Version 0.1.0 release

@@ -13,6 +13,14 @@ driver:
 provisioner:
 provisioner:
   name: chef_zero
   name: chef_zero
 
 
+platforms:
+  - name: ubuntu-14.04
+    driver:
+      image_id: ami-xxx
+    transport:
+      username: ubuntu
+      ssh_key: ~/.ssh/xxx.pem
+
 suites:
 suites:
   - name: default
   - name: default
     run_list:
     run_list:

@@ -4,7 +4,7 @@ Just a wrapper around [`mongodb3`](https://supermarket.chef.io/cookbooks/mongodb
 
 
 ## Supported Platforms
 ## Supported Platforms
 
 
-The cookbook `mongodb3` supports the most common Linux distros.
+The cookbook `mongodb3` supports the most common Linux distros, but this cookbook has some constants that might be Ubuntu-specific only.
 
 
 ## Attributes
 ## Attributes
 
 
@@ -16,10 +16,76 @@ The cookbook `mongodb3` supports the most common Linux distros.
     <th>Default</th>
     <th>Default</th>
   </tr>
   </tr>
   <tr>
   <tr>
-    <td><tt>['cfe-mongodb']['']</tt></td>
-    <td>Boolean</td>
-    <td>Desctd>
-    <td><tt>True</tt></td>
+    <td><tt>['cfe-mongodb']['local_ipv4']</tt></td>
+    <td>String</td>
+    <td>The local IP where mongod should be listening. Should be at least a member of the mongod bind IPs. (The node's IP in a replication set.)<td>
+    <td><tt>'127.0.0.1'</tt></td>
+  </tr>
+  <tr>
+    <td><tt>['cfe-mongodb']['s3_region']</tt></td>
+    <td>String</td>
+    <td>S3 region if using the backup script.<td>
+    <td><tt>'us-east-1'</tt></td>
+  </tr>
+  <tr>
+    <td><tt>['cfe-mongodb']['s3_bucket']</tt></td>
+    <td>String</td>
+    <td>S3 bucket if using the backup script<td>
+    <td><tt>'test-bucket'</tt></td>
+  </tr>
+  <tr>
+    <td><tt>['cfe-mongodb']['db']['map']</tt></td>
+    <td>Hash/Array</td>
+    <td>Details of every database to set up, including users and passwords, etc. Please refer to the default attributes file.<td>
+    <td><tt>{}</tt></td>
+  </tr>
+  <tr>
+    <td><tt>['cfe-mongodb']['db']['pass_root']</tt></td>
+    <td>String</td>
+    <td>The mongodb password for user 'root'<td>
+    <td><tt>'secret'</tt></td>
+  </tr>
+  <tr>
+    <td><tt>['cfe-mongodb']['db']['pass_backup']</tt></td>
+    <td>String</td>
+    <td>The mongodb password for user 'backup', used for performing mongodumps during the backup script operation.<td>
+    <td><tt>'secret'</tt></td>
+  </tr>
+  <tr>
+    <td><tt>['cfe-mongodb']['rs']['key']</tt></td>
+    <td>String</td>
+    <td>Contents of replication key.<td>
+    <td><tt>'xxxx'</tt></td>
+  </tr>
+  <tr>
+    <td><tt>['cfe-mongodb']['rs']['nodes']['primary']</tt></td>
+    <td>String</td>
+    <td>The primary mongodb node during initial Chef run, e.g. '10.0.0.1:27017'.<td>
+    <td><tt>''</tt></td>
+  </tr>
+  <tr>
+    <td><tt>['cfe-mongodb']['rs']['nodes']['secondary']</tt></td>
+    <td>Array</td>
+    <td>Array of secondary mongodb nodes during initial Chef run, e.g. ['10.0.0.2:27017', '10.0.0.3:27017'].<td>
+    <td><tt>[]</tt></td>
+  </tr>
+  <tr>
+    <td><tt>['cfe-mongodb']['rs']['nodes']['arbiter']</tt></td>
+    <td>Array</td>
+    <td>Array of arbiter mongodb nodes during initial Chef run, e.g. ['10.0.0.4:27017'].<td>
+    <td><tt>[]</tt></td>
+  </tr>
+  <tr>
+    <td><tt>['cfe-mongodb']['install']['bak_sched']</tt></td>
+    <td>String</td>
+    <td>Crontab schedule for running the backup script.<td>
+    <td><tt>'0 7 * * *'</tt></td>
+  </tr>
+  <tr>
+    <td><tt>['cfe-mongodb']['encrypt']['pub_key']</tt></td>
+    <td>String</td>
+    <td>Encryption public key if at least one of the databases specified in the DB map is to be encrypted when it is automatically backed up.<td>
+    <td><tt>nil</tt></td>
   </tr>
   </tr>
 </table>
 </table>
 
