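---
# Tasks for the offsite backup storage server: service account, SSH key,
# backup scripts, node_exporter metrics files, MinIO client and cron jobs.

# Unprivileged service account that owns the backup data and runs the
# backup scripts (the MinIO tasks below run as this user via become_user).
- name: "Backup storage server | create system user"
  become: true
  ansible.builtin.user:
    name: '{{ system_user }}'
    comment: "user for backup"
    shell: /bin/bash
  register: create_user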
- name: "Create .ssh dir and backups dir"
|
|
become: yes
|
|
file:
|
|
path: '/home/{{ system_user }}/{{ item.name }}/'
|
|
mode: '{{ item.mode }}'
|
|
owner: '{{ system_user }}'
|
|
group: '{{ system_user }}'
|
|
state: directory
|
|
loop:
|
|
- name: '.ssh'
|
|
mode: '0700'
|
|
- name: 'backups'
|
|
mode: '0775'
|
|
|
|
- name: "Create/Resize LVM for datadir"
|
|
include_role:
|
|
name: lvm_with_hetzner_volumes
|
|
vars:
|
|
lvm_with_hetzner_volumes__volprefix: backup_datadir
|
|
lvm_with_hetzner_volumes__volsize: "{{ backup_lvm_hcloudvol_size }}"
|
|
lvm_with_hetzner_volumes__volcount: "{{ backup_lvm_hcloudvol_count }}"
|
|
lvm_with_hetzner_volumes__mountpath: "{{ backup_lvm_hcloudvol_mountpath }}"
|
|
|
|
- name: "Providing SSH priv.key"
|
|
no_log: true
|
|
become: yes
|
|
copy:
|
|
dest: '/home/{{ system_user }}/.ssh/id_rsa'
|
|
mode: '0400'
|
|
owner: '{{ system_user }}'
|
|
group: '{{ system_user }}'
|
|
content: '{{ backup_user_ssh_privkey_vault }}'
|
|
|
|
- name: "Providing Backup scripts"
|
|
become: yes
|
|
copy:
|
|
src: '{{ item }}'
|
|
dest: '/home/{{ system_user }}/{{ item }}'
|
|
mode: '0755'
|
|
owner: '{{ system_user }}'
|
|
group: '{{ system_user }}'
|
|
with_items:
|
|
- pull_remote_backups.sh
|
|
- push_backups_to_restore_server.sh
|
|
- mirror_bucket_from_minio_server.sh
|
|
- read_only_policy.json
|
|
- read_write_postgres_policy.json
|
|
- read_write_wordpress_policy.json
|
|
|
|
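# Creates the node_exporter textfile-collector input owned by the backup user.
# access_time/modification_time: preserve makes the task idempotent — plain
# state=touch resets the mtime on every playbook run, and the textfile
# collector exposes that mtime, so stale metrics would look freshly written.
# 0644: a data file, no executable bit needed.
# NOTE(review): no become here; writing into the backup user's home presumably
# relies on the play running privileged — confirm.
- name: Touch metrics.prom if not exists
  ansible.builtin.file:
    path: "/home/{{ system_user }}/metrics.prom"
    state: touch
    access_time: preserve
    modification_time: preserve
    mode: '0644'
    owner: '{{ system_user }}'
    group: '{{ system_user }}'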
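# Same pattern as metrics.prom: create the MariaDB backup status file once,
# keep timestamps on later runs so the mtime reflects the last real write,
# and do not mark a data file executable.
- name: Touch backup_status_maria.prom if not exists
  ansible.builtin.file:
    path: "/home/{{ system_user }}/backup_status_maria.prom"
    state: touch
    access_time: preserve
    modification_time: preserve
    mode: '0644'
    owner: '{{ system_user }}'
    group: '{{ system_user }}'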
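# Same pattern as metrics.prom: create the PostgreSQL backup status file once,
# keep timestamps on later runs so the mtime reflects the last real write,
# and do not mark a data file executable.
- name: Touch backup_status_postgres.prom if not exists
  ansible.builtin.file:
    path: "/home/{{ system_user }}/backup_status_postgres.prom"
    state: touch
    access_time: preserve
    modification_time: preserve
    mode: '0644'
    owner: '{{ system_user }}'
    group: '{{ system_user }}'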
# Exposes metrics.prom to node_exporter's textfile collector via a symlink
# (src is the link target, dest the link itself).
# NOTE(review): no become here; creating entries under /var/lib/prometheus
# presumably needs root unless the play runs privileged — confirm.
- name: Create symbolic link for node_exporter text metrics
  ansible.builtin.file:
    state: link
    src: '/home/{{ system_user }}/metrics.prom'
    dest: '/var/lib/prometheus/node-exporter/offsite-metrics.prom'
# Symlink for the MariaDB backup status file into the textfile-collector dir.
- name: Create symbolic link for node_exporter text metrics backup_status_maria
  ansible.builtin.file:
    state: link
    src: '/home/{{ system_user }}/backup_status_maria.prom'
    dest: '/var/lib/prometheus/node-exporter/backup_status_maria.prom'
# Symlink for the PostgreSQL backup status file into the textfile-collector dir.
- name: Create symbolic link for node_exporter text metrics backup_status_postgres
  ansible.builtin.file:
    state: link
    src: '/home/{{ system_user }}/backup_status_postgres.prom'
    dest: '/var/lib/prometheus/node-exporter/backup_status_postgres.prom'
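# Re-asserts owner/group on everything under backups/ (presumably because
# pulled files can arrive with other uids). recurse walks the whole backup
# tree on every run, so this gets slower as the backup set grows.
- name: Recursively change ownership of backups directory
  ansible.builtin.file:
    path: '/home/{{ system_user }}/backups'
    state: directory
    recurse: true
    owner: '{{ system_user }}'
    group: '{{ system_user }}'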
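# Installs the MinIO client as /usr/bin/mcli. get_url only downloads when the
# destination is missing (force defaults to false), so the binary is fetched
# once per host.
# NOTE(review): the URL is the floating "latest" release and no checksum is
# verified, so the installed version depends on when the host was first
# provisioned and a tampered download would go unnoticed. Pin a release and
# verify it, e.g.
#   checksum: 'sha256:<sha256 of the pinned mc release>'
- name: Download minio client
  become: true
  ansible.builtin.get_url:
    url: https://dl.min.io/client/mc/release/linux-amd64/mc
    dest: /usr/bin/mcli
    mode: '0755'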
- name: "Set MinIO alias for {{ item.stage }}_admin" # noqa command-instead-of-shell no-changed-when
|
|
become: true
|
|
become_user: '{{ system_user }}'
|
|
ansible.builtin.shell: 'mcli alias set {{ item.stage }}_admin {{ item.url }} {{ item.admin_accesskey }} {{ item.admin_secretkey }}'
|
|
loop: "{{ minio_stage_dicts }}"
|
|
|
|
- name: "Add MinIO read only users {{ item.read_only_accesskey }}" # noqa command-instead-of-shell no-changed-when
|
|
become: true
|
|
become_user: '{{ system_user }}'
|
|
ansible.builtin.shell: 'mcli admin user add {{ item.stage }}_admin {{ item.read_only_accesskey }} {{ item.read_only_secretkey }}'
|
|
loop: "{{ minio_stage_dicts }}"
|
|
|
|
- name: "Add MinIO read write user {{ item.read_write_accesskey }}" # noqa command-instead-of-shell no-changed-when
|
|
become: true
|
|
become_user: '{{ system_user }}'
|
|
ansible.builtin.shell: 'mcli admin user add {{ item.stage }}_admin {{ item.read_write_accesskey }} {{ item.read_write_secretkey }}'
|
|
loop: "{{ minio_stage_dicts }}"
|
|
|
|
- name: "Create MinIO read only policy" # noqa command-instead-of-shell no-changed-when
|
|
become: true
|
|
become_user: '{{ system_user }}'
|
|
ansible.builtin.shell: 'mcli admin policy create {{ item.stage }}_admin read_only_policy /home/{{ system_user }}/read_only_policy.json'
|
|
loop: "{{ minio_stage_dicts }}"
|
|
|
|
- name: "Attach MinIO read only policy to user {{ item.read_only_accesskey }}" # noqa command-instead-of-shell no-changed-when
|
|
become: true
|
|
become_user: '{{ system_user }}'
|
|
ansible.builtin.shell: 'mcli admin policy attach {{ item.stage }}_admin read_only_policy --user {{ item.read_only_accesskey }}'
|
|
loop: "{{ minio_stage_dicts }}"
|
|
register: policy_read_only_result
|
|
failed_when: "'policy is already attached' not in policy_read_only_result.stderr and policy_read_only_result.rc == 1"
|
|
|
|
- name: "Create MinIO read write policy per bucket" # noqa command-instead-of-shell no-changed-when
|
|
become: true
|
|
become_user: '{{ system_user }}'
|
|
ansible.builtin.shell: 'mcli admin policy create {{ item.stage }}_admin read_write_{{ item.bucket }}_policy /home/{{ system_user }}/read_write_{{ item.bucket }}_policy.json'
|
|
loop: "{{ minio_stage_dicts }}"
|
|
|
|
- name: "Attach MinIO read write policy to user {{ item.read_write_accesskey }}" # noqa command-instead-of-shell no-changed-when
|
|
become: true
|
|
become_user: '{{ system_user }}'
|
|
ansible.builtin.shell: 'mcli admin policy attach {{ item.stage }}_admin read_write_{{ item.bucket }}_policy --user {{ item.read_write_accesskey }}'
|
|
loop: "{{ minio_stage_dicts }}"
|
|
register: policy_read_write_result
|
|
failed_when: "'policy is already attached' not in policy_read_write_result.stderr and policy_read_write_result.rc == 1"
|
|
|
|
# superseded by mirror_bucket_from_minio_server.sh
# (kept for reference only; this task passed the MinIO keys on the cron
# command line, which is the same exposure the active cron task has)
# - name: Create Cron Job for pull_from_minio_server.sh script
#   ansible.builtin.cron:
#     name: "pull minio backups for {{ item.stage }}"
#     hour: "{{ item.hour }}"
#     minute: "{{ item.minute }}"
#     user: '{{ system_user }}'
#     job: "/home/{{ system_user }}/pull_from_minio_server.sh {{ item.url }} {{ item.stage }} {{ item.minio_accesskey }} {{ item.minio_secretkey }}"
#   loop: "{{ minio_stage_dicts }}"
# superseded by mirror_bucket_from_minio_server.sh
# - name: Create Cron Job for keycloak_pull_from_minio_server.sh script
#   ansible.builtin.cron:
#     name: "pull minio backups for keycloak"
#     hour: "2"
#     minute: "30"
#     user: '{{ system_user }}'
#     job: "/home/{{ system_user }}/keycloak_pull_from_minio_server.sh {{ minio_keycloak_url }} {{ minio_keycloak_accesskey }} {{ minio_keycloak_secretkey }}"
- name: "Create Cron Job for each bucket with mirror_bucket_from_minio_server.sh script"
|
|
ansible.builtin.cron:
|
|
name: "pull minio backups for {{ item.stage }} and bucket {{ item.bucket }}"
|
|
hour: "{{ item.hour }}"
|
|
minute: "{{ item.minute }}"
|
|
user: '{{ system_user }}'
|
|
job: "/home/{{ system_user }}/mirror_bucket_from_minio_server.sh {{ item.url }} {{ item.stage }} {{ item.read_only_accesskey }} {{ item.read_only_secretkey }} {{ item.bucket }}"
|
|
loop: "{{ minio_stage_dicts }}"
|
|
|
|
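# Per stage/bucket metrics file for the textfile collector. Preserving the
# timestamps keeps the task idempotent and leaves the mtime to the mirror
# script, so a playbook run cannot make stale metrics look fresh.
# 0644: data file, no executable bit needed.
- name: Touch metrics_{{ item.stage }}_{{ item.bucket }}.prom if not exists
  ansible.builtin.file:
    path: "/home/{{ system_user }}/metrics_{{ item.stage }}_{{ item.bucket }}.prom"
    state: touch
    access_time: preserve
    modification_time: preserve
    mode: '0644'
    owner: '{{ system_user }}'
    group: '{{ system_user }}'
  loop: "{{ minio_stage_dicts }}"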
# Symlink per stage/bucket metrics file into the textfile-collector dir.
- name: Create symbolic link for node_exporter text {{ item.stage }} metrics
  ansible.builtin.file:
    state: link
    src: '/home/{{ system_user }}/metrics_{{ item.stage }}_{{ item.bucket }}.prom'
    dest: '/var/lib/prometheus/node-exporter/metrics_{{ item.stage }}_{{ item.bucket }}.prom'
  loop: "{{ minio_stage_dicts }}"
# no longer needed once switched to mirror_bucket_from_minio_server.sh
# - name: Touch metrics_keycloak.prom if not exists
#   file:
#     path: "/home/{{ system_user }}/metrics_keycloak.prom"
#     state: touch
#     mode: '0744'
#     owner: '{{ system_user }}'
#     group: '{{ system_user }}'
# no longer needed once switched to mirror_bucket_from_minio_server.sh
# - name: Create symbolic link for node_exporter text nsodev metrics
#   file:
#     src: "/home/{{ system_user }}/metrics_keycloak.prom"
#     dest: "/var/lib/prometheus/node-exporter/metrics_keycloak.prom"
#     state: link