Mirrors/ansible-role-borg-backup
1
0
Fork 0
mirror of https://github.com/borgbase/ansible-role-borgbackup.git synced 2025-08-02 13:49:37 +02:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: Mirrors:master
Branches Tags
Mirrors:master
Mirrors:v1.1.3
Mirrors:v1.1.2
Mirrors:v1.1.1
Mirrors:v1.1.0
Mirrors:v1.0.1
Mirrors:v1.0.0
Mirrors:v0.9.4
Mirrors:v0.9.3
Mirrors:v0.9.2
Mirrors:v0.9.1
Mirrors:v0.9.0
Mirrors:v0.8.1
Mirrors:v0.8.0
..
compare: Mirrors:v0.9.2
Branches Tags
Mirrors:master
Mirrors:v1.1.3
Mirrors:v1.1.2
Mirrors:v1.1.1
Mirrors:v1.1.0
Mirrors:v1.0.1
Mirrors:v1.0.0
Mirrors:v0.9.4
Mirrors:v0.9.3
Mirrors:v0.9.2
Mirrors:v0.9.1
Mirrors:v0.9.0
Mirrors:v0.8.1
Mirrors:v0.8.0

No commits in common. "master" and "v0.9.2" have entirely different histories.
master ... v0.9.2

41 changed files with 571 additions and 1049 deletions
Show Stats Expand all files Collapse all files

3
.ansible-lint
View File

@ -1,3 +0,0 @@
---
skip_list:
- fqcn-builtins

4
.github/workflows/main.yml vendored
View File

@ -8,9 +8,9 @@ jobs:
steps:
- uses: actions/checkout@v2
- name: Set up Python
uses: actions/setup-python@v4
uses: actions/setup-python@v1
with:
python-version: "3.10"
python-version: 3.8
- name: Install Molecule
run: |
pip install -U pip setuptools wheel

1
.gitignore vendored
View File

@ -1 +0,0 @@
.cache

130
EXAMPLES.md
View File

@ -1,130 +0,0 @@
# Additional Examples
## Custom SSH key for backups only
```
- hosts: webservers
roles:
- role: borgbase.ansible_role_borgbackup
borg_encryption_passphrase: CHANGEME
borg_repository: ssh://m5vz9gp4@m5vz9gp4.repo.borgbase.com/./repo
borgmatic_timer: systemd
borg_ssh_key_name: id_backup
borg_ssh_key_comment: backup key
borg_ssh_command: "ssh -i {{ borg_ssh_key_file_path }} -o StrictHostKeyChecking=accept-new"
borg_user: backupuser
borg_group: backupuser
```
## Use service user and copy SSH key to target server
Installs and configures the Borgmatic client and also initializes the repo on the
remote backup server. (not tested)
```
- name: Configure backup
hosts: test.lab
pre_tasks:
- name: Get home of {{ borg_user }}
ansible.builtin.user:
name: "{{ borg_user }}"
state: present
register: user_info
changed_when: false
check_mode: true # Important, otherwise user will be created
- name: Save the user_info, we need them for the home_dir
ansible.builtin.set_fact:
backup_user_info: "{{ user_info }}"
vars_files: []
vars:
borg_encryption_passphrase: "CHANGEME"
borg_repository: "USER@TARGET_SERVER:/PATH/TO/BACKUP"
borg_user: "srv_backup"
borg_group: "srv_backup"
borg_ssh_key_name: id_backup
borg_ssh_command: "ssh -i {{ borg_ssh_key_file_path }} -o StrictHostKeyChecking=accept-new"
borgmatic_timer: systemd
borg_source_directories:
- /srv/www
- /var/lib/automysqlbackup
borg_exclude_patterns:
- /srv/www/old-sites
borg_retention_policy:
keep_hourly: 3
keep_daily: 7
keep_weekly: 4
keep_monthly: 6
borgmatic_hooks:
before_backup:
- echo "`date` - Starting backup."
tasks:
- name: Configure Borg Backup and Backupmatic
tags:
- always
- install_backup
ansible.builtin.include_role:
name: ansible_role_borgbackup
apply:
tags:
- always
- name: Copy SSH-Key to Target {{ borg_repository }} and Init Repo
tags:
- never
- backup_init_repo
block:
- name: Read ssh key
ansible.builtin.slurp:
src: "{{ borg_ssh_key_file_path }}.pub"
register: backup_local_ssh_key
- name: Set authorized key taken from file
ansible.posix.authorized_key:
# example:
# borg_repository: m5vz9gp4@m5vz9gp4.repo.borgbase.com:repo
# have three parts: "username"@"FQDN":"path/to/store/backup", specific:
# a) user: m5vz9gp4
# b) fqdn: m5vz9gp4.repo.borgbase.co
# c) dir: repo
user: "{{ borg_repository | regex_search('(.*)@', '\\1') | first }}" # part a)
state: present
key: "{{ backup_local_ssh_key['content'] | b64decode }}"
delegate_to: "{{ borg_repository | regex_search('@(.*):', '\\1') | first }}" # part b)
- name: Init repository
ansible.builtin.command:
cmd: "su - {{ borg_user }} -c '/usr/local/bin/borgmatic rcreate --encryption keyfile --append-only'"
- name: Activate systemd service and timer
when:
- borgmatic_timer is defined and borgmatic_timer == "systemd"
tags:
- never
- backup_init_repo
block:
- name: Populate service facts
ansible.builtin.service_facts:
- name: Start borgmatic services
ansible.builtin.systemd:
name: "{{ item }}"
state: started
enabled: true
masked: false
daemon_reload: true
when: "item in services"
with_items:
- borgmatic.service
# bug: Need own section without masked else the timer are skipped
- name: Start borgmatic timers
ansible.builtin.systemd:
name: "{{ item }}"
state: started
enabled: true
daemon_reload: true
with_items:
- "borgmatic.timer"
```