 
@@ -37,6 +103,19 @@ After setting proper node attributes, include `cfe-mongodb` in your node's `run_
 }
 }
 ```
 ```
 
 
+### cfe-mongodb::backup2s3
+
+Sets up an automated backup script that uploads DB backups into an S3 bucket:
+
+```json
+{
+  "run_list": [
+    "recipe[cfe-mongodb::default]",
+    "recipe[cfe-mongodb::backup2s3]"
+  ]
+}
+```
+
 ## License and Authors
 ## License and Authors
 
 
 Author:: Earth U. (<sysadmin @ chromedia.com>)
 Author:: Earth U. (<sysadmin @ chromedia.com>)

@@ -17,3 +17,76 @@
 # See the License for the specific language governing permissions and
 # See the License for the specific language governing permissions and
 # limitations under the License.
 # limitations under the License.
 #
 #
+
+default['cfe-mongodb']['local_ipv4'] = '127.0.0.1'
+
+default['cfe-mongodb']['s3_region'] = 'us-east-1'
+default['cfe-mongodb']['s3_bucket'] = 'test-bucket'
+
+default['cfe-mongodb']['db']['map'] = {
+  # The db_map format is:
+  # 'example_db_name' => {
+  #   :db_user => '<name_of_custom_user>',
+  #   :db_pass => '<name_of_custom_pass>',
+  #
+  # Optional:
+  #   :db_auth       => '<name_of_authentication_db>' # default is db_name
+  #   :backup        => # default: true
+  #   :bak_encrypted => # default: false
+  #   :bak_filename  => # default is db_name
+  #   :bak_maxcopies => # default: 30
+  # }
+}
+default['cfe-mongodb']['db']['pass_root']   = 'secret'
+default['cfe-mongodb']['db']['pass_backup'] = 'secret'
+
+# Create custom key contents with:
+#   $ openssl rand -base64 756
+default['cfe-mongodb']['rs']['key']   = 'supersecretkeyxxx'
+default['cfe-mongodb']['rs']['delay'] = 2
+# Note: the following attributes for primary/secondary/arbiter
+# should all include the port number (e.g. '1.2.3.4:27017')
+default['cfe-mongodb']['rs']['nodes']['primary']   = ''
+default['cfe-mongodb']['rs']['nodes']['secondary'] = []
+default['cfe-mongodb']['rs']['nodes']['arbiter']   = []
+
+default['cfe-mongodb']['install']['priv_dir']    = '/opt/mongodb/priv'
+default['cfe-mongodb']['install']['bak_log_dir'] = '/var/log/mongodb_backup2s3'
+default['cfe-mongodb']['install']['bak_sched']   = '0 7 * * *'
+
+default['cfe-mongodb']['encrypt']['priv_key'] = nil
+default['cfe-mongodb']['encrypt']['pub_key']  = nil
+
+## Constant logrotate options if automated backups are used
+
+default['cfe-mongodb']['logrotate']['conf_dir'] = '/etc/logrotate.d'
+default['cfe-mongodb']['logrotate']['options'] = %w{
+  weekly
+  rotate\ 12
+  missingok
+  compress
+  notifempty
+}
+
+## Constant location of binaries (at least for Ubuntu 14.04)
+
+default['cfe-mongodb']['bin']['aws']       = '/usr/local/bin/aws'
+default['cfe-mongodb']['bin']['mongo']     = '/usr/bin/mongo'
+default['cfe-mongodb']['bin']['mongodump'] = '/usr/bin/mongodump'
+default['cfe-mongodb']['bin']['openssl']   = '/usr/bin/openssl'
+
+## mongodb3 attributes
+
+default['mongodb3']['version'] = '3.2.8'
+
+default['mongodb3']['mongod']['disable-transparent-hugepages'] = true
+
+default['mongodb3']['config']['mongod']['net']['port']   = 27017
+default['mongodb3']['config']['mongod']['net']['bindIp'] = '127.0.0.1'
+
+default['mongodb3']['config']['mongod']['security']['authorization'] = 'enabled'
+default['mongodb3']['config']['mongod']['security']['keyFile'] =
+  "#{node['cfe-mongodb']['install']['priv_dir']}/mongod.rs.key"
+
+default['mongodb3']['config']['mongod']['replication']['replSetName'] = 'test'
+default['mongodb3']['config']['mongod']['replication']['oplogSizeMB'] = '1024'

