diff --git a/defaults/main.yml b/defaults/main.yml
index b670066..3ca1cb3 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,2 +1,8 @@
 ---
 vault_listener_address: 0.0.0.0
+# vault backup variable
+vault_snapshot: false
+vault_backup_location: /tmp
+vault_cron_hour: 1
+vault_roleID: ''
+vault_secretID: ''
diff --git a/files/daily/2023-08-27.snap b/files/daily/2023-08-27.snap
new file mode 100644
index 0000000..3f45ca4
Binary files /dev/null and b/files/daily/2023-08-27.snap differ
diff --git a/files/vault-backup.sh b/files/vault-backup.sh
new file mode 100755
index 0000000..e7e0fba
--- /dev/null
+++ b/files/vault-backup.sh
@@ -0,0 +1,31 @@
+export PATH_SNAPSHOT=$1
+export PATH_DIR="daily"
+export PATH_BACKUP=$PATH_SNAPSHOT"/"$PATH_DIR
+export VAULT_APPROLEID=$2
+export VAULT_SECRETID=$3
+export RETENTION=30
+export ENV="0" # (0 = staging, 1 = production)
+export SNAPSHOT_FILE=$(date +%Y-%m-%d)
+
+
+create_snapshot_folder(){
+ mkdir -p $PATH_BACKUP
+}
+
+run_snapshot() {
+ VAULT_TOKEN=$(/usr/bin/vault write -field=token auth/approle/login role_id=$VAULT_APPROLEID secret_id=$VAULT_SECRETID)
+ /usr/bin/vault operator raft snapshot save $PATH_BACKUP/$SNAPSHOT_FILE.snap
+}
+
+retention() {
+find $PATH_BACKUP -name "*.snap" -mtime +${RETENTION} -print -exec rm {} \;
+}
+
+main() {
+ create_snapshot_folder
+ run_snapshot
+ retention
+}
+
+### START HERE ###
+main $@
diff --git a/tasks/main.yml b/tasks/main.yml
index 1ea17e7..22662e0 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -57,3 +57,20 @@
 name: '{{ vault_os_service }}'
 state: started
 enabled: true
+
+- name: configure backup
+ block:
+ - name: copy backup script
+ copy:
+ dest: "/opt/vault/vault-backup.sh"
+ mode: 0744
+ owner: vault
+ src: vault-backup.sh
+ - name: vault snaphot cron.d
+ cron:
+ name: vault backup
+ user: vault
+ state: present
+ job: "/opt/vault/vault-backup.sh {{ vault_backup_location }} {{vault_roleID}} {{vault_secretID}}"
+ hour: "{{vault_cron_hour}}"
+ when: vault_snapshot
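Review bot: `vault_roleID` and `vault_secretID` default to empty strings with no comment saying they must be supplied from an encrypted source (ansible-vault or an external lookup), and `vault_backup_location: /tmp` means Raft snapshots, which are a copy of the whole storage backend, land in a world-writable directory that tmpfiles cleaners may purge long before the script's 30-day retention elapses. A role-owned path such as `/var/lib/vault/backups` would be a safer default, and the comment above the block should state that the location must be persistent and access-restricted. The two credential keys also break the file's snake_case convention seen in `vault_listener_address`; `vault_role_id` / `vault_secret_id` would match, with the matching change in tasks/main.yml. `# vault backup variable` should read `# vault backup variables`.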
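Review bot: `files/daily/2023-08-27.snap` is a binary that, by its name and location, looks like a Raft snapshot produced by running the new script with the role's `files` directory as the backup path; a Raft snapshot is a copy of the Vault storage backend and must not be committed to the repository. Drop it from the commit and add `files/daily/` to the ignore list; if it came from anything other than a throwaway test Vault, assume the snapshot contents are now in the history of every clone and rotate accordingly.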
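Review bot: In run_snapshot the AppRole token is kept in a plain shell variable that is never exported, so the `vault operator raft snapshot save` call on the next line does not receive it and falls back to whatever token the CLI finds in the environment or token helper; scope it to the one command, `VAULT_TOKEN="$token" /usr/bin/vault operator raft snapshot save "$PATH_BACKUP/$SNAPSHOT_FILE.snap"`. The role_id and secret_id arrive as argv, which every local user can read through `ps` and `/proc` while the login runs; reading them from a vault-owned 0600 file would keep them off the process list. There is no shebang and no `set -euo pipefail`, so a failed login or save still lets retention() delete the older snapshots, an empty `$1` makes the find run against `/daily`, and `main $@` should be `main "$@"`. Because the snapshot is the full storage backend, a `umask 077` before the save keeps the file owner-only regardless of cron's umask. `ENV` is exported but never read.
```shell
#!/usr/bin/env bash
set -euo pipefail
umask 077  # the snapshot is the whole storage backend; keep it owner-only

export PATH_SNAPSHOT="${1:?usage: $0 <backup_dir> <role_id> <secret_id>}"
# … unchanged: PATH_DIR, PATH_BACKUP, VAULT_APPROLEID, VAULT_SECRETID, RETENTION, SNAPSHOT_FILE …

run_snapshot() {
  local token
  token="$(/usr/bin/vault write -field=token auth/approle/login \
    role_id="$VAULT_APPROLEID" secret_id="$VAULT_SECRETID")"
  # pass the token to this one command instead of leaving it in an unexported variable
  VAULT_TOKEN="$token" /usr/bin/vault operator raft snapshot save "$PATH_BACKUP/$SNAPSHOT_FILE.snap"
}

retention() {
  find "$PATH_BACKUP" -name '*.snap' -mtime "+${RETENTION}" -print -exec rm -- {} \;
}

# … unchanged: create_snapshot_folder, main …
main "$@"
```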
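Review bot: The cron task sets `hour` but not `minute`, and the cron module's minute default is `*`, so the job runs every minute from 01:00 to 01:59, taking sixty snapshots and performing sixty AppRole logins a night; add `minute: "0"`. The `job:` line places the secret_id in the crontab and, with no `no_log` on the task, in Ansible's task output and any callback log, so at least add `no_log: true` to the cron task, and prefer handing the credentials to the script through a vault-owned 0600 file rather than arguments. `mode: 0744` is an unquoted octal and should be `mode: "0744"`; the Jinja spacing is inconsistent (`{{ vault_backup_location }}` next to `{{vault_roleID}}`), and the task name has a typo, `snaphot`.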