152
README.md
View File

@ -1,36 +1,35 @@
# Ansible Role: BorgBackup Client
[![Test](https://github.com/borgbase/ansible-role-borgbackup/actions/workflows/main.yml/badge.svg)](https://github.com/borgbase/ansible-role-borgbackup/actions/workflows/main.yml) [![Ansible Galaxy](https://img.shields.io/ansible/role/d/borgbase/ansible_role_borgbackup?logo=ansible&color=5cbec1&label=Ansible%20Galaxy)](https://galaxy.ansible.com/ui/standalone/roles/borgbase/ansible_role_borgbackup/)
[![Test](https://github.com/borgbase/ansible-role-borgbackup/actions/workflows/main.yml/badge.svg)](https://github.com/borgbase/ansible-role-borgbackup/actions/workflows/main.yml) [![Ansible Galaxy](https://img.shields.io/ansible/role/48519)](https://galaxy.ansible.com/m3nu/ansible_role_borgbackup)
Set up encrypted, compressed and deduplicated backups using [BorgBackup](https://borgbackup.readthedocs.io/en/stable/) and [Borgmatic](https://github.com/witten/borgmatic). Currently supports Debian/Ubuntu, CentOS/Red Hat/Fedora, Archlinux and Manjaro.
Set up encrypted, compressed and deduplicated backups using [BorgBackup](https://borgbackup.readthedocs.io/en/stable/) and [Borgmatic](https://github.com/witten/borgmatic). Currently supports Debian/Ubuntu and CentOS/Red Hat.
Works great with [BorgBase.com](https://www.borgbase.com) - Simple and Secure Hosting for your Borg Repositories. To manage BorgBase repos via Ansible, also see Andy Hawkins' [BorgBase Collection](https://galaxy.ansible.com/adhawkins/borgbase).
Works great with [BorgBase.com](https://www.borgbase.com) - Simple and Secure Hosting for your Borg Repositories.
**Main features**
- Install Borg and Borgmatic from PyPi or distro packages
- Set up Borgmatic config
- Schedule regular backups using Cron or Systemd timer
Main features:
- Set up Borg and Borgmatic
- Add cron job at random time
- Provision new remote [BorgBase.com](https://www.borgbase.com) repo for storing backups (optional)
## Breaking changes
- Older versions of this role set up a separate Cron job for creating and checking
backups. With recent Borgmatic version, this feature is now managed in Borgmatic.
As a result the extra Cron job will be removed by this role.
- Older versions of this role only supported Cron for scheduling. If you use
Systemd timers, be sure to remove the Cron job in `/etc/cron.d/borgmatic` first.
The role will also alert you when trying to use both timers.
## Example playbook with root as backup user, using the distro package and Cron timer
## Example Playbook
```
- hosts: all
- hosts: webservers
roles:
- role: borgbase.ansible_role_borgbackup
borg_install_method: package
- role: m3nu.ansible_role_borgbackup
borg_encryption_passphrase: CHANGEME
borg_repository:
- ssh://xxxxxx@xxxxxx.repo.borgbase.com/./repo
borg_repository: m5vz9gp4@m5vz9gp4.repo.borgbase.com:repo
borg_source_directories:
- /var/www
- /srv/www
- /var/lib/automysqlbackup
borg_exclude_patterns:
- /srv/www/old-sites
borg_retention_policy:
keep_hourly: 3
keep_daily: 7
keep_weekly: 4
keep_monthly: 6
borgmatic_hooks:
before_backup:
- echo "`date` - Starting backup."
@ -38,38 +37,20 @@ Works great with [BorgBase.com](https://www.borgbase.com) - Simple and Secure Ho
- name: users
hostname: database1.example.org
port: 5433
```
## Example playbook with service user and Systemd timer
```
- hosts: all
roles:
- role: borgbase.ansible_role_borgbackup
borg_encryption_passphrase: CHANGEME
borg_repository: ssh://xxxxxx@xxxxxx.repo.borgbase.com/./repo
borgmatic_timer: systemd
borg_user: "backupuser"
borg_group: "backupuser"
borg_source_directories:
- /var/www
borg_retention_policy:
keep_hourly: 3
keep_daily: 7
keep_weekly: 4
keep_monthly: 6
```
## Installation
Download from Ansible Galaxy
```
$ ansible-galaxy install borgbase.ansible_role_borgbackup
$ ansible-galaxy install m3nu.ansible_role_borgbackup
```
Clone latest version from Github
Clone to local folder
```
$ git clone https://github.com/borgbase/ansible-role-borgbackup.git roles/ansible_role_borgbackup
```
@ -77,50 +58,77 @@ $ git clone https://github.com/borgbase/ansible-role-borgbackup.git roles/ansibl
## Role Variables
### Required Variables
- `borg_repository`: Full path to repository. Your own server or [BorgBase.com](https://www.borgbase.com) repo.
Can be a list if you want to backup to multiple repositories.
### Required Arguments
- `borg_repository`: Full path to repository. Your own server or [BorgBase.com](https://www.borgbase.com) repo. Not required when using auto creation of repositories. Can be a list if you want to backup to multiple repositories.
- `borg_source_directories`: List of local folders to back up.
### Optional Variables
- `borg_dep_packages`: Dependency Packages to install `borg(backup)` and `borgmatic`.
- `borg_distro_packages`: contains the names of distributions packages for `borg(backup)` and `borgmatic`, only used if `borg_install_method` is set to `package`.
### Optional Arguments
- `borg_encryption_passcommand`: The standard output of this command is used to unlock the encryption key.
- `borg_encryption_passphrase`: Password to use for repokey or keyfile. Empty if repo is unencrypted.
- `borg_exclude_from`: Read exclude patterns from one or more separate named files, one pattern per line.
- `borg_exclude_patterns`: Paths or patterns to exclude from backup. See [official documentation](https://borgbackup.readthedocs.io/en/stable/usage/help.html#borg-help-patterns) for more.
- `borg_install_method`: By default `pip` is used to install borgmatic. To install via your distributions package manager set this to `package` and (if needed) overwrite the `borg_distro_packages` variable to contain your distributions package names required to install borgmatic. Note that many distributions ship outdated versions of borgbackup and borgmatic; use at your own risk. `none` completely disables installation management.
- `borg_require_epel`: When using `borg_install_method: package` on RHEL-based distributions, the EPEL repo is required. To disable the check (e.g. when using a custom mirror instead of the `epel-release` package), set this to `false`. Defaults to `{{ ansible_os_family == 'RedHat' and ansible_distribution != 'Fedora' }}` (i.e. `true` on Enterprise Linux-based distros).
- `borg_lock_wait_time`: Config maximum seconds to wait for acquiring a repository/cache lock. Defaults to 5 seconds.
- `borg_one_file_system`: Don't cross file-system boundaries. Defaults to `true`
- `borg_pip_packages`: Dependancy Packages (pip) to install `borg(backup)` and `borgmatic`.
- `borg_remote_path`: Path to the borg executable on the remote. It will default to `borg`.
- `borg_remote_rate_limit`: Remote network upload rate limit in kiBytes/second.
- `borg_retention_policy`: Retention policy for how many backups to keep in each category (daily, weekly, monthly, etc).
- `borg_source_directories`: List of local folders to back up. Default is `/etc/hostname` to prevent an empty backup.
- `borg_ssh_key_name`: Name of the SSH public and pivate key. Default `id_ed25519`
- `borg_ssh_key_file_path`: SSH-key to be used. Default `~/.ssh/{{ borg_ssh_key_name }}`
- `borg_ssh_key_type`: The algorithm used to generate the SSH private key. Choose: `rsa`, `dsa`, `rsa1`, `ecdsa`, `ed25519`. Default: `ed25519`
- `borg_ssh_key_comment`: Comment added to the SSH public key.
- `borg_ssh_command`: Command to use instead of just "ssh". This can be used to specify SSH options.
- `borg_version`: Force a specific borg version to be installed
- `borg_venv_path`: Path to store the venv for `borg(backup)` and `borgmatic`
- `borg_ssh_command`: Command to use instead of just "ssh". This can be used to specify ssh options.
- `borgmatic_check_last`: Number of archives to check. Defaults to `3`
- `borgmatic_checks`: List of consistency checks. Defaults to monthly checks. See [docs](https://torsion.org/borgmatic/docs/how-to/deal-with-very-large-backups/#check-frequency) for all options.
- `borgmatic_config_name`: Name to use for the Borgmatic config file. Defaults to `config.yaml`
- `borgmatic_timer_hour`: Hour when regular create and prune cron/systemd-timer job will run. Defaults to `{{ 6 | random }}`
- `borgmatic_timer_minute`: Minute when regular create and prune cron/systemd-timer job will run. Defaults to `{{ 59 | random }}`
- `borgmatic_timer_flags`: Flags to pass to borgmatic cron/systemd-timer job, like "--log-file /path/to/file.log --log-file-verbosity 2"
- `borgmatic_checks`: List of consistency checks. Defaults to `['repository']`
- `borgmatic_config_name`: Name to use for the borgmatic config file. Defaults to `config.yaml`
- `borgmatic_cron_checks_day`: Day when cron job for infrequent checks will run. Defaults to `{{ 28 | random }}`
- `borgmatic_cron_checks_hour`: Hour when cron job for infrequent checks will run. Defaults to `{{ range(7, 24) | random }}`
- `borgmatic_cron_checks_minute`: Minute when cron job for infrequent checks will run. Defaults to `{{ 59 | random }}`
- `borgmatic_cron_hour`: Hour when regular create and prune cron job will run. Defaults to `{{ 6 | random }}`
- `borgmatic_cron_minute`: Minute when regular create and prune cron job will run. Defaults to `{{ 59 | random }}`
- `borgmatic_hooks`: Hooks to monitor your backups e.g. with [Healthchecks](https://healthchecks.io/). See [official documentation](https://torsion.org/borgmatic/docs/how-to/monitor-your-backups/) for more.
- `borgmatic_timer`: If the variable is set, a timer is installed. A choice must be made between `cron` and `systemd`.
- `borgmatic_large_repo`: Less frequent, monthly repo checking. Defaults to `true`
- `borgmatic_relocated_repo_access_is_ok`: Bypass Borg error about a repository that has been moved. Defaults to `false`
- `borgmatic_unknown_unencrypted_repo_access_is_ok`: Bypass Borg error about a previously unknown unencrypted repository. Defaults to `false`
- `borgmatic_store_atime`: Store atime into archive. Defaults to `true`
- `borgmatic_store_ctime`: Store ctime into archive. Defaults to `true`
- `borgmatic_version`: Force a specific borgmatic version to be installed
- `ssh_key_file`: Path to a private ssh key file (default is `.ssh/id_ed25519`). It generates a ed25519 key if the file doesn't exist yet.
- `borg_user`: Name of the User to create Backups (service account)
- `borg_group`: Name of the Group to create Backups (service account)
### Optional Arguments for [BorgBase.com](https://www.borgbase.com) repository auto creation
This role can also set up a new repository on BorgBase, using the arguments below. Thanks to [Philipp Rintz](https://github.com/p-rintz) for contribution of this feature.
- `create_repo`: Whether to let the role create the repository for the server. Default: False
- `bb_token`: Your [BorgBase.com](https://www.borgbase.com) API-Token. Should be Create Only for security reasons.
- `bb_region`: Which region the backups should be saved in. Choice: "eu" or "us".
- `bb_new_sshkey`: Whether to use the automatically created SSH_key. Default: True
- `bb_sshkey`: If there is a key already available on [BorgBase.com](https://www.borgbase.com) that should be used, it can be set with this variable. The key needs to be exactly the same, including key-comment.
- `bb_append`: Should the permission of the newly created repository be append only? Default: True
- `bb_quota`: To use a quota for the Server. Default: False
- `bb_quota_size`: Will need to be set if `bb_quota` is set to True. In Gigabyte.
- `bb_alertdays`: After how many days of no backup activity should alerts be sent out? Defaults to off.
- `bb_repo_name`: What name the created repository should have. Defaults to the inventory_hostname.
### Use BorgBase Module Standalone
You can also use the BorgBase-Ansible module directly if needed:
```
- name: Create new repository for server in EU with new SSH_key and quota
borgbase:
repository_name: "{{ inventory_hostname }}"
token: "Your Borgbase API Token"
new_ssh_key: True
ssh_key: "{{ some_variable }}"
append_only: True
quota_enable: True
quota: 1000 #in GB
region: eu
alertdays: 2
delegate_to: localhost
```
## Planned features
- [x] Testing
- [ ] Multiple repos in one role-call instead of callng this role multiple times.
- [ ] Support more OSs, like Red Hat/Fedora/CentOS, SuSE, Gentoo, Slackware, Arch, BSD
## Contributing
@ -138,4 +146,4 @@ MIT/BSD
## Author
© 2018-2023 Manuel Riel and contributors.
© 2018-2020 Manuel Riel and contributors.

