From 8b67e74440a00673e5501dd8dd990cca22fac5de Mon Sep 17 00:00:00 2001 From: Frank Dornheim <524257+conloos@users.noreply.github.com> Date: Sun, 5 Mar 2023 13:52:02 +0100 Subject: [PATCH] Role restructured: - if needed creation of a service user incl. creation of the ssh-key, - add the ssh key to authorized_keys, - auto init of the repos, - creation and start of systemd timer and services and - installation of the Docker helperscript. --- tasks/01_install.yml | 32 +++++++ tasks/02_create_backup_user_and_group.yml | 37 ++++++++ tasks/02_create_key.yml | 69 ++++++++++++++ tasks/03_configure.yml | 23 +++++ tasks/04_init_borg_repo.yml | 9 ++ tasks/05_create_timer.yml | 89 +++++++++++++++++++ ...create_links_and_install_helperscripts.yml | 33 +++++++ tasks/noauto_install_package.yml | 23 +++++ tasks/noauto_install_pip.yml | 33 +++++++ templates/backup_large_repo.service.j2 | 59 ++++++++++++ templates/backup_large_repo.timer.j2 | 13 +++ templates/backup_large_repo_check.service.j2 | 59 ++++++++++++ templates/backup_large_repo_check.timer.j2 | 13 +++ templates/backup_normal_repo.service.j2 | 59 ++++++++++++ templates/backup_normal_repo.timer.j2 | 13 +++ 15 files changed, 564 insertions(+) create mode 100644 tasks/01_install.yml create mode 100644 tasks/02_create_backup_user_and_group.yml create mode 100644 tasks/02_create_key.yml create mode 100755 tasks/03_configure.yml create mode 100644 tasks/04_init_borg_repo.yml create mode 100644 tasks/05_create_timer.yml create mode 100644 tasks/noauto_create_links_and_install_helperscripts.yml create mode 100644 tasks/noauto_install_package.yml create mode 100644 tasks/noauto_install_pip.yml create mode 100644 templates/backup_large_repo.service.j2 create mode 100644 templates/backup_large_repo.timer.j2 create mode 100644 templates/backup_large_repo_check.service.j2 create mode 100644 templates/backup_large_repo_check.timer.j2 create mode 100644 templates/backup_normal_repo.service.j2 create mode 100644 templates/backup_normal_repo.timer.j2 diff --git a/tasks/01_install.yml b/tasks/01_install.yml new file mode 100644 index 0000000..3ea9dd2 --- /dev/null +++ b/tasks/01_install.yml @@ -0,0 +1,32 @@ +--- +- name: Install borgbackup + when: install_backup is not defined or install_backup + tags: + - install_backup + block: + - name: Ensure legacy hooks aren't used + ansible.builtin.assert: + that: + - borgmatic_failure_command is undefined + - borgmatic_before_backup_command is undefined + - borgmatic_after_backup_command is undefined + msg: Please use the new borgmatic_hooks variable instead of individual before/after/failure hooks. + + - name: Include OS-specific variables + include_vars: "{{ item }}" + with_first_found: + - "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml" + - "{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml" + - "{{ ansible_distribution }}.yml" + - "{{ ansible_os_family }}.yml" + - "{{ ansible_lsb.id }}.yml" + + - name: Install general dependencies (openssh) + ansible.builtin.package: + name: "{{ borg_dep_packages }}" + state: present + + - name: Install Borg and Borgmatic + ansible.builtin.include_tasks: + file: noauto_install_{{ borg_install_method }}.yml +... diff --git a/tasks/02_create_backup_user_and_group.yml b/tasks/02_create_backup_user_and_group.yml new file mode 100644 index 0000000..3dc4113 --- /dev/null +++ b/tasks/02_create_backup_user_and_group.yml @@ -0,0 +1,37 @@ +--- +- name: Setup backup environment + tags: + - install_backup + when: + - install_backup is not defined or install_backup + - backup_create_local_user is not defined or backup_create_local_user + block: + - name: Add local backup group + ansible.builtin.group: + name: "{{ vault_borg.backup_group }}" + state: present + + - name: Add local backup user + ansible.builtin.user: + name: "{{ vault_borg.backup_user }}" + shell: "/bin/bash" + groups: "{{ vault_borg.backup_group }}" + comment: "Backup User Account" + append: true + + - name: Add sudo users + community.general.sudoers: + name: "backup" + state: present + user: "{{ vault_borg.backup_user }}" + nopassword: true + commands: + - "/opt/borgmatic/bin/borg" + - "/usr/local/bin/borgmatic -C -p -c /etc/borgmatic/{{ borgmatic_config_name }}" + - "/usr/local/bin/borgmatic -k -c /etc/borgmatic/{{ borgmatic_config_name }}" + - "/usr/local/bin/borgmatic -c /etc/borgmatic/{{ borgmatic_config_name }}" + + - name: Install Links to borg and borgmatic + ansible.builtin.include_tasks: + file: noauto_create_links_and_install_helperscripts.yml +... diff --git a/tasks/02_create_key.yml b/tasks/02_create_key.yml new file mode 100644 index 0000000..3a7ac61 --- /dev/null +++ b/tasks/02_create_key.yml @@ -0,0 +1,69 @@ +--- +- name: Create ssh-key for {{ borgbackup_user }} if neeeded + when: + - install_backup is not defined or install_backup + - backup_id_rsa is not defined or backup_id_rsa | length == 0 + tags: + - install_backup + block: + - name: Ensire /home/{{ borgbackup_user }}/.ssh directory exist + ansible.builtin.file: + path: "/home/{{ borgbackup_user }}/.ssh/" + state: directory + mode: "0700" + owner: "{{ borgbackup_user }}" + group: "{{ borgbackup_group }}" + + - name: Generate an OpenSSH keypair with the default values (4096 bits, rsa) + community.crypto.openssh_keypair: + path: "/home/{{ borgbackup_user }}/.ssh/id_rsa" + mode: "0600" + owner: "{{ borgbackup_user }}" + group: "{{ borgbackup_group }}" + + - name: Set key (/home/{{ borgbackup_user }}/.ssh) permission + ansible.builtin.file: + path: "/home/{{ borgbackup_user }}/.ssh/id_rsa.pub" + mode: "0644" + owner: "{{ borgbackup_user }}" + group: "{{ borgbackup_group }}" + + - name: Read ssh key + ansible.builtin.slurp: + src: "/home/{{ borgbackup_user }}/.ssh/id_rsa.pub" + register: backup_local_ssh_key + + - name: Set authorized key taken from file + ansible.posix.authorized_key: + user: "{{ backup_repository | regex_search('(.*)@', '\\1') | first }}" + state: present + key: "{{ backup_local_ssh_key['content'] | b64decode }}" + # This is a bit tricky, the string backup_repository consists of three parts: + # "username"@"FQDN":"path/to/store/backup". + # With the regex we use the FQDN part to store the ssh-key on the target system. + delegate_to: "{{ backup_repository | regex_search('@(.*):', '\\1') | first }}" + +- name: Install ssh cert and key + when: + - install_backup is not defined or install_backup + - backup_id_rsa is defined and backup_id_rsa | length > 0 + - backup_id_rsa_pub is defined and backup_id_rsa_pub | length > 0 + tags: + - install_backup + block: + - name: Copy existing id_rsa, not genereting one + ansible.builtin.copy: + content: "{{ backup_id_rsa }}" + dest: "/home/{{ borgbackup_user }}/.ssh/id_rsa" + mode: "0600" + owner: "{{ borgbackup_user }}" + group: "{{ borgbackup_group }}" + + - name: Copy existing id_rsa.pub, not genereting one + ansible.builtin.copy: + content: "{{ backup_id_rsa_pub }}" + dest: "/home/{{ borgbackup_user }}/.ssh/id_rsa.pub" + mode: "0644" + owner: "{{ borgbackup_user }}" + group: "{{ borgbackup_group }}" +... diff --git a/tasks/03_configure.yml b/tasks/03_configure.yml new file mode 100755 index 0000000..f81d0b7 --- /dev/null +++ b/tasks/03_configure.yml @@ -0,0 +1,23 @@ +--- +- name: Configure borgbackup + when: + - install_backup is not defined or install_backup + tags: + - install_backup + block: + - name: Ensure /etc/borgmatic exists + ansible.builtin.file: + path: /etc/borgmatic + state: directory + mode: "0700" + owner: "{{ borgbackup_user }}" + group: "{{ borgbackup_group }}" + + - name: Add Borgmatic configuration + ansible.builtin.template: + src: config.yaml.j2 + dest: "/etc/borgmatic/{{ borgmatic_config_name }}" + mode: "0600" + owner: "{{ borgbackup_user }}" + group: "{{ borgbackup_group }}" +... diff --git a/tasks/04_init_borg_repo.yml b/tasks/04_init_borg_repo.yml new file mode 100644 index 0000000..cf264d8 --- /dev/null +++ b/tasks/04_init_borg_repo.yml @@ -0,0 +1,9 @@ +--- +- name: Init repository + when: + - install_backup is not defined or install_backup + tags: + - install_backup + ansible.builtin.command: + cmd: "su - {{ borgbackup_user }} -c '/usr/local/bin/borgmatic rcreate --encryption keyfile --append-only'" +... diff --git a/tasks/05_create_timer.yml b/tasks/05_create_timer.yml new file mode 100644 index 0000000..9d40956 --- /dev/null +++ b/tasks/05_create_timer.yml @@ -0,0 +1,89 @@ +--- +- name: Create borgbackup timer + when: + - install_backup is not defined or install_backup + tags: + - install_backup + block: + - name: Add systemd.timer for borgmatic (large repo, create and check separate) + when: borgmatic_large_repo + block: + - name: Copy systemd files + ansible.builtin.template: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + owner: root + group: root + backup: true + mode: "{{ item.mode }}" + with_items: + - { src: "backup_large_repo_check.timer.j2", dest: "/usr/lib/systemd/system/backup_large_repo_check.timer", mode: "0644" } + - { src: "backup_large_repo_check.service.j2", dest: "/usr/lib/systemd/system/backup_large_repo_check.service", mode: "0644" } + - { src: "backup_large_repo.timer.j2", dest: "/usr/lib/systemd/system/backup_large_repo.timer", mode: "0644" } + - { src: "backup_large_repo.service.j2", dest: "/usr/lib/systemd/system/backup_large_repo.service", mode: "0644" } + + - name: Populate service facts (large repo, create and check separate) + ansible.builtin.service_facts: + + - name: Restart borgmatic services (large repo, create and check separate) + ansible.builtin.systemd: + name: "{{ item }}" + state: restarted + enabled: true + masked: false + daemon_reload: true + when: "item in services" + with_items: + - "backup_large_repo_check.service" + - "backup_large_repo.service" + + # bug: Need own section without masked else the timer are skipped + - name: Restart borgmatic timers (large repo, create and check separate) + ansible.builtin.systemd: + name: "{{ item }}" + state: started + enabled: true + daemon_reload: true + with_items: + - "backup_large_repo_check.timer" + - "backup_large_repo.timer" + + - name: Add systemd.timer for borgmatic (normal-sized repo) + when: not borgmatic_large_repo + block: + - name: Copy systemd files (normal-sized repo) + ansible.builtin.template: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + owner: root + group: root + backup: true + mode: "{{ item.mode }}" + with_items: + - { src: "backup_normal_repo.timer.j2", dest: "/usr/lib/systemd/system/backup_normal_repo.timer", mode: "0644" } + - { src: "backup_normal_repo.service.j2", dest: "/usr/lib/systemd/system/backup_normal_repo.service", mode: "0644" } + + - name: Populate service facts + ansible.builtin.service_facts: + + - name: Restart borgmatic services (normal-sized repo) + ansible.builtin.systemd: + name: "{{ item }}" + state: started + enabled: true + masked: false + daemon_reload: true + when: "item in services" + with_items: + - backup_normal_repo.service + + # bug: Need own section without masked else the timer ar skipped + - name: Restart borgmatic timers (normal-sized repo) + ansible.builtin.systemd: + name: "{{ item }}" + state: started + enabled: true + daemon_reload: true + with_items: + - "backup_normal_repo.timer" +... diff --git a/tasks/noauto_create_links_and_install_helperscripts.yml b/tasks/noauto_create_links_and_install_helperscripts.yml new file mode 100644 index 0000000..e03c398 --- /dev/null +++ b/tasks/noauto_create_links_and_install_helperscripts.yml @@ -0,0 +1,33 @@ +--- +- name: Create borgmatic command in /usr/local/bin + ansible.builtin.copy: + content: | + #!/bin/bash + . "{{ borg_venv_path }}"/bin/activate + borgmatic "$@" + dest: /usr/local/bin/borgmatic + mode: "0755" + owner: "{{ borgbackup_user }}" + group: "{{ borgbackup_group }}" + +- name: Create borg command in /usr/local/bin + ansible.builtin.copy: + content: | + #!