Adding Restore Functionality (#10)

* Initial re-drafting variables to support backup configuration for gitlab v12.1+, parameterizing the backup schedule to allow for greater flexibility * Temporarily disabling the installation of cron to debug values * Resolving template issues for gitlab configuration backups * Adding customizable environment variable configuration for GitLab Application Backup Cron tasks * Fixing up templating for ansible-role * Cleaning up the filtering process for gitlab_config_backup_env_vars * Correcting backup command debugging message * Adding backup:restore commands for debugging * Finalizing tasks/restore.yml and including gitlab_config_privilege_escalation_user to parameterize become_user for ansible-role * Cleaning up vars/main.tf * Removing debugging message block * Adding dependent roles and debugging andrewrothstein.gitlab vars * Dropping gitlab_ver definition * Cleaning up main/task.yml * Parameterize the letsencrypt operation for omnibus-gitlab in test domain on vSphere-Lab * Convert ansible_bool variable to JSON compatible value
spk83 · Sep 24, 2021 · dd7b995 · dd7b995
1 parent 25bd0d3
commit dd7b995
Show file tree

Hide file tree

Showing 8 changed files with 207 additions and 60 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -1,15 +1,18 @@
 ---
-
+# gitlab_ver: 13.10.2
 gitlab_config_dest: /etc/gitlab
+gitlab_config_privilege_escalate: True
+gitlab_config_privilege_escalation_user: root
 
 # Run gitlab-ctl reconfigure if config has changed
-gitlab_config_reconfigure: true
+gitlab_config_reconfigure: True
 
 # Take nightly backup of gitlab application and configuration
-gitlab_config_auto_nightly_backup: true
+gitlab_config_auto_backup_enabled: True
 
 # Required
 gitlab_config_external_url: http://example.com
+gitlab_config_letsencrypt_enabled: true
 
 # Optional - Following are NOT default values, are only examples
 
@@ -91,7 +94,36 @@ gitlab_config_external_url: http://example.com
 #     },
 #   ]
 
-# gitlab_config_manage_backup_path: true
+gitlab_config_manage_backup_path: False
+gitlab_config_backup_use_nfs: False
+
+gitlab_config_backup_restore_enabled: False
+gitlab_config_backup_restore_check_config: True
+gitlab_config_backup_restore_verify_db_secrets: False
+
+## Backup Environment Variables
+# gitlab_config_backup_restore_prompt_disable: True
+gitlab_config_backup_strategy: copy
+# gitlab_config_backup_timestamp_prefix: [TIMESTAMP]
+# gitlab_config_backup_gzip_rsyncable: true
+# gitlab_config_backup_group_duration: daily|weekly
+# gitlab_config_backup_exclude_directories:
+#   - db # (databases)
+#   - uploads # (attachments)
+#   - builds # (CI job output logs)
+#   - artifacts # (CI job artifacts)
+#   - lfs # (LFS objects)
+#   - registry # (Container Registry Images)
+#   - pages # (Pages Content)
+#   - repositories # (Git repositories data)
+#   - tar # (Tar Creation)
+# Note: v13.3+ https://docs.gitlab.com/ee/raketasks/backup_restore.html#back-up-git-repositories-concurrently
+# gitlab_config_backup_concurrency: 1
+# gitlab_config_backup_storage_concurrency: 1
+
+## Backup:Restore Environment Variables
+# gitlab_config_backup_restore_timestamp: [TIMESTAMP]-{{ gitlab_config_mode | default("omnibus") }}
+
 # gitlab_config_backup_path: /var/opt/gitlab/backups
 
 # gitlab_config_backup_archive_permissions: '0644'
@@ -111,6 +143,23 @@ gitlab_config_external_url: http://example.com
 #   endPoint: https://s3.abc.com
 # gitlab_config_backup_upload_remote_directory: my.s3.gitlab-backups
 
