postgres/manifests/backup_server/register_backup_clienthost.pp b/modules/postgres/manifests/backup_server/register_backup_clienthost.pp
index 7580845e0..5dff84554 100644
--- a/modules/postgres/manifests/backup_server/register_backup_clienthost.pp
+++ b/modules/postgres/manifests/backup_server/register_backup_clienthost.pp
@@ -1,12 +1,20 @@
 # register this host at the backup servers
 #
 # This class set up the ssh authorization on the backup servers
-# so this client can push WAL segments.
+# so this client can push WAL segments.  Furthermore, the
+# client will be allowed to read other hosts backups -- specify
+# the list of allowed target hosts via params.
+#
+# @param allow_read_basedir  directory under which files can be read
+# @param allow_read_hosts    subdirectories under base to allow
 define postgres::backup_server::register_backup_clienthost (
+  String $allow_read_basedir = '/srv/backups/pg',
+  Array[Stdlib::Fqdn] $allow_read_hosts = lookup( { 'name' => 'postgres::backup_server::register_backup_clienthost::allow_read_hosts', 'default_value' => [] } ),
 ) {
   include postgres::backup_server::globals
 
-  $ssh_command = "/usr/local/bin/debbackup-ssh-wrap ${::hostname}"
+  $allowstr = $allow_read_hosts.map |$host| { "--read-allow=${allow_read_basedir}/${host}" }.join(' ')
+  $ssh_command = "/usr/local/bin/debbackup-ssh-wrap ${allowstr} ${::hostname}"
 
   ssh::authorized_key_add { 'register_backup_clienthost':
     target_user => $postgres::backup_server::globals::backup_unix_user,
diff --git a/modules/postgres/templates/backup_server/sshkeys-manual.erb b/modules/postgres/templates/backup_server/sshkeys-manual.erb
index 9a88c3ed7..cd70d2101 100644
--- a/modules/postgres/templates/backup_server/sshkeys-manual.erb
+++ b/modules/postgres/templates/backup_server/sshkeys-manual.erb
@@ -2,7 +2,3 @@
 # postgresql backups:
 command="/usr/local/bin/debbackup-ssh-wrap lw07 --read-allow=/srv/backups/pg/sallinen",restrict,from="185.17.185.187,2001:1af8:4020:b030:deb::187" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDiLZIqnyKrsfoT1sQdbuUsOoqW1t71Sv8hpJj9yLzrSFq/YCnho9G2Q/LJm4sMB4W64uQMUX6oLsqsgIBbOZw71CBRou41zwS/D+7+sjiPy1aVXp+L+fAXqLdemCUYqXAm0bGTLboGmlDSG3/r3v3B2+vqwAoHaC/GwuoNgvHq+sfxZPo/9cDRlTyE0ktyxwdUN+czxyLtDPqz3CucOHX03p8F3lNEwFUCGIVAkP4zxZsiEjD+eCbWam0bVFoWnfXYcmf2GYKEy2PQp0ksXmbsnRIblW5zoKdEXeDjwSStFHtjqkJw2TdPLUGSXljCgy9OCXYVMUrFnXw2Ak88KYpV postgres@lw07 (20140713)
 command="/usr/local/bin/debbackup-ssh-wrap snapshotdb-manda-01 --read-allow=/srv/backups/pg/sallinen",restrict,from="82.195.75.73,2001:41b8:202:deb::311:73" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC53Sx/qzFL+GNrT01fP9tXpd9CjaOZuhLVHIOpoDQM5Nrr4DgbWA3vTghHpdpRHt18EmzWEmclTk3qej/vN6vBIG4cMc8EfpvEvXOLW2qQzMMrx5UeergUX76ie41B8yOCd9lf6H3G+rLqfBR6xEws39WgwTBRT86mKpolYDCJHX1Q8i85eJ/mw9FjHUENZYSxO4k5KBas2/G03+e+/J4TvgjyGbqCxc1RvmiMLE+cnfmeaprZuUbKkL0Df/mV2osuKStfG9ise/qtL0Kv318bsnYvXPDMdFWtFsR1lX2MpHfCFYWJd4bHtNOGSlixYbHcFlNFlSDessfLgpoKwWi3 postgres@snapshotdb-manda-01 (2019-05-23)
-
-
-## XXX this is only here because of the --read-allow
-command="/usr/local/bin/debbackup-ssh-wrap bmdb1 --read-allow=/srv/backups/pg/fasolo",restrict,from="5.153.231.10,2001:41c8:1000:21::21:10" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFGdCqZ9/q5T5IgQ2RBUJ/4iIRFPkC+djquRlQEBjCLDZsnNrZC89K4u5IPMe0hCJCy+vp0mjKgzndLS3eyTuc0S8X8ukz8DawPY2smev72bKpf+2YEq/Eeyd42xoF0BbFSatM7GNWXJk+TyPXs2Pn8EGxVnVtDC5Z7VAxK+5qCr17duQG2NQbTawKiF2e+S2ohSsLZi4WUKx/lj/cUl3fmp0m7ZCwmEMImr/jUnm0eGw1k/1QKvqorajfjKpxs5dFPqfuvr9XaKs9mL2HtMH0OEbarDl+3kT4803X5xLT9b0kbWO9c9sAQRUmN9tPtZGiU5ShcBO7I0iKuQwDpxSr postgres@bmdb1 (20130706)
-- 
2.20.1