69
defaults/main.yml
View File

@ -1,14 +1,25 @@
---
borg_encryption_passphrase: ''
borg_exclude_patterns: []
borgmatic_config_name: config.yaml
borgmatic_large_repo: true
borgmatic_hooks:
on_error:
- echo "`date` - Error while creating a backup."
before_backup:
- echo "`date` - Starting backup."
after_backup:
- echo "`date` - Finished backup."
borgmatic_checks:
- repository
borgmatic_check_last: 3
borgmatic_store_atime: true
borgmatic_store_ctime: true
borgmatic_relocated_repo_access_is_ok: false
borg_one_file_system: true
borg_exclude_from: []
borg_encryption_passcommand: false
borg_lock_wait_time: 5
borg_ssh_key_type: "ed25519"
borg_ssh_key_name: "id_{{ borg_ssh_key_type }}"
borg_ssh_key_comment: ''
borg_ssh_key_file_path: "{{ backup_user_info.home }}/.ssh/{{ borg_ssh_key_name }}"
borg_ssh_command: false
borg_remote_path: false
borg_remote_rate_limit: 0
@ -17,38 +28,18 @@ borg_retention_policy:
keep_daily: 7
keep_weekly: 4
keep_monthly: 6
borg_version: false
borgmatic_timer_cron_name: "borgmatic"
borgmatic_timer: cron
borgmatic_timer_hour: "{{ range(0, 5) | random(seed=inventory_hostname) }}"
borgmatic_timer_minute: "{{ range(0, 59) | random(seed=inventory_hostname) }}"
borgmatic_timer_flags: ""
borg_install_method: "pip"
borg_require_epel: "{{ ansible_os_family == 'RedHat' and ansible_distribution != 'Fedora' }}"
borgmatic_config_name: config.yaml
borgmatic_hooks:
on_error:
- echo "`date` - Error while creating a backup."
before_backup:
- echo "`date` - Starting backup."
after_backup:
- echo "`date` - Finished backup."
borgmatic_checks:
- name: repository
frequency: "4 weeks"
- name: archives
frequency: "6 weeks"
borgmatic_check_last: 3
borgmatic_store_atime: true
borgmatic_store_ctime: true
borgmatic_relocated_repo_access_is_ok: false
borgmatic_unknown_unencrypted_repo_access_is_ok: false
borgmatic_version: ">=1.7.11"
borg_venv_path: "/opt/borgmatic"
borg_user: "root"
borg_group: "root"
backup_user_info:
home: "/home/{{ borg_user }}"
...
create_repo: False
ssh_key_file: .ssh/id_ed25519
bb_new_sshkey: True
bb_append: True
bb_quota: False
bb_quota_size: 0
bb_alertdays: 0
bb_repo_name: "{{ inventory_hostname }}"
bb_sshkey: "{{ root_user['ssh_public_key'] }}"
borgmatic_cron_name: borgmatic
borgmatic_cron_hour: "{{ 6 | random(seed=inventory_hostname) }}"
borgmatic_cron_minute: "{{ 59 | random(seed=inventory_hostname) }}"
borgmatic_cron_checks_day: "{{ range(1, 28) | random(seed=inventory_hostname) }}"
borgmatic_cron_checks_hour: "{{ range(9, 24) | random(seed=inventory_hostname) }}"
borgmatic_cron_checks_minute: "{{ 59 | random(seed=inventory_hostname) }}"

