Add lldap backup and templatize backup job

Now the oneoff and system jobs all use the same template
This commit is contained in:
IamTheFij 2022-07-27 17:02:29 -07:00
parent 6e074c55aa
commit 9a315eb2f7
4 changed files with 95 additions and 218 deletions


@ -1,24 +1,36 @@
variable "nextcloud_backup" { job "backup%{ if batch_node != null }-oneoff-${batch_node}%{ endif }" {
type = string
description = "HCL config for Restic Scheduler jobs"
}
variable "consul_backup" {
type = string
description = "HCL config for Restic Scheduler jobs"
}
job "backup" {
datacenters = ["dc1"] datacenters = ["dc1"]
%{ if batch_node == null ~}
type = "system" type = "system"
%{ else ~}
type = "batch"
parameterized {
meta_required = ["job_name"]
meta_optional = ["task", "snapshot"]
constraint {
attribute = "${node.unique.name}"
# Only node with a backup job so far
# Remove when backing up all nodes
value = "n2"
} }
meta {
task = "backup"
snapshot = "latest"
}
%{ endif ~}
%{ if batch_node == null ~}
constraint {
attribute = "$${node.unique.name}"
operator = "set_contains_any"
# Only deploy to nodes running tasks to backup
value = "n1,n2"
}
%{ else ~}
constraint {
attribute = "$${node.unique.name}"
value = "${batch_node}"
}
%{ endif ~}
group "backup" { group "backup" {
network { network {
@ -64,7 +76,7 @@ job "backup" {
} }
meta { meta {
metrics_addr = "${NOMAD_ADDR_metrics}" metrics_addr = "$${NOMAD_ADDR_metrics}"
} }
} }
@ -81,6 +93,11 @@ job "backup" {
image = "iamthefij/resticscheduler" image = "iamthefij/resticscheduler"
ports = ["metrics"] ports = ["metrics"]
args = [ args = [
%{ if batch_node != null ~}
"-once",
"-$${NOMAD_META_task}",
"$${NOMAD_META_job_name}",
%{ endif ~}
"/jobs/node-jobs.hcl", "/jobs/node-jobs.hcl",
] ]
@ -99,8 +116,8 @@ job "backup" {
} }
env = { env = {
"MYSQL_HOST" = "${NOMAD_UPSTREAM_IP_mysql_server}" "MYSQL_HOST" = "$${NOMAD_UPSTREAM_IP_mysql_server}"
"MYSQL_PORT" = "${NOMAD_UPSTREAM_PORT_mysql_server}" "MYSQL_PORT" = "$${NOMAD_UPSTREAM_PORT_mysql_server}"
} }
template { template {
@ -132,16 +149,22 @@ CONSUL_HTTP_ADDR={{ env "attr.unique.network.ip-address" }}:8500
# Build jobs based on node # Build jobs based on node
data = <<EOF data = <<EOF
# Current node is {{ env "node.unique.name" }} # Current node is {{ env "node.unique.name" }}
# Consul backup below?
{{ if eq (env "node.unique.name") "n2" -}} {{ if eq (env "node.unique.name") "n2" -}}
# Consul backup # Consul backup
${var.consul_backup} ${file("${module_path}/jobs/consul.hcl")}
{{ end -}} {{ end -}}
{{ range service "nextcloud" }} {{ range service "nextcloud" -}}
# Nextcloud .Node {{ .Node }} # Nextcloud .Node {{ .Node }}
{{ if eq .Node (env "node.unique.name") }} {{ if eq .Node (env "node.unique.name") -}}
${var.nextcloud_backup} ${file("${module_path}/jobs/nextcloud.hcl")}
{{ end }}{{ end }} {{ end -}}
{{ end -}}
{{ range service "lldap" -}}
# Lldap .Node {{ .Node }}
{{ if eq .Node (env "node.unique.name") -}}
${file("${module_path}/jobs/lldap.hcl")}
{{ end -}}
{{ end -}}
EOF EOF
destination = "jobs/node-jobs.hcl" destination = "jobs/node-jobs.hcl"
} }
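Review bot: The job files pulled in with `${file(...)}` on the new consul, nextcloud and lldap lines are pasted verbatim into a consul-template heredoc, so any `{{ ... }}` inside them is interpreted by Nomad's template engine and a line consisting only of `EOF` would terminate the heredoc early, instead of reaching restic-scheduler. A comment above `data = <<EOF` should state that constraint: `# Included job files are inlined verbatim: no Go-template braces, no bare EOF line`. Separately, the system branch of the first hunk still hard-codes `value = "n1,n2"` for the deploy constraint while the lldap and nextcloud jobs are matched dynamically with `range service`; if one of those services lands on a node outside that list its backup silently never runs, so the list deserves a comment tying it to the services enumerated in this template. The template block continues outside the hunk.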


@ -1,27 +1,14 @@
locals {
nextcloud_backup = file("${path.module}/jobs/nextcloud.hcl")
}
resource "nomad_job" "backups" { resource "nomad_job" "backups" {
hcl2 { jobspec = templatefile("${path.module}/backup.nomad", {
enabled = true module_path = "${path.module}",
vars = { batch_node = null,
"nextcloud_backup" = "${local.nextcloud_backup}", })
"consul_backup" = file("${path.module}/jobs/consul.hcl"),
}
}
jobspec = file("${path.module}/backup.nomad")
} }
resource "nomad_job" "backups-oneoff" { resource "nomad_job" "backups-oneoff" {
hcl2 { for_each = toset(["n1", "n2", "n3"])
enabled = true jobspec = templatefile("${path.module}/backup.nomad", {
vars = { module_path = "${path.module}",
"nextcloud_backup" = "${local.nextcloud_backup}", batch_node = each.key,
"consul_backup" = file("${path.module}/jobs/consul.hcl"), })
}
}
jobspec = file("${path.module}/oneoff.nomad")
} }
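Review bot: `module_path = "${path.module}"` in both resources wraps a single expression in an interpolation string; `module_path = path.module` is the idiomatic form and avoids the Terraform warning. The `for_each = toset(["n1", "n2", "n3"])` set includes n3, which the system job's `value = "n1,n2"` constraint in backup.nomad excludes, so the n3 one-off job is registered but has no corresponding system placement; a comment naming the intended relationship between the two node lists would help. The dropped `hcl2 { enabled = true }` block presumably means the rendered jobspec is no longer parsed as HCL2; if so, a one-line comment on `jobspec = templatefile(...)` saying that the `$${...}` escapes in the template exist for that reason would save the next reader from re-adding it.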


@ -0,0 +1,38 @@
job "lldap" {
schedule = "* * * * *"
config {
# TODO: Backup to a meaningful location, this is just for testing
repo = "/local/repo"
# Read from secret file
passphrase = env("BACKUP_PASSPHRASE")
}
# Remove when using a proper backup destination
task "Create dir for repo" {
pre_script {
on_backup = "echo 'Backing up something'"
}
pre_script {
on_backup = "mkdir -p /local/repo"
}
}
sqlite "Backup database" {
path = "/data/lldap/users.db"
dump_to = "/data/lldap/users.db.bak"
}
backup {
paths = ["/data/lldap"]
# Because path is absolute
restore_opts {
Target = "/"
}
}
forget {
KeepLast = 2
Prune = true
}
}
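Review bot: `dump_to = "/data/lldap/users.db.bak"` writes the SQLite dump into the live data directory, which the deleted oneoff.nomad mounted with `read_only = true` in its `volume_mount`; if backup.nomad keeps the same mount, which is outside these hunks, the dump step fails before the `backup` block runs. Even where it succeeds, a copy of the user database (which likely holds credential material) is left beside the live file on the shared volume and is itself swept up by `paths = ["/data/lldap"]`; dumping into the task's own `local/` directory and listing that path in `paths` keeps the dump out of the shared volume. The two consecutive `pre_script` blocks, one of which is only the placeholder `echo`, could be merged into one.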


@ -1,171 +0,0 @@
variable "nextcloud_backup" {
type = string
description = "HCL config for Restic Scheduler jobs"
}
variable "consul_backup" {
type = string
description = "HCL config for Restic Scheduler jobs"
}
job "backup-oneoff-n2" {
datacenters = ["dc1"]
type = "batch"
parameterized {
meta_required = ["job_name"]
meta_optional = ["task", "snapshot"]
}
meta {
task = "backup"
snapshot = "latest"
}
constraint {
attribute = "${node.unique.name}"
# Only node with a backup job so far
# Remove when backing up all nodes
value = "n2"
}
group "backup" {
network {
mode = "bridge"
port "metrics" {
to = 8080
}
}
volume "all-volumes" {
type = "host"
read_only = true
source = "all-volumes"
}
service {
port = "metrics"
# Add connect to mysql
connect {
sidecar_service {
proxy {
local_service_port = 8080
upstreams {
destination_name = "mysql-server"
local_bind_port = 6060
}
config {
protocol = "tcp"
}
}
}
sidecar_task {
resources {
cpu = 50
memory = 50
}
}
}
meta {
metrics_addr = "${NOMAD_ADDR_metrics}"
}
}
task "backup" {
driver = "docker"
volume_mount {
volume = "all-volumes"
destination = "/data"
read_only = true
}
config {
image = "iamthefij/resticscheduler"
ports = ["metrics"]
args = [
"-once",
"-${NOMAD_META_task}",
"${NOMAD_META_job_name}",
# TODO: add restore arg here
"/jobs/node-jobs.hcl",
]
mount {
type = "bind"
target = "/jobs"
source = "jobs"
}
}
vault {
policies = [
"access-tables",
"nomad-task",
]
}
env = {
"MYSQL_HOST" = "${NOMAD_UPSTREAM_IP_mysql_server}"
"MYSQL_PORT" = "${NOMAD_UPSTREAM_PORT_mysql_server}"
}
template {
# Probably want to use database credentials that have access to dump all tables
data = <<EOF
{{ with secret "kv/data/nextcloud" }}
MYSQL_DATABASE={{ .Data.data.db_name }}
MYSQL_USER={{ .Data.data.db_user }}
MYSQL_PASSWORD={{ .Data.data.db_pass }}
{{ end }}
{{ with secret "kv/data/backups" }}
BACKUP_PASSPHRASE={{ .Data.data.backup_passphrase }}
{{ end }}
EOF
destination = "secrets/db.env"
env = true
}
template {
data = <<EOH
CONSUL_HTTP_ADDR={{ env "attr.unique.network.ip-address" }}:8500
EOH
destination = "local/consul.env"
env = true
}
template {
# Build jobs based on node
data = <<EOF
# Current node is {{ env "node.unique.name" }}
# Consul backup below?
{{ if eq (env "node.unique.name") "n2" -}}
# Consul backup
${var.consul_backup}
{{ end -}}
{{ range service "nextcloud" }}
# Nextcloud .Node {{ .Node }}
{{ if eq .Node (env "node.unique.name") }}
${var.nextcloud_backup}
{{ end }}{{ end }}
EOF
destination = "jobs/node-jobs.hcl"
}
resources {
cpu = 50
memory = 256
}
}
}
}