separate tls and ssh setup

onaio · Aug 13, 2024 · e34a495 · e34a495
1 parent 69b932f
commit e34a495
Show file tree

Hide file tree

Showing 25 changed files with 204 additions and 73 deletions.
diff --git a/README.md b/README.md
@@ -6,7 +6,7 @@ Ansible role that installs and configures [pgbackrest](https://pgbackrest.org/).
 Requirements
 ------------
 
-- This role assumes that postgresql server has been set up and configured with archiving configurations enabled on the postgresql hosts.
+- This role assumes that postgresql server has been set up and configured with archiving configurations enabled on the postgresql hosts (pg-host).
 ````conf
 archive_command = 'pgbackrest --stanza=<stanza> archive-push %p'
 archive_mode = on
@@ -19,6 +19,8 @@ Role Variables
 --------------
 
 Check the [defaults/main.yml](./defaults/main.yml) file for the full list of default variables.
+> Ensure pgbackrest_is_pg_host and pgbackrest_is_repository_host are defined accordingly. 
+> They are both true by default, this supports the most basic set up i.e. one host for pg-host and repo-host. If more than one host is involved update the respective boolean configs.
 ````yaml
 ---
 pgbackrest_working_directory: /tmp/build
@@ -79,7 +81,7 @@ pgbackrest_log_directory: /var/log/pgbackrest
 pgbackrest_create_user: true
 pgbackrest_user: postgres
 pgbackrest_user_group: postgres
-pgbackrest_user_password: postgres
+pgbackrest_user_password: 
 pgbackrest_user_home: "/var/lib/postgresql"
 
 pgbackrest_is_pg_host: true
@@ -95,7 +97,7 @@ pgbackrest_temp_ssh_pub_key_export_directory: "/tmp/ansible-pgbackrest-ssh-keys"
 
 pgbackrest_ssh_pub_keys_to_import: []
 #  - src_host: 192.168.15.21
-#    authorized_keys_path: "{{ pgbackrest_user_home }}/.ssh/authorized_keys"
+#    authorized_keys_path: "{{ pgbackrest_user_home }}/.ssh/authorized_keys" # destination on current inventory_hostname
 #    owner: "{{ pgbackrest_user }}"
 #    group: "{{ pgbackrest_user_group }}"
 
@@ -152,7 +154,8 @@ Example Playbook
 ----------------
 
 Check for examples on the [example](./example) directory:
-- [dedicated-repository-host](./example/dedicated-repository-host) with tls.
+- [dedicated-repository-host-tls](./example/dedicated-repository-host-tls) with tls.
+- [dedicated-repository-host-ssh](./example/dedicated-repository-host-ssh) with ssh.
 - [same-repo-host-as-pg](./example/same-repo-host-as-pg).
 
 License

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -71,6 +71,8 @@ pgbackrest_user_password: ""
 pgbackrest_user_create_home: true
 pgbackrest_user_home: "/home/{{ pgbackrest_user }}"
 pgbackrest_user_ssh_key_type: ed25519
+pgbackrest_user_ssh_key_size:
+#pgbackrest_user_ssh_key_passphrase: ""
 pgbackrest_user_generate_ssh_key: true
 pgbackrest_user_ssh_key_file: ".ssh/id_{{ pgbackrest_user_ssh_key_type }}"
 pgbackrest_user_ssh_pub_key_file: ".ssh/id_{{ pgbackrest_user_ssh_key_type }}.pub"