215
library/borgbase.py Normal file
View File

@ -0,0 +1,215 @@
#!/usr/bin/python
DOCUMENTATION = '''
---
module: borgbase
author: "Philipp Rintz (https://github.com/p-rintz)"
short_description: Ansible module for creating new repositories with borgbase.com
description:
- Ansible Module for creating new repositories with borgbase.com including adding new ssh keys
version_added: "2.6"
'''
EXAMPLES = '''
- name: Create new repository for server in EU with new SSH_key and quota
borgbase:
repository_name: "{{ inventory_hostname }}"
token: "Your Borgbase API Token"
new_ssh_key: True
ssh_key: "{{ some_variable }}"
append_only: True
quota_enable: True
quota: 1000 #in GB
region: eu
alertdays: 2
delegate_to: localhost
- name: Create new repository without new key and no quota/alerting in US region
borgbase:
repository_name: "{{ inventory_hostname }}"
token: "Your Borgbase API Token"
new_ssh_key: False
ssh_key: "ssh-ed25519 AAAAC3Nz......aLqRJw+dl/E+2BJ xxx@yyy"
region: us
delegate_to: localhost
'''
from ansible.module_utils.basic import *
from ansible.module_utils.borgbase_api_client.client import GraphQLClient
from ansible.module_utils.borgbase_api_client.mutations import *
from ansible.module_utils.borgbase_api_client.queries import *
def get_key_id(ssh_key):
res = client.execute(KEY_DETAILS)
for i in res['data']['sshList']:
if i['keyData'] == ssh_key:
key_id = i['id']
return key_id
def add_ssh_key():
key_name = 'Key for %s' % (module.params['repository_name'],)
new_key_vars = {
'name': key_name,
'keyData': module.params['ssh_key']
}
res = client.execute(SSH_ADD, new_key_vars)
new_key_id = res['data']['sshAdd']['keyAdded']['id']
return new_key_id
def add_repo(key_id):
if module.params['append_only']:
access_level = 'appendOnlyKeys'
else:
access_level = 'fullAccessKeys'
if not module.params['quota_enable']:
new_repo_vars = {
'name': module.params['repository_name'],
'quotaEnabled': module.params['quota_enable'],
access_level: [key_id],
'alertDays': module.params['alertdays'],
'region': module.params['region']
}
else:
new_repo_vars = {
'name': module.params['repository_name'],
'quotaEnabled': module.params['quota_enable'],
'quota': 1000*module.params['quota'],
access_level: [key_id],
'alertDays': module.params['alertdays'],
'region': module.params['region']
}
res = client.execute(REPO_ADD, new_repo_vars)
return res
def get_repo_id(name):
res = client.execute(REPO_DETAILS)
for repo in res['data']['repoList']:
if repo['name'] == name:
repo_id = repo['id']
return repo_id
return None
def edit_repo(repo_id, key_id):
if module.params['append_only']:
access_level = 'appendOnlyKeys'
else:
access_level = 'fullAccessKeys'
if not module.params['quota_enable']:
repo_vars = {
'id': repo_id,
'name': module.params['repository_name'],
access_level: [key_id],
'alertDays': module.params['alertdays'],
'region': module.params['region']
}
else:
repo_vars = {
'id': repo_id,
'name': module.params['repository_name'],
'quotaEnabled': module.params['quota_enable'],
'quota': 1000*module.params['quota'],
access_level: [key_id],
'alertDays': module.params['alertdays'],
'region': module.params['region']
}
res = client.execute(REPO_EDIT, repo_vars)
return res
def main():
global module
module = AnsibleModule(
argument_spec = dict(
repository_name = dict(
type='str',
required=True,
),
token = dict(
required=True,
type='str',
no_log=True
),
new_ssh_key = dict(
required=False,
default='True',
type='bool'
),
ssh_key = dict(
required=True,
type='str'
),
append_only = dict(
required=False,
default='True',
type='bool'
),
quota_enable = dict(
required=False,
default='False',
type='bool'
),
quota = dict(
required=False,
type='int'
),
region = dict(
required=True,
type='str',
choice=["eu", "us"]
),
alertdays = dict(
required=False,
default=0,
type='int'
)
)
)
global client
client = GraphQLClient(module.params['token'])
# Add new SSH key or get ID of old key
if module.params['new_ssh_key']:
key_id = add_ssh_key()
else:
key_id = get_key_id(module.params['ssh_key'])
# Check if repo with given name exists
repo_id = get_repo_id(module.params['repository_name'])
if repo_id is None:
# Add new repo using the key
res = add_repo(key_id)
repo_exist = False
else:
# Edit the repo
res = edit_repo(repo_id, key_id)
repo_exist = True
# Setup information for Ansible
result = dict(
changed = False,
data = '',
type = '',
key_id = ''
)
# Test for success and change info
if type(res) == dict:
result['changed'] = True
if repo_exist:
result['data'] = res["data"]["repoEdit"]["repoEdited"]
else:
result['data'] = res['data']['repoAdd']['repoAdded']
result['key_id'] = key_id
module.exit_json(**result)
else:
result['data'] = res
result['type'] = type(res)
result['key_id'] = key_id
module.fail_json(msg="Failed creating new respository.", **result)
if __name__ == '__main__':
main()

209
meta/argument_specs.yml
View File

@ -1,209 +0,0 @@
argument_specs:
main:
# https://docs.ansible.com/ansible/latest/user_guide/playbooks_reuse_roles.html#role-argument-validation
# https://docs.ansible.com/ansible/latest/dev_guide/developing_program_flow_modules.html#argument-spec
short_description: Role to install borgbackup and borgmatic.
description: Role to install borgbackup and borgmatic
author:
- 2018-2020 Manuel Riel and contributors.
- Frank Dornheim
options:
borg_dep_packages:
type: str
required: false
description: Dependancy Packages to install borg(backup) and borgmatic.
borg_distro_packages:
type: str
required: false
description: |
Contains the names of distributions packages for borg(backup) and borgmatic,
only used if `borg_install_method` is set to package
borg_pip_packages:
type: str
required: false
description: Dependancy Packages (pip) to install borg(backup) and borgmatic.
borg_venv_path:
type: str
required: false
description: Path to store the venv for borg(backup) and borgmatic.
borg_install_method:
type: str
required: false
default: pip
description: |
By default pip is used to install borgmatic.
To install via your distributions package manager set this to package and (if needed)
overwrite the borg_distro_packages variable to contain your distributions package names
required to install borgmatic.
Note that many distributions ship outdated versions of borgbackup and borgmatic; use at your own risk.
Set to none to disable installation management.
borgmatic_config_name:
type: str
required: false
default: config.yaml
description: Name to use for the borgmatic config file.
borg_user:
type: str
default: root
description: Name of the User to create Backups (Service Account)
borg_group:
type: str
default: root
description: Name of the Group to create Backups (Service Account)
borg_source_directories:
type: list
default: "/etc/hostname"
required: false
description: List of local folders to back up.
borg_one_file_system:
type: str
required: false
description: Don't cross file-system boundaries.
borg_repository:
type: str
required: true
description: |
Full path to repository.
Your own server or [BorgBase.com](https://www.borgbase.com) repo.
Not required when using auto creation of repositories.
Can be a list if you want to backup to multiple repositories.
borgmatic_store_atime:
type: bool
required: false
description: Store atime into archive.
borgmatic_store_ctime:
type: bool
required: false
description: Store ctime into archive.
borg_exclude_patterns:
type: list
required: false
description: Any paths matching these patterns are excluded from backups. Globs and tildes are expanded.
borg_exclude_from:
type: list
required: false
description: Read exclude patterns from one or more separate named files, one pattern per line.
borg_remote_path:
type: str
required: false
description: Alternate Borg remote executable. Defaults to "borg"
borg_encryption_passphrase:
type: str
description: |
The standard output of this command is used to unlock the encryption key.
Only use on repositories that were initialized with passcommand/repokey encryption.
Note that if both encryption_passcommand and encryption_passphrase are set,
then encryption_passphrase takes precedence.
borg_encryption_passcommand:
type: str
required: false
description: secret-tool lookup borg-repository repo-name
borg_remote_rate_limit:
type: int
required: false
description: Remote network upload rate limit in kiBytes/second.
borg_ssh_key_file_path:
type: str
required: false
description: Path to ssh-key
borg_ssh_command:
type: str
description: Command to use instead of just ssh. This can be used to specify ssh options.
borg_lock_wait_time:
type: int
description: Maximum seconds to wait for acquiring a repository/cache lock.
borgmatic_relocated_repo_access_is_ok:
type: bool
description: Bypass Borg error about a repository that has been moved.
borgmatic_unknown_unencrypted_repo_access_is_ok:
type: bool
description: Bypass Borg error about a previously unknown unencrypted repository.
borg_retention_policy:
type: dict
description: Define the pruning policy
options:
keep_secondly:
type: int
required: false
description: Number of secondly archives to keep.
keep_minutely:
type: int
required: false
description: Number of minutely archives to keep.
keep_hourly:
type: int
required: false
description: Number of hourly archives to keep.
keep_daily:
type: int
required: false
description: Number of daily archives to keep.
keep_weekly:
type: int
required: false
description: Number of weekly archives to keep.
keep_monthly:
type: int
required: false
description: Number of monthly archives to keep.
keep_yearly:
type: int
required: false
description: Number of yearly archives to keep.
borgmatic_checks:
type: list
required: false
description: |
List of one or more consistency checks to run
"repository", "archives", "data", and/or "extract".
Defaults to "repository" and "archives".
Set to "disabled" to disable all consistency checks.
"repository" checks the consistency of the repository,
"archives" checks all of the archives, "data" verifies
the integrity of the data within the archives, and
"extract" does an extraction dry-run of the most recent archive.
Note that "data" implies "archives".
borgmatic_check_last:
type: int
required: false
description: Restrict the number of checked archives to the last n. Applies only to the "archives" check.
borgmatic_hooks:
type: dict
required: false
description: Shell commands or scripts to execute before and after a backup or if an error has occurred.
borgmatic_timer_cron_name:
type: str
required: false
description: Name of the cron Job
borgmatic_timer:
type: str
required: false
description: If the variable is set, a timer is installed. A choice must be made between "cron" and "systemd".
borgmatic_timer_hour:
type: str
required: false
description: Hour when regular create and prune cron/systemd-timer job will run.
borgmatic_timer_minute:
type: str
required: false
description: Minute when regular create and prune cron/systemd-timer job will run.
borgmatic_timer_flags:
type: str
required: false
description: Flags to pass to borgmatic cron/systemd-timer job, like "--log-file /path/to/file.log --log-file-verbosity 2"
borgmatic_version:
type: str
required: false
description: Borgmatic version to install. Defaults to 'latest'
borg_ssh_key_type:
type: str
required: false
description: The algorithm used to generate the SSH private key
borg_ssh_key_name:
type: str
required: false
description: Name of the SSH public and private key
borg_ssh_key_comment:
type: str
required: false
description: Comment added to the SSH public key.

