From 5f91790bd21c8af7e0ef19ab966cfa464dc1112a Mon Sep 17 00:00:00 2001 From: bartoszbetka Date: Fri, 28 Jun 2019 11:24:42 +0200 Subject: [PATCH] Add nginx endpoint that allows downloading encrypted postgres backups --- sheetstorm-deployment/configure-sheetstorm-server.yml | 7 +++++++ sheetstorm-deployment/consts.yml | 1 + .../configure_nginx/templates/sheetstorm-local.j2 | 8 ++++++++ .../configure_nginx/templates/sheetstorm-remote.j2 | 11 +++++++++++ .../roles/postgres_backup/templates/pg_backup.sh.j2 | 2 +- 5 files changed, 28 insertions(+), 1 deletion(-) diff --git a/sheetstorm-deployment/configure-sheetstorm-server.yml b/sheetstorm-deployment/configure-sheetstorm-server.yml index d6e64bf00..5c845e4db 100644 --- a/sheetstorm-deployment/configure-sheetstorm-server.yml +++ b/sheetstorm-deployment/configure-sheetstorm-server.yml @@ -4,6 +4,7 @@ - consts.yml - versions.yml - ../../sheetstorm-config/var.yml + - ../../sheetstorm-secret/var.yml vars: server_configuration: remote roles: @@ -48,5 +49,11 @@ user: root job: /usr/bin/certbot renew --quiet + - name: Add secret file that contain credentials to nginx endpoint with postgresql backups + copy: + src: "{{ sheetstorm_secret_dir}}/htpasswd" + dest: "/etc/nginx/htpasswd" + mode: 0644 + - include_role: name: configure_nginx diff --git a/sheetstorm-deployment/consts.yml b/sheetstorm-deployment/consts.yml index d8655257e..7bcc8c275 100644 --- a/sheetstorm-deployment/consts.yml +++ b/sheetstorm-deployment/consts.yml @@ -9,3 +9,4 @@ static_file_dir: "{{ sheetstorm_dir }}/sheetstorm/static/" django_fixtures_dir: "{{ sheetstorm_dir }}/sheetstorm/fixtures" sheetstorm_virtualenv_dir: "{{ home_dir }}/virtualenv" postgres_backup_public_key_dir: "{{ home_dir }}/.key" +postgres_backup_dir: "{{ home_dir }}/postgresql_backup" diff --git a/sheetstorm-deployment/roles/configure_nginx/templates/sheetstorm-local.j2 b/sheetstorm-deployment/roles/configure_nginx/templates/sheetstorm-local.j2 index 79d6d62d6..f9c195a31 100644 
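Review bot: The new copy task in configure-sheetstorm-server.yml installs `/etc/nginx/htpasswd` with `mode: 0644` and no `owner`/`group`, so every local account on the server can read the password hashes that guard the backup endpoint. Restrict it to root plus the account the nginx workers run as, for example `owner: root`, `group: <nginx-worker-group>` (placeholder, use this host's value) and `mode: "0640"`. Quoting the mode also avoids depending on how the YAML parser reads a leading-zero integer. Minor wording: the task name should read "contains", and `{{ sheetstorm_secret_dir}}` is missing the space before the closing braces.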
--- a/sheetstorm-deployment/roles/configure_nginx/templates/sheetstorm-local.j2 +++ b/sheetstorm-deployment/roles/configure_nginx/templates/sheetstorm-local.j2 @@ -25,6 +25,14 @@ server { } + location /postgres-backup/ { + allow 172.30.2.1; + deny all; + + limit_except GET { deny all; } + alias {{ postgres_backup_dir }}/; + } + location /static/ { alias {{ static_file_dir }}; } diff --git a/sheetstorm-deployment/roles/configure_nginx/templates/sheetstorm-remote.j2 b/sheetstorm-deployment/roles/configure_nginx/templates/sheetstorm-remote.j2 index bac374e39..9d16a0138 100644 --- a/sheetstorm-deployment/roles/configure_nginx/templates/sheetstorm-remote.j2 +++ b/sheetstorm-deployment/roles/configure_nginx/templates/sheetstorm-remote.j2 @@ -22,6 +22,17 @@ server { proxy_pass $sheetstorm_backend; } + + location /postgres-backup/ { + allow {{ allow_ip_to_postgres_backup_endpoint }}; + deny all; + auth_basic "closed site"; + auth_basic_user_file htpasswd; + + limit_except GET { deny all; } + alias {{ postgres_backup_dir }}/; + } + location /static/ { alias {{ static_file_dir }}; } diff --git a/sheetstorm-deployment/roles/postgres_backup/templates/pg_backup.sh.j2 b/sheetstorm-deployment/roles/postgres_backup/templates/pg_backup.sh.j2 index 9e53d2128..f6572e3d2 100755 --- a/sheetstorm-deployment/roles/postgres_backup/templates/pg_backup.sh.j2 +++ b/sheetstorm-deployment/roles/postgres_backup/templates/pg_backup.sh.j2 @@ -1,7 +1,7 @@ #!/bin/bash -e database_name="$1" -POSTGRESQL_BACKUP_DIR=~/postgresql_backup +POSTGRESQL_BACKUP_DIR={{ postgres_backup_dir }} DATE=$(date +"%Y-%m-%d-%H:%M") SHEETSTORM_VERSION="$(cd {{ sheetstorm_dir}}/; git describe --always --abbrev=16)"
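Review bot: In the sheetstorm-remote.j2 location, `auth_basic_user_file htpasswd;` is a relative path, so nginx resolves it against its configuration prefix and finds the file copied to `/etc/nginx/htpasswd` only if that prefix is `/etc/nginx`. Writing `auth_basic_user_file /etc/nginx/htpasswd;` ties the template to the copy task's `dest` explicitly. The enclosing `server {` block starts outside the hunk, so please confirm this location sits in the TLS listener, because Basic credentials are sent with every request and are only base64-encoded. `allow_ip_to_postgres_backup_endpoint` is not defined in this patch (presumably it comes from the newly included sheetstorm-secret/var.yml); a short comment above the `allow` line naming where it is set would help the next reader.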
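Review bot: `POSTGRESQL_BACKUP_DIR` now points at the directory that nginx serves under `/postgres-backup/`, so every file the script leaves there becomes downloadable, not only the finished encrypted archive. The rest of pg_backup.sh.j2 is outside the hunk; if it writes a plaintext dump into this directory before encrypting it, that file is reachable through the endpoint for that window, and the intermediate output should go to a private temporary directory instead. Separately, the assignment is unquoted: `POSTGRESQL_BACKUP_DIR="{{ postgres_backup_dir }}"` keeps a rendered path containing spaces intact.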