diff --git a/example/dedicated-repository-host-ssh/README.md b/example/dedicated-repository-host-ssh/README.md
@@ -0,0 +1,3 @@
+# dedicated-repository-host-ssh
+This demonstrates how one can configure dedicated host (backup server) with a postgresql host with ssh.  
+
diff --git a/example/dedicated-repository-host-ssh/inventory/group_vars/all/vars.yml b/example/dedicated-repository-host-ssh/inventory/group_vars/all/vars.yml
@@ -0,0 +1 @@
+---
diff --git a/example/dedicated-repository-host-ssh/inventory/host_vars/pg1-host/vars.yml b/example/dedicated-repository-host-ssh/inventory/host_vars/pg1-host/vars.yml
@@ -0,0 +1,48 @@
+---
+pgbackrest_is_pg_host: true
+pgbackrest_is_repository_host: false
+
+pgbackrest_create_user: true
+pgbackrest_user: postgres
+pgbackrest_user_group: postgres
+pgbackrest_user_home: "/var/lib/postgresql"
+pgbackrest_user_password: ""
+
+pgbackrest_stanza_conf:
+  - name: main
+    content:
+      repo1-host: 192.168.15.25
+      pg1-path: /var/lib/postgresql/14/main
+      pg1-user: postgres
+      repo1-host-user: pgbackrest
+      log-level-file: detail
+
+pgbackrest_conf:
+  - name: global
+    content:
+      compress-level: 3
+
+pgbackrest_pg_host_users:
+  - name: postgres
+    group: postgres
+    password: ""
+
+pgbackrest_ssh_pub_keys_to_import:
+  - src_host: 192.168.15.25
+    authorized_keys_path: "{{ pgbackrest_user_home }}/.ssh/authorized_keys"
+    owner: "{{ pgbackrest_user }}"
+    group: "{{ pgbackrest_user_group }}"
+
+pgbackrest_cronjob:
+  - name: pgbackrest_full_backup
+    minute: "10"
+    hour: "06"
+    day: "*"
+    month: "*"
+    weekday: "0"
+    user: "{{ pgbackrest_user }}"
+    job: "pgbackrest --type=full --stanza=main backup"
+    cron_file: pgbackrest
+
+pgbackrest_pgpass_entries:
+  - "locahost:5432:postgres:pgbackrest:pgbackrest"
diff --git a/example/dedicated-repository-host-ssh/inventory/host_vars/repo1-host/vars.yml b/example/dedicated-repository-host-ssh/inventory/host_vars/repo1-host/vars.yml
@@ -0,0 +1,46 @@
+---
+pgbackrest_is_repository_host: true
+pgbackrest_is_pg_host: false
+
+pgbackrest_stanza_conf:
+  - name: main
+    content:
+      pg1-host: 192.168.15.24
+      pg1-path: /var/lib/postgresql/14/main
+      repo1-block: y
+      repo1-bundle: y
+      compress-level: 3
+      repo1-path: /var/lib/pgbackrest
+      repo1-cipher-pass: zWaf6XtpjIVZC5444yXB+cgFDFl7MxGlgkZSaoPvTGirhPygu4jOKOXf9LO4vjfO
+      repo1-cipher-type: aes-256-cbc
+      repo1-retention-full: 1
+      log-level-file: detail
+      start-fast: y
+      pg1-host-user: postgres
+
+pgbackrest_conf:
+  - name: global
+    content:
+      compress-level: 3
+
+pgbackrest_repo_host_users:
+  - name: pgbackrest
+    group: pgbackrest
+    password: ""
+
+pgbackrest_ssh_pub_keys_to_import:
+  - src_host: 192.168.15.24
+    authorized_keys_path: "{{ pgbackrest_user_home }}/.ssh/authorized_keys"
+    owner: "{{ pgbackrest_user }}"
+    group: "{{ pgbackrest_user_group }}"
+
+pgbackrest_cronjob:
+  - name: pgbackrest_full_backup
+    minute: "10"
+    hour: "06"
+    day: "*"
+    month: "*"
+    weekday: "0"
+    user: pgbackrest
+    job: "pgbackrest --type=full --stanza=main backup"
+    cron_file: pgbackrest
diff --git a/example/dedicated-repository-host-ssh/inventory/hosts b/example/dedicated-repository-host-ssh/inventory/hosts
@@ -0,0 +1,6 @@
+pg1-host ansible_host=192.168.15.24
+repo1-host ansible_host=192.168.15.25
+
+[all]
+pg1-host
+repo1-host
diff --git a/...le/dedicated-repository-host/playbook.yml → ...edicated-repository-host-ssh/playbook.yml b/...le/dedicated-repository-host/playbook.yml → ...edicated-repository-host-ssh/playbook.yml
diff --git a/example/dedicated-repository-host/README.md → ...e/dedicated-repository-host-tls/README.md b/example/dedicated-repository-host/README.md → ...e/dedicated-repository-host-tls/README.md
diff --git a/...epository-host/inventory/files/tls/ca.crt → ...itory-host-tls/inventory/files/tls/ca.crt b/...epository-host/inventory/files/tls/ca.crt → ...itory-host-tls/inventory/files/tls/ca.crt
diff --git a/...pository-host/inventory/files/tls/pg1.crt → ...tory-host-tls/inventory/files/tls/pg1.crt b/...pository-host/inventory/files/tls/pg1.crt → ...tory-host-tls/inventory/files/tls/pg1.crt
diff --git a/...pository-host/inventory/files/tls/pg1.key → ...tory-host-tls/inventory/files/tls/pg1.key b/...pository-host/inventory/files/tls/pg1.key → ...tory-host-tls/inventory/files/tls/pg1.key
diff --git a/...sitory-host/inventory/files/tls/repo1.crt → ...ry-host-tls/inventory/files/tls/repo1.crt b/...sitory-host/inventory/files/tls/repo1.crt → ...ry-host-tls/inventory/files/tls/repo1.crt
diff --git a/...sitory-host/inventory/files/tls/repo1.key → ...ry-host-tls/inventory/files/tls/repo1.key b/...sitory-host/inventory/files/tls/repo1.key → ...ry-host-tls/inventory/files/tls/repo1.key
diff --git a/...ry-host/inventory/group_vars/all/vars.yml → ...ost-tls/inventory/group_vars/all/vars.yml b/...ry-host/inventory/group_vars/all/vars.yml → ...ost-tls/inventory/group_vars/all/vars.yml
diff --git a/...ost/inventory/host_vars/pg1-host/vars.yml → ...tls/inventory/host_vars/pg1-host/vars.yml b/...ost/inventory/host_vars/pg1-host/vars.yml → ...tls/inventory/host_vars/pg1-host/vars.yml
@@ -40,11 +40,12 @@ pgbackrest_pg_host_users:
     group: postgres
     password: ""
 