10
meta/main.yml
View File

@ -4,19 +4,21 @@ dependencies: []
galaxy_info:
author: Manuel Riel
role_name: ansible_role_borgbackup
namespace: borgbase
namespace: m3nu
description: Set up backup to remote machine using Borg and Borgmatic.
company: "BorgBase.com"
license: license (BSD, MIT)
min_ansible_version: "2.0"
min_ansible_version: 2.0
platforms:
- name: Debian
versions:
- all
- name: Ubuntu
versions:
- all
- name: ArchLinux
- trusty
- xenial
- bionic
- name: Archlinux
versions:
- all
galaxy_tags:

6
module_utils/README Normal file
View File

@ -0,0 +1,6 @@
The "borgbase_api_client" folder of the API client repository will need to be put into this folder.
Folder structure:
ansible-role-borgbackup/
|---------------------+ module_utils/
|-------- borgbase_api_client/

4
molecule/default/Dockerfile.j2
View File

@ -14,10 +14,10 @@ ENV {{ var }} {{ value }}
{% endfor %}
{% endif %}
RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python3 python3-pip sudo bash ca-certificates iproute2 python3-apt aptitude && apt-get clean; \
RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates iproute2 python3-apt aptitude && apt-get clean; \
elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install /usr/bin/python3 /usr/bin/python3-config /usr/bin/dnf-3 sudo bash iproute && dnf clean all; \
elif [ $(command -v yum) ]; then yum makecache fast && yum install -y /usr/bin/python /usr/bin/python2-config sudo yum-plugin-ovl bash iproute && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml iproute2 && zypper clean -a; \
elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; \
elif [ $(command -v pacman) ]; then pacman --noconfirm -Suy python python-pip sudo openssh; \
elif [ $(command -v pacman) ]; then pacman --noconfirm -Suy python sudo openssh; \
elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates iproute2 && xbps-remove -O; fi

27
molecule/default/converge.yml
View File

@ -5,13 +5,11 @@
- name: Set ssh server package name for non-Archlinux ansible_os_family
set_fact:
openssh_package: "openssh-server"
pip3_extra_args: ""
when: ansible_os_family != "Archlinux"
- name: Set ssh server package name and pip3 argument for Archlinux ansible_os_family
- name: Set ssh server package name for Archlinux ansible_os_family
set_fact:
openssh_package: "openssh"
pip3_extra_args: "--break-system-packages"
when: ansible_os_family == "Archlinux"
- name: Install openssh
@ -19,23 +17,10 @@
name: "{{ openssh_package }}"
state: present
- name: Enable EPEL for yamllint
package:
name: epel-release
state: present
when: ansible_os_family == 'RedHat' and ansible_distribution != 'Fedora'
- name: Install yamllint
package:
name: yamllint
state: present
roles:
- role: borgbase.ansible_role_borgbackup
borg_install_method: pip
borgmatic_timer: cron
borg_repository: m5vz9gp4@m5vz9gp4.repo.borgbase.com:repo
- role: m3nu.ansible_role_borgbackup
borg_encryption_passphrase: CHANGEME
borg_repository: m5vz9gp4@m5vz9gp4.repo.borgbase.com:repo
borg_source_directories:
- /srv/www
- /var/lib/automysqlbackup
@ -53,3 +38,9 @@
- name: users
hostname: database1.example.org
port: 5433
post_tasks:
- name: Install yamllint for checking config file
pip:
name: yamllint
executable: pip3

16
molecule/default/molecule.yml
View File

@ -6,12 +6,16 @@ driver:
platforms:
- name: archlinux-latest
image: archlinux:latest
- name: almalinux-9
image: almalinux:9
# - name: fedora-latest
# image: fedora:latest
- name: debian-bookworm
image: debian:bookworm
- name: centos-7
image: centos:7
- name: almalinux-8
image: almalinux:8
- name: fedora-latest
image: fedora:latest
- name: debian-bullseye
image: debian:bullseye
- name: ubuntu-bionic
image: ubuntu:bionic
- name: ubuntu-latest
image: ubuntu:latest
provisioner:

3
requirements-dev.txt
View File

@ -1,4 +1,3 @@
ansible
ansible-lint
molecule
molecule-plugins[docker]
molecule[lint,docker]

9
tasks/00_assert.yml
View File

@ -1,9 +0,0 @@
---
- name: Ensure legacy hooks aren't used
ansible.builtin.assert:
that:
- borgmatic_failure_command is undefined
- borgmatic_before_backup_command is undefined
- borgmatic_after_backup_command is undefined
msg: Please use the new borgmatic_hooks variable instead of individual before/after/failure hooks.
...

22
tasks/01_install.yml
View File

@ -1,22 +0,0 @@
---
- name: Install borgbackup
when: borg_install_method != "none"
block:
- name: Include OS-specific variables
include_vars: "{{ item }}"
with_first_found:
- "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
- "{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml"
- "{{ ansible_distribution }}.yml"
- "{{ ansible_os_family }}.yml"
- "{{ ansible_lsb.id }}.yml"
- name: Install general dependencies (openssh)
ansible.builtin.package:
name: "{{ borg_dep_packages }}"
state: present
- name: Install Borg and Borgmatic
ansible.builtin.include_tasks:
file: noauto_install_{{ borg_install_method }}.yml
...

25
tasks/02_user_management.yml
View File

@ -1,25 +0,0 @@
---
# So in different positions in that role we need the user home
# Since we cannot be sure that this FSH is compatible we will determine it.
- name: Get home dir
when:
- borg_user == "root"
block:
- name: Get home if borg_user == "root"
ansible.builtin.user:
name: "{{ borg_user }}"
state: present
register: user_info
changed_when: false
check_mode: true # Important, otherwise user will be created
- name: Save the user_info, we need them for the home_dir
ansible.builtin.set_fact:
backup_user_info: "{{ user_info }}"
- name: Create user if borg_user != "root"
when:
- borg_user != "root"
ansible.builtin.include_tasks:
file: noauto_create_backup_user_and_group.yml
...

29
tasks/03_create_key.yml
View File

@ -1,29 +0,0 @@
---
- name: Create SSH key (if neeeded) for {{ borg_user }}
block:
- name: Ensure directory exist
ansible.builtin.file:
path: "{{ backup_user_info.home }}/.ssh/"
state: directory
mode: "0700"
owner: "{{ borg_user }}"
group: "{{ borg_group }}"
- name: Generate an OpenSSH keypair
community.crypto.openssh_keypair:
path: "{{ borg_ssh_key_file_path }}"
mode: "0600"
type: "{{ borg_ssh_key_type }}"
owner: "{{ borg_user }}"
group: "{{ borg_group }}"
comment: "{{ borg_ssh_key_comment }}"
- name: Read SSH key
ansible.builtin.slurp:
src: "{{ borg_ssh_key_file_path }}.pub"
register: backup_local_ssh_key
- name: Print key
ansible.builtin.debug:
msg: "The generated key is: {{ backup_local_ssh_key['content'] | b64decode }}"
...

