Restructure role, add Systemd timer option. By @conloos (#112)
* add full path
* Update Readme.me: reorder optional Arguments, update cron -> systemd timer
* remove ssh_key_file; change cron to timer
* Removed cronie from package installation because systemd timer is used
* docker.sh - Stops all or selected containers to save the persistent data intact. The containers are started in reverse order
* Created arguments_specs.yml
* Role restructured:
- if needed creation of a service user incl. creation of the ssh-key,
- add the ssh key to authorized_keys,
- auto init of the repos,
- creation and start of systemd timer and services and
- installation of the Docker helperscript.
* restructure role add import logic
* cleanup: user backup_user
* - "borg_source_directories" is not longer a required Argument
- add "borg_keys_directory" to load key from Service user during starting borgmatic by sudo
* Add borgmatic_initialization_repo (bool) as option to disable init of repo
* cleanup
* fix ansible-lint errors and warnings
* fix letter turner
* add option: borgmatic_timer
* add:
- borgmatic_timer_systemd: true
readd:
- borgmatic_cron_name: "borgmatic"
* - renamed borgmatic_cron_name to borgmatic_timer_cron_name to be more convergent.
- Change recommendations implemented by m3nu so that creation of a timer (systemd or cron) is optional and can be selected via borgmatic_timer.
* Add description to borgmatic_timer_cron_name and borgmatic_timer
* Add variable borg_cron_package to install the cron-packages in case of using timer: cron
* reworked timer install logic
* reworked timer install logic
* Add comments for running backup with service account
* add new parameters for tests
* Switch created to perform the backup as root or service account. If a service account is to be used, it will be created.
* Refactored: Check for ssh-key if not present, genereate them.
* Refactored
* Refactored
* renamed tasks/03_configure.yml to tasks/04_create_links_to_borg_and_borgmatic.yml
* Refactored
* Refactored
* add example for service account
* Update Python version for testing
* No auto init
* Add description to install_backup
* Add description to install_backup
* set coverage back to: m3nu.ansible_role_borgbackup
* The initialization of the repository must be activated and does not take place automatically.
* The initialization of the repository must be activated and does not take place automatically.
* Removed install_backup as var (bool) to prevent that this role run
* Rename backup_ssh_command to borg_ssh_command, tis was a double definition
* Renamed backup_repository to borg_repository and add better explanations
* remove copy ssh-keys and cert parts
* Add comments to borg_ssh_key_file and borg_ssh_key_type
* Set allways the borg_ssh_key_file and borg_ssh_command to load the right ssh-key. Add borg_ssh_key_type to select the key type by user
* Add borg_ssh_key_type
* renamed id_rsa to backup
* generate ssh-keys (backup and backup.pub) and add better explanation
* Print out key if borgmatic_initialization_repo is false
* Remove 'su - {{ borgbackup_user }} -c' to execute the borgmatic by the right user
* Add Check frequency, therefore, we no longer need to distinguish between normal and large repos
* Add link to Article
* renamed backup_ssh_command and backup_ssh_key_file to borg_ssh_command and borg_ssh_key_file
* Removed: borgmatic_initialization_repo
* Removed: borgmatic_initialization_repo
* Removed: borgmatic_initialization_repo
* revert changes
* Add Full Automation
* polishing
* rename backup.timer and bakup.service to borgmatic.timer and borgmatic.service
* remove debug
* Try to find services in ansible_facts
* Forgot to install Cron
* change borg_ssh_key_type to ed25519
* remove conditional checks
* - add hint to using a service user
- renamed: borg_ssh_key_file to borg_ssh_key_file_path
- removed advanced example
* add borg_ssh_key_name, renamed borg_ssh_key_file to borg_ssh_key_file_path
* removed static pointing to ~/.ssh/backup SSH private key
* Add README-Advanced-Examples.md for storing more examples
* Fix test idempotence
* Dont symlink when using distro packages
* Remove old test targets, consistent wording, remove tag
* Remove helper scripts, fix absolute path
* Fix cron job, add assert to prevent duplicate timers
* nit-pick
* Create bin links as root, no borg_ssh_command by default.
