Make backups of mysql databases with rsnapshot

mysql/defaults/main.yml

@@ -2,3 +2,6 @@
 
 # yamllint disable-line rule:line-length
 mysql_root_password: "{{ lookup('passwordstore', 'db/{{ ansible_hostname }}-mysql create=true length=20') }}"
+
+mysql_backup_user: "backup"
+mysql_backup_password: "{{ lookup('passwordstore', 'db/{{ ansible_hostname }}-mysql-backup create=true length=20') }}"

mysql/files/crontab

+3 * * * * root /usr/bin/rsnapshot -c /etc/rsnapshot.d/mysql.conf hourly
+55 23 * * * root /usr/bin/rsnapshot -c /etc/rsnapshot.d/mysql.conf daily
+45 23 * * 6 root /usr/bin/rsnapshot -c /etc/rsnapshot.d/mysql.conf weekly
+35 23 3 * * root /usr/bin/rsnapshot -c /etc/rsnapshot.d/mysql.conf monthly

mysql/files/rsnapshot.conf

+config_version	1.2
+snapshot_root	/var/backups/
+cmd_cp	/bin/cp
+cmd_rm	/bin/rm
+cmd_rsync	/usr/bin/rsync
+cmd_logger	/usr/bin/logger
+cmd_du	/usr/bin/du
+
+retain	hourly	6
+retain	daily	7
+retain	weekly	4
+retain	monthly	6
+
+verbose	2
+loglevel	3
+lockfile	/var/run/rsnapshot-mysql.pid
+
+backup_script	/usr/local/bin/mysqlbackup.sh	mysql/

mysql/tasks/main.yml

 ---
 # file: roles/mysql/tasks/main.yml
 
-- name: ensure mysql packages are installed for jessie
-  apt:
-    name:
-      - mysql-server
-      - python-mysqldb
-    state: present
-  when:
-    - debian_version == "jessie"
-  tags:
-    - packages
-    - mysql
-
-- name: ensure mysql packages are installed for stretch
+- name: ensure mysql packages are installed
   apt:
     name:
       - mariadb-server
       - python-mysqldb
     state: present
-  when:
-    - debian_version != "jessie"
   tags:
     - packages
     - mysql
@@ -30,9 +16,6 @@
     name: mysql
     state: started
     enabled: true
-  tags:
-    - service
-    - mysql
 
 - name: ensure the mysql root user exists and has the correct password
   mysql_user:
@@ -43,9 +26,6 @@
   register: mysql_root_creation_result
   no_log: true
   ignore_errors: true
-  tags:
-    - mysql
-    - config
 
 - name: initialize the mysql root user
   mysql_user:
@@ -53,6 +33,56 @@
     password: "{{ mysql_root_password }}"
   no_log: true
   when: mysql_root_creation_result is failed
-  tags:
-    - mysql
-    - config
+
+- name: ensure a read-only mysql user for backups exists
+  mysql_user:
+    name: "{{ mysql_backup_user }}"
+    password: "{{ mysql_backup_password }}"
+    login_user: root
+    login_password: "{{ mysql_root_password }}"
+    priv: "*.*:SELECT,LOCK TABLES"
+
+- name: ensure the backup procedure can access the backup password
+  template:
+    src: my.cnf
+    dest: "/root/.mysql-{{mysql_backup_user}}.cnf"
+    owner: root
+    group: root
+    mode: '0600'
+
+- name: deploy the mysql backup script
+  template:
+    src: mysqlbackup.sh
+    dest: /usr/local/bin/
+    owner: root
+    group: root
+    mode: '0755'
+
+- name: ensure we have rsnapshot
+  apt:
+    name: rsnapshot
+    state: present
+
+- name: ensure we have a directory for rsnapshot configuration
+  file:
+    path: /etc/rsnapshot.d
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
+
+- name: ensure we backup all the mysql databases with rsnapshot
+  copy:
+    src: rsnapshot.conf
+    dest: /etc/rsnapshot.d/mysql.conf
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: make rsnapshot run regularly
+  copy:
+    src: crontab
+    dest: /etc/cron.d/mysql-snapshot
+    owner: root
+    group: root
+    mode: '0644'

mysql/templates/my.cnf

+[client]
+user = {{ mysql_backup_user }}
+password = {{mysql_backup_password }}
+host = localhost

mysql/templates/mysqlbackup.sh

+#!/bin/sh
+
+umask 0077
+/usr/bin/mysqldump --defaults-extra-file=/root/.mysql-{{mysql_backup_user}}.cnf --all-databases | gzip -c -- > mysqldump_all_databases.sql.gz
+
+/bin/chmod 600 mysqldump_all_databases.sql.gz