Add lldap backup and templatize backup job

Now oneoff and system jobs are all using the same template
2022-07-27 17:02:29 -07:00 · 2022-07-27 17:02:29 -07:00 · 9a315eb2f7
commit 9a315eb2f7
parent 6e074c55aa
4 changed files with 95 additions and 218 deletions
--- a/nomad/backups/backup.nomad
+++ b/nomad/backups/backup.nomad
@ -1,24 +1,36 @@
-variable "nextcloud_backup" {
-  type = string
-  description = "HCL config for Restic Scheduler jobs"
-}
-
-variable "consul_backup" {
-  type = string
-  description = "HCL config for Restic Scheduler jobs"
-}
-
-job "backup" {
+job "backup%{ if batch_node != null }-oneoff-${batch_node}%{ endif }" {
  datacenters = ["dc1"]
+  %{ if batch_node == null ~}
  type = "system"
+  %{ else ~}
+  type = "batch"
+
+  parameterized {
+    meta_required = ["job_name"]
+    meta_optional = ["task", "snapshot"]

-  constraint {
-    attribute = "${node.unique.name}"
-    # Only node with a backup job so far
-    # Remove when backing up all nodes
-    value = "n2"
  }

+  meta {
+    task = "backup"
+    snapshot = "latest"
+  }
+  %{ endif ~}
+
+  %{ if batch_node == null ~}
+  constraint {
+    attribute = "$${node.unique.name}"
+    operator = "set_contains_any"
+    # Only deploy to nodes running tasks to backup
+    value = "n1,n2"
+  }
+  %{ else ~}
+  constraint {
+    attribute = "$${node.unique.name}"
+    value = "${batch_node}"
+  }
+  %{ endif ~}
+
  group "backup" {

    network {
@ -64,7 +76,7 @@ job "backup" {
      }

      meta {
-        metrics_addr = "${NOMAD_ADDR_metrics}"
+        metrics_addr = "$${NOMAD_ADDR_metrics}"
      }
    }

@ -81,6 +93,11 @@ job "backup" {
        image = "iamthefij/resticscheduler"
        ports = ["metrics"]
        args = [
+          %{ if batch_node != null ~}
+          "-once",
+          "-$${NOMAD_META_task}",
+          "$${NOMAD_META_job_name}",
+          %{ endif ~}
          "/jobs/node-jobs.hcl",
        ]

@ -99,8 +116,8 @@ job "backup" {
      }

      env = {
-        "MYSQL_HOST" = "${NOMAD_UPSTREAM_IP_mysql_server}"
-        "MYSQL_PORT" = "${NOMAD_UPSTREAM_PORT_mysql_server}"
+        "MYSQL_HOST" = "$${NOMAD_UPSTREAM_IP_mysql_server}"
+        "MYSQL_PORT" = "$${NOMAD_UPSTREAM_PORT_mysql_server}"
      }

      template {
@ -132,16 +149,22 @@ CONSUL_HTTP_ADDR={{ env "attr.unique.network.ip-address" }}:8500
        # Build jobs based on node
        data = <<EOF
 # Current node is {{ env "node.unique.name" }}
-# Consul backup below?
 {{ if eq (env "node.unique.name") "n2" -}}
 # Consul backup
-${var.consul_backup}
+${file("${module_path}/jobs/consul.hcl")}
 {{ end -}}
-{{ range service "nextcloud" }}
+{{ range service "nextcloud" -}}
 # Nextcloud .Node {{ .Node }}
-{{ if eq .Node (env "node.unique.name") }}
-${var.nextcloud_backup}
-{{ end }}{{ end }}
+{{ if eq .Node (env "node.unique.name") -}}
+${file("${module_path}/jobs/nextcloud.hcl")}
+{{ end -}}
+{{ end -}}
+{{ range service "lldap" -}}
+# Lldap .Node {{ .Node }}
+{{ if eq .Node (env "node.unique.name") -}}
+${file("${module_path}/jobs/lldap.hcl")}
+{{ end -}}
+{{ end -}}
        EOF
        destination = "jobs/node-jobs.hcl"
      }
--- a/nomad/backups/backups.tf
+++ b/nomad/backups/backups.tf
@ -1,27 +1,14 @@
-locals {
-  nextcloud_backup = file("${path.module}/jobs/nextcloud.hcl")
-}
-
 resource "nomad_job" "backups" {
-  hcl2 {
-    enabled = true
-    vars = {
-      "nextcloud_backup" = "${local.nextcloud_backup}",
-      "consul_backup"    = file("${path.module}/jobs/consul.hcl"),
-    }
-  }
-
-  jobspec = file("${path.module}/backup.nomad")
+  jobspec = templatefile("${path.module}/backup.nomad", {
+    module_path = "${path.module}",
+    batch_node  = null,
+  })
 }

