%20by%20%E2%80%9EDiceBear%E2%80%9D%2C%20licensed%20under%20%E2%80%9ECC0%201.0%E2%80%9D%20(https%3A%2F%2Fcreativecommons.org%2Fpublicdomain%2Fzero%2F1.0%2F)%3C%2Fdc%3Arights%3E%3C%2Frdf%3ADescription%3E%3C%2Frdf%3ARDF%3E%3C%2Fmetadata%3E%3Cmask%20id%3D%22viewboxMask%22%3E%3Crect%20width%3D%22100%22%20height%3D%22100%22%20rx%3D%220%22%20ry%3D%220%22%20x%3D%220%22%20y%3D%220%22%20fill%3D%22%23fff%22%20%2F%3E%3C%2Fmask%3E%3Cg%20mask%3D%22url(%23viewboxMask)%22%3E%3Crect%20fill%3D%22url(%23backgroundLinear)%22%20width%3D%22100%22%20height%3D%22100%22%20x%3D%220%22%20y%3D%220%22%20%2F%3E%3Cdefs%3E%3ClinearGradient%20id%3D%22backgroundLinear%22%20gradientTransform%3D%22rotate(219%200.5%200.5)%22%3E%3Cstop%20stop-color%3D%22%23ffffff%22%2F%3E%3Cstop%20offset%3D%221%22%20stop-color%3D%22%23ffffff%22%2F%3E%3C%2FlinearGradient%3E%3C%2Fdefs%3E%3Cg%20transform%3D%22matrix(1.2%200%200%201.2%20-10%20-10)%22%3E%3Cg%20transform%3D%22translate(-45%2C%20-37)%20rotate(-30%2050%2050)%22%3E%3Cpath%20d%3D%22M0%200h100v100H0V0Z%22%20fill%3D%22%23e34aab%22%2F%3E%3C%2Fg%3E%3C%2Fg%3E%3Cg%20transform%3D%22matrix(.8%200%200%20.8%2010%2010)%22%3E%3Cg%20transform%3D%22translate(-25%2C%2013)%20rotate(-49%2050%2050)%22%3E%3Cpath%20d%3D%22M100%2050A50%2050%200%201%201%200%2050a50%2050%200%200%201%20100%200Z%22%20fill%3D%22%23ff8000%22%2F%3E%3C%2Fg%3E%3C%2Fg%3E%3Cg%20transform%3D%22matrix(.4%200%200%20.4%2030%2030)%22%3E%3Cg%20transform%3D%22translate(18%2C%205)%20rotate(-79%2050%2050)%22%3E%3Cpath%20fill-rule%3D%22evenodd%22%20clip-rule%3D%22evenodd%22%20d%3D%22M50%207%200%2093.6h100L50%207Zm0%2020L17.3%2083.6h65.4L50%2027Z%22%20fill%3D%22%2300d2a8%22%2F%3E%3C%2Fg%3E%3C%2Fg%3E%3C%2Fg%3E%3C%2Fsvg%3E)
October 6, 2024
1. Install packages
apt install postgresql postgresql-16-postgis-3Quickly create long passwords:
openssl rand -base64 322. Set up main password
sudo -u postgres psql template1
ALTER USER postgres with encrypted password '<PASSWORD>';3. Set up SSL (create keys with Certbot, see NGINX guide)
> nano ./psql_rotate_certs.sh
#!/bin/bash
cp /etc/letsencrypt/live/db.example.com/fullchain.pem /etc/postgresql/16/main/fullchain.pem
cp /etc/letsencrypt/live/db.example.com/privkey.pem /etc/postgresql/16/main/privkey.pem
chmod 600 /etc/postgresql/16/main/fullchain.pem /etc/postgresql/16/main/privkey.pem
chown postgres:postgres /etc/postgresql/16/main/fullchain.pem /etc/postgresql/16/main/privkey.pemchmod +x ./psql_rotate_certs.sh
./psql_rotate_certs.sh> crontab -e
00 08 * * * certbot renew --post-hook /path/to/psql_rotate_certs.sh --quiet4. Update configs
> nano /etc/postgresql/16/main/postgresql.conf
listen_addresses = '*'
ssl = on
ssl_cert_file = '/etc/postgresql/16/main/fullchain.pem'
ssl_key_file = '/etc/postgresql/16/main/privkey.pem'
> nano /etc/postgresql/16/main/pg_hba.conf
hostssl all all 0.0.0.0/0 scram-sha-256For fine tuning the rest of the settings like write buffers and connection limits use pgTune.
