From 5be1dd45409f0d4c7668ff7a32c35a5f51a5581b Mon Sep 17 00:00:00 2001 From: Riku Rouvila Date: Mon, 29 Apr 2024 10:52:57 +0300 Subject: [PATCH 1/2] fix how backup rotation script is transferred to the target server, make backup directory configurable, transfer backup.sh to the target server using provisioning scripts --- infrastructure/server-setup/backups.yml | 6 ++++-- infrastructure/server-setup/production.yml | 3 +++ infrastructure/server-setup/qa.yml | 1 - infrastructure/server-setup/staging.yml | 3 +++ infrastructure/server-setup/tasks/backups/crontab.yml | 9 ++++++++- 5 files changed, 18 insertions(+), 4 deletions(-) diff --git a/infrastructure/server-setup/backups.yml b/infrastructure/server-setup/backups.yml index d3be49ba9..66661f13f 100644 --- a/infrastructure/server-setup/backups.yml +++ b/infrastructure/server-setup/backups.yml @@ -140,7 +140,7 @@ - name: Copy rotate_backups.sh file to external_backup_server_user's home directory copy: - src: infrastructure/backups/rotate_backups.sh + src: ../backups/rotate_backups.sh dest: '{{ external_backup_server_user_home }}/rotate_backups.sh' owner: '{{ external_backup_server_user }}' mode: 0755 @@ -153,5 +153,7 @@ name: 'rotate backups' minute: '0' hour: '0' - job: 'bash {{ external_backup_server_user_home }}/rotate_backups.sh --backup_dir=/home/backup/backups --amount_to_keep={{ amount_of_backups_to_keep }} >> /var/log/opencrvs-rotate-backups.log 2>&1' + job: 'bash {{ external_backup_server_user_home }}/rotate_backups.sh --backup_dir={{ external_backup_server_remote_directory }} --amount_to_keep={{ amount_of_backups_to_keep }} >> /var/log/opencrvs-rotate-backups.log 2>&1' state: "{{ 'present' if (amount_of_backups_to_keep) else 'absent' }}" + tags: + - backups diff --git a/infrastructure/server-setup/production.yml b/infrastructure/server-setup/production.yml index 7730a1af8..7694a407f 100644 --- a/infrastructure/server-setup/production.yml +++ b/infrastructure/server-setup/production.yml 
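Review bot: In the second backups.yml hunk (`@@ -153,5 +153,7 @@`) the cron entry is still identified only by `name: 'rotate backups'`, although `--backup_dir` now differs per inventory. production.yml and staging.yml in this series both list 165.22.110.53 as the backups host, and the cron module matches an existing entry by its name, so whichever environment is provisioned last would replace the other's rotation job and leave one directory unrotated. A name that includes the directory, such as `name: 'rotate backups {{ external_backup_server_remote_directory }}'`, keeps one entry per environment; the old unnamed-by-directory entry would need a one-off removal. Because the script presumably deletes files under whatever path it is given, I would also pass the value as `--backup_dir={{ external_backup_server_remote_directory | quote }}`. The task begins above the hunk, so its `user:` line is not visible here.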
@@ -50,3 +50,6 @@ backups: hosts: farajaland-qa: ansible_host: '165.22.110.53' + vars: + # @todo how many days to store backups for? + amount_of_backups_to_keep: 3 diff --git a/infrastructure/server-setup/qa.yml b/infrastructure/server-setup/qa.yml index 9ccf2ac5f..3c35b4f79 100644 --- a/infrastructure/server-setup/qa.yml +++ b/infrastructure/server-setup/qa.yml @@ -53,7 +53,6 @@ all: additional_keys_for_provisioning_user: - ssh-rsa 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 runner@fv-az1386-243 - ssh-rsa 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 runner@fv-az982-41 - amount_of_backups_to_keep: 3 docker-manager-first: hosts: farajaland-qa: diff --git a/infrastructure/server-setup/staging.yml b/infrastructure/server-setup/staging.yml index 1d34f18ec..e866d947e 100644 --- a/infrastructure/server-setup/staging.yml +++ b/infrastructure/server-setup/staging.yml @@ -52,3 +52,6 @@ backups: hosts: farajaland-qa: ansible_host: '165.22.110.53' + vars: + # @todo how many days to store backups for? + amount_of_backups_to_keep: 3 diff --git a/infrastructure/server-setup/tasks/backups/crontab.yml b/infrastructure/server-setup/tasks/backups/crontab.yml index c226c96b2..1370e3180 100644 --- a/infrastructure/server-setup/tasks/backups/crontab.yml +++ b/infrastructure/server-setup/tasks/backups/crontab.yml 
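Review bot: The `# @todo how many days to store backups for?` comment added in the production.yml hunk (and again in the staging.yml hunk) describes `amount_of_backups_to_keep` in days, while the variable name and the `--amount_to_keep` flag it feeds in backups.yml suggest a count of backups. With the backup cron in tasks/backups/crontab.yml firing once a day, a value of 3 would leave roughly three days of restore points for production, which is little margin if corruption or an intrusion is noticed late. I would replace the todo with a statement of the unit, for example `# Number of most recent backups kept on the backup server; rotate_backups.sh removes older ones` (assuming that is what the script does), and settle the production value before this merges.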
@@ -1,10 +1,17 @@ +- name: Copy backups.sh file to external_backup_server_user's home directory + copy: + src: ../backups/backup.sh + dest: '{{ crontab_user_home }}/backup.sh' + owner: 'root' + mode: 0755 + - name: 'Setup crontab to backup the opencrvs data' cron: user: '{{ crontab_user }}' name: 'backup opencrvs' minute: '0' hour: '0' - job: 'cd / && bash /opt/opencrvs/infrastructure/backups/backup.sh --passphrase={{ backup_encryption_passphrase }} --ssh_user={{ external_backup_server_user }} --ssh_host={{ external_backup_server_ip }} --ssh_port={{ external_backup_server_ssh_port }} --remote_dir={{ external_backup_server_remote_directory }} --replicas=1 >> /var/log/opencrvs-backup.log 2>&1' + job: 'bash {{ crontab_user_home }}/backup.sh --passphrase={{ backup_encryption_passphrase }} --ssh_user={{ external_backup_server_user }} --ssh_host={{ external_backup_server_ip }} --ssh_port={{ external_backup_server_ssh_port }} --remote_dir={{ external_backup_server_remote_directory }} --replicas=1 >> /var/log/opencrvs-backup.log 2>&1' state: "{{ 'present' if (external_backup_server_ip is defined and backup_encryption_passphrase and (enable_backups | default(false))) else 'absent' }}" ## From 411c3c73a78387de9d04e772e30c63912e89e65f Mon Sep 17 00:00:00 2001 From: Riku Rouvila Date: Mon, 29 Apr 2024 10:53:35 +0300 Subject: [PATCH 2/2] configure staging to take backups. backups are stored to a separate directory from production --- infrastructure/server-setup/group_vars/all.yml | 1 - infrastructure/server-setup/production.yml | 11 ++++++----- infrastructure/server-setup/staging.yml | 9 +++++---- 3 files changed, 11 insertions(+), 10 deletions(-) diff --git a/infrastructure/server-setup/group_vars/all.yml b/infrastructure/server-setup/group_vars/all.yml index 1529c0347..cf2927713 100644 --- a/infrastructure/server-setup/group_vars/all.yml +++ b/infrastructure/server-setup/group_vars/all.yml 
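Review bot: The rewritten `job:` line in the crontab.yml hunk still renders `--passphrase={{ backup_encryption_passphrase }}` into the crontab, so the encryption passphrase sits in plaintext in that user's crontab and is visible in the process list to other local users while the job runs. It is also interpolated unquoted, so a passphrase containing a space, `$` or `%` (which cron treats as a line break) would reach backup.sh altered or truncated, and backups could be encrypted with something other than the configured secret. Preferably backup.sh would read the passphrase from a file readable only by the cron user; failing that, `--passphrase={{ backup_encryption_passphrase | quote }}` covers the shell metacharacters, though not `%`. Separately, the new copy task's name mentions `backups.sh` and `external_backup_server_user's home directory` while it writes `backup.sh` to `{{ crontab_user_home }}`; I would rename it to `Copy backup.sh to crontab_user's home directory` and quote the mode as `mode: '0755'`.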
@@ -10,5 +10,4 @@ ansible_python_interpreter: /usr/bin/python3 encrypt_data: False swap_file_path: /swapfile swap_file_size_mb: 8000 -external_backup_server_remote_directory: /home/backup/backups external_backup_server_user: 'backup' diff --git a/infrastructure/server-setup/production.yml b/infrastructure/server-setup/production.yml index 7694a407f..3b3dc7252 100644 --- a/infrastructure/server-setup/production.yml +++ b/infrastructure/server-setup/production.yml @@ -12,11 +12,13 @@ all: # This configuration variable blocks all access to the server, including SSH, except from the IP addresses specified below. # This should always be set when configuring a production server if there is no other firewall in front of the server. # SSH and other services should never be exposed to the public internet. + only_allow_access_from_addresses: + - 165.22.110.53 + # Enable backups enable_backups: true + external_backup_server_remote_directory: /home/backup/backups # external_backup_server_ssh_port: Defined in --extra-vars by the provisioning pipeline # external_backup_server_ip: Defined in --extra-vars by the provisioning pipeline - only_allow_access_from_addresses: - - 165.22.110.53 users: # If you need to remove access from someone, do not remove them from this list, but instead set their state: absent - name: riku @@ -50,6 +52,5 @@ backups: hosts: farajaland-qa: ansible_host: '165.22.110.53' - vars: - # @todo how many days to store backups for? - amount_of_backups_to_keep: 3 + # @todo how many days to store backups for? + amount_of_backups_to_keep: 3 diff --git a/infrastructure/server-setup/staging.yml b/infrastructure/server-setup/staging.yml index e866d947e..1a4af906d 100644 --- a/infrastructure/server-setup/staging.yml +++ b/infrastructure/server-setup/staging.yml 
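Review bot: In the first production.yml hunk (`@@ -12,11 +12,13 @@`) `external_backup_server_remote_directory` becomes a per-inventory variable while the same patch removes its default from group_vars/all.yml, so any inventory that does not set it is left without a value; qa.yml is not touched in this series. The `job:` strings in backups.yml and tasks/backups/crontab.yml reference the variable unconditionally, and Ansible templates module arguments even when `state` resolves to `absent`, so those tasks would likely fail on such an inventory instead of being skipped. Either keep a default in group_vars or guard the tasks with `when: external_backup_server_remote_directory is defined`. An empty-string default is best avoided here, since the rotation job would then be pointed at an unintended path.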
@@ -13,7 +13,9 @@ all: # SSH and other services should never be exposed to the public internet. only_allow_access_from_addresses: - 165.22.110.53 - enable_backups: false + # Enable backups but write them to a different location from where production writes them + enable_backups: true + external_backup_server_remote_directory: /home/backup/staging-backups periodic_restore_from_backup: true # external_backup_server_ssh_port: Defined in --extra-vars by the provisioning pipeline # external_backup_server_ip: Defined in --extra-vars by the provisioning pipeline @@ -52,6 +54,5 @@ backups: hosts: farajaland-qa: ansible_host: '165.22.110.53' - vars: - # @todo how many days to store backups for? - amount_of_backups_to_keep: 3 + # @todo how many days to store backups for? + amount_of_backups_to_keep: 3
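Review bot: Separating staging from production only through `external_backup_server_remote_directory`, as the first staging.yml hunk does, still has both environments writing to the same backup host under the same account (`external_backup_server_user: 'backup'` in group_vars/all.yml), so the split is organisational rather than an access boundary. If staging's credentials for that account permit it (the key setup is not visible here), a compromised or misconfigured staging server could overwrite or delete the production backups under /home/backup/backups. Giving staging its own account, e.g. `external_backup_server_user: 'backup-staging'` next to the new directory, would let file permissions enforce the separation. It is also worth confirming what `periodic_restore_from_backup: true` reads from now that staging's directory differs from production's.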