Indépendance de restic (avec borg dans les variables), généralisation de la configuration (possibilité d'avoir un autre timer de backup) et prise en charge de debian bullseye (version <12)

2024-11-18 09:13:30 +01:00 · 2024-11-18 09:13:30 +01:00 · e7170f7633
parent d8257424e2
commit e7170f7633
20 changed files with 161 additions and 48 deletions
--- a/group_vars/all/restic.yml
+++ b/group_vars/all/restic.yml
@ -1,9 +1,17 @@
 ---
 glob_restic:
-  to_exclude:
-    - /var/lib/lxcfs
-  to_backup:
-    - /etc
-    - /var
+  config:
+    base:
+      to_exclude:
+        - /var/cache
+        - /var/lib/lxcfs
+      to_backup:
+        - /etc
+        - /var
+      retention:
+        - [--keep-daily, 2]
+        - [--keep-weekly, 2]
+        - [--keep-monthly, 2]
+        - [--keep-yearly, 1]
  remote:
-    - rest:http://{{ ansible_hostname }}:{{ vault.restic[ansible_hostname].rest_password }}@172.16.10.14/{{ ansible_hostname }}/base
+    - rest:http://{{ ansible_hostname }}:{{ vault.restic[ansible_hostname].rest_password }}@172.16.10.14/{{ ansible_hostname }}/
--- a/host_vars/apprentis.adm.crans.org.yml
+++ b/host_vars/apprentis.adm.crans.org.yml
@ -7,3 +7,17 @@ loc_unattended:

 loc_needrestart:
  override: []
+
+loc_borg:
+  to_backup:
+    - /etc
+    - /home_nounou
+    - /var
+
+loc_restic:
+  config:
+    base:
+      to_backup:
+        - /etc
+        - /home_nounou
+        - /var
--- a/host_vars/cameron.adm.crans.org.yml
+++ b/host_vars/cameron.adm.crans.org.yml
@ -10,6 +10,27 @@ loc_borg:
    - /var/mail
    - /var/lib/lxcfs

+loc_restic:
+  config:
+    base:
+      to_exclude:
+        - /var/cache
+        - /var/mail
+        - /var/lib/lxcfs
+    pool:
+      to_exclude:
+        - "*.pyc"
+        - "\\#*\\#"
+        - "*~"
+      to_backup:
+        - /pool/home
+        - /pool/mail
+      retention:
+        - [--keep-daily, 4]
+        - [--keep-weekly, 4]
+        - [--keep-monthly, 6]
+      backup_extra_param: " --exclude-if-present .nobackup"
+
 loc_service_home:
  name: home
  install_dir: /var/local/services/home
--- a/host_vars/cephiroth.adm.crans.org.yml
+++ b/host_vars/cephiroth.adm.crans.org.yml
@ -1,17 +0,0 @@
---
-interfaces:
-  disable: true
-
-loc_needrestart:
-  override: []
-
-loc_borg:
-  to_backup:
-    - /etc
-    - /home_nounou
-    - /var
-
-loc_slapd:
-  ip: "{{ lookup('ldap', 'ip4', 'cephiroth', 'adm') }}"
-  replica: true
-  replica_rid: 5
--- a/host_vars/ft.adm.crans.org.yml
+++ b/host_vars/ft.adm.crans.org.yml
@ -11,6 +11,14 @@ loc_borg:
    - /home_nounou
    - /var

+loc_restic:
+  config:
+    base:
+      to_backup:
+        - /etc
+        - /home_nounou
+        - /var
+
 loc_slapd:
  ip: "{{ lookup('ldap', 'ip4', 'ft', 'adm') }}"
  replica: true
--- a/host_vars/owl.adm.crans.org.yml
+++ b/host_vars/owl.adm.crans.org.yml
@ -16,3 +16,11 @@ loc_borg:
  to_exclude:
    - /var/mail
    - /var/lib/lxcfs
+
+loc_restic:
+  config:
+    base:
+      to_exclude:
+        - /var/cache
+        - /var/mail
+        - /var/lib/lxcfs
--- a/host_vars/routeur-sam.adm.crans.org/restic.yml
+++ b/host_vars/routeur-sam.adm.crans.org/restic.yml
@ -0,0 +1,8 @@
+---
+loc_restic:
+  config:
+    base:
+      to_backup:
+        - /etc
+        - /home_nounou
+        - /var
--- a/host_vars/sam.adm.crans.org.yml
+++ b/host_vars/sam.adm.crans.org.yml
@ -11,6 +11,15 @@ loc_borg:
    - /home_nounou
    - /var

