@jchancojr jchancojr commented Oct 29, 2025

What kind of change does this PR introduce?

Feature - pgBackRest backup solution

What is the current behavior?

pgBackRest tasks and configs are absent

What is the new behavior?

pgBackRest tasks and configs are present

Additional context

NA

Summary by CodeRabbit

  • New Features

    • Adds pgBackRest support with configurable global and repository settings (S3 storage, retention, encryption, compression, performance and logging). Some async/archive options remain as commented placeholders.
  • Chores / Install

    • Adds automated install and setup: package install, user/group and sudoers provisioning, directory creation, config placement and a safe wrapper for invoking pgBackRest.
    • Updates packaged PostgreSQL release references.


@jchancojr jchancojr self-assigned this Oct 29, 2025
@jchancojr jchancojr added the enhancement New feature or request label Oct 29, 2025
* origin/PSQL-773:
  fix(setup-pgbackrest.yml): errant indentation fix
  fix(setup-pgbackrest.yml): fix file module
  fix(setup-pgbackrest.yml): update nix install path
  feat(ansible): add pgBackRest tasks and configurations
jchancojr and others added 6 commits October 30, 2025 10:57
The pgbackrest wrapper script now sanitizes arguments passed to it.
This change removes potentially sensitive or command-injection-vulnerable arguments such as `--cmd`, `--repo-host-cmd`, and `--config` before executing the pgbackrest command. This enhances security by preventing accidental exposure of sensitive information.
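
The argument filtering described in the commit message above, as an added example that is not the wrapper script from this pull request: a POSIX sh function that drops `--cmd`, `--repo-host-cmd` and `--config` in both the `--opt=value` and the separate-value `--opt value` spellings. The function and helper names are hypothetical, and treating the separate-value spelling as something to filter is an assumption.

```shell
#!/bin/sh
# Added example: hypothetical sanitizer, not the wrapper from this PR.
# Denied options are the three named in the commit message.

# run_filtered RUNNER ARGS...
# Rebuilds the argument list without the denied options, then runs RUNNER
# with what is left. Arguments are never re-split or eval'd, so spaces and
# shell metacharacters inside a value stay inert.
run_filtered() {
    runner=$1
    shift
    skip_next=0
    for arg do
        shift                          # pop the argument being examined
        if [ "$skip_next" -eq 1 ]; then
            skip_next=0                # value of a denied "--opt value" pair
            continue
        fi
        case $arg in
            --cmd=*|--repo-host-cmd=*|--config=*)
                continue ;;            # "--opt=value" form
            --cmd|--repo-host-cmd|--config)
                skip_next=1            # "--opt value" form: drop the value too
                continue ;;
        esac
        set -- "$@" "$arg"             # keep: append to the rebuilt list
    done
    "$runner" "$@"
}

# Stand-in for the real binary so the example runs anywhere.
print_args() {
    for a do printf '[%s]' "$a"; done
    printf '\n'
}

# Constructed invocation mixing both spellings of the denied options.
run_filtered print_args --stanza=supabase --config=/tmp/other.conf \
    --cmd /tmp/helper --repo-host-cmd=/tmp/helper 'backup --type=full'
```

Only the exact option names listed in the `case` patterns are dropped; every other argument reaches the runner unchanged.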
jchancojr and others added 5 commits November 14, 2025 11:13
@jchancojr jchancojr requested a review from hunleyd November 14, 2025 17:11
@hunleyd hunleyd self-requested a review November 14, 2025 18:12
coderabbitai bot commented Dec 18, 2025

Walkthrough

Adds pgBackRest configuration and installation: new config files, an Ansible playbook task to import setup tasks, a setup task sequence that creates user/group, updates sudoers, installs binaries via Nix (optional), provisions directories and configs, symlinks main config, and installs a wrapper script.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Configuration files: ansible/files/pgbackrest_config/computed_globals.conf, ansible/files/pgbackrest_config/pgbackrest.conf, ansible/files/pgbackrest_config/repo1.conf, ansible/files/pgbackrest_config/repo1_async.conf, ansible/files/pgbackrest_config/repo1_encrypted.conf | Added five pgBackRest config files: commented global defaults; main pgbackrest.conf with global/archive/log/performance settings and [supabase] DB section; repo1.conf with repo/S3/retention options; repo1_async.conf with commented async placeholder; repo1_encrypted.conf with cipher-type and pass placeholder. |
| Playbook integration: ansible/playbook.yml | Inserted "Install pgBackRest" import to run tasks/setup-pgbackrest.yml when debpkg_mode or nixpkg_mode or stage2_nix; positioned between WAL-G and Gotrue tasks. |
| Setup tasks & scripts: ansible/tasks/setup-pgbackrest.yml | New task sequence: create pgbackrest group/user (conditional), update sudoers (with visudo validation), install via Nix (stage2_nix), create directories and set ownership/permissions, deploy configs to /etc/pgbackrest, create /etc/pgbackrest.conf symlink, and add /usr/bin/pgbackrest wrapper that sanitizes args and execs the real binary. |
| Variables: ansible/vars.yml | Bumped PostgreSQL release version strings: postgresorioledb-17, postgres17, and postgres15 updated to new patch versions. |

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant Playbook as Ansible Playbook
    participant Tasks as setup-pgbackrest.yml
    participant Host as Host/System
    participant Nix as Nix/Profile
    participant Sudo as sudoers
    participant FS as Filesystem
    participant Binary as pgbackrest binary

    Playbook->>Tasks: import/setup when debpkg_mode or nixpkg_mode or stage2_nix
    Tasks->>Host: create group `pgbackrest` (conditional)
    Tasks->>Host: create user `pgbackrest` (conditional)
    Tasks->>Sudo: add sudoers entries and visudo validate
    Tasks->>Nix: install pgbackrest (stage2_nix)
    Nix-->>Host: place binaries
    Tasks->>FS: create directories and set ownership (/var/lib/pgbackrest, /etc/pgbackrest)
    Tasks->>FS: deploy config files to /etc/pgbackrest
    Tasks->>FS: symlink /etc/pgbackrest.conf -> /etc/pgbackrest/pgbackrest.conf
    Tasks->>FS: install wrapper /usr/bin/pgbackrest
    FS->>Binary: wrapper sanitizes args and execs binary as `pgbackrest` user

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • samrose
  • Crispy1975

Poem

🐰
I hopped through configs, calm and bright,
Laid symlinks, sudo lines, and scripts by night,
A wrapper hums to guard each run,
Directories set, the task is done,
Rabbit nods — backups take flight.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The pull request title accurately summarizes the main change: adding pgBackRest tasks and configurations to the Ansible setup. |
| Description check | ✅ Passed | The description provides the basic required information (what kind of change, current behavior, new behavior) but lacks detail and contains a typo; however, it covers the essential template sections. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

📜 Review details

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between dfbdf86 and 478e19f.

📒 Files selected for processing (7)
  • ansible/files/pgbackrest_config/computed_globals.conf (1 hunks)
  • ansible/files/pgbackrest_config/pgbackrest.conf (1 hunks)
  • ansible/files/pgbackrest_config/repo1.conf (1 hunks)
  • ansible/files/pgbackrest_config/repo1_async.conf (1 hunks)
  • ansible/files/pgbackrest_config/repo1_encrypted.conf (1 hunks)
  • ansible/playbook.yml (1 hunks)
  • ansible/tasks/setup-pgbackrest.yml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: nix-eval / eval
🔇 Additional comments (10)
ansible/files/pgbackrest_config/repo1_async.conf (1)

1-2: LGTM - placeholder configuration.

This placeholder configuration for async archiving is well-structured and ready for future activation when needed.

ansible/files/pgbackrest_config/computed_globals.conf (1)

1-8: LGTM - placeholder defaults documented.

These commented placeholder defaults provide clear documentation for future tuning of process parallelism across different pgBackRest operations.

ansible/files/pgbackrest_config/pgbackrest.conf (1)

1-18: Configuration looks solid.

The pgBackRest global settings are well-chosen:

  • zst compression provides good balance of speed and ratio
  • start-fast = y ensures quick archiving
  • Connection details are appropriate

Note that resume = n (line 12) means interrupted backups will restart from scratch rather than resuming. This is a conservative choice that may be appropriate for your use case.

ansible/playbook.yml (1)

43-48: LGTM - appropriate task placement.

The pgBackRest installation task is logically positioned after WAL-G and uses consistent conditional patterns with the rest of the playbook.

ansible/files/pgbackrest_config/repo1.conf (1)

1-14: Verify WAL archive retention strategy.

Line 8 sets repo1-retention-history = 0, which means pgBackRest will not retain any WAL archives. This prevents point-in-time recovery (PITR) between backups.

If PITR capability is required, consider setting this to a positive value. If WAL archiving is handled separately (e.g., via archive_command), ensure that strategy is documented and coordinated with these backup retention settings.

ansible/tasks/setup-pgbackrest.yml (4)

1-18: LGTM - secure user configuration.

The pgBackRest user is properly configured as a system user with /sbin/nologin shell, which follows security best practices for service accounts.


35-42: LGTM - installation approach is sound.

Installing pgBackRest via Nix with a specific commit SHA ensures reproducible builds and version consistency.


44-59: LGTM - appropriate directory structure.

The directory permissions (0770 with pgbackrest:postgres ownership) correctly allow both the pgBackRest daemon and PostgreSQL processes to access necessary files while restricting access from other users.


61-66: Symlink direction is backwards; reverse it to follow pgBackRest's expected hierarchy.

The code creates a symlink at /etc/pgbackrest/pgbackrest.conf pointing to /etc/pgbackrest.conf. Since pgBackRest looks for configuration first at /etc/pgbackrest/pgbackrest.conf and falls back to /etc/pgbackrest.conf if the primary location doesn't exist, the symlink should point in the opposite direction: the main config file should be at /etc/pgbackrest/pgbackrest.conf with an optional symlink from the legacy location for backward compatibility.

Likely an incorrect or invalid review comment.

ansible/files/pgbackrest_config/repo1_encrypted.conf (1)

1-3: Remove this comment.

pgBackRest supports only two cipher types: none (no encryption) and aes-256-cbc. aes-256-cbc is recommended in the official pgBackRest documentation. No alternative or newer cipher types exist across different pgBackRest versions.

Likely an incorrect or invalid review comment.

@hunleyd hunleyd self-requested a review December 18, 2025 14:59
@hunleyd hunleyd self-requested a review January 20, 2026 15:16
@jchancojr
Contributor Author

test-postgres-engines-with-smoke.sh

============================================================
Test Summary
============================================================

ENGINE          RESULT
------          ------
15              PASSED (375s)
17              PASSED (352s)
17-oriole       PASSED (367s)

============================================================
Total: 3 | Passed: 3 | Failed: 0
============================================================

[INFO] Postgres commit: add0a0f372300387e01d5652e45d077143861a83

@hunleyd hunleyd self-requested a review January 22, 2026 17:54
@jchancojr jchancojr enabled auto-merge January 22, 2026 17:54
@jchancojr jchancojr disabled auto-merge January 22, 2026 20:25
@jchancojr jchancojr added this pull request to the merge queue Jan 23, 2026
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to no response for status checks Jan 23, 2026
@hunleyd hunleyd added this pull request to the merge queue Jan 23, 2026
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to no response for status checks Jan 23, 2026
@hunleyd hunleyd enabled auto-merge January 23, 2026 17:15