libravatar: fix cert path for postfix, add backup config

2019-03-09 20:58:02 +01:00 · 2019-03-09 20:58:02 +01:00 · 9a596b78cc
commit 9a596b78cc
parent c07ff326a4
5 changed files with 41 additions and 5 deletions
--- a/inventory/group_vars/libravatar
+++ b/inventory/group_vars/libravatar
@ -6,3 +6,4 @@ cdn_server_alias: seccdn.libravatar.org
 server_redirect_name: "libravatar.org libravatar.com www.libravatar.com"
 server_cert_name: libravatar.org
 cdn_server_cert_name: cdn.libravatar.org
+prod_pubkey: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzOpYy2W3hqlvrdpbprv1BAvxh9IsjlVizzxKBo7FvKcj6Xwk1UZXqQqQTBSgEAsuYhTiTIcHK3V4y6xwrSvVQJy0ciqBtPdrAp8z8S+2xBx4uvdc8sb2n8XQGIEkJHel6wIHE+0mCv/PoHn9OPc+bjNFQkncmb7SKbiojll7kiWGdmVzgutrwUULqXcDbsZ1u+HL8Edh7v43IwmK9nVAeA8K8W9rab1EIlFL1oh5z1rrgxV7Gv9OVLbh4NI95DFrHHNEaeH2PpWrdVAYypMSGg2rTOH+mbgYsHhCbA9KRCKkJAqXlOBymGsQuO0yFv2gTzLx+8BkJ3IrXYdhFvoLt root@libravatar.fedorainfracloud.org"
--- a/roles/libravatar/files/cron.daily/backup
+++ b/roles/libravatar/files/cron.daily/backup
@ -0,0 +1,18 @@
+#!/bin/bash
+
+stgcred=root@libravatar-stg.fedorainfracloud.org
+dumpfile=/tmp/libravatar-db-"$(date +'%d-%m-%Y')".dump.gz.gpg
+datafile=/tmp/libravatar-data-"$(date +'%d-%m-%Y')".tar.gz.gpg
+data_tmpfile=/tmp/libravatar-data-"$(date +'%d-%m-%Y')".tar.gz
+ssh "$stgcred" "mkdir -p /prod-backup"
+
+runuser -u postgres pg_dump libravatar | gzip | gpg2 -c --batch --passphrase-file /mnt/data/.backup-passphrase -o "$dumpfile" -
+scp "$dumpfile" "$stgcred":/prod-backup/"$(basename $dumpfile)"
+ssh "$stgcred" "ls -r /prod-backup/libravatar-db-* | tail -n +11 | xargs rm"
+
+tar -C /mnt/data/ -czf "$data_tmpfile" cgi-bin/ letsencrypt/ root-ssh run-in-venv wsgi.py .backup-passphrase
+gpg2 -c --batch --passphrase-file /mnt/data/.backup-passphrase -o "$datafile" "$data_tmpfile"
+scp "$datafile" "$stgcred":/prod-backup/"$(basename $datafile)"
+ssh "$stgcred" "ls -r /prod-backup/libravatar-data-* | tail -n +11 | xargs rm"
+
+rm "$dumpfile" "$datafile" "$data_tmpfile"
--- a/roles/libravatar/files/cron.daily/certbot-renew
+++ b/roles/libravatar/files/cron.daily/certbot-renew
--- a/roles/libravatar/tasks/main.yml
+++ b/roles/libravatar/tasks/main.yml
@ -26,8 +26,8 @@
 - name: configure postfix for email encryption and not relaying to bastion
  command: "{{ item }}"
  with_items:
-  - postconf -e 'smtpd_tls_cert_file = /etc/letsencrypt/live/{{ server_name }}/fullchain.pem'
-  - postconf -e 'smtpd_tls_key_file = /etc/letsencrypt/live/{{ server_name }}/privkey.pem'
+  - postconf -e 'smtpd_tls_cert_file = /etc/letsencrypt/live/{{ server_cert_name }}/fullchain.pem'
+  - postconf -e 'smtpd_tls_key_file = /etc/letsencrypt/live/{{ server_cert_name }}/privkey.pem'
  - postconf -e 'smtp_use_tls = yes'
  - postconf -e 'relayhost ='

@ -119,11 +119,28 @@
  tags:
  - config

- name: cron.daily job
-  copy: src="cron.daily/libravatar" dest="/etc/cron.daily/libravatar" mode=755
+- name: cron.daily jobs
+  copy: src="cron.daily/{{ item }}" dest="/etc/cron.daily/{{ item }}" mode=755
+  with_items:
+  - "backup"
+  - "certbot-renew"

 - name: ensure service states
  service: state=started enabled=yes name={{ item }}
  with_items:
  - httpd
  - crond
+  - postfix
+  - postgresql
+
+############## backup related ##############
+
+- name: copy root's ssh keys
+  shell: cp /mnt/data/root-ssh/* /root/.ssh/
+  when: env == "production"
+
+- name: put pubkey from prod to stg
+  lineinfile:
+    path: "/root/.ssh/authorized_keys"
+    line: "{{ prod_pubkey }}"
+  when: env == "staging"
--- a/roles/libravatar/tasks/mount_fs.yml
+++ b/roles/libravatar/tasks/mount_fs.yml
@ -1,7 +1,7 @@
 - name: mount up disk
  mount: name=/mnt/data src='LABEL=libravatar-data' fstype=ext4 state=mounted

- name: mount up bind mount for postgresql
+- name: bind mount for postgresql
  mount: src=/mnt/data/pgsql name=/var/lib/pgsql fstype=auto opts=bind state=mounted

 - name: bind mount for letsencrypt