-pgbackrest_ssh_pub_keys_to_import:
-  - src_host: 192.168.15.22
-    authorized_keys_path: "{{ pgbackrest_user_home }}/.ssh/authorized_keys"
-    owner: "{{ pgbackrest_user }}"
-    group: "{{ pgbackrest_user_group }}"
+#uncomment below then use *-host-type as ssh to switch to ssh
+#pgbackrest_ssh_pub_keys_to_import:
+#  - src_host: 192.168.15.22
+#    authorized_keys_path: "{{ pgbackrest_user_home }}/.ssh/authorized_keys"
+#    owner: "{{ pgbackrest_user }}"
+#    group: "{{ pgbackrest_user_group }}"
 
 pgbackrest_cronjob:
   - name: pgbackrest_full_backup

diff --git a/...t/inventory/host_vars/repo1-host/vars.yml → ...s/inventory/host_vars/repo1-host/vars.yml b/...t/inventory/host_vars/repo1-host/vars.yml → ...s/inventory/host_vars/repo1-host/vars.yml
@@ -1,5 +1,6 @@
 ---
 pgbackrest_is_repository_host: true
+pgbackrest_is_pg_host: false
 
 pgbackrest_stanza_conf:
   - name: main
@@ -40,11 +41,12 @@ pgbackrest_repo_host_users:
     group: pgbackrest
     password: ""
 
-pgbackrest_ssh_pub_keys_to_import:
-  - src_host: 192.168.15.21
-    authorized_keys_path: "{{ pgbackrest_user_home }}/.ssh/authorized_keys"
-    owner: "{{ pgbackrest_user }}"
-    group: "{{ pgbackrest_user_group }}"
+#uncomment below then use *-host-type as ssh to switch to ssh
+#pgbackrest_ssh_pub_keys_to_import:
+#  - src_host: 192.168.15.21
+#    authorized_keys_path: "{{ pgbackrest_user_home }}/.ssh/authorized_keys"
+#    owner: "{{ pgbackrest_user }}"
+#    group: "{{ pgbackrest_user_group }}"
 
