Indépendance de restic (avec borg dans les variables), généralisation de la configuration (possibilité d'avoir un autre timer de backup) et prise en charge de debian bullseye (version <12)

mise_a_niveau
korenstin 2024-11-18 09:13:30 +01:00
parent d8257424e2
commit e7170f7633
20 changed files with 161 additions and 48 deletions


@ -1,9 +1,17 @@
--- ---
glob_restic: glob_restic:
to_exclude: config:
- /var/lib/lxcfs base:
to_backup: to_exclude:
- /etc - /var/cache
- /var - /var/lib/lxcfs
to_backup:
- /etc
- /var
retention:
- [--keep-daily, 2]
- [--keep-weekly, 2]
- [--keep-monthly, 2]
- [--keep-yearly, 1]
remote: remote:
- rest:http://{{ ansible_hostname }}:{{ vault.restic[ansible_hostname].rest_password }}@172.16.10.14/{{ ansible_hostname }}/base - rest:http://{{ ansible_hostname }}:{{ vault.restic[ansible_hostname].rest_password }}@172.16.10.14/{{ ansible_hostname }}/
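Review bot: The `remote:` entry still sends the per-host REST password as basic-auth credentials over plain `http://`, so anyone able to observe traffic to 172.16.10.14 can recover it. restic's client-side encryption protects snapshot contents but not this server credential, and whether that credential also allows deleting data depends on server settings not visible here. If the REST server can be put behind TLS, switch the scheme to `rest:https://`. The password is also interpolated into the URL unescaped, so a value containing `@` or `:` would change how the URL parses; `{{ vault.restic[ansible_hostname].rest_password | urlencode }}` avoids that.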


@ -7,3 +7,17 @@ loc_unattended:
loc_needrestart: loc_needrestart:
override: [] override: []
loc_borg:
to_backup:
- /etc
- /home_nounou
- /var
loc_restic:
config:
base:
to_backup:
- /etc
- /home_nounou
- /var


@ -10,6 +10,27 @@ loc_borg:
- /var/mail - /var/mail
- /var/lib/lxcfs - /var/lib/lxcfs
loc_restic:
config:
base:
to_exclude:
- /var/cache
- /var/mail
- /var/lib/lxcfs
pool:
to_exclude:
- "*.pyc"
- "\\#*\\#"
- "*~"
to_backup:
- /pool/home
- /pool/mail
retention:
- [--keep-daily, 4]
- [--keep-weekly, 4]
- [--keep-monthly, 6]
backup_extra_param: " --exclude-if-present .nobackup"
loc_service_home: loc_service_home:
name: home name: home
install_dir: /var/local/services/home install_dir: /var/local/services/home


@ -1,17 +0,0 @@
---
interfaces:
disable: true
loc_needrestart:
override: []
loc_borg:
to_backup:
- /etc
- /home_nounou
- /var
loc_slapd:
ip: "{{ lookup('ldap', 'ip4', 'cephiroth', 'adm') }}"
replica: true
replica_rid: 5


@ -11,6 +11,14 @@ loc_borg:
- /home_nounou - /home_nounou
- /var - /var
loc_restic:
config:
base:
to_backup:
- /etc
- /home_nounou
- /var
loc_slapd: loc_slapd:
ip: "{{ lookup('ldap', 'ip4', 'ft', 'adm') }}" ip: "{{ lookup('ldap', 'ip4', 'ft', 'adm') }}"
replica: true replica: true


@ -16,3 +16,11 @@ loc_borg:
to_exclude: to_exclude:
- /var/mail - /var/mail
- /var/lib/lxcfs - /var/lib/lxcfs
loc_restic:
config:
base:
to_exclude:
- /var/cache
- /var/mail
- /var/lib/lxcfs


@ -0,0 +1,8 @@
---
loc_restic:
config:
base:
to_backup:
- /etc
- /home_nounou
- /var


@ -11,6 +11,15 @@ loc_borg:
- /home_nounou - /home_nounou
- /var - /var
loc_restic:
config:
base:
to_backup:
- /etc
- /home_nounou
- /var
loc_slapd: loc_slapd:
ip: "{{ lookup('ldap', 'ip4', 'sam', 'adm') }}" ip: "{{ lookup('ldap', 'ip4', 'sam', 'adm') }}"
replica: true replica: true


@ -41,6 +41,25 @@ loc_borg:
- /var - /var
- /pool/home - /pool/home
loc_restic:
config:
base:
to_backup:
- /etc
- /var
pool:
to_exclude:
- "*.pyc"
- "\\#*\\#"
- "*~"
to_backup:
- /pool/home
retention:
- [--keep-daily, 4]
- [--keep-weekly, 4]
- [--keep-monthly, 6]
backup_extra_param: " --exclude-if-present .nobackup"
loc_rsyslog_server: loc_rsyslog_server:
name: tealc name: tealc
root: /pool/logs root: /pool/logs


@ -19,6 +19,16 @@ loc_borg:
- /var/lib/lxcfs - /var/lib/lxcfs
- /var/lib/mysql - /var/lib/mysql
loc_restic:
config:
base:
to_exclude:
- /var/cache
- /var/mail
- /var/lib/podman
- /var/lib/lxcfs
- /var/lib/mysql
loc_thelounge: loc_thelounge:
host: "\"{{ lookup('ldap', 'ip4', 'zamok', 'adm') }}\"" host: "\"{{ lookup('ldap', 'ip4', 'zamok', 'adm') }}\""
oidentd: "\"/usr/local/lib/thelounge/.oidentd.conf\"" oidentd: "\"/usr/local/lib/thelounge/.oidentd.conf\""


@ -3,6 +3,6 @@
- hosts: server - hosts: server
vars: vars:
restic: "{{ glob_restic | default({}) | combine(loc_borg | default({})) }}" restic: "{{ glob_restic | default({}) | combine(loc_restic | default({}), recursive=true) }}"
roles: roles:
- restic-client - restic-client


@ -1,5 +1,6 @@
--- ---
- name: Restart timer - name: Restart timer
service: service:
name: restic-base.timer name: restic-{{ item }}.timer
state: restarted state: restarted
loop: "{{ restic.config.keys() }}"
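Review bot: `loop: "{{ restic.config.keys() }}"` hands `loop` a dictionary view rather than a list, which some Ansible and Python 3 combinations may reject as invalid loop data. `loop: "{{ restic.config | list }}"` (or `restic.config.keys() | list`) is the portable form. The same expression is used by the two init tasks and by "Enable timer" in the role's task file, so the change applies there too.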


@ -18,26 +18,45 @@
- name: Deploy restic config - name: Deploy restic config
template: template:
src: "{{ item }}.j2" src: "restic/base{{ item.1 }}.j2"
dest: /etc/{{ item }} dest: /etc/restic/{{ item.0 }}{{ item.1 }}
mode: 0600 mode: 0600
owner: root owner: root
group: root group: root
loop: with_nested:
- restic/base.env - "{{ restic.config }}"
- restic/base-excludes - { .env, -excludes, -includes, -password, -repo }
- restic/base-includes
- restic/base-password
- restic/base-repo
- systemd/system/restic-base.service
- systemd/system/restic-base.timer
notify: Restart timer notify: Restart timer
- name: Init restic repository - name: Deploy restic systemd
template:
src: "systemd/system/restic-base{{ item.1 }}.j2"
dest: /etc/systemd/system/restic-{{ item.0 }}{{ item.1 }}
mode: 0600
owner: root
group: root
with_nested:
- "{{ restic.config }}"
- { .service, .timer }
notify: Restart timer
- name: Init restic repository (Debian >=12)
command: command:
cmd: "restic init --repository-file /etc/restic/base-repo --password-file /etc/restic/base-password" cmd: "restic init --repository-file /etc/restic/{{ item }}-repo --password-file /etc/restic/base-password"
register: restic_init register: restic_init
ignore_errors: true ignore_errors: true
loop: "{{ restic.config.keys() }}"
when:
- ansible_facts['distribution_major_version'] >= "12"
- name: Init restic repository (Debian <12)
command:
cmd: "restic init --repo {{ restic.remote.0 + item }} --password-file /etc/restic/{{ item }}-password"
register: restic_init
ignore_errors: true
loop: "{{ restic.config.keys() }}"
when:
- ansible_facts['distribution_major_version'] < "12"
- name: Indicate role in motd - name: Indicate role in motd
template: template:
@ -47,5 +66,6 @@
- name: Enable timer - name: Enable timer
service: service:
name: restic-base.timer name: restic-{{ item }}.timer
enabled: true enabled: true
loop: "{{ restic.config.keys() }}"
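Review bot: The "Init restic repository (Debian <12)" task passes `restic.remote.0 + item` on the command line, and that URL embeds the REST password from the vault. The secret is therefore visible in the process list on the target and in Ansible's task output and the registered `restic_init` result. Add `no_log: true` to that task and hand the repository over through the task's `environment:` as `RESTIC_REPOSITORY` rather than `--repo`. Separately, the Debian >=12 variant initialises `{{ item }}-repo` with `--password-file /etc/restic/base-password`, while the env file reads `{{ item.0 }}-password`. Unless every repository shares the base password, a non-base repository ends up with a key its own timer cannot open, so this should be `--password-file /etc/restic/{{ item }}-password`.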


@ -1,3 +1,3 @@
{% for dir in restic.to_exclude %} {% for dir in restic.config[item.0].to_exclude %}
{{ dir }} {{ dir }}
{% endfor %} {% endfor %}


@ -1,3 +1,3 @@
{% for dir in restic.to_backup %} {% for dir in restic.config[item.0].to_backup %}
{{ dir }} {{ dir }}
{% endfor %} {% endfor %}


@ -1 +1 @@
{{ vault.restic[ansible_hostname].repo_password }} {{ vault.restic[ansible_hostname].repo_password[item.0] }}


@ -1,3 +1,3 @@
{% for repo in restic.remote %} {% for repo in restic.remote %}
{{ repo }} {{ repo }}{{ item.0 }}
{% endfor %} {% endfor %}


@ -1,7 +1,11 @@
{{ ansible_header | comment }} {{ ansible_header | comment }}
RESTIC_REPOSITORY_FILE="/etc/restic/base-repo" {% if ansible_facts['distribution_major_version'] >= "12" %}
RESTIC_PASSWORD_FILE="/etc/restic/base-password" RESTIC_REPOSITORY_FILE="/etc/restic/{{ item.0 }}-repo"
{% else %}
RESTIC_REPOSITORY="{{ restic.remote.0 + item.0 }}"
{% endif %}
RESTIC_PASSWORD_FILE="/etc/restic/{{ item.0 }}-password"
RESTIC_CACHE_DIR="/var/cache/restic" RESTIC_CACHE_DIR="/var/cache/restic"
RESTIC_COMPRESSION="max" RESTIC_COMPRESSION="max"
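Review bot: `ansible_facts['distribution_major_version'] >= "12"` compares strings, so a single-digit release such as "9" sorts after "12" and would take the Debian >=12 branch. Compare numerically with `ansible_facts['distribution_major_version'] | int >= 12`; the `when:` conditions on the two init tasks in the task file have the same form. In the else branch `RESTIC_REPOSITORY` contains the REST password taken from `restic.remote`, so this file's confidentiality depends entirely on the root-only 0600 mode set by the deploy task.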


@ -5,9 +5,9 @@ After=network-online.target
Wants=network-online.target Wants=network-online.target
[Service] [Service]
EnvironmentFile=/etc/restic/base.env EnvironmentFile=/etc/restic/{{ item.0 }}.env
ExecStart=restic backup --files-from=/etc/restic/base-includes --exclude-file=/etc/restic/base-excludes ExecStart=restic backup --files-from=/etc/restic/{{ item.0 }}-includes --exclude-file=/etc/restic/{{ item.0 }}-excludes{{ restic.config[item.0].backup_extra_param | default("") }}
ExecStart=restic forget --prune --keep-daily 2 --keep-weekly 2 --keep-monthly 2 --keep-yearly 1 ExecStart=restic forget --prune{% for freq, n in restic.config[item.0].retention %} {{ freq }} {{ n }}{% endfor %}
Type=oneshot Type=oneshot
User=root User=root


@ -3,7 +3,7 @@
[Unit] [Unit]
[Timer] [Timer]
OnCalendar={{ 24 | random(seed=inventory_hostname) }}:{{ 60 | random(seed=inventory_hostname) }} OnCalendar={{ 24 | random(seed=inventory_hostname+item.0) }}:{{ 60 | random(seed=inventory_hostname+item.0) }}
Persistent=true Persistent=true
[Install] [Install]