Ajout des backups avec restic

2024-11-16 22:16:14 +01:00 · 2024-11-16 22:16:14 +01:00 · 1f5129092e
parent 8c15a54cf2
commit 1f5129092e
15 changed files with 120 additions and 0 deletions
--- a/all.yml
+++ b/all.yml
@ -49,6 +49,7 @@
 - import_playbook: plays/radvd.yml
 - import_playbook: plays/re2o-ldap.yml
 - import_playbook: plays/re2o.yml
+- import_playbook: plays/restic_client.yml
 - import_playbook: plays/reverse-proxy.yml
 - import_playbook: plays/root.yml
 - import_playbook: plays/roundcube.yml
--- a/group_vars/all/restic.yml
+++ b/group_vars/all/restic.yml
@ -0,0 +1,9 @@
+---
+glob_restic:
+  to_exclude:
+    - /var/lib/lxcfs
+  to_backup:
+    - /etc
+    - /var
+  remote:
+    - rest:http://{{ ansible_hostname }}:{{ vault.restic[ansible_hostname].rest_password }}@172.16.10.14/{{ ansible_hostname }}/base
--- a/plays/restic_client.yml
+++ b/plays/restic_client.yml
@ -0,0 +1,8 @@
+#!/usr/bin/env ansible-playbook
+---
+
+- hosts: server
+  vars:
+    restic: "{{ glob_restic | default({}) | combine(loc_borg | default({})) }}"
+  roles:
+    - restic-client
--- a/plays/root.yml
+++ b/plays/root.yml
@ -30,6 +30,7 @@
 - import_playbook: scripts.yml
 - import_playbook: vm_setup.yml
 - import_playbook: borgbackup_client.yml
+- import_playbook: restic_client.yml
 - import_playbook: network_interfaces.yml
 - import_playbook: nullmailer.yml

--- a/roles/restic-client/handlers/main.yml
+++ b/roles/restic-client/handlers/main.yml
@ -0,0 +1,5 @@
+---
+- name: Restart timer
+  service:
+    name: restic-base.timer
+    state: restarted
--- a/roles/restic-client/tasks/main.yml
+++ b/roles/restic-client/tasks/main.yml
@ -0,0 +1,51 @@
+---
+- name: Install restic
+  apt:
+    update_cache: true
+    name:
+      - restic
+    state: present
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Ensures /etc/restic exists
+  file:
+    path: /etc/restic
+    state: directory
+    mode: 0700
+    owner: root
+
+- name: Deploy restic config
+  template:
+    src: "{{ item }}.j2"
+    dest: /etc/{{ item }}
+    mode: 0600
+    owner: root
+    group: root
+  loop:
+    - restic/base.env
+    - restic/base-excludes
+    - restic/base-includes
+    - restic/base-password
+    - restic/base-repo
+    - systemd/system/restic-base.service
+    - systemd/system/restic-base.timer
+  notify: Restart timer
+
+- name: Init restic repository
+  command:
+    cmd: "restic init --repository-file /etc/restic/base-repo --password-file /etc/restic/base-password"
+  register: restic_init
+  ignore_errors: true
+
+- name: Indicate role in motd
+  template:
+    src: update-motd.d/04-service.j2
+    dest: /etc/update-motd.d/04-restic
+    mode: 0755
+
+- name: Enable timer
+  service:
+    name: restic-base.timer
+    enabled: true
--- a/roles/restic-client/templates/restic/base-excludes.j2
+++ b/roles/restic-client/templates/restic/base-excludes.j2
@ -0,0 +1,3 @@
+{% for dir in restic.to_exclude %}
+{{ dir }}
+{% endfor %}
--- a/roles/restic-client/templates/restic/base-includes.j2
+++ b/roles/restic-client/templates/restic/base-includes.j2
@ -0,0 +1,3 @@
+{% for dir in restic.to_backup %}
+{{ dir }}
+{% endfor %}
--- a/roles/restic-client/templates/restic/base-password.j2
+++ b/roles/restic-client/templates/restic/base-password.j2
@ -0,0 +1 @@
+{{ vault.restic[ansible_hostname].repo_password }}
--- a/roles/restic-client/templates/restic/base-repo.j2
+++ b/roles/restic-client/templates/restic/base-repo.j2
@ -0,0 +1,3 @@
+{% for repo in restic.remote %}
+{{ repo }}
+{% endfor %}
--- a/roles/restic-client/templates/restic/base.env.j2
+++ b/roles/restic-client/templates/restic/base.env.j2
@ -0,0 +1,9 @@
+{{ ansible_header | comment }}
+
+RESTIC_REPOSITORY_FILE="/etc/restic/base-repo"
+RESTIC_PASSWORD_FILE="/etc/restic/base-password"
+
+RESTIC_CACHE_DIR="/var/cache/restic"
+RESTIC_COMPRESSION="max"
+RESTIC_PROGRESS_FPS=1
+RESTIC_PACK_SIZE="64M"
--- a/roles/restic-client/templates/systemd/system/restic-base.service.j2
+++ b/roles/restic-client/templates/systemd/system/restic-base.service.j2
@ -0,0 +1,13 @@
+{{ ansible_header | comment }}
+
+[Unit]
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+EnvironmentFile=/etc/restic/base.env
+ExecStart=restic backup --files-from=/etc/restic/base-includes --exclude-file=/etc/restic/base-excludes
+ExecStart=restic forget --prune --keep-daily 2 --keep-weekly 2 --keep-monthly 2 --keep-yearly 1
+
+Type=oneshot
+User=root
--- a/roles/restic-client/templates/systemd/system/restic-base.timer.j2
+++ b/roles/restic-client/templates/systemd/system/restic-base.timer.j2
@ -0,0 +1,10 @@
+{{ ansible_header | comment }}
+
+[Unit]
+
+[Timer]
+OnCalendar={{ 24 | random(seed=inventory_hostname) }}:{{ 60 | random(seed=inventory_hostname) }}
+Persistent=true
+
+[Install]
+WantedBy=timers.target
--- a/roles/restic-client/templates/update-motd.d/04-service.j2
+++ b/roles/restic-client/templates/update-motd.d/04-service.j2
@ -0,0 +1,3 @@
+#!/usr/bin/tail +14
+{{ ansible_header | comment }}
+[0m> [38;5;82mRestic (Client)[0m a été déployé sur cette machine. Voir [38;5;6m/etc/restic/[0m.
--- a/0
+++ b/0
				`@ -0,0 +1 @@`
				`{{ vault.restic[ansible_hostname].repo_password }}`