Mirrors/ansible-role-borg-backup
1
0
Fork 0
mirror of https://github.com/borgbase/ansible-role-borgbackup.git synced 2025-11-04 01:19:32 +01:00
Code Issues Packages Projects Releases Wiki Activity

add example for service account

Browse Source
This commit is contained in:
Frank Dornheim 2023-03-10 18:31:30 +01:00
parent 2e8fc5e266
commit 3a80957fe8
10 changed files with 55 additions and 240 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
README.md
View File

@ -12,7 +12,7 @@ Main features:
- Provision new remote [BorgBase.com](https://www.borgbase.com) repo for storing backups (optional)
## Example Playbook
## Example Playbook with root as backup user
```
- hosts: webservers
@ -40,6 +40,37 @@ Main features:
port: 5433
```
## Example Playbook with service user
```
- hosts: webservers
roles:
- role: m3nu.ansible_role_borgbackup
borg_encryption_passphrase: CHANGEME
borg_repository: m5vz9gp4@m5vz9gp4.repo.borgbase.com:repo
borgmatic_timer: systemd
backup_ssh_key_file: "{{ backup_user_info.home }}/.ssh/id_rsa"
backup_ssh_command: "ssh -i {{ backup_ssh_key_file }} -o StrictHostKeyChecking=no"
borgmatic_timer: systemd
borgbackup_user: "srv_backup"
borgbackup_group: "srv_backup"
borg_source_directories:
- /srv/www
- /var/lib/automysqlbackup
borg_exclude_patterns:
- /srv/www/old-sites
borg_retention_policy:
keep_hourly: 3
keep_daily: 7
keep_weekly: 4
keep_monthly: 6
borgmatic_hooks:
before_backup:
- echo "`date` - Starting backup."
postgresql_databases:
- name: users
hostname: database1.example.org
port: 5433
```
## Installation

37
tasks/02_create_backup_user_and_group.yml
View File

@ -1,37 +0,0 @@
---
- name: Setup backup environment
tags:
- install_backup
when:
- install_backup is not defined or install_backup
- backup_create_local_user is not defined or backup_create_local_user
block:
- name: Add local backup group
ansible.builtin.group:
name: "{{ borgbackup_group }}"
state: present
- name: Add local backup user
ansible.builtin.user:
name: "{{ borgbackup_user }}"
shell: "/bin/bash"
groups: "{{ borgbackup_group }}"
comment: "Backup User Account"
append: true
- name: Add sudo users
community.general.sudoers:
name: "backup"
state: present
user: "{{ borgbackup_user }}"
nopassword: true
commands:
- "/opt/borgmatic/bin/borg"
- "/usr/local/bin/borgmatic -C -p -c /etc/borgmatic/{{ borgmatic_config_name }}"
- "/usr/local/bin/borgmatic -k -c /etc/borgmatic/{{ borgmatic_config_name }}"
- "/usr/local/bin/borgmatic -c /etc/borgmatic/{{ borgmatic_config_name }}"
- name: Install Links to borg and borgmatic
ansible.builtin.include_tasks:
file: noauto_create_links_and_install_helperscripts.yml
...