+gitlab_config_backup_application_data: True
+gitlab_config_backup_application_data_schedule:
+  # month: '*'
+  # weekday: '*'
+  # day: '*'
+  # hour: '*'
+  # minute: '*'
+gitlab_config_backup_config_data: True
+gitlab_config_backup_config_data_schedule:
+  # month: '*'
+  # weekday: '*'
+  # day: '*'
+  # hour: '*'
+  # minute: '*'
+# gitlab_config_backup_config_data_path: /var/opt/gitlab/config-backups
+# gitlab_config_backup_config_data_addl_cmds: []
+
 # gitlab_config_smtp_enabled: true
 # gitlab_config_smtp_address: example.com
 # gitlab_config_smtp_port: 25
@@ -156,7 +205,7 @@ gitlab_config_external_url: http://example.com
 # gitlab_config_prometheus_gitlab_monitor_enabled: true
 
 # To enable HTTPS, change the gitlab_config_external_url to https://example.com
-# gitlab_config_enable_https: true
+gitlab_config_enable_https: False
 # gitlab_config_src_pki_dir: ~/pki
 # gitlab_config_dest_pki_dir: /etc/gitlab/ssl
 # gitlab_config_pki_key_suffix: '.key'
@@ -173,12 +222,6 @@ gitlab_config_external_url: http://example.com
 #     - key: no_proxy
 #       value: localhost,127.0.0.1
 
-# Setting for auto nightly backups
-# gitlab_config_backup_application_data: true
-# gitlab_config_backup_config_data: true
-# gitlab_config_backup_config_data_path: /var/opt/gitlab/config-backups
-# gitlab_config_backup_config_data_additional_cmd: ''
-
 # For all other settings listed on - https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-config-template/gitlab.rb.template ,
 # use following map to add custom settings
 # gitlab_config_custom: |+

diff --git a/meta/main.yml b/meta/main.yml
@@ -28,4 +28,8 @@ galaxy_info:
     - gitlab
     - configure
 
-dependencies: []
+dependencies:
+  - role: andrewrothstein.cron
+    version: v1.0.0
+  - role: andrewrothstein.gitlab
+    version: v2.2.8
diff --git a/tasks/backup.yml b/tasks/backup.yml
@@ -1,38 +1,66 @@
 ---
+- name: create backup dir
+  become: '{{ gitlab_config_privilege_escalate }}'
+  become_user: '{{ gitlab_config_privilege_escalation_user }}'
+  when: gitlab_config_manage_backup_path or gitlab_config_backup_use_nfs
+  file:
+    path: '{{ gitlab_config_backup_dir }}'
+    state: directory
+    mode: 0755
+    owner: '{{ gitlab_config_eff_user }}'
+    group: '{{ gitlab_config_eff_group }}'
+
 - name: create cronjob to take nightly backup of application data
-  become: yes
-  become_user: root
-  when: gitlab_config_backup_application_data|default(true)
+  become: '{{ gitlab_config_privilege_escalate }}'
+  become_user: '{{ gitlab_config_privilege_escalation_user }}'
+  when: gitlab_config_backup_application_data
   cron:
-    name: "gitlab-ce-nightly-backups-app-data"
-    minute: "0"
-    hour: "2"
-    job: "/opt/gitlab/bin/gitlab-rake gitlab:backup:create"
+    name: "gitlab-app-data-backup"
+    job: |-
+      {{ gitlab_config_backup_program }} {{ gitlab_config_backup_command }}
+      {%- for env in (gitlab_config_backup_environment_vars | dict2items | rejectattr("value", "eq", "") | list) %} {{ env.key }}={{ env.value }}{% endfor -%}
+    month: '{{ gitlab_config_backup_application_data_schedule.month | default(omit) }}'
+    weekday: '{{ gitlab_config_backup_application_data_schedule.weekday | default(omit) }}'
+    day: '{{ gitlab_config_backup_application_data_schedule.day | default(omit) }}'
+    hour: '{{ gitlab_config_backup_application_data_schedule.hour | default(omit) }}'
+    minute: '{{ gitlab_config_backup_application_data_schedule.minute | default(omit) }}'
     state: present
 
