mirror of
https://github.com/borgbase/ansible-role-borgbackup.git
synced 2024-11-19 19:07:42 +01:00
dd960dcf4e
* add full path * Update Readme.me: reorder optional Arguments, update cron -> systemd timer * remove ssh_key_file; change cron to timer * Removed cronie from package installation because systemd timer is used * docker.sh - Stops all or selected containers to save the persistent data intact. The containers are started in reverse order * Created arguments_specs.yml * Role restructured: - if needed creation of a service user incl. creation of the ssh-key, - add the ssh key to authorized_keys, - auto init of the repos, - creation and start of systemd timer and services and - installation of the Docker helperscript. * restructure role add import logic * cleanup: user backup_user * - "borg_source_directories" is not longer a required Argument - add "borg_keys_directory" to load key from Service user during starting borgmatic by sudo * Add borgmatic_initialization_repo (bool) as option to disable init of repo * cleanup * fix ansible-lint errors and warnings * fix letter turner * add option: borgmatic_timer * add: - borgmatic_timer_systemd: true readd: - borgmatic_cron_name: "borgmatic" * - renamed borgmatic_cron_name to borgmatic_timer_cron_name to be more convergent. - Change recommendations implemented by m3nu so that creation of a timer (systemd or cron) is optional and can be selected via borgmatic_timer. * Add description to borgmatic_timer_cron_name and borgmatic_timer * Add variable borg_cron_package to install the cron-packages in case of using timer: cron * reworked timer install logic * reworked timer install logic * Add comments for running backup with service account * add new parameters for tests * Switch created to perform the backup as root or service account. If a service account is to be used, it will be created. * Refactored: Check for ssh-key if not present, genereate them. * Refactored * Refactored * renamed tasks/03_configure.yml to tasks/04_create_links_to_borg_and_borgmatic.yml * Refactored * Refactored * add example for service account * Update Python version for testing * No auto init * Add description to install_backup * Add description to install_backup * set coverage back to: m3nu.ansible_role_borgbackup * The initialization of the repository must be activated and does not take place automatically. * The initialization of the repository must be activated and does not take place automatically. * Removed install_backup as var (bool) to prevent that this role run * Rename backup_ssh_command to borg_ssh_command, tis was a double definition * Renamed backup_repository to borg_repository and add better explanations * remove copy ssh-keys and cert parts * Add comments to borg_ssh_key_file and borg_ssh_key_type * Set allways the borg_ssh_key_file and borg_ssh_command to load the right ssh-key. Add borg_ssh_key_type to select the key type by user * Add borg_ssh_key_type * renamed id_rsa to backup * generate ssh-keys (backup and backup.pub) and add better explanation * Print out key if borgmatic_initialization_repo is false * Remove 'su - {{ borgbackup_user }} -c' to execute the borgmatic by the right user * Add Check frequency, therefore, we no longer need to distinguish between normal and large repos * Add link to Article * renamed backup_ssh_command and backup_ssh_key_file to borg_ssh_command and borg_ssh_key_file * Removed: borgmatic_initialization_repo * Removed: borgmatic_initialization_repo * Removed: borgmatic_initialization_repo * revert changes * Add Full Automation * polishing * rename backup.timer and bakup.service to borgmatic.timer and borgmatic.service * remove debug * Try to find services in ansible_facts * Forgot to install Cron * change borg_ssh_key_type to ed25519 * remove conditional checks * - add hint to using a service user - renamed: borg_ssh_key_file to borg_ssh_key_file_path - removed advanced example * add borg_ssh_key_name, renamed borg_ssh_key_file to borg_ssh_key_file_path * removed static pointing to ~/.ssh/backup SSH private key * Add README-Advanced-Examples.md for storing more examples * Fix test idempotence * Dont symlink when using distro packages * Remove old test targets, consistent wording, remove tag * Remove helper scripts, fix absolute path * Fix cron job, add assert to prevent duplicate timers * nit-pick * Create bin links as root, no borg_ssh_command by default. * Add breaking changes note to README --------- Co-authored-by: Manu <manu@snapdragon.cc>
61 lines
2.3 KiB
Django/Jinja
61 lines
2.3 KiB
Django/Jinja
# Managed by Ansible, please don't edit manually
|
|
|
|
[Unit]
|
|
Description=borgmatic backup
|
|
Wants=backup_normal_repo.timer
|
|
Wants=network-online.target
|
|
After=network-online.target
|
|
# Prevent borgmatic from running unless the machine is plugged into power. Remove this line if you
|
|
# want to allow borgmatic to run anytime.
|
|
ConditionACPower=true
|
|
|
|
[Service]
|
|
Type=oneshot
|
|
User={{ borg_user }}
|
|
ExecStart=borgmatic -c /etc/borgmatic/{{ borgmatic_config_name }}
|
|
|
|
# Source: https://projects.torsion.org/borgmatic-collective/borgmatic/raw/branch/master/sample/systemd/borgmatic.service
|
|
# Security settings for systemd running as root, optional but recommended to improve security. You
|
|
# can disable individual settings if they cause problems for your use case. For more details, see
|
|
# the systemd manual: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
|
|
LockPersonality=true
|
|
# Certain borgmatic features like Healthchecks integration need MemoryDenyWriteExecute to be off.
|
|
# But you can try setting it to "yes" for improved security if you don't use those features.
|
|
MemoryDenyWriteExecute=no
|
|
NoNewPrivileges=yes
|
|
PrivateDevices=yes
|
|
PrivateTmp=yes
|
|
ProtectClock=yes
|
|
ProtectControlGroups=yes
|
|
ProtectHostname=yes
|
|
ProtectKernelLogs=yes
|
|
ProtectKernelModules=yes
|
|
ProtectKernelTunables=yes
|
|
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
|
|
RestrictNamespaces=yes
|
|
RestrictRealtime=yes
|
|
RestrictSUIDSGID=yes
|
|
SystemCallArchitectures=native
|
|
SystemCallFilter=@system-service
|
|
SystemCallErrorNumber=EPERM
|
|
# To restrict write access further, change "ProtectSystem" to "strict" and uncomment
|
|
# "ReadWritePaths", "ReadOnlyPaths", "ProtectHome", and "BindPaths". Then add any local repository
|
|
# paths to the list of "ReadWritePaths" and local backup source paths to "ReadOnlyPaths". This
|
|
# leaves most of the filesystem read-only to borgmatic.
|
|
ProtectSystem=full
|
|
# ReadWritePaths=-/mnt/my_backup_drive
|
|
# ReadOnlyPaths=-/var/lib/my_backup_source
|
|
# This will mount a tmpfs on top of /root and pass through needed paths
|
|
# ProtectHome=tmpfs
|
|
# BindPaths=-/root/.cache/borg -/root/.config/borg -/root/.borgmatic
|
|
|
|
# May interfere with running external programs within borgmatic hooks.
|
|
# CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
|
|
|
|
# Lower CPU and I/O priority.
|
|
Nice=19
|
|
CPUSchedulingPolicy=batch
|
|
IOSchedulingClass=best-effort
|
|
IOSchedulingPriority=7
|
|
IOWeight=100
|