Migrate S3 backups from AWS, fix automatic cleanups

The cleanups were broken in that every single archive was also copied to a shared folder and never deleted from there. Co-authored-by: Greg Karékinian <greg@karekinian.com>
2024-10-16 12:29:58 +02:00
parent 15096ca17b
commit eb06926606
10 changed files with 49 additions and 28 deletions
--- a/site-cookbooks/backup/attributes/default.rb
+++ b/site-cookbooks/backup/attributes/default.rb
@@ -42,5 +42,5 @@ default['backup']['orbit']['keep'] = 10
 default['backup']['cron']['hour'] = "05"
 default['backup']['cron']['minute'] = "7"

-default['backup']['s3']['keep'] = 15
-default['backup']['s3']['bucket'] = "kosmos-dev-backups"
+default['backup']['s3']['keep'] = 10
+default['backup']['s3']['bucket'] = "kosmos-backups"
--- a/site-cookbooks/backup/recipes/default.rb
+++ b/site-cookbooks/backup/recipes/default.rb
@@ -28,6 +28,7 @@ template "#{backup_dir}/config.rb" do
  sensitive true
  variables s3_access_key_id: backup_data["s3_access_key_id"],
            s3_secret_access_key: backup_data["s3_secret_access_key"],
+            s3_endpoint: backup_data["s3_endpoint"],
            s3_region: backup_data["s3_region"],
            encryption_password: backup_data["encryption_password"],
            mail_from: "backups@kosmos.org",
--- a/site-cookbooks/backup/templates/default/config.rb.erb
+++ b/site-cookbooks/backup/templates/default/config.rb.erb
@@ -23,6 +23,10 @@ Storage::S3.defaults do |s3|
  s3.secret_access_key = "<%= @s3_secret_access_key %>"
  s3.region            = "<%= @s3_region %>"
  s3.bucket            = "<%= node['backup']['s3']['bucket'] %>"
+  s3.fog_options       = {
+    endpoint: "<%= @s3_endpoint %>",
+    aws_signature_version: 2
+  }
 end

 Encryptor::OpenSSL.defaults do |encryption|
@@ -88,7 +92,6 @@ end

 preconfigure 'KosmosBackup' do
  split_into_chunks_of 250 # megabytes
-  store_with S3
  compress_with Bzip2
  encrypt_with OpenSSL
  notify_by Mail do |mail|
--- a/site-cookbooks/kosmos-bitcoin/recipes/lnd-scb-s3.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/lnd-scb-s3.rb
@@ -10,12 +10,14 @@ include_recipe "kosmos-bitcoin::aws-client"
 package "inotify-tools"

 backup_script_path = "/opt/lnd-channel-backup-s3.sh"
+backup_credentials = Chef::EncryptedDataBagItem.load('credentials', 'backup')

 template backup_script_path do
  source "lnd-channel-backup-s3.sh.erb"
  mode '0740'
  variables lnd_dir: node['lnd']['lnd_dir'],
            bitcoin_network: node['bitcoin']['network'],
+            s3_endpoint: backup_credentials['s3_endpoint'],
            s3_bucket: node['backup']['s3']['bucket'],
            s3_scb_dir: "#{node['name']}/lnd/#{node['bitcoin']['network']}"
  notifies :restart, "systemd_unit[lnd-channel-backup.service]", :delayed
--- a/site-cookbooks/kosmos-bitcoin/templates/lnd-channel-backup-s3.sh.erb
+++ b/site-cookbooks/kosmos-bitcoin/templates/lnd-channel-backup-s3.sh.erb
@@ -3,5 +3,5 @@ set -xe -o pipefail

 while true; do
  inotifywait <%= @lnd_dir %>/data/chain/bitcoin/<%= @bitcoin_network %>/channel.backup
-  aws s3 cp <%= @lnd_dir %>/data/chain/bitcoin/<%= @bitcoin_network %>/channel.backup "s3://<%= @s3_bucket %>/<%= @s3_scb_dir %>/channel.backup"
+  aws --endpoint <%= @s3_endpoint %> s3 cp <%= @lnd_dir %>/data/chain/bitcoin/<%= @bitcoin_network %>/channel.backup "s3://<%= @s3_bucket %>/<%= @s3_scb_dir %>/channel.backup"
 done
--- a/site-cookbooks/kosmos-mastodon/recipes/backup.rb
+++ b/site-cookbooks/kosmos-mastodon/recipes/backup.rb
@@ -6,13 +6,12 @@
 postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')

 unless node.chef_environment == "development"
-  unless node["backup"]["postgresql"]["databases"].keys.include? 'mastodon'
-    node.override["backup"]["postgresql"]["host"] = "pg.kosmos.local"
-    node.override["backup"]["postgresql"]["databases"]["mastodon"] = {
-      username: "mastodon",
-      password: postgresql_data_bag_item['mastodon_user_password']
-    }
-  end
+  node.override['backup']['s3']['keep'] = 1
+  node.override["backup"]["postgresql"]["host"] = "pg.kosmos.local"
+  node.override["backup"]["postgresql"]["databases"]["mastodon"] = {
+    username: "mastodon",
+    password: postgresql_data_bag_item['mastodon_user_password']
+  }

  include_recipe "backup"
 end
--- a/site-cookbooks/kosmos_gitea/recipes/backup.rb
+++ b/site-cookbooks/kosmos_gitea/recipes/backup.rb
@@ -8,5 +8,6 @@
 unless node.chef_environment == "development"
  # backup the data dir and the config files
  node.override["backup"]["archives"]["gitea"] = [node["gitea"]["working_directory"]]
+  node.override['backup']['s3']['keep'] = 2
  include_recipe "backup"
 end