/bin/bash + . "{{ borg_venv_path }}"/bin/activate + borg "$@" + dest: /usr/local/bin/borg + mode: "0755" + owner: "{{ borgbackup_user }}" + group: "{{ borgbackup_group }}" + +- name: Install helper scripts + ansible.builtin.copy: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + owner: "{{ item.owner }}" + group: "{{ item.group }}" + mode: "{{ item.mode }}" + with_items: + - { src: "docker.sh", dest: "/usr/local/bin/docker.sh", owner: "{{ backup_owner }}", group: "{{ backup_group }}", mode: "0770" } +... diff --git a/tasks/noauto_install_package.yml b/tasks/noauto_install_package.yml new file mode 100644 index 0000000..c91aa6a --- /dev/null +++ b/tasks/noauto_install_package.yml @@ -0,0 +1,23 @@ +--- +- name: Install borgbackup by distro + tags: + - install_backup + block: + - name: Check if EPEL repo is enabled, if installation from distro is requested + when: ansible_os_family == 'RedHat' + block: + - name: Get list of installed packages + ansible.builtin.package_facts: + manager: auto + - name: Ensure EPEL is enabled + ansible.builtin.assert: + that: + - "'epel-release' in ansible_facts.packages" + fail_msg: Need EPEL repo to install via distro package. + + - name: Install borgmatic and borg via distribution package manager + ansible.builtin.package: + name: "{{ item }}" + state: present + loop: "{{ borg_distro_packages }}" +... diff --git a/tasks/noauto_install_pip.yml b/tasks/noauto_install_pip.yml new file mode 100644 index 0000000..687faf2 --- /dev/null +++ b/tasks/noauto_install_pip.yml @@ -0,0 +1,33 @@ +--- +- name: Install borgbackup by pip + tags: + - install_backup + block: + - name: Install build dependencies + ansible.builtin.package: + name: "{{ borg_pip_packages }}" + state: present + + - name: Create virtualenv for borg # noqa package-latest + ansible.builtin.pip: + name: + - pip + - setuptools + state: latest + virtualenv: "{{ borg_venv_path }}" + virtualenv_command: "{{ python_bin }} -m venv" + + - name: Install dependent Python Packages + ansible.builtin.pip: + name: "{{ borg_dependent_python_packages }}" + virtualenv: "{{ borg_venv_path }}" + when: borg_dependent_python_packages is defined + + - name: Install main Python Packages + ansible.builtin.pip: + name: "{{ item.name }}" + version: "{{ item.version | default(omit, true) }}" + virtualenv: "{{ borg_venv_path }}" + when: borg_python_packages is defined + loop: "{{ borg_python_packages }}" +... diff --git a/templates/backup_large_repo.service.j2 b/templates/backup_large_repo.service.j2 new file mode 100644 index 0000000..7114b8f --- /dev/null +++ b/templates/backup_large_repo.service.j2 @@ -0,0 +1,59 @@ +# Managed by Ansible, please don't edit manually + +[Unit] +Description=borgmatic backup only - because large repo +Wants=backup_normal_repo.timer +Wants=network-online.target +After=network-online.target +# Prevent borgmatic from running unless the machine is plugged into power. Remove this line if you +# want to allow borgmatic to run anytime. +ConditionACPower=true + +[Service] +Type=oneshot +ExecStart=su - {{ borgbackup_user }} -c '/usr/local/bin/borgmatic -C -p -c /etc/borgmatic/{{ borgmatic_config_name }}' + +# Source: https://projects.torsion.org/borgmatic-collective/borgmatic/raw/branch/master/sample/systemd/borgmatic.service +# Security settings for systemd running as root, optional but recommended to improve security. You +# can disable individual settings if they cause problems for your use case. For more details, see +# the systemd manual: https://www.freedesktop.org/software/systemd/man/systemd.exec.html +LockPersonality=true +# Certain borgmatic features like Healthchecks integration need MemoryDenyWriteExecute to be off. +# But you can try setting it to "yes" for improved security if you don't use those features. +MemoryDenyWriteExecute=no +NoNewPrivileges=yes +PrivateDevices=yes +PrivateTmp=yes +ProtectClock=yes +ProtectControlGroups=yes +ProtectHostname=yes +ProtectKernelLogs=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK +RestrictNamespaces=yes +RestrictRealtime=yes +RestrictSUIDSGID=yes +SystemCallArchitectures=native +SystemCallFilter=@system-service +SystemCallErrorNumber=EPERM +# To restrict write access further, change "ProtectSystem" to "strict" and uncomment +# "ReadWritePaths", "ReadOnlyPaths", "ProtectHome", and "BindPaths". Then add any local repository +# paths to the list of "ReadWritePaths" and local backup