veza/infra/ansible/roles/pgbackrest/tasks/main.yml

# pgBackRest role — installs pgbackrest, renders the stanza config,
# wires the archive_command on the data nodes, and schedules the
# backup + drill timers.
#
# Apply ON the postgres data nodes (pgaf-primary, pgaf-replica).
# The monitor doesn't carry app data and doesn't need a stanza.
---
- name: Sanity check — secrets must not be placeholder
  ansible.builtin.assert:
    that:
      - "'CHANGEME-PGBR' not in pgbackrest_repo_s3_key"
      - "'CHANGEME-PGBR' not in pgbackrest_repo_s3_key_secret"
      - "'CHANGEME-PGBR' not in pgbackrest_repo_cipher_pass"
    fail_msg: >
      pgbackrest_repo_s3_key / _secret / cipher_pass still contain
      the CHANGEME placeholder. Provide a vault file
      group_vars/postgres_ha.vault.yml with vault_pgbackrest_s3_key,
      vault_pgbackrest_s3_key_secret, vault_pgbackrest_cipher_pass
      before applying. The role refuses to install with placeholders
      to prevent a live rollout pointing at the wrong S3 keys.      
  tags: [pgbackrest, secrets]

- name: Install pgBackRest
  ansible.builtin.apt:
    name: pgbackrest
    state: present
    update_cache: true
    cache_valid_time: 3600
  tags: [pgbackrest, packages]

- name: Ensure /etc/pgbackrest exists
  ansible.builtin.file:
    path: /etc/pgbackrest
    state: directory
    owner: postgres
    group: postgres
    mode: "0750"
  tags: [pgbackrest, config]

- name: Render pgbackrest.conf
  ansible.builtin.template:
    src: pgbackrest.conf.j2
    dest: /etc/pgbackrest/pgbackrest.conf
    owner: postgres
    group: postgres
    mode: "0600"
  tags: [pgbackrest, config]

- name: Configure archive_command on the postgres instance
  become: true
  become_user: postgres
  ansible.builtin.shell:
    cmd: |
      psql -h /var/run/postgresql -p {{ pg_auto_failover_node_port | default(5432) }} -U postgres -d postgres <<SQL
        ALTER SYSTEM SET archive_mode = 'on';
        ALTER SYSTEM SET archive_command = 'pgbackrest --stanza={{ pgbackrest_stanza }} archive-push %p';
        ALTER SYSTEM SET archive_timeout = '60';
        SELECT pg_reload_conf();
      SQL      
  args:
    executable: /bin/bash
  changed_when: false
  tags: [pgbackrest, postgres]

- name: Detect pg_auto_failover role at runtime (primary vs secondary)
  become: true
  become_user: postgres
  ansible.builtin.command:
    cmd: >
      /usr/lib/postgresql/{{ postgres_version }}/bin/pg_autoctl show state
      --pgdata {{ pg_auto_failover_state_dir | default('/var/lib/postgresql/' ~ postgres_version ~ '/pgaf') }}/postgres
      --json      
  register: pgaf_state
  changed_when: false
  failed_when: false
  tags: [pgbackrest, init]

- name: Set node-role fact from monitor state
  ansible.builtin.set_fact:
    pgaf_role_runtime: >-
      {{ (pgaf_state.stdout | from_json | json_query('[?name==''' ~ inventory_hostname ~ '''].current_state | [0]'))
         | default('unknown') }}      
  when: pgaf_state.rc == 0 and pgaf_state.stdout | length > 0
  failed_when: false
  tags: [pgbackrest, init]

- name: Stanza-create (only from the primary — pgbackrest takes a repo-wide lock)
  become: true
  become_user: postgres
  ansible.builtin.command:
    cmd: pgbackrest --stanza={{ pgbackrest_stanza }} --log-level-console=info stanza-create
  register: stanza_create
  changed_when: "'stanza already exists' not in (stanza_create.stdout | default(''))"
  failed_when:
    - stanza_create.rc | default(0) != 0
    - "'stanza already exists' not in (stanza_create.stdout | default(''))"
  when: (pgaf_role_runtime | default('unknown')) == 'primary'
  tags: [pgbackrest, init]

- name: Render systemd timer + service for full / diff / drill
  ansible.builtin.template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    owner: root
    group: root
    mode: "0644"
  loop:
    - { src: pgbackrest-full.service.j2,   dest: /etc/systemd/system/pgbackrest-full.service }
    - { src: pgbackrest-full.timer.j2,     dest: /etc/systemd/system/pgbackrest-full.timer }
    - { src: pgbackrest-diff.service.j2,   dest: /etc/systemd/system/pgbackrest-diff.service }
    - { src: pgbackrest-diff.timer.j2,     dest: /etc/systemd/system/pgbackrest-diff.timer }
    - { src: pgbackrest-drill.service.j2,  dest: /etc/systemd/system/pgbackrest-drill.service }
    - { src: pgbackrest-drill.timer.j2,    dest: /etc/systemd/system/pgbackrest-drill.timer }
  notify: Reload systemd
  tags: [pgbackrest, schedule]

- name: Enable + start backup timers on all data nodes
  ansible.builtin.systemd:
    name: "{{ item }}"
    state: started
    enabled: true
    daemon_reload: true
  loop:
    - pgbackrest-full.timer
    - pgbackrest-diff.timer
  # Enabled on every data node — pgbackrest itself takes a
  # repository-wide lock on backup start, so the two nodes can't
  # both run a full backup concurrently. The randomized delay (300s)
  # in the timer cushions clock skew. After failover, the new
  # primary picks up the schedule on the next interval; no manual
  # reconfiguration needed.
  tags: [pgbackrest, schedule]