Setting up PostgreSQL

Setting up PostgreSQL

October 6, 2024

1. Install packages

apt install postgresql postgresql-16-postgis-3

Quickly create long passwords:

openssl rand -base64 32

2. Set up main password

sudo -u postgres psql template1
ALTER USER postgres with encrypted password '<PASSWORD>';

3. Set up SSL (create keys with Certbot, see NGINX guide)

> nano ./psql_rotate_certs.sh
#!/bin/bash
cp /etc/letsencrypt/live/db.example.com/fullchain.pem /etc/postgresql/16/main/fullchain.pem
cp /etc/letsencrypt/live/db.example.com/privkey.pem /etc/postgresql/16/main/privkey.pem
chmod 600 /etc/postgresql/16/main/fullchain.pem /etc/postgresql/16/main/privkey.pem
chown postgres:postgres /etc/postgresql/16/main/fullchain.pem /etc/postgresql/16/main/privkey.pem
chmod +x ./psql_rotate_certs.sh
./psql_rotate_certs.sh
> crontab -e
00 08 * * * certbot renew --post-hook /path/to/psql_rotate_certs.sh --quiet

4. Update configs

> nano /etc/postgresql/16/main/postgresql.conf
listen_addresses = '*'
ssl = on
ssl_cert_file = '/etc/postgresql/16/main/fullchain.pem'
ssl_key_file = '/etc/postgresql/16/main/privkey.pem'

> nano /etc/postgresql/16/main/pg_hba.conf
hostssl all             all             0.0.0.0/0               scram-sha-256

5. Start PostgreSQL

ufw allow postgresql
systemctl restart postgresql

6. Create first User/DB

> sudo -u postgres psql
CREATE DATABASE dbName;
CREATE USER userName WITH ENCRYPTED PASSWORD '<PASSWORD>';
ALTER DATABASE dbName OWNER TO userName;
GRANT ALL ON DATABASE dbName TO userName;

Restoring backups:

> sudo -u postgres psql dbName < dump.sql
> sudo -u postgres psql
\c dbName;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO userName;

7. Manual backups/restore

Dump DB:

pg_dump -F t dbName > dbName.tar

Restore DB:

pg_restore -d dbName dbName.tar

Dump all:

pg_dumpall -F t > all_pg_dbs.tar

Restore all

psql -f all_pg_dbs.sql postgres

8. Automated backups (optional)

> nano ./pg_backup.sh
#!/bin/bash

###########################
####### LOAD CONFIG #######
###########################

while [ $# -gt 0 ]; do
        case $1 in
                -c)
                        CONFIG_FILE_PATH="$2"
                        shift 2
                        ;;
                *)
                        ${ECHO} "Unknown Option \"$1\"" 1>&2
                        exit 2
                        ;;
        esac
done

if [ -z $CONFIG_FILE_PATH ] ; then
        SCRIPTPATH=$(cd ${0%/*} && pwd -P)
        CONFIG_FILE_PATH="${SCRIPTPATH}/pg_backup.config"
fi

if [ ! -r ${CONFIG_FILE_PATH} ] ; then
        echo "Could not load config file from ${CONFIG_FILE_PATH}" 1>&2
        exit 1
fi

source "${CONFIG_FILE_PATH}"

###########################
#### PRE-BACKUP CHECKS ####
###########################

# Make sure we're running as the required backup user
if [ "$BACKUP_USER" != "" -a "$(id -un)" != "$BACKUP_USER" ] ; then
  echo "This script must be run as $BACKUP_USER. Exiting." 1>&2
  exit 1
fi


###########################
### INITIALISE DEFAULTS ###
###########################

if [ ! $HOSTNAME ]; then
  HOSTNAME="localhost"
fi;

if [ $PORT ]; then
  export PGPORT="$PORT"
fi;

if [ ! $USERNAME ]; then
  USERNAME="postgres"
fi;

if [ $PASSWORD ]; then
  export PGPASSWORD="$PASSWORD"
fi;

if [ ! $DAY_OF_WEEK_TO_KEEP ]; then
  DAY_OF_WEEK_TO_KEEP=5
fi;

if [ ! $DAYS_TO_KEEP ]; then
  DAYS_TO_KEEP=7
fi;

if [ ! $WEEKS_TO_KEEP ]; then
  WEEKS_TO_KEEP=5
fi;

