Merge branch 'borgbackup' into 'newinfra'

Borgbackup

See merge request nounous/ansible!121
certbot_on_virtu
_pollion 2020-12-15 10:13:37 +01:00
commit 293784a5cf
15 changed files with 257 additions and 11 deletions


@ -9,3 +9,18 @@ debian_mirror: http://mirror.adm.crans.org/debian
ubuntu_mirror: http://mirror.adm.crans.org/ubuntu ubuntu_mirror: http://mirror.adm.crans.org/ubuntu
debian_components: main non-free debian_components: main non-free
ubuntu_components: main restricted universe multiverse ubuntu_components: main restricted universe multiverse
glob_borg:
to_backup:
- /etc
- /var
path: /backup/borg
remote:
- borg@zephir.adm.crans.org:/backup/borg/{{ ansible_hostname }}
retention:
- ["daily", 4]
- ["monthly", 6]
consistency_check:
- disabled
extra_init:
- make-parent-dirs
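Review bot: `consistency_check: - disabled` is the default for every host, so borgmatic never runs `borg check` and corruption of a repository or archive is only discovered at restore time. If the cost of a full check is the concern, a cheaper option is to schedule `- repository` (and `- archives` with `check_last` set to a small number) rather than disabling checks outright. The `extra_init: - make-parent-dirs` entry is reasonable since the remote path embeds `{{ ansible_hostname }}` and the directory does not exist on first init.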


@ -0,0 +1,7 @@
---
loc_borg:
to_exclude:
- /var/lib/backuppc
remote:
- /backup/borg/zephir
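Review bot: `remote: - /backup/borg/zephir` stores the backup server's own repository next to the client repositories (`/backup/borg/{{ ansible_hostname }}` in the group vars), so presumably a single volume holds both the clients' backups and the only backup of the host serving them; a loss of that volume takes out everything at once. If that is acceptable for now, a comment stating it would help, e.g. `# zephir backs up to its own repository store; no off-host copy`. Note also that because the playbook merges `loc_borg` into `glob_borg` with a plain `combine`, this `remote` list replaces the global one rather than adding to it.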

3
hosts

@ -23,6 +23,9 @@
# [test_vm] # [test_vm]
# re2o-test.adm.crans.org # re2o-test.adm.crans.org
[backups]
zephir.adm.crans.org
[certbot] [certbot]
gitzly.adm.crans.org gitzly.adm.crans.org


@ -1,15 +1,15 @@
#!/usr/bin/env ansible-playbook #!/usr/bin/env ansible-playbook
--- ---
# zephir backups virtual machines.
# omnomnom backups home dirs.
# Rsync client on all server to allow backup - hosts: server
#- hosts: server vars:
# vars: borg: '{{ glob_borg | default({}) | combine(loc_borg | default({})) }}'
# # Backup password mirror: '{{ glob_mirror | default({}) | combine(loc_mirror | default({})) }}'
# backuppc_rsyncd_passwd: "{{ vault_backuppc_rsyncd_passwd }}" roles:
# roles: ["rsync-client"] - borgbackup-client
# Backuppc backup software - hosts: backups
#- hosts: zephir.adm.crans.org,omnomnom.adm.crans.org vars:
# roles: ["backuppc"] borg: '{{ glob_borg | default({}) | combine(loc_borg | default({})) }}'
roles:
- borgbackup-server
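Review bot: `borg: '{{ glob_borg | default({}) | combine(loc_borg | default({})) }}'` is a shallow merge, so any list a host sets in `loc_borg` (`remote`, `to_backup`, `to_exclude`, …) replaces the global list of the same name instead of extending it; that is not obvious from the variable names and deserves a comment such as `# loc_borg keys replace glob_borg keys of the same name (shallow combine)`. The same expression is duplicated in both plays; a single definition in group vars would keep them from drifting. The rendering fused the old and new columns on several lines, so the exact layout of the play headers is inferred.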


@ -0,0 +1,5 @@
---
- name: restart cron
service:
name: cron
state: restarted


@ -0,0 +1,60 @@
---
- name: Pin borgmatic
template:
src: "apt/{{ item }}.j2"
dest: "/etc/apt/{{ item }}"
loop:
- sources.list.d/bullseye.list
- preferences.d/borgmatic-bullseye
when: ansible_lsb.release | int <= 10
- name: Install borgbackup
apt:
update_cache: true
name:
- borgbackup
- borgmatic
state: present
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Ensures /etc/borgmatic exists
file:
path: /etc/borgmatic
state: directory
mode: 0700
owner: root
- name: Deploy ssh private key
template:
src: "borgmatic/id_ed25519_borg.j2"
dest: "/etc/borgmatic/id_ed25519_borg"
mode: 0600
owner: root
- name: Deploy borgmatic config
template:
src: "borgmatic/config.yaml.j2"
dest: "/etc/borgmatic/config.yaml"
mode: 0600
owner: root
group: root
- name: Init borg repository
command:
cmd: /usr/bin/borgmatic init -e repokey
register: borg_init
changed_when: '"does not exist" in borg_init.stderr'
- name: Deploy borg cron
template:
src: "cron.d/borg.j2"
dest: "/etc/cron.d/borg"
notify: restart cron
- name: Indicate role in motd
template:
src: update-motd.d/04-service.j2
dest: /etc/update-motd.d/04-borgbackup
mode: 0755
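Review bot: The `Deploy ssh private key` and `Deploy borgmatic config` tasks render vault secrets (the key and, via the config template, `vault_borgbackup_passwd`) with the `template` module, and a run with `--diff` or a task failure prints the rendered content to the console and any log collector; add `no_log: true` to both tasks. The file modes are written as unquoted octal (`mode: 0700`, `0600`, `0755`), which Ansible flags as ambiguous because YAML 1.1 and 1.2 read them differently; `mode: "0600"` is the safe form. The `when: ansible_lsb.release | int <= 10` guard presumably relies on lsb-release being installed so that `ansible_lsb` is populated — worth confirming on the targets, since an undefined fact makes the whole task error rather than skip.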


@ -0,0 +1,12 @@
{{ ansible_header | comment }}
Package: *
Pin: release n=bullseye
Pin-Priority: 1
Package: borgmatic
Pin: release n=bullseye
Pin-Priority: 900


@ -0,0 +1,3 @@
{{ ansible_header | comment }}
deb http://{{ mirror.name }}/debian bullseye main


@ -0,0 +1,88 @@
{{ ansible_header | comment }}
location:
source_directories:
{% for dir in borg.to_backup %}
- {{ dir }}
{% endfor %}
repositories:
{% for remote in borg.remote %}
- {{ remote }}
{% endfor %}
exclude_patterns:
- '*.pyc'
- '\#*\#'
- '*~'
{% for pattern in borg.to_exclude | default([]) %}
- {{ pattern }}
{% endfor %}
exclude_caches: true
exclude_if_present:
- .nobackup
borgmatic_source_directory: /tmp/borgmatic
storage:
encryption_passphrase: {{ vault_borgbackup_passwd }}
ssh_command: ssh -i /etc/borgmatic/id_ed25519_borg
borg_base_directory: /etc/borgmatic
borg_config_directory: /etc/borgmatic/config/
borg_cache_directory: /etc/borgmatic/cache
borg_security_directory: /etc/borgmatic/config/security
borg_keys_directory: /etc/borgmatic/config/keys
compression: 'lz4'
umask: 0077
lock_wait: 5
archive_name_format: '{hostname}-{now}'
{% set extra_init = borg.extra_init | default([]) %}
{% set extra_prune = borg.extra_prune | default([]) %}
{% set extra_create = borg.extra_create | default([]) %}
{% set extra_check = borg.extra_check | default([]) %}
{% if extra_init or extra_prune or extra_create or extra_check %}
extra_borg_options:
{% endif %}
{% if extra_init %}
# Extra command-line options to pass to "borg init".
init: {% for cmd in extra_init %}--{{ cmd }} {% endfor %}
{% endif %}
{% if extra_prune %}
# Extra command-line options to pass to "borg prune".
prune: {% for cmd in extra_prune %}--{{ cmd }} {% endfor %}
{% endif %}
{% if extra_create %}
# Extra command-line options to pass to "borg create".
create: {% for cmd in extra_create %}--{{ cmd }} {% endfor %}
{% endif %}
{% if extra_check %}
# Extra command-line options to pass to "borg check".
check: {% for cmd in extra_check %}--{{ cmd }} {% endfor %}
{% endif %}
retention:
{% for retention in borg.retention %}
keep_{{ retention[0] }}: {{ retention[1] }}
{% endfor %}
prefix: '{hostname}-'
consistency:
checks:
{% for check in borg.consistency_check %}
- {{ check }}
{% endfor %}
{% if borg.hooks | default([]) %}
hooks:
{% for hook in borg.hooks %}
{{ hook.type }}:
{% for value in hook.values %}
- {{ value }}
{% endfor %}
{% endfor %}
umask: 0077
{% endif %}
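Review bot: `encryption_passphrase: {{ vault_borgbackup_passwd }}` is an unquoted templated scalar, so a passphrase containing `#`, `: `, a leading YAML indicator or a number-like form breaks or silently retypes the rendered config; `encryption_passphrase: {{ vault_borgbackup_passwd | to_json }}` renders a properly quoted string. The looped items `- {{ dir }}`, `- {{ remote }}`, `- {{ pattern }}` and `- {{ value }}` have the same problem — the static patterns are quoted (`'*.pyc'`) but a `borg.to_exclude` entry starting with `*` would be parsed as a YAML alias — and `| to_json` fixes them the same way. Separately, `borg_cache_directory` and the config holding the passphrase sit under `/etc/borgmatic`, and `/etc` is in the default `to_backup`, so the borg cache, which changes on every run, is captured in every archive; consider adding `/etc/borgmatic/cache` to `exclude_patterns`.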


@ -0,0 +1 @@
{{ vault_borgbackup_ssh_privkey }}


@ -0,0 +1,5 @@
{{ ansible_header | comment }}
PATH=$PATH:/usr/sbin:/usr/bin:/usr/local/bin:/sbin:/bin
{{ 60 | random(seed=inventory_hostname) }} {{ 24 | random(seed=inventory_hostname) }} * * * root borgmatic --syslog-verbosity 1


@ -0,0 +1,3 @@
#!/usr/bin/tail +14
{{ ansible_header | comment }}
> Borgbackup (Client) a été déployé sur cette machine. Voir /etc/borgmatic/.


@ -0,0 +1,38 @@
---
- name: Install borgbackup
apt:
update_cache: true
name:
- borgbackup
state: present
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Create borgbackup user
user:
create_home: yes
home: '/var/lib/borg/'
system: yes
state: present
update_password: always
name: borg
- name: Ensures .ssh dir exists
file:
path: /var/lib/borg/.ssh
state: directory
mode: 0700
owner: borg
- name: Deploy authorized_keys
template:
src: "authorized_keys.j2"
dest: "/var/lib/borg/.ssh/authorized_keys"
mode: 0600
- name: Indicate role in motd
template:
src: update-motd.d/05-service.j2
dest: /etc/update-motd.d/05-borg
mode: 0755
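Review bot: The `Deploy authorized_keys` task sets `mode: 0600` but no `owner`, so the file is created root-owned while the `.ssh` directory above it is `owner: borg`; sshd reads `authorized_keys` with the target user's privileges, so a root-owned 0600 file is unreadable for `borg` and key authentication presumably fails on a fresh server. Add `owner: borg` and `group: borg` to that task (the `.ssh` directory task would also benefit from `group: borg`). As a point of style, `create_home: yes` and `system: yes` are YAML 1.1 truthy spellings; `true` is the portable form, and the octal modes should be quoted (`mode: "0700"`).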


@ -0,0 +1,3 @@
{{ ansible_header | comment }}
command="borg serve --restrict-to-path {{ borg.path }}",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding {{ vault_borgbackup_ssh_pubkey }}
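Review bot: The forced command restricts the key to `{{ borg.path }}`, which the group vars set to `/backup/borg`, i.e. the parent of every host's repository rather than the calling host's own, and the same `vault_borgbackup_ssh_pubkey` is installed for all clients; with the shared passphrase this means one compromised client can read or delete every other host's backups, so `--restrict-to-path` adds little isolation. Per-host keys with `--restrict-to-repository` pointing at that host's repository would give real separation, at the cost of per-host vault variables. If that is not an option now, `--append-only` on the `borg serve` command at least prevents a client from purging history, with pruning then done server-side.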


@ -0,0 +1,3 @@
#!/usr/bin/tail +14
{{ ansible_header | comment }}
> Borgbackup (Serveur) a été déployé sur cette machine. Les backups sont situés dans {{ borg.path }}.