feat(id.tjo.space): change folder structure and initial backup work
This commit is contained in:
parent
713389cdd1
commit
76607ae199
SSH key fingerprint:
SHA256:MNtTsLbihYaWF8j1fkOHfkKNlnN1JQfxEU/rBU8nCGw
15 changed files with 75 additions and 105 deletions
id.tjo.space
configure.shdocker-compose.yml
root
etc
authentik
caddy
containers/systemd
authentik-server.containerauthentik-worker.containercaddy.containermain.networkpostgresql.containervalkey.container
postgresql
systemd/system
tmpfiles.d
usr/local/bin
|
|
@ -21,40 +21,42 @@ else
|
|||
fi
|
||||
|
||||
echo "=== Copy Configuration Files"
|
||||
rsync -a id.tjo.space/containers/ /etc/containers/systemd/
|
||||
rsync -a id.tjo.space/configs/ /etc/
|
||||
rsync -a id.tjo.space/root/ /
|
||||
systemctl daemon-reload
|
||||
|
||||
echo "=== Read Secrets"
|
||||
age -d -i /etc/age/key.txt id.tjo.space/secrets.env.encrypted >id.tjo.space/secrets.env
|
||||
set -a && source id.tjo.space/secrets.env && set +a
|
||||
|
||||
echo "=== Prepare srv directories"
|
||||
mkdir -p /srv/authentik/{media,certs,custom-templates}
|
||||
chown -R 1200:1200 /srv/authentik
|
||||
|
||||
mkdir -p /srv/postgresql/data
|
||||
|
||||
echo "=== Setup Caddy"
|
||||
systemctl restart caddy
|
||||
echo "=== Read Secrets"
|
||||
age -d -i /etc/age/key.txt id.tjo.space/secrets.env.encrypted >id.tjo.space/secrets.env
|
||||
set -a && source id.tjo.space/secrets.env && set +a
|
||||
|
||||
echo "=== Setup Postgresql"
|
||||
echo "=== Prepare Configurations"
|
||||
mkdir -p /etc/postgresql
|
||||
cat <<EOF >/etc/postgresql/secrets.env
|
||||
POSTGRES_PASSWORD=${POSTGRESQL_PASSWORD}
|
||||
EOF
|
||||
systemctl restart postgresql
|
||||
|
||||
echo "=== Setup Valkey"
|
||||
systemctl restart valkey
|
||||
|
||||
echo "=== Setup Authentik Server"
|
||||
mkdir -p /etc/authentik
|
||||
cat <<EOF >/etc/authentik/secrets.env
|
||||
AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
|
||||
AUTHENTIK_EMAIL__PASSWORD=${AUTHENTIK_EMAIL__PASSWORD}
|
||||
AUTHENTIK_POSTGRESQL__PASSWORD=${POSTGRESQL_PASSWORD}
|
||||
EOF
|
||||
|
||||
echo "=== Setup Caddy"
|
||||
systemctl restart caddy
|
||||
|
||||
echo "=== Setup Postgresql"
|
||||
systemctl restart postgresql
|
||||
|
||||
echo "=== Setup Valkey"
|
||||
systemctl restart valkey
|
||||
|
||||
echo "=== Setup Authentik Server"
|
||||
|
||||
systemctl restart authentik-server
|
||||
|
||||
echo "=== Setup Authentik Worker"
|
||||
|
|
|
|||
|
|
@ -1,90 +0,0 @@
|
|||
---
|
||||
|
||||
services:
|
||||
postgresql:
|
||||
image: docker.io/library/postgres:16-alpine
|
||||
restart: unless-stopped
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
|
||||
start_period: 20s
|
||||
interval: 30s
|
||||
retries: 5
|
||||
timeout: 5s
|
||||
volumes:
|
||||
- database:/var/lib/postgresql/data
|
||||
environment:
|
||||
POSTGRES_PASSWORD: ${PG_PASS:?database password required}
|
||||
POSTGRES_USER: ${PG_USER:-authentik}
|
||||
POSTGRES_DB: ${PG_DB:-authentik}
|
||||
env_file:
|
||||
- .env
|
||||
redis:
|
||||
image: docker.io/library/redis:alpine
|
||||
command: --save 60 1 --loglevel warning
|
||||
restart: unless-stopped
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
|
||||
start_period: 20s
|
||||
interval: 30s
|
||||
retries: 5
|
||||
timeout: 3s
|
||||
volumes:
|
||||
- redis:/data
|
||||
server:
|
||||
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2.1}
|
||||
restart: unless-stopped
|
||||
command: server
|
||||
environment:
|
||||
AUTHENTIK_REDIS__HOST: redis
|
||||
AUTHENTIK_POSTGRESQL__HOST: postgresql
|
||||
AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
|
||||
AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
|
||||
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
|
||||
volumes:
|
||||
- ./media:/media
|
||||
- ./custom-templates:/templates
|
||||
env_file:
|
||||
- .env
|
||||
ports:
|
||||
- "${COMPOSE_PORT_HTTP:-9000}:9000"
|
||||
- "${COMPOSE_PORT_HTTPS:-9443}:9443"
|
||||
depends_on:
|
||||
postgresql:
|
||||
condition: service_healthy
|
||||
redis:
|
||||
condition: service_healthy
|
||||
worker:
|
||||
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2.1}
|
||||
restart: unless-stopped
|
||||
command: worker
|
||||
environment:
