bundlewrap/bundles/backup-server/metadata.py

from bundlewrap.exceptions import BundleError

defaults = {
    'backup-server': {
        'my_ssh_port': 22,
    },
    'openssh': {
        'allowed_users': {
            # Usernames for backup clients always start with 'c-'
            'c-*',
        },
    },
    'systemd-timers': {
        'timers': {
            'check_backup_for_node-cron': {
                'command': '/usr/local/share/icinga/plugins/check_backup_for_node-cron',
                'when': '*-*-* *:00/5:00', # every five minutes
            }
        },
    },
    'zfs': {
        # The whole point of doing backups is to keep them for a long
        # time, which eliminates the need for this check.
        'enable_old_snapshots_check': False,
    },
}

@metadata_reactor.provides(
    'backup-server/clients',
    'backup-server/my_hostname',
)
def get_my_clients(metadata):
    my_clients = {}
    retain_defaults = {
        'daily': 14,
        'weekly': 4,
        'monthly': 6,
    }

    for rnode in repo.nodes:
        if not rnode.has_bundle('backup-client') or rnode.metadata.get('backups/exclude_from_backups', False):
            continue

        if node.name != rnode.metadata.get('backup-client/target'):
            continue

        my_clients[rnode.name] = {
            'exclude_from_monitoring': rnode.metadata.get(
                'backup-client/exclude_from_monitoring',
                rnode.metadata.get(
                    'icinga_options/exclude_from_monitoring',
                    False,
                ),
            ),
            'one_backup_every_hours': rnode.metadata.get('backup-client/one_backup_every_hours', 24),
            'user': rnode.metadata.get('backup-client/user-name'),
            'retain': {
                'daily': rnode.metadata.get('backups/retain/daily', retain_defaults['daily']),
                'weekly': rnode.metadata.get('backups/retain/weekly', retain_defaults['weekly']),
                'monthly': rnode.metadata.get('backups/retain/monthly', retain_defaults['monthly']),
            },
        }

    return {
        'backup-server': {
            'clients': my_clients,
            'my_hostname': metadata.get('hostname'),
        },
    }


@metadata_reactor.provides(
    'backup-server/zfs-base',
    'dm-crypt/encrypted-devices',
    'zfs/pools',
)
def zfs_pool(metadata):
    if not metadata.get('backup-server/encrypted-devices', {}):
        return {}

    crypt_devices = {}
    unlock_actions = set()

    devices = metadata.get('backup-server/encrypted-devices')

    # TODO remove this once we have migrated all systems
    if isinstance(devices, dict):
        pool_devices = set()

        for number, (device, passphrase) in enumerate(sorted(devices.items())):
            crypt_devices[device] = {
                'dm-name': f'backup{number}',
                'passphrase': passphrase,
            }
            pool_devices.add(f'/dev/mapper/backup{number}')
            unlock_actions.add(f'action:dm-crypt_open_backup{number}')

        pool_config = [{
            'devices': pool_devices,
        }]

        if len(pool_devices) > 2:
            pool_config[0]['type'] = 'raidz'
        elif len(pool_devices) > 1:
            pool_config[0]['type'] = 'mirror'

    elif isinstance(devices, list):
        pool_config = []

        for idx, intended_pool in enumerate(devices):
            pool_devices = set()

            for number, (device, passphrase) in enumerate(sorted(intended_pool.items())):
                crypt_devices[device] = {
                    'dm-name': f'backup{idx}-{number}',
                    'passphrase': passphrase,
                }
                pool_devices.add(f'/dev/mapper/backup{idx}-{number}')
                unlock_actions.add(f'action:dm-crypt_open_backup{idx}-{number}')

            pool_config.append({
                'devices': pool_devices,
                'type': 'raidz',
            })
    else:
        raise BundleError(f'{node.name}: unsupported configuration for backup-server/encrypted-devices')

    return {
        'backup-server': {
            'zfs-base': 'backups',
        },
        'dm-crypt': {
            'encrypted-devices': crypt_devices,
        },
        'zfs': {
            'pools': {
                'backups': {
                    'when_creating': {
                        'config': pool_config,
                        **metadata.get('backup-server/zpool_create_options', {}),
                    },
                    'needs': unlock_actions,
                    # That's a bit hacky. We do it this way to auto-import
                    # the pool after decrypting the devices. Otherwise
                    # the pool wouldn't exist, which leads to bundlewrap
                    # trying to re-create the pool.
                    # Also, -N to not auto-mount anything.
                    'unless': 'zpool import -N backups',
                },
            },
        }
    }


