Make local backup of pg_hba.conf file before modification

pillar.example

@@ -19,12 +19,6 @@ postgres:
   postgresconf: |
     listen_addresses = '*'  # listen on all interfaces
 
-  # Backup extension for postgresql.conf file, defaults to ``.bak``.
-  # Set to False to stop creation of backup on postgresql.conf changes.
-  {%- if 'status.time' in salt.keys() %}
-  postgresconf_backup: ".backup@{{ salt['status.time']('%y-%m-%d_%H:%M:%S') }}"
-  {%- endif %}
-
   # Path to the `pg_hba.conf` file Jinja template on Salt Fileserver
   pg_hba.conf: salt://postgres/templates/pg_hba.conf.j2
 
@@ -48,6 +42,12 @@ postgres:
     - ['local', 'db1', 'localUser']
     - ['host', 'db2', 'remoteUser', '192.168.33.0/24']
 
+  # Backup extension for configuration files, defaults to ``.bak``.
+  # Set ``False`` to stop creation of backups when config files change.
+  {%- if 'status.time' in salt.keys() %}
+  config_backup: ".backup@{{ salt['status.time']('%y-%m-%d_%H:%M:%S') }}"
+  {%- endif %}
+
   # PostgreSQL service name
   service: postgresql
 

postgres/defaults.yaml

@@ -20,7 +20,6 @@ postgres:
 
   conf_dir: /var/lib/pgsql/data
   postgresconf: ""
-  postgresconf_backup: '.bak'
 
   pg_hba.conf: salt://postgres/templates/pg_hba.conf.j2
   acls:
@@ -31,6 +30,8 @@ postgres:
     # IPv6 local connections:
     - ['host', 'all', 'all', '::1/128', 'md5']
 
+  config_backup: '.bak'
+
   service: postgresql
 
   bake_image: False

postgres/server/init.sls

@@ -8,8 +8,6 @@
   {%- do includes.append('postgres.upstream') %}
 {%- endif %}
 
-{%- set pkgs = [postgres.pkg] + postgres.pkgs_extra %}
-
 {%- if includes -%}
 
 include:
@@ -17,6 +15,8 @@ include:
 
 {%- endif %}
 
+{%- set pkgs = [postgres.pkg] + postgres.pkgs_extra %}
+
 # Install, configure and start PostgreSQL server
 
 postgresql-server:
@@ -82,7 +82,7 @@ postgresql-conf:
         {{ postgres.postgresconf|indent(8) }}
     - show_changes: True
     - append_if_not_found: True
-    - backup: {{ postgres.postgresconf_backup }}
+    - backup: {{ postgres.config_backup }}
     - require:
       - file: postgresql-config-dir
     - watch_in:
@@ -90,9 +90,23 @@ postgresql-conf:
 
 {%- endif %}
 
+{%- set pg_hba_path = salt['file.join'](postgres.conf_dir, 'pg_hba.conf') %}
+
+postgresql-pg_hba-backup:
+  file.copy:
+    - name: {{ pg_hba_path ~ postgres.config_backup }}
+    - source: {{ pg_hba_path }}
+    - force: True
+    - user: {{ postgres.user }}
+    - group: {{ postgres.group }}
+    - mode: 600
+    - onlyif: test -f {{ pg_hba_path }}
+    - prereq:
+      - file: postgresql-pg_hba
+
 postgresql-pg_hba:
   file.managed:
-    - name: {{ postgres.conf_dir }}/pg_hba.conf
+    - name: {{ pg_hba_path }}
     - user: {{ postgres.user }}
     - group: {{ postgres.group }}
     - mode: 600