From 87e8ec2ed4230c20b04a130cb3e886492c5e3245 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" <dustin@hatch.name>
Date: Tue, 23 May 2023 09:42:54 -0500
Subject: [PATCH] synapse: Back up data using BURP

Most of the Synapse server's state is in its SQLite database.  It also
has a `media_store` directory that needs to be backed up, though.

In order to back up the SQLite database while the server is running, the
database must be in "WAL mode."  By default, Synapse leaves the database
in the default "rollback journal mode," which disallows multiple
processes from accessing the database, even for read-only operations.
To change the journal mode:

```sh
sudo systemctl stop synapse
sudo -u synapse sqlite3 /var/lib/synapse/homeserver.db 'PRAGMA journal_mode=WAL;'
sudo systemctl start synapse
```
---
 group_vars/synapse/main.yml                               | 8 ++++++++
 hosts                                                     | 1 +
 .../files/scripts/matrix0.pyrocufflink.blue/backup-pre.sh | 4 ++++
 .../scripts/matrix0.pyrocufflink.blue/restore-post.sh     | 3 +++
 vault/burp/matrix0.pyrocufflink.blue                      | 8 ++++++++
 5 files changed, 24 insertions(+)
 create mode 100644 roles/burp-client/files/scripts/matrix0.pyrocufflink.blue/backup-pre.sh
 create mode 100644 roles/burp-client/files/scripts/matrix0.pyrocufflink.blue/restore-post.sh
 create mode 100644 vault/burp/matrix0.pyrocufflink.blue

diff --git a/group_vars/synapse/main.yml b/group_vars/synapse/main.yml
index fd6879d..a07b0da 100644
--- a/group_vars/synapse/main.yml
+++ b/group_vars/synapse/main.yml
@@ -7,3 +7,11 @@ synapse_ldap_bind_dn: CN=svc.synapse,CN=Users,DC=pyrocufflink,DC=blue
 synapse_ldap_bind_password: '{{ vault_synapse_ldap_bind_password }}'
 matrix_tls_cert: websites/hatch.chat.cer
 matrix_tls_key: websites/hatch.chat.key
+
+burp_backup_script_pre: /etc/burp/backup-pre.sh
+burp_restore_script_post: /etc/burp/restore-post.sh
+burp_backup:
+- include: /var/lib/synapse
+- exclude: /var/lib/synapse/homeserver.db
+- exclude: /var/lib/synapse/homeserver.db-shm
+- exclude: /var/lib/synapse/homeserver.db-wal
diff --git a/hosts b/hosts
index ca6abba..c5d5423 100644
--- a/hosts
+++ b/hosts
@@ -19,6 +19,7 @@ cloud0.pyrocufflink.blue
 file0.pyrocufflink.blue
 hass2.pyrocufflink.blue
 git0.pyrocufflink.blue
+matrix0.pyrocufflink.blue
 
 [burp-server]
 burp1.pyrocufflink.blue
diff --git a/roles/burp-client/files/scripts/matrix0.pyrocufflink.blue/backup-pre.sh b/roles/burp-client/files/scripts/matrix0.pyrocufflink.blue/backup-pre.sh
new file mode 100644
index 0000000..abe5928
--- /dev/null
+++ b/roles/burp-client/files/scripts/matrix0.pyrocufflink.blue/backup-pre.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+sqlite3 /var/lib/synapse/homeserver.db \
+    ".backup '/var/lib/synapse/homeserver.db.bak'"
diff --git a/roles/burp-client/files/scripts/matrix0.pyrocufflink.blue/restore-post.sh b/roles/burp-client/files/scripts/matrix0.pyrocufflink.blue/restore-post.sh
new file mode 100644
index 0000000..667a44d
--- /dev/null
+++ b/roles/burp-client/files/scripts/matrix0.pyrocufflink.blue/restore-post.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+mv /var/lib/synapse/homeserver.db.bak /var/lib/synapse/homeserver.db
diff --git a/vault/burp/matrix0.pyrocufflink.blue b/vault/burp/matrix0.pyrocufflink.blue
new file mode 100644
index 0000000..8095fe7
--- /dev/null
+++ b/vault/burp/matrix0.pyrocufflink.blue
@@ -0,0 +1,8 @@
+$ANSIBLE_VAULT;1.1;AES256
+31616232336335636664393531396632643439396464393764626139303534353761313466613933
+6164313339336634346533313166313565373739646535320a306438316238633437653732646566
+38666262363532646337356239633234336532306539303764363561303438336230306333666264
+6431376631626565330a666166393966383963313262646465613063376236653035323361663737
+61653732663436303735396531653630343366376638316439306265386431353636373762656339
+34373738353536656132356339376432616564316361663430356332663332626661663231663465
+653064363166616232316435366534366630