|
||||
AUTHENTIK_REDIS__HOST: redis
|
||||
AUTHENTIK_POSTGRESQL__HOST: postgresql
|
||||
AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
|
||||
AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
|
||||
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
|
||||
# `user: root` and the docker socket volume are optional.
|
||||
# See more for the docker socket integration here:
|
||||
# https://goauthentik.io/docs/outposts/integrations/docker
|
||||
# Removing `user: root` also prevents the worker from fixing the permissions
|
||||
# on the mounted folders, so when removing this make sure the folders have the correct UID/GID
|
||||
# (1000:1000 by default)
|
||||
user: root
|
||||
volumes:
|
||||
- /var/run/docker.sock:/var/run/docker.sock
|
||||
- ./media:/media
|
||||
- ./certs:/certs
|
||||
- ./custom-templates:/templates
|
||||
env_file:
|
||||
- .env
|
||||
depends_on:
|
||||
postgresql:
|
||||
condition: service_healthy
|
||||
redis:
|
||||
condition: service_healthy
|
||||
|
||||
volumes:
|
||||
database:
|
||||
driver: local
|
||||
redis:
|
||||
driver: local
|
||||
2
id.tjo.space/root/etc/postgresql/postgresql.env
Normal file
2
id.tjo.space/root/etc/postgresql/postgresql.env
Normal file
|
|
@ -0,0 +1,2 @@
|
|||
POSTGRES_USER=id.tjo.space
|
||||
POSTGRES_DB=id.tjo.space
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
[Unit]
|
||||
Description=Backup PostgreSQL databases
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/usr/local/bin/postgresql-backup.sh
|
||||
EnvironmentFile=/etc/postgresql/secrets.env
|
||||
EnvironmentFile=/etc/postgresql/postgresql.env
|
||||
Environment=BACKUP_DIR=/srv/postgresql/backups
|
||||
11
id.tjo.space/root/etc/systemd/system/postgresql-backup.timer
Normal file
11
id.tjo.space/root/etc/systemd/system/postgresql-backup.timer
Normal file
|
|
@ -0,0 +1,11 @@
|
|||
[Unit]
|
||||
Description=Backup PostgreSQL databases daily
|
||||
|
||||
[Timer]
|
||||
OnCalendar=daily
|
||||
AccuracySec=1h
|
||||
Persistent=true
|
||||
RandomizedDelaySec=100min
|
||||
|
||||
[Install]
|
||||
WantedBy=timers.target
|
||||
1
id.tjo.space/root/etc/tmpfiles.d/postgresql-backup.conf
Normal file
1
id.tjo.space/root/etc/tmpfiles.d/postgresql-backup.conf
Normal file
|
|
@ -0,0 +1 @@
|
|||
d /srv/postgresql/backups 0750 root root 10d -
|
||||
35
id.tjo.space/root/usr/local/bin/postgresql-backup.sh
Executable file
35
id.tjo.space/root/usr/local/bin/postgresql-backup.sh
Executable file
|
|
@ -0,0 +1,35 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
[ -z "${POSTGRES_USER}" ] && { echo "=> POSTGRES_USER cannot be empty" && exit 1; }
|
||||
[ -z "${POSTGRES_PASSWORD}" ] && { echo "=> POSTGRES_PASSWORD cannot be empty" && exit 1; }
|
||||
[ -z "${GZIP_LEVEL}" ] && { GZIP_LEVEL=6; }
|
||||
|
||||
DATE=$(date +%Y%m%d%H%M)
|
||||
echo "=> Backup started at $(date "+%Y-%m-%d %H:%M:%S")"
|
||||
|
||||
export PGHOST=${POSTGRES_HOST}
|
||||
export PGPORT=${POSTGRES_PORT}
|
||||
export PGUSER=${POSTGRES_USER}
|
||||
export PGPASSWORD=${POSTGRES_PASSWORD}
|
||||
|
||||
DATABASES=${POSTGRES_DATABASE:-${POSTGRES_DB:-$(psql "${POSTGRES_SSL_OPTS}" -t -c "SELECT datname FROM pg_database;")}}
|
||||
|
||||
for db in ${DATABASES}; do
|
||||
if [[ "$db" != "template1" ]] &&
|
||||
[[ "$db" != "template0" ]]; then
|
||||
|
||||
echo "==> Dumping database: $db"
|
||||
|
||||
FILENAME=${BACKUP_DIR}/$DATE.$db.sql
|
||||
|
||||
if pg_dump ${POSTGRESDUMP_OPTS} "${db}" >"${FILENAME}"; then
|
||||
if [ -z "${USE_PLAIN_SQL}" ]; then
|
||||
echo "==> Compressing $db with LEVEL $GZIP_LEVEL"
|
||||
gzip "-$GZIP_LEVEL" -f "$FILENAME"
|
||||
fi
|
||||
else
|
||||
rm -rf "$FILENAME"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
echo "=> Backup process finished at $(date "+%Y-%m-%d %H:%M:%S")"
|
||||
Loading…
Reference in a new issue