+
+loc_restic:
+  config:
+    base:
+      to_backup:
+        - /etc
+        - /home_nounou
+        - /var
+
 loc_slapd:
  ip: "{{ lookup('ldap', 'ip4', 'sam', 'adm') }}"
  replica: true
--- a/host_vars/tealc.adm.crans.org.yml
+++ b/host_vars/tealc.adm.crans.org.yml
@ -41,6 +41,25 @@ loc_borg:
    - /var
    - /pool/home

+loc_restic:
+  config:
+    base:
+      to_backup:
+        - /etc
+        - /var
+    pool:
+      to_exclude:
+        - "*.pyc"
+        - "\\#*\\#"
+        - "*~"
+      to_backup:
+        - /pool/home
+      retention:
+        - [--keep-daily, 4]
+        - [--keep-weekly, 4]
+        - [--keep-monthly, 6]
+      backup_extra_param: " --exclude-if-present .nobackup"
+
 loc_rsyslog_server:
  name: tealc
  root: /pool/logs
--- a/host_vars/zamok.adm.crans.org.yml
+++ b/host_vars/zamok.adm.crans.org.yml
@ -19,6 +19,16 @@ loc_borg:
    - /var/lib/lxcfs
    - /var/lib/mysql

+loc_restic:
+  config:
+    base:
+      to_exclude:
+        - /var/cache
+        - /var/mail
+        - /var/lib/podman
+        - /var/lib/lxcfs
+        - /var/lib/mysql
+
 loc_thelounge:
  host: "\"{{ lookup('ldap', 'ip4', 'zamok', 'adm') }}\""
  oidentd: "\"/usr/local/lib/thelounge/.oidentd.conf\""
--- a/plays/restic_client.yml
+++ b/plays/restic_client.yml
@ -3,6 +3,6 @@

 - hosts: server
  vars:
-    restic: "{{ glob_restic | default({}) | combine(loc_borg | default({})) }}"
+    restic: "{{ glob_restic | default({}) | combine(loc_restic | default({}), recursive=true) }}"
  roles:
    - restic-client
--- a/roles/restic-client/handlers/main.yml
+++ b/roles/restic-client/handlers/main.yml
@ -1,5 +1,6 @@
 ---
 - name: Restart timer
  service:
-    name: restic-base.timer
+    name: restic-{{ item }}.timer
    state: restarted
+  loop: "{{ restic.config.keys() }}"
--- a/roles/restic-client/tasks/main.yml
+++ b/roles/restic-client/tasks/main.yml
@ -18,26 +18,45 @@

 - name: Deploy restic config
  template:
-    src: "{{ item }}.j2"
-    dest: /etc/{{ item }}
+    src: "restic/base{{ item.1 }}.j2"
+    dest: /etc/restic/{{ item.0 }}{{ item.1 }}
    mode: 0600
    owner: root
    group: root
-  loop:
-    - restic/base.env
-    - restic/base-excludes
-    - restic/base-includes
-    - restic/base-password
-    - restic/base-repo
-    - systemd/system/restic-base.service
-    - systemd/system/restic-base.timer
+  with_nested:
+    - "{{ restic.config }}"
+    - { .env, -excludes, -includes, -password, -repo }
  notify: Restart timer

- name: Init restic repository
+- name: Deploy restic systemd
+  template:
+    src: "systemd/system/restic-base{{ item.1 }}.j2"
+    dest: /etc/systemd/system/restic-{{ item.0 }}{{ item.1 }}
+    mode: 0600
+    owner: root
+    group: root
+  with_nested:
+    - "{{ restic.config }}"
+    - { .service, .timer }
+  notify: Restart timer
+
+- name: Init restic repository (Debian >=12)
  command:
-    cmd: "restic init --repository-file /etc/restic/base-repo --password-file /etc/restic/base-password"
+    cmd: "restic init --repository-file /etc/restic/{{ item }}-repo --password-file /etc/restic/base-password"
  register: restic_init
  ignore_errors: true
+  loop: "{{ restic.config.keys() }}"
+  when:
+    - ansible_facts['distribution_major_version'] >= "12"
+
+- name: Init restic repository (Debian <12)
+  command:
+    cmd: "restic init --repo {{ restic.remote.0 + item }} --password-file /etc/restic/{{ item }}-password"
+  register: restic_init
+  ignore_errors: true
+  loop: "{{ restic.config.keys() }}"
+  when:
+    - ansible_facts['distribution_major_version'] < "12"