 - name: create cronjob to take nightly backup of configuration data
-  become: yes
-  become_user: root
-  when: gitlab_config_backup_config_data|default(true)
+  become: '{{ gitlab_config_privilege_escalate }}'
+  become_user: '{{ gitlab_config_privilege_escalation_user }}'
+  when: gitlab_config_backup_config_data
   cron:
-    name: "gitlab-ce-nightly-backups-config-data"
-    minute: "0"
-    hour: "2"
-    job: 'umask 0077; FILE=$(date "+etc-gitlab-\%s.tgz"); tar cfz {{ gitlab_config_auto_nightly_backup_config_data_path }}/$FILE -C / etc/gitlab; {{ gitlab_config_backup_config_data_additional_cmd }}'
+    name: "gitlab-config-data-backup"
+    job: |-
+      {{ ((gitlab_ver is version("12.3", operator="<") | ternary(
+        [
+          "umask %s" | format(gitlab_config_auto_backup_config_data_permissions),
+          'FILE=$(date "+etc-gitlab-\%s.tgz")',
+          "tar cfz %s/$FILE -C / %s" | format(gitlab_config_auto_backup_config_data_path, gitlab_config_dest)
+        ],
+        [
+          "%s backup-etc %s" | format(gitlab_config_controller_cli, gitlab_config_auto_backup_config_data_path)
+        ])) + (gitlab_config_backup_config_data_addl_cmds | default([]))) | join(";") }}
+    month: '{{ gitlab_config_backup_config_data_schedule.month | default(omit) }}'
+    weekday: '{{ gitlab_config_backup_config_data_schedule.weekday | default(omit) }}'
+    day: '{{ gitlab_config_backup_config_data_schedule.day | default(omit) }}'
+    hour: '{{ gitlab_config_backup_config_data_schedule.hour | default(omit) }}'
+    minute: '{{ gitlab_config_backup_config_data_schedule.minute | default(omit) }}'
     state: present
 
 - name: update MAILTO entry of crontab to get output of nightly jobs
-  become: yes
-  become_user: root
+  become: '{{ gitlab_config_privilege_escalate }}'
+  become_user: '{{ gitlab_config_privilege_escalation_user }}'
   when: gitlab_config_cronjob_notification_email is defined
   cronvar:
     name: MAILTO
-    value: "{{ gitlab_config_cronjob_notification_email }}"
+    value: '{{ gitlab_config_cronjob_notification_email }}'
 
 - name: update MAILFROM entry of crontab
-  become: yes
-  become_user: root
+  become: '{{ gitlab_config_privilege_escalate }}'
+  become_user: '{{ gitlab_config_privilege_escalation_user }}'
   when: gitlab_config_cronjob_notification_email is defined and gitlab_config_email_from is defined
   cronvar:
     name: MAILFROM
-    value: "{{ gitlab_config_email_from }}"
+    value: '{{ gitlab_config_email_from }}'
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -1,32 +1,25 @@
 ---
-- include_tasks: pki.yml
-  when: gitlab_config_enable_https|default(false)
-
-- name: create backup dir
-  become: yes
-  become_user: root
-  when: gitlab_config_manage_backup_path|default(false) or gitlab_config_backup_use_nfs|default(false)
-  file:
-    path: '{{ gitlab_config_backup_dir }}'
-    state: directory
-    mode: 0755
-    owner: git
-    group: git
-
 - name: load gitlab-config file
-  become: yes
-  become_user: root
-  register: load_config
+  become: '{{ gitlab_config_privilege_escalate }}'
+  become_user: '{{ gitlab_config_privilege_escalation_user }}'
+  register: gitlab_config
   template:
     src: gitlab.rb.j2
     dest: '{{ gitlab_config_dest }}/gitlab.rb'
     mode: 0600
 
-- name: reconfigure gitlab
-  become: yes
-  become_user: root
-  when: gitlab_config_reconfigure|default(true) and load_config is changed
-  command: gitlab-ctl reconfigure
+- include_tasks: pki.yml
+  when: gitlab_config_enable_https
 
