From 5b953c8dba0d7d4be10f93dfa10da975e5be1294 Mon Sep 17 00:00:00 2001
From: Julien Dessaux
Date: Tue, 9 Jul 2019 11:45:03 +0200
Subject: Added borg backup role

---
 tasks/client.yml | 89 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 tasks/common.yml | 25 ++++++++++++++++
 tasks/main.yml   | 10 +++++++
 tasks/server.yml | 26 +++++++++++++++++
 4 files changed, 150 insertions(+)
 create mode 100644 tasks/client.yml
 create mode 100644 tasks/common.yml
 create mode 100644 tasks/main.yml
 create mode 100644 tasks/server.yml

(limited to 'tasks')

diff --git a/tasks/client.yml b/tasks/client.yml
new file mode 100644
index 0000000..b4c4b22
--- /dev/null
+++ b/tasks/client.yml
@@ -0,0 +1,89 @@
+---
+- name: generate borg ssh key on client
+  openssh_keypair:
+    owner: root
+    mode: 0400
+    path: /root/.ssh/borg
+    type: ed25519
+  register: borg_ssh_key
+
+- name: reload ansible_local
+  setup: filter=ansible_local
+  when: borg_ssh_key.changed
+
+- name: Enforce borg authorized key on server
+  authorized_key:
+    user: borg
+    key: "{{ ansible_local.borg.pubkey }}"
+    key_options: 'command="cd /srv/borg/repos/{{ ansible_hostname }}; borg serve --restrict-to-path /srv/borg/repos/{{ ansible_hostname }}",restrict'
+  delegate_to: "{{ borg_server }}"
+
+- name: create borg client repo directory on server
+  file:
+    path: "/srv/borg/repos/{{ ansible_hostname }}"
+    state: directory
+    owner: borg
+    mode: 0700
+  delegate_to: "{{ borg_server }}"
+
+- name: create borg client repo on server
+  command: "borg init --encryption=none /srv/borg/repos/{{ ansible_hostname }}"
+  become: yes
+  become_method: su
+  become_user: borg
+  delegate_to: "{{ borg_server }}"
+  args:
+    creates: "/srv/borg/repos/{{ ansible_hostname }}/config"
+
+- name: reload ansible_local
+  setup: filter=ansible_local
+  delegate_to: "{{ borg_server }}"
+  delegate_facts: True
+  when: hostvars[borg_server]['ansible_local']['borg']['repos'][ansible_hostname] is not defined
+
+- name: make the server known to the client
+  lineinfile:
+    line: "{{ borg_server }} ecdsa-sha2-nistp256 {{ hostvars[borg_server]['ansible_ssh_host_key_ecdsa_public'] }}"
+    path: /root/.ssh/known_hosts
+    create: yes
+
+- name: make the repo directory on the client
+  file:
+    state: directory
+    path: "/root/.config/borg/security/{{ hostvars[borg_server]['ansible_local']['borg']['repos'][ansible_hostname] }}"
+    owner: root
+    mode: 0700
+
+- name: make the repo known to the client
+  copy:
+    dest: "/root/.config/borg/security/{{ hostvars[borg_server]['ansible_local']['borg']['repos'][ansible_hostname] }}/key-type"
+    content: "2"
+    owner: root
+    mode: 0600
+
+- name: deploy borg backup script
+  template:
+    dest: /usr/local/bin/adyxax_backup.sh
+    src: backup.sh.j2
+    owner: root
+    mode: 0500
+
+- name: activate borg cron on alpine
+  lineinfile:
+    line: '0 23 * * * /usr/local/bin/adyxax_backup.sh'
+    path: /etc/crontabs/root
+  when: ansible_os_family == 'Alpine'
+
+- name: activate borg cron on gentoo or redhat
+  file:
+    state: link
+    src: /usr/local/bin/adyxax_backup.sh
+    dest: /etc/cron.daily/backup
+  when: ansible_os_family == 'Gentoo' or ansible_os_family == 'RedHat'
+
+- name: activate borg cron on openbsd
+  lineinfile:
+    line: '0 23 * * * /usr/local/bin/adyxax_backup.sh'
+    path: /var/cron/tabs/root
+  when: ansible_os_family == 'OpenBSD'
+...
diff --git a/tasks/common.yml b/tasks/common.yml
new file mode 100644
index 0000000..057cd25
--- /dev/null
+++ b/tasks/common.yml
@@ -0,0 +1,25 @@
+---
+- name: set distro-specific server variables
+  include_vars: '{{ ansible_os_family }}.yml'
+
+- name: Check if borg is supported on distro
+  fail:
+    msg: "borg tasks are not supported on this operating system yet."
+  when: borg_packages is not defined
+
+- name: Ensure borg is installed
+  package:
+    name: "{{ borg_packages }}"
+
+- name: Push borg gathering fact on client
+  copy:
+    src: borg.fact
+    dest: /etc/ansible/facts.d/
+    mode: 0500
+    owner: root
+  register: borg_gathering_fact
+
+- name: reload ansible_local
+  setup: filter=ansible_local
+  when: borg_gathering_fact.changed
+...
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..e49b440
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+- import_tasks: common.yml
+  when: (is_borg_server|default(false)) or borg_server is defined
+
+- import_tasks: server.yml
+  when: (is_borg_server|default(false))
+
+- import_tasks: client.yml
+  when: borg_server is defined
+...
diff --git a/tasks/server.yml b/tasks/server.yml
new file mode 100644
index 0000000..bd40dab
--- /dev/null
+++ b/tasks/server.yml
@@ -0,0 +1,26 @@
+---
+- name: Create borg group on server
+  group:
+    name: borg
+    system: yes
+
+- name: Create borg user on server
+  user:
+    name: borg
+    shell: /bin/sh
+    home: /srv/borg
+    createhome: yes
+    system: yes
+    password_lock: yes
+
+- name: Ensure borg directories exist on server
+  file:
+    state: directory
+    path: "{{ item }}"
+    owner: borg
+    mode: 0700
+  loop:
+    - /srv/borg
+    - /srv/borg/.ssh
+    - /srv/borg/repos
+...
-- 
cgit v1.2.3