@@ -5,3 +5,10 @@ license          'Apache License'
 description      'Simplifies setup of staging MongoDB servers'
 description      'Simplifies setup of staging MongoDB servers'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
 version          '0.1.0'
 version          '0.1.0'
+
+depends 'mongodb3', '~> 5.3.0'
+depends 'awscli', '~> 1.0.1'
+depends 'openssl', '~> 4.4.0'
+depends 'cron', '~> 1.7.4'
+
+supports 'ubuntu', '14.04'

+#
+# Author:: Earth U (<sysadmin @ chromedia.com>)
+# Cookbook Name:: cfe-mongodb
+# Recipe:: backup2s3
+#
+# Copyright (C) 2016, Chromedia Far East, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+package 'gzip'
+package 'logrotate'
+include_recipe 'openssl::upgrade'
+include_recipe 'awscli'
+
+pub_key = "#{node[cookbook_name]['install']['priv_dir']}/pub.key"
+bscript = "#{node[cookbook_name]['install']['priv_dir']}/mongodb_backup2s3"
+
+ip = (node['mongodb3']['config']['mongod']['net']['bindIp'].split(','))[-1]
+
+directory(node[cookbook_name]['install']['bak_log_dir']) { recursive true }
+
+is_any_enc = node[cookbook_name]['db']['map'].any? do |x|
+  if x.is_a?(Array)
+    x = x[1]
+  end
+  do_backup = x.has_key?(:backup) ? x[:backup] : true
+  do_backup ? x[:bak_encrypted] : false
+end
+if !node[cookbook_name]['encrypt']['pub_key'] && is_any_enc
+  Chef::Application.fatal!('No encryption public key contents supplied')
+end
+
+file pub_key do
+  content   node[cookbook_name]['encrypt']['pub_key']
+  mode      0600
+  owner     'root'
+  group     'root'
+  sensitive true
+  only_if   { is_any_enc }
+end
+
+template bscript do
+  mode      0700
+  owner     'root'
+  group     'root'
+  sensitive true
+  variables(
+    :bin_aws       => node[cookbook_name]['bin']['aws'],
+    :bin_mongo     => node[cookbook_name]['bin']['mongo'],
+    :bin_mongodump => node[cookbook_name]['bin']['mongodump'],
+    :bin_openssl   => node[cookbook_name]['bin']['openssl'],
+
+    :db_host => ip,
+    :db_port => node['mongodb3']['config']['mongod']['net']['port'],
+    :db_map  => node[cookbook_name]['db']['map'],
+
+    :backup_user => 'backup',
+    :backup_pass => node[cookbook_name]['db']['pass_backup'],
+    :backup_auth => 'admin',
+
+    :s3_region => node[cookbook_name]['s3_region'],
+    :s3_bucket => node[cookbook_name]['s3_bucket'],
+
+    :pub_key => pub_key
+  )
+end
+
+sched = node[cookbook_name]['install']['bak_sched'].split(' ')
+cron_d 'mongodb_backup2s3' do
+  command "bash #{bscript} >> #{node[cookbook_name]['install']['bak_log_dir']}"\
+          '/mongodb_backup2s3.log 2>&1'
+  minute  sched[0]
+  hour    sched[1]
+  day     sched[2]
+  month   sched[3]
+  weekday sched[4]
+  mailto  "''"
+  path    '/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin'
+end
+
+template "#{node[cookbook_name]['logrotate']['conf_dir']}/mongodb_backup2s3" do
+  source 'logrotate.erb'
+  variables(
+    :log_dir => node[cookbook_name]['install']['bak_log_dir'],
+    :opts    => node[cookbook_name]['logrotate']['options']
+  )
+end

@@ -17,3 +17,6 @@
 # See the License for the specific language governing permissions and
 # See the License for the specific language governing permissions and
 # limitations under the License.
 # limitations under the License.
 #
 #
+
+include_recipe 'mongodb3'
+include_recipe "#{cookbook_name}::replicate"