69
tasks/02_create_key.yml
View File

@ -1,69 +0,0 @@
---
- name: Create ssh-key (if neeeded) for {{ borgbackup_user }}
when:
- install_backup is not defined or install_backup
- backup_id_rsa is not defined or backup_id_rsa | length == 0
tags:
- install_backup
block:
- name: Ensire directory exist
ansible.builtin.file:
path: "/home/{{ borgbackup_user }}/.ssh/"
state: directory
mode: "0700"
owner: "{{ borgbackup_user }}"
group: "{{ borgbackup_group }}"
- name: Generate an OpenSSH keypair with the default values (4096 bits, rsa)
community.crypto.openssh_keypair:
path: "/home/{{ borgbackup_user }}/.ssh/id_rsa"
mode: "0600"
owner: "{{ borgbackup_user }}"
group: "{{ borgbackup_group }}"
- name: Set key permission
ansible.builtin.file:
path: "/home/{{ borgbackup_user }}/.ssh/id_rsa.pub"
mode: "0644"
owner: "{{ borgbackup_user }}"
group: "{{ borgbackup_group }}"
- name: Read ssh key
ansible.builtin.slurp:
src: "/home/{{ borgbackup_user }}/.ssh/id_rsa.pub"
register: backup_local_ssh_key
- name: Set authorized key taken from file
ansible.posix.authorized_key:
user: "{{ backup_repository | regex_search('(.*)@', '\\1') | first }}"
state: present
key: "{{ backup_local_ssh_key['content'] | b64decode }}"
# This is a bit tricky, the string backup_repository consists of three parts:
# "username"@"FQDN":"path/to/store/backup".
# With the regex we use the FQDN part to store the ssh-key on the target system.
delegate_to: "{{ backup_repository | regex_search('@(.*):', '\\1') | first }}"
- name: Install ssh cert and key
when:
- install_backup is not defined or install_backup
- backup_id_rsa is defined and backup_id_rsa | length > 0
- backup_id_rsa_pub is defined and backup_id_rsa_pub | length > 0
tags:
- install_backup
block:
- name: Copy existing id_rsa, not genereting one
ansible.builtin.copy:
content: "{{ backup_id_rsa }}"
dest: "/home/{{ borgbackup_user }}/.ssh/id_rsa"
mode: "0600"
owner: "{{ borgbackup_user }}"
group: "{{ borgbackup_group }}"
- name: Copy existing id_rsa.pub, not genereting one
ansible.builtin.copy:
content: "{{ backup_id_rsa_pub }}"
dest: "/home/{{ borgbackup_user }}/.ssh/id_rsa.pub"
mode: "0644"
owner: "{{ borgbackup_user }}"
group: "{{ borgbackup_group }}"
...

33
tasks/02_user_management.yml
View File

@ -1,20 +1,31 @@
---
# So in different positions in that role we need the user home
# Since we cannot be sure that this FSH is compatible we will determine it.
- name: Get home if borgbackup_user == "root"
when: borgbackup_user == "root"
ansible.builtin.user:
name: "{{ borgbackup_user }}"
state: present
register: user_info
changed_when: false
check_mode: true # Important, otherwise user will be created
- name: Get home dir
when:
- borgbackup_user == "root"
- install_backup is not defined or install_backup
tags:
- install_backup
block:
- name: Get home if borgbackup_user == "root"
ansible.builtin.user:
name: "{{ borgbackup_user }}"
state: present
register: user_info
changed_when: false
check_mode: true # Important, otherwise user will be created
- name: Save the user_info, we need them for the home_dir
ansible.builtin.set_fact:
backup_user_info: "{{ user_info }}"
- name: Save the user_info, we need them for the home_dir
ansible.builtin.set_fact:
backup_user_info: "{{ user_info }}"
- name: Create User if borgbackup_user != "root"
when:
- borgbackup_user == "root"
- install_backup is not defined or install_backup
tags:
- install_backup
ansible.builtin.include_tasks:
file: noauto_create_backup_user_and_group.yml
...

23
tasks/03_configure.yml
View File

@ -1,23 +0,0 @@
---
- name: Configure borgbackup
when:
- install_backup is not defined or install_backup
tags:
- install_backup
block:
- name: Ensure /etc/borgmatic exists
ansible.builtin.file:
path: /etc/borgmatic
state: directory
mode: "0700"
owner: "{{ borgbackup_user }}"
group: "{{ borgbackup_group }}"
- name: Add Borgmatic configuration
ansible.builtin.template:
src: config.yaml.j2
dest: "/etc/borgmatic/{{ borgmatic_config_name }}"
mode: "0600"
owner: "{{ borgbackup_user }}"
group: "{{ borgbackup_group }}"
...