An example configuration for the cheapest tier on Hetzner:
# DB Version: 16
# OS Type: linux
# DB Type: web
# Total Memory (RAM): 4 GB
# CPUs num: 2
# Data Storage: ssd
max_connections = 200
shared_buffers = 1GB
effective_cache_size = 3GB
maintenance_work_mem = 256MB
checkpoint_completion_target = 0.9
wal_buffers = 16MB
default_statistics_target = 100
random_page_cost = 1.1
effective_io_concurrency = 200
work_mem = 2621kB
huge_pages = off
min_wal_size = 1GB
max_wal_size = 4GBThis will double the default connection limit since default PostgreSQL configuration is very conservative.
5. Start PostgreSQL
ufw allow postgresql
systemctl restart postgresql6. Create first User/DB
> sudo -u postgres psql
CREATE DATABASE dbName;
CREATE USER userName WITH ENCRYPTED PASSWORD '<PASSWORD>';
ALTER DATABASE dbName OWNER TO userName;
GRANT ALL ON DATABASE dbName TO userName;Restoring backups:
> sudo -u postgres psql dbName < dump.sql
> sudo -u postgres psql
\c dbName;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO userName;7. Manual backups/restore
Dump DB:
pg_dump -F t dbName > dbName.tarRestore DB:
pg_restore -d dbName dbName.tarDump all:
pg_dumpall -F t > all_pg_dbs.tarRestore all
psql -f all_pg_dbs.sql postgres8. Automated backups (optional)
> nano ./pg_backup.sh
#!/bin/bash
###########################
####### LOAD CONFIG #######
###########################
while [ $# -gt 0 ]; do
case $1 in
-c)
CONFIG_FILE_PATH="$2"
shift 2
;;
*)
${ECHO} "Unknown Option \"$1\"" 1>&2
exit 2
;;
esac
done
if [ -z $CONFIG_FILE_PATH ] ; then
SCRIPTPATH=$(cd ${0%/*} && pwd -P)
CONFIG_FILE_PATH="${SCRIPTPATH}/pg_backup.config"
fi
if [ ! -r ${CONFIG_FILE_PATH} ] ; then
echo "Could not load config file from ${CONFIG_FILE_PATH}" 1>&2
exit 1
fi
source "${CONFIG_FILE_PATH}"
###########################
#### PRE-BACKUP CHECKS ####
###########################
# Make sure we're running as the required backup user
if [ "$BACKUP_USER" != "" -a "$(id -un)" != "$BACKUP_USER" ] ; then
echo "This script must be run as $BACKUP_USER. Exiting." 1>&2
exit 1
fi
###########################
### INITIALISE DEFAULTS ###
###########################
if [ ! $HOSTNAME ]; then
HOSTNAME="localhost"
fi;
if [ $PORT ]; then
export PGPORT="$PORT"
fi;
if [ ! $USERNAME ]; then
USERNAME="postgres"
fi;
if [ $PASSWORD ]; then
export PGPASSWORD="$PASSWORD"
fi;
if [ ! $DAY_OF_WEEK_TO_KEEP ]; then
DAY_OF_WEEK_TO_KEEP=5
fi;
if [ ! $DAYS_TO_KEEP ]; then
DAYS_TO_KEEP=7
fi;
if [ ! $WEEKS_TO_KEEP ]; then
WEEKS_TO_KEEP=5
fi;
###########################
#### START THE BACKUPS ####
###########################
function perform_backups()
{
SUFFIX=$1
FINAL_BACKUP_DIR=$BACKUP_DIR"`date +\%Y-\%m-\%d`$SUFFIX/"
echo "Making backup directory in $FINAL_BACKUP_DIR"
if ! mkdir -p $FINAL_BACKUP_DIR; then
echo "Cannot create backup directory in $FINAL_BACKUP_DIR. Go and fix it!" 1>&2
exit 1;
fi;
#######################
