From 5b953c8dba0d7d4be10f93dfa10da975e5be1294 Mon Sep 17 00:00:00 2001
From: Julien Dessaux
Date: Tue, 9 Jul 2019 11:45:03 +0200
Subject: Added borg backup role
---
 tasks/client.yml | 89 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 tasks/common.yml | 25 ++++++++++++++++
 tasks/main.yml | 10 +++++++
 tasks/server.yml | 26 +++++++++++++++++
 4 files changed, 150 insertions(+)
 create mode 100644 tasks/client.yml
 create mode 100644 tasks/common.yml
 create mode 100644 tasks/main.yml
 create mode 100644 tasks/server.yml
(limited to 'tasks')
diff --git a/tasks/client.yml b/tasks/client.yml
new file mode 100644
index 0000000..b4c4b22
--- /dev/null
+++ b/tasks/client.yml
@@ -0,0 +1,89 @@
+---
+- name: generate borg ssh key on client
+ openssh_keypair:
+ owner: root
+ mode: 0400
+ path: /root/.ssh/borg
+ type: ed25519
+ register: borg_ssh_key
+
+- name: reload ansible_local
+ setup: filter=ansible_local
+ when: borg_ssh_key.changed
+
+- name: Enforce borg authorized key on server
+ authorized_key:
+ user: borg
+ key: "{{ ansible_local.borg.pubkey }}"
+ key_options: 'command="cd /srv/borg/repos/{{ ansible_hostname }}; borg serve --restrict-to-path /srv/borg/repos/{{ ansible_hostname }}",restrict'
+ delegate_to: "{{ borg_server }}"
+
+- name: create borg client repo directory on server
+ file:
+ path: "/srv/borg/repos/{{ ansible_hostname }}"
+ state: directory
+ owner: borg
+ mode: 0700
+ delegate_to: "{{ borg_server }}"
+
+- name: create borg client repo on server
+ command: "borg init --encryption=none /srv/borg/repos/{{ ansible_hostname }}"
+ become: yes
+ become_method: su
+ become_user: borg
+ delegate_to: "{{ borg_server }}"
+ args:
+ creates: "/srv/borg/repos/{{ ansible_hostname }}/config"
+
+- name: reload ansible_local
+ setup: filter=ansible_local
+ delegate_to: "{{ borg_server }}"
+ delegate_facts: True
+ when: hostvars[borg_server]['ansible_local']['borg']['repos'][ansible_hostname] is not defined
+
+- name: make the server known to the client
+ lineinfile:
+ line: "{{ borg_server }} ecdsa-sha2-nistp256 {{ hostvars[borg_server]['ansible_ssh_host_key_ecdsa_public'] }}"
+ path: /root/.ssh/known_hosts
+ create: yes
+
+- name: make the repo directory on the client
+ file:
+ state: directory
+ path: "/root/.config/borg/security/{{ hostvars[borg_server]['ansible_local']['borg']['repos'][ansible_hostname] }}"
+ owner: root
+ mode: 0700
+
+- name: make the repo known to the client
+ copy:
+ dest: "/root/.config/borg/security/{{ hostvars[borg_server]['ansible_local']['borg']['repos'][ansible_hostname] }}/key-type"
+ content: "2"
+ owner: root
+ mode: 0600
+
+- name: deploy borg backup script
+ template:
+ dest: 
/usr/local/bin/adyxax_backup.sh
+ src: backup.sh.j2
+ owner: root
+ mode: 0500
+
+- name: activate borg cron on alpine
+ lineinfile:
+ line: '0 23 * * * /usr/local/bin/adyxax_backup.sh'
+ path: /etc/crontabs/root
+ when: ansible_os_family == 'Alpine'
+
+- name: activate borg cron on gentoo or redhat
+ file:
+ state: link
+ src: /usr/local/bin/adyxax_backup.sh
+ dest: /etc/cron.daily/backup
+ when: ansible_os_family == 'Gentoo' or ansible_os_family == 'RedHat'
+
+- name: activate borg cron on openbsd
+ lineinfile:
+ line: '0 23 * * * /usr/local/bin/adyxax_backup.sh'
+ path: /var/cron/tabs/root
+ when: ansible_os_family == 'OpenBSD'
+...
diff --git a/tasks/common.yml b/tasks/common.yml
new file mode 100644
index 0000000..057cd25
--- /dev/null
+++ b/tasks/common.yml
@@ -0,0 +1,25 @@
+---
+- name: set distro-specific server variables
+ include_vars: '{{ ansible_os_family }}.yml'
+
+- name: Check if borg is supported on distro
+ fail:
+ msg: "borg tasks are not supported on this operating system yet."
+ when: borg_packages is not defined
+
+- name: Ensure borg is installed
+ package:
+ name: "{{ borg_packages }}"
+
+- name: Push borg gathering fact on client
+ copy:
+ src: borg.fact
+ dest: /etc/ansible/facts.d/
+ mode: 0500
+ owner: root
+ register: borg_gathering_fact
+
+- name: reload ansible_local
+ setup: filter=ansible_local
+ when: borg_gathering_fact.changed
+...
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..e49b440
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+- import_tasks: common.yml
+ when: (is_borg_server|default(false)) or borg_server is defined
+
+- import_tasks: server.yml
+ when: (is_borg_server|default(false))
+
+- import_tasks: client.yml
+ when: borg_server is defined
+...
diff --git a/tasks/server.yml b/tasks/server.yml
new file mode 100644
index 0000000..bd40dab
--- /dev/null
+++ b/tasks/server.yml
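Review bot: The forced command in `key_options` confines `borg serve` to the client's own repository path but does not make it append-only, so whoever holds the client key at /root/.ssh/borg can also prune or delete that client's backup history on the server, which defeats the main reason for keeping backups off-host; adding the flag (`... borg serve --append-only --restrict-to-path /srv/borg/repos/{{ ansible_hostname }}",restrict'`) keeps deletion a deliberate server-side operation. The `borg init --encryption=none` task stores repositories in plaintext on the server; that is a defensible choice when the server host is trusted, but the assumption belongs in a comment next to the task, e.g. `# repos are unencrypted: confidentiality rests entirely on the borg server host`. The file modes `0400`, `0700`, `0600` and `0500` are unquoted; Ansible's YAML 1.1 loader reads them as octal, but the quoted form `mode: "0400"` is what the Ansible docs recommend and survives YAML 1.2 tooling unchanged.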
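Review bot: `setup: filter=ansible_local` uses the key=value argument string while every other task in the file uses block-style module arguments; `setup:` followed by an indented `filter: ansible_local` is the native YAML form Ansible's documentation prefers, and the same task in client.yml (twice) has the same shape. The task name `reload ansible_local` is used three times across common.yml and client.yml, so the three are indistinguishable in play output and for `--start-at-task`; naming each by its trigger, e.g. `reload ansible_local after pushing borg.fact`, removes the ambiguity. The fact script is installed root-owned with `mode: 0500`, which is appropriate given that `setup` executes it with Ansible's privileges, and a one-line comment saying so would make the tight mode look intentional rather than accidental.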
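Review bot: main.yml is the role's entry point but does not document the two variables that select behaviour, `is_borg_server` and `borg_server`, nor that a host may legitimately match both imports. A short header comment before the first import would cover it, along the lines of `# is_borg_server: true on the host that stores the repositories; borg_server: inventory name of that host, set on every client`. Worth noting in that comment too: a `when:` on `import_tasks` is copied onto every imported task rather than evaluated once, so non-matching hosts show each task as skipped rather than the file as a whole.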
@@ -0,0 +1,26 @@
+---
+- name: Create borg group on server
+ group:
+ name: borg
+ system: yes
+
+- name: Create borg user on server
+ user:
+ name: borg
+ shell: /bin/sh
+ home: /srv/borg
+ createhome: yes
+ system: yes
+ password_lock: yes
+
+- name: Ensure borg directories exist on server
+ file:
+ state: directory
+ path: "{{ item }}"
+ owner: borg
+ mode: 0700
+ loop:
+ - /srv/borg
+ - /srv/borg/.ssh
+ - /srv/borg/repos
+...
-- cgit v1.2.3
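Review bot: The `file` task sets `owner: borg` but no `group`, so the three directories presumably keep the group of the creating process (root's, when Ansible runs as root); `mode: 0700` makes that harmless today, but `group: borg` alongside `owner: borg` states the intent and uses the group created in the first task. `system: yes`, `createhome: yes` and `password_lock: yes` are YAML 1.1 truthy spellings; `true` is the unambiguous form and is what yamllint's `truthy` rule expects. The combination of `shell: /bin/sh` with `password_lock: yes` is the right one for a key-only account whose access is governed by the forced command client.yml installs in authorized_keys, and a comment such as `# a real shell is required for the sshd forced command; password login stays locked` would stop a later reader from "hardening" the shell to nologin and silently breaking every backup.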