+#
+# Author:: Earth U (<sysadmin @ chromedia.com>)
+# Cookbook Name:: cfe-mongodb
+# Recipe:: replicate
+#
+# Copyright (C) 2016, Chromedia Far East, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+directory(node[cookbook_name]['install']['priv_dir']) { recursive true }
+
+file node['mongodb3']['config']['mongod']['security']['keyFile'] do
+  content   node[cookbook_name]['rs']['key']
+  owner     node['mongodb3']['user']
+  group     node['mongodb3']['group']
+  mode      0400
+  sensitive true
+  notifies  :restart, 'service[mongod]', :immediately
+  notifies  :reboot_now, 'reboot[reboot_before_replication]', :immediately
+  only_if   { node[cookbook_name]['rs']['key'] }
+end
+
+reboot 'reboot_before_replication' do
+  action :nothing
+  reason 'Node needs to restart before initiating MongoDB replication'
+end
+
+server = "#{node[cookbook_name]['local_ipv4']}"\
+         ":#{node['mongodb3']['config']['mongod']['net']['port']}"
+if node['cfe-mongodb']['rs']['nodes']['primary'] == server
+  include_recipe "#{cookbook_name}::replicate_pri_init"
+  include_recipe "#{cookbook_name}::replicate_pri_addnodes"
+end

+#
+# Author:: Earth U (<sysadmin @ chromedia.com>)
+# Cookbook Name:: cfe-mongodb
+# Recipe:: replicate_pri_addnodes
+#
+# Copyright (C) 2016, Chromedia Far East, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+mongod = node['mongodb3']['config']['mongod']
+ip     = (mongod['net']['bindIp'].split(','))[-1]
+port   = mongod['net']['port']
+
+com = "sleep #{node[cookbook_name]['rs']['delay']} "\
+      "&& mongo --host #{ip} --port #{port} "\
+      "-u root -p #{node[cookbook_name]['db']['pass_root']} "\
+      "--authenticationDatabase admin --eval 'rs.add<<1>>(\"<<2>>\")' "\
+      ">> #{::File.dirname(mongod['systemLog']['path'])}/primary_addnodes"
+
+node[cookbook_name]['rs']['nodes']['secondary'].each do |sec|
+  execute com.sub('<<1>>', '').sub('<<2>>', sec)
+end
+
+node[cookbook_name]['rs']['nodes']['arbiter'].each do |arb|
+  execute com.sub('<<1>>', 'Arb').sub('<<2>>', arb)
+end

+#
+# Author:: Earth U (<sysadmin @ chromedia.com>)
+# Cookbook Name:: cfe-mongodb
+# Recipe:: replicate_pri_init
+#
+# Copyright (C) 2016, Chromedia Far East, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# NOTE:
+# The recipe cfe-mongodb::replicate must be run before this
+#   in order to restart the node beforehand.
+# Otherwise, manually restart the node first because that seems to
+#   be the only way for an automated rs.initiate() to proceed.
+#   Doing it immediately after mongodb install does not work,
+#   nor does implementing delay, or even restarting the mongod service.
+
+# NOTE:
+# It is recommended that this cookbook be run on secondary and
+#   arbiter nodes first, before finally running it on the primary node.
+
+log  = node['mongodb3']['config']['mongod']['systemLog']
+port = node['mongodb3']['config']['mongod']['net']['port']
+
+boot_mark    = "#{::File.dirname(log['path'])}/primary_init_mark"
+boot_log     = "#{::File.dirname(log['path'])}/primary_init"
+is_logrename = log['logRotate'] == 'rename'
+
+boot_script = "#{Chef::Config[:file_cache_path]}/mongodb_pri_bootstrap.js"
+
+template boot_script do
+  sensitive true
+  variables(
+    :db_map         => node[cookbook_name]['db']['map'],
+    :db_pass_root   => node[cookbook_name]['db']['pass_root'],
+    :db_pass_backup => node[cookbook_name]['db']['pass_backup'],
+    :is_logrename   => is_logrename
+  )
+end
+
+script 'mongodb_pri_bootstrap' do
+  interpreter 'bash'
+  not_if { ::File.exist?(boot_mark) }
+  code <<-CODE
+    set -e
+    mongo --host 127.0.0.1 --port #{port} --eval "rs.initiate()" >> #{boot_log}
+    sleep #{node[cookbook_name]['rs']['delay']}
+    mongo #{boot_script} --host 127.0.0.1 --port #{port} >> #{boot_log}
+    date > #{boot_mark}
+    CODE
+end
+
+file boot_script do
+  action :delete
+end