19
tasks/05_configure.yml
View File

@ -1,19 +0,0 @@
---
- name: Add Borgmatic config file
block:
- name: Ensure /etc/borgmatic exists
ansible.builtin.file:
path: /etc/borgmatic
state: directory
mode: "0700"
owner: "{{ borg_user }}"
group: "{{ borg_group }}"
- name: Add Borgmatic configuration
ansible.builtin.template:
src: config.yaml.j2
dest: "/etc/borgmatic/{{ borgmatic_config_name }}"
mode: "0600"
owner: "{{ borg_user }}"
group: "{{ borg_group }}"
...

8
tasks/07_install_timer.yml
View File

@ -1,8 +0,0 @@
---
- name: Install timer to run Borgmatic
when:
- borgmatic_timer is defined and borgmatic_timer | length > 0
block:
- name: Start timer install script
ansible.builtin.include_tasks:
file: noauto_create_timer_{{ borgmatic_timer }}.yml

1
tasks/Archlinux.yml Normal file
View File

@ -0,0 +1 @@
---

1
tasks/Debian.yml Normal file
View File

@ -0,0 +1 @@
---

1
tasks/RedHat.yml Normal file
View File

@ -0,0 +1 @@
---

163
tasks/main.yml Normal file → Executable file
View File

@ -1,7 +1,158 @@
---
- name: Add and run all plays
include_tasks: "{{ bak_element }}"
with_items: "{{ lookup('ansible.builtin.fileglob', '*.yml').split(',') | reject('search', 'main.yml') | reject('search', 'noauto_*') | sort }}"
loop_control:
loop_var: bak_element
...
- name: Ensure legacy hooks aren't used
assert:
that:
- borgmatic_failure_command is undefined
- borgmatic_before_backup_command is undefined
- borgmatic_after_backup_command is undefined
msg: Please use the new borgmatic_hooks variable instead of individual before/after/failure hooks.
- name: Include OS-specific variables
include_vars: "{{ item }}"
with_first_found:
- "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
- "{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml"
- "{{ ansible_distribution }}.yml"
- "{{ ansible_os_family }}.yml"
- "{{ ansible_lsb.id }}.yml"
- name: Run OS-specific tasks
include: "{{ item }}"
with_first_found:
- "{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml"
- "{{ ansible_os_family }}.yml"
- name: Install required System Packages
package:
name: "{{ borg_packages }}"
state: present
- name: Create virtualenv for borg # noqa package-latest
pip:
name:
- pip
- setuptools
state: latest
virtualenv: /opt/borgmatic
virtualenv_command: "{{ python_bin }} -m venv"
- name: Install dependent Python Packages
pip:
name: "{{ borg_dependent_python_packages }}"
virtualenv: /opt/borgmatic
when: borg_dependent_python_packages is defined
- name: Install main Python Packages
pip:
name: "{{ borg_python_packages }}"
virtualenv: /opt/borgmatic
when: borg_python_packages is defined
- name: Create borgmatic command in /usr/local/bin
copy:
content: |
#!/bin/bash
. /opt/borgmatic/bin/activate
borgmatic "$@"
dest: /usr/local/bin/borgmatic
owner: root
group: root
mode: "0755"
- name: Ensure root has SSH key.
user:
name: "root"
generate_ssh_key: yes
ssh_key_file: "{{ ssh_key_file }}"
ssh_key_type: ed25519
register: root_user
- name: Print key created for root user (use for remote repo)
debug:
var: root_user['ssh_public_key']
- name: Create new repository for server
borgbase:
repository_name: "{{ bb_repo_name }}"
token: "{{ bb_token }}"
new_ssh_key: "{{ bb_new_sshkey }}"
ssh_key: "{{ bb_sshkey }}"
append_only: "{{ bb_append }}"
quota_enable: "{{ bb_quota }}"
quota: "{{ bb_quota_size }}"
region: "{{ bb_region }}"
alertdays: "{{ bb_alertdays }}"
delegate_to: localhost
become: no
register: repo_creation
when: create_repo
- name: Set Repository Fact
set_fact:
borg_repository: |-
{% if borg_repository is defined and borg_repository is string %}
{{ [borg_repository] + [ repo_creation['data']['repoPath'] ] }}
{% elif borg_repository is defined %}
{{ borg_repository + [ repo_creation['data']['repoPath'] ] }}
{% else %}
{{ repo_creation['data']['repoPath'] }}
{% endif %}
when: create_repo
- name: Ensure /etc/borgmatic exists
file:
path: /etc/borgmatic
state: directory
mode: 0700
owner: root
- name: Add Borgmatic configuration
template:
src: config.yaml.j2
dest: "/etc/borgmatic/{{ borgmatic_config_name }}"
mode: 0600
- name: Add cron-job for borgmatic (large repo, create and check separate)
block:
- name: Add cron job for regular create and prune
cron:
name: "{{ borgmatic_cron_name }}"
hour: "{{ borgmatic_cron_hour }}"
minute: "{{ borgmatic_cron_minute }}"
user: "root"
cron_file: "{{ borgmatic_cron_name }}"
job: "borgmatic -c /etc/borgmatic/{{ borgmatic_config_name }} --create --prune"
- name: Add cron job for infrequent checks
cron:
name: "{{ borgmatic_cron_name }}-check"
day: "{{ borgmatic_cron_checks_day }}"
hour: "{{ borgmatic_cron_checks_hour }}"
minute: "{{ borgmatic_cron_checks_minute }}"
user: "root"
cron_file: "{{ borgmatic_cron_name }}"
job: "borgmatic -c /etc/borgmatic/{{ borgmatic_config_name }} --check"
when: borgmatic_large_repo
- name: Add cron-job for borgmatic (normal-sized repo)
block:
- name: Add cron job for create, check and prune
cron:
name: "{{ borgmatic_cron_name }}"
hour: "{{ borgmatic_cron_hour }}"
minute: "{{ borgmatic_cron_minute }}"
user: "root"
cron_file: "{{ borgmatic_cron_name }}"
job: "borgmatic -c /etc/borgmatic/{{ borgmatic_config_name }}"
- name: Ensure separate check cron job is absent
cron:
name: "{{ borgmatic_cron_name }}-check"
state: absent
when: not borgmatic_large_repo
- name: Set PATH for borgmatic cron job.
cron:
user: "root"
cron_file: "{{ borgmatic_cron_name }}"
name: PATH
env: yes
value: /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

34
tasks/noauto_create_backup_user_and_group.yml
View File

@ -1,34 +0,0 @@
---
- name: Setup backup environment
when:
- backup_create_local_user is not defined or backup_create_local_user
- borg_user != "root"
block:
- name: Add local backup group
ansible.builtin.group:
name: "{{ borg_group }}"
state: present
- name: Add local backup user
ansible.builtin.user:
name: "{{ borg_user }}"
shell: "/bin/bash"
groups: "{{ borg_group }}"
comment: "Backup User Account"
append: true
register: user_info
- name: Save the user_info, we need them for the home_dir
ansible.builtin.set_fact:
backup_user_info: "{{ user_info }}"
- name: Add sudo users
community.general.sudoers:
name: "backup"
state: present
user: "{{ borg_user }}"
nopassword: true
commands:
- "/opt/borgmatic/bin/borg"
- "/usr/local/bin/borgmatic -c /etc/borgmatic/{{ borgmatic_config_name }}"
...

31
tasks/noauto_create_timer_cron.yml
View File

@ -1,31 +0,0 @@
---
- name: Ensure Cron is installed
ansible.builtin.package:
name: "{{ borg_cron_package }}"
state: present
- name: Add Cron job for borgmatic
block:
- name: Add single Cron job for borgmatic
cron:
name: "{{ borgmatic_timer_cron_name }}"
hour: "{{ borgmatic_timer_hour }}"
minute: "{{ borgmatic_timer_minute }}"
user: "{{ borg_user }}"
cron_file: "{{ borgmatic_timer_cron_name }}"
job: "borgmatic -c /etc/borgmatic/{{ borgmatic_config_name }} {{ borgmatic_timer_flags }}"
- name: Ensure separate check cron job is absent
cron:
name: "{{ borgmatic_timer_cron_name }}-check"
cron_file: "{{ borgmatic_timer_cron_name }}"
state: absent
- name: Set PATH for borgmatic cron job.
cron:
user: "{{ borg_user }}"
cron_file: "{{ borgmatic_timer_cron_name }}"
name: PATH
env: true
value: /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
...

