diff --git a/inventory/group_vars/libravatar b/inventory/group_vars/libravatar
index e8f3eff735..b0ccf6b5bc 100644
--- a/inventory/group_vars/libravatar
+++ b/inventory/group_vars/libravatar
@@ -6,3 +6,4 @@ cdn_server_alias: seccdn.libravatar.org
 server_redirect_name: "libravatar.org libravatar.com www.libravatar.com"
 server_cert_name: libravatar.org
 cdn_server_cert_name: cdn.libravatar.org
+prod_pubkey: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzOpYy2W3hqlvrdpbprv1BAvxh9IsjlVizzxKBo7FvKcj6Xwk1UZXqQqQTBSgEAsuYhTiTIcHK3V4y6xwrSvVQJy0ciqBtPdrAp8z8S+2xBx4uvdc8sb2n8XQGIEkJHel6wIHE+0mCv/PoHn9OPc+bjNFQkncmb7SKbiojll7kiWGdmVzgutrwUULqXcDbsZ1u+HL8Edh7v43IwmK9nVAeA8K8W9rab1EIlFL1oh5z1rrgxV7Gv9OVLbh4NI95DFrHHNEaeH2PpWrdVAYypMSGg2rTOH+mbgYsHhCbA9KRCKkJAqXlOBymGsQuO0yFv2gTzLx+8BkJ3IrXYdhFvoLt root@libravatar.fedorainfracloud.org"
diff --git a/roles/libravatar/files/cron.daily/backup b/roles/libravatar/files/cron.daily/backup
new file mode 100755
index 0000000000..023964e3a4
--- /dev/null
+++ b/roles/libravatar/files/cron.daily/backup
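Review bot: `prod_pubkey` is added to group_vars with nothing saying what it is or where it is consumed, and next to the cert-name variables a bare key string is easy to misread as a host key or CDN setting; a comment above it would help, e.g. `# public half of root@prod's SSH key; installed for root on staging so cron.daily/backup can push backups there (see roles/libravatar/tasks/main.yml)`. Because the playbook installs whatever this value holds into root's authorized_keys on staging, a change to this line should be reviewed with the same care as a credential change.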
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+stgcred=root@libravatar-stg.fedorainfracloud.org
+dumpfile=/tmp/libravatar-db-"$(date +'%d-%m-%Y')".dump.gz.gpg
+datafile=/tmp/libravatar-data-"$(date +'%d-%m-%Y')".tar.gz.gpg
+data_tmpfile=/tmp/libravatar-data-"$(date +'%d-%m-%Y')".tar.gz
+ssh "$stgcred" "mkdir -p /prod-backup"
+
+runuser -u postgres pg_dump libravatar | gzip | gpg2 -c --batch --passphrase-file /mnt/data/.backup-passphrase -o "$dumpfile" -
+scp "$dumpfile" "$stgcred":/prod-backup/"$(basename $dumpfile)"
+ssh "$stgcred" "ls -r /prod-backup/libravatar-db-* | tail -n +11 | xargs rm"
+
+tar -C /mnt/data/ -czf "$data_tmpfile" cgi-bin/ letsencrypt/ root-ssh run-in-venv wsgi.py .backup-passphrase
+gpg2 -c --batch --passphrase-file /mnt/data/.backup-passphrase -o "$datafile" "$data_tmpfile"
+scp "$datafile" "$stgcred":/prod-backup/"$(basename $datafile)"
+ssh "$stgcred" "ls -r /prod-backup/libravatar-data-* | tail -n +11 | xargs rm"
+
+rm "$dumpfile" "$datafile" "$data_tmpfile"
diff --git a/roles/libravatar/files/cron.daily/libravatar b/roles/libravatar/files/cron.daily/certbot-renew
old mode 100644
new mode 100755
similarity index 100%
rename from roles/libravatar/files/cron.daily/libravatar
rename to roles/libravatar/files/cron.daily/certbot-renew
diff --git a/roles/libravatar/tasks/main.yml b/roles/libravatar/tasks/main.yml
index 75984ead4a..6d628a5c22 100644
--- a/roles/libravatar/tasks/main.yml
+++ b/roles/libravatar/tasks/main.yml
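Review bot: `tar -C /mnt/data/ -czf "$data_tmpfile" ... letsencrypt/ root-ssh ...` writes a plaintext archive of the Let's Encrypt private keys and of root-ssh (which main.yml copies into /root/.ssh) to /tmp under whatever umask cron runs with (commonly 022, i.e. world-readable) and leaves it there until the final `rm`; the DB path already avoids this by piping straight into gpg, so the data path should do the same and the script should begin with `umask 077` and `set -euo pipefail`. Without `set -euo pipefail`, a failing `pg_dump` still produces a valid-looking .gpg of an empty stream, which is then uploaded and followed by the prune step, so a broken run can push a good backup out of the ten that are kept. The prune step `ls -r ... | tail -n +11 | xargs rm` relies on lexical order, but `%d-%m-%Y` names sort by day-of-month first, so the files removed are not the oldest; naming with `%Y-%m-%d` fixes the ordering and `xargs -r` avoids a bare `rm` when nothing is to be pruned. Packing `.backup-passphrase` into an archive encrypted with that same passphrase adds nothing and should be dropped from the tar list.
```shell
#!/bin/bash
set -euo pipefail
umask 077   # nothing this script writes to /tmp may be readable by other users

stgcred=root@libravatar-stg.fedorainfracloud.org
today="$(date +'%Y-%m-%d')"   # lexical order == chronological order, so the prune keeps the newest
dumpfile=/tmp/libravatar-db-"$today".dump.gz.gpg
datafile=/tmp/libravatar-data-"$today".tar.gz.gpg
# … unchanged: ssh mkdir, pg_dump pipeline, scp of $dumpfile …
ssh "$stgcred" "ls -r /prod-backup/libravatar-db-* | tail -n +11 | xargs -r rm"

# stream tar straight into gpg: no plaintext copy of the keys ever touches disk
tar -C /mnt/data/ -cz cgi-bin/ letsencrypt/ root-ssh run-in-venv wsgi.py \
  | gpg2 -c --batch --passphrase-file /mnt/data/.backup-passphrase -o "$datafile" -
# … unchanged: scp of $datafile …
ssh "$stgcred" "ls -r /prod-backup/libravatar-data-* | tail -n +11 | xargs -r rm"

rm "$dumpfile" "$datafile"
```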
@@ -26,8 +26,8 @@
 - name: configure postfix for email encryption and not relaying to bastion
   command: "{{ item }}"
   with_items:
-    - postconf -e 'smtpd_tls_cert_file = /etc/letsencrypt/live/{{ server_name }}/fullchain.pem'
-    - postconf -e 'smtpd_tls_key_file = /etc/letsencrypt/live/{{ server_name }}/privkey.pem'
+    - postconf -e 'smtpd_tls_cert_file = /etc/letsencrypt/live/{{ server_cert_name }}/fullchain.pem'
+    - postconf -e 'smtpd_tls_key_file = /etc/letsencrypt/live/{{ server_cert_name }}/privkey.pem'
     - postconf -e 'smtp_use_tls = yes'
     - postconf -e 'relayhost ='
@@ -119,11 +119,28 @@
   tags:
     - config
-- name: cron.daily job
-  copy: src="cron.daily/libravatar" dest="/etc/cron.daily/libravatar" mode=755
+- name: cron.daily jobs
+  copy: src="cron.daily/{{ item }}" dest="/etc/cron.daily/{{ item }}" mode=755
+  with_items:
+    - "backup"
+    - "certbot-renew"
 - name: ensure service states
   service: state=started enabled=yes name={{ item }}
   with_items:
     - httpd
     - crond
+    - postfix
+    - postgresql
+
+############## backup related ##############
+
+- name: copy root's ssh keys
+  shell: cp /mnt/data/root-ssh/* /root/.ssh/
+  when: env == "production"
+
+- name: put pubkey from prod to stg
+  lineinfile:
+    path: "/root/.ssh/authorized_keys"
+    line: "{{ prod_pubkey }}"
+  when: env == "staging"
diff --git a/roles/libravatar/tasks/mount_fs.yml b/roles/libravatar/tasks/mount_fs.yml
index 9b711b6c07..91793a2ef3 100644
--- a/roles/libravatar/tasks/mount_fs.yml
+++ b/roles/libravatar/tasks/mount_fs.yml
@@ -1,7 +1,7 @@
 - name: mount up disk
   mount: name=/mnt/data src='LABEL=libravatar-data' fstype=ext4 state=mounted
-- name: mount up bind mount for postgresql
+- name: bind mount for postgresql
   mount: src=/mnt/data/pgsql name=/var/lib/pgsql fstype=auto opts=bind state=mounted
 - name: bind mount for letsencrypt
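Review bot: The `lineinfile` task closing the second main.yml hunk installs prod root's key as an unrestricted root login on staging, although the backup job only needs scp, `mkdir -p` and the prune command; the `authorized_key` module with `key_options` lets the entry carry `from=` pinned to prod's address plus `restrict` (no forwarding, no pty; needs OpenSSH 7.2 or newer on staging), and unlike `lineinfile` it can retire a rotated key with `state: absent` instead of leaving the old line in place. The `shell: cp /mnt/data/root-ssh/* /root/.ssh/` task just above it reports changed on every run and copies whatever happens to be in that directory with whatever permissions result; a `creates:` guard naming one of the expected key files, or a `copy` task with `remote_src` and an explicit `mode: "0600"`, would make it idempotent and pin the permissions. Both tasks lie entirely inside the hunk, which ends at the end of main.yml.
```yaml
- name: put pubkey from prod to stg
  authorized_key:
    user: root
    key: "{{ prod_pubkey }}"
    # <PROD_ADDRESS> is a placeholder for prod's source address; 'restrict' needs OpenSSH 7.2+
    key_options: 'from="<PROD_ADDRESS>",restrict'
  when: env == "staging"
```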