* Add breaking changes note to README
---------
Co-authored-by: Manu <manu@snapdragon.cc>
2023-03-28 19:01:12 +02:00
|
|
|
# Managed by Ansible, please don't edit manually
|
|
|
|
|
|
|
|
|
|
[Unit]
|
|
|
|
|
Description=borgmatic backup
|
|
|
|
|
Wants=backup_normal_repo.timer
|
|
|
|
|
Wants=network-online.target
|
|
|
|
|
After=network-online.target
|
|
|
|
|
# Prevent borgmatic from running unless the machine is plugged into power. Remove this line if you
|
|
|
|
|
# want to allow borgmatic to run anytime.
|
|
|
|
|
ConditionACPower=true
|
|
|
|
|
|
|
|
|
|
[Service]
|
|
|
|
|
Type=oneshot
|
|
|
|
|
User={{ borg_user }}
|
2024-11-26 13:02:57 +01:00
|
|
|
ExecStart={{ 'sudo ' if borgmatic_run_as_root}}borgmatic -c /etc/borgmatic/{{ borgmatic_config_name }}
|
Restructure role, add Systemd timer option. By @conloos (#112)
* add full path
* Update Readme.me: reorder optional Arguments, update cron -> systemd timer
* remove ssh_key_file; change cron to timer
* Removed cronie from package installation because systemd timer is used
* docker.sh - Stops all or selected containers to save the persistent data intact. The containers are started in reverse order
* Created arguments_specs.yml
* Role restructured:
- if needed creation of a service user incl. creation of the ssh-key,
- add the ssh key to authorized_keys,
- auto init of the repos,
- creation and start of systemd timer and services and
- installation of the Docker helperscript.
* restructure role add import logic
* cleanup: user backup_user
* - "borg_source_directories" is not longer a required Argument
- add "borg_keys_directory" to load key from Service user during starting borgmatic by sudo
* Add borgmatic_initialization_repo (bool) as option to disable init of repo
* cleanup
* fix ansible-lint errors and warnings
* fix letter turner
* add option: borgmatic_timer
* add:
- borgmatic_timer_systemd: true
readd:
- borgmatic_cron_name: "borgmatic"
* - renamed borgmatic_cron_name to borgmatic_timer_cron_name to be more convergent.
- Change recommendations implemented by m3nu so that creation of a timer (systemd or cron) is optional and can be selected via borgmatic_timer.
* Add description to borgmatic_timer_cron_name and borgmatic_timer
* Add variable borg_cron_package to install the cron-packages in case of using timer: cron
* reworked timer install logic
* reworked timer install logic
* Add comments for running backup with service account
* add new parameters for tests
* Switch created to perform the backup as root or service account. If a service account is to be used, it will be created.
* Refactored: Check for ssh-key if not present, genereate them.
* Refactored
* Refactored
* renamed tasks/03_configure.yml to tasks/04_create_links_to_borg_and_borgmatic.yml
* Refactored
* Refactored
* add example for service account
* Update Python version for testing
* No auto init
* Add description to install_backup
* Add description to install_backup
* set coverage back to: m3nu.ansible_role_borgbackup
* The initialization of the repository must be activated and does not take place automatically.
* The initialization of the repository must be activated and does not take place automatically.
* Removed install_backup as var (bool) to prevent that this role run
* Rename backup_ssh_command to borg_ssh_command, tis was a double definition
* Renamed backup_repository to borg_repository and add better explanations
* remove copy ssh-keys and cert parts
* Add comments to borg_ssh_key_file and borg_ssh_key_type
* Set allways the borg_ssh_key_file and borg_ssh_command to load the right ssh-key. Add borg_ssh_key_type to select the key type by user
* Add borg_ssh_key_type
* renamed id_rsa to backup
* generate ssh-keys (backup and backup.pub) and add better explanation
* Print out key if borgmatic_initialization_repo is false
* Remove 'su - {{ borgbackup_user }} -c' to execute the borgmatic by the right user
* Add Check frequency, therefore, we no longer need to distinguish between normal and large repos
* Add link to Article
* renamed backup_ssh_command and backup_ssh_key_file to borg_ssh_command and borg_ssh_key_file
* Removed: borgmatic_initialization_repo
* Removed: borgmatic_initialization_repo
* Removed: borgmatic_initialization_repo
* revert changes
* Add Full Automation
* polishing
* rename backup.timer and bakup.service to borgmatic.timer and borgmatic.service
* remove debug
* Try to find services in ansible_facts
* Forgot to install Cron
* change borg_ssh_key_type to ed25519
* remove conditional checks
* - add hint to using a service user
- renamed: borg_ssh_key_file to borg_ssh_key_file_path
- removed advanced example
* add borg_ssh_key_name, renamed borg_ssh_key_file to borg_ssh_key_file_path
* removed static pointing to ~/.ssh/backup SSH private key
* Add README-Advanced-Examples.md for storing more examples
* Fix test idempotence
* Dont symlink when using distro packages
* Remove old test targets, consistent wording, remove tag
* Remove helper scripts, fix absolute path
* Fix cron job, add assert to prevent duplicate timers
* nit-pick
* Create bin links as root, no borg_ssh_command by default.