source paths to "ReadOnlyPaths". This +# leaves most of the filesystem read-only to borgmatic. +ProtectSystem=full +# ReadWritePaths=-/mnt/my_backup_drive +# ReadOnlyPaths=-/var/lib/my_backup_source +# This will mount a tmpfs on top of /root and pass through needed paths +# ProtectHome=tmpfs +# BindPaths=-/root/.cache/borg -/root/.config/borg -/root/.borgmatic + +# May interfere with running external programs within borgmatic hooks. +# CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW + +# Lower CPU and I/O priority. +Nice=19 +CPUSchedulingPolicy=batch +IOSchedulingClass=best-effort +IOSchedulingPriority=7 +IOWeight=100 \ No newline at end of file diff --git a/templates/backup_large_repo.timer.j2 b/templates/backup_large_repo.timer.j2 new file mode 100644 index 0000000..2ff402c --- /dev/null +++ b/templates/backup_large_repo.timer.j2 @@ -0,0 +1,13 @@ +# Managed by Ansible, please don't edit manually + +[Unit] +Description=Start creating of Backups - see: https://www.freedesktop.org/software/systemd/man/systemd.time.html# + +[Timer] +# Day-of-the-Week Year-Month-Day Hour:Minutes:Seconds +# Persistent -> resume backup after shutdown +OnCalendar= *-*-* {{ borgmatic_timer_hour }}:{{ borgmatic_timer_minute }}:00 +Persistent=true + +[Install] +WantedBy=timers.target \ No newline at end of file diff --git a/templates/backup_large_repo_check.service.j2 b/templates/backup_large_repo_check.service.j2 new file mode 100644 index 0000000..97d6b7c --- /dev/null +++ b/templates/backup_large_repo_check.service.j2 @@ -0,0 +1,59 @@ +# Managed by Ansible, please don't edit manually + +[Unit] +Description=borgmatic check consistently only - because large repo +Wants=backup_normal_repo.timer +Wants=network-online.target +After=network-online.target +# Prevent borgmatic from running unless the machine is plugged into power. Remove this line if you +# want to allow borgmatic to run anytime. +ConditionACPower=true + +[Service] +Type=oneshot +ExecStart=su - {{ borgbackup_user }} -c '/usr/local/bin/borgmatic -k -c /etc/borgmatic/{{ borgmatic_config_name }}' + +# Source: https://projects.torsion.org/borgmatic-collective/borgmatic/raw/branch/master/sample/systemd/borgmatic.service +# Security settings for systemd running as root, optional but recommended to improve security. You +# can disable individual settings if they cause problems for your use case. For more details, see +# the systemd manual: https://www.freedesktop.org/software/systemd/man/systemd.exec.html +LockPersonality=true +# Certain borgmatic features like Healthchecks integration need MemoryDenyWriteExecute to be off. +# But you can try setting it to "yes" for improved security if you don't use those features. +MemoryDenyWriteExecute=no +NoNewPrivileges=yes +PrivateDevices=yes +PrivateTmp=yes +ProtectClock=yes +ProtectControlGroups=yes +ProtectHostname=yes +ProtectKernelLogs=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK +RestrictNamespaces=yes +RestrictRealtime=yes +RestrictSUIDSGID=yes +SystemCallArchitectures=native +SystemCallFilter=@system-service +SystemCallErrorNumber=EPERM +# To restrict write access further, change "ProtectSystem" to "strict" and uncomment +# "ReadWritePaths", "ReadOnlyPaths", "ProtectHome", and "BindPaths". Then add any local repository +# paths to the list of "ReadWritePaths" and local backup source paths to "ReadOnlyPaths". This +# leaves most of the filesystem read-only to borgmatic. +ProtectSystem=full +# ReadWritePaths=-/mnt/my_backup_drive +# ReadOnlyPaths=-/var/lib/my_backup_source +# This will mount a tmpfs on top of /root and pass through needed paths +# ProtectHome=tmpfs +# BindPaths=-/root/.cache/borg -/root/.config/borg -/root/.borgmatic + +# May interfere with running external programs within borgmatic hooks. +# CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW + +# Lower CPU and I/O priority. +Nice=19 +CPUSchedulingPolicy=batch +IOSchedulingClass=best-effort +IOSchedulingPriority=7 +IOWeight=100 \ No newline at end of file diff --git a/templates/backup_large_repo_check.timer.j2 