ADMIN-6044: add app_name

2025-09-17 17:53:06 +02:00 · 2025-09-05 11:22:25 +04:00 · 2025-09-05 11:22:25 +04:00 · 009e2af2d0
commit 009e2af2d0
parent 714cb2dd6f
7 changed files with 105 additions and 1 deletions
--- a/meta/argument_specs.yml
+++ b/meta/argument_specs.yml
@ -8,6 +8,10 @@ argument_specs:
      - 2018-2020 Manuel Riel and contributors.
      - Frank Dornheim
    options:
+      borg_app_name:
+        type: str
+        required: false
+        description: Name of the application (borgbackup or borgmatic).
      borg_dep_packages:
        type: str
        required: false
--- a/tasks/05_configure.yml
+++ b/tasks/05_configure.yml
@ -9,6 +9,15 @@
        owner: "{{ borg_user }}"
        group: "{{ borg_group }}"
    
+    - name: Ensure /etc/borgmatic.d exists
+      ansible.builtin.file:
+        path: /etc/borgmatic.d
+        state: directory
+        mode: "0700"
+        owner: "{{ borg_user }}"
+        group: "{{ borg_group }}"
+      when: borg_app_name is defined and borg_app_name | length > 0
+
    - name: Add Borgmatic configuration
      ansible.builtin.template:
        src: config.yaml.j2
@ -16,4 +25,15 @@
        mode: "0600"
        owner: "{{ borg_user }}"
        group: "{{ borg_group }}"
+      when: borg_app_name is not defined or borg_app_name | length == 0
+    
+    - name: Add Borgmatic app configuration
+      ansible.builtin.template:
+        src: config.yaml.j2
+        dest: "/etc/borgmatic.d/{{ borg_app_name }}-{{ borgmatic_config_name }}"
+        mode: "0600"
+        owner: "{{ borg_user }}"
+        group: "{{ borg_group }}"
+      when: borg_app_name is defined and borg_app_name | length > 0
+
 ...
--- a/tasks/noauto_create_backup_user_and_group.yml
+++ b/tasks/noauto_create_backup_user_and_group.yml
@ -31,4 +31,5 @@
        commands:
          - "/opt/borgmatic/bin/borg"
          - "/usr/local/bin/borgmatic -c /etc/borgmatic/{{ borgmatic_config_name }}"
+          - "/usr/local/bin/borgmatic -c /etc/borgmatic.d/{{ borg_app_name }}-{{ borgmatic_config_name }}"
 ...
--- a/tasks/noauto_create_timer_systemd.yml
+++ b/tasks/noauto_create_timer_systemd.yml
@ -28,6 +28,12 @@
      with_items:
        - { src: "borgmatic.timer.j2", dest: "/usr/lib/systemd/system/borgmatic.timer", mode: "0644" }
        - { src: "borgmatic.service.j2", dest: "/usr/lib/systemd/system/borgmatic.service", mode: "0644" }
+        - { src: "borgmatic@.timer.j2", dest: "/usr/lib/systemd/system/borgmatic@.timer", mode: "0644" }
+        - { src: "borgmatic@.service.j2", dest: "/usr/lib/systemd/system/borgmatic@.service", mode: "0644" }
+
+    - name: Reload systemd
+      ansible.builtin.systemd:
+        daemon_reload: true

    - name: Populate service facts
      ansible.builtin.service_facts:
--- a/templates/borgmatic.timer.j2
+++ b/templates/borgmatic.timer.j2
@ -1,4 +1,4 @@
-# Managed by Ansible, please don't edit manually
+# {{ ansible_managed }}

 [Unit]
 Description=Start creating of Backups - see: https://www.freedesktop.org/software/systemd/man/systemd.time.html#
--- a/templates/borgmatic@.service.j2
+++ b/templates/borgmatic@.service.j2
@ -0,0 +1,60 @@
+#{{ ansible_managed }}
+
+[Unit]
+Description=borgmatic backup
+Wants=backup_normal_repo.timer
+Wants=network-online.target
+After=network-online.target
+# Prevent borgmatic from running unless the machine is plugged into power. Remove this line if you
+# want to allow borgmatic to run anytime.
+ConditionACPower=true
+
+[Service]
+Type=oneshot
+User={{ borg_user }}
+ExecStart={{ borg_abs_path }}/borgmatic -c /etc/borgmatic.d/%i-{{ borgmatic_config_name }} {{ borgmatic_timer_flags }}
+
+# Source: https://projects.torsion.org/borgmatic-collective/borgmatic/raw/branch/master/sample/systemd/borgmatic.service
+# Security settings for systemd running as root, optional but recommended to improve security. You
+# can disable individual settings if they cause problems for your use case. For more details, see
+# the systemd manual: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+LockPersonality=true
+# Certain borgmatic features like Healthchecks integration need MemoryDenyWriteExecute to be off.
+# But you can try setting it to "yes" for improved security if you don't use those features.
+MemoryDenyWriteExecute=no
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+# To restrict write access further, change "ProtectSystem" to "strict" and uncomment
+# "ReadWritePaths", "ReadOnlyPaths", "ProtectHome", and "BindPaths". Then add any local repository
+# paths to the list of "ReadWritePaths" and local backup source paths to "ReadOnlyPaths". This
+# leaves most of the filesystem read-only to borgmatic.
+ProtectSystem=full
+# ReadWritePaths=-/mnt/my_backup_drive
+# ReadOnlyPaths=-/var/lib/my_backup_source
+# This will mount a tmpfs on top of /root and pass through needed paths
+# ProtectHome=tmpfs
+# BindPaths=-/root/.cache/borg -/root/.config/borg -/root/.borgmatic
+
+# May interfere with running external programs within borgmatic hooks.
+# CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
+
+# Lower CPU and I/O priority.
+Nice=19
+CPUSchedulingPolicy=batch
+IOSchedulingClass=best-effort
+IOSchedulingPriority=7
+IOWeight=100
--- a/templates/borgmatic@.timer.j2
+++ b/templates/borgmatic@.timer.j2
@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+
+[Unit]
+Description=Start creating of Backups - see: https://www.freedesktop.org/software/systemd/man/systemd.time.html#
+
+[Timer]
+# Day-of-the-Week Year-Month-Day Hour:Minutes:Seconds
+# Persistent -> resume backup after shutdown
+OnCalendar= *-*-* {{ borgmatic_timer_hour }}:{{ borgmatic_timer_minute }}:00
+Persistent=true
+
+[Install]
+WantedBy=timers.target