diff --git a/meta/argument_specs.yml b/meta/argument_specs.yml
index 8d14e28..7b62880 100644
--- a/meta/argument_specs.yml
+++ b/meta/argument_specs.yml
@@ -8,6 +8,10 @@ argument_specs:
 - 2018-2020 Manuel Riel and contributors.
 - Frank Dornheim
 options:
+ borg_app_name:
+ type: str
+ required: false
+ description: Name of the application (borgbackup or borgmatic).
 borg_dep_packages:
 type: str
 required: false
diff --git a/tasks/05_configure.yml b/tasks/05_configure.yml
index e055c20..0d84bc1 100644
--- a/tasks/05_configure.yml
+++ b/tasks/05_configure.yml
@@ -8,6 +8,15 @@
 mode: "0700"
 owner: "{{ borg_user }}"
 group: "{{ borg_group }}"
+
+ - name: Ensure /etc/borgmatic.d exists
+ ansible.builtin.file:
+ path: /etc/borgmatic.d
+ state: directory
+ mode: "0700"
+ owner: "{{ borg_user }}"
+ group: "{{ borg_group }}"
+ when: borg_app_name is defined and borg_app_name | length > 0
 
 - name: Add Borgmatic configuration
 ansible.builtin.template:
@@ -16,4 +25,15 @@
 mode: "0600"
 owner: "{{ borg_user }}"
 group: "{{ borg_group }}"
+ when: borg_app_name is not defined or borg_app_name | length == 0
+
+ - name: Add Borgmatic app configuration
+ ansible.builtin.template:
+ src: config.yaml.j2
+ dest: "/etc/borgmatic.d/{{ borg_app_name }}-{{ borgmatic_config_name }}"
+ mode: "0600"
+ owner: "{{ borg_user }}"
+ group: "{{ borg_group }}"
+ when: borg_app_name is defined and borg_app_name | length > 0
+
 ...
diff --git a/tasks/noauto_create_backup_user_and_group.yml b/tasks/noauto_create_backup_user_and_group.yml
index d11526e..38cc49b 100644
--- a/tasks/noauto_create_backup_user_and_group.yml
+++ b/tasks/noauto_create_backup_user_and_group.yml
@@ -31,4 +31,5 @@
 commands:
 - "/opt/borgmatic/bin/borg"
 - "/usr/local/bin/borgmatic -c /etc/borgmatic/{{ borgmatic_config_name }}"
+ - "/usr/local/bin/borgmatic -c /etc/borgmatic.d/{{ borg_app_name }}-{{ borgmatic_config_name }}"
 ...
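Review bot: The description of `borg_app_name` says it names "the application (borgbackup or borgmatic)", but in this commit the value is used as a per-instance identifier: it forms the config filename `/etc/borgmatic.d/<name>-<config>` in `05_configure.yml` and, via `%i`, the systemd instance `borgmatic@<name>`. A reader who picks one of the two suggested words would get a misleading filename and instance name. I would write `description: Optional instance name. When set, the config is rendered to /etc/borgmatic.d/<borg_app_name>-<borgmatic_config_name> and run by borgmatic@<borg_app_name>.timer; leave unset for the single /etc/borgmatic config. Should be a plain name (letters, digits, '-' or '_').` and keep `required: false`, since the tasks treat an unset or empty value as the single-config mode.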
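Review bot: The guard `when: borg_app_name is defined and borg_app_name | length > 0` on the new `Ensure /etc/borgmatic.d exists` task is repeated verbatim on the two template tasks below and negated on the default one, so a future change to the rule has to be made in four places. The shorter `when: borg_app_name | default('') | length > 0` handles both the undefined and the empty case in one expression, and its negation `| length == 0` stays symmetric. The new task is also identical in `mode`/`owner`/`group` to the directory task just above it, whose `name` and `path` lines are outside the hunk; if that task creates `/etc/borgmatic`, a single `ansible.builtin.file` task with a `loop` over both paths would be tidier.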
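Review bot: `dest: "/etc/borgmatic.d/{{ borg_app_name }}-{{ borgmatic_config_name }}"` in the new `Add Borgmatic app configuration` task interpolates an unvalidated variable into a path that is written as root; a value containing `/` or `..` places the rendered config outside `/etc/borgmatic.d`, and the same string later has to serve as a systemd instance name, where `/` and `@` are not permitted. The argument spec only declares `type: str`, so nothing rejects such values. I would add an assert ahead of the template task that restricts the name to a single path component:
```yaml
- name: Validate borg_app_name is a plain instance name
  ansible.builtin.assert:
    that:
      - borg_app_name is match('^[A-Za-z0-9_-]+$')
    fail_msg: "borg_app_name must match ^[A-Za-z0-9_-]+$ (it is used as a file name and a systemd instance name)"
  when: borg_app_name is defined and borg_app_name | length > 0

# … unchanged: Add Borgmatic app configuration task …
```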
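Review bot: The new sudoers entry references `{{ borg_app_name }}` unconditionally, whereas every other use in this commit is guarded by `borg_app_name is defined`; on a host that does not set the variable this task now fails with an undefined-variable error under Ansible's defaults, and papering over it with `| default('')` would instead grant sudo on the meaningless path `/etc/borgmatic.d/-<config>`. Because the entry is a sudoers command spec, a name containing a comma, whitespace or `*` would also alter the rule's grammar rather than just the path, which is a second reason to validate the name before it reaches this file. The task's name and module are above the hunk, so I am assuming `commands` is a sudoers command list; I would build it conditionally:
```yaml
      commands: >-
        {{ ['/opt/borgmatic/bin/borg',
            '/usr/local/bin/borgmatic -c /etc/borgmatic/' ~ borgmatic_config_name]
           + (['/usr/local/bin/borgmatic -c /etc/borgmatic.d/' ~ borg_app_name ~ '-' ~ borgmatic_config_name]
              if borg_app_name | default('') | length > 0 else []) }}
```
Note also that this entry hard-codes `/usr/local/bin/borgmatic` while the new `borgmatic@.service` runs `{{ borg_abs_path }}/borgmatic`; if those differ, the sudo rule never matches the command the unit runs.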
diff --git a/tasks/noauto_create_timer_systemd.yml b/tasks/noauto_create_timer_systemd.yml
index 40619df..b31b412 100644
--- a/tasks/noauto_create_timer_systemd.yml
+++ b/tasks/noauto_create_timer_systemd.yml
@@ -28,6 +28,12 @@
 with_items:
 - { src: "borgmatic.timer.j2", dest: "/usr/lib/systemd/system/borgmatic.timer", mode: "0644" }
 - { src: "borgmatic.service.j2", dest: "/usr/lib/systemd/system/borgmatic.service", mode: "0644" }
+ - { src: "borgmatic@.timer.j2", dest: "/usr/lib/systemd/system/borgmatic@.timer", mode: "0644" }
+ - { src: "borgmatic@.service.j2", dest: "/usr/lib/systemd/system/borgmatic@.service", mode: "0644" }
+
+ - name: Reload systemd
+ ansible.builtin.systemd:
+ daemon_reload: true
 
 - name: Populate service facts
 ansible.builtin.service_facts:
diff --git a/templates/borgmatic.timer.j2 b/templates/borgmatic.timer.j2
index 2ff402c..0093cf5 100644
--- a/templates/borgmatic.timer.j2
+++ b/templates/borgmatic.timer.j2
@@ -1,4 +1,4 @@
-# Managed by Ansible, please don't edit manually
+# {{ ansible_managed }}
 
 [Unit]
 Description=Start creating of Backups - see: https://www.freedesktop.org/software/systemd/man/systemd.time.html#
diff --git a/templates/borgmatic@.service.j2 b/templates/borgmatic@.service.j2
new file mode 100644
index 0000000..47189df
--- /dev/null
+++ b/templates/borgmatic@.service.j2
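Review bot: The new `Reload systemd` task runs `daemon_reload: true` on every play, not only when a unit file actually changed, so each run reports a change and reloads the manager needlessly; adding `register: borgmatic_unit_files` to the template task and `when: borgmatic_unit_files is changed` to the reload (or moving the reload into a handler notified by the template task) keeps the play idempotent. The template task's `name` and module lines are above the hunk. I also see nothing in this hunk that enables `borgmatic@{{ borg_app_name }}.timer` once the instance units are installed; if that happens after the `Populate service facts` task it is outside my view, otherwise the instance timer is written but never armed.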
@@ -0,0 +1,60 @@
+#{{ ansible_managed }}
+
+[Unit]
+Description=borgmatic backup
+Wants=backup_normal_repo.timer
+Wants=network-online.target
+After=network-online.target
+# Prevent borgmatic from running unless the machine is plugged into power. Remove this line if you
+# want to allow borgmatic to run anytime.
+ConditionACPower=true
+
+[Service]
+Type=oneshot
+User={{ borg_user }}
+ExecStart={{ borg_abs_path }}/borgmatic -c /etc/borgmatic.d/%i-{{ borgmatic_config_name }} {{ borgmatic_timer_flags }}
+
+# Source: https://projects.torsion.org/borgmatic-collective/borgmatic/raw/branch/master/sample/systemd/borgmatic.service
+# Security settings for systemd running as root, optional but recommended to improve security. You
+# can disable individual settings if they cause problems for your use case. For more details, see
+# the systemd manual: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+LockPersonality=true
+# Certain borgmatic features like Healthchecks integration need MemoryDenyWriteExecute to be off.
+# But you can try setting it to "yes" for improved security if you don't use those features.
+MemoryDenyWriteExecute=no
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+# To restrict write access further, change "ProtectSystem" to "strict" and uncomment
+# "ReadWritePaths", "ReadOnlyPaths", "ProtectHome", and "BindPaths". Then add any local repository
+# paths to the list of "ReadWritePaths" and local backup source paths to "ReadOnlyPaths". This
+# leaves most of the filesystem read-only to borgmatic.
+ProtectSystem=full
+# ReadWritePaths=-/mnt/my_backup_drive
+# ReadOnlyPaths=-/var/lib/my_backup_source
+# This will mount a tmpfs on top of /root and pass through needed paths
+# ProtectHome=tmpfs
+# BindPaths=-/root/.cache/borg -/root/.config/borg -/root/.borgmatic
+
+# May interfere with running external programs within borgmatic hooks.
+# CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
+
+# Lower CPU and I/O priority.
+Nice=19
+CPUSchedulingPolicy=batch
+IOSchedulingClass=best-effort
+IOSchedulingPriority=7
+IOWeight=100
diff --git a/templates/borgmatic@.timer.j2 b/templates/borgmatic@.timer.j2
new file mode 100644
index 0000000..0093cf5
--- /dev/null
+++ b/templates/borgmatic@.timer.j2
@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+
+[Unit]
+Description=Start creating of Backups - see: https://www.freedesktop.org/software/systemd/man/systemd.time.html#
+
+[Timer]
+# Day-of-the-Week Year-Month-Day Hour:Minutes:Seconds
+# Persistent -> resume backup after shutdown
+OnCalendar= *-*-* {{ borgmatic_timer_hour }}:{{ borgmatic_timer_minute }}:00
+Persistent=true
+
+[Install]
+WantedBy=timers.target
\ No newline at end of file
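Review bot: The hardening comments copied from the upstream sample still describe "systemd running as root" and point the commented `BindPaths=` at `/root/.cache/borg`, `/root/.config/borg` and `/root/.borgmatic`, yet this unit sets `User={{ borg_user }}`; an operator who follows the comment and uncomments `ProtectHome=tmpfs` together with those paths would mask the borg user's own home, i.e. exactly the "needed paths" the comment says must be passed through, and the job would then presumably run without its cache and config. I would reword the header to `# Security settings; this unit runs as {{ borg_user }}, so the BindPaths example below must point at that user's home rather than /root.` and change the example paths to match. `Wants=backup_normal_repo.timer` names a unit nothing in this diff installs; unless the role creates it elsewhere it is a leftover and should go. Finally, the first line `#{{ ansible_managed }}` is missing the space after `#` that the timer templates use.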
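Review bot: This instance timer is byte-identical to `borgmatic.timer.j2` (both are blob `0093cf5`), so every `borgmatic@<name>.timer` fires at exactly the same `{{ borgmatic_timer_hour }}:{{ borgmatic_timer_minute }}` as the base `borgmatic.timer` and as every other instance; if two of those jobs write to the same repository they will presumably contend for the same repository lock. A `RandomizedDelaySec=` line, or a per-instance offset variable, would spread the runs out. The generic description could also say what the instance actually starts, e.g. `Description=Run borgmatic@%i.service on a schedule`. The file lacks a trailing newline (`\ No newline at end of file`); add one.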