### GLOBALS BACKUPS ###
#######################
echo -e "\n\nPerforming globals backup"
echo -e "--------------------------------------------\n"
if [ $ENABLE_GLOBALS_BACKUPS = "yes" ]
then
echo "Globals backup"
set -o pipefail
if ! pg_dumpall -g -h "$HOSTNAME" -U "$USERNAME" | gzip > $FINAL_BACKUP_DIR"globals".sql.gz.in_progress; then
echo "[!!ERROR!!] Failed to produce globals backup" 1>&2
else
mv $FINAL_BACKUP_DIR"globals".sql.gz.in_progress $FINAL_BACKUP_DIR"globals".sql.gz
fi
set +o pipefail
else
echo "None"
fi
###########################
### SCHEMA-ONLY BACKUPS ###
###########################
for SCHEMA_ONLY_DB in ${SCHEMA_ONLY_LIST//,/ }
do
SCHEMA_ONLY_CLAUSE="$SCHEMA_ONLY_CLAUSE or datname ~ '$SCHEMA_ONLY_DB'"
done
SCHEMA_ONLY_QUERY="select datname from pg_database where false $SCHEMA_ONLY_CLAUSE order by datname;"
echo -e "\n\nPerforming schema-only backups"
echo -e "--------------------------------------------\n"
SCHEMA_ONLY_DB_LIST=`psql -h "$HOSTNAME" -U "$USERNAME" -At -c "$SCHEMA_ONLY_QUERY" postgres`
echo -e "The following databases were matched for schema-only backup:\n${SCHEMA_ONLY_DB_LIST}\n"
for DATABASE in $SCHEMA_ONLY_DB_LIST
do
echo "Schema-only backup of $DATABASE"
set -o pipefail
if ! pg_dump -Fp -s -h "$HOSTNAME" -U "$USERNAME" "$DATABASE" | gzip > $FINAL_BACKUP_DIR"$DATABASE"_SCHEMA.sql.gz.in_progress; then
echo "[!!ERROR!!] Failed to backup database schema of $DATABASE" 1>&2
else
mv $FINAL_BACKUP_DIR"$DATABASE"_SCHEMA.sql.gz.in_progress $FINAL_BACKUP_DIR"$DATABASE"_SCHEMA.sql.gz
fi
set +o pipefail
done
###########################
###### FULL BACKUPS #######
###########################
for SCHEMA_ONLY_DB in ${SCHEMA_ONLY_LIST//,/ }
do
EXCLUDE_SCHEMA_ONLY_CLAUSE="$EXCLUDE_SCHEMA_ONLY_CLAUSE and datname !~ '$SCHEMA_ONLY_DB'"
done
FULL_BACKUP_QUERY="select datname from pg_database where not datistemplate and datallowconn $EXCLUDE_SCHEMA_ONLY_CLAUSE order by datname;"
echo -e "\n\nPerforming full backups"
echo -e "--------------------------------------------\n"
for DATABASE in `psql -h "$HOSTNAME" -U "$USERNAME" -At -c "$FULL_BACKUP_QUERY" postgres`
do
if [ $ENABLE_PLAIN_BACKUPS = "yes" ]
then
echo "Plain backup of $DATABASE"
set -o pipefail
if ! pg_dump -Fp -h "$HOSTNAME" -U "$USERNAME" "$DATABASE" | gzip > $FINAL_BACKUP_DIR"$DATABASE".sql.gz.in_progress; then
echo "[!!ERROR!!] Failed to produce plain backup database $DATABASE" 1>&2
else
mv $FINAL_BACKUP_DIR"$DATABASE".sql.gz.in_progress $FINAL_BACKUP_DIR"$DATABASE".sql.gz
fi
set +o pipefail
fi
if [ $ENABLE_CUSTOM_BACKUPS = "yes" ]
then
echo "Custom backup of $DATABASE"
if ! pg_dump -Fc -h "$HOSTNAME" -U "$USERNAME" "$DATABASE" -f $FINAL_BACKUP_DIR"$DATABASE".custom.in_progress; then
echo "[!!ERROR!!] Failed to produce custom backup database $DATABASE"
else
mv $FINAL_BACKUP_DIR"$DATABASE".custom.in_progress $FINAL_BACKUP_DIR"$DATABASE".custom
fi
fi
done
echo -e "\nAll database backups complete!"
