Ajoute un rôle backup (surtout pour la bêta)

docs/backup.md

@@ -246,7 +246,7 @@ backup2extbackup()
 
 Les logs des sauvegardes sont dans le dossier `/var/log/zds/`.  Ils sont
 archivés par les instructions `logrotate` du fichier
-[`/etc/logrotate.d/zds-backup`](../roles/backup/files/logrotate-zds-backup).
+[`/etc/logrotate.d/zds-backup`](../roles/backup/templates/logrotate_zds-backup.j2).
 
 
 ## Perdre des données, cela n'arrive pas qu'aux autres !

playbook.yml

@@ -4,6 +4,8 @@
   roles:
     - role: common
       tags: bootstrap
+    - role: backup
+      tags: bootstrap
     - role: elasticsearch
       tags: bootstrap
     - role: mysql

roles/backup/tasks/main.yml

@@ -0,0 +1,60 @@
+- name: install borg
+  ansible.builtin.get_url:
+    url: https://github.com/borgbackup/borg/releases/download/1.1.17/borg-linux64
+    dest: /usr/local/bin/borg
+    mode: u=rwx,g=rx,o=rx
+
+- name: generate logrotate config file for backup logs
+  ansible.builtin.template:
+    src: "logrotate_zds-backup.j2"
+    dest: "/etc/logrotate.d/zds-backup"
+    mode: u=rw,g=r,o=r
+
+# On beta server:
+- name: create backup users on beta server
+  ansible.builtin.user:
+    name: "{{ item }}"
+    home: "/home/{{ item }}"
+    password: '!' # will do --disabled-password of adduser
+  with_items:
+    - zds-prod
+    - zds-matomo
+  when: env == "beta"
+
+- name: create .ssh folders for backup users on beta server
+  ansible.builtin.file:
+    path: "/home/{{ item }}/.ssh"
+    state: directory
+    owner: "{{ item }}"
+    group: "{{ item }}"
+    mode: u=rwx,g=,o=
+  with_items:
+    - zds-prod
+    - zds-matomo
+  when: env == "beta"
+
+- name: create .ssh/authorized_keys files for backup users on beta server
+  ansible.builtin.file:
+    path: "/home/{{ item }}/.ssh/authorized_keys"
+    state: touch
+    owner: "{{ item }}"
+    group: "{{ item }}"
+    mode: u=rw,g=,o=
+  with_items:
+    - zds-prod
+    - zds-matomo
+  when: env == "beta"
+
+- name: create backup cleaning script on beta server
+  ansible.builtin.template:
+    src: beta/cleaning.sh.j2
+    dest: /root/bin/backup_cleaning.sh
+    mode: u=rwx,g=r,o=
+  when: env == "beta"
+
+- name: create script to restore backup on beta server
+  ansible.builtin.template:
+    src: beta/restore-from-prod.sh.j2
+    dest: /root/bin/restore-from-prod.sh
+    mode: u=rwx,g=r,o=
+  when: env == "beta"

roles/backup/files/beta/cleaning.sh → roles/backup/templates/beta/cleaning.sh.j2

@@ -4,15 +4,15 @@ set -e
 
 echo "Starting script ($(date))"
 
-DATA_DB_RULES="--keep-within 30d -w 8 -m 3"
+DATA_DB_RULES="--keep-within 30d -w 6 -m 3"
 echo "** data ** ($(date))"
 sudo -u zds-prod /usr/local/bin/borg prune $DATA_DB_RULES --list --stats /opt/sauvegarde/data/
 echo "** db ** ($(date))"
 sudo -u zds-prod /usr/local/bin/borg prune $DATA_DB_RULES --list --stats /opt/sauvegarde/db-borg/
 echo "** matomo ** ($(date))"
 sudo -u zds-matomo /usr/local/bin/borg prune -m 1 --keep-within 9d --list --stats /opt/sauvegarde/matomo/
 
-curl -s -m 10 --retry 5 $(cat /root/healthchecks-backup-cleaning-url)
+curl -s -m 10 --retry 5 {{ secrets.healthcheck_urls.backup_cleaning }}
 echo # to make a newline after the "OK" written by curl
 
 echo "End of script ($(date))"

roles/backup/files/beta/restore-from-prod.sh → roles/backup/templates/beta/restore-from-prod.sh.j2

