diff --git a/roles/borgbackup_client/defaults/main.yml b/roles/borgbackup_client/defaults/main.yml
new file mode 100644
index 0000000..28ba278
--- /dev/null
+++ b/roles/borgbackup_client/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+borg_keep_daily: 7
+borg_keep_weekly: 4
+borg_keep_monthly: 12
+...
diff --git a/roles/borgbackup_client/handlers/main.yml b/roles/borgbackup_client/handlers/main.yml
new file mode 100644
index 0000000..426cc4e
--- /dev/null
+++ b/roles/borgbackup_client/handlers/main.yml
@@ -0,0 +1,17 @@
+---
+- name: Run systemd daemon-reload
+ systemd:
+ daemon_reload: true
+
+- name: Start and enable borgmatic timer
+ systemd:
+ name: borgmatic.timer
+ state: started
+ enabled: true
+
+- name: Start and enable borgmatic service
+ systemd:
+ name: borgmatic.service
+ state: started
+ enabled: true
+...
diff --git a/roles/borgbackup_client/tasks/main.yml b/roles/borgbackup_client/tasks/main.yml
new file mode 100644
index 0000000..a337fee
--- /dev/null
+++ b/roles/borgbackup_client/tasks/main.yml
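Review bot: In handlers/main.yml, the handler "Start and enable borgmatic service" starts and enables borgmatic.service, yet the unit template added in this commit is `Type=oneshot`, begins with `ExecStartPre=sleep 1m` and has no `[Install]` section. Starting it from a handler therefore presumably runs a complete backup inside the play (after the one-minute sleep), and `enabled: true` has nothing to install. The timer is the unit that should be started and enabled; I would drop this handler together with its `- Start and enable borgmatic service` entry under `notify` in tasks/main.yml.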
@@ -0,0 +1,85 @@
+---
+- name: Pin borgmatic
+ template:
+ src: "apt/{{ item }}.j2"
+ dest: "/etc/apt/{{ item }}"
+ loop:
+ - sources.list.d/bullseye.list
+ - preferences.d/borgmatic-bullseye
+ when:
+ - ansible_distribution == "Debian"
+ - ansible_distribution_major_version | int <= 10
+ - ansible_distribution_release != "bullseye"
+
+- name: Don't pin borgmatic if we are on bullseye
+ file:
+ path: "/etc/apt/{{ item }}"
+ state: absent
+ loop:
+ - sources.list.d/bullseye.list
+ - preferences.d/borgmatic-bullseye
+ when:
+ - ansible_distribution == "Debian"
+ - ansible_distribution_release == "bullseye"
+
+- name: Install borgmatic
+ apt:
+ name: borgmatic
+ register: apt_result
+ retries: 3
+ until: apt_result is succeeded
+
+- name: Create SSH key
+ openssh_keypair:
+ path: /etc/borgbackup/id_remote
+ type: ed25519
+ owner: root
+ group: root
+ mode: u=r,g=r,o=
+ register: ssh_key
+
+- name: Add public key to remote
+ delegate_to: "{{ borg_server_host }}"
+ become: "{{ borg_server_user }}"
+ authorized_key:
+ exclusive: false
+ key: "{{ ssh_key.public_key }}"
+ key_options: >-
+ command="borg serve --restrict-to-path {{ borg_host_dir }},
+ no-agent-forwarding,
+ no-port-forwarding,
+ no-pty,
+ no-user-rc,
+ no-X11-forwarding
+ vars:
+ borg_host_dir: "{{ borg_server_base_dir }}/{{ ansible_fqdn }}"
+
+- name: Add borgmatic configuration file
+ become: true
+ template:
+ src: borgmatic.conf.j2
+ dest: /etc/borgmatic/config.yaml
+ owner: root
+ group: root
+ mode: u=rw,g=r,o=
+
+- name: Install timer and service for borgmatic
+ template:
+ src: "{{ item }}.j2"
+ dest: "/etc/systemd/system/{{ item }}"
+ owner: root
+ group: root
+ mode: u=rw,g=r,o=
+ loop:
+ - borgmatic.timer
+ - borgmatic.service
+ notify:
+ - Run systemd daemon-reload
+ - Start and enable borgmatic timer
+ - Start and enable borgmatic service
+
+- include_role: update_motd
+ vars:
+ key: 10-borgmatic
+ message: Borgmatic (client) est installé dans /etc/borgmatic/config.yaml.
+...
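Review bot: The `key_options` value in "Add public key to remote" never closes the quote opened at `command="`, and the folded scalar joins the remaining options with spaces, so the rendered authorized_keys entry is likely either rejected or installed without the intended forced command and forwarding restrictions. Those options are the control that confines a client's key to `borg serve` on its own directory, so they are better written as one unambiguous string: `key_options: 'restrict,command="borg serve --restrict-to-path {{ borg_host_dir }}"'` (`restrict` covers the individual no-* options on OpenSSH 7.2 and later). In the same task `become:` is given a user name although it is a boolean, so the name belongs in `become_user:`, and the module receives no `user:`. In "Create SSH key", `mode: u=r,g=r,o=` leaves the private key group-readable, which ssh normally refuses for an identity file; `mode: u=r,g=,o=` avoids that.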
diff --git a/roles/borgbackup_client/templates/borgmatic.service.j2 b/roles/borgbackup_client/templates/borgmatic.service.j2
new file mode 100644
index 0000000..f689b66
--- /dev/null
+++ b/roles/borgbackup_client/templates/borgmatic.service.j2
@@ -0,0 +1,29 @@
+{{ ansible_managed | comment }}
+
+[Unit]
+Description=Service for borgmatic backup
+Wants=network-online.target
+After=network-online.target
+ConditionACPower=true
+
+[Service]
+Type=oneshot
+ProtectSystem=full
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
+
+# Lower CPU and I/O priority.
+Nice=19
+CPUSchedulingPolicy=batch
+IOSchedulingClass=best-effort
+IOSchedulingPriority=7
+IOWeight=100
+
+Restart=no
+# Prevent rate limiting of borgmatic log events. If you are using an older version of systemd that
+# doesn't support this (pre-240 or so), you may have to remove this option.
+LogRateLimitIntervalSec=0
+
+# Delay start to prevent backups running during boot. Note that systemd-inhibit requires dbus and
+# dbus-user-session to be installed.
+ExecStartPre=sleep 1m
+ExecStart=systemd-inhibit --who="borgmatic" --why="Prevent interrupting scheduled backup" /usr/bin/borgmatic --syslog-verbosity 1
diff --git a/roles/borgbackup_client/templates/borgmatic.timer.j2 b/roles/borgbackup_client/templates/borgmatic.timer.j2
new file mode 100644
index 0000000..22f1bf9
--- /dev/null
+++ b/roles/borgbackup_client/templates/borgmatic.timer.j2
@@ -0,0 +1,10 @@
+{{ ansible_managed | comment }}
+
+[Unit]
+Description=Timer for borgmatic backup
+
+[Timer]
+OnCalendar=daily
+
+[Install]
+WantedBy=timers.target
diff --git a/roles/borgbackup_client/templates/config.yaml.j2 b/roles/borgbackup_client/templates/config.yaml.j2
new file mode 100644
index 0000000..ead247e
--- /dev/null
+++ b/roles/borgbackup_client/templates/config.yaml.j2
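Review bot: borgmatic.service.j2 runs the backup as root with `ProtectSystem=full` and the capability bounding set as its only confinement. This process reads every source directory and uses the SSH key that grants repository access, so further sandboxing is worth adding: `NoNewPrivileges=true` and `PrivateTmp=true` are the usual first steps, to be tested against the PostgreSQL hook that config.yaml.j2 can enable. A comment above `CapabilityBoundingSet=` should say why each capability is kept, for instance `# CAP_DAC_READ_SEARCH: read files regardless of their permissions`; the need for `CAP_NET_RAW` is not evident from this diff and should be confirmed or the capability dropped.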
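Review bot: `OnCalendar=daily` in borgmatic.timer.j2 fires at midnight on every host that uses this role, and a run is simply missed when the machine is off at that time. Adding `Persistent=true` makes systemd catch up a missed run after the next boot, and `RandomizedDelaySec=1h` spreads the clients so they do not all reach the backup server at the same moment.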
@@ -0,0 +1,25 @@
+---
+{{ ansible_managed | comment }}
+
+location:
+ source_directories: {{ borg_backup_directories | to_nice_yaml }}
+ repositories:
+ - {{ borg_server_user }}@{{ borg_server_host }}:{{ borg_host_dir }}
+
+retention:
+ keep_daily: "{{ borg_keep_daily }}"
+ keep_weekly: "{{ borg_keep_weekly }}"
+ keep_monthly: "{{ borg_keep_yearly }}"
+
+consistency:
+ checks:
+ - repository
+ - archives
+
+{% if postgresql_databases is defined %}
+hooks:
+ postgresql_databases:
+ - name: all
+{% endif %}
+...
+
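Review bot: `keep_monthly` is rendered from `borg_keep_yearly`, which the role defaults in this commit do not define (they define `borg_keep_monthly`), so the template fails on an undefined variable unless something else sets it. This looks like a typo for `keep_monthly: "{{ borg_keep_monthly }}"`, and a retention setting that silently differs from the documented default is worth catching before the first prune. `borg_host_dir` in the repository line is only set as a task-level var on "Add public key to remote", so it is presumably undefined here as well. The task "Add borgmatic configuration file" also references `src: borgmatic.conf.j2`, while this template is named config.yaml.j2.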