+<%= @log_dir %>/*.log {
+<% @opts.each do |opt| -%>
+  <%= opt %>
+<% end -%>
+}

+#!/bin/bash
+#
+# This file was generated by CHEF. Changes will be overwritten!
+
+# Backup script for MongoDB in AWS EC2 instances.
+#
+# If this mongod instance is primary, then backup the
+# designated database/s and upload it to S3. Encrypt first if needed.
+#
+# Depends on:
+#   MongoDB
+#   AWSCLI
+#   OpenSSL
+
+set -e
+
+suffix=.mongodb_backup2s3
+if [ -f /tmp/*"$suffix" ] ; then
+    ( >&2 echo "[ERROR] Another operation might still be in progress" )
+    exit 200
+fi
+tmp_file=$( mktemp --suffix "$suffix" )
+
+bin_aws=<%= @bin_aws %>
+bin_mongo=<%= @bin_mongo %>
+bin_mongodump=<%= @bin_mongodump %>
+bin_openssl=<%= @bin_openssl %>
+
+db_host=<%= @db_host %>
+db_port=<%= @db_port %>
+db_user='<%= @backup_user %>'
+db_pass='<%= @backup_pass %>'
+db_auth=<%= @backup_auth %>
+
+s3_bucket=<%= @s3_bucket %>
+s3_region=<%= @s3_region %>
+
+pub_key=<%= @pub_key %>
+<% bak_dir = "#{Chef::Config[:file_cache_path]}/mongodb_backup2s3" -%>
+bak_dir=<%= bak_dir %>
+
+# Perform the actual mongodump
+# Args:
+#   $1 = db name
+#   $2 = backup dump filename, e.g. 'mydb'
+export_db() {
+    echo "$(date) : Export database ${1} to ${bak_dir}."
+    rm -f "${bak_dir}/${2}.gz"
+
+    "$bin_mongodump" --host="${db_host}:${db_port}" \
+        -u "$db_user" -p "$db_pass" --authenticationDatabase="${db_auth}" \
+        --dumpDbUsersAndRoles --gzip -d "${1}" --archive="${bak_dir}/${1}.gz"
+}
+
+# Encrypt the backup file with OpenSSL
+# Args:
+#   $1 = compressed dump filename, e.g. 'mydb.gz'
+encrypt_backup() {
+    echo "$(date) : Encrypt file ${1}."
+    rm -f "${bak_dir}/${1}.enc"
+
+    "$bin_openssl" smime -encrypt -binary -text -aes256 \
+        -in "${bak_dir}/${1}" -out "${bak_dir}/${1}.enc" \
+        -outform DER "$pub_key"
+    rm "${bak_dir}/${1}"
+}
+
+# Rotate the current backups in S3
+# Args:
+#   $1 = backup dump filename, e.g. 'mydb'
+#   $2 = max number of backup files to store at a time
+rotate_backup() {
+    folder=$1
+    max=$2
+
+    # Backups will stored inside subfolders (prefixes)
+    # in S3, so only look at 'PRE' objects.
+    baks=$( "$bin_aws" --output text --region "$s3_region" \
+            s3 ls "s3://${s3_bucket}/" | grep '^\s*PRE' | \
+            sed -e 's/^ *PRE //' -e 's/\/$//' | \
+            grep "^${folder}" || echo "" )
+
+    echo "$(date) : Backup rotation for ${folder}."
+    start=$((max - 1))
+
+    for (( x=start ; x > 0 ; x-- )) ; do
+        if echo "$baks" | grep "^${folder}\\.${x}\$" ; then
+            newx=$((x + 1))
+            if [[ $newx -lt $max ]] ; then
+                "$bin_aws" --region "$s3_region" \
+                    s3 mv --recursive "s3://${s3_bucket}/${folder}.${x}" \
+                    "s3://${s3_bucket}/${folder}.${newx}"
+            else
+                "$bin_aws" --region "$s3_region" \
+                    s3 rm --recursive "s3://${s3_bucket}/${folder}.${x}"
+            fi
+        fi
+    done
+
+    if echo "$baks" | grep "^${folder}\$" ; then
+        if [[ $max -gt 1 ]] ; then
+            "$bin_aws" --region "$s3_region" \
