From 1f5129092ebf6176260cf67edc21216b71cf9d2a Mon Sep 17 00:00:00 2001
From: korenstin
Date: Sat, 16 Nov 2024 22:16:14 +0100
Subject: [PATCH] Ajout des backups avec restic
---
 all.yml | 1 +
 group_vars/all/restic.yml | 9 ++++
 plays/restic_client.yml | 8 +++
 plays/root.yml | 1 +
 roles/restic-client/handlers/main.yml | 5 ++
 roles/restic-client/tasks/main.yml | 51 +++++++++++++++++++
 .../templates/restic/base-excludes.j2 | 3 ++
 .../templates/restic/base-includes.j2 | 3 ++
 .../templates/restic/base-password.j2 | 1 +
 .../templates/restic/base-repo.j2 | 3 ++
 .../templates/restic/base.env.j2 | 9 ++++
 .../systemd/system/restic-base.service.j2 | 13 +++++
 .../systemd/system/restic-base.timer.j2 | 10 ++++
 .../templates/update-motd.d/04-service.j2 | 3 ++
 {attempts: | 0
 15 files changed, 120 insertions(+)
 create mode 100644 group_vars/all/restic.yml
 create mode 100755 plays/restic_client.yml
 create mode 100644 roles/restic-client/handlers/main.yml
 create mode 100644 roles/restic-client/tasks/main.yml
 create mode 100644 roles/restic-client/templates/restic/base-excludes.j2
 create mode 100644 roles/restic-client/templates/restic/base-includes.j2
 create mode 100644 roles/restic-client/templates/restic/base-password.j2
 create mode 100644 roles/restic-client/templates/restic/base-repo.j2
 create mode 100644 roles/restic-client/templates/restic/base.env.j2
 create mode 100644 roles/restic-client/templates/systemd/system/restic-base.service.j2
 create mode 100644 roles/restic-client/templates/systemd/system/restic-base.timer.j2
 create mode 100755 roles/restic-client/templates/update-motd.d/04-service.j2
 create mode 100644 {attempts:
diff --git a/all.yml b/all.yml
index 0a8fa5ae..bcb5b71b 100755
--- a/all.yml
+++ b/all.yml
@@ -49,6 +49,7 @@
 - import_playbook: plays/radvd.yml
 - import_playbook: plays/re2o-ldap.yml
 - import_playbook: plays/re2o.yml
+- import_playbook: plays/restic_client.yml
 - import_playbook: plays/reverse-proxy.yml
 - import_playbook: plays/root.yml
 - import_playbook: plays/roundcube.yml
diff --git a/group_vars/all/restic.yml b/group_vars/all/restic.yml
new file mode 100644
index 00000000..3a3c808f
--- /dev/null
+++ b/group_vars/all/restic.yml
@@ -0,0 +1,9 @@
+---
+glob_restic:
+ to_exclude:
+ - /var/lib/lxcfs
+ to_backup:
+ - /etc
+ - /var
+ remote:
+ - rest:http://{{ ansible_hostname }}:{{ vault.restic[ansible_hostname].rest_password }}@172.16.10.14/{{ ansible_hostname }}/base
diff --git a/plays/restic_client.yml b/plays/restic_client.yml
new file mode 100755
index 00000000..89e182ad
--- /dev/null
+++ b/plays/restic_client.yml
@@ -0,0 +1,8 @@
+#!/usr/bin/env ansible-playbook
+---
+
+- hosts: server
+ vars:
+ restic: "{{ glob_restic | default({}) | combine(loc_borg | default({})) }}"
+ roles:
+ - restic-client
diff --git a/plays/root.yml b/plays/root.yml
index 48b558c2..fc0f8a22 100755
--- a/plays/root.yml
+++ b/plays/root.yml
@@ -30,6 +30,7 @@
 - import_playbook: scripts.yml
 - import_playbook: vm_setup.yml
 - import_playbook: borgbackup_client.yml
+- import_playbook: restic_client.yml
 - import_playbook: network_interfaces.yml
 - import_playbook: nullmailer.yml
diff --git a/roles/restic-client/handlers/main.yml b/roles/restic-client/handlers/main.yml
new file mode 100644
index 00000000..4da8318a
--- /dev/null
+++ b/roles/restic-client/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart timer
+ service:
+ name: restic-base.timer
+ state: restarted
diff --git a/roles/restic-client/tasks/main.yml b/roles/restic-client/tasks/main.yml
new file mode 100644
index 00000000..1cc9132a
--- /dev/null
+++ b/roles/restic-client/tasks/main.yml
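Review bot: The `remote` entry in group_vars/all/restic.yml uses plain `rest:http://` with the rest-server username and password in the URL, so the HTTP basic-auth credential crosses the network in cleartext on every backup even though restic encrypts the repository contents. If the server at 172.16.10.14 can serve TLS, change the scheme to `rest:https://`; if not, a comment above the entry such as `# plain HTTP: the rest password is sent unencrypted` should record the accepted risk. The password is also interpolated unescaped, so a vault value containing `@` or `:` would produce a malformed URL; `{{ vault.restic[ansible_hostname].rest_password | urlencode }}` would guard against that.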
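Review bot: In plays/restic_client.yml the per-host override is read from `loc_borg`, which looks like a leftover from the borgbackup play this file was presumably modelled on. Any host that defines `loc_borg` would get its borg settings merged into the restic configuration, and a restic-specific override has no variable of its own. Suggested line: `restic: "{{ glob_restic | default({}) | combine(loc_restic | default({})) }}"`. `combine` is shallow by default, so a host that overrides `to_backup` replaces the whole list rather than extending it; a short comment saying so would help.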
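Review bot: The `Restart timer` handler in roles/restic-client/handlers/main.yml restarts `restic-base.timer` without reloading systemd, so an edited unit template is not picked up until something else triggers a daemon-reload. The same notify fires when the service unit changes, and restarting the timer does not reload that unit either. Replacing `service:` with `systemd:` and adding `daemon_reload: true` to the handler covers both units.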
@@ -0,0 +1,51 @@
+---
+- name: Install restic
+ apt:
+ update_cache: true
+ name:
+ - restic
+ state: present
+ register: apt_result
+ retries: 3
+ until: apt_result is succeeded
+
+- name: Ensures /etc/restic exists
+ file:
+ path: /etc/restic
+ state: directory
+ mode: 0700
+ owner: root
+
+- name: Deploy restic config
+ template:
+ src: "{{ item }}.j2"
+ dest: /etc/{{ item }}
+ mode: 0600
+ owner: root
+ group: root
+ loop:
+ - restic/base.env
+ - restic/base-excludes
+ - restic/base-includes
+ - restic/base-password
+ - restic/base-repo
+ - systemd/system/restic-base.service
+ - systemd/system/restic-base.timer
+ notify: Restart timer
+
+- name: Init restic repository
+ command:
+ cmd: "restic init --repository-file /etc/restic/base-repo --password-file /etc/restic/base-password"
+ register: restic_init
+ ignore_errors: true
+
+- name: Indicate role in motd
+ template:
+ src: update-motd.d/04-service.j2
+ dest: /etc/update-motd.d/04-restic
+ mode: 0755
+
+- name: Enable timer
+ service:
+ name: restic-base.timer
+ enabled: true
diff --git a/roles/restic-client/templates/restic/base-excludes.j2 b/roles/restic-client/templates/restic/base-excludes.j2
new file mode 100644
index 00000000..c0f493be
--- /dev/null
+++ b/roles/restic-client/templates/restic/base-excludes.j2
@@ -0,0 +1,3 @@
+{% for dir in restic.to_exclude %}
+{{ dir }}
+{% endfor %}
diff --git a/roles/restic-client/templates/restic/base-includes.j2 b/roles/restic-client/templates/restic/base-includes.j2
new file mode 100644
index 00000000..abd7ea10
--- /dev/null
+++ b/roles/restic-client/templates/restic/base-includes.j2
@@ -0,0 +1,3 @@
+{% for dir in restic.to_backup %}
+{{ dir }}
+{% endfor %}
diff --git a/roles/restic-client/templates/restic/base-password.j2 b/roles/restic-client/templates/restic/base-password.j2
new file mode 100644
index 00000000..1d8595e8
--- /dev/null
+++ b/roles/restic-client/templates/restic/base-password.j2
@@ -0,0 +1 @@
+{{ vault.restic[ansible_hostname].repo_password }}
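Review bot: The `Init restic repository` task in roles/restic-client/tasks/main.yml runs on every play and hides every failure behind `ignore_errors: true`, so a wrong password or an unreachable server is indistinguishable from an already-initialised repository, and the registered `restic_init` is never read. Probing the repository first and initialising only when the probe fails keeps real errors visible; a sketch follows. Separately, the `Deploy restic config` task renders `restic/base-password` and `restic/base-repo`, so a run with `--diff` would print both secrets; `no_log: true` (or `diff: false`) on that task avoids it. The unquoted `mode: 0700`, `0600` and `0755` values are safer written as quoted strings, e.g. `mode: "0700"`.

```yaml
# … unchanged: install restic, /etc/restic directory, config templates …
- name: Check whether the restic repository already exists
  command:
    cmd: "restic cat config --repository-file /etc/restic/base-repo --password-file /etc/restic/base-password"
  register: restic_probe
  changed_when: false
  failed_when: false

- name: Init restic repository
  command:
    cmd: "restic init --repository-file /etc/restic/base-repo --password-file /etc/restic/base-password"
  when: restic_probe.rc != 0
# … unchanged: motd entry, enable timer …
```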
diff --git a/roles/restic-client/templates/restic/base-repo.j2 b/roles/restic-client/templates/restic/base-repo.j2
new file mode 100644
index 00000000..30fda05f
--- /dev/null
+++ b/roles/restic-client/templates/restic/base-repo.j2
@@ -0,0 +1,3 @@
+{% for repo in restic.remote %}
+{{ repo }}
+{% endfor %}
diff --git a/roles/restic-client/templates/restic/base.env.j2 b/roles/restic-client/templates/restic/base.env.j2
new file mode 100644
index 00000000..8b7a1504
--- /dev/null
+++ b/roles/restic-client/templates/restic/base.env.j2
@@ -0,0 +1,9 @@
+{{ ansible_header | comment }}
+
+RESTIC_REPOSITORY_FILE="/etc/restic/base-repo"
+RESTIC_PASSWORD_FILE="/etc/restic/base-password"
+
+RESTIC_CACHE_DIR="/var/cache/restic"
+RESTIC_COMPRESSION="max"
+RESTIC_PROGRESS_FPS=1
+RESTIC_PACK_SIZE="64M"
diff --git a/roles/restic-client/templates/systemd/system/restic-base.service.j2 b/roles/restic-client/templates/systemd/system/restic-base.service.j2
new file mode 100644
index 00000000..671871fc
--- /dev/null
+++ b/roles/restic-client/templates/systemd/system/restic-base.service.j2
@@ -0,0 +1,13 @@
+{{ ansible_header | comment }}
+
+[Unit]
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+EnvironmentFile=/etc/restic/base.env
+ExecStart=restic backup --files-from=/etc/restic/base-includes --exclude-file=/etc/restic/base-excludes
+ExecStart=restic forget --prune --keep-daily 2 --keep-weekly 2 --keep-monthly 2 --keep-yearly 1
+
+Type=oneshot
+User=root
diff --git a/roles/restic-client/templates/systemd/system/restic-base.timer.j2 b/roles/restic-client/templates/systemd/system/restic-base.timer.j2
new file mode 100644
index 00000000..4aad3f85
--- /dev/null
+++ b/roles/restic-client/templates/systemd/system/restic-base.timer.j2
@@ -0,0 +1,10 @@
+{{ ansible_header | comment }}
+
+[Unit]
+
+[Timer]
+OnCalendar={{ 24 | random(seed=inventory_hostname) }}:{{ 60 | random(seed=inventory_hostname) }}
+Persistent=true
+
+[Install]
+WantedBy=timers.target
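Review bot: roles/restic-client/templates/restic/base-repo.j2 writes one line per entry of `restic.remote`, but the file is consumed through a single `RESTIC_REPOSITORY_FILE` / `--repository-file`, which as far as I know restic reads as one repository location. With more than one entry the rendered file would probably not be a usable location, so either make `remote` a scalar and render `{{ restic.remote }}`, or add a template comment stating that the list must hold exactly one element. Because the rendered URL embeds the rest-server password, this file is as sensitive as base-password and deserves the same handling.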
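Review bot: The second `ExecStart` in restic-base.service.j2 runs `restic forget --prune` from the backed-up host, so the credentials kept in /etc/restic are allowed to delete snapshots, and a compromise of root on a client could also remove that client's backup history. If the rest-server can run in append-only mode, retention is better applied from the backup server and this line dropped; the server side is not visible in this patch, so that needs confirming. If pruning stays on the client, a comment such as `# client may delete snapshots: repository is not append-only` makes the trade-off explicit.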
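Review bot: On the `OnCalendar` line of restic-base.timer.j2 both `random` calls use `seed=inventory_hostname`, so the hour and the minute are drawn from the same generator state and are likely correlated, which packs hosts onto far fewer distinct start times than 24×60. Distinct seeds avoid that: `OnCalendar={{ 24 | random(seed=inventory_hostname ~ 'h') }}:{{ 60 | random(seed=inventory_hostname ~ 'm') }}`. Every client targets the same rest-server address from group_vars, so spreading the start times matters for server load.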
diff --git a/roles/restic-client/templates/update-motd.d/04-service.j2 b/roles/restic-client/templates/update-motd.d/04-service.j2
new file mode 100755
index 00000000..19e00b90
--- /dev/null
+++ b/roles/restic-client/templates/update-motd.d/04-service.j2
@@ -0,0 +1,3 @@
+#!/usr/bin/tail +14
+{{ ansible_header | comment }}
+> Restic (Client) a été déployé sur cette machine. Voir /etc/restic/.
diff --git a/{attempts: b/{attempts:
new file mode 100644
index 00000000..e69de29b
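Review bot: The last file section adds an empty file named `{attempts:` at the repository root (blob e69de29b), which looks like an accidental artefact, possibly of a shell redirection, rather than part of the restic role. It should be dropped from the commit before merging.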