67
tasks/noauto_create_timer_systemd.yml
View File

@ -1,67 +0,0 @@
---
- name: Register existence of Borgmatic cron file.
cron:
name: "{{ borgmatic_timer_cron_name }}"
cron_file: "{{ borgmatic_timer_cron_name }}"
state: absent
check_mode: true
register: cron_file_exists
ignore_errors: true
- name: Ensure no Borgmatic Cron file exists.
ansible.builtin.assert:
that:
- not cron_file_exists.changed
- not cron_file_exists.failed or "Failed to find" in cron_file_exists.msg
fail_msg: Found an existing Borgmatic Cron job. Please remove before using Systemd timer.
- name: Create borgbackup timer
block:
- name: Copy systemd files
ansible.builtin.template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: root
group: root
backup: true
mode: "{{ item.mode }}"
with_items:
- { src: "borgmatic.timer.j2", dest: "/usr/lib/systemd/system/borgmatic.timer", mode: "0644" }
- { src: "borgmatic.service.j2", dest: "/usr/lib/systemd/system/borgmatic.service", mode: "0644" }
- name: Populate service facts
ansible.builtin.service_facts:
# If the role is running and the repo is not yet initialized, an error will occur.
# Therefore the service is stopped by default and must be started manually.
- name: Stop fresh installed borgmatic.timer and borgmatic.service
when: "'borgmatic.service' not in ansible_facts.services"
block:
- name: Set borgmatic services to stopped - newly installed
ansible.builtin.systemd:
name: "{{ item }}"
state: stopped
enabled: false
masked: false
daemon_reload: true
when: item in ansible_facts.services
with_items:
- borgmatic.service
# bug: Need own section without masked else the timer are skipped
- name: Set borgmatic timers to stopped - newly installed
ansible.builtin.systemd:
name: "{{ item }}"
state: stopped
enabled: false
daemon_reload: true
with_items:
- "borgmatic.timer"
- name: Show hints
when: "'backup_init_repo' not in ansible_run_tags"
ansible.builtin.debug:
msg: >-
Attention: Since the repo was not initialized automatically,
the systemd service (borgmatic.service) and the timer (borgmatic.timer) are not activated.
...

21
tasks/noauto_install_package.yml
View File

@ -1,21 +0,0 @@
---
- name: Install borgbackup by distro
block:
- name: Check if EPEL repo is enabled, if installation from distro is requested
when: borg_require_epel
block:
- name: Get list of installed packages
ansible.builtin.package_facts:
manager: auto
- name: Ensure EPEL is enabled
ansible.builtin.assert:
that:
- "'epel-release' in ansible_facts.packages"
fail_msg: Need EPEL repo to install via distro package.
- name: Install borgmatic and borg via distribution package manager
ansible.builtin.package:
name: "{{ item }}"
state: present
loop: "{{ borg_distro_packages }}"
...

57
tasks/noauto_install_pip.yml
View File

@ -1,57 +0,0 @@
---
- name: Install Borg and Borgmatic via pip
block:
- name: Ensure the crb repository is enabled for RedHat (needed for xxhash)
community.general.dnf_config_manager:
name: crb
state: enabled
when: ansible_os_family == 'RedHat' and ansible_distribution != 'Fedora'
- name: Install build dependencies
ansible.builtin.package:
name: "{{ borg_pip_packages }}"
state: present
- name: Create virtualenv for borg # noqa package-latest
ansible.builtin.pip:
name:
- pip
- setuptools
state: latest
virtualenv: "{{ borg_venv_path }}"
virtualenv_command: "{{ python_bin }} -m venv"
- name: Install dependent Python packages
ansible.builtin.pip:
name: "{{ borg_dependent_python_packages }}"
virtualenv: "{{ borg_venv_path }}"
when: borg_dependent_python_packages is defined
- name: Install main Python packages
ansible.builtin.pip:
name: "{{ item.name }}"
version: "{{ item.version | default(omit, true) }}"
virtualenv: "{{ borg_venv_path }}"
when: borg_python_packages is defined
loop: "{{ borg_python_packages }}"
- name: Create links to Borgmatic and Borg binaries
block:
- name: Create borgmatic command in /usr/local/bin
ansible.builtin.copy:
content: |
#!/bin/bash
. "{{ borg_venv_path }}"/bin/activate
borgmatic "$@"
dest: /usr/local/bin/borgmatic
mode: "0755"
- name: Create borg command in /usr/local/bin
ansible.builtin.copy:
content: |
#!/bin/bash
. "{{ borg_venv_path }}"/bin/activate
borg "$@"
dest: /usr/local/bin/borg
mode: "0755"
...

60
templates/borgmatic.service.j2
View File

@ -1,60 +0,0 @@
# Managed by Ansible, please don't edit manually
[Unit]
Description=borgmatic backup
Wants=backup_normal_repo.timer
Wants=network-online.target
After=network-online.target
# Prevent borgmatic from running unless the machine is plugged into power. Remove this line if you
# want to allow borgmatic to run anytime.
ConditionACPower=true
[Service]
Type=oneshot
User={{ borg_user }}
ExecStart=borgmatic -c /etc/borgmatic/{{ borgmatic_config_name }} {{ borgmatic_timer_flags }}
# Source: https://projects.torsion.org/borgmatic-collective/borgmatic/raw/branch/master/sample/systemd/borgmatic.service
# Security settings for systemd running as root, optional but recommended to improve security. You
# can disable individual settings if they cause problems for your use case. For more details, see
# the systemd manual: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
LockPersonality=true
# Certain borgmatic features like Healthchecks integration need MemoryDenyWriteExecute to be off.
# But you can try setting it to "yes" for improved security if you don't use those features.
MemoryDenyWriteExecute=no
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
# To restrict write access further, change "ProtectSystem" to "strict" and uncomment
# "ReadWritePaths", "ReadOnlyPaths", "ProtectHome", and "BindPaths". Then add any local repository
# paths to the list of "ReadWritePaths" and local backup source paths to "ReadOnlyPaths". This
# leaves most of the filesystem read-only to borgmatic.
ProtectSystem=full
# ReadWritePaths=-/mnt/my_backup_drive
# ReadOnlyPaths=-/var/lib/my_backup_source
# This will mount a tmpfs on top of /root and pass through needed paths
# ProtectHome=tmpfs
# BindPaths=-/root/.cache/borg -/root/.config/borg -/root/.borgmatic
# May interfere with running external programs within borgmatic hooks.
# CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
# Lower CPU and I/O priority.
Nice=19
CPUSchedulingPolicy=batch
IOSchedulingClass=best-effort
IOSchedulingPriority=7
IOWeight=100

13
templates/borgmatic.timer.j2
View File

@ -1,13 +0,0 @@
# Managed by Ansible, please don't edit manually
[Unit]
Description=Start creating of Backups - see: https://www.freedesktop.org/software/systemd/man/systemd.time.html#
[Timer]
# Day-of-the-Week Year-Month-Day Hour:Minutes:Seconds
# Persistent -> resume backup after shutdown
OnCalendar= *-*-* {{ borgmatic_timer_hour }}:{{ borgmatic_timer_minute }}:00
Persistent=true
[Install]
WantedBy=timers.target