@metadata_reactor.provides(
    'zfs/datasets',
    'zfs/snapshots/snapshot_never',
)
def zfs_datasets_and_snapshots(metadata):
    zfs_datasets = {}

    for client in metadata.get('backup-server/clients', {}).keys():
        dataset = '{}/{}'.format(metadata.get('backup-server/zfs-base'), client)

        zfs_datasets[dataset] = {
            'mountpoint': '/srv/backups/{}'.format(client),
            'compression': 'on',
        }


    return {
        'zfs': {
            'datasets': zfs_datasets,
            'snapshots': {
                'snapshot_never': {
                    metadata.get('backup-server/zfs-base'),
                },
            },
        },
    }


@metadata_reactor.provides(
    'icinga2_api/backup-server/services',
)
def monitoring(metadata):
    services = {}

    for client, config in metadata.get('backup-server/clients', {}).items():
        if config.get('exclude_from_monitoring', False):
            continue

        services[f'BACKUPS FOR NODE {client}'] = {
            'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_backup_for_node {} {}'.format(
                client,
                config['one_backup_every_hours'],
            ),
            'vars.sshmon_timeout': 40,
        }

    return {
        'icinga2_api': {
            'backup-server': {
                'services': services,
            },
        },
    }
bundles/backup-server: support raid0-ing multiple raidz 2025-02-14 19:32:13 +01:00			`from bundlewrap.exceptions import BundleError`

bundles/openssh: introduce, add to all nodes 2020-11-14 14:35:54 +01:00			`defaults = {`
bundles/backup-{client,server}: use node names, only deploy users to correct backup server 2022-01-04 17:14:55 +01:00			`'backup-server': {`
			`'my_ssh_port': 22,`
			`},`
bundles/openssh: introduce, add to all nodes 2020-11-14 14:35:54 +01:00			`'openssh': {`
			`'allowed_users': {`
			`# Usernames for backup clients always start with 'c-'`
			`'c-*',`
			`},`
			`},`
bundles/backups-server: read backup snapshot info from file instead of asking zfs every time 2025-02-14 21:25:10 +01:00			`'systemd-timers': {`
			`'timers': {`
			`'check_backup_for_node-cron': {`
			`'command': '/usr/local/share/icinga/plugins/check_backup_for_node-cron',`
			`'when': '--* *:00/5:00', # every five minutes`
			`}`
			`},`
			`},`
bundles/backup-server: disable ZFS OLD SNAPSHOTS check 2022-04-06 18:13:23 +02:00			`'zfs': {`
			`# The whole point of doing backups is to keep them for a long`
			`# time, which eliminates the need for this check.`
			`'enable_old_snapshots_check': False,`
			`},`
bundles/openssh: introduce, add to all nodes 2020-11-14 14:35:54 +01:00			`}`

update bw to 4.3, add .provides() to metadata reactors 2021-01-07 18:44:38 +01:00			`@metadata_reactor.provides(`
			`'backup-server/clients',`
bundles/backup-{client,server}: use node names, only deploy users to correct backup server 2022-01-04 17:14:55 +01:00			`'backup-server/my_hostname',`
update bw to 4.3, add .provides() to metadata reactors 2021-01-07 18:44:38 +01:00			`)`
bundles/backup-{client,server}: introduce 2020-11-13 12:36:52 +01:00			`def get_my_clients(metadata):`
			`my_clients = {}`
backups: do backup rotation ourselves instead of relying on zfs-auto-snapshot 2022-01-05 09:53:18 +01:00			`retain_defaults = {`
			`'daily': 14,`
			`'weekly': 4,`
			`'monthly': 6,`
			`}`
bundles/backup-{client,server}: introduce 2020-11-13 12:36:52 +01:00
			`for rnode in repo.nodes:`
bundles/backup-server: of course, we need to ignore hosts which have exclude_from_backups set 2021-01-16 22:22:51 +01:00			`if not rnode.has_bundle('backup-client') or rnode.metadata.get('backups/exclude_from_backups', False):`
bundles/backup-{client,server}: introduce 2020-11-13 12:36:52 +01:00			`continue`

