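---
# Backup storage server tasks: system user and SSH key, backup scripts,
# LVM data directory, node_exporter textfile metrics, MinIO client /
# aliases / users / policies, and one mirror cron job per bucket.
#
# NOTE(review): every path below assumes the user's home is
# /home/{{ system_user }} (the `user` module default) — confirm if a
# custom home is configured elsewhere.

- name: "Backup storage server | create system user"
  become: true
  ansible.builtin.user:
    name: '{{ system_user }}'
    comment: "user for backup"
    shell: /bin/bash
  register: create_user

- name: "Create .ssh dir and backups dir"
  become: true
  ansible.builtin.file:
    path: '/home/{{ system_user }}/{{ item.name }}/'
    mode: '{{ item.mode }}'
    owner: '{{ system_user }}'
    group: '{{ system_user }}'
    state: directory
  loop:
    - name: '.ssh'
      mode: '0700'
    - name: 'backups'
      mode: '0775'

- name: "Create/Resize LVM for datadir"
  ansible.builtin.include_role:
    name: lvm_with_hetzner_volumes
  vars:
    lvm_with_hetzner_volumes__volprefix: backup_datadir
    lvm_with_hetzner_volumes__volsize: "{{ backup_lvm_hcloudvol_size }}"
    lvm_with_hetzner_volumes__volcount: "{{ backup_lvm_hcloudvol_count }}"
    lvm_with_hetzner_volumes__mountpath: "{{ backup_lvm_hcloudvol_mountpath }}"

- name: "Providing SSH priv.key"
  # no_log keeps the vaulted key out of task output and callback plugins.
  no_log: true
  become: true
  ansible.builtin.copy:
    dest: '/home/{{ system_user }}/.ssh/id_rsa'
    mode: '0400'
    owner: '{{ system_user }}'
    group: '{{ system_user }}'
    content: '{{ backup_user_ssh_privkey_vault }}'

- name: "Providing Backup scripts"
  become: true
  ansible.builtin.copy:
    src: '{{ item }}'
    dest: '/home/{{ system_user }}/{{ item }}'
    # NOTE(review): the *.json policy documents do not need the execute
    # bit; 0755 is kept here only to preserve existing behaviour.
    mode: '0755'
    owner: '{{ system_user }}'
    group: '{{ system_user }}'
  loop:
    - pull_remote_backups.sh
    - push_backups_to_restore_server.sh
    - mirror_bucket_from_minio_server.sh
    - read_only_policy.json
    - read_write_postgres_policy.json
    - read_write_wordpress_policy.json

- name: Touch node_exporter textfile metrics files if they do not exist
  ansible.builtin.file:
    path: "/home/{{ system_user }}/{{ item }}"
    state: touch
    mode: '0744'
    owner: '{{ system_user }}'
    group: '{{ system_user }}'
    # Preserving timestamps makes the touch idempotent: a missing file is
    # still created, an existing one is no longer reported "changed".
    modification_time: preserve
    access_time: preserve
  loop:
    - metrics.prom
    - backup_status_maria.prom
    - backup_status_postgres.prom

# NOTE(review): these links are created in /var/lib/prometheus without
# `become`; this only works when the play already runs privileged — confirm.
- name: Create symbolic links for node_exporter text metrics
  ansible.builtin.file:
    src: "/home/{{ system_user }}/{{ item.src }}"
    dest: "/var/lib/prometheus/node-exporter/{{ item.dest }}"
    state: link
  loop:
    - { src: metrics.prom, dest: offsite-metrics.prom }
    - { src: backup_status_maria.prom, dest: backup_status_maria.prom }
    - { src: backup_status_postgres.prom, dest: backup_status_postgres.prom }

- name: Recursively change ownership of backups directory
  become: true
  ansible.builtin.file:
    path: "/home/{{ system_user }}/backups"
    state: directory
    recurse: true
    owner: '{{ system_user }}'
    group: '{{ system_user }}'

- name: Download minio client
  become: true
  ansible.builtin.get_url:
    url: https://dl.min.io/client/mc/release/linux-amd64/mc
    dest: /usr/bin/mcli
    mode: '0755'
    # TODO(review): pin the release and add `checksum: "sha256:<EXPECTED_SHA256>"`
    # so a tampered or changed upstream binary is rejected instead of installed.

# The MinIO tasks below pass credentials as discrete argv entries, so the
# values are never interpreted by a shell, and run with no_log so secret
# keys do not reach logs or callbacks. They are still visible in the
# process list for the duration of the mcli call.
- name: "Set MinIO alias for {{ item.stage }}_admin"  # noqa no-changed-when
  no_log: true
  become: true
  become_user: '{{ system_user }}'
  ansible.builtin.command:
    argv:
      - mcli
      - alias
      - set
      - '{{ item.stage }}_admin'
      - '{{ item.url }}'
      - '{{ item.admin_accesskey }}'
      - '{{ item.admin_secretkey }}'
  loop: "{{ minio_stage_dicts }}"

- name: "Add MinIO read only users {{ item.read_only_accesskey }}"  # noqa no-changed-when
  no_log: true
  become: true
  become_user: '{{ system_user }}'
  ansible.builtin.command:
    argv:
      - mcli
      - admin
      - user
      - add
      - '{{ item.stage }}_admin'
      - '{{ item.read_only_accesskey }}'
      - '{{ item.read_only_secretkey }}'
  loop: "{{ minio_stage_dicts }}"

- name: "Add MinIO read write user {{ item.read_write_accesskey }}"  # noqa no-changed-when
  no_log: true
  become: true
  become_user: '{{ system_user }}'
  ansible.builtin.command:
    argv:
      - mcli
      - admin
      - user
      - add
      - '{{ item.stage }}_admin'
      - '{{ item.read_write_accesskey }}'
      - '{{ item.read_write_secretkey }}'
  loop: "{{ minio_stage_dicts }}"

- name: "Create MinIO read only policy"  # noqa no-changed-when
  become: true
  become_user: '{{ system_user }}'
  ansible.builtin.command:
    argv:
      - mcli
      - admin
      - policy
      - create
      - '{{ item.stage }}_admin'
      - read_only_policy
      - '/home/{{ system_user }}/read_only_policy.json'
  loop: "{{ minio_stage_dicts }}"

- name: "Attach MinIO read only policy to user {{ item.read_only_accesskey }}"  # noqa no-changed-when
  become: true
  become_user: '{{ system_user }}'
  ansible.builtin.command:
    argv:
      - mcli
      - admin
      - policy
      - attach
      - '{{ item.stage }}_admin'
      - read_only_policy
      - --user
      - '{{ item.read_only_accesskey }}'
  loop: "{{ minio_stage_dicts }}"
  register: policy_read_only_result
  # Only "already attached" counts as success. The previous condition
  # tested rc == 1, so any other non-zero exit code was silently ignored.
  failed_when: >-
    policy_read_only_result.rc != 0
    and 'policy is already attached' not in policy_read_only_result.stderr

- name: "Create MinIO read write policy per bucket"  # noqa no-changed-when
  become: true
  become_user: '{{ system_user }}'
  ansible.builtin.command:
    argv:
      - mcli
      - admin
      - policy
      - create
      - '{{ item.stage }}_admin'
      - 'read_write_{{ item.bucket }}_policy'
      - '/home/{{ system_user }}/read_write_{{ item.bucket }}_policy.json'
  loop: "{{ minio_stage_dicts }}"

- name: "Attach MinIO read write policy to user {{ item.read_write_accesskey }}"  # noqa no-changed-when
  become: true
  become_user: '{{ system_user }}'
  ansible.builtin.command:
    argv:
      - mcli
      - admin
      - policy
      - attach
      - '{{ item.stage }}_admin'
      - 'read_write_{{ item.bucket }}_policy'
      - --user
      - '{{ item.read_write_accesskey }}'
  loop: "{{ minio_stage_dicts }}"
  register: policy_read_write_result
  # Same rule as for the read-only policy: every non-zero rc fails unless
  # the policy was already attached.
  failed_when: >-
    policy_read_write_result.rc != 0
    and 'policy is already attached' not in policy_read_write_result.stderr

# Superseded by mirror_bucket_from_minio_server.sh
# - name: Create Cron Job for pull_from_minio_server.sh script
#   ansible.builtin.cron:
#     name: "pull minio backups for {{ item.stage }}"
#     hour: "{{ item.hour }}"
#     minute: "{{ item.minute }}"
#     user: '{{ system_user }}'
#     job: "/home/{{ system_user }}/pull_from_minio_server.sh {{ item.url }} {{ item.stage }} {{ item.minio_accesskey }} {{ item.minio_secretkey }}"
#   loop: "{{ minio_stage_dicts }}"

# Superseded by mirror_bucket_from_minio_server.sh
# - name: Create Cron Job for keycloak_pull_from_minio_server.sh script
#   ansible.builtin.cron:
#     name: "pull minio backups for keycloak"
#     hour: "2"
#     minute: "30"
#     user: '{{ system_user }}'
#     job: "/home/{{ system_user }}/keycloak_pull_from_minio_server.sh {{ minio_keycloak_url }} {{ minio_keycloak_accesskey }} {{ minio_keycloak_secretkey }}"

- name: "Create Cron Job for each bucket with mirror_bucket_from_minio_server.sh script"
  # The job line carries the read-only secret key: no_log keeps it out of
  # Ansible output, but it is still persisted in the user's crontab and
  # visible in the process list while the script runs.
  # TODO(review): consider having the script read credentials from a
  # 0600 file owned by system_user instead of from its arguments.
  no_log: true
  ansible.builtin.cron:
    name: "pull minio backups for {{ item.stage }} and bucket {{ item.bucket }}"
    hour: "{{ item.hour }}"
    minute: "{{ item.minute }}"
    user: '{{ system_user }}'
    job: "/home/{{ system_user }}/mirror_bucket_from_minio_server.sh {{ item.url }} {{ item.stage }} {{ item.read_only_accesskey }} {{ item.read_only_secretkey }} {{ item.bucket }}"
  loop: "{{ minio_stage_dicts }}"

- name: Touch metrics_{{ item.stage }}_{{ item.bucket }}.prom if not exists
  ansible.builtin.file:
    path: "/home/{{ system_user }}/metrics_{{ item.stage }}_{{ item.bucket }}.prom"
    state: touch
    mode: '0744'
    owner: '{{ system_user }}'
    group: '{{ system_user }}'
    # Idempotent touch: create when missing, leave existing timestamps alone.
    modification_time: preserve
    access_time: preserve
  loop: "{{ minio_stage_dicts }}"

- name: Create symbolic link for node_exporter text {{ item.stage }} metrics
  ansible.builtin.file:
    src: "/home/{{ system_user }}/metrics_{{ item.stage }}_{{ item.bucket }}.prom"
    dest: "/var/lib/prometheus/node-exporter/metrics_{{ item.stage }}_{{ item.bucket }}.prom"
    state: link
  loop: "{{ minio_stage_dicts }}"

# No longer needed once switched to mirror_bucket_from_minio_server.sh
# - name: Touch metrics_keycloak.prom if not exists
#   file:
#     path: "/home/{{ system_user }}/metrics_keycloak.prom"
#     state: touch
#     mode: '0744'
#     owner: '{{ system_user }}'
#     group: '{{ system_user }}'

# No longer needed once switched to mirror_bucket_from_minio_server.sh
# - name: Create symbolic link for node_exporter text nsodev metrics
#   file:
#     src: "/home/{{ system_user }}/metrics_keycloak.prom"
#     dest: "/var/lib/prometheus/node-exporter/metrics_keycloak.prom"
#     state: link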