diff --git a/ansible/files/pgbackrest_config/computed_globals.conf b/ansible/files/pgbackrest_config/computed_globals.conf
new file mode 100644
index 000000000..a1b92e934
--- /dev/null
+++ b/ansible/files/pgbackrest_config/computed_globals.conf
@@ -0,0 +1,8 @@
+[global]
+# process-max = 1
+
+[archive-get]
+# process-max = 1
+
+[archive-push]
+# process-max = 1
diff --git a/ansible/files/pgbackrest_config/pgbackrest.conf b/ansible/files/pgbackrest_config/pgbackrest.conf
new file mode 100644
index 000000000..f11db6ed9
--- /dev/null
+++ b/ansible/files/pgbackrest_config/pgbackrest.conf
@@ -0,0 +1,18 @@
+[global]
+archive-async = n
+archive-copy = y
+backup-standby = prefer
+compress-type = zst
+delta = y
+expire-auto = n
+link-all = y
+log-level-console = info
+log-level-file = detail
+log-subprocess = y
+resume = n
+start-fast = y
+
+[supabase]
+pg1-path = /var/lib/postgresql/data
+pg1-socket-path = /run/postgresql
+pg1-user = supabase_admin
diff --git a/ansible/files/pgbackrest_config/repo1.conf b/ansible/files/pgbackrest_config/repo1.conf
new file mode 100644
index 000000000..d34274932
--- /dev/null
+++ b/ansible/files/pgbackrest_config/repo1.conf
@@ -0,0 +1,14 @@
+[supabase]
+repo1-block = y
+repo1-bundle = y
+# repo1-path =
+repo1-retention-diff = 1
+repo1-retention-full = 28
+repo1-retention-full-type = time
+repo1-retention-history = 0
+# repo1-s3-bucket=
+# repo1-s3-endpoint=
+repo1-s3-key-type = auto
+# repo1-s3-region =
+repo1-storage-upload-chunk-size = 10MiB
+repo1-type = s3
diff --git a/ansible/files/pgbackrest_config/repo1_async.conf b/ansible/files/pgbackrest_config/repo1_async.conf
new file mode 100644
index 000000000..e5f8846e2
--- /dev/null
+++ b/ansible/files/pgbackrest_config/repo1_async.conf
@@ -0,0 +1,2 @@
+[supabase]
+# archive-async = y
diff --git a/ansible/files/pgbackrest_config/repo1_encrypted.conf b/ansible/files/pgbackrest_config/repo1_encrypted.conf
new file mode 100644
index 000000000..8b7b7bbd5
--- /dev/null
+++ b/ansible/files/pgbackrest_config/repo1_encrypted.conf @@ -0,0 +1,3 @@ +[supabase] +# repo-cipher-pass = {{ generated pass }} +# repo-cipher-type = aes-256-cbc diff --git a/ansible/playbook.yml b/ansible/playbook.yml index 5effa0fdc..09c398fd0 100644 --- a/ansible/playbook.yml +++ b/ansible/playbook.yml @@ -40,6 +40,12 @@ import_tasks: tasks/setup-wal-g.yml when: debpkg_mode or nixpkg_mode or stage2_nix + - name: Install pgBackRest + import_tasks: + file: tasks/setup-pgbackrest.yml + when: + - debpkg_mode or nixpkg_mode or stage2_nix + - name: Install Gotrue import_tasks: tasks/setup-gotrue.yml tags: diff --git a/ansible/tasks/setup-pgbackrest.yml b/ansible/tasks/setup-pgbackrest.yml new file mode 100644 index 000000000..ce4a859e9 --- /dev/null +++ b/ansible/tasks/setup-pgbackrest.yml 
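Review bot: repo1_encrypted.conf is meant to hold the repository passphrase, yet the `Move pgBackRest files to /etc/pgbackrest` task in setup-pgbackrest.yml installs it with `mode: '0644'` like every other fragment; a stricter mode such as `'0640'` for this one file would keep the passphrase from being world-readable once it is filled in. The `{{ generated pass }}` placeholder is never rendered, because that task uses `copy` rather than `template`, so a header comment along the lines of `# cipher passphrase is written at provisioning time; never commit a real value here` would tell maintainers how the value is expected to arrive (wording to be adjusted to however it is actually populated). For consistency with repo1.conf, which indexes every option, consider spelling the keys `repo1-cipher-pass` and `repo1-cipher-type`.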
@@ -0,0 +1,96 @@
+- name: Create pgBackRest group
+ ansible.builtin.group:
+ name: pgbackrest
+ state: present
+ when:
+ - nixpkg_mode
+
+- name: Create pgBackRest user
+ ansible.builtin.user:
+ comment: pgBackRest user
+ group: pgbackrest
+ groups: pgbackrest, postgres
+ home: /var/lib/pgbackrest
+ name: pgbackrest
+ shell: /sbin/nologin
+ system: true
+ when:
+ - nixpkg_mode
+
+- name: Configure sudoers for pgBackRest
+ ansible.builtin.lineinfile:
+ create: yes
+ line: "{{ item }}"
+ mode: '0440'
+ path: '/etc/sudoers.d/pgbackrest'
+ validate: 'visudo -cf %s'
+ loop:
+ - 'postgres ALL=(pgbackrest) NOPASSWD: /var/lib/pgbackrest/.nix-profile/bin/pgbackrest'
+ - 'postgres ALL=(pgbackrest) NOPASSWD: /usr/bin/pgbackrest'
+ - 'postgres ALL=(pgbackrest) NOPASSWD: /usr/bin/bash'
+ - 'postgres ALL=(pgbackrest) NOPASSWD: /usr/bin/nix'
+ - 'pgbackrest ALL=(pgbackrest) NOPASSWD: /usr/bin/bash'
+ - 'pgbackrest ALL=(pgbackrest) NOPASSWD: /usr/bin/nix'
+
+- name: Install pgBackRest
+ ansible.builtin.shell: |
+ sudo -u pgbackrest bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile install github:supabase/postgres/{{ git_commit_sha }}#pg-backrest"
+ become: true
+ become_user: pgbackrest
+ changed_when: true
+ when:
+ - stage2_nix
+
+- name: Create needed directories for pgBackRest
+ ansible.legacy.file:
+ group: postgres
+ mode: '0770'
+ owner: pgbackrest
+ path: "{{ backrest_dir }}"
+ state: directory
+ loop:
+ - /etc/pgbackrest/conf.d
+ - /var/lib/pgbackrest
+ - /var/spool/pgbackrest
+ - /var/log/pgbackrest
+ loop_control:
+ loop_var: backrest_dir
+ when:
+ - nixpkg_mode
+
+- name: Symlink pgbackrest.conf
+ ansible.legacy.file:
+ force: true
+ path: /etc/pgbackrest/pgbackrest.conf
+ src: /etc/pgbackrest.conf
+ state: link
+
+- name: Move pgBackRest files to /etc/pgbackrest
+ ansible.legacy.copy:
+ group: postgres
+ dest: "/etc/pgbackrest/{{ conf_item['path'] }}/{{ conf_item['name'] }}"
+ mode: '0644'
+ owner: pgbackrest
+ src: "files/pgbackrest_config/{{ conf_item['name'] }}"
+ loop:
+ - {name: computed_globals.conf, path: conf.d}
+ - {name: pgbackrest.conf, path: ''}
+ - {name: repo1_async.conf, path: conf.d}
+ - {name: repo1_encrypted.conf, path: conf.d}
+ - {name: repo1.conf, path: conf.d}
+ loop_control:
+ loop_var: conf_item
+ when:
+ - stage2_nix
+
+- name: Create pgBackRest wrapper script
+ ansible.builtin.copy:
+ content: |
+ #!/bin/bash
+ _raw_args="$@"
+ _sanitized_args=$(echo $_raw_args | sed -e 's/--cmd=[^ ]*//g; s/--repo-host-cmd=[^ ]*//g; s/--config=[^ ]*//g' )
+ exec sudo -u pgbackrest /var/lib/pgbackrest/.nix-profile/bin/pgbackrest "$_sanitized_args"
+ dest: '/usr/bin/pgbackrest'
+ group: 'root'
+ mode: '0755'
+ owner: 'root'
diff --git a/ansible/vars.yml b/ansible/vars.yml
index a7e55c0a9..b72a349f4 100644
--- a/ansible/vars.yml
+++ b/ansible/vars.yml
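Review bot: The wrapper script at the end of this hunk passes `"$_sanitized_args"` to pgbackrest as one quoted word, so a call with several arguments arrives as a single string, and the unquoted `echo $_raw_args` before it re-splits and glob-expands the values. The sed filter only matches the `--opt=value` spelling of `--cmd`, `--repo-host-cmd` and `--config`, so it should not be relied on as the control that pins the binary and config path. Rebuilding the argument list as an array and dropping those options by name, as sketched below, keeps argument boundaries intact. The filtering is also moot while the sudoers task lets `postgres` run `/usr/bin/bash` and `/usr/bin/nix` as `pgbackrest` without a password, since that already grants an unrestricted shell as that user; if those entries are only needed during image build, leave them out of the installed sudoers file.

```yaml
    content: |
      #!/bin/bash
      # Rebuild argv, leaving out the options callers must not override.
      _args=()
      _skip_next=0
      for _arg in "$@"; do
        if [ "$_skip_next" -eq 1 ]; then
          _skip_next=0
          continue
        fi
        case "$_arg" in
          --cmd=*|--repo-host-cmd=*|--config=*) continue ;;
          --cmd|--repo-host-cmd|--config) _skip_next=1; continue ;;
        esac
        _args+=("$_arg")
      done
      exec sudo -u pgbackrest /var/lib/pgbackrest/.nix-profile/bin/pgbackrest "${_args[@]}"
    # … unchanged: dest, group, mode, owner …
```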
@@ -10,9 +10,9 @@ postgres_major: # Full version strings for each major version postgres_release: - postgresorioledb-17: "17.6.0.011-orioledb" - postgres17: "17.6.1.054" - postgres15: "15.14.1.054" + postgresorioledb-17: "17.6.0.011-orioledb-PSQL773" + postgres17: "17.6.1.054-PSQL773" + postgres15: "15.14.1.054-PSQL773" # Non Postgres Extensions pgbouncer_release: 1.19.0