From 216d2cfc110f98c9cf11e94dbedf58252171acdf Mon Sep 17 00:00:00 2001 From: Opnxng Date: Sat, 11 Nov 2023 21:15:57 +0800 Subject: [PATCH] Added back-up.yml --- .gitignore | 1 + README.md | 12 ++- back-up.yml | 211 ++++++++++++++++++++++++++++++++++++++++++++++++++++ production | 30 -------- 4 files changed, 220 insertions(+), 34 deletions(-) create mode 100755 back-up.yml delete mode 100644 production diff --git a/.gitignore b/.gitignore index 3615dc7..cbbaa72 100644 --- a/.gitignore +++ b/.gitignore @@ -2,4 +2,5 @@ vars/secrets.yml templates/conf/users_database.yml.j2 templates/conf/configuration.yml.j2 files/firefox +production .hidden \ No newline at end of file diff --git a/README.md b/README.md index 9a93870..50c5196 100644 --- a/README.md +++ b/README.md @@ -1,9 +1,11 @@ -# Ansible playbook to deploy Docker services to Opnxng +# Ansible playbook for Opnxng deployment -An Ansible playbook to deploy Docker services to our servers. +An Ansible playbook to deploy Docker services to our servers and another to back up important data. `ansible-playbook -i "production" "deploy.yml"` +`ansible-playbook -i "production" "back-up.yml"` + ## Services The services are hosted on one Vultr and four Oracle servers. A [variables file](vars/services.yml) defines the services to be deployed or already deployed. 
@@ -12,9 +14,11 @@ They are deployed with [Compose files](templates/compose) and load balanced acco ## Configurations -Our SearXNG instance uses a custom [settings.yml](templates/conf/settings.yml.j2) that always include upstream changes. It is updated by hand with reference to [Pussthecat.org's configuration](https://github.com/PussTheCat-org/PussTheCat.org-Configs/tree/master/Services/SearXNG). +Our SearXNG instance uses a custom [settings.yml](templates/conf/settings.yml.j2) that always include upstream changes. It is updated by hand with reference to [Pussthecat.org's configuration](https://github.com/PussTheCat-org/PussTheCat.org-Configs/tree/master/Services/SearXNG). Thanks to [TheFrenchGhosty](https://github.com/PussTheCat-org). -Passwords and other sensitive data are kept locally as encrypted variables in [secrets.yml](/opnxng/ansible-opnxng-deploy). We host an Authelia and Firefox stack that is restricted to specific users only. Their related files are also kept locally. +Data of our Privatebin, Etherpad, and Gitea instance are backed up periodically. + +Passwords and other sensitive data are kept locally as encrypted variables in [secrets.yml](vars/secrets.example.yml). We host an Authelia and Firefox stack that is restricted to specific users only. Their related files are also kept locally. ## Contact Please contact us via [email](mailto:opnxng@tuta.io) if you discover any vulnerability or area for improvement in our infrastructure. We would truly appreciate it. \ No newline at end of file diff --git a/back-up.yml b/back-up.yml new file mode 100755 index 0000000..505fa2e --- /dev/null +++ b/back-up.yml 
@@ -0,0 +1,211 @@
+---
+- name: Back up
+ hosts: all
+ gather_facts: false
+ become: true
+ vars_files:
+ - vars/secrets.yml
+ tasks:
+
+# ----------------------------------------------------------------------------------------------------
+
+ - name: Get current date
+ shell: date +%Y-%m-%d
+ run_once: true
+ register: current_date
+
+# ----------------------------------------------------------------------------------------------------
+
+ - name: Stop Privatebin
+ command: docker stop privatebin
+ when: inventory_hostname == 'oracle1'
+
+ - name: Set permissions of privatebin directory
+ file:
+ path: "{{ docker_dir }}/privatebin/data"
+ state: directory
+ owner: 1000
+ group: 1000
+ mode: 0755
+ recurse: yes
+ when: inventory_hostname == 'oracle1'
+
+ - name: Compress privatebin directory
+ shell: "zip -r --password {{ backup_zip_password }} privatebin_{{ current_date.stdout }}.zip data"
+ args:
+ chdir: "{{ docker_dir }}/privatebin/"
+ when: inventory_hostname == 'oracle1'
+
+ - name: Set permissions of privatebin directory
+ file:
+ path: "{{ docker_dir }}/privatebin/data"
+ state: directory
+ owner: 65534
+ group: 82
+ mode: 0700
+ recurse: yes
+ when: inventory_hostname == 'oracle1'
+
+ - name: Start Privatebin
+ command: docker start privatebin
+ when: inventory_hostname == 'oracle1'
+
+ - name: Copy privatebin.zip
+ copy:
+ src: "{{ oracle1_nfs_docker_dir_on_control_host }}/privatebin/privatebin_{{ current_date.stdout }}.zip"
+ dest: "{{ backup_path_on_control_host }}/"
+ owner: 0
+ group: 0
+ mode: 0644
+ when: inventory_hostname == 'oracle1'
+ delegate_to: "{{ control_host }}"
+
+ - name: Remove privatebin.zip on remote server
+ file:
+ path: "{{ docker_dir }}/privatebin/privatebin_{{ current_date.stdout }}.zip"
+ state: absent
+ when: inventory_hostname == 'oracle1'
+
+ # To Restore:
+ # cd ./Docker/privatebin
+ # sudo unzip privatebin_2023-11-11.zip
+ # sudo chown -R 65534:82 {{ docker_dir }}/privatebin/data
+
+# ----------------------------------------------------------------------------------------------------
+
+ - name: Backup Etherpaddb
+ command: "docker exec -e PGPASSWORD={{ etherpad_db_pass }} etherpaddb sh -c 'PGPASSWORD={{ etherpad_db_pass }} pg_dump -Ft -U etherpad etherpad > /backups/etherpaddb_{{ current_date.stdout }}.tar'"
+ when: inventory_hostname == 'oracle3'
+
+ - name: Prune Etherpaddb on remote server
+ command: find {{ docker_dir }}/etherpad/backups -type f -mtime +2 -delete
+ when: inventory_hostname == 'oracle3'
+
+ - name: Copy Etherpaddb backups
+ copy:
+ src: "{{ oracle3_nfs_docker_dir_on_control_host }}/etherpad/backups/"
+ dest: "{{ backup_path_on_control_host }}/"
+ owner: 0
+ group: 0
+ mode: 0644
+ when: inventory_hostname == 'oracle3'
+ delegate_to: "{{ control_host }}"
+
+# ----------------------------------------------------------------------------------------------------
+
+ - name: Stop gitea
+ command: docker stop gitea
+ when: inventory_hostname == 'oracle3'
+
+ - name: Stop gitea-db
+ command: docker stop gitea-db
+ when: inventory_hostname == 'oracle3'
+
+ - name: Compress gitea directory
+ archive:
+ path: "{{ docker_dir }}/gitea/data/"
+ dest: "{{ docker_dir }}/gitea/gitea_{{ current_date.stdout }}.tar"
+ format: tar
+ when: inventory_hostname == 'oracle3'
+
+ - name: Copy gitea.tar
+ copy:
+ src: "{{ oracle3_nfs_docker_dir_on_control_host }}/gitea/gitea_{{ current_date.stdout }}.tar"
+ dest: "{{ backup_path_on_control_host }}/gitea_{{ current_date.stdout }}.tar"
+ owner: 0
+ group: 0
+ mode: 0644
+ when: inventory_hostname == 'oracle3'
+ delegate_to: "{{ control_host }}"
+
+ - name: Remove gitea.tar on remote server
+ file:
+ path: "{{ docker_dir }}/gitea/gitea_{{ current_date.stdout }}.tar"
+ state: absent
+ when: inventory_hostname == 'oracle3'
+
+ - name: Start gitea
+ command: docker start gitea
+ when: inventory_hostname == 'oracle3'
+
+ - name: Start gitea-db
+ command: docker start gitea-db
+ when: inventory_hostname == 'oracle3'
+
+# ----------------------------------------------------------------------------------------------------
+
+ # - name: Stop ntfy
+ # command: docker stop ntfy
+ # when: inventory_hostname == 'oracle3'
+
+ # - name: Compress ntfy directory
+ # archive:
+ # path: "{{ docker_dir }}/ntfy/"
+ # dest: "{{ docker_dir }}/ntfy.tar"
+ # format: tar
+ # become: true
+ # when: inventory_hostname == 'oracle3'
+
+ # - name: Copy ntfy.tar
+ # copy:
+ # src: "{{ oracle3_nfs_docker_dir_on_control_host }}/ntfy.tar"
+ # dest: "{{ backup_path_on_control_host }}/ntfy.tar"
+ # owner: 1000
+ # group: 1000
+ # mode: 0755
+ # when: inventory_hostname == 'oracle3'
+ # delegate_to: "{{ control_host }}"
+
+ # - name: Remove ntfy.tar
+ # file:
+ # path: "{{ docker_dir }}/ntfy.tar"
+ # state: absent
+ # when: inventory_hostname == 'oracle3'
+
+ # - name: Start ntfy
+ # command: docker start ntfy
+ # when: inventory_hostname == 'oracle3'
+
+# ----------------------------------------------------------------------------------------------------
+
+ - name: Remove old weekly files from send
+ command: find {{ docker_dir }}/send/uploads/ -name 7-\* -mmin +10130 -exec rm {} \;
+ when: inventory_hostname == 'oracle1'
+
+ - name: Remove old daily files from send
+ command: find {{ docker_dir }}/send/uploads/ -name 1-\* -mmin +1500 -exec rm {} \;
+ when: inventory_hostname == 'oracle1'
+
+ # - name: Compress send directory
+ # archive:
+ # path: "{{ docker_dir }}/send"
+ # dest: "{{ docker_dir }}/send.tar"
+ # format: tar
+ # delegate_to: oracle1
+ # tags: never
+ # when: inventory_hostname == 'oracle1'
+
+ # - name: Copy send.tar
+ # copy:
+ # src: "{{ oracle1_nfs_docker_dir_on_control_host }}/send.tar"
+ # dest: "{{ backup_path_on_control_host }}/send.tar"
+ # owner: 1000
+ # group: 1000
+ # mode: 0755
+ # tags: never
+ # when: inventory_hostname == 'oracle1'
+ # delegate_to: "{{ control_host }}"
+
+ # - name: Remove send.tar
+ # file:
+ # path: "{{ docker_dir }}/send.tar"
+ # state: absent
+ # tags: never
+ # when: inventory_hostname == 'oracle1'
+
+# ----------------------------------------------------------------------------------------------------
+
+ - name: Prune outdated backups
+ command: find "{{ backup_path_on_control_host }}/" -type f -mtime +90 -delete
+ run_once: true
+ delegate_to: "{{ control_host }}"
\ No newline at end of file
diff --git a/production b/production
deleted file mode 100644
index 63c202d..0000000
--- a/production
+++ /dev/null
@@ -1,30 +0,0 @@
-oracle:
- hosts:
- oracle1:
- ansible_host: [REDACTED]
- oracle2:
- ansible_host: [REDACTED]
- oracle3:
- ansible_host: [REDACTED]
- oracle4:
- ansible_host: [REDACTED]
- vars:
- ansible_ssh_private_key_file: [REDACTED]
- ansible_user: [REDACTED]
- ansible_ssh_port: [REDACTED]
- pipelining: true
- ansible_ssh_common_args: "-o StrictHostKeyChecking=no"
- ansible_python_interpreter: /usr/bin/python3
-
-# ----------------------------------------------------------------------------------------------------
-
-cloudcompute:
- hosts:
- vultr:
- ansible_host: [REDACTED]
- ansible_ssh_private_key_file: [REDACTED]
- ansible_user: [REDACTED]
- ansible_ssh_port: [REDACTED]
- pipelining: true
- ansible_ssh_common_args: "-o StrictHostKeyChecking=no"
- ansible_python_interpreter: /usr/bin/python3
\ No newline at end of file
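Review bot: The `Compress privatebin directory` and `Backup Etherpaddb` tasks interpolate `{{ backup_zip_password }}` and `{{ etherpad_db_pass }}` into the command string, so both secrets end up in the task result (`cmd`), in any Ansible log, and in the remote host's process list for the lifetime of the command; the zip task additionally relies on zip's legacy `--password` encryption, which is weak and not a substitute for encrypting the backup properly. At minimum add `no_log: true` to both tasks, and for the dump pass the password via the task's `environment:` with `docker exec -e PGPASSWORD etherpaddb sh -c 'pg_dump …'` (no `=value`, so the client environment is forwarded) instead of writing it into the `sh -c` string. The gitea tar and the Etherpad dumps are copied to the control host unencrypted with `mode: 0644` (world-readable), so `mode: "0600"` is the safer default for all three copy tasks, and quoting the octal modes also avoids the YAML integer trap. Nothing restarts Privatebin or gitea/gitea-db if a task between `docker stop` and `docker start` fails, so wrapping each stop→archive→start sequence in a `block:` with the starts in `always:` would keep an error from leaving the service down. The final `find "{{ backup_path_on_control_host }}/" -type f -mtime +90 -delete` runs as root on the control host, and an empty value would turn it into a sweep of `/`; an `assert` that the variable is defined and non-empty before the prune is cheap insurance.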