###########################
#### START THE BACKUPS ####
###########################

function perform_backups()
{
  SUFFIX=$1
  FINAL_BACKUP_DIR=$BACKUP_DIR"`date +\%Y-\%m-\%d`$SUFFIX/"

  echo "Making backup directory in $FINAL_BACKUP_DIR"

  if ! mkdir -p $FINAL_BACKUP_DIR; then
    echo "Cannot create backup directory in $FINAL_BACKUP_DIR. Go and fix it!" 1>&2
    exit 1;
  fi;

  #######################
  ### GLOBALS BACKUPS ###
  #######################

  echo -e "\n\nPerforming globals backup"
  echo -e "--------------------------------------------\n"

  if [ $ENABLE_GLOBALS_BACKUPS = "yes" ]
  then
        echo "Globals backup"

        set -o pipefail
        if ! pg_dumpall -g -h "$HOSTNAME" -U "$USERNAME" | gzip > $FINAL_BACKUP_DIR"globals".sql.gz.in_progress; then
                echo "[!!ERROR!!] Failed to produce globals backup" 1>&2
        else
                mv $FINAL_BACKUP_DIR"globals".sql.gz.in_progress $FINAL_BACKUP_DIR"globals".sql.gz
        fi
        set +o pipefail
  else
    echo "None"
  fi


  ###########################
  ### SCHEMA-ONLY BACKUPS ###
  ###########################

  for SCHEMA_ONLY_DB in ${SCHEMA_ONLY_LIST//,/ }
  do
          SCHEMA_ONLY_CLAUSE="$SCHEMA_ONLY_CLAUSE or datname ~ '$SCHEMA_ONLY_DB'"
  done

  SCHEMA_ONLY_QUERY="select datname from pg_database where false $SCHEMA_ONLY_CLAUSE order by datname;"

  echo -e "\n\nPerforming schema-only backups"
  echo -e "--------------------------------------------\n"

  SCHEMA_ONLY_DB_LIST=`psql -h "$HOSTNAME" -U "$USERNAME" -At -c "$SCHEMA_ONLY_QUERY" postgres`

  echo -e "The following databases were matched for schema-only backup:\n${SCHEMA_ONLY_DB_LIST}\n"

  for DATABASE in $SCHEMA_ONLY_DB_LIST
  do
          echo "Schema-only backup of $DATABASE"
    set -o pipefail
          if ! pg_dump -Fp -s -h "$HOSTNAME" -U "$USERNAME" "$DATABASE" | gzip > $FINAL_BACKUP_DIR"$DATABASE"_SCHEMA.sql.gz.in_progress; then
                  echo "[!!ERROR!!] Failed to backup database schema of $DATABASE" 1>&2
          else
                  mv $FINAL_BACKUP_DIR"$DATABASE"_SCHEMA.sql.gz.in_progress $FINAL_BACKUP_DIR"$DATABASE"_SCHEMA.sql.gz
          fi
          set +o pipefail
  done


  ###########################
  ###### FULL BACKUPS #######
  ###########################

  for SCHEMA_ONLY_DB in ${SCHEMA_ONLY_LIST//,/ }
  do
    EXCLUDE_SCHEMA_ONLY_CLAUSE="$EXCLUDE_SCHEMA_ONLY_CLAUSE and datname !~ '$SCHEMA_ONLY_DB'"
  done

  FULL_BACKUP_QUERY="select datname from pg_database where not datistemplate and datallowconn $EXCLUDE_SCHEMA_ONLY_CLAUSE order by datname;"

  echo -e "\n\nPerforming full backups"
  echo -e "--------------------------------------------\n"

  for DATABASE in `psql -h "$HOSTNAME" -U "$USERNAME" -At -c "$FULL_BACKUP_QUERY" postgres`
  do
    if [ $ENABLE_PLAIN_BACKUPS = "yes" ]
    then
      echo "Plain backup of $DATABASE"

      set -o pipefail
      if ! pg_dump -Fp -h "$HOSTNAME" -U "$USERNAME" "$DATABASE" | gzip > $FINAL_BACKUP_DIR"$DATABASE".sql.gz.in_progress; then
        echo "[!!ERROR!!] Failed to produce plain backup database $DATABASE" 1>&2
      else
        mv $FINAL_BACKUP_DIR"$DATABASE".sql.gz.in_progress $FINAL_BACKUP_DIR"$DATABASE".sql.gz
      fi
      set +o pipefail

