1 class role::backup::postgresql inherits role::backup {
2 # This manifest is supposed to be part of the backup server
# Settings read from Hiera: the seed used for password generation and the backup account's user and group.
4 $password_seed = lookup("base_installation::puppet_pass_seed")
6 $user = lookup("role::backup::user")
7 $group = lookup("role::backup::group")
11 $ldap_cn = lookup("base_installation::ldap_cn")
# NOTE(review): generate_password is defined outside this listing. Given the seed argument it presumably
# derives the password deterministically; if so, base_installation::puppet_pass_seed is as sensitive as
# every password derived from it and should be stored and access-controlled accordingly. Confirm.
12 $ldap_password = generate_password(24, $password_seed, "ldap")
# Replication slot name: the LDAP cn with every '-' replaced by '_' (the "G" flag replaces all occurrences).
13 $pg_slot = regsubst($ldap_cn, '-', "_", "G")
15 ensure_packages(["postgresql"])
# Hosts to back up; the default is an empty list, so nothing is declared per host when the key is unset.
17 $pg_backup_hosts = lookup("role::backup::postgresql::backup_hosts", { "default_value" => [] })
# One PostgreSQL data directory ($pg_path) is managed per configured host.
# NOTE(review): $mountpoint is not assigned in the visible lines; presumably it comes from the inherited
# role::backup class or from an elided line. Confirm.
19 $pg_backup_hosts.each |$pg_backup_host| {
20 $pg_path = "$mountpoint/$pg_backup_host/postgresql"
# The host name from Hiera is used unchanged as the connection target; the quotes only interpolate it.
21 $pg_host = "$pg_backup_host"
24 file { "$mountpoint/$pg_backup_host":
# NOTE(review): owner/group/mode of these file resources are elided. Files under $pg_path embed the
# replication password in clear text (see $primary_conninfo), so the directories should be readable
# only by the account that runs the backup instance. Confirm.
35 require => File["$mountpoint/$pg_backup_host"],
# Takes the initial base backup into $pg_path. `creates` skips the exec once PG_VERSION exists there,
# so it runs only while the data directory has not been populated.
38 exec { "pg_basebackup $pg_path":
41 creates => "$pg_path/PG_VERSION",
# The password is handed over through the environment rather than as a command-line argument, which keeps
# it out of the process argument list. -w makes pg_basebackup fail instead of prompting for a password.
# NOTE(review): no sslmode is set here, unlike $primary_conninfo (sslmode=require), and libpq's default
# does not require TLS; adding "PGSSLMODE=require" to this list would align the two connections.
42 environment => ["PGPASSWORD=$ldap_password"],
# -S names the replication slot used during the backup; $pg_slot is derived from $ldap_cn.
43 command => "/usr/bin/pg_basebackup -w -h $pg_host -U $ldap_cn -D $pg_path -S $pg_slot",
# The three references below presumably belong to an ordering attribute whose opening line is elided.
45 Concat["$pg_path/pg_hba.conf"],
46 Concat["$pg_path/recovery.conf"],
47 File["$pg_path/postgresql.conf"],
# pg_hba.conf of this host's backup instance, assembled from the pg_hba_rule fragments below
# (every rule sets target => "$pg_path/pg_hba.conf").
# NOTE(review): PostgreSQL uses the first record that matches a connection, so the effect of these rules
# depends on their `order` values, which are elided here. Confirm the reject rule sorts before any
# broader host rule.
51 concat { "$pg_path/pg_hba.conf":
57 postgresql::server::pg_hba_rule { "$pg_backup_host - local access as postgres user":
58 description => 'Allow local access to postgres user',
# If this is a Unix-socket ("local") record (the type line is elided), PostgreSQL treats ident as peer
# authentication, i.e. the OS user name must match the database user.
62 auth_method => 'ident',
64 target => "$pg_path/pg_hba.conf",
65 postgresql_version => "10",
67 postgresql::server::pg_hba_rule { "$pg_backup_host - localhost access as postgres user":