 - include_tasks: backup.yml
-  when: gitlab_config_auto_nightly_backup | default(true)
+  when: gitlab_config_auto_backup_enabled
+
+- name: reconfigure gitlab
+  become: '{{ gitlab_config_privilege_escalate }}'
+  become_user: '{{ gitlab_config_privilege_escalation_user }}'
+  when: gitlab_config_reconfigure and gitlab_config is changed
+  command: '{{ gitlab_config_controller_cli }} reconfigure'
+
+- name: restore gitlab
+  when: gitlab_config_backup_restore_enabled
+  include_tasks: restore.yml
diff --git a/tasks/pki.yml b/tasks/pki.yml
@@ -1,15 +1,15 @@
 ---
 - name: create host pki dir
-  become: yes
-  become_user: root
+  become: '{{ gitlab_config_privilege_escalate }}'
+  become_user: '{{ gitlab_config_privilege_escalation_user }}'
   file:
     state: directory
     path: '{{ gitlab_config_dest_pki_dir }}'
     mode: 0700
 
 - name: install keys/certs
-  become: yes
-  become_user: root
+  become: '{{ gitlab_config_privilege_escalate }}'
+  become_user: '{{ gitlab_config_privilege_escalation_user }}'
   with_items:
     - { f: '{{ gitlab_config_pki_key_src }}', d: '{{ gitlab_config_pki_key_dest }}', m: '0400' }
     - { f: '{{ gitlab_config_pki_cert_src }}', d: '{{ gitlab_config_pki_cert_dest }}', m: '0400'}

diff --git a/tasks/restore.yml b/tasks/restore.yml
@@ -0,0 +1,42 @@
+---
+- name: stop processes connected to database
+  become: '{{ gitlab_config_privilege_escalate }}'
+  become_user: '{{ gitlab_config_privilege_escalation_user }}'
+  loop:
+    - unicorn
+    - puma
+    - sidekiq
+  command: '{{ gitlab_config_controller_cli }} stop {{ item }}'
+
+- name: restore application backup ref={{ gitlab_config_backup_restore_timestamp }}
+  become: '{{ gitlab_config_privilege_escalate }}'
+  become_user: '{{ gitlab_config_privilege_escalation_user }}'
+  command: |-
+    {{ gitlab_config_backup_program }} {{ gitlab_config_backup_restore_command }}
+      {%- for k,v in gitlab_config_backup_restore_environment_vars.items() %} {{ k }}={{ v }}{% endfor -%}
+
+- name: look for gitlab secrets file
+  become: '{{ gitlab_config_privilege_escalate }}'
+  become_user: '{{ gitlab_config_privilege_escalation_user }}'
+  changed_when: False
+  stat:
+    path: '{{ gitlab_config_secrets_path }}'
+  register: gitlab_secrets
+
+- when: gitlab_secrets.stat.exists
+  become: '{{ gitlab_config_privilege_escalate }}'
+  become_user: '{{ gitlab_config_privilege_escalation_user }}'
+  block:
+    - name: reload gitlab
+      loop:
+        - reconfigure
+        - restart
+      command: '{{ gitlab_config_controller_cli }} {{ item }}'
+
+    - name: check gitlab configuration
+      when: gitlab_config_backup_restore_check_config
+      command: gitlab-rake gitlab:check SANITIZE=true
+
+    - name: verify db decryption capabilities
+      when: gitlab_config_backup_restore_verify_db_secrets
+      command: gitlab-rake gitlab:doctor:secrets
diff --git a/templates/gitlab.rb.j2 b/templates/gitlab.rb.j2
@@ -1,11 +1,20 @@
 #jinja2: trim_blocks:False
 ## Latest options listed at https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-config-template/gitlab.rb.template
 
+{% if gitlab_config_user is defined -%}
+user['username'] = {{ gitlab_config_user | to_json }}
+{%- endif %}
+{% if gitlab_config_group is defined -%}
+user['group'] = {{ gitlab_config_group | to_json }}
+{%- endif %}
+
 ## GitLab URL
 ##! URL on which GitLab will be reachable.
 ##! For more details on configuring external_url see:
 ##! https://docs.gitlab.com/omnibus/settings/configuration.html#configuring-the-external-url-for-gitlab
 external_url "{{ gitlab_config_external_url }}"
+##! SSL Configuration Options: https://docs.gitlab.com/omnibus/settings/ssl.html
+letsencrypt['enable'] = {{ gitlab_config_letsencrypt_enabled | to_json }}
 