bundles/backup-{client,server}: use node names, only deploy users to correct backup server 2022-01-04 17:14:55 +01:00			`if node.name != rnode.metadata.get('backup-client/target'):`
			`continue`

bundles/backup-{client,server}: introduce 2020-11-13 12:36:52 +01:00			`my_clients[rnode.name] = {`
bundles/backup-client: don't monitor backups for nodes which have exclude_from_monitoring 2024-02-13 14:24:27 +01:00			`'exclude_from_monitoring': rnode.metadata.get(`
			`'backup-client/exclude_from_monitoring',`
			`rnode.metadata.get(`
			`'icinga_options/exclude_from_monitoring',`
			`False,`
			`),`
			`),`
bundles/backup-server: add metadata backup-client/one_backup_every_hours 2022-02-12 19:04:15 +01:00			`'one_backup_every_hours': rnode.metadata.get('backup-client/one_backup_every_hours', 24),`
bundles/backup-client: don't monitor backups for nodes which have exclude_from_monitoring 2024-02-13 14:24:27 +01:00			`'user': rnode.metadata.get('backup-client/user-name'),`
backups: do backup rotation ourselves instead of relying on zfs-auto-snapshot 2022-01-05 09:53:18 +01:00			`'retain': {`
			`'daily': rnode.metadata.get('backups/retain/daily', retain_defaults['daily']),`
			`'weekly': rnode.metadata.get('backups/retain/weekly', retain_defaults['weekly']),`
			`'monthly': rnode.metadata.get('backups/retain/monthly', retain_defaults['monthly']),`
			`},`
bundles/backup-{client,server}: introduce 2020-11-13 12:36:52 +01:00			`}`

			`return {`
			`'backup-server': {`
			`'clients': my_clients,`
bundles/backup-{client,server}: use node names, only deploy users to correct backup server 2022-01-04 17:14:55 +01:00			`'my_hostname': metadata.get('hostname'),`
bundles/backup-{client,server}: introduce 2020-11-13 12:36:52 +01:00			`},`
			`}`


bundles/backup-server: add option for encrypted devices 2022-01-04 15:08:52 +01:00			`@metadata_reactor.provides(`
			`'backup-server/zfs-base',`
			`'dm-crypt/encrypted-devices',`
			`'zfs/pools',`
			`)`
			`def zfs_pool(metadata):`
			`if not metadata.get('backup-server/encrypted-devices', {}):`
			`return {}`

			`crypt_devices = {}`
			`unlock_actions = set()`

bundles/backup-server: support raid0-ing multiple raidz 2025-02-14 19:32:13 +01:00			`devices = metadata.get('backup-server/encrypted-devices')`

			`# TODO remove this once we have migrated all systems`
			`if isinstance(devices, dict):`
			`pool_devices = set()`

			`for number, (device, passphrase) in enumerate(sorted(devices.items())):`
			`crypt_devices[device] = {`
			`'dm-name': f'backup{number}',`
			`'passphrase': passphrase,`
			`}`
			`pool_devices.add(f'/dev/mapper/backup{number}')`
			`unlock_actions.add(f'action:dm-crypt_open_backup{number}')`

			`pool_config = [{`
			`'devices': pool_devices,`
			`}]`

			`if len(pool_devices) > 2:`
			`pool_config[0]['type'] = 'raidz'`
			`elif len(pool_devices) > 1:`
			`pool_config[0]['type'] = 'mirror'`

			`elif isinstance(devices, list):`
			`pool_config = []`

			`for idx, intended_pool in enumerate(devices):`
			`pool_devices = set()`

			`for number, (device, passphrase) in enumerate(sorted(intended_pool.items())):`
			`crypt_devices[device] = {`
			`'dm-name': f'backup{idx}-{number}',`
			`'passphrase': passphrase,`
			`}`
			`pool_devices.add(f'/dev/mapper/backup{idx}-{number}')`
			`unlock_actions.add(f'action:dm-crypt_open_backup{idx}-{number}')`