@@ -115,9 +115,9 @@ done
 readonly BACKUP_ROOT=/opt/sauvegarde
 readonly BORG_DB=$BACKUP_ROOT/db-borg
 readonly BORG_DATA=$BACKUP_ROOT/data
-readonly ZDS_ROOT=/opt/zds
+readonly ZDS_ROOT={{ workdir }}
 readonly ZDS_WRAPPER=$ZDS_ROOT/wrapper
-readonly HETRIX_URL_FILE=/root/hetrix-maintenance-url
+readonly HETRIX_URL="{{ secrets.hetrix_urls.maintenance }}"
 readonly BACKUP_DB_TMP=/root/db-tmp # rather work on / than /opt/sauvegarde: there is more free space
 readonly BACKUP_DB_TMP_FULL=$BACKUP_DB_TMP/var/backups/mysql # rather work on / than /opt/sauvegarde: there is more free space
 
@@ -196,13 +196,12 @@ fi
 if [ $stop_website -eq 1 ]
 then
 	print_info "stop-website" --bold
-	if [ -e $HETRIX_URL_FILE ]
-	then
-		print_info "Enable maintenance mode in Hetrix..."
-		# See https://hetrixtools.com/dashboard/api-explorer/ and "v2 Uptime Maintenance Mode":
-		curl $(cat $HETRIX_URL_FILE)3/
-		echo
-	fi
+
+	print_info "Enable maintenance mode in Hetrix..."
+	# See https://hetrixtools.com/dashboard/api-explorer/ and "v2 Uptime Maintenance Mode":
+	curl ${HETRIX_URL}3/
+	echo
+
 	cd $ZDS_ROOT/webroot
 	print_info "Enable maintenance page..."
 	ln -s errors/maintenance.html
@@ -243,7 +242,7 @@ fi
 if [ $update_mysql -eq 1 ]
 then
 	print_info "update-mysql" --bold
-	echo "ALTER USER 'zds'@'localhost' IDENTIFIED BY '$(sed -n '/databases.default/,/^password =/{p;/^password =/q}' /opt/zds/config.toml | tail -n 1 | sed -e 's/.*"\(.*\)"/\1/')'" | mysql
+	echo "ALTER USER 'zds'@'localhost' IDENTIFIED BY '$(sed -n '/databases.default/,/^password =/{p;/^password =/q}' $ZDS_ROOT/config.toml | tail -n 1 | sed -e 's/.*"\(.*\)"/\1/')'" | mysql
 fi
 
 # Restore the website data:
@@ -259,7 +258,7 @@ then
 	cd / # mandatory for the following borg command
 	print_info "Restore backup with borg..."
 	borg list --last 1 $BORG_DATA
-	borg extract --verbose --progress $BORG_DATA::$(borg list --last 1 --format '{archive}{NL}' $BORG_DATA) opt/zds/data
+	borg extract --verbose --progress $BORG_DATA::$(borg list --last 1 --format '{archive}{NL}' $BORG_DATA) ${ZDS_ROOT:1}/data
 fi
 
 if [ $update_zds -eq 1 ]
@@ -283,12 +282,10 @@ then
 	systemctl start zds-watchdog
 	print_info "Disable maintenance page..."
 	rm $ZDS_ROOT/webroot/maintenance.html
-	if [ -e $HETRIX_URL_FILE ]
-	then
-		print_info "Disable maintenance mode in Hetrix..."
-		curl $(cat $HETRIX_URL_FILE)1/
-		echo
-	fi
+
+	print_info "Disable maintenance mode in Hetrix..."
+	curl ${HETRIX_URL}1/
+	echo
 fi
 
 

roles/backup/files/logrotate-zds-backup → roles/backup/templates/logrotate_zds-backup.j2

@@ -1,8 +1,8 @@
-/var/log/zds/backups*.log {
+{{ logdir }}/backups*.log {
         rotate 52
         compress
-	size 2M
+        size 2M
         missingok
         notifempty
-	delaycompress
+        delaycompress
 }