October 6, 2024
1. Install packages
apt install postgresql postgresql-16-postgis-3
Quickly generate a long random password (use it for the &lt;PASSWORD&gt; placeholders below):
openssl rand -base64 32
2. Set up main password
sudo -u postgres psql template1
ALTER USER postgres with encrypted password '<PASSWORD>';
3. Set up SSL (create keys with Certbot, see NGINX guide)
> nano ./psql_rotate_certs.sh
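#!/bin/bash
# Copy the current Let's Encrypt certificate and key into the PostgreSQL
# cluster's config directory (owned by postgres, mode 0600, which PostgreSQL
# requires for ssl_key_file) and reload the cluster so the renewed certificate
# is actually served. Meant to run as root, e.g. as a certbot --post-hook.
#
# Overridable via environment: CERT_DOMAIN (default db.example.com),
# PG_VERSION (default 16), PG_CLUSTER (default main).
set -euo pipefail

cert_domain=${CERT_DOMAIN:-db.example.com}
pg_version=${PG_VERSION:-16}
pg_cluster=${PG_CLUSTER:-main}
src_dir="/etc/letsencrypt/live/${cert_domain}"
dst_dir="/etc/postgresql/${pg_version}/${pg_cluster}"

for name in fullchain.pem privkey.pem; do
  # install copies the file and sets owner and mode in one step; with set -e a
  # missing source (e.g. wrong domain) aborts before the reload below.
  install -m 600 -o postgres -g postgres -- "${src_dir}/${name}" "${dst_dir}/${name}"
done

# PostgreSQL re-reads ssl_cert_file/ssl_key_file only on reload or restart;
# without this step the renewed certificate sits unused until the next restart.
# pg_ctlcluster targets the cluster directly rather than the umbrella
# "postgresql" unit, which on Debian/Ubuntu does not forward a reload.
pg_ctlcluster "${pg_version}" "${pg_cluster}" reload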
chmod +x ./psql_rotate_certs.sh
./psql_rotate_certs.sh
> crontab -e
00 08 * * * certbot renew --post-hook /path/to/psql_rotate_certs.sh --quiet
4. Update configs
> nano /etc/postgresql/16/main/postgresql.conf
listen_addresses = '*'
ssl = on
ssl_cert_file = '/etc/postgresql/16/main/fullchain.pem'
ssl_key_file = '/etc/postgresql/16/main/privkey.pem'
> nano /etc/postgresql/16/main/pg_hba.conf
hostssl all all 0.0.0.0/0 scram-sha-256
5. Start PostgreSQL
ufw allow postgresql
systemctl restart postgresql
6. Create first User/DB
> sudo -u postgres psql
-- Create the application database and a dedicated role that owns it.
-- NOTE: PostgreSQL folds unquoted identifiers to lower case, so dbName/userName
-- are stored as dbname/username; use that spelling (or the double-quoted form)
-- consistently, including as the database argument to psql, which is case-sensitive.
CREATE DATABASE dbName;
CREATE USER userName WITH ENCRYPTED PASSWORD '<PASSWORD>';
-- The owner already holds all privileges on the database; the GRANT below is
-- kept for explicitness.
ALTER DATABASE dbName OWNER TO userName;
GRANT ALL ON DATABASE dbName TO userName;
Restoring backups:
> sudo -u postgres psql dbName < dump.sql
> sudo -u postgres psql
-- Switch to the restored database and grant the application role access to
-- the tables the restore created.
\c dbName;
-- NOTE(review): this covers only tables that exist right now; tables created
-- later need their own GRANT (or ALTER DEFAULT PRIVILEGES) -- confirm that is
-- the intended scope.
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO userName;
7. Manual backups/restore
Dump DB:
pg_dump -F t dbName > dbName.tar
Restore DB:
pg_restore -d dbName dbName.tar
Dump all:
pg_dumpall > all_pg_dbs.sql
Restore all:
psql -f all_pg_dbs.sql postgres
8. Automated backups (optional)
> nano ./pg_backup.sh
#!/bin/bash
###########################
####### LOAD CONFIG #######
###########################
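# Usage: pg_backup.sh [-c /path/to/pg_backup.config]
# The config file is *sourced*, i.e. executed as shell code, so it must not be
# writable by anyone other than the user running this script.
while [ $# -gt 0 ]; do
  case "$1" in
    -c)
      # "shift 2" on a bare "-c" would fail; report it instead.
      if [ $# -lt 2 ]; then
        echo "Option -c requires a path argument" 1>&2
        exit 2
      fi
      CONFIG_FILE_PATH="$2"
      shift 2
      ;;
    *)
      # The original used an undefined ${ECHO} here, which made this branch
      # fail with "command not found" instead of printing the message.
      echo "Unknown Option \"$1\"" 1>&2
      exit 2
      ;;
  esac
done
# Default: pg_backup.config next to this script. dirname also handles a bare
# "pg_backup.sh" invocation, where ${0%/*} would not strip anything and the cd
# would fail.
if [ -z "${CONFIG_FILE_PATH}" ]; then
  SCRIPTPATH=$(cd "$(dirname "$0")" && pwd -P)
  CONFIG_FILE_PATH="${SCRIPTPATH}/pg_backup.config"
fi
if [ ! -r "${CONFIG_FILE_PATH}" ]; then
  echo "Could not load config file from ${CONFIG_FILE_PATH}" 1>&2
  exit 1
fi
# shellcheck source=/dev/null
source "${CONFIG_FILE_PATH}"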
###########################
#### PRE-BACKUP CHECKS ####
###########################
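# Make sure we're running as the required backup user; the check is skipped when
# BACKUP_USER is empty. Two [ ] tests joined with && replace the deprecated
# and ambiguous "-a" operator.
if [ -n "$BACKUP_USER" ] && [ "$(id -un)" != "$BACKUP_USER" ]; then
  echo "This script must be run as $BACKUP_USER. Exiting." 1>&2
  exit 1
fi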
###########################
### INITIALISE DEFAULTS ###
###########################
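# Fill in defaults for anything the config file left empty or unset.
# ${VAR:-default} is the quoted, whitespace-safe form of the original
# "[ ! $VAR ]" tests, which broke on values containing spaces.
#
# Note: bash pre-sets HOSTNAME to the machine's name, so the "localhost"
# default only applies when the config file explicitly sets HOSTNAME= (empty).
HOSTNAME=${HOSTNAME:-localhost}
if [ -n "$PORT" ]; then
  export PGPORT="$PORT"
fi
USERNAME=${USERNAME:-postgres}
# PGPASSWORD is inherited by every child process of this script. A ~/.pgpass
# file (mode 0600) for the backup user keeps the secret out of the environment
# and out of the config file; leave PASSWORD empty to use it.
if [ -n "$PASSWORD" ]; then
  export PGPASSWORD="$PASSWORD"
fi
DAY_OF_WEEK_TO_KEEP=${DAY_OF_WEEK_TO_KEEP:-5}
DAYS_TO_KEEP=${DAYS_TO_KEEP:-7}
WEEKS_TO_KEEP=${WEEKS_TO_KEEP:-5}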
###########################
#### START THE BACKUPS ####
###########################
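#######################################
# Pipe a dump command through gzip into "<target>.in_progress" and rename it to
# <target> only if every pipeline stage succeeded, so a partial file is never
# mistaken for a complete backup.
# Arguments: $1 - final .gz file path; $2.. - dump command and its arguments
# Returns:   0 on success; the pipeline's status otherwise (the .in_progress
#            file is left in place for inspection, as before)
#######################################
_gzip_dump() {
  local target=$1 rc=0
  shift
  set -o pipefail
  "$@" | gzip > "${target}.in_progress" || rc=$?
  set +o pipefail
  [ "$rc" -eq 0 ] || return "$rc"
  mv -- "${target}.in_progress" "$target"
}

#######################################
# Write a custom-format dump to "<target>.in_progress" and rename it on success.
# Arguments: $1 - final .custom file path; $2 - database name
# Globals:   HOSTNAME, USERNAME (read)
# Returns:   pg_dump's status on failure, 0 otherwise
#######################################
_custom_dump() {
  local target=$1 db=$2
  pg_dump -Fc -h "$HOSTNAME" -U "$USERNAME" "$db" -f "${target}.in_progress" || return
  mv -- "${target}.in_progress" "$target"
}

#######################################
# Print the database names selected by a query, one per line.
# Arguments: $1 - SQL returning a single datname column
# Globals:   HOSTNAME, USERNAME (read)
# Returns:   psql's exit status
#######################################
_list_databases() {
  psql -h "$HOSTNAME" -U "$USERNAME" -At -c "$1" postgres
}

#######################################
# Dump cluster globals, schema-only databases and full databases into one
# dated directory "${BACKUP_DIR}<date><suffix>/".
# Globals:   BACKUP_DIR, HOSTNAME, USERNAME, SCHEMA_ONLY_LIST,
#            ENABLE_GLOBALS_BACKUPS, ENABLE_PLAIN_BACKUPS,
#            ENABLE_CUSTOM_BACKUPS (read)
# Arguments: $1 - suffix appended to the directory name ("-daily", ...)
# Outputs:   progress on stdout; every failure on stderr
# Returns:   exits 1 if the backup directory cannot be created; returns 1 if
#            the database list cannot be fetched; individual dump failures are
#            reported and the remaining dumps still run
#######################################
perform_backups() {
  local suffix=$1
  local final_backup_dir pattern db db_list
  local schema_only_clause="" exclude_schema_only_clause=""
  local -a dbs=()
  final_backup_dir="${BACKUP_DIR}$(date +%Y-%m-%d)${suffix}/"

  echo "Making backup directory in $final_backup_dir"
  # Directory and file modes follow the caller's umask. The globals dump holds
  # role password hashes, so the backup tree should not be world-readable.
  if ! mkdir -p -- "$final_backup_dir"; then
    echo "Cannot create backup directory in $final_backup_dir. Go and fix it!" 1>&2
    exit 1
  fi

  #######################
  ### GLOBALS BACKUPS ###
  #######################
  printf '\n\nPerforming globals backup\n'
  printf '%s\n\n' "--------------------------------------------"
  if [ "$ENABLE_GLOBALS_BACKUPS" = "yes" ]; then
    echo "Globals backup"
    if ! _gzip_dump "${final_backup_dir}globals.sql.gz" \
        pg_dumpall -g -h "$HOSTNAME" -U "$USERNAME"; then
      echo "[!!ERROR!!] Failed to produce globals backup" 1>&2
    fi
  else
    echo "None"
  fi

  ###########################
  ### SCHEMA-ONLY BACKUPS ###
  ###########################
  # SCHEMA_ONLY_LIST is comma- or space-separated; word splitting is intended.
  # The patterns are interpolated into SQL; they come from the config file (not
  # user input), but a pattern containing a single quote would break the query.
  # shellcheck disable=SC2086
  for pattern in ${SCHEMA_ONLY_LIST//,/ }; do
    schema_only_clause="$schema_only_clause or datname ~ '$pattern'"
    exclude_schema_only_clause="$exclude_schema_only_clause and datname !~ '$pattern'"
  done
  printf '\n\nPerforming schema-only backups\n'
  printf '%s\n\n' "--------------------------------------------"
  # "where false ..." yields no rows when the clause is empty.
  if ! db_list=$(_list_databases "select datname from pg_database where false $schema_only_clause order by datname;"); then
    echo "[!!ERROR!!] Could not list databases for schema-only backup" 1>&2
    return 1
  fi
  printf 'The following databases were matched for schema-only backup:\n%s\n\n' "$db_list"
  dbs=()
  [ -z "$db_list" ] || mapfile -t dbs <<<"$db_list"
  for db in "${dbs[@]}"; do
    echo "Schema-only backup of $db"
    if ! _gzip_dump "${final_backup_dir}${db}_SCHEMA.sql.gz" \
        pg_dump -Fp -s -h "$HOSTNAME" -U "$USERNAME" "$db"; then
      echo "[!!ERROR!!] Failed to backup database schema of $db" 1>&2
    fi
  done

  ###########################
  ###### FULL BACKUPS #######
  ###########################
  printf '\n\nPerforming full backups\n'
  printf '%s\n\n' "--------------------------------------------"
  if ! db_list=$(_list_databases "select datname from pg_database where not datistemplate and datallowconn $exclude_schema_only_clause order by datname;"); then
    echo "[!!ERROR!!] Could not list databases for full backup" 1>&2
    return 1
  fi
  dbs=()
  [ -z "$db_list" ] || mapfile -t dbs <<<"$db_list"
  for db in "${dbs[@]}"; do
    if [ "$ENABLE_PLAIN_BACKUPS" = "yes" ]; then
      echo "Plain backup of $db"
      if ! _gzip_dump "${final_backup_dir}${db}.sql.gz" \
          pg_dump -Fp -h "$HOSTNAME" -U "$USERNAME" "$db"; then
        echo "[!!ERROR!!] Failed to produce plain backup database $db" 1>&2
      fi
    fi
    if [ "$ENABLE_CUSTOM_BACKUPS" = "yes" ]; then
      echo "Custom backup of $db"
      # This error now goes to stderr like the other failures.
      if ! _custom_dump "${final_backup_dir}${db}.custom" "$db"; then
        echo "[!!ERROR!!] Failed to produce custom backup database $db" 1>&2
      fi
    fi
  done
  printf '\nAll database backups complete!\n'
}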
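# ROTATION
# Every backup lands in "${BACKUP_DIR}<date><suffix>/" (see perform_backups),
# so BACKUP_DIR may be a directory ("/srv/backups/") or a directory plus a
# name prefix ("/srv/backups/psql_"). Expired directories are therefore
# searched as "<parent>/<prefix>*<suffix>"; running find on BACKUP_DIR itself
# never pruned anything in the prefix form.
: "${BACKUP_DIR:?BACKUP_DIR must be set in the config file}"
if [[ "$BACKUP_DIR" == */* ]]; then
  BACKUP_PARENT=${BACKUP_DIR%/*}
  BACKUP_PREFIX=${BACKUP_DIR##*/}
else
  BACKUP_PARENT=.
  BACKUP_PREFIX=$BACKUP_DIR
fi
# "/psql_" strips to an empty parent, which means the root directory.
BACKUP_PARENT=${BACKUP_PARENT:-/}

# MONTHLY BACKUPS
DAY_OF_MONTH=$(date +%d)
if [ "$DAY_OF_MONTH" -eq 1 ]; then
  perform_backups "-monthly"
  # Prune only after the new monthly backup exists, so a failed run never
  # leaves zero monthly copies. MONTHS_TO_KEEP (optional config key) defaults
  # to 0, which keeps just the newest monthly backup as before: "-mtime +0"
  # matches directories older than a day and never the one created moments ago.
  EXPIRED_DAYS=$(( ${MONTHS_TO_KEEP:-0} * 31 ))
  find "$BACKUP_PARENT" -mindepth 1 -maxdepth 1 -type d -name "${BACKUP_PREFIX}*-monthly" \
    -mtime +"$EXPIRED_DAYS" -exec rm -rf -- '{}' +
  exit 0
fi

# WEEKLY BACKUPS
DAY_OF_WEEK=$(date +%u) # 1-7 (Monday-Sunday)
EXPIRED_DAYS=$(( WEEKS_TO_KEEP * 7 + 1 ))
if [ "$DAY_OF_WEEK" = "$DAY_OF_WEEK_TO_KEEP" ]; then
  # Delete all expired weekly directories (the age threshold protects the one
  # about to be created, so pruning first frees space as before).
  find "$BACKUP_PARENT" -mindepth 1 -maxdepth 1 -type d -name "${BACKUP_PREFIX}*-weekly" \
    -mtime +"$EXPIRED_DAYS" -exec rm -rf -- '{}' +
  perform_backups "-weekly"
  exit 0
fi

# DAILY BACKUPS
# Delete daily backups more than DAYS_TO_KEEP days old
find "$BACKUP_PARENT" -mindepth 1 -maxdepth 1 -type d -name "${BACKUP_PREFIX}*-daily" \
  -mtime +"$DAYS_TO_KEEP" -exec rm -rf -- '{}' +
perform_backups "-daily"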
> nano ./pg_backup.config
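##############################
## POSTGRESQL BACKUP CONFIG ##
##############################
# This file is sourced by pg_backup.sh, i.e. executed as shell code. Keep it
# owned by the backup user with mode 0600 (it can contain a password) and quote
# any value containing spaces or shell metacharacters.

# Optional system user to run backups as. If the user the script is running as doesn't match this
# the script terminates. Leave blank to skip check.
BACKUP_USER=
# Optional hostname to adhere to pg_hba policies. Will default to "localhost" if none specified.
# Keep this line even when empty: bash pre-sets HOSTNAME to the machine's name, and the
# script only falls back to "localhost" when the value is empty.
HOSTNAME=
# Optional port to use
PORT=37413
# Optional username to connect to database as. Will default to "postgres" if none specified.
USERNAME=
# Optional password to use (exported as PGPASSWORD by the script). It must be quoted: an
# unquoted "<" or ">" is parsed as a redirection and breaks sourcing. Prefer leaving it empty
# and giving the backup user a ~/.pgpass file (mode 0600), which keeps the secret out of this
# file and out of the process environment.
PASSWORD='<PASSWORD>'
# Prefix for the backup directories: the script appends "<date><suffix>/", so the value below
# yields e.g. /path/to/backups/psql_2024-10-06-daily/. The dated directories (and any missing
# parents) are created as needed and must be creatable/writable by the user the script runs as.
# NOTE(review): the rotation step runs "find $BACKUP_DIR -maxdepth 1", which expects an existing
# directory; with a name prefix like the one below, expired backups are not found and nothing is
# pruned. Use a directory ending in "/" unless the rotation code has been updated to handle prefixes.
BACKUP_DIR=/path/to/backups/psql_
# List of strings to match against in database name, separated by space or comma, for which we only
# wish to keep a backup of the schema, not the data. Any database names which contain any of these
# values will be considered candidates. (e.g. "system_log" will match "dev_system_log_2010-01")
SCHEMA_ONLY_LIST=""
# Will produce a custom-format backup if set to "yes"
ENABLE_CUSTOM_BACKUPS=no
# Will produce a gzipped plain-format backup if set to "yes"
ENABLE_PLAIN_BACKUPS=yes
# Will produce gzipped sql file containing the cluster globals, like users and passwords, if set to "yes"
ENABLE_GLOBALS_BACKUPS=yes
#### SETTINGS FOR ROTATED BACKUPS ####
# Which day to take the weekly backup from (1-7 = Monday-Sunday)
DAY_OF_WEEK_TO_KEEP=5
# Number of days to keep daily backups
DAYS_TO_KEEP=7
# How many weeks to keep weekly backups
WEEKS_TO_KEEP=5
######################################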
Test & automate:
chmod +x ./pg_backup.sh
./pg_backup.sh
> crontab -e
00 02 * * * cd /path/to/backup/file && ./pg_backup.sh
Upload to Backblaze B2 (crontab entry; the excludes keep the scripts, logs and the config file holding the password out of the bucket):
30 02 * * * /snap/bin/aws s3 sync /root/backups s3://bucket --exclude '*.log' --exclude '*.sh' --exclude '*.config' --endpoint-url=https://s3.eu-central-003.backblazeb2.com