* Add breaking changes note to README
---------
Co-authored-by: Manu <manu@snapdragon.cc>
2023-03-28 19:01:12 +02:00
|
|
|
|
|
|
|
|
# Source: https://projects.torsion.org/borgmatic-collective/borgmatic/raw/branch/master/sample/systemd/borgmatic.service
|
|
|
|
|
# Security settings for systemd running as root, optional but recommended to improve security. You
|
|
|
|
|
# can disable individual settings if they cause problems for your use case. For more details, see
|
|
|
|
|
# the systemd manual: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
|
|
|
|
|
LockPersonality=true
|
|
|
|
|
# Certain borgmatic features like Healthchecks integration need MemoryDenyWriteExecute to be off.
|
|
|
|
|
# But you can try setting it to "yes" for improved security if you don't use those features.
|
|
|
|
|
MemoryDenyWriteExecute=no
|
2024-11-26 13:02:57 +01:00
|
|
|
NoNewPrivileges={{ 'no' if borgmatic_run_as_root else 'yes'}}
|
Restructure role, add Systemd timer option. By @conloos (#112)
* add full path
* Update Readme.me: reorder optional Arguments, update cron -> systemd timer
* remove ssh_key_file; change cron to timer
* Removed cronie from package installation because systemd timer is used
* docker.sh - Stops all or selected containers to save the persistent data intact. The containers are started in reverse order
* Created arguments_specs.yml
* Role restructured:
- if needed creation of a service user incl. creation of the ssh-key,
- add the ssh key to authorized_keys,
- auto init of the repos,
- creation and start of systemd timer and services and
- installation of the Docker helperscript.
* restructure role add import logic
* cleanup: user backup_user
* - "borg_source_directories" is not longer a required Argument
- add "borg_keys_directory" to load key from Service user during starting borgmatic by sudo
* Add borgmatic_initialization_repo (bool) as option to disable init of repo
* cleanup
* fix ansible-lint errors and warnings
* fix letter turner
* add option: borgmatic_timer
* add:
- borgmatic_timer_systemd: true
readd:
- borgmatic_cron_name: "borgmatic"
* - renamed borgmatic_cron_name to borgmatic_timer_cron_name to be more convergent.
- Change recommendations implemented by m3nu so that creation of a timer (systemd or cron) is optional and can be selected via borgmatic_timer.
* Add description to borgmatic_timer_cron_name and borgmatic_timer
* Add variable borg_cron_package to install the cron-packages in case of using timer: cron
* reworked timer install logic
* reworked timer install logic
* Add comments for running backup with service account
* add new parameters for tests
* Switch created to perform the backup as root or service account. If a service account is to be used, it will be created.
* Refactored: Check for ssh-key if not present, genereate them.
* Refactored
* Refactored
* renamed tasks/03_configure.yml to tasks/04_create_links_to_borg_and_borgmatic.yml
* Refactored
* Refactored
* add example for service account
* Update Python version for testing
* No auto init
* Add description to install_backup
* Add description to install_backup
* set coverage back to: m3nu.ansible_role_borgbackup
* The initialization of the repository must be activated and does not take place automatically.
* The initialization of the repository must be activated and does not take place automatically.