			`pool_config.append({`
			`'devices': pool_devices,`
			`'type': 'raidz',`
			`})`
			`else:`
			`raise BundleError(f'{node.name}: unsupported configuration for backup-server/encrypted-devices')`
bundles/backup-server: add option for encrypted devices 2022-01-04 15:08:52 +01:00
			`return {`
			`'backup-server': {`
			`'zfs-base': 'backups',`
			`},`
			`'dm-crypt': {`
			`'encrypted-devices': crypt_devices,`
			`},`
			`'zfs': {`
			`'pools': {`
			`'backups': {`
			`'when_creating': {`
bundles/backup-server: support raid0-ing multiple raidz 2025-02-14 19:32:13 +01:00			`'config': pool_config,`
			`**metadata.get('backup-server/zpool_create_options', {}),`
bundles/backup-server: add option for encrypted devices 2022-01-04 15:08:52 +01:00			`},`
			`'needs': unlock_actions,`
bundles/backup-server: auto-import pool after decrypting 2022-01-04 15:24:22 +01:00			`# That's a bit hacky. We do it this way to auto-import`
			`# the pool after decrypting the devices. Otherwise`
			`# the pool wouldn't exist, which leads to bundlewrap`
			`# trying to re-create the pool.`
			`# Also, -N to not auto-mount anything.`
			`'unless': 'zpool import -N backups',`
bundles/backup-server: add option for encrypted devices 2022-01-04 15:08:52 +01:00			`},`
			`},`
			`}`
			`}`


update bw to 4.3, add .provides() to metadata reactors 2021-01-07 18:44:38 +01:00			`@metadata_reactor.provides(`
			`'zfs/datasets',`
backups: do backup rotation ourselves instead of relying on zfs-auto-snapshot 2022-01-05 09:53:18 +01:00			`'zfs/snapshots/snapshot_never',`
update bw to 4.3, add .provides() to metadata reactors 2021-01-07 18:44:38 +01:00			`)`
bundles/backup-server: add option for encrypted devices 2022-01-04 15:08:52 +01:00			`def zfs_datasets_and_snapshots(metadata):`
bundles/backup-{client,server}: introduce 2020-11-13 12:36:52 +01:00			`zfs_datasets = {}`

			`for client in metadata.get('backup-server/clients', {}).keys():`
			`dataset = '{}/{}'.format(metadata.get('backup-server/zfs-base'), client)`

			`zfs_datasets[dataset] = {`
			`'mountpoint': '/srv/backups/{}'.format(client),`
bundles/backup-server: enable compression for backups 2021-06-25 20:04:10 +02:00			`'compression': 'on',`
bundles/backup-{client,server}: introduce 2020-11-13 12:36:52 +01:00			`}`


			`return {`
			`'zfs': {`
			`'datasets': zfs_datasets,`
			`'snapshots': {`
backups: do backup rotation ourselves instead of relying on zfs-auto-snapshot 2022-01-05 09:53:18 +01:00			`'snapshot_never': {`
			`metadata.get('backup-server/zfs-base'),`
			`},`
bundles/backup-{client,server}: introduce 2020-11-13 12:36:52 +01:00			`},`
			`},`
			`}`
bundles/backup-client: add check for last backup of specific client 2022-01-05 22:44:55 +01:00

			`@metadata_reactor.provides(`
			`'icinga2_api/backup-server/services',`
			`)`
			`def monitoring(metadata):`
			`services = {}`

bundles/backup-server: add option to disable "last backup" check 2022-01-05 22:56:23 +01:00			`for client, config in metadata.get('backup-server/clients', {}).items():`
			`if config.get('exclude_from_monitoring', False):`
			`continue`

bundles/backup-client: add check for last backup of specific client 2022-01-05 22:44:55 +01:00			`services[f'BACKUPS FOR NODE {client}'] = {`
bundles/backups-server: read backup snapshot info from file instead of asking zfs every time 2025-02-14 21:25:10 +01:00			`'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_backup_for_node {} {}'.format(`
bundles/backup-server: add metadata backup-client/one_backup_every_hours 2022-02-12 19:04:15 +01:00			`client,`
			`config['one_backup_every_hours'],`
			`),`
bundles/backup-server: more time for monitoring please 2024-09-10 06:14:55 +02:00			`'vars.sshmon_timeout': 40,`
bundles/backup-client: add check for last backup of specific client 2022-01-05 22:44:55 +01:00			`}`

			`return {`
			`'icinga2_api': {`
			`'backup-server': {`
			`'services': services,`
			`},`
			`},`
			`}`