hachyderm.general.pgbackrest role – Install and configure pgBackRest

Note

This role is part of the hachyderm.general collection (version 1.0.0).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it use: ansible-galaxy collection install hachyderm.general.

To use it in a playbook, specify: hachyderm.general.pgbackrest.

Entry point main – Install and configure pgBackRest

Synopsis

  • Install and configure pgBackRest, a reliable backup and restore solution for PostgreSQL

Parameters

Parameter

Comments

pgbackrest_additional_groups

list / elements=string

List of groups to append to the operating system user.

pgbackrest_agent_address

string

Address on which an agent listens.

See TLS Server Address Option.

Default: "localhost"

pgbackrest_agent_allowed_users

dictionary

Dictionary of allowed users (server) on the agent.

The key is the hostname.

The value is the stanza name.

See TLS Server Authorized Clients Option.

pgbackrest_agent_group

string

Operating system group for an agent.

Default: "postgres"

pgbackrest_agent_port

integer

Port on which an agent listens.

See TLS Server Port Option.

Default: 8432

pgbackrest_agent_repositories

list / elements=dictionary

List of agent-to-repository (server) connections.

All repositories must be declared.

If pgBackRest is supposed to send backups to multiple object stores or filesystems, this list must contain as many entries as there are server repositories (pgbackrest_server_repositories), even if the content is repeated.

The repository index will be automatically generated.

See Repository Options.

Default: [{"config": "/etc/pgbackrest-server/pgbackrest.conf", "host": "localhost", "port": 8432, "user": "pgbackrest"}]

pgbackrest_agent_stanzas

dictionary

Dictionary of stanzas supported by an agent.

The key is the name of each stanza.

The value is a list of stanza options.

The server index will be automatically generated.

See Stanza Options.

pgbackrest_agent_tls_ca

string

Content of the Certificate Authority (CA) certificate used to verify the authenticity of TLS certificates for an agent.

Use the same CA for agent and server.

If defined, the content will be written in pgbackrest_agent_tls_ca_file.

See TLS Server Certificate Authorities Option.

Generate a CA key with openssl ecparam -name secp384r1 -genkey -noout -out ca.key.

Keep the key so that certificates can be renewed during the CA's validity period.

Generate a CA certificate with openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt -subj "/C=BE/ST=Brussels Capital/L=Brussels/O=My Organization/OU=pgBackRest/CN=CA".

pgbackrest_agent_tls_ca_file

path

Path to the TLS server certificate authorities for an agent.

For certificates signed by a trusted CA, use /etc/ssl/certs/ca-certificates.crt.

See TLS Server Certificate Authorities Option.

Default: "/etc/pgbackrest/ca.crt"

pgbackrest_agent_tls_cert

string

Content of the TLS server certificate for an agent.

See TLS Server Certificate Option.

See pgbackrest_agent_tls_key to generate the key.

Generate a certificate request with openssl req -new -nodes -out agent.csr -key agent.key -subj "/CN=agent".

Generate a certificate with openssl x509 -req -in agent.csr -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial -out agent.crt.

Replace agent with the fully qualified domain name of the agent.

The fully qualified domain name must be resolvable.

pgbackrest_agent_tls_cert_file

path

Path to the TLS server certificate for an agent.

See TLS Server Certificate Option.

Default: "/etc/pgbackrest/server.crt"

pgbackrest_agent_tls_key

string

Content of the TLS server key for an agent.

If defined, the content will be written in pgbackrest_agent_tls_key_file.

See TLS Server Key Option.

Generate a key with openssl ecparam -name prime256v1 -genkey -noout -out agent.key.

pgbackrest_agent_tls_key_file

path

Path to the TLS server key file for an agent.

See TLS Server Key Option.

Default: "/etc/pgbackrest/server.key"

pgbackrest_agent_user

string

Operating system user for an agent.

Default: "postgres"

pgbackrest_full_install

boolean

Enable tasks that are part of a circular dependency with the hachyderm.general.postgresql role.

Checking the configuration forces a WAL to be archived, so a working PostgreSQL instance is required.

However, if PostgreSQL is deployed with the pgbackrest binary for the restore command, the service may not start because it requires pgBackRest to be fully working.

The same applies to stanza creation.

The pgbackrest_full_install variable can be disabled to skip all the tasks that are part of the circular dependency.

Choices:

  • false

  • true ← (default)

pgbackrest_group

string

Operating system group for a standalone deployment.

Default: "postgres"

pgbackrest_notification_command

string

Command to execute when a pgBackRest backup command is performed.

The command takes two positional arguments.

  1. the pgBackRest string to tell who's running the command.

  2. a message to tell what is happening (replaced by pgbackrest_notification_message_start and pgbackrest_notification_message_stop).

pgbackrest_notification_message_start

string

Message sent to the notification command when a backup command is starting.

Default: "starting"

pgbackrest_notification_message_stop

string

Message sent to the notification command when a backup command is stopping.

Default: "done"

pgbackrest_repositories

list / elements=dictionary

List of repositories in a standalone deployment.

The repository index will be automatically generated.

See Repository Options.

pgbackrest_role

string

Role of the pgBackRest instance on the server.

standalone to run everything locally.

server to start a TLS server and orchestrate backup policies.

agent to start a TLS server to receive operations from the server.

both to configure a server and an agent on the same host.

Choices:

  • "standalone" ← (default)

  • "server"

  • "agent"

  • "both"

pgbackrest_schedule_diff

string

When to start differential backups.

See OnCalendar.

See Calendar Events.

pgbackrest_schedule_full

string

When to start full backups.

See OnCalendar.

See Calendar Events.

pgbackrest_schedule_incr

string

When to start incremental backups.

See OnCalendar.

See Calendar Events.

pgbackrest_schedules

dictionary

DEPRECATED.

Use pgbackrest_schedule_full, pgbackrest_schedule_diff and pgbackrest_schedule_incr instead.

Dictionary of backup schedules.

The key is the backup type (full or diff).

The value is a dict of systemd timer settings (see systemd.timer).

pgbackrest_schedules_randomized_delay_sec

integer

Random number of seconds to wait before starting backup services.

pgbackrest_server_address

string

Address on which a server listens.

See TLS Server Address Option.

Default: "localhost"

pgbackrest_server_allowed_users

dictionary

Dictionary of allowed users (agents) on the server.

The key is the hostname.

The value is the stanza name.

Names must be included in the TLS certificate and resolvable by DNS.

See TLS Server Authorized Clients Option.

pgbackrest_server_group

string

Operating system group for a server.

Default: "pgbackrest"

pgbackrest_server_lock_path

path

Path where lock files are stored on the server.

See Lock Path Option.

Default: "/tmp/pgbackrest-server"

pgbackrest_server_port

integer

Port on which a server listens.

See TLS Server Port Option.

Default: 8432

pgbackrest_server_repositories

list / elements=dictionary

List of repositories.

See Repository Options.

pgbackrest_server_stanzas

dictionary

Dictionary of stanzas to create on a server.

The key is the stanza name.

The value is a list of repositories.

The server index will be automatically generated.

See Stanza Options.

pgbackrest_server_tls_ca

string

Content of the Certificate Authority (CA) certificate used to verify the authenticity of TLS certificates for a server.

Use the same CA for agent and server.

If defined, the content will be written in pgbackrest_server_tls_ca_file.

See TLS Server Certificate Authorities Option.

Generate a CA key with openssl ecparam -name secp384r1 -genkey -noout -out ca.key.

Keep the key so that certificates can be renewed during the CA's validity period.

Generate a CA certificate with openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt -subj "/C=BE/ST=Brussels Capital/L=Brussels/O=My Organization/OU=pgBackRest/CN=CA".

pgbackrest_server_tls_ca_file

path

Path to the TLS server certificate authorities for a server.

See TLS Server Certificate Authorities Option.

Default: "/etc/pgbackrest-server/ca.crt"

pgbackrest_server_tls_cert

string

Content of the TLS server certificate for a server.

When pgbackrest_role is both, use the same TLS cert for agent and server.

If defined, the content will be written in pgbackrest_server_tls_cert_file.

See TLS Server Certificate Option.

See pgbackrest_server_tls_key to generate the key.

Generate a certificate request with openssl req -new -nodes -out server.csr -key server.key -subj "/CN=server".

Generate a certificate with openssl x509 -req -in server.csr -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt.

Replace server with the fully qualified domain name of the server.

The fully qualified domain name must be resolvable.

pgbackrest_server_tls_cert_file

path

Path to the TLS server certificate for a server.

See TLS Server Certificate Option.

Default: "/etc/pgbackrest-server/server.crt"

pgbackrest_server_tls_key

string

Content of the TLS server key for a server.

When pgbackrest_role is both, use the same TLS key for agent and server.

If defined, the content will be written in pgbackrest_server_tls_key_file.

See TLS Server Key Option.

Generate a key with openssl ecparam -name prime256v1 -genkey -noout -out server.key.

pgbackrest_server_tls_key_file

path

Path to the TLS server key file for a server.

See TLS Server Key Option.

Default: "/etc/pgbackrest-server/server.key"

pgbackrest_server_user

string

Operating system user for a server.

Default: "pgbackrest"

pgbackrest_server_user_home

path

Home of the operating system user for a server.

Default: "/var/lib/pgbackrest"

pgbackrest_service_after

list / elements=string

List of systemd units to wait for before starting pgBackRest.

pgbackrest_settings

dictionary

Dictionary of custom settings.

The key is the setting name.

The value is the setting value.

See General Options.

pgbackrest_stanzas

dictionary

Dictionary of stanzas to create in a standalone deployment.

The repository index will be automatically generated.

See Stanza Options.

pgbackrest_user

string

Operating system user for a standalone deployment.

Default: "postgres"
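
The certificate steps listed under the pgbackrest_agent_tls_* and pgbackrest_server_tls_* parameters, run end to end for one host and followed by checks, as an added example that is not part of the role or the collection. The function names, script name and arguments are assumptions; the openssl generation commands are the ones on this page, with the host's fully qualified domain name as the CN.

```shell
#!/bin/sh
# Added example (not from the role): the page's openssl commands plus checks.
# Usage: sh make-certs.sh DIR FQDN   (script name and arguments are hypothetical)

# make_ca DIR: create ca.key and ca.crt once. An existing CA key is kept,
# because it is needed to renew certificates later.
make_ca() (
    cd "$1" || exit 1
    [ -s ca.key ] && exit 0
    umask 077   # private keys must not be readable by group or others
    openssl ecparam -name secp384r1 -genkey -noout -out ca.key &&
    openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt \
        -subj "/C=BE/ST=Brussels Capital/L=Brussels/O=My Organization/OU=pgBackRest/CN=CA"
)

# issue_cert DIR FQDN: key, certificate request and CA-signed certificate.
issue_cert() (
    cd "$1" || exit 1
    umask 077
    openssl ecparam -name prime256v1 -genkey -noout -out "$2.key" &&
    openssl req -new -nodes -out "$2.csr" -key "$2.key" -subj "/CN=$2" &&
    openssl x509 -req -in "$2.csr" -days 365 -CA ca.crt -CAkey ca.key \
        -CAcreateserial -out "$2.crt"
)

# check_cert DIR FQDN: returns 0 only if FQDN.crt chains to ca.crt, belongs
# to FQDN.key, carries FQDN as its CN, and the key file is mode 0600.
check_cert() (
    cd "$1" || exit 1
    openssl verify -CAfile ca.crt "$2.crt" >/dev/null 2>&1 ||
        { echo "FAIL: $2.crt does not chain to ca.crt"; exit 1; }
    [ "$(openssl x509 -in "$2.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$2.key" -pubout)" ] ||
        { echo "FAIL: $2.crt and $2.key do not match"; exit 1; }
    case "$(openssl x509 -in "$2.crt" -noout -subject -nameopt RFC2253)" in
        *"CN=$2") ;;
        *) echo "FAIL: certificate CN is not $2"; exit 1 ;;
    esac
    [ -n "$(find "$2.key" -perm 600)" ] ||
        { echo "FAIL: $2.key is not mode 0600"; exit 1; }
    echo "OK: $2"
)

# Runs only when the script is given DIR and FQDN on the command line.
if [ "$#" -eq 2 ]; then
    make_ca "$1" && issue_cert "$1" "$2" && check_cert "$1" "$2"
fi
```

Run it once per agent and server host name against the same DIR so that every certificate is signed by the same CA.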

Authors

  • Hachyderm contributors