From b541b17d44294a322eee4e2e9989f3de17fe004f Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Sat, 4 Jul 2026 14:41:07 +0100
Subject: [PATCH] Configure encryption for pgbackrest on database servers
---
 cookbooks/postgresql/templates/default/pgbackrest.conf.erb | 6 ++++++
 roles/db.rb | 2 ++
 2 files changed, 8 insertions(+)
diff --git a/cookbooks/postgresql/templates/default/pgbackrest.conf.erb b/cookbooks/postgresql/templates/default/pgbackrest.conf.erb
index dbd181d48..f86cfc73d 100644
--- a/cookbooks/postgresql/templates/default/pgbackrest.conf.erb
+++ b/cookbooks/postgresql/templates/default/pgbackrest.conf.erb
@@ -6,6 +6,12 @@ repo1-path=<%= node[:postgresql][:pgbackrest][:repo_path] %>
 repo1-block=y
 repo1-bundle=y
 repo1-retention-full=<%= node[:postgresql][:pgbackrest][:repo_retention_full] %>
+<% if node[:postgresql][:pgbackrest][:repo_cipher_type] -%>
+repo1-cipher-type=<%= node[:postgresql][:pgbackrest][:repo_cipher_type] %>
+<% end -%>
+<% if node[:postgresql][:pgbackrest][:repo_cipher_pass] -%>
+repo1-cipher-pass=<%= @credentials[node[:postgresql][:pgbackrest][:repo_cipher_pass]] %>
+<% end -%>
 <% if node[:postgresql][:pgbackrest][:repo_s3_bucket] -%>
 repo1-s3-bucket=<%= node[:postgresql][:pgbackrest][:repo_s3_bucket] %>
 <% end -%>
diff --git a/roles/db.rb b/roles/db.rb
index de3385fbd..d72c4004e 100644
--- a/roles/db.rb
+++ b/roles/db.rb
@@ -35,6 +35,8 @@ default_attributes(
 :credentials_item => "aws",
 :repo_type => "s3",
 :repo_path => "/",
+ :repo_cipher_type => "aes-256-cbc",
+ :repo_cipher_pass => "wal_encryption_key",
 :repo_s3_bucket => "openstreetmap-wal-prod-85d400",
 :repo_s3_endpoint => "s3.eu-north-1.amazonaws.com",
 :repo_s3_key => "wal_prod_access_key_id",
-- 
2.47.3
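Review bot: The two new conditionals in pgbackrest.conf.erb are independent, so a node that sets `repo_cipher_type` without `repo_cipher_pass` renders a cipher type with no passphrase. A name that is missing from `@credentials` would likewise render an empty `repo1-cipher-pass=` line rather than failing the run. Putting both lines under one guard, `<% if node[:postgresql][:pgbackrest][:repo_cipher_type] && node[:postgresql][:pgbackrest][:repo_cipher_pass] -%>`, and using a lookup that raises on a missing key (for example `@credentials.fetch(...)`, assuming `@credentials` is hash-like) would surface a misconfiguration at converge time. The rendered file now carries the repository passphrase, so the owner and mode set by the template resource, which is outside this hunk, are worth confirming.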
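Review bot: The new `:repo_cipher_type` and `:repo_cipher_pass` attributes in roles/db.rb enable encryption for a repository location (`:repo_path => "/"` in the existing bucket) that may already hold an unencrypted stanza. pgBackRest expects the cipher settings to be in place when the stanza is created and does not support changing them on an existing repository, so the commit should say whether the repository is being recreated or is new. A short comment would also help readers, e.g. `# name of the entry in the credentials item that holds the passphrase, not the passphrase itself`. Because losing that passphrase makes every backup unrecoverable, it is worth recording where a copy is kept outside the configuration management credentials store.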