b/templates/backup_large_repo_check.timer.j2 new file mode 100644 index 0000000..2cf5191 --- /dev/null +++ b/templates/backup_large_repo_check.timer.j2 @@ -0,0 +1,13 @@ +# Managed by Ansible, please don't edit manually + +[Unit] +Description=Start creating of Backups - see: https://www.freedesktop.org/software/systemd/man/systemd.time.html# + +[Timer] +# Day-of-the-Week Year-Month-Day Hour:Minutes:Seconds +# Persistent -> resume backup after shutdown +OnCalendar= {% if borgmatic_timer_day_of_the_week is defined and borgmatic_timer_day_of_the_week | lenght > 0 %} {{ borgmatic_timer_day_of_the_week }} {% endif %} *-*-{{ borgmatic_timer_checks_day }} {{ borgmatic_timer_checks_hour }}:{{ borgmatic_timer_checks_minute }}:00 +Persistent=true + +[Install] +WantedBy=timers.target \ No newline at end of file diff --git a/templates/backup_normal_repo.service.j2 b/templates/backup_normal_repo.service.j2 new file mode 100644 index 0000000..f2e67d1 --- /dev/null +++ b/templates/backup_normal_repo.service.j2 @@ -0,0 +1,59 @@ +# Managed by Ansible, please don't edit manually + +[Unit] +Description=borgmatic backup +Wants=backup_normal_repo.timer +Wants=network-online.target +After=network-online.target +# Prevent borgmatic from running unless the machine is plugged into power. Remove this line if you +# want to allow borgmatic to run anytime. +ConditionACPower=true + +[Service] +Type=oneshot +ExecStart=su - {{ borgbackup_user }} -c '/usr/local/bin/borgmatic -c /etc/borgmatic/{{ borgmatic_config_name }}' + +# Source: https://projects.torsion.org/borgmatic-collective/borgmatic/raw/branch/master/sample/systemd/borgmatic.service +# Security settings for systemd running as root, optional but recommended to improve security. You +# can disable individual settings if they cause problems for your use case. For more details, see +# the systemd manual: https://www.freedesktop.org/software/systemd/man/systemd.exec.html +LockPersonality=true +# Certain borgmatic features like Healthchecks integration need MemoryDenyWriteExecute to be off. +# But you can try setting it to "yes" for improved security if you don't use those features. +MemoryDenyWriteExecute=no +NoNewPrivileges=yes +PrivateDevices=yes +PrivateTmp=yes +ProtectClock=yes +ProtectControlGroups=yes +ProtectHostname=yes +ProtectKernelLogs=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK +RestrictNamespaces=yes +RestrictRealtime=yes +RestrictSUIDSGID=yes +SystemCallArchitectures=native +SystemCallFilter=@system-service +SystemCallErrorNumber=EPERM +# To restrict write access further, change "ProtectSystem" to "strict" and uncomment +# "ReadWritePaths", "ReadOnlyPaths", "ProtectHome", and "BindPaths". Then add any local repository +# paths to the list of "ReadWritePaths" and local backup source paths to "ReadOnlyPaths". This +# leaves most of the filesystem read-only to borgmatic. +ProtectSystem=full +# ReadWritePaths=-/mnt/my_backup_drive +# ReadOnlyPaths=-/var/lib/my_backup_source +# This will mount a tmpfs on top of /root and pass through needed paths +# ProtectHome=tmpfs +# BindPaths=-/root/.cache/borg -/root/.config/borg -/root/.borgmatic + +# May interfere with running external programs within borgmatic hooks. +# CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW + +# Lower CPU and I/O priority. +Nice=19 +CPUSchedulingPolicy=batch +IOSchedulingClass=best-effort +IOSchedulingPriority=7 +IOWeight=100 diff --git a/templates/backup_normal_repo.timer.j2 b/templates/backup_normal_repo.timer.j2 new file mode 100644 index 0000000..2ff402c --- /dev/null +++ b/templates/backup_normal_repo.timer.j2 @@ -0,0 +1,13 @@ +# Managed by Ansible, please don't edit manually + +[Unit] +Description=Start creating of Backups - see: https://www.freedesktop.org/software/systemd/man/systemd.time.html# + +[Timer] +# Day-of-the-Week Year-Month-Day Hour:Minutes:Seconds +# Persistent -> resume backup after shutdown +OnCalendar= *-*-* {{ borgmatic_timer_hour }}:{{ borgmatic_timer_minute }}:00 +Persistent=true + +[Install] +WantedBy=timers.target \ No newline at end of file