68 description => 'Allow localhost access to postgres user',
# IPv4 loopback only.
72 address => "127.0.0.1/32",
75 target => "$pg_path/pg_hba.conf",
76 postgresql_version => "10",
78 postgresql::server::pg_hba_rule { "$pg_backup_host - localhost ip6 access as postgres user":
# The description repeats the IPv4 rule's text; per its title this is the IPv6 loopback rule.
79 description => 'Allow localhost access to postgres user',
86 target => "$pg_path/pg_hba.conf",
87 postgresql_version => "10",
89 postgresql::server::pg_hba_rule { "$pg_backup_host - deny access to postgresql user":
90 description => 'Deny remote access to postgres user',
# NOTE(review): 0.0.0.0/0 matches IPv4 clients only. If the instance also listens on IPv6, an equivalent
# ::/0 reject record is needed for the same guarantee; check the elided lines and listen_addresses.
94 address => "0.0.0.0/0",
95 auth_method => 'reject',
97 target => "$pg_path/pg_hba.conf",
98 postgresql_version => "10",
101 postgresql::server::pg_hba_rule { "$pg_backup_host - local access":
102 description => 'Allow local access with password',
# NOTE(review): md5 is the weaker password method. PostgreSQL 10, the version declared on these rules,
# supports scram-sha-256; switching requires password_encryption to be set to it and the affected
# passwords to be set again so that SCRAM verifiers exist.
106 auth_method => 'md5',
108 target => "$pg_path/pg_hba.conf",
109 postgresql_version => "10",
112 postgresql::server::pg_hba_rule { "$pg_backup_host - local access with same name":
113 description => 'Allow local access with same name',
117 auth_method => 'ident',
119 target => "$pg_path/pg_hba.conf",
120 postgresql_version => "10",
# Connection string for streaming from the primary; presumably consumed by recovery.conf.erb (confirm).
# It carries the replication password in clear text, so the rendered recovery.conf must not be readable
# by other local users.
# NOTE(review): $pg_port is not assigned in the visible lines; confirm where it is set.
# NOTE(review): sslmode=require encrypts the link but does not validate the server certificate;
# verify-full (with a trusted root certificate available to the client) would also authenticate the primary.
123 $primary_conninfo = "host=$pg_host port=$pg_port user=$ldap_cn password=$ldap_password sslmode=require"
# Derived exactly like $pg_slot, so the base backup and the streaming configuration name the same slot.
124 $primary_slot_name = regsubst($ldap_cn, '-', "_", "G")
# NOTE(review): owner and mode of this concat are elided; given the embedded password they should limit
# read access to the account running the instance (for example mode 0600). Confirm.
127 concat { "$pg_path/recovery.conf":
133 concat::fragment { "$pg_path/recovery.conf":
134 target => "$pg_path/recovery.conf",
# The template path is in the 'postgresql' module namespace, not in this role's templates.
135 content => template('postgresql/recovery.conf.erb'),
# Per-host postgresql.conf rendered from this role's template.
138 file { "$pg_path/postgresql.conf":
142 content => template("role/backup/postgresql.conf.erb"),
# One instance of the templated systemd unit per backed-up host; the instance name is the host name.
145 service { "postgresql_backup@$pg_backup_host":
# The references below presumably form the service's dependency list (the attribute line is elided):
# the unit file plus the three configuration files of this instance.
149 File["/etc/systemd/system/postgresql_backup@.service"],
150 Concat["$pg_path/pg_hba.conf"],
151 Concat["$pg_path/recovery.conf"],
152 File["$pg_path/postgresql.conf"],
# systemd template unit shared by all postgresql_backup@<host> instances.
# NOTE(review): the closing brace of the each loop is not visible. This resource has a fixed title, so it
# has to be declared outside the loop; inside it, two or more hosts would cause a duplicate declaration.
# Confirm. Ownership and mode are also elided; a unit file under /etc/systemd/system should be writable
# by root only.
157 file { "/etc/systemd/system/postgresql_backup@.service":
161 content => template("role/backup/postgresql_backup@.service.erb"),