Added back-up.yml
This commit is contained in:
parent
a21f4a6020
commit
216d2cfc11
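--- a/.gitignore
+++ b/.gitignore
@@ -2,4 +2,5 @@ vars/secrets.yml
 templates/conf/users_database.yml.j2
 templates/conf/configuration.yml.j2
 files/firefox
+production
 .hidden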
12
README.md
12
README.md
@ -1,9 +1,11 @@
|
|||||||
# Ansible playbook to deploy Docker services to Opnxng
|
# Ansible playbook for Opnxng deployment
|
||||||
|
|
||||||
An Ansible playbook to deploy Docker services to our servers.
|
An Ansible playbook to deploy Docker services to our servers and another to back up important data.
|
||||||
|
|
||||||
`ansible-playbook -i "production" "deploy.yml"`
|
`ansible-playbook -i "production" "deploy.yml"`
|
||||||
|
|
||||||
|
`ansible-playbook -i "production" "back-up.yml"`
|
||||||
|
|
||||||
## Services
|
## Services
|
||||||
|
|
||||||
The services are hosted on one Vultr and four Oracle servers. A [variables file](vars/services.yml) defines the services to be deployed or already deployed.
|
The services are hosted on one Vultr and four Oracle servers. A [variables file](vars/services.yml) defines the services to be deployed or already deployed.
|
||||||
@ -12,9 +14,11 @@ They are deployed with [Compose files](templates/compose) and load balanced acco
|
|||||||
|
|
||||||
## Configurations
|
## Configurations
|
||||||
|
|
||||||
Our SearXNG instance uses a custom [settings.yml](templates/conf/settings.yml.j2) that always include upstream changes. It is updated by hand with reference to [Pussthecat.org's configuration](https://github.com/PussTheCat-org/PussTheCat.org-Configs/tree/master/Services/SearXNG).
|
Our SearXNG instance uses a custom [settings.yml](templates/conf/settings.yml.j2) that always include upstream changes. It is updated by hand with reference to [Pussthecat.org's configuration](https://github.com/PussTheCat-org/PussTheCat.org-Configs/tree/master/Services/SearXNG). Thanks to [TheFrenchGhosty](https://github.com/PussTheCat-org).
|
||||||
|
|
||||||
Passwords and other sensitive data are kept locally as encrypted variables in [secrets.yml](/opnxng/ansible-opnxng-deploy). We host an Authelia and Firefox stack that is restricted to specific users only. Their related files are also kept locally.
|
Data of our Privatebin, Etherpad, and Gitea instance are backed up periodically.
|
||||||
|
|
||||||
|
Passwords and other sensitive data are kept locally as encrypted variables in [secrets.yml](vars/secrets.example.yml). We host an Authelia and Firefox stack that is restricted to specific users only. Their related files are also kept locally.
|
||||||
|
|
||||||
## Contact
|
## Contact
|
||||||
Please contact us via [email](mailto:opnxng@tuta.io) if you discover any vulnerability or area for improvement in our infrastructure. We would truly appreciate it.
|
Please contact us via [email](mailto:opnxng@tuta.io) if you discover any vulnerability or area for improvement in our infrastructure. We would truly appreciate it.
|
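--- /dev/null
+++ b/back-up.yml
@@ -0,0 +1,211 @@
+---
+- name: Back up
+  hosts: all
+  gather_facts: false
+  become: true
+  vars_files:
+    - vars/secrets.yml
+  tasks:
+
+    # ----------------------------------------------------------------------------------------------------
+
+    - name: Get current date
+      shell: date +%Y-%m-%d
+      run_once: true
+      register: current_date
+
+    # ----------------------------------------------------------------------------------------------------
+
+    - name: Stop Privatebin
+      command: docker stop privatebin
+      when: inventory_hostname == 'oracle1'
+
+    - name: Set permissions of privatebin directory
+      file:
+        path: "{{ docker_dir }}/privatebin/data"
+        state: directory
+        owner: 1000
+        group: 1000
+        mode: 0755
+        recurse: yes
+      when: inventory_hostname == 'oracle1'
+
+    - name: Compress privatebin directory
+      shell: "zip -r --password {{ backup_zip_password }} privatebin_{{ current_date.stdout }}.zip data"
+      args:
+        chdir: "{{ docker_dir }}/privatebin/"
+      when: inventory_hostname == 'oracle1'
+
+    - name: Set permissions of privatebin directory
+      file:
+        path: "{{ docker_dir }}/privatebin/data"
+        state: directory
+        owner: 65534
+        group: 82
+        mode: 0700
+        recurse: yes
+      when: inventory_hostname == 'oracle1'
+
+    - name: Start Privatebin
+      command: docker start privatebin
+      when: inventory_hostname == 'oracle1'
+
+    - name: Copy privatebin.zip
+      copy:
+        src: "{{ oracle1_nfs_docker_dir_on_control_host }}/privatebin/privatebin_{{ current_date.stdout }}.zip"
+        dest: "{{ backup_path_on_control_host }}/"
+        owner: 0
+        group: 0
+        mode: 0644
+      when: inventory_hostname == 'oracle1'
+      delegate_to: "{{ control_host }}"
+
+    - name: Remove privatebin.zip on remote server
+      file:
+        path: "{{ docker_dir }}/privatebin/privatebin_{{ current_date.stdout }}.zip"
+        state: absent
+      when: inventory_hostname == 'oracle1'
+
+    # To Restore:
+    # cd ./Docker/privatebin
+    # sudo unzip privatebin_2023-11-11.zip
+    # sudo chown -R 65534:82 {{ docker_dir }}/privatebin/data
+
+    # ----------------------------------------------------------------------------------------------------
+
+    - name: Backup Etherpaddb
+      command: "docker exec -e PGPASSWORD={{ etherpad_db_pass }} etherpaddb sh -c 'PGPASSWORD={{ etherpad_db_pass }} pg_dump -Ft -U etherpad etherpad > /backups/etherpaddb_{{ current_date.stdout }}.tar'"
+      when: inventory_hostname == 'oracle3'
+
+    - name: Prune Etherpaddb on remote server
+      command: find {{ docker_dir }}/etherpad/backups -type f -mtime +2 -delete
+      when: inventory_hostname == 'oracle3'
+
+    - name: Copy Etherpaddb backups
+      copy:
+        src: "{{ oracle3_nfs_docker_dir_on_control_host }}/etherpad/backups/"
+        dest: "{{ backup_path_on_control_host }}/"
+        owner: 0
+        group: 0
+        mode: 0644
+      when: inventory_hostname == 'oracle3'
+      delegate_to: "{{ control_host }}"
+
+    # ----------------------------------------------------------------------------------------------------
+
+    - name: Stop gitea
+      command: docker stop gitea
+      when: inventory_hostname == 'oracle3'
+
+    - name: Stop gitea-db
+      command: docker stop gitea-db
+      when: inventory_hostname == 'oracle3'
+
+    - name: Compress gitea directory
+      archive:
+        path: "{{ docker_dir }}/gitea/data/"
+        dest: "{{ docker_dir }}/gitea/gitea_{{ current_date.stdout }}.tar"
+        format: tar
+      when: inventory_hostname == 'oracle3'
+
+    - name: Copy gitea.tar
+      copy:
+        src: "{{ oracle3_nfs_docker_dir_on_control_host }}/gitea/gitea_{{ current_date.stdout }}.tar"
+        dest: "{{ backup_path_on_control_host }}/gitea_{{ current_date.stdout }}.tar"
+        owner: 0
+        group: 0
+        mode: 0644
+      when: inventory_hostname == 'oracle3'
+      delegate_to: "{{ control_host }}"
+
+    - name: Remove gitea.tar on remote server
+      file:
+        path: "{{ docker_dir }}/gitea/gitea_{{ current_date.stdout }}.tar"
+        state: absent
+      when: inventory_hostname == 'oracle3'
+
+    - name: Start gitea
+      command: docker start gitea
+      when: inventory_hostname == 'oracle3'
+
+    - name: Start gitea-db
+      command: docker start gitea-db
+      when: inventory_hostname == 'oracle3'
+
+    # ----------------------------------------------------------------------------------------------------
+
+    # - name: Stop ntfy
+    #   command: docker stop ntfy
+    #   when: inventory_hostname == 'oracle3'
+
+    # - name: Compress ntfy directory
+    #   archive:
+    #     path: "{{ docker_dir }}/ntfy/"
+    #     dest: "{{ docker_dir }}/ntfy.tar"
+    #     format: tar
+    #   become: true
+    #   when: inventory_hostname == 'oracle3'
+
+    # - name: Copy ntfy.tar
+    #   copy:
+    #     src: "{{ oracle3_nfs_docker_dir_on_control_host }}/ntfy.tar"
+    #     dest: "{{ backup_path_on_control_host }}/ntfy.tar"
+    #     owner: 1000
+    #     group: 1000
+    #     mode: 0755
+    #   when: inventory_hostname == 'oracle3'
+    #   delegate_to: "{{ control_host }}"
+
+    # - name: Remove ntfy.tar
+    #   file:
+    #     path: "{{ docker_dir }}/ntfy.tar"
+    #     state: absent
+    #   when: inventory_hostname == 'oracle3'
+
+    # - name: Start ntfy
+    #   command: docker start ntfy
+    #   when: inventory_hostname == 'oracle3'
+
+    # ----------------------------------------------------------------------------------------------------
+
+    - name: Remove old weekly files from send
+      command: find {{ docker_dir }}/send/uploads/ -name 7-\* -mmin +10130 -exec rm {} \;
+      when: inventory_hostname == 'oracle1'
+
+    - name: Remove old daily files from send
+      command: find {{ docker_dir }}/send/uploads/ -name 1-\* -mmin +1500 -exec rm {} \;
+      when: inventory_hostname == 'oracle1'
+
+    # - name: Compress send directory
+    #   archive:
+    #     path: "{{ docker_dir }}/send"
+    #     dest: "{{ docker_dir }}/send.tar"
+    #     format: tar
+    #   delegate_to: oracle1
+    #   tags: never
+    #   when: inventory_hostname == 'oracle1'
+
+    # - name: Copy send.tar
+    #   copy:
+    #     src: "{{ oracle1_nfs_docker_dir_on_control_host }}/send.tar"
+    #     dest: "{{ backup_path_on_control_host }}/send.tar"
+    #     owner: 1000
+    #     group: 1000
+    #     mode: 0755
+    #   tags: never
+    #   when: inventory_hostname == 'oracle1'
+    #   delegate_to: "{{ control_host }}"
+
+    # - name: Remove send.tar
+    #   file:
+    #     path: "{{ docker_dir }}/send.tar"
+    #     state: absent
+    #   tags: never
+    #   when: inventory_hostname == 'oracle1'
+
+    # ----------------------------------------------------------------------------------------------------
+
+    - name: Prune outdated backups
+      command: find "{{ backup_path_on_control_host }}/" -type f -mtime +90 -delete
+      run_once: true
+      delegate_to: "{{ control_host }}"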
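Review bot: `backup_zip_password` and `etherpad_db_pass` are interpolated straight into the command line of the "Compress privatebin directory" and "Backup Etherpaddb" tasks, so they are exposed in the remote process list and shell history and, because neither task sets `no_log`, in Ansible's task output and any log it writes. Add `no_log: true` to both tasks, quote the interpolation so a password containing shell metacharacters cannot break or alter the command (`shell: "zip -r --password {{ backup_zip_password | quote }} privatebin_{{ current_date.stdout }}.zip data"`), and drop the duplicated inner `PGPASSWORD=` in the pg_dump command since `docker exec -e PGPASSWORD=...` already exports it into the container. Note that Info-ZIP's `--password` uses the legacy ZipCrypto scheme unless the installed build has AES support, so it should not be the only protection of the archive at rest. The closing "Prune outdated backups" task runs `find "{{ backup_path_on_control_host }}/" -type f -mtime +90 -delete` on the control host, which degrades to `find "/" ...` if that variable is ever set to an empty string; guard it with an `assert` that the variable is non-empty (or a `when: backup_path_on_control_host | length > 0`) before the task runs.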
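--- a/production
+++ /dev/null
@@ -1,30 +0,0 @@
-oracle:
-  hosts:
-    oracle1:
-      ansible_host: [REDACTED]
-    oracle2:
-      ansible_host: [REDACTED]
-    oracle3:
-      ansible_host: [REDACTED]
-    oracle4:
-      ansible_host: [REDACTED]
-  vars:
-    ansible_ssh_private_key_file: [REDACTED]
-    ansible_user: [REDACTED]
-    ansible_ssh_port: [REDACTED]
-    pipelining: true
-    ansible_ssh_common_args: "-o StrictHostKeyChecking=no"
-    ansible_python_interpreter: /usr/bin/python3
-
-# ----------------------------------------------------------------------------------------------------
-
-cloudcompute:
-  hosts:
-    vultr:
-      ansible_host: [REDACTED]
-      ansible_ssh_private_key_file: [REDACTED]
-      ansible_user: [REDACTED]
-      ansible_ssh_port: [REDACTED]
-      pipelining: true
-      ansible_ssh_common_args: "-o StrictHostKeyChecking=no"
-      ansible_python_interpreter: /usr/bin/python3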