create playbook for backup servers and the connection between app ser…

…vers and backups

.github/workflows/provision.yml

@@ -74,7 +74,7 @@ jobs:
           backup_encryption_passphrase: ${{ secrets.BACKUP_ENCRYPTION_PASSPHRASE }}
           elasticsearch_superuser_password: ${{ secrets.ELASTICSEARCH_SUPERUSER_PASSWORD }}
           external_backup_server_remote_directory: ${{ vars.BACKUP_DIRECTORY }}
-          external_backup_server_user: ${{ secrets.SSH_USER }}
+          external_backup_server_user: ${{ secrets.BACKUP_SSH_USER }}
           external_backup_server_ssh_port: 22
           external_backup_server_ip: ${{ secrets.BACKUP_HOST }}
           manager_production_server_ip: ${{ secrets.SSH_HOST }}
@@ -107,7 +107,7 @@ jobs:
           backup_encryption_passphrase: ${{ secrets.BACKUP_ENCRYPTION_PASSPHRASE }}
           elasticsearch_superuser_password: ${{ secrets.ELASTICSEARCH_SUPERUSER_PASSWORD }}
           external_backup_server_remote_directory: ${{ vars.BACKUP_DIRECTORY }}
-          external_backup_server_user: ${{ secrets.SSH_USER }}
+          external_backup_server_user: ${{ secrets.BACKUP_SSH_USER }}
           external_backup_server_ssh_port: 22
           external_backup_server_ip: ${{ secrets.BACKUP_HOST }}
           manager_production_server_ip: ${{ secrets.SSH_HOST }}

infrastructure/create-github-environment.js

@@ -78,6 +78,7 @@ const config = {
   },
   backup: {
     BACKUP_HOST: process.env.BACKUP_HOST || '',
+    BACKUP_SSH_USER: process.env.BACKUP_SSH_USER || '',
     BACKUP_DIRECTORY: ''
   }
 }

infrastructure/server-setup/backups.yml

@@ -0,0 +1,54 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# OpenCRVS is also distributed under the terms of the Civil Registration
+# & Healthcare Disclaimer located at http://opencrvs.org/license.
+#
+# Copyright (C) The OpenCRVS Authors located at https://github.com/opencrvs/opencrvs-core/blob/master/AUTHORS.
+---
+- hosts: localhost
+  tasks:
+    - name: Generate SSH keypair for application -> backup server connection
+      command: ssh-keygen -t rsa -b 4096 -f /tmp/backup_ssh_key -N ""
+
+- hosts: docker-manager-first
+  tasks:
+    - name: Check if ssh_key already exists
+      stat:
+        path: /home/{{ ansible_user }}/.ssh/id_rsa
+      register: file_check
+
+    - name: Ensure application server can login to backup server
+      copy:
+        src: /tmp/backup_ssh_key
+        dest: /home/{{ ansible_user }}/.ssh/id_rsa
+        mode: 0600
+      when: not file_check.stat.exists
+
+- hosts: backups
+  become: yes
+  become_method: sudo
+  tasks:
+    - name: Ensure backup user is present
+      user:
+        name: '{{ external_backup_server_user }}'
+        state: present
+
+    - name: Check if authorized_keys already exists
+      stat:
+        path: /home/{{ external_backup_server_user }}/.ssh/authorized_keys
+      register: file_check
+
+    - name: Ensure backup application servers can login to backup server
+      copy:
+        src: /tmp/backup_ssh_key.pub
+        dest: /home/{{ external_backup_server_user }}/.ssh/authorized_keys
+        mode: 0600
+      when: not file_check.stat.exists
+
+    - name: 'Create backup directory'
+      file:
+        path: '{{ external_backup_server_remote_directory }}'
+        state: directory
+        owner: '{{ external_backup_server_user }}'

infrastructure/server-setup/playbook.yml

@@ -12,7 +12,7 @@
     - name: Create MongoDB replicate key file locally
       local_action: shell openssl rand -base64 755 > /tmp/mongodb-keyfile
 
-- hosts: all
+- hosts: docker-manager-first, docker-workers
   become: yes
   become_method: sudo
   tasks:
@@ -186,3 +186,5 @@
       when: "docker_info.stdout.find('Swarm: inactive') != -1"
       retries: 3
       delay: 20
+
+- import_playbook: backups.yml

infrastructure/server-setup/production.yml

@@ -45,3 +45,8 @@ docker-workers:
       ansible_host: '178.128.245.255'
       data_label: data2
       ansible_ssh_common_args: '-J provision@165.22.110.53 -o StrictHostKeyChecking=no'
+
+backups:
+  hosts:
+    farajaland-qa:
+      ansible_host: '165.22.110.53'

infrastructure/server-setup/tasks/crontab.yml

@@ -4,18 +4,12 @@
     minute: '0'
     hour: '0'
     job: 'cd / && bash /opt/opencrvs/infrastructure/backup.sh --passphrase={{ backup_encryption_passphrase }} --ssh_user={{ external_backup_server_user }} --ssh_host={{ external_backup_server_ip }} --ssh_port={{ external_backup_server_ssh_port }} --production_ip={{ manager_production_server_ip }} --remote_dir={{ external_backup_server_remote_directory }} --replicas=1 >> /var/log/opencrvs-backup.log 2>&1'
-  when:
-    - external_backup_server_ip is defined
-    - backup_encryption_passphrase
-    - enable_backups
+    state: "{{ 'present' if (external_backup_server_ip is defined and backup_encryption_passphrase and enable_backups) else 'absent' }}"
 
 - name: 'Setup crontab to restore the opencrvs data'
   cron:
     name: 'restore opencrvs'
     minute: '0'
     hour: '1'
     job: 'cd / && bash /opt/opencrvs/infrastructure/restore.sh --passphrase={{ backup_encryption_passphrase }} --ssh_user={{ external_backup_server_user }} --ssh_host={{ external_backup_server_ip }} --ssh_port={{ external_backup_server_ssh_port }} --remote_dir={{ external_backup_server_remote_directory }} --replicas=1 >> /var/log/opencrvs-restore.log 2>&1'
-  when:
-    - external_backup_server_ip is defined
-    - backup_encryption_passphrase
-    - periodic_restore_from_backup
+    state: "{{ 'present' if (external_backup_server_ip is defined and backup_encryption_passphrase and periodic_restore_from_backup) else 'absent' }}"