From e05f51247811005920b22ddd97c1fa15ea35e6d0 Mon Sep 17 00:00:00 2001
From: Evgeni Golov
Date: Tue, 12 Sep 2023 19:35:38 +0200
Subject: [PATCH] backup foreman using `+/usr/bin/foreman-maintain` makes systemd execute the binary as root, not as the user the main execution happens as See https://www.freedesktop.org/software/systemd/man/systemd.service.html#Command%20lines
---
 puppet/data/common.yaml | 1 +
 puppet/modules/profiles/manifests/foreman.pp | 28 ++++++++++++++++++++
 puppet/spec/classes/profiles_foreman_spec.rb | 7 +++++
 3 files changed, 36 insertions(+)
diff --git a/puppet/data/common.yaml b/puppet/data/common.yaml
index 49b1c4e0f..5cbbb51b4 100644
--- a/puppet/data/common.yaml
+++ b/puppet/data/common.yaml
@@ -21,6 +21,7 @@ profiles::backup::receiver::targets:
 - controller01
 - discourse01
 - puppet01
+ - foreman01
 profiles::backup::sender::host: '%{alias("backup_servicename")}'
 profiles::backup::sender::ssh_key: 'AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNfA651gsxAgFzWdBjFbTTXgZ+mIovdHE2TZShmyDJ9h6On+qQ3WOGVXflyrocM93vR4diZT80bnyIpLZtIf5RY='
diff --git a/puppet/modules/profiles/manifests/foreman.pp b/puppet/modules/profiles/manifests/foreman.pp
index 229c6153c..749cfb93f 100644
--- a/puppet/modules/profiles/manifests/foreman.pp
+++ b/puppet/modules/profiles/manifests/foreman.pp
@@ -11,4 +11,32 @@ puppet::config::main { 'dns_alt_names':
 value => $foreman::serveraliases,
 }
+
+ package {'rubygem-foreman_maintain':
+ ensure => present,
+ }
+
+ $backup_base_path = '/var/backups'
+ $backup_path = "${backup_base_path}/foreman"
+
+ file { $backup_base_path:
+ ensure => directory,
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ }
+ file { $backup_path:
+ ensure => directory,
+ owner => 'root',
+ group => 'root',
+ mode => '0750',
+ }
+
+ include profiles::backup::sender
+
+ restic::repository { 'foreman':
+ backup_cap_dac_read_search => true,
+ backup_path => $backup_path,
+ backup_pre_cmd => ["+/usr/bin/foreman-maintain backup online --assumeyes --preserve-directory ${backup_path}"],
+ }
 }
diff --git a/puppet/spec/classes/profiles_foreman_spec.rb b/puppet/spec/classes/profiles_foreman_spec.rb
index 69b3ad773..99839de31 100644
--- a/puppet/spec/classes/profiles_foreman_spec.rb
+++ b/puppet/spec/classes/profiles_foreman_spec.rb
@@ -4,6 +4,13 @@ on_supported_os.each do |os, os_facts|
 context "on #{os}" do
 let(:facts) { os_facts }
+ let(:pre_condition) do
+ <<~PUPPET
+ class { 'restic':
+ password => 'SuperSecret',
+ }
+ PUPPET
+ end
 it { is_expected.to compile.with_all_deps }
 end
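Review bot: The leading `+` in the `backup_pre_cmd` value is explained only in the commit message, so in the manifest it reads like a typo and is easy to remove or copy without understanding it. Per the systemd documentation linked in the commit, that prefix runs this one command with full privileges, so the unit's User=, Group=, capability and namespacing restrictions do not apply to foreman-maintain, while the restic step itself presumably stays unprivileged with only `backup_cap_dac_read_search`. I would add a comment directly above the `restic::repository` resource, e.g. `# '+' prefix: systemd runs this pre-command with full privileges (root), ignoring User= and sandboxing; keep the path absolute`. It is also worth confirming how repeated `--preserve-directory` runs into the same root-owned `0750` directory behave (overwrite versus accumulate), since the hunk shows no cleanup step. The enclosing class starts outside the hunk.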
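Review bot: The spec still asserts only that the catalog compiles, so the security-relevant properties this commit adds to the manifest (the root-owned `0750` backup directory and the privileged pre-command) could regress without any test failing. Consider adding expectations next to the existing `it`, such as `it { is_expected.to contain_file('/var/backups/foreman').with(owner: 'root', group: 'root', mode: '0750') }` and `it { is_expected.to contain_restic__repository('foreman').with_backup_path('/var/backups/foreman') }`. The `'SuperSecret'` value in `pre_condition` appears to be a fixture that only satisfies the `restic` class parameter; a short comment saying so would stop it being mistaken for a real credential. The enclosing `describe` block starts and ends outside the hunk.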