 pgbackrest_cronjob:
   - name: pgbackrest_full_backup

diff --git a/...dedicated-repository-host/inventory/hosts → ...cated-repository-host-tls/inventory/hosts b/...dedicated-repository-host/inventory/hosts → ...cated-repository-host-tls/inventory/hosts
diff --git a/example/dedicated-repository-host-tls/playbook.yml b/example/dedicated-repository-host-tls/playbook.yml
@@ -0,0 +1,6 @@
+---
+- name: Set Up host
+  hosts: pg1-host,repo1-host
+  become: true
+  roles:
+    - role: ../../../ansible-pgbackrest
diff --git a/example/same-repo-host-as-pg/inventory/group_vars/all/vars.yml b/example/same-repo-host-as-pg/inventory/group_vars/all/vars.yml
@@ -57,7 +57,7 @@ pgbackrest_log_directory: /var/log/pgbackrest
 pgbackrest_create_user: true
 pgbackrest_user: postgres
 pgbackrest_user_group: postgres
-pgbackrest_user_password: postgres
+pgbackrest_user_password: ""
 pgbackrest_user_home: "/var/lib/postgresql"
 
 pgbackrest_is_pg_host: true

diff --git a/tasks/configure.yml b/tasks/configure.yml
@@ -33,33 +33,6 @@
     - pgbackrest-configuration-create-config-directory
     - pgbackrest-configuration
 
-- name: Configuration | create pgbackrest cert directory
-  ansible.builtin.file:
-    path: "{{ pgbackrest_cert_directory }}"
-    state: directory
-    mode: '0750'
-    owner: "{{ pgbackrest_user }}"
-    group: "{{ pgbackrest_user_group }}"
-  when: pgbackrest_setup_certificate
-  tags:
-    - pgbackrest-configuration-create-cert-directory
-    - pgbackrest-configuration
-
-- name: Configuration | import pgbackrest certificates
-  ansible.builtin.copy:
-    src: "{{ item }}"
-    dest: "{{ pgbackrest_cert_directory }}"
-    owner: "{{ pgbackrest_user }}"
-    group: "{{ pgbackrest_user_group }}"
-    mode: "0600"
-  when: pgbackrest_setup_certificate
-  with_items:
-    - "{{ pgbackrest_certificate_ca }}"
-    - "{{ pgbackrest_certificate_files }}"
-  tags:
-    - pgbackrest-configuration-import-pgbackrest-certificates
-    - pgbackrest-configuration
-
 - name: Configuration | update pgbackrest.conf
   ansible.builtin.template:
     src: "{{ pgbackrest_conf_template }}"
@@ -99,27 +72,3 @@
   tags:
     - pgbackrest-configuration-run-create-cronjob
     - pgbackrest-configuration
-
-- name: Configuration | setup pgbackrest.service
-  ansible.builtin.template:
-    src: "{{ pgbackrest_service_template }}"
-    dest: "{{ pgbackrest_service_path }}"
-    owner: "{{ pgbackrest_user }}"
-    group: "{{ pgbackrest_user_group }}"
-    mode: 0640
-  when: pgbackrest_setup_certificate
-  tags:
-    - pgbackrest-configuration-set-up-pgbackrest-service
-    - pgbackrest-configuration
-
-- name: Configuration | start pgbackrest.service
-  ansible.builtin.systemd_service:
-    state: started
-    daemon_reload: true
-    enabled: true
-    name: pgbackrest
-  when: pgbackrest_setup_certificate
-  tags:
-    - pgbackrest-configuration-set-up-pgbackrest-service
-    - pgbackrest-configuration-set-up-start-pgbackrest-service
-    - pgbackrest-configuration
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -2,13 +2,14 @@
 # tasks file for role
 - name: Setup-user
   ansible.builtin.import_tasks: setup-user.yml
+  when: pgbackrest_create_user
   tags:
     - pgbackrest
     - pgbackrest-setup-user
 
 - name: Setup-ssh
   ansible.builtin.import_tasks: setup-ssh.yml
-  when: not pgbackrest_setup_certificate
+  when: not pgbackrest_setup_certificate and (not (pgbackrest_is_pg_host and pgbackrest_is_repository_host))
   tags:
     - pgbackrest
     - pgbackrest-setup-ssh
@@ -25,6 +26,13 @@
     - pgbackrest
     - pgbackrest-configure
 
