migrate vaultwarden to seperate db

2025-02-07 22:54:23 +00:00 · 2025-02-07 22:54:23 +00:00 · 8e623cddd2
commit 8e623cddd2
parent 8819180c25
2 changed files with 82 additions and 5 deletions
--- a/jobs/services/vaultwarden-backup.hcl
+++ b/jobs/services/vaultwarden-backup.hcl
@ -0,0 +1,50 @@
+job "vaultwarden-backup" {
+  datacenters = ["aperture"]
+  type        = "batch"
+
+  periodic {
+    crons            = ["0 */3 * * * *"]
+    prohibit_overlap = true
+  }
+
+  group "db-backup" {
+    task "postgres-backup" {
+      driver = "raw_exec"
+
+      config {
+        command = "/bin/bash"
+        args    = ["local/script.sh"]
+      }
+
+      template {
+        data        = <<EOH
+#!/bin/bash
+
+file=/storage/backups/nomad/vaultwarden/postgresql-vaultwarden-$(date +%Y-%m-%d_%H-%M-%S).sql
+
+mkdir -p /storage/backups/nomad/vaultwarden
+
+alloc_id=$(nomad job status vaultwarden | grep running | tail -n 1 | cut -d " " -f 1)
+
+job_name=$(echo ${NOMAD_JOB_NAME} | cut -d "/" -f 1)
+
+nomad alloc exec -task db $alloc_id pg_dumpall -U {{ key "vaultwarden/db/user" }} > "${file}"
+
+find /storage/backups/nomad/vaultwarden/postgresql-vaultwarden* -ctime +3 -exec rm {} \; || true
+
+if [ -s "$file" ]; then # check if file exists and is not empty
+  echo "Backup successful"
+  exit 0
+else
+  rm $file
+  curl -H "Content-Type: application/json" -d \
+  '{"content": "<@&585512338728419341> `PostgreSQL` backup for **'"${job_name}"'** has just **FAILED**\nFile name: `'"$file"'`\nDate: `'"$(TZ=Europe/Dublin date)"'`\nTurn off this script with `nomad job stop '"${job_name}"'` \n\n## Remember to restart this backup job when fixed!!!"}' \
+  {{ key "postgres/webhook/discord" }}
+fi
+EOH
+        destination = "local/script.sh"
+      }
+    }
+  }
+}
+
--- a/jobs/services/vaultwarden.hcl
+++ b/jobs/services/vaultwarden.hcl
@ -9,6 +9,9 @@ job "vaultwarden" {
      port "http" {
        to = 80
      }
+      port "db" {
+        to = 5432
+      }
    }

    service {
@ -31,14 +34,15 @@ job "vaultwarden" {
        ports = ["http"]

        volumes = [
-          "/storage/nomad/vaultwarden:/data"
+          "/storage/nomad/${NOMAD_JOB_NAME}:/data",
+          "/etc/localtime:/etc/localtime:ro"
        ]
      }

      template {
        data = <<EOF
 DOMAIN=https://vault.redbrick.dcu.ie
-DATABASE_URL=postgresql://{{ key "vaultwarden/db/user" }}:{{ key "vaultwarden/db/password" }}@postgres.service.consul:5432/{{ key "vaultwarden/db/name" }}
+DATABASE_URL=postgresql://{{ key "vaultwarden/db/user" }}:{{ key "vaultwarden/db/password" }}@{{ env "NOMAD_ADDR_db" }}/{{ key "vaultwarden/db/name" }}
 SIGNUPS_ALLOWED=false
 INVITATIONS_ALLOWED=true

@ -55,14 +59,37 @@ EOF
        destination = "local/env"
        env         = true
      }
-# These yubico variables are not necessary for yubikey support, only to verify the keys with yubico.
-#YUBICO_CLIENT_ID={{ key "vaultwarden/yubico/client_id" }}
-#YUBICO_SECRET_KEY={{ key "vaultwarden/yubico/secret_key" }}
+      # These yubico variables are not necessary for yubikey support, only to verify the keys with yubico.
+      #YUBICO_CLIENT_ID={{ key "vaultwarden/yubico/client_id" }}
+      #YUBICO_SECRET_KEY={{ key "vaultwarden/yubico/secret_key" }}

      resources {
        cpu    = 500
        memory = 500
      }
    }
+
+    task "db" {
+      driver = "docker"
+
+      config {
+        image = "postgres:17-alpine"
+        ports = ["db"]
+
+        volumes = [
+          "/storage/nomad/${NOMAD_JOB_NAME}/${NOMAD_TASK_NAME}:/var/lib/postgresql/data",
+        ]
+      }
+
+      template {
+        data        = <<EOH
+POSTGRES_PASSWORD={{ key "vaultwarden/db/password" }}
+POSTGRES_USER={{ key "vaultwarden/db/user" }}
+POSTGRES_NAME={{ key "vaultwarden/db/name" }}
+EOH
+        destination = "local/db.env"
+        env         = true
+      }
+    }
  }
 }