    fi

    if [ $ENABLE_CUSTOM_BACKUPS = "yes" ]
    then
      echo "Custom backup of $DATABASE"

      if ! pg_dump -Fc -h "$HOSTNAME" -U "$USERNAME" "$DATABASE" -f $FINAL_BACKUP_DIR"$DATABASE".custom.in_progress; then
        echo "[!!ERROR!!] Failed to produce custom backup database $DATABASE"
      else
        mv $FINAL_BACKUP_DIR"$DATABASE".custom.in_progress $FINAL_BACKUP_DIR"$DATABASE".custom
      fi
    fi

  done

  echo -e "\nAll database backups complete!"
}

# MONTHLY BACKUPS

DAY_OF_MONTH=`date +%d`
BACKUP_PARENT_DIR=$(dirname "$BACKUP_DIR")

if [ $DAY_OF_MONTH -eq 1 ];
then
  # Delete all expired monthly directories
  find $BACKUP_PARENT_DIR -maxdepth 1 -name "*-monthly" -exec rm -rf '{}' ';'

  perform_backups "-monthly"

  exit 0;
fi

# WEEKLY BACKUPS

DAY_OF_WEEK=`date +%u` #1-7 (Monday-Sunday)
EXPIRED_DAYS=`expr $((($WEEKS_TO_KEEP * 7) + 1))`

if [ $DAY_OF_WEEK = $DAY_OF_WEEK_TO_KEEP ];
then
  # Delete all expired weekly directories
  find $BACKUP_PARENT_DIR -maxdepth 1 -mtime +$EXPIRED_DAYS -name "*-weekly" -exec rm -rf '{}' ';'

  perform_backups "-weekly"

  exit 0;
fi

# DAILY BACKUPS

# Delete daily backups 7 days old or more
find $BACKUP_PARENT_DIR -maxdepth 1 -mtime +$DAYS_TO_KEEP -name "*-daily" -exec rm -rf '{}' ';'

perform_backups "-daily"
> nano ./pg_backup.config
##############################
## POSTGRESQL BACKUP CONFIG ##
##############################

# Optional system user to run backups as.  If the user the script is running as doesn't match this
# the script terminates.  Leave blank to skip check.
BACKUP_USER=

# Optional hostname to adhere to pg_hba policies.  Will default to "localhost" if none specified.
HOSTNAME=

# Optional port to use
PORT=37413

# Optional username to connect to database as.  Will default to "postgres" if none specified.
USERNAME=

# Optional password to use
PASSWORD=<PASSWORD>

# This dir will be created if it doesn't exist.  This must be writable by the user the script is
# running as.
BACKUP_DIR=/path/to/backups/psql_

# List of strings to match against in database name, separated by space or comma, for which we only
# wish to keep a backup of the schema, not the data. Any database names which contain any of these
# values will be considered candidates. (e.g. "system_log" will match "dev_system_log_2010-01")
SCHEMA_ONLY_LIST=""

# Will produce a custom-format backup if set to "yes"
ENABLE_CUSTOM_BACKUPS=no

# Will produce a gzipped plain-format backup if set to "yes"
ENABLE_PLAIN_BACKUPS=yes

# Will produce gzipped sql file containing the cluster globals, like users and passwords, if set to "yes"
ENABLE_GLOBALS_BACKUPS=yes


#### SETTINGS FOR ROTATED BACKUPS ####

# Which day to take the weekly backup from (1-7 = Monday-Sunday)
DAY_OF_WEEK_TO_KEEP=5

# Number of days to keep daily backups
DAYS_TO_KEEP=7

# How many weeks to keep weekly backups
WEEKS_TO_KEEP=5

######################################

Test & automate:

chmod +x ./pg_backup.sh
./pg_backup.sh
> crontab -e
00 02 * * * cd /path/to/backup/file && ./pg_backup.sh

Upload to BackBlaze:

30 02 * * * /snap/bin/aws s3 sync /root/backups s3://bucket --exclude '*.log' --exclude '*.sh' --exclude '*.config' --endpoint-url=https://s3.eu-central-003.backblazeb2.com

built withbuildery