Initial infra setup: Terraform, Ansible, backup roles

2026-03-31 08:11:12 -05:00
commit d6ff4746d0
31 changed files with 792 additions and 0 deletions
--- a/ansible/roles/backup/defaults/main.yml
+++ b/ansible/roles/backup/defaults/main.yml
@@ -0,0 +1,14 @@
+---
+backup_bucket: "lunarfront-infra"
+backup_spaces_region: "nyc3"
+backup_schedule: "0 3 * * *"  # 3am daily
+
+backup_dirs:
+  - src: /var/lib/gitea/data
+    dest: backups/gitea
+  - src: /var/lib/vaultwarden/data
+    dest: backups/vaultwarden
+
+# Set in vault
+spaces_access_key: ""
+spaces_secret_key: ""
--- a/ansible/roles/backup/tasks/main.yml
+++ b/ansible/roles/backup/tasks/main.yml
@@ -0,0 +1,38 @@
+---
+- name: Install rclone
+  apt:
+    name: rclone
+    state: present
+    update_cache: true
+
+- name: Create rclone config directory
+  file:
+    path: /root/.config/rclone
+    state: directory
+    owner: root
+    group: root
+    mode: "0700"
+
+- name: Deploy rclone config
+  template:
+    src: rclone.conf.j2
+    dest: /root/.config/rclone/rclone.conf
+    owner: root
+    group: root
+    mode: "0600"
+
+- name: Deploy backup script
+  template:
+    src: backup.sh.j2
+    dest: /usr/local/bin/backup.sh
+    owner: root
+    group: root
+    mode: "0700"
+
+- name: Schedule daily backup cron job
+  cron:
+    name: "lunarfront backup"
+    job: "/usr/local/bin/backup.sh >> /var/log/backup.log 2>&1"
+    minute: "0"
+    hour: "3"
+    user: root
--- a/ansible/roles/backup/templates/backup.sh.j2
+++ b/ansible/roles/backup/templates/backup.sh.j2
@@ -0,0 +1,34 @@
+#!/bin/bash
+set -euo pipefail
+
+DATE=$(date +%Y-%m-%d)
+MONTH=$(date +%Y-%m)
+DAY_OF_MONTH=$(date +%d)
+
+echo "[$(date)] Starting backup"
+
+{% for item in backup_dirs %}
+echo "[$(date)] Backing up {{ item.src }}"
+
+# Daily backup — kept for 30 days
+rclone sync {{ item.src }} spaces://{{ backup_bucket }}/{{ item.dest }}/daily/${DATE} \
+  --s3-acl private
+
+# Monthly backup on the 1st — kept for 12 months
+if [ "${DAY_OF_MONTH}" = "01" ]; then
+  rclone sync {{ item.src }} spaces://{{ backup_bucket }}/{{ item.dest }}/monthly/${MONTH} \
+    --s3-acl private
+  echo "[$(date)] Monthly backup complete for {{ item.src }}"
+fi
+
+# Prune daily backups older than 30 days
+rclone delete spaces://{{ backup_bucket }}/{{ item.dest }}/daily \
+  --min-age 30d --s3-acl private
+
+# Prune monthly backups older than 12 months
+rclone delete spaces://{{ backup_bucket }}/{{ item.dest }}/monthly \
+  --min-age 365d --s3-acl private
+
+{% endfor %}
+
+echo "[$(date)] Backup complete"
--- a/ansible/roles/backup/templates/rclone.conf.j2
+++ b/ansible/roles/backup/templates/rclone.conf.j2
@@ -0,0 +1,7 @@
+[spaces]
+type = s3
+provider = DigitalOcean
+access_key_id = {{ spaces_access_key }}
+secret_access_key = {{ spaces_secret_key }}
+endpoint = nyc3.digitaloceanspaces.com
+acl = private