+- name: Setup-tls
+  ansible.builtin.import_tasks: setup-tls.yml
+  when: pgbackrest_setup_certificate
+  tags:
+    - pgbackrest
+    - pgbackrest-setup-tls
+
 - name: Post-install
   ansible.builtin.import_tasks: post-install.yml
   tags:

diff --git a/tasks/setup-ssh.yml b/tasks/setup-ssh.yml
@@ -20,10 +20,24 @@
     - pgbackrest-set-up-ssh-create-ssh-directory
     - pgbackrest-set-up-ssh
 
+- name: Set up ssh | generate an keypair
+  community.crypto.openssh_keypair:
+    path: "{{ pgbackrest_user_home }}/{{ pgbackrest_user_ssh_key_file }}"
+    size: "{{ pgbackrest_user_ssh_key_size }}"
+    type: "{{ pgbackrest_user_ssh_key_type }}"
+    owner: "{{ pgbackrest_user }}"
+    group: "{{ pgbackrest_user_group }}"
+    mode: 0600
+    passphrase: "{{ pgbackrest_user_ssh_key_passphrase | default(omit) }}"
+  when: pgbackrest_user_generate_ssh_key and not pgbackrest_setup_certificate
+  tags:
+    - pgbackrest-set-up-ssh-create-ssh-keypair
+    - pgbackrest-set-up-ssh
+
 - name: Set up ssh | fetch ssh public key from source host
   ansible.builtin.fetch:
     src: "{{ pgbackrest_user_home }}/{{ pgbackrest_user_ssh_pub_key_file }}"
-    dest: "{{ pgbackrest_temp_ssh_pub_key_export_directory }}/{{ inventory_hostname }}.pub"
+    dest: "{{ pgbackrest_temp_ssh_pub_key_export_directory }}/{{ ansible_host }}.pub"
     flat: true
   tags:
     - pgbackrest-set-up-ssh-fetch-public-ssh-key

diff --git a/tasks/setup-tls.yml b/tasks/setup-tls.yml
@@ -0,0 +1,47 @@
+---
+- name: Set up tls | create pgbackrest cert directory
+  ansible.builtin.file:
+    path: "{{ pgbackrest_cert_directory }}"
+    state: directory
+    mode: '0750'
+    owner: "{{ pgbackrest_user }}"
+    group: "{{ pgbackrest_user_group }}"
+  tags:
+    - pgbackrest-set-up-tls-create-cert-directory
+    - pgbackrest-set-up-tls
+
+- name: Set up tls | import pgbackrest certificates
+  ansible.builtin.copy:
+    src: "{{ item }}"
+    dest: "{{ pgbackrest_cert_directory }}"
+    owner: "{{ pgbackrest_user }}"
+    group: "{{ pgbackrest_user_group }}"
+    mode: "0600"
+  with_items:
+    - "{{ pgbackrest_certificate_ca }}"
+    - "{{ pgbackrest_certificate_files }}"
+  tags:
+    - pgbackrest-set-up-tls-import-pgbackrest-certificates
+    - pgbackrest-set-up-tls
+
+- name: Set up tls | setup pgbackrest.service
+  ansible.builtin.template:
+    src: "{{ pgbackrest_service_template }}"
+    dest: "{{ pgbackrest_service_path }}"
+    owner: "{{ pgbackrest_user }}"
+    group: "{{ pgbackrest_user_group }}"
+    mode: 0640
+  tags:
+    - pgbackrest-set-up-tls-set-up-pgbackrest-service
+    - pgbackrest-set-up-tls
+
+- name: Set up tls | start pgbackrest.service
+  ansible.builtin.systemd_service:
+    state: started
+    daemon_reload: true
+    enabled: true
+    name: pgbackrest
+  tags:
+    - pgbackrest-set-up-tls-set-up-pgbackrest-service
+    - pgbackrest-set-up-tls-set-up-start-pgbackrest-service
+    - pgbackrest-set-up-tls