 - name: Indicate role in motd
  template:
@ -47,5 +66,6 @@

 - name: Enable timer
  service:
-    name: restic-base.timer
+    name: restic-{{ item }}.timer
    enabled: true
+  loop: "{{ restic.config.keys() }}"
--- a/roles/restic-client/templates/restic/base-excludes.j2
+++ b/roles/restic-client/templates/restic/base-excludes.j2
@ -1,3 +1,3 @@
-{% for dir in restic.to_exclude %}
+{% for dir in restic.config[item.0].to_exclude %}
 {{ dir }}
 {% endfor %}
--- a/roles/restic-client/templates/restic/base-includes.j2
+++ b/roles/restic-client/templates/restic/base-includes.j2
@ -1,3 +1,3 @@
-{% for dir in restic.to_backup %}
+{% for dir in restic.config[item.0].to_backup %}
 {{ dir }}
 {% endfor %}
--- a/roles/restic-client/templates/restic/base-password.j2
+++ b/roles/restic-client/templates/restic/base-password.j2
@ -1 +1 @@
-{{ vault.restic[ansible_hostname].repo_password }}
+{{ vault.restic[ansible_hostname].repo_password[item.0] }}
--- a/roles/restic-client/templates/restic/base-repo.j2
+++ b/roles/restic-client/templates/restic/base-repo.j2
@ -1,3 +1,3 @@
 {% for repo in restic.remote %}
-{{ repo }}
+{{ repo }}{{ item.0 }}
 {% endfor %}
--- a/roles/restic-client/templates/restic/base.env.j2
+++ b/roles/restic-client/templates/restic/base.env.j2
@ -1,7 +1,11 @@
 {{ ansible_header | comment }}

-RESTIC_REPOSITORY_FILE="/etc/restic/base-repo"
-RESTIC_PASSWORD_FILE="/etc/restic/base-password"
+{% if ansible_facts['distribution_major_version'] >= "12" %}
+RESTIC_REPOSITORY_FILE="/etc/restic/{{ item.0 }}-repo"
+{% else %}
+RESTIC_REPOSITORY="{{ restic.remote.0 + item.0 }}"
+{% endif %}
+RESTIC_PASSWORD_FILE="/etc/restic/{{ item.0 }}-password"

 RESTIC_CACHE_DIR="/var/cache/restic"
 RESTIC_COMPRESSION="max"
--- a/roles/restic-client/templates/systemd/system/restic-base.service.j2
+++ b/roles/restic-client/templates/systemd/system/restic-base.service.j2
@ -5,9 +5,9 @@ After=network-online.target
 Wants=network-online.target

 [Service]
-EnvironmentFile=/etc/restic/base.env
-ExecStart=restic backup --files-from=/etc/restic/base-includes --exclude-file=/etc/restic/base-excludes
-ExecStart=restic forget --prune --keep-daily 2 --keep-weekly 2 --keep-monthly 2 --keep-yearly 1
+EnvironmentFile=/etc/restic/{{ item.0 }}.env
+ExecStart=restic backup --files-from=/etc/restic/{{ item.0 }}-includes --exclude-file=/etc/restic/{{ item.0 }}-excludes{{ restic.config[item.0].backup_extra_param | default("") }}
+ExecStart=restic forget --prune{% for freq, n in restic.config[item.0].retention %} {{ freq }} {{ n }}{% endfor %}

 Type=oneshot
 User=root
--- a/roles/restic-client/templates/systemd/system/restic-base.timer.j2
+++ b/roles/restic-client/templates/systemd/system/restic-base.timer.j2
@ -3,7 +3,7 @@
 [Unit]

 [Timer]
-OnCalendar={{ 24 | random(seed=inventory_hostname) }}:{{ 60 | random(seed=inventory_hostname) }}
+OnCalendar={{ 24 | random(seed=inventory_hostname+item.0) }}:{{ 60 | random(seed=inventory_hostname+item.0) }}
 Persistent=true

 [Install]