From 5be45c37e642a02c0b8ef9c00e1e9cbebfdfd65e Mon Sep 17 00:00:00 2001
From: Jim Chanco Jr
Date: Wed, 29 Oct 2025 14:00:07 -0400
Subject: [PATCH 1/6] feat(ansible): add pgBackRest tasks and configurations
---
.../pgbackrest_config/computed_globals.conf | 8 ++
.../files/pgbackrest_config/pgbackrest.conf | 17 +++++
ansible/files/pgbackrest_config/repo1.conf | 14 ++++
.../files/pgbackrest_config/repo1_async.conf | 2 +
.../pgbackrest_config/repo1_encrypted.conf | 3 +
ansible/playbook.yml | 4 +
ansible/tasks/setup-pgbackrest.yml | 74 +++++++++++++++++++
7 files changed, 122 insertions(+)
create mode 100644 ansible/files/pgbackrest_config/computed_globals.conf
create mode 100644 ansible/files/pgbackrest_config/pgbackrest.conf
create mode 100644 ansible/files/pgbackrest_config/repo1.conf
create mode 100644 ansible/files/pgbackrest_config/repo1_async.conf
create mode 100644 ansible/files/pgbackrest_config/repo1_encrypted.conf
create mode 100644 ansible/tasks/setup-pgbackrest.yml
diff --git a/ansible/files/pgbackrest_config/computed_globals.conf b/ansible/files/pgbackrest_config/computed_globals.conf
new file mode 100644
index 000000000..a1b92e934
--- /dev/null
+++ b/ansible/files/pgbackrest_config/computed_globals.conf
@@ -0,0 +1,8 @@
+[global]
+# process-max = 1
+
+[archive-get]
+# process-max = 1
+
+[archive-push]
+# process-max = 1
diff --git a/ansible/files/pgbackrest_config/pgbackrest.conf b/ansible/files/pgbackrest_config/pgbackrest.conf
new file mode 100644
index 000000000..92cefc13f
--- /dev/null
+++ b/ansible/files/pgbackrest_config/pgbackrest.conf
@@ -0,0 +1,17 @@
+[global]
+archive-async = n
+archive-copy = y
+backup-standby = prefer
+compress-type = zst
+delta = y
+expire-auto = n
+link-all = y
+log-level-console = info
+log-level-file = detail
+log-subprocess = y
+resume = n
+start-fast = y
+[supabase]
+pg1-path = /var/lib/postgresql/data
+pg1-socket-path = /run/postgresql
+pg1-user = supabase_admin
diff --git a/ansible/files/pgbackrest_config/repo1.conf b/ansible/files/pgbackrest_config/repo1.conf
new file mode 100644
index 000000000..d34274932
--- /dev/null
+++ b/ansible/files/pgbackrest_config/repo1.conf
@@ -0,0 +1,14 @@
+[supabase]
+repo1-block = y
+repo1-bundle = y
+# repo1-path =
+repo1-retention-diff = 1
+repo1-retention-full = 28
+repo1-retention-full-type = time
+repo1-retention-history = 0
+# repo1-s3-bucket=
+# repo1-s3-endpoint=
+repo1-s3-key-type = auto
+# repo1-s3-region =
+repo1-storage-upload-chunk-size = 10MiB
+repo1-type = s3
diff --git a/ansible/files/pgbackrest_config/repo1_async.conf b/ansible/files/pgbackrest_config/repo1_async.conf
new file mode 100644
index 000000000..e5f8846e2
--- /dev/null
+++ b/ansible/files/pgbackrest_config/repo1_async.conf
@@ -0,0 +1,2 @@
+[supabase]
+# archive-async = y
diff --git a/ansible/files/pgbackrest_config/repo1_encrypted.conf b/ansible/files/pgbackrest_config/repo1_encrypted.conf
new file mode 100644
index 000000000..8b7b7bbd5
--- /dev/null
+++ b/ansible/files/pgbackrest_config/repo1_encrypted.conf
@@ -0,0 +1,3 @@
+[supabase]
+# repo-cipher-pass = {{ generated pass }}
+# repo-cipher-type = aes-256-cbc
diff --git a/ansible/playbook.yml b/ansible/playbook.yml
index 0991a813a..f0115d61a 100644
--- a/ansible/playbook.yml
+++ b/ansible/playbook.yml
@@ -40,6 +40,10 @@ import_tasks: tasks/setup-wal-g.yml when: debpkg_mode or nixpkg_mode or stage2_nix + - name: Install pgBackRest + import_tasks: tasks/setup-pgbackrest.yml + when: debpkg_mode or nixpkg_mode or stage2_nix + - name: Install Gotrue import_tasks: tasks/setup-gotrue.yml tags:
diff --git a/ansible/tasks/setup-pgbackrest.yml b/ansible/tasks/setup-pgbackrest.yml
new file mode 100644
index 000000000..52725e48d
--- /dev/null
+++ b/ansible/tasks/setup-pgbackrest.yml
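Review bot: repo1_encrypted.conf is the file meant to hold the repository passphrase, yet the "Move pgBackRest files to /etc/pgbackrest" task in setup-pgbackrest.yml installs every file in its loop with `mode: '0644'`, and the `0770` directory that would shield it is only created `when: nixpkg_mode` while the copy runs `when: stage2_nix`. Give this one file a tighter mode of its own, for example `mode: '0640'` with owner pgbackrest and group postgres, instead of relying on the directory. The commented keys use the unindexed spelling `repo-cipher-pass` / `repo-cipher-type` while repo1.conf uses `repo1-*` throughout; `# repo1-cipher-pass =` and `# repo1-cipher-type = aes-256-cbc` would be consistent. `{{ generated pass }}` is not a valid Jinja expression and the file is shipped with `copy` rather than `template`, so a comment stating where the passphrase is generated and written would help the next reader.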
@@ -0,0 +1,74 @@
+- name: Create pgBackRest group
+ group:
+ name: pgbackrest
+ state: present
+ when: nixpkg_mode
+
+- name: Create pgBackRest user
+ user:
+ name: pgbackrest
+ comment: pgBackRest user
+ group: pgbackrest
+ groups: pgbackrest, postgres
+ shell: /sbin/nologin
+ system: true
+ home: /var/lib/pgbackrest
+ when: nixpkg_mode
+
+- name: Install pgBackRest
+ become: yes
+ shell: |
+ sudo -u pgbackrest bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile install github:supabase/postgres/{{ git_commit_sha }}#pg-backrest"
+ when: stage2_nix
+
+- name: Create needed directories for pgBackRest
+ file:
+ path: "{{ backrest_dir }}"
+ state: directory
+ owner: pgbackrest
+ group: postgres
+ mode: '0770'
+ loop:
+ - /etc/pgbackrest/conf.d
+ - /var/lib/pgbackrest
+ - /var/spool/pgbackrest
+ - /var/log/pgbackrest
+ loop_control:
+ loop_var: backrest_dir
+ when: nixpkg_mode
+
+- name: Symlink pgbackrest.conf
+ file:
+ path: /etc/pgbackrest/pgbackrest.conf
+ src: /etc/pgbackrest.conf
+ type: link
+ force: true
+
+- name: Move pgBackRest files to /etc/pgbackrest
+ copy:
+ dest: "/etc/pgbackrest/{{ conf_item['path'] }}/{{ conf_item['name'] }}"
+ group: postgres
+ mode: '0644'
+ owner: pgbackrest
+ src: "files/pgbackrest_config/{{ conf_item['name'] }}"
+ loop:
+ - {name: computed_globals.conf, path: conf.d}
+ - {name: pgbackrest.conf, path: ''}
+ - {name: repo1_async.conf, path: conf.d}
+ - {name: repo1_encrypted.conf, path: conf.d}
+ - {name: repo1.conf, path: conf.d}
+ loop_control:
+ loop_var: conf_item
+ when: stage2_nix
+
+- name: Symlink pgBackRest binary
+ file:
+ path: /usr/bin/pgbackrest
+ src: /var/lib/postgresql/.nix.profile/bin/pgbackrest
+ type: link
+
+- name: Sticky bit the pgBackRest binary
+ file:
+ path: /var/lib/postgresql/nix.profile/bin/pgbackrest
+ mode: '4755'
+ become: true
From 32ffedef3fd6132d9e56118fe41fe8252adb7790 Mon Sep 17 00:00:00 2001
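Review bot: The last task of the new setup-pgbackrest.yml (PATCH 1/6) is named "Sticky bit the pgBackRest binary", but `mode: '4755'` sets the setuid bit, and together with the world-execute bit it lets every local account run pgbackrest with the file owner's privileges. If setuid is really intended, name the task accordingly and narrow it, e.g. `mode: '4750'` with `group: postgres`, so that only the postgres group can execute the binary. The path in this task (`/var/lib/postgresql/nix.profile/...`) also differs from the one in the preceding symlink task (`.nix.profile`), so the two tasks do not refer to the same file. Neither of these two tasks carries the `when:` condition used by the tasks that create the user and its directories.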
From: Jim Chanco Jr
Date: Wed, 29 Oct 2025 14:57:51 -0400
Subject: [PATCH 2/6] fix(setup-pgbackrest.yml): update nix install path
---
ansible/tasks/setup-pgbackrest.yml | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/ansible/tasks/setup-pgbackrest.yml b/ansible/tasks/setup-pgbackrest.yml
index 52725e48d..ffa8ef4b0 100644
--- a/ansible/tasks/setup-pgbackrest.yml
+++ b/ansible/tasks/setup-pgbackrest.yml
@@ -16,7 +16,8 @@ when: nixpkg_mode - name: Install pgBackRest - become: yes + become: true + become_user: pgbackrest shell: | sudo -u pgbackrest bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile install github:supabase/postgres/{{ git_commit_sha }}#pg-backrest" when: stage2_nix
@@ -28,12 +29,12 @@ owner: pgbackrest group: postgres mode: '0770' - loop: + loop: - /etc/pgbackrest/conf.d - /var/lib/pgbackrest - /var/spool/pgbackrest - /var/log/pgbackrest - loop_control: + loop_control: loop_var: backrest_dir when: nixpkg_mode
@@ -45,7 +46,7 @@ force: true - name: Move pgBackRest files to /etc/pgbackrest - copy: + copy: dest: "/etc/pgbackrest/{{ conf_item['path'] }}/{{ conf_item['name'] }}" group: postgres mode: '0644'
@@ -62,13 +63,13 @@ when: stage2_nix - name: Symlink pgBackRest binary - file: + file: path: /usr/bin/pgbackrest - src: /var/lib/postgresql/.nix.profile/bin/pgbackrest + src: /var/lib/pgbackrest/.nix-profile/bin/pgbackrest type: link - name: Sticky bit the pgBackRest binary - file: - path: /var/lib/postgresql/nix.profile/bin/pgbackrest + file: + path: /var/lib/pgbackrest/.nix-profile/bin/pgbackrest mode: '4755' become: true
From 16c6474b22c5d17053175d1bf076fa5b004e1c21 Mon Sep 17 00:00:00 2001
From: Jim Chanco Jr
Date: Wed, 29 Oct 2025 15:01:10 -0400
Subject: [PATCH 3/6] fix(setup-pgbackrest.yml): fix file module
---
ansible/tasks/setup-pgbackrest.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
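Review bot: In the first hunk of PATCH 2/6 ("Install pgBackRest"), `become_user: pgbackrest` is added but the command still begins with `sudo -u pgbackrest bash -c`, so sudo is now invoked by the pgbackrest account itself and presumably only succeeds if that service account has a sudoers entry. Keep a single mechanism: with `become_user` in place the script body can be reduced to sourcing `nix-daemon.sh` and running `nix profile install`, without the `sudo -u pgbackrest bash -c "…"` wrapper. That also avoids any need to grant the service account sudo rights. The task body continues outside the hunk only by its trailing context; the last hunk of this commit keeps `mode: '4755'` on the binary at its new path.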
diff --git a/ansible/tasks/setup-pgbackrest.yml b/ansible/tasks/setup-pgbackrest.yml
index ffa8ef4b0..d89212d4b 100644
--- a/ansible/tasks/setup-pgbackrest.yml
+++ b/ansible/tasks/setup-pgbackrest.yml
@@ -42,7 +42,7 @@ file: path: /etc/pgbackrest/pgbackrest.conf src: /etc/pgbackrest.conf - type: link + state: link force: true - name: Move pgBackRest files to /etc/pgbackrest
@@ -66,7 +66,7 @@ file: path: /usr/bin/pgbackrest src: /var/lib/pgbackrest/.nix-profile/bin/pgbackrest - type: link + state: link - name: Sticky bit the pgBackRest binary file:
From 9bb0eb88ce2e1645d264fe7671106e074fe1de0e Mon Sep 17 00:00:00 2001
From: Jim Chanco Jr
Date: Wed, 29 Oct 2025 15:25:48 -0400
Subject: [PATCH 4/6] fix(setup-pgbackrest.yml): errant indentation fix
---
ansible/tasks/setup-pgbackrest.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ansible/tasks/setup-pgbackrest.yml b/ansible/tasks/setup-pgbackrest.yml
index d89212d4b..a0395107f 100644
--- a/ansible/tasks/setup-pgbackrest.yml
+++ b/ansible/tasks/setup-pgbackrest.yml
@@ -70,6 +70,6 @@ - name: Sticky bit the pgBackRest binary file: - path: /var/lib/pgbackrest/.nix-profile/bin/pgbackrest + path: /var/lib/pgbackrest/.nix-profile/bin/pgbackrest mode: '4755' become: true
From 56e3d228265c2c84f7390073c7af99af24f6aea0 Mon Sep 17 00:00:00 2001
From: Douglas J Hunley
Date: Thu, 30 Oct 2025 10:17:15 -0400
Subject: [PATCH 5/6] fix(setup-pgbackrest): adjust as per Sam
---
ansible/tasks/setup-pgbackrest.yml | 26 ++++++++++++++++----------
1 file changed, 16 insertions(+), 10 deletions(-)
diff --git a/ansible/tasks/setup-pgbackrest.yml b/ansible/tasks/setup-pgbackrest.yml
index a0395107f..73935705b 100644
--- a/ansible/tasks/setup-pgbackrest.yml
+++ b/ansible/tasks/setup-pgbackrest.yml
@@ -62,14 +62,20 @@ loop_var: conf_item when: stage2_nix -- name: Symlink pgBackRest binary - file: - path: /usr/bin/pgbackrest - src: /var/lib/pgbackrest/.nix-profile/bin/pgbackrest - state: link +- name: Configure sudoers for pgBackRest + ansible.builtin.lineinfile: + create: yes + line: 'postgres ALL=(pgbackrest) NOPASSWD: /var/lib/pgbackrest/.nix-profile/bin/pgbackrest' + mode: '0440' + path: '/etc/sudoers.d/pgbackrest' + validate: 'visudo -cf %s' -- name: Sticky bit the pgBackRest binary - file: - path: /var/lib/pgbackrest/.nix-profile/bin/pgbackrest - mode: '4755' - become: true +- name: Create pgBackRest wrapper script + ansible.builtin.copy: + content: | + #!/bin/bash + exec sudo -u pgbackrest /var/lib/pgbackrest/.nix-profile/bin/pgbackrest "$@" + dest: '/usr/bin/pgbackrest' + group: 'root' + mode: '0755' + owner: 'root'
From 6b71d69def7c84d60cf3367adc2f0ffeb61b4255 Mon Sep 17 00:00:00 2001
From: Jim Chanco Jr
Date: Thu, 30 Oct 2025 10:57:13 -0400
Subject: [PATCH 6/6] style(setup-pgbackrest.yml): ansible-lint
---
ansible/tasks/setup-pgbackrest.yml | 33 +++++++++---------
1 file changed, 17 insertions(+), 16 deletions(-)
diff --git a/ansible/tasks/setup-pgbackrest.yml b/ansible/tasks/setup-pgbackrest.yml
index a0395107f..0d29b29cd 100644
--- a/ansible/tasks/setup-pgbackrest.yml
+++ b/ansible/tasks/setup-pgbackrest.yml
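Review bot: The sudoers rule added in PATCH 5/6 permits `/var/lib/pgbackrest/.nix-profile/bin/pgbackrest`, but PATCH 1/6 creates `/var/lib/pgbackrest` as owner pgbackrest, group postgres, `mode: '0770'`, so the postgres account that the rule is meant to confine can write to the directory that holds the permitted path. A sudoers command should resolve only through directories the invoking user cannot modify; either point the rule and the wrapper at a root-owned location or create `/var/lib/pgbackrest` with `mode: '0750'`. The rule also places no restriction on arguments, so postgres may pass any pgbackrest option as the pgbackrest user; a comment stating that this is intended would help. On the sudoers file itself, prefer `create: true` and set `owner: root` and `group: root` explicitly. The hunk begins inside the preceding copy task, whose start is outside it.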
@@ -1,34 +1,35 @@ - name: Create pgBackRest group - group: + ansible.builtin.group: name: pgbackrest state: present when: nixpkg_mode - name: Create pgBackRest user - user: - name: pgbackrest + ansible.builtin.user: comment: pgBackRest user group: pgbackrest groups: pgbackrest, postgres + home: /var/lib/pgbackrest + name: pgbackrest shell: /sbin/nologin system: true - home: /var/lib/pgbackrest when: nixpkg_mode - name: Install pgBackRest become: true become_user: pgbackrest - shell: | + ansible.builtin.shell: | sudo -u pgbackrest bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile install github:supabase/postgres/{{ git_commit_sha }}#pg-backrest" + changed_when: true when: stage2_nix - name: Create needed directories for pgBackRest - file: - path: "{{ backrest_dir }}" - state: directory - owner: pgbackrest + ansible.legacy.file: group: postgres mode: '0770' + owner: pgbackrest + path: "{{ backrest_dir }}" + state: directory loop: - /etc/pgbackrest/conf.d - /var/lib/pgbackrest
@@ -39,16 +40,16 @@ when: nixpkg_mode - name: Symlink pgbackrest.conf - file: + ansible.legacy.file: + force: true path: /etc/pgbackrest/pgbackrest.conf src: /etc/pgbackrest.conf state: link - force: true - name: Move pgBackRest files to /etc/pgbackrest - copy: - dest: "/etc/pgbackrest/{{ conf_item['path'] }}/{{ conf_item['name'] }}" + ansible.legacy.copy: group: postgres + dest: "/etc/pgbackrest/{{ conf_item['path'] }}/{{ conf_item['name'] }}" mode: '0644' owner: pgbackrest src: "files/pgbackrest_config/{{ conf_item['name'] }}"
@@ -63,13 +64,13 @@ when: stage2_nix - name: Symlink pgBackRest binary - file: + ansible.legacy.file: path: /usr/bin/pgbackrest src: /var/lib/pgbackrest/.nix-profile/bin/pgbackrest state: link - name: Sticky bit the pgBackRest binary - file: - path: /var/lib/pgbackrest/.nix-profile/bin/pgbackrest + ansible.legacy.file: mode: '4755' + path: /var/lib/pgbackrest/.nix-profile/bin/pgbackrest become: true
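Review bot: The last hunk of PATCH 6/6 still contains the "Symlink pgBackRest binary" and "Sticky bit the pgBackRest binary" (`mode: '4755'`) tasks, and its `index a0395107f..` base is the same as that of PATCH 5/6, which deletes both tasks in favour of the sudoers rule and wrapper script. The two commits therefore edit the same lines from the same parent, so the merge result should be checked to make sure the setuid task does not come back. In the first hunk the command still calls `sudo -u pgbackrest` under `become_user: pgbackrest`, which this lint pass leaves in place. The modules are also split between `ansible.builtin.*` and `ansible.legacy.*`; using `ansible.builtin.file` and `ansible.builtin.copy` throughout would match the tasks added in PATCH 5/6.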