36
templates/config.yaml.j2
View File

@ -1,28 +1,21 @@
#jinja2: lstrip_blocks: True, trim_blocks: True
#jinja2: lstrip_blocks: "True", trim_blocks: "True"
---
# Managed by Ansible, please don't edit manually
# Full config: https://torsion.org/borgmatic/docs/reference/config.yaml
location:
{% if borg_source_directories is not defined or borg_source_directories | length == 0 %}
source_directories:
- /etc/hostname # prevent empty backupconfig
{% else %}
source_directories:
{% for dir in borg_source_directories %}
{% for dir in borg_source_directories %}
- {{ dir }}
{% endfor %}
{% endif %}
{% endfor %}
# Stay in same file system (do not cross mount points).
one_file_system: {{ borg_one_file_system }}
repositories:
{% if borg_repository is iterable and (borg_repository is not string and borg_repository is not mapping) %}
{% for repo in borg_repository %}
- path: {{ repo }}
- {{ repo }}
{% endfor %}
{% elif borg_repository is defined and borg_repository is string %}
- path: {{ borg_repository }}
- {{ borg_repository }}
{% endif %}
# Store atime into archive.
@ -66,10 +59,8 @@ location:
# https://borgbackup.readthedocs.io/en/stable/usage/general.html#environment-variables for
# details.
storage:
{% if borg_encryption_passphrase %}
encryption_passphrase: {{ borg_encryption_passphrase }}
{% endif %}
# The standard output of this command is used to unlock the encryption key. Only
# use on repositories that were initialized with passcommand/repokey encryption.
# Note that if both encryption_passcommand and encryption_passphrase are set,
@ -82,7 +73,7 @@ storage:
# Type of compression to use when creating archives. See
# https://borgbackup.readthedocs.org/en/stable/usage.html#borg-create for details.
# Defaults to no compression.
compression: {{ borg_compression|default('auto,zstd') }}
compression: auto,zstd
# Remote network upload rate limit in kiBytes/second.
{% if borg_remote_rate_limit %}
@ -112,9 +103,6 @@ storage:
# Bypass Borg error about a repository that has been moved.
relocated_repo_access_is_ok: {{ borgmatic_relocated_repo_access_is_ok }}
# Bypass Borg error about a previously unknown unencrypted repository.
unknown_unencrypted_repo_access_is_ok: {{ borgmatic_unknown_unencrypted_repo_access_is_ok }}
# Retention policy for how many backups to keep in each category. See
# https://borgbackup.readthedocs.org/en/stable/usage.html#borg-prune for details.
# At least one of the "keep" options is required for pruning to work.
@ -154,6 +142,11 @@ retention:
keep_yearly: {{ borg_retention_policy.keep_yearly }}
{% endif %}
# When pruning, only consider archive names starting with this prefix.
# Borg placeholders can be used. See the output of "borg help placeholders" for
# details. Default is "{hostname}-".
prefix: '{hostname}-'
# Consistency checks to run after backups. See
# https://borgbackup.readthedocs.org/en/stable/usage.html#borg-check and
# https://borgbackup.readthedocs.org/en/stable/usage.html#borg-extract for details.
@ -174,6 +167,11 @@ consistency:
# Restrict the number of checked archives to the last n. Applies only to the "archives" check.
check_last: {{ borgmatic_check_last }}
# When performing the "archives" check, only consider archive names starting with
# this prefix. Borg placeholders can be used. See the output of
# "borg help placeholders" for details. Default is "{hostname}-".
prefix: '{hostname}-'
# Shell commands or scripts to execute before and after a backup or if an error has occurred.
# IMPORTANT: All provided commands and scripts are executed with user permissions of borgmatic.
# Do not forget to set secure permissions on this file as well as on any script listed (chmod 0700) to
@ -181,5 +179,5 @@ consistency:
hooks:
{% for hook in borgmatic_hooks %}
{{ hook }}:
{{ borgmatic_hooks[hook] | to_nice_yaml(indent=4) | indent(8, first=true) }}
{{ borgmatic_hooks[hook] | to_nice_yaml(indent=2) | trim | indent(8) }}
{% endfor %}

20
vars/Archlinux.yml
View File

@ -1,24 +1,10 @@
---
borg_dep_packages:
- openssh
borg_cron_package: cronie
borg_pip_packages:
- acl
borg_packages:
- cronie
- gcc
- lz4
- openssl
- openssh
- pkgconfig
- python-pip
- python-setuptools
- xxhash
- xz
- zstd
borg_distro_packages:
- borg
- borgmatic
python_bin: python3
pip_bin: pip3

16
vars/Debian.yml
View File

@ -1,16 +1,8 @@
---
borg_dep_packages:
- openssh-client
borg_cron_package: cron
borg_pip_packages:
borg_packages:
- libssl-dev
- libacl1-dev
- libacl1
- liblz4-dev
- libzstd-dev
- libxxhash-dev
- build-essential
- python3-setuptools
- python3-dev
@ -18,10 +10,8 @@ borg_pip_packages:
- python3-pkgconfig
- python3-msgpack
- python3-venv
borg_distro_packages:
- borgbackup
- borgmatic
- openssh-client
- cron
python_bin: python3
pip_bin: pip3

28
vars/Fedora.yml
View File

@ -1,29 +1,17 @@
---
borg_dep_packages:
- openssh-clients
borg_cron_package: cronie
borg_pip_packages:
borg_packages:
- libacl-devel
- libacl
- gcc
- gcc-c++
- libacl
- libacl-devel
- libzstd-devel
- lz4-devel
- openssl-devel
- openssl-devel
- python3-cython
# - python3-devel
- python3-pip
- python3-setuptools
- python3-wheel
- xxhash
- xxhash-devel
borg_distro_packages:
- borgbackup
- borgmatic
- python3-devel
- python3-setuptools
- python3-Cython
- openssh-clients
- cronie
python_bin: python3
pip_bin: pip3

22
vars/ManjaroLinux.yml
View File

@ -1,24 +1,8 @@
---
borg_dep_packages:
- openssh
borg_cron_package: cronie
borg_pip_packages: # untested
- libssl-dev
- libacl1-dev
- libacl1
- build-essential
- python3-setuptools
- python3-dev
- python3-pip
- python3-pkgconfig
- python3-msgpack
- python3-venv
borg_distro_packages:
- borg
borg_packages:
- borgmatic
- openssh
- cronie
python_bin: python3
pip_bin: pip3

28
vars/RedHat-10.yml
View File

@ -1,28 +0,0 @@
---
borg_dep_packages:
- openssh-clients
borg_cron_package: cronie
borg_pip_packages:
- gcc
- gcc-c++
- libacl
- libacl-devel
- libzstd-devel
- lz4-devel
- openssl-devel
# - python3-devel
- python3-pip
- python3-setuptools
- xxhash
- xxhash-devel
# - python3-virtualenv
# - python3-wheel
borg_distro_packages:
- borgbackup
- borgmatic
python_bin: python3
pip_bin: pip3

13
vars/RedHat-8.yml
View File

@ -1,10 +1,5 @@
---
borg_dep_packages:
- openssh-clients
borg_cron_package: cronie
borg_pip_packages:
borg_packages:
- libacl-devel
- libacl
- gcc
@ -15,10 +10,8 @@ borg_pip_packages:
- python3-devel
- python3-setuptools
- python3-virtualenv
borg_distro_packages:
- borgbackup
- borgmatic
- openssh-clients
- cronie
python_bin: python3
pip_bin: pip3

27
vars/RedHat-9.yml
View File

@ -1,28 +1,17 @@
---
borg_dep_packages:
- openssh-clients
borg_cron_package: cronie
borg_pip_packages:
borg_packages:
- libacl-devel
- libacl
- gcc
- gcc-c++
- libacl
- libacl-devel
- libzstd-devel
- lz4-devel
- openssl-devel
# - python3-devel
- python3-pip
- python3-wheel
- python3-devel
- python3-setuptools
- xxhash
- xxhash-devel
# - python3-virtualenv
# - python3-wheel
borg_distro_packages:
- borgbackup
- borgmatic
- python3-virtualenv
- openssh-clients
- cronie
python_bin: python3
pip_bin: pip3

13
vars/RedHat.yml
View File

@ -1,10 +1,5 @@
---
borg_dep_packages:
- openssh-clients
borg_cron_package: cronie
borg_pip_packages:
borg_packages:
- libacl-devel
- libacl
- gcc
@ -14,10 +9,8 @@ borg_pip_packages:
- python36-wheel
- python36-devel
- python-setuptools
borg_distro_packages:
- borgbackup
- borgmatic
- openssh-clients
- cronie
python_bin: python3
pip_bin: pip3

7
vars/main.yml
View File

@ -2,9 +2,6 @@
borg_dependent_python_packages:
- cython
- pkgconfig
borg_python_packages:
- name: borgbackup
version: "{{ borg_version }}"
- name: borgmatic
version: "{{ borgmatic_version }}"
- borgbackup
- borgmatic