33
tasks/03_create_links_to_borg_and_borgmatic.yml
View File

@ -1,33 +0,0 @@
---
- name: Create borgmatic command in /usr/local/bin
ansible.builtin.copy:
content: |
#!/bin/bash
. "{{ borg_venv_path }}"/bin/activate
borgmatic "$@"
dest: /usr/local/bin/borgmatic
mode: "0755"
owner: "{{ borgbackup_user }}"
group: "{{ borgbackup_group }}"
- name: Create borg command in /usr/local/bin
ansible.builtin.copy:
content: |
#!/bin/bash
. "{{ borg_venv_path }}"/bin/activate
borg "$@"
dest: /usr/local/bin/borg
mode: "0755"
owner: "{{ borgbackup_user }}"
group: "{{ borgbackup_group }}"
- name: Install helper scripts
ansible.builtin.copy:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "{{ item.owner }}"
group: "{{ item.group }}"
mode: "{{ item.mode }}"
with_items:
- { src: "docker.sh", dest: "/usr/local/bin/docker.sh", owner: "{{ borgbackup_user }}", group: "{{ borgbackup_group }}", mode: "0770" }
...

10
tasks/04_init_borg_repo.yml
View File

@ -1,10 +0,0 @@
---
- name: Init repository
when:
- install_backup is not defined or install_backup
- borgmatic_initialization_repo is not defined or borgmatic_initialization_repo
tags:
- install_backup
ansible.builtin.command:
cmd: "su - {{ borgbackup_user }} -c '/usr/local/bin/borgmatic rcreate --encryption keyfile --append-only'"
...

22
tasks/05_install_timer.yml
View File

@ -1,22 +0,0 @@
---
- name: Create borgbackup timer
when:
- install_backup is not defined or install_backup
- borgmatic_timer is defined and borgmatic_timer == "systemd"
tags:
- install_backup
block:
- name: Timer Systemd
ansible.builtin.include_tasks:
file: noauto_create_timer.yml
- name: Create borgbackup cron
when:
- install_backup is not defined or install_backup
- borgmatic_timer is defined or not borgmatic_timer == "systemd"
tags:
- install_backup
block:
- name: Install cron backup job
ansible.builtin.include_tasks:
file: noauto_create_cronjobs.yml

33
tasks/noauto_create_links_and_install_helperscripts.yml
View File

@ -1,33 +0,0 @@
---
- name: Create borgmatic command in /usr/local/bin
ansible.builtin.copy:
content: |
#!/bin/bash
. "{{ borg_venv_path }}"/bin/activate
borgmatic "$@"
dest: /usr/local/bin/borgmatic
mode: "0755"
owner: "{{ borgbackup_user }}"
group: "{{ borgbackup_group }}"
- name: Create borg command in /usr/local/bin
ansible.builtin.copy:
content: |
#!/bin/bash
. "{{ borg_venv_path }}"/bin/activate
borg "$@"
dest: /usr/local/bin/borg
mode: "0755"
owner: "{{ borgbackup_user }}"
group: "{{ borgbackup_group }}"
- name: Install helper scripts
ansible.builtin.copy:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "{{ item.owner }}"
group: "{{ item.group }}"
mode: "{{ item.mode }}"
with_items:
- { src: "docker.sh", dest: "/usr/local/bin/docker.sh", owner: "{{ backup_owner }}", group: "{{ backup_group }}", mode: "0770" }
...

2
templates/config.yaml.j2
View File

@ -112,7 +112,7 @@ storage:
# Path for Borg encryption key files. Defaults to
# $borg_base_directory/.config/borg/keys
borg_keys_directory: /home/{{ borgbackup_user }}/.config/borg/keys
borg_keys_directory: {{ backup_user_info.home }}/.config/borg/keys
# Retention policy for how many backups to keep in each category. See
# https://borgbackup.readthedocs.org/en/stable/usage.html#borg-prune for details.