 {% if proxy_env is defined -%}
 gitlab_rails['env'] = {

diff --git a/vars/main.yml b/vars/main.yml
@@ -1,4 +1,10 @@
 ---
+gitlab_config_controller_cli: gitlab-ctl
+gitlab_config_secrets_path: '{{ gitlab_config_dest }}/gitlab-secrets.json'
+
+gitlab_config_eff_user: gitlab_config_user | default("git")
+gitlab_config_eff_group:  gitlab_config_group | default("git")
+
 gitlab_config_pki_key_file: '{{ inventory_hostname }}{{ gitlab_config_pki_key_suffix | default(".key") }}'
 gitlab_config_pki_key_src: '{{ gitlab_config_src_pki_dir | default("~/pki") }}/{{ gitlab_config_pki_key_file }}'
 gitlab_config_pki_key_dest: '{{ gitlab_config_dest_pki_dir | default("/etc/gitlab/ssl") }}/{{ gitlab_config_pki_key_file }}'
@@ -7,7 +13,29 @@ gitlab_config_pki_cert_file: '{{ inventory_hostname }}{{ gitlab_config_pki_cert_
 gitlab_config_pki_cert_src: '{{ gitlab_config_src_pki_dir | default("~/pki") }}/{{ gitlab_config_pki_cert_file }}'
 gitlab_config_pki_cert_dest: '{{ gitlab_config_dest_pki_dir | default("/etc/gitlab/ssl") }}/{{ gitlab_config_pki_cert_file }}'
 
+gitlab_config_backup_program: '{{ gitlab_ver is version("12.1", operator=">") | ternary("gitlab-backup", "gitlab-rake") }}'
+gitlab_config_backup_command: '{{ gitlab_ver is version("12.1", operator=">") | ternary("create", "gitlab:backup:create") }}'
+gitlab_config_backup_restore_command: '{{ gitlab_ver is version("12.1", operator=">") | ternary("restore", "gitlab:backup:restore") }}'
 gitlab_config_backup_use_nfs: '{{ gitlab_config_backup_upload is defined and gitlab_config_backup_upload[":local_root"] is defined }}'
 gitlab_config_backup_dir: "{% if gitlab_config_backup_use_nfs %}{{ gitlab_config_backup_upload[':local_root'] }}{% else %}{{ gitlab_config_backup_path|default('/var/opt/gitlab/backups') }}{% endif %}"
 
-gitlab_config_auto_nightly_backup_config_data_path: "{% if gitlab_config_backup_config_data_path is defined %}{{ gitlab_config_backup_config_data_path }}{% else %}{{ gitlab_config_backup_path | default('/var/opt/gitlab/backups') }}{% endif %}"
+gitlab_config_backup_environment_vars:
+  CRON: 1
+  STRATEGY: '{{ gitlab_config_backup_strategy | default(None) }}'
+  BACKUP: '{{ gitlab_config_backup_timestamp_prefix | default(None) }}'
+  GZIP_RSYNCABLE: '{{ gitlab_config_backup_gzip_rsyncable | default(None) }}'
+  DIRECTORY: '{{ gitlab_config_backup_group_duration | default(None) }}'
+  SKIP: |-
+    {{ (gitlab_config_backup_exclude_directories is defined and gitlab_config_backup_exclude_directories is sequence) | ternary(
+      gitlab_config_backup_exclude_directories | default([]) | join(","),
+      None
+    ) }}
+  GITLAB_BACKUP_MAX_CONCURRENCY: '{{ gitlab_ver is version("13.3", operator="<") | ternary(None, gitlab_config_backup_concurrency) }}'
+  GITLAB_BACKUP_MAX_STORAGE_CONCURRENCY: '{{ gitlab_ver is version("13.3", operator="<") | ternary(None, gitlab_config_backup_storage_concurrency) }}'
+gitlab_config_backup_restore_environment_vars:
+  GITLAB_ASSUME_YES: '{{ gitlab_config_backup_restore_prompt_disable | default(True) | int }}'
+  BACKUP: '{{ gitlab_config_backup_restore_timestamp }}'
+  force: 'yes'
+
+gitlab_config_auto_backup_config_data_path: '{{ gitlab_config_backup_config_data_path | default("/etc/gitlab/config_backup") }}'
+gitlab_config_auto_backup_config_data_permissions: '0600'