* Removed install_backup as var (bool) to prevent that this role run
* Rename backup_ssh_command to borg_ssh_command, tis was a double definition
* Renamed backup_repository to borg_repository and add better explanations
* remove copy ssh-keys and cert parts
* Add comments to borg_ssh_key_file and borg_ssh_key_type
* Set allways the borg_ssh_key_file and borg_ssh_command to load the right ssh-key. Add borg_ssh_key_type to select the key type by user
* Add borg_ssh_key_type
* renamed id_rsa to backup
* generate ssh-keys (backup and backup.pub) and add better explanation
* Print out key if borgmatic_initialization_repo is false
* Remove 'su - {{ borgbackup_user }} -c' to execute the borgmatic by the right user
* Add Check frequency, therefore, we no longer need to distinguish between normal and large repos
* Add link to Article
* renamed backup_ssh_command and backup_ssh_key_file to borg_ssh_command and borg_ssh_key_file
* Removed: borgmatic_initialization_repo
* Removed: borgmatic_initialization_repo
* Removed: borgmatic_initialization_repo
* revert changes
* Add Full Automation
* polishing
* rename backup.timer and bakup.service to borgmatic.timer and borgmatic.service
* remove debug
* Try to find services in ansible_facts
* Forgot to install Cron
* change borg_ssh_key_type to ed25519
* remove conditional checks
* - add hint to using a service user
- renamed: borg_ssh_key_file to borg_ssh_key_file_path
- removed advanced example
* add borg_ssh_key_name, renamed borg_ssh_key_file to borg_ssh_key_file_path
* removed static pointing to ~/.ssh/backup SSH private key
* Add README-Advanced-Examples.md for storing more examples
* Fix test idempotence
* Dont symlink when using distro packages
* Remove old test targets, consistent wording, remove tag
* Remove helper scripts, fix absolute path
* Fix cron job, add assert to prevent duplicate timers
* nit-pick
* Create bin links as root, no borg_ssh_command by default.
* Add breaking changes note to README
---------
Co-authored-by: Manu <manu@snapdragon.cc>
2023-03-28 19:01:12 +02:00
|
|
|
PrivateDevices=yes
|
|
|
|
|
PrivateTmp=yes
|
|
|
|
|
ProtectClock=yes
|
|
|
|
|
ProtectControlGroups=yes
|
|
|
|
|
ProtectHostname=yes
|
|
|
|
|
ProtectKernelLogs=yes
|
|
|
|
|
ProtectKernelModules=yes
|
|
|
|
|
ProtectKernelTunables=yes
|
|
|
|
|
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
|
|
|
|
|
RestrictNamespaces=yes
|
|
|
|
|
RestrictRealtime=yes
|
|
|
|
|
RestrictSUIDSGID=yes
|
|
|
|
|
SystemCallArchitectures=native
|
|
|
|
|
SystemCallFilter=@system-service
|
|
|
|
|
SystemCallErrorNumber=EPERM
|
|
|
|
|
# To restrict write access further, change "ProtectSystem" to "strict" and uncomment
|
|
|
|
|
# "ReadWritePaths", "ReadOnlyPaths", "ProtectHome", and "BindPaths". Then add any local repository
|
|
|
|
|
# paths to the list of "ReadWritePaths" and local backup source paths to "ReadOnlyPaths". This
|
|
|
|
|
# leaves most of the filesystem read-only to borgmatic.
|
|
|
|
|
ProtectSystem=full
|
|
|
|
|
# ReadWritePaths=-/mnt/my_backup_drive
|
|
|
|
|
# ReadOnlyPaths=-/var/lib/my_backup_source
|
|
|
|
|
# This will mount a tmpfs on top of /root and pass through needed paths
|
|
|
|
|
# ProtectHome=tmpfs
|
|
|
|
|
# BindPaths=-/root/.cache/borg -/root/.config/borg -/root/.borgmatic
|
|
|
|
|
|
|
|
|
|
# May interfere with running external programs within borgmatic hooks.
|
|
|
|
|
# CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
|
|
|
|
|
|
|
|
|
|
# Lower CPU and I/O priority.
|
|
|
|
|
Nice=19
|
|
|
|
|
CPUSchedulingPolicy=batch
|
|
|
|
|
IOSchedulingClass=best-effort
|
|
|
|
|
IOSchedulingPriority=7
|
|
|
|
|
IOWeight=100
|
