v1.0

2026-01-29 12:55:01 +01:00
commit 65edf17dc7
15 changed files with 435 additions and 0 deletions
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -0,0 +1,8 @@
+- name: Basic packages
+  apt:
+    name:
+      - vim
+      - curl
+      - gnupg
+      - rsync
+    update_cache: yes
--- a/roles/mailarchiver_db/tasks/main.yml
+++ b/roles/mailarchiver_db/tasks/main.yml
@@ -0,0 +1,20 @@
+- name: Create db user
+  become_user: postgres
+  postgresql_user:
+    name: mailuser
+    password: "{{ mailuser_password }}"
+
+- name: Create database
+  become_user: postgres
+  postgresql_db:
+    name: mailarchiver
+    owner: mailuser
+
+- name: Grant schema rights
+  become_user: postgres
+  postgresql_query:
+    db: mailarchiver
+    query: |
+      GRANT ALL ON SCHEMA public TO mailuser;
+      ALTER DEFAULT PRIVILEGES IN SCHEMA public
+      GRANT ALL ON TABLES TO mailuser;
--- a/roles/pgbackrest/tasks/main.yml
+++ b/roles/pgbackrest/tasks/main.yml
@@ -0,0 +1,37 @@
+- name: Install pgBackRest
+  apt:
+    name: pgbackrest
+    state: present
+
+- name: Repo dir
+  file:
+    path: /pgbackrest
+    state: directory
+    owner: postgres
+    mode: "750"
+  when: inventory_hostname in groups['replica']
+
+- name: Config
+  template:
+    src: pgbackrest.conf.j2
+    dest: /etc/pgbackrest.conf
+
+- name: Create stanza
+  become_user: postgres
+  command: pgbackrest --stanza=main stanza-create
+  when: inventory_hostname in groups['primary']
+
+- name: Full backup weekly
+  cron:
+    name: "pgbackrest full"
+    weekday: 0
+    hour: 2
+    minute: 0
+    job: "pgbackrest --stanza=main backup --type=full"
+
+- name: Incremental backup daily
+  cron:
+    name: "pgbackrest incr"
+    hour: 2
+    minute: 0
+    job: "pgbackrest --stanza=main backup --type=incr"
--- a/roles/pgbackrest/templates/pgbackrest.conf.j2
+++ b/roles/pgbackrest/templates/pgbackrest.conf.j2
@@ -0,0 +1,11 @@
+[main]
+pg1-path=/var/lib/postgresql/16/main
+
+[global]
+{% if inventory_hostname in groups['primary'] %}
+repo1-host=pg2
+{% endif %}
+repo1-path=/pgbackrest
+repo1-retention-full=2
+repo1-retention-diff=7
+start-fast=y
--- a/roles/postgres/tasks/main.yml
+++ b/roles/postgres/tasks/main.yml
@@ -0,0 +1,47 @@
+- name: Install PostgreSQL
+  apt:
+    name:
+      - postgresql-{{ pg_version }}
+      - postgresql-contrib
+    update_cache: yes
+
+- name: Stop postgres before config
+  service:
+    name: postgresql
+    state: stopped
+
+- name: postgresql.conf
+  template:
+    src: postgresql.conf.j2
+    dest: /etc/postgresql/{{ pg_version }}/main/postgresql.conf
+
+- name: pg_hba.conf
+  template:
+    src: pg_hba.conf.j2
+    dest: /etc/postgresql/{{ pg_version }}/main/pg_hba.conf
+
+- name: TLS cert dir
+  file:
+    path: /etc/postgresql/ssl
+    state: directory
+    owner: postgres
+    mode: "700"
+
+- name: Copy TLS cert
+  copy:
+    src: pg.crt
+    dest: /etc/postgresql/ssl/pg.crt
+    owner: postgres
+    mode: "600"
+
+- name: Copy TLS key
+  copy:
+    src: pg.key
+    dest: /etc/postgresql/ssl/pg.key
+    owner: postgres
+    mode: "600"
+
+- name: Start postgres
+  service:
+    name: postgresql
+    state: started
--- a/roles/postgres/tasks/templates/pg_hba.conf.j2
+++ b/roles/postgres/tasks/templates/pg_hba.conf.j2
@@ -0,0 +1,3 @@
+local   all             postgres                                peer
+host    all             all             10.0.0.0/24             md5
+host    replication     replicator      10.0.0.2/32             md5
--- a/roles/postgres/tasks/templates/postgresql.conf.j2
+++ b/roles/postgres/tasks/templates/postgresql.conf.j2
@@ -0,0 +1,13 @@
+listen_addresses = '*'
+
+shared_buffers = 2GB
+effective_cache_size = 6GB
+work_mem = 64MB
+maintenance_work_mem = 1GB
+
+wal_compression = on
+checkpoint_timeout = 15min
+max_wal_size = 64GB
+
+archive_mode = on
+archive_command = 'pgbackrest --stanza=main archive-push %p'
--- a/roles/replication/tasks/main.yml
+++ b/roles/replication/tasks/main.yml
@@ -0,0 +1,28 @@
+- name: Create replicator user (on primary)
+  delegate_to: pg1
+  become_user: postgres
+  postgresql_user:
+    name: replicator
+    password: "{{ replicator_password }}"
+    role_attr_flags: REPLICATION,LOGIN
+
+- name: Stop postgres
+  service:
+    name: postgresql
+    state: stopped
+
+- name: Remove old data
+  file:
+    path: "{{ pg_data }}"
+    state: absent
+
+- name: Base backup
+  become_user: postgres
+  command: >
+    pg_basebackup -h pg1 -D {{ pg_data }}
+    -U replicator -Fp -Xs -P -R
+
+- name: Start postgres
+  service:
+    name: postgresql
+    state: started
--- a/roles/restore_primary/tasks/main.yml
+++ b/roles/restore_primary/tasks/main.yml
@@ -0,0 +1,19 @@
+- name: Stop postgres on primary
+  service:
+    name: postgresql
+    state: stopped
+
+- name: Remove old data on primary
+  file:
+    path: "{{ pg_data }}"
+    state: absent
+
+- name: Restore base backup from replica
+  become_user: postgres
+  command: >
+    pg_basebackup -h pg2 -D {{ pg_data }} -U replicator -Fp -Xs -P -R
+
+- name: Start postgres on primary
+  service:
+    name: postgresql
+    state: started