 resource "nomad_job" "backups-oneoff" {
-  hcl2 {
-    enabled = true
-    vars = {
-      "nextcloud_backup" = "${local.nextcloud_backup}",
-      "consul_backup"    = file("${path.module}/jobs/consul.hcl"),
-    }
-  }
-
-  jobspec = file("${path.module}/oneoff.nomad")
+  for_each = toset(["n1", "n2", "n3"])
+  jobspec = templatefile("${path.module}/backup.nomad", {
+    module_path = "${path.module}",
+    batch_node  = each.key,
+  })
 }
--- a/nomad/backups/jobs/lldap.hcl
+++ b/nomad/backups/jobs/lldap.hcl
@ -0,0 +1,38 @@
+job "lldap" {
+  schedule = "* * * * *"
+
+  config {
+    # TODO: Backup to a meaningful location, this is just for testing
+    repo = "/local/repo"
+    # Read from secret file
+    passphrase = env("BACKUP_PASSPHRASE")
+  }
+
+  # Remove when using a proper backup destination
+  task "Create dir for repo" {
+    pre_script {
+      on_backup = "echo 'Backing up something'"
+    }
+    pre_script {
+      on_backup = "mkdir -p /local/repo"
+    }
+  }
+
+  sqlite "Backup database" {
+    path        = "/data/lldap/users.db"
+    dump_to        = "/data/lldap/users.db.bak"
+  }
+
+  backup {
+    paths = ["/data/lldap"]
+    # Because path is absolute
+    restore_opts {
+      Target = "/"
+    }
+  }
+
+  forget {
+    KeepLast = 2
+    Prune = true
+  }
+}
--- a/nomad/backups/oneoff.nomad
+++ b/nomad/backups/oneoff.nomad
@ -1,171 +0,0 @@
-variable "nextcloud_backup" {
-  type = string
-  description = "HCL config for Restic Scheduler jobs"
-}
-
-variable "consul_backup" {
-  type = string
-  description = "HCL config for Restic Scheduler jobs"
-}
-
-job "backup-oneoff-n2" {
-  datacenters = ["dc1"]
-  type = "batch"
-
-  parameterized {
-    meta_required = ["job_name"]
-    meta_optional = ["task", "snapshot"]
-
-  }
-
-  meta {
-    task = "backup"
-    snapshot = "latest"
-  }
-
-
-  constraint {
-    attribute = "${node.unique.name}"
-    # Only node with a backup job so far
-    # Remove when backing up all nodes
-    value = "n2"
-  }
-
-  group "backup" {
-
-    network {
-      mode = "bridge"
-
-      port "metrics" {
-        to = 8080
-      }
-    }
-
-    volume "all-volumes" {
-      type = "host"
-      read_only = true
-      source = "all-volumes"
-    }
-
-    service {
-      port = "metrics"
-
-      # Add connect to mysql
-      connect {
-        sidecar_service {
-          proxy {
-            local_service_port = 8080
-
-            upstreams {
-              destination_name = "mysql-server"
-              local_bind_port = 6060
-            }
-
-            config {
-              protocol = "tcp"
-            }
-          }
-        }
-
-        sidecar_task {
-          resources {
-            cpu    = 50
-            memory = 50
-          }
-        }
-      }
-
-      meta {
-        metrics_addr = "${NOMAD_ADDR_metrics}"
-      }
-    }
-
-    task "backup" {
-      driver = "docker"
-
-      volume_mount {
-        volume = "all-volumes"
-        destination = "/data"
-        read_only = true
-      }
-
-      config {
-        image = "iamthefij/resticscheduler"
-        ports = ["metrics"]
-        args = [
-          "-once",
-          "-${NOMAD_META_task}",
-          "${NOMAD_META_job_name}",
-          # TODO: add restore arg here
-          "/jobs/node-jobs.hcl",
-        ]
-
-        mount {
-          type = "bind"
-          target = "/jobs"
-          source = "jobs"
-        }
-      }
-
-      vault {
-        policies = [
-          "access-tables",
-          "nomad-task",
-        ]
-      }
-
-      env = {
-        "MYSQL_HOST" = "${NOMAD_UPSTREAM_IP_mysql_server}"
-        "MYSQL_PORT" = "${NOMAD_UPSTREAM_PORT_mysql_server}"
-      }
-
-      template {
-        # Probably want to use database credentials that have access to dump all tables
-        data = <<EOF
-{{ with secret "kv/data/nextcloud" }}
-MYSQL_DATABASE={{ .Data.data.db_name }}
-MYSQL_USER={{ .Data.data.db_user }}
-MYSQL_PASSWORD={{ .Data.data.db_pass }}
-{{ end }}
-{{ with secret "kv/data/backups" }}
-BACKUP_PASSPHRASE={{ .Data.data.backup_passphrase }}
-{{ end }}
-        EOF
-        destination = "secrets/db.env"
-        env = true
-      }
-
-      template {
-        data = <<EOH
-CONSUL_HTTP_ADDR={{ env "attr.unique.network.ip-address" }}:8500
-        EOH
-        destination = "local/consul.env"
-        env = true
-      }
-
-
-      template {
-        # Build jobs based on node
-        data = <<EOF
-# Current node is {{ env "node.unique.name" }}
-# Consul backup below?
-{{ if eq (env "node.unique.name") "n2" -}}
-# Consul backup
-${var.consul_backup}
-{{ end -}}
-{{ range service "nextcloud" }}
-# Nextcloud .Node {{ .Node }}
-{{ if eq .Node (env "node.unique.name") }}
-${var.nextcloud_backup}
-{{ end }}{{ end }}
-        EOF
-        destination = "jobs/node-jobs.hcl"
-      }
-
-      resources {
-        cpu = 50
-        memory = 256
-      }
-    }
-  }
-}