+                s3 mv --recursive "s3://${s3_bucket}/${folder}" \
+                "s3://${s3_bucket}/${folder}.1"
+        else
+            "$bin_aws" --region "$s3_region" \
+                s3 rm --recursive "s3://${s3_bucket}/${folder}"
+        fi
+    fi
+}
+
+# Upload the compressed db backup file. It will be uploaded
+# to this example location: ${s3_bucket}/dump_filename/dump_filename.gz.enc
+#
+# A timestamp file will also be uploaded to this location:
+# ${s3_bucket}/dump_filename/YYYY-MM-DDThh:mm:ss.txt
+# Args:
+#   $1 = backup dump filename, e.g. 'mydb'
+#   $2 = if file is encrypted or not (boolean)
+upload_to_s3() {
+    keyname=$1
+    if [ "$2" = true ] ; then
+        fname="${keyname}.gz.enc"
+    else
+        fname="${keyname}.gz"
+    fi
+
+    echo "$(date) : Upload ${fname} to S3 bucket ${s3_bucket}."
+
+    stamp=$( date +"%FT%T" )
+    echo "Uploaded: ${stamp}" > "${bak_dir}/${stamp}.txt"
+
+    "$bin_aws" --region "$s3_region" \
+        s3 mv "${bak_dir}/${fname}" \
+        "s3://${s3_bucket}/${keyname}/${fname}"
+    "$bin_aws" --region "$s3_region" \
+        s3 mv "${bak_dir}/${stamp}.txt" \
+        "s3://${s3_bucket}/${keyname}/${stamp}.txt"
+}
+
+## Do the backup only if this node is the primary:
+if "$bin_mongo" --host="${db_host}:${db_port}" -u "$db_user" \
+                -p "$db_pass" --authenticationDatabase="${db_auth}" \
+                --eval 'db.isMaster()["ismaster"]' | grep -q true ; then
+
+    if [[ ! -d "$bak_dir" ]] ; then
+        mkdir -p "$bak_dir"
+    fi
+
+<% @db_map.each do |x| -%>
+<%
+    if x.is_a?(Array)
+      db_name = x[0]
+      x = x[1]
+    else
+      db_name = x[:db_name]
+    end
+
+    do_backup = x.has_key?(:backup) ? x[:backup] : true
+    is_enc = x.has_key?(:bak_encrypted) ? x[:bak_encrypted] : false
+    bak_filename = x[:bak_filename] || db_name
+    bak_maxcopies = x[:bak_maxcopies] || 30
+-%>
+<%   if do_backup -%>
+    # Database: <%= db_name %>
+    export_db <%= db_name %> <%= bak_filename %>
+<%     if is_enc -%>
+    encrypt_backup <%= bak_filename %>.gz
+<%     end -%>
+    rotate_backup <%= bak_filename %> <%= bak_maxcopies %>
+    upload_to_s3 <%= bak_filename %> <%= is_enc %>
+
+<%   end -%>
+<% end -%>
+    echo "$(date) : Done."
+fi
+
+rm "$tmp_file"

+var db_pass_root   = "<%= @db_pass_root %>";
+var db_pass_backup = "<%= @db_pass_backup %>";
+
+db = db.getSiblingDB("admin");
+db.createUser( { user: "root", pwd: db_pass_root, roles: [ "root", "__system" ] } );
+db.auth("root", db_pass_root);
+
+<% if @is_logrename -%>
+db.runCommand( { logRotate : 1 } );
+
+<% end -%>
+db.createUser( { user: "backup", pwd: db_pass_backup, roles: [ "backup" ] } );
+
+<% @db_map.each do |x| -%>
+<%
+    if x.is_a?(Array)
+      db_name = x[0]
+      x = x[1]
+    else
+      db_name = x[:db_name]
+    end
+
+    db_auth = x.has_key?(:db_auth) ? x[:db_auth] : db_name
+-%>
+db = db.getSiblingDB("<%= db_auth %>");
+db.createUser( { user: "<%= x[:db_user] %>", pwd: "<%= x[:db_pass] %>", roles: [ { role: "readWrite", db: "<%= db_name %>" }, { role: "dbAdmin", db: "<%= db_name %>" } ] } );
+
+<% end -%>