Puppet Class: mediabackup::worker
- Defined in:
- modules/mediabackup/manifests/worker.pp
Overview
SPDX-License-Identifier: Apache-2.0 Media backups worker: Install required packages and configures them.
-
sections: hash containing as keys the MediaWiki sections (as they appear on
dblists to backup) and as value, another hash with the host, the port, and optionally, a dblist file name containing the list of wikis -
mw_db_user: user used to authenticate to the mediawiki database (neads only
SELECT grants on the image, oldimage and filearchive tables) -
mw_db_password: password used to authenticate to the mediawiki database
-
dblists_path: Absolute path of where the dblists can be found.
-
mw_db_config_file: Absolute path of where the config file for database
connection to MediaWiki production dbs will be stored -
batchsize: maximum number of rows (files) of metadata to be read into memory and
processed for both mw metadata and backups metadata -
db_config_file: Absolute path of where the config file for database
connection to the mediabackup db will be stored -
db_host: fqdn of the database used to write the media backups metadata backend
-
db_port: port of such database
-
db_user: user used to authenticate to the database (needs read/write grants)
-
db_password: password used to authenticate to the database
-
db_schema: name of the database inside the server where the data is read
from and written to -
storage_hosts: list of hosts where the file backend runs, where the files
will be finally stored -
storage_port: Port where all storage nodes will be listening to (it may
change in the future to a per-host configuration (socket) to allow for multiplexing with multiple services per host -
encryption_key: String used for encryption and decryption of private files
Can be an age secret key or an ssh file -
storage_root_user: identifier to authenticate on the s3-compatible api for
the admin account (all privileges) -
storage_root_password: password to authenticate on the s3-compatible api for
the admin user -
access_key: identifier to authenticate on the s3-compatible api to store
the backup files (it has both read and write ) -
secret_key: password to authenticate on the s3-compatible api for backing
up files -
recovery_access_key: identifier to authenticate on the s3-compatible api to
restore the backup files (only has read and list permissions) -
recovery_secret_key: password to authenticate on the s3-compatible api
for recovering files
43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 |
# File 'modules/mediabackup/manifests/worker.pp', line 43
class mediabackup::worker (
Hash[String, Hash[String, Any]] $sections,
String $mw_db_user,
String $mw_db_password,
Stdlib::Unixpath $dblists_path,
Stdlib::Unixpath $mw_db_config_file,
Integer[1] $batchsize,
Stdlib::Unixpath $db_config_file,
Stdlib::Fqdn $db_host,
Stdlib::Port $db_port,
String $db_user,
String $db_password,
Array[Stdlib::Fqdn] $storage_hosts,
Stdlib::Port $storage_port,
String $encryption_key,
String $storage_root_user,
String $storage_root_password,
String $access_key,
String $secret_key,
String $recovery_access_key,
String $recovery_secret_key,
String $db_schema = 'mediabackups',
) {
ensure_packages([
'mediabackups',
'rclone',
's3cmd', # optional, but useful s3 command line util
])
# user and group so we don't run anything as a privileged user
systemd::sysuser { 'mediabackup':
home_dir => '/srv/mediabackup',
}
# location of temporary storage to download and hash files before
# sending it to its final location
file { '/srv/mediabackup':
ensure => directory,
mode => '0750',
owner => 'mediabackup',
group => 'mediabackup',
}
# backup execution configuration dir (including secrets)
file { '/etc/mediabackup':
ensure => directory,
mode => '0400',
owner => 'mediabackup',
group => 'mediabackup',
}
$mw_db_ssl_ca = '/etc/ssl/certs/wmf-ca-certificates.crt'
# list of backup source dbs to read mediawiki image metadata
file { '/etc/mediabackup/mw_db.conf':
ensure => present,
mode => '0400',
owner => 'mediabackup',
group => 'mediabackup',
content => template('mediabackup/mw_db.conf.erb'),
require => File['/etc/mediabackup'],
}
# private data (password) and mysql connection settings
# (minus host and port)
file { $mw_db_config_file:
ensure => present,
mode => '0400',
owner => 'mediabackup',
group => 'mediabackup',
content => template('mediabackup/mw_db.ini.erb'),
show_diff => false,
require => File['/etc/mediabackup'],
}
$db_ssl_ca = '/etc/ssl/certs/wmf-ca-certificates.crt'
# general config for the access to a rw db to write and coordinate
# backup metadata
file { '/etc/mediabackup/mediabackups_db.conf':
ensure => present,
mode => '0400',
owner => 'mediabackup',
group => 'mediabackup',
content => template('mediabackup/mediabackups_db.conf.erb'),
require => File['/etc/mediabackup'],
}
# private data (password) and mysql connection settings
file { '/etc/mediabackup/mediabackups_db.ini':
ensure => present,
mode => '0400',
owner => 'mediabackup',
group => 'mediabackup',
content => template('mediabackup/mediabackups_db.ini.erb'),
show_diff => false,
require => File['/etc/mediabackup'],
}
$tmpdir = '/srv/mediabackup'
# configuration and credentials to access final storage (S3-compatible
# cluster on the same dc) for writing (backup generation)
file { '/etc/mediabackup/mediabackups_storage.conf':
ensure => present,
mode => '0400',
owner => 'mediabackup',
group => 'mediabackup',
content => template('mediabackup/mediabackups_storage.conf.erb'),
show_diff => false,
require => [ File['/etc/mediabackup'], File['/srv/mediabackup'], ],
}
# identity file used for encryption with age
file { '/etc/mediabackup/encryption.key':
ensure => present,
mode => '0400',
owner => 'mediabackup',
group => 'mediabackup',
content => $encryption_key,
show_diff => false,
}
# extra read-only policy for the recovery account
file { '/etc/mediabackup/readandlist.json':
ensure => present,
owner => 'mediabackup',
group => 'mediabackup',
mode => '0444',
source => 'puppet:///modules/mediabackup/readandlist.json',
}
# extra read and deletion policy for the deletion account
# Temporarily applied to the read only account until a separate
# account is created for it.
file { '/etc/mediabackup/readlistanddelete.json':
ensure => present,
owner => 'mediabackup',
group => 'mediabackup',
mode => '0444',
source => 'puppet:///modules/mediabackup/readlistanddelete.json',
}
# configuration and credentials to access final storage (S3-compatible
# cluster on the same dc) for reading and listing (backup recovery)
file { '/etc/mediabackup/mediabackups_recovery.conf':
ensure => present,
mode => '0400',
owner => 'mediabackup',
group => 'mediabackup',
content => template('mediabackup/mediabackups_recovery.conf.erb'),
show_diff => false,
require => [
File['/etc/mediabackup'],
File['/srv/mediabackup'],
File['/etc/mediabackup/readandlist.json'],
],
}
# setup mc client server aliases for admin convenience
file { '/root/.mc':
ensure => directory,
owner => 'root',
group => 'root',
mode => '0750',
}
file { '/root/.mc/config.json':
ensure => present,
owner => 'root',
group => 'root',
mode => '0750',
show_diff => false,
content => template('mediabackup/mc_config.json.erb'),
}
git::clone { 'operations/mediawiki-config':
ensure => present,
directory => '/srv/mediawiki-config',
owner => 'mediabackup',
group => 'mediabackup',
}
}
|