diff --git a/ansible/files/pgbackrest_config/computed_globals.conf b/ansible/files/pgbackrest_config/computed_globals.conf
new file mode 100644
index 000000000..a1b92e934
--- /dev/null
+++ b/ansible/files/pgbackrest_config/computed_globals.conf
@@ -0,0 +1,8 @@
+[global]
+# process-max = 1
+
+[archive-get]
+# process-max = 1
+
+[archive-push]
+# process-max = 1
diff --git a/ansible/files/pgbackrest_config/pgbackrest.conf b/ansible/files/pgbackrest_config/pgbackrest.conf
new file mode 100644
index 000000000..92cefc13f
--- /dev/null
+++ b/ansible/files/pgbackrest_config/pgbackrest.conf
@@ -0,0 +1,17 @@
+[global]
+archive-async = n
+archive-copy = y
+backup-standby = prefer
+compress-type = zst
+delta = y
+expire-auto = n
+link-all = y
+log-level-console = info
+log-level-file = detail
+log-subprocess = y
+resume = n
+start-fast = y
+[supabase]
+pg1-path = /var/lib/postgresql/data
+pg1-socket-path = /run/postgresql
+pg1-user = supabase_admin
diff --git a/ansible/files/pgbackrest_config/repo1.conf b/ansible/files/pgbackrest_config/repo1.conf
new file mode 100644
index 000000000..d34274932
--- /dev/null
+++ b/ansible/files/pgbackrest_config/repo1.conf
@@ -0,0 +1,14 @@
+[supabase]
+repo1-block = y
+repo1-bundle = y
+# repo1-path =
+repo1-retention-diff = 1
+repo1-retention-full = 28
+repo1-retention-full-type = time
+repo1-retention-history = 0
+# repo1-s3-bucket=
+# repo1-s3-endpoint=
+repo1-s3-key-type = auto
+# repo1-s3-region =
+repo1-storage-upload-chunk-size = 10MiB
+repo1-type = s3
diff --git a/ansible/files/pgbackrest_config/repo1_async.conf b/ansible/files/pgbackrest_config/repo1_async.conf
new file mode 100644
index 000000000..e5f8846e2
--- /dev/null
+++ b/ansible/files/pgbackrest_config/repo1_async.conf
@@ -0,0 +1,2 @@
+[supabase]
+# archive-async = y
diff --git a/ansible/files/pgbackrest_config/repo1_encrypted.conf b/ansible/files/pgbackrest_config/repo1_encrypted.conf
new file mode 100644
index 000000000..8b7b7bbd5
--- /dev/null
+++ b/ansible/files/pgbackrest_config/repo1_encrypted.conf @@ -0,0 +1,3 @@ +[supabase] +# repo-cipher-pass = {{ generated pass }} +# repo-cipher-type = aes-256-cbc diff --git a/ansible/playbook.yml b/ansible/playbook.yml index 1dfb3f6dd..691bf8bcd 100644 --- a/ansible/playbook.yml +++ b/ansible/playbook.yml @@ -40,6 +40,10 @@ import_tasks: tasks/setup-wal-g.yml when: debpkg_mode or nixpkg_mode or stage2_nix + - name: Install pgBackRest + import_tasks: tasks/setup-pgbackrest.yml + when: debpkg_mode or nixpkg_mode or stage2_nix + - name: Install Gotrue import_tasks: tasks/setup-gotrue.yml tags: diff --git a/ansible/tasks/setup-pgbackrest.yml b/ansible/tasks/setup-pgbackrest.yml new file mode 100644 index 000000000..817b61e34 --- /dev/null +++ b/ansible/tasks/setup-pgbackrest.yml 
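Review bot: The `repo-cipher-pass` line in repo1_encrypted.conf is where the repository encryption passphrase will live once it is uncommented, and the "Move pgBackRest files to /etc/pgbackrest" task in setup-pgbackrest.yml installs every file from this directory with `mode: '0644'`, which leaves it readable by any local account. The files are already `owner: pgbackrest` and `group: postgres`, so `mode: '0640'` on that copy task (or at least for this one file) would limit the passphrase to the two accounts that need it, unless whatever fills in the value later also tightens the mode. `{{ generated pass }}` is not a valid Jinja expression and `ansible.legacy.copy` does not template, so the placeholder ships verbatim; a comment in the file naming what writes the real value would help, since that step is not visible in this diff.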
@@ -0,0 +1,84 @@
+- name: Create pgBackRest group
+ ansible.builtin.group:
+ name: pgbackrest
+ state: present
+ when: nixpkg_mode
+
+- name: Create pgBackRest user
+ ansible.builtin.user:
+ comment: pgBackRest user
+ group: pgbackrest
+ groups: pgbackrest, postgres
+ home: /var/lib/pgbackrest
+ name: pgbackrest
+ shell: /sbin/nologin
+ system: true
+ when: nixpkg_mode
+
+- name: Install pgBackRest
+ become: true
+ become_user: pgbackrest
+ ansible.builtin.shell: |
+ sudo -u pgbackrest bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile install github:supabase/postgres/{{ git_commit_sha }}#pg-backrest"
+ changed_when: true
+ when: stage2_nix
+
+- name: Create needed directories for pgBackRest
+ ansible.legacy.file:
+ group: postgres
+ mode: '0770'
+ owner: pgbackrest
+ path: "{{ backrest_dir }}"
+ state: directory
+ loop:
+ - /etc/pgbackrest/conf.d
+ - /var/lib/pgbackrest
+ - /var/spool/pgbackrest
+ - /var/log/pgbackrest
+ loop_control:
+ loop_var: backrest_dir
+ when: nixpkg_mode
+
+- name: Symlink pgbackrest.conf
+ ansible.legacy.file:
+ force: true
+ path: /etc/pgbackrest/pgbackrest.conf
+ src: /etc/pgbackrest.conf
+ state: link
+
+- name: Move pgBackRest files to /etc/pgbackrest
+ ansible.legacy.copy:
+ group: postgres
+ dest: "/etc/pgbackrest/{{ conf_item['path'] }}/{{ conf_item['name'] }}"
+ mode: '0644'
+ owner: pgbackrest
+ src: "files/pgbackrest_config/{{ conf_item['name'] }}"
+ loop:
+ - {name: computed_globals.conf, path: conf.d}
+ - {name: pgbackrest.conf, path: ''}
+ - {name: repo1_async.conf, path: conf.d}
+ - {name: repo1_encrypted.conf, path: conf.d}
+ - {name: repo1.conf, path: conf.d}
+ loop_control:
+ loop_var: conf_item
+ when: stage2_nix
+
+- name: Configure sudoers for pgBackRest
+ ansible.builtin.lineinfile:
+ create: yes
+ line: 'postgres ALL=(pgbackrest) NOPASSWD: /var/lib/pgbackrest/.nix-profile/bin/pgbackrest'
+ mode: '0440'
+ path: '/etc/sudoers.d/pgbackrest'
+ validate: 'visudo -cf %s'
+
+- name: Create pgBackRest wrapper script
+ ansible.builtin.copy:
+ content: |
+ #!/bin/bash
+ _raw_args="$@"
+ _sanitized_args=$(echo $_raw_args | sed -e 's/--cmd=[^ ]*//g; s/--repo-host-cmd=[^ ]*//g; s/--config=[^ ]*//g' )
+ exec sudo -u pgbackrest /var/lib/pgbackrest/.nix-profile/bin/pgbackrest "$_sanitized_args"
+ dest: '/usr/bin/pgbackrest'
+ group: 'root'
+ mode: '0755'
+ owner: 'root'
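Review bot: The wrapper script's `exec` line passes `"$_sanitized_args"` as a single quoted word, so any call with more than one argument reaches pgbackrest as one argv element. Before that, `_raw_args="$@"` and the unquoted `echo $_raw_args` have already flattened and re-split the arguments, which loses quoting and lets `echo` interpret a leading `-n` or `-e`. The sed filter is a denylist that matches only the `--opt=value` spelling of its three options. The sudoers line in the task above also lets postgres run the real binary as pgbackrest with any arguments, so if the filtering is meant as a restriction it has to be enforced by what sudoers permits, not only by this wrapper. I would filter argument by argument into an array and exec with `"${_args[@]}"`, as below; the separate-word spelling would need the same treatment if pgbackrest accepts it.

```yaml
- name: Create pgBackRest wrapper script
  ansible.builtin.copy:
    content: |
      #!/bin/bash
      # Drop the options callers must not override; keep every other
      # argument as its own word so quoting survives.
      _args=()
      for _arg in "$@"; do
        case "$_arg" in
          --cmd=*|--repo-host-cmd=*|--config=*) ;;
          *) _args+=("$_arg") ;;
        esac
      done
      exec sudo -u pgbackrest /var/lib/pgbackrest/.nix-profile/bin/pgbackrest "${_args[@]}"
    # … unchanged: dest, group, mode, owner …
```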