}
# MONTHLY BACKUPS
DAY_OF_MONTH=`date +%d`
BACKUP_PARENT_DIR=$(dirname "$BACKUP_DIR")
if [ $DAY_OF_MONTH -eq 1 ];
then
# Delete all expired monthly directories
find $BACKUP_PARENT_DIR -maxdepth 1 -name "*-monthly" -exec rm -rf '{}' ';'
perform_backups "-monthly"
exit 0;
fi
# WEEKLY BACKUPS
DAY_OF_WEEK=`date +%u` #1-7 (Monday-Sunday)
EXPIRED_DAYS=`expr $((($WEEKS_TO_KEEP * 7) + 1))`
if [ $DAY_OF_WEEK = $DAY_OF_WEEK_TO_KEEP ];
then
# Delete all expired weekly directories
find $BACKUP_PARENT_DIR -maxdepth 1 -mtime +$EXPIRED_DAYS -name "*-weekly" -exec rm -rf '{}' ';'
perform_backups "-weekly"
exit 0;
fi
# DAILY BACKUPS
# Delete daily backups 7 days old or more
find $BACKUP_PARENT_DIR -maxdepth 1 -mtime +$DAYS_TO_KEEP -name "*-daily" -exec rm -rf '{}' ';'
perform_backups "-daily"> nano ./pg_backup.config
##############################
## POSTGRESQL BACKUP CONFIG ##
##############################
# Optional system user to run backups as. If the user the script is running as doesn't match this
# the script terminates. Leave blank to skip check.
BACKUP_USER=
# Optional hostname to adhere to pg_hba policies. Will default to "localhost" if none specified.
HOSTNAME=
# Optional port to use
PORT=37413
# Optional username to connect to database as. Will default to "postgres" if none specified.
USERNAME=
# Optional password to use
PASSWORD=<PASSWORD>
# This dir will be created if it doesn't exist. This must be writable by the user the script is
# running as.
BACKUP_DIR=/path/to/backups/psql_
# List of strings to match against in database name, separated by space or comma, for which we only
# wish to keep a backup of the schema, not the data. Any database names which contain any of these
# values will be considered candidates. (e.g. "system_log" will match "dev_system_log_2010-01")
SCHEMA_ONLY_LIST=""
# Will produce a custom-format backup if set to "yes"
ENABLE_CUSTOM_BACKUPS=no
# Will produce a gzipped plain-format backup if set to "yes"
ENABLE_PLAIN_BACKUPS=yes
# Will produce gzipped sql file containing the cluster globals, like users and passwords, if set to "yes"
ENABLE_GLOBALS_BACKUPS=yes
#### SETTINGS FOR ROTATED BACKUPS ####
# Which day to take the weekly backup from (1-7 = Monday-Sunday)
DAY_OF_WEEK_TO_KEEP=5
# Number of days to keep daily backups
DAYS_TO_KEEP=7
# How many weeks to keep weekly backups
WEEKS_TO_KEEP=5
######################################Test & automate:
chmod +x ./pg_backup.sh
./pg_backup.sh> crontab -e
00 02 * * * cd /path/to/backup/file && ./pg_backup.shUpload to BackBlaze:
30 02 * * * /snap/bin/aws s3 sync /root/backups s3://bucket --exclude '*.log' --exclude '*.sh' --exclude '*.config' --endpoint-url=https://s3.eu-central-003.backblazeb2.com