From 9759f82b295ea37f09e23a7141c02fb73cbb7fa9 Mon Sep 17 00:00:00 2001 
From: Someone Date: Fri, 4 Oct 2024 13:42:33 +0200 Subject: [PATCH] [rules/base/backup] setup backups --- roles/base/backup/defaults/main.yml | 10 + .../default/backup-server.authorized_keys | 12 + .../backup/files/default/backup.conf.managed | 27 ++ .../base/backup/files/default/backup.service | 21 ++ roles/base/backup/files/default/backup.sh | 108 ++++++ roles/base/backup/files/default/backup.timer | 18 + .../default/exclude/etc--00-global.managed | 17 + .../default/exclude/etc--10-host.managed | 10 + .../default/exclude/home--00-global.managed | 12 + .../default/exclude/home--10-host.managed | 10 + .../default/exclude/root--00-global.managed | 13 + .../default/exclude/root--10-host.managed | 10 + .../default/exclude/srv--00-global.managed | 20 ++ .../default/exclude/srv--10-host.managed | 10 + .../default/exclude/var--00-global.managed | 46 +++ .../default/exclude/var--10-host.managed | 10 + roles/base/backup/tasks/main.yml | 308 ++++++++++++++++++ 17 files changed, 662 insertions(+) create mode 100644 roles/base/backup/defaults/main.yml create mode 100644 roles/base/backup/files/default/backup-server.authorized_keys create mode 100644 roles/base/backup/files/default/backup.conf.managed create mode 100644 roles/base/backup/files/default/backup.service create mode 100644 roles/base/backup/files/default/backup.sh create mode 100644 roles/base/backup/files/default/backup.timer create mode 100644 roles/base/backup/files/default/exclude/etc--00-global.managed create mode 100644 roles/base/backup/files/default/exclude/etc--10-host.managed create mode 100644 roles/base/backup/files/default/exclude/home--00-global.managed create mode 100644 roles/base/backup/files/default/exclude/home--10-host.managed create mode 100644 roles/base/backup/files/default/exclude/root--00-global.managed create mode 100644 roles/base/backup/files/default/exclude/root--10-host.managed create mode 100644 roles/base/backup/files/default/exclude/srv--00-global.managed create mode 100644 
roles/base/backup/files/default/exclude/srv--10-host.managed create mode 100644 roles/base/backup/files/default/exclude/var--00-global.managed create mode 100644 roles/base/backup/files/default/exclude/var--10-host.managed create mode 100644 roles/base/backup/tasks/main.yml diff --git a/roles/base/backup/defaults/main.yml b/roles/base/backup/defaults/main.yml new file mode 100644 index 0000000..3d85b7a --- /dev/null +++ b/roles/base/backup/defaults/main.yml @@ -0,0 +1,10 @@ +##################################### +### someone's ansible provisioner ### +##################################### +# Part of: https://git.somenet.org/root/pub/somesible.git +# 2017-2024 by someone +# +# If not overridden in inventory or as a parameter, this is the value that will be used +# +--- +setup_backup_storage_server: False diff --git a/roles/base/backup/files/default/backup-server.authorized_keys b/roles/base/backup/files/default/backup-server.authorized_keys new file mode 100644 index 0000000..3c3e264 --- /dev/null +++ b/roles/base/backup/files/default/backup-server.authorized_keys @@ -0,0 +1,12 @@ +# +################################################ +### Managed by someone's ansible provisioner ### +################################################ +# Part of: https://git.somenet.org/root/pub/somesible.git +# 2017-2024 by someone +# + +# Override this file. + +# example +# command="cd /bkp/storage-server/example.com; borg serve --storage-quota 100G --restrict-to-path /bkp/storage-server/example.com/",restrict ssh-ed25519 diff --git a/roles/base/backup/files/default/backup.conf.managed b/roles/base/backup/files/default/backup.conf.managed new file mode 100644 index 0000000..469af5f --- /dev/null +++ b/roles/base/backup/files/default/backup.conf.managed 
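Review bot: The example forced command on the last line of backup-server.authorized_keys hands the key holder an unrestricted `borg serve`, so a client whose key is stolen can prune or delete its own history on the storage server, which is the scenario off-host backups exist for. Adding `--append-only` to the forced command, `command="cd /bkp/storage-server/example.com; borg serve --append-only --storage-quota 100G --restrict-to-path /bkp/storage-server/example.com/",restrict ssh-ed25519 …`, makes deletions from that client land in the transaction log without freeing space, so history survives until an operator compacts on the server deliberately; the client-side `backup_prune` in backup.sh then no longer reclaims space on its own. `restrict` together with `--restrict-to-path` already confines each key to one repository tree, which is the right baseline to keep.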
@@ -0,0 +1,27 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+# beware of pruning logic.
+#
+
+# postgresql backup.
+#backup_cmd "backup:POSTGRES/_GLOBAL_" "$(hostname -f)--POSTGRES" "sudo -u postgres -- pg_dumpall --globals-only" "-d13 -w7 -m24" "passphrase"
+#for dbname in `echo "SELECT datname FROM pg_database WHERE datname not in ('template0', 'template1', 'postgres') AND datname not ilike '%_NOBKP' ORDER BY datname" | sudo -u postgres psql -A -P tuples_only=true` ; do
+# backup_cmd "backup:POSTGRES/$dbname" "$(hostname -f)--POSTGRES-$dbname" "sudo -u postgres -- pg_dump --clean --if-exists --create $dbname" "-d13 -w7 -m24" "passphrase"
+#done
+
+
+# local backup.
+#backup "/bkp/storage-local/$(hostname -s)/etc.enc" "$(hostname -f)" "/etc" "-d13 -w7 -m24" "passphrase"
+backup "/bkp/storage-local/$(hostname -s)/etc" "$(hostname -f)" "/etc" "-d13 -w7 -m24"
+backup "/bkp/storage-local/$(hostname -s)/root" "$(hostname -f)" "/root" "-d13 -w7 -m24"
+backup "/bkp/storage-local/$(hostname -s)/var" "$(hostname -f)" "/var" "-d13 -w7 -m24"
+backup "/bkp/storage-local/$(hostname -s)/srv" "$(hostname -f)" "/srv" "-d13 -w7 -m24"
+
+
+# remote backup.
+#backup "backup:home" "$(hostname -f)" "/home" "-d13 -w7 -m6"
diff --git a/roles/base/backup/files/default/backup.service b/roles/base/backup/files/default/backup.service
new file mode 100644
index 0000000..f52f252
--- /dev/null
+++ b/roles/base/backup/files/default/backup.service
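Review bot: backup.conf.managed is the file operators are told to override, yet nothing in it says what the positional arguments of `backup` and `backup_cmd` mean or that leaving the fifth one out makes backup.sh initialise the repository with `-e none`, which is exactly what the four active `backup` lines do. A header comment such as `# backup REPO SRC-HOST ABS-PATH PRUNE-FLAGS [PASSPHRASE]   (no PASSPHRASE = repo is created unencrypted)` and `# backup_cmd REPO ARCHIVE-NAME COMMAND PRUNE-FLAGS [PASSPHRASE]` would make that choice visible on every line. `# beware of pruning logic.` should say what to beware of; the only subtlety visible from here is that backup.sh prepends `--keep-last 1` to the `-d13 -w7 -m24` given in this file. The commented postgres example also stores the passphrase in clear next to the data it protects, which is acceptable for a root-only 0600 file but deserves a sentence saying so, since the same file is the template for remote repos.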
@@ -0,0 +1,21 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+
+[Unit]
+Description=Run backup
+ConditionPathIsDirectory=/bkp/local
+OnFailure=unit-status-mail@%n.service
+
+[Service]
+Type=oneshot
+UMask=0077
+Nice=5
+IOSchedulingClass=best-effort
+IOSchedulingPriority=6
+ExecStart=/bin/bash -c 'set -o pipefail; /bkp/local/backup.sh 2>&1 | tee /tmp/backup.service.log.all | egrep -v "^[^x] /" | tee /bkp/local/backup.service.log'
+WorkingDirectory=/bkp/local
diff --git a/roles/base/backup/files/default/backup.sh b/roles/base/backup/files/default/backup.sh
new file mode 100644
index 0000000..45cc5b1
--- /dev/null
+++ b/roles/base/backup/files/default/backup.sh
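Review bot: `ExecStart` writes the complete run log, including the `--list` line for every file borg touched, to the fixed path `/tmp/backup.service.log.all` in the shared system /tmp; `UMask=0077` keeps the content private, but a root service creating a predictable name in a world-writable directory is the classic pre-created-file/symlink setup, and the kernel's protected_symlinks default is the only thing standing in its way. `PrivateTmp=true` in `[Service]` gives the unit its own /tmp, or the full log can live next to `backup.service.log` under `/bkp/local`, which is already 0700 root. As a point of style, `egrep` is a deprecated wrapper on current GNU grep and prints a warning into this very log; `grep -E -v "^[^x] /"` is the equivalent.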
@@ -0,0 +1,108 @@
+#!/bin/bash
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+
+umask 0077
+cd /tmp
+export ERRCODE=0
+
+export BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK="yes"
+export BORG_RELOCATED_REPO_ACCESS_IS_OK="yes"
+
+function backup {
+ export BKPREPO=${1} # backup repo (should be: "/bkp/storage-local/$host/$path" or for ssh: "user@server:$path")
+ export BKPHOST=${2} # src-host
+ export BKPPATH=${3} # abs-path on src-host
+ export BKPKEEP=${4} # pruning-settings
+ export BORG_PASSPHRASE=${5} # borg key passphrase
+
+ BKPPATH_ESCAPED=$(echo -n "$BKPPATH"|sed -e 's#/#-#g') # contains first "/"
+
+ if [[ -z "$BORG_PASSPHRASE" ]]; then
+ borg info "$BKPREPO" >/dev/null 2>&1 || borg init --umask 0077 -e none --make-parent-dirs "$BKPREPO"
+ else
+ borg info "$BKPREPO" >/dev/null 2>&1 || borg init --umask 0077 -e repokey-blake2 --make-parent-dirs "$BKPREPO"
+ fi
+
+ echo "# Merged on: $(date -Isec)" > "/bkp/local/exclude.conf.d/.merged.$BKPHOST-$BKPPATH_ESCAPED"
+ for file in /bkp/local/exclude.conf.d/$BKPHOST-$BKPPATH_ESCAPED*; do
+ echo -e "\n\n# $file" >> "/bkp/local/exclude.conf.d/.merged.$BKPHOST-$BKPPATH_ESCAPED"
+ cat "$file" >> "/bkp/local/exclude.conf.d/.merged.$BKPHOST-$BKPPATH_ESCAPED"
+ done
+
+ borg create --umask 0077 --info --list --stats --noctime --nobirthtime --exclude-caches --exclude-from "/bkp/local/exclude.conf.d/.merged.$BKPHOST-$BKPPATH_ESCAPED" "$BKPREPO::$BKPHOST-$BKPPATH_ESCAPED--{now}" "$BKPPATH"
+ exit_status=$?;
+ if [ $exit_status -ne 0 ]; then
+ export ERRCODE="$exit_status";
+ echo "** backup.sh (backup:create): non-zero exitcode: $exit_status"
+ fi
+
+ backup_prune "$BKPREPO" "$BKPKEEP" "$BORG_PASSPHRASE"
+}
+
+function backup_cmd {
+ export BKPREPO=${1} # backup repo (should be: "/bkp/storage-local/$host/$path" or for ssh: "user@server:$path")
+ export BKPNAME=${2} # backup name
+ export BKPCMD=${3} # command to run
+ export BKPKEEP=${4} # pruning-settings
+ export BORG_PASSPHRASE=${5} # borg key passphrase
+
+ if [[ -z "$BORG_PASSPHRASE" ]]; then
+ borg info "$BKPREPO" >/dev/null 2>&1 || borg init --umask 0077 -e none --make-parent-dirs "$BKPREPO"
+ else
+ borg info "$BKPREPO" >/dev/null 2>&1 || borg init --umask 0077 -e repokey-blake2 --make-parent-dirs "$BKPREPO"
+ fi
+
+ borg create --umask 0077 --info --stats --noctime --nobirthtime --compression zstd --files-cache disabled --content-from-command -- "$BKPREPO::$BKPNAME--{now}" $BKPCMD
+ exit_status=$?;
+ if [ $exit_status -ne 0 ]; then
+ export ERRCODE="$exit_status";
+ echo "** backup.sh (backup_cmd:create): non-zero exitcode: $exit_status"
+ fi
+
+ backup_prune "$BKPREPO" "$BKPKEEP" "$BORG_PASSPHRASE"
+}
+
+function backup_prune {
+ export BKPREPO=${1} # backup repo (should be: "/bkp/storage-local/$host/$path" or for ssh: "user@server:$path")
+ export BKPKEEP=${2} # pruning-settings
+ export BORG_PASSPHRASE=${3} # borg key passphrase
+
+ if [[ -z "$BKPKEEP" ]]; then
+ echo "** backup.sh(backup_prune): No prune settings, skipping"
+ else
+ borg prune --umask 0077 --list --stats --save-space --keep-last 1 $BKPKEEP "$BKPREPO"
+ exit_status=$?;
+ if [ $exit_status -ne 0 ]; then
+ export ERRCODE="$exit_status";
+ echo "** backup.sh (backup_prune:prune): non-zero exitcode: $exit_status"
+ fi
+ borg compact -v --cleanup-commits "$BKPREPO"
+ exit_status=$?;
+ if [ $exit_status -ne 0 ]; then
+ export ERRCODE="$exit_status";
+ echo "** backup.sh (backup_prune:compact): non-zero exitcode: $exit_status"
+ fi
+ fi
+}
+
+# run managed
+echo "** backup.sh: running /bkp/local/backup.conf.managed"
+source /bkp/local/backup.conf.managed
+
+# run local additions
+if [ -e "/bkp/local/backup.conf.local" ]; then
+ echo "** backup.sh: running /bkp/local/backup.conf.local"
+ source /bkp/local/backup.conf.local
+fi
+
+echo "** backup.sh: DONE"
+
+unset BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK
+unset BORG_RELOCATED_REPO_ACCESS_IS_OK
+
+exit $ERRCODE
diff --git a/roles/base/backup/files/default/backup.timer b/roles/base/backup/files/default/backup.timer
new file mode 100644
index 0000000..f173668
--- /dev/null
+++ b/roles/base/backup/files/default/backup.timer
@@ -0,0 +1,18 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+
+[Unit]
+Description=Run daily backups
+
+[Timer]
+Persistent=true
+OnCalendar=23:00:00
+RandomizedDelaySec=45min
+
+[Install]
+WantedBy=timers.target
diff --git a/roles/base/backup/files/default/exclude/etc--00-global.managed b/roles/base/backup/files/default/exclude/etc--00-global.managed
new file mode 100644
index 0000000..6a9bd05
--- /dev/null
+++ b/roles/base/backup/files/default/exclude/etc--00-global.managed
@@ -0,0 +1,17 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+# /etc
+
+/etc/lost+found
+
+
+#####################
+## likely unwanted ##
+#####################
+# gitkeeper.
+/etc/.git
diff --git a/roles/base/backup/files/default/exclude/etc--10-host.managed b/roles/base/backup/files/default/exclude/etc--10-host.managed
new file mode 100644
index 0000000..5450459
--- /dev/null
+++ b/roles/base/backup/files/default/exclude/etc--10-host.managed
@@ -0,0 +1,10 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+# host specific
+#
+# /etc
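Review bot: The two exports near the top of backup.sh, `BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK` and `BORG_RELOCATED_REPO_ACCESS_IS_OK`, stay in effect for every borg call in the run, including the commented remote targets in backup.conf.managed; borg asks those questions so that a repository that turns up unencrypted where an encrypted one was expected, or at a different location, is refused rather than written to, and answering them globally drops that check for the encrypted repos as well. Only the `-e none` local repos need the unencrypted override, so it belongs inside the `-z "$BORG_PASSPHRASE"` branch that `backup` and `backup_cmd` currently duplicate; a shared init helper (below) scopes it there. Separately, `for file in /bkp/local/exclude.conf.d/$BKPHOST-$BKPPATH_ESCAPED*` runs without `nullglob`, so when nothing matches the literal pattern is passed to `cat`, the failure never reaches `ERRCODE`, and the archive is created with an empty exclude list; `shopt -s nullglob` at the top plus a check that at least one file was merged makes that loud. Such a mismatch looks possible because `BKPHOST` is `hostname -f` while tasks/main.yml names the exclude files after `inventory_hostname`, though whether the two differ depends on the inventory.
```bash
umask 0077
cd /tmp
export ERRCODE=0
shopt -s nullglob
export BORG_RELOCATED_REPO_ACCESS_IS_OK="yes"

# Create $BKPREPO if it does not exist yet. The "unknown unencrypted repo"
# question is only silenced for repos this script itself creates with -e none.
function backup_repo_init {
 if [[ -z "$BORG_PASSPHRASE" ]]; then
 export BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK="yes"
 borg info "$BKPREPO" >/dev/null 2>&1 || borg init --umask 0077 -e none --make-parent-dirs "$BKPREPO"
 else
 unset BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK
 borg info "$BKPREPO" >/dev/null 2>&1 || borg init --umask 0077 -e repokey-blake2 --make-parent-dirs "$BKPREPO"
 fi
}
# … unchanged: backup / backup_cmd / backup_prune, with the inline if/else in backup and backup_cmd replaced by a call to backup_repo_init …
```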
diff --git a/roles/base/backup/files/default/exclude/home--00-global.managed b/roles/base/backup/files/default/exclude/home--00-global.managed new file mode 100644 index 0000000..51e60f7 --- /dev/null +++ b/roles/base/backup/files/default/exclude/home--00-global.managed @@ -0,0 +1,12 @@ +# +################################################ +### Managed by someone's ansible provisioner ### +################################################ +# Part of: https://git.somenet.org/root/pub/somesible.git +# 2017-2024 by someone +# +# /home + +/home/lost+found +/home/*/.cache +/home/**/*.NOBACKUP diff --git a/roles/base/backup/files/default/exclude/home--10-host.managed b/roles/base/backup/files/default/exclude/home--10-host.managed new file mode 100644 index 0000000..83059f9 --- /dev/null +++ b/roles/base/backup/files/default/exclude/home--10-host.managed @@ -0,0 +1,10 @@ +# +################################################ +### Managed by someone's ansible provisioner ### +################################################ +# Part of: https://git.somenet.org/root/pub/somesible.git +# 2017-2024 by someone +# +# host specific +# +# /home diff --git a/roles/base/backup/files/default/exclude/root--00-global.managed b/roles/base/backup/files/default/exclude/root--00-global.managed new file mode 100644 index 0000000..fd1a230 --- /dev/null +++ b/roles/base/backup/files/default/exclude/root--00-global.managed @@ -0,0 +1,13 @@ +# +################################################ +### Managed by someone's ansible provisioner ### +################################################ +# Part of: https://git.somenet.org/root/pub/somesible.git +# 2017-2024 by someone +# +# /root + +/root/.ansible +/root/.cache + +/root/lost+found diff --git a/roles/base/backup/files/default/exclude/root--10-host.managed b/roles/base/backup/files/default/exclude/root--10-host.managed new file mode 100644 index 0000000..6c29d37 --- /dev/null +++ b/roles/base/backup/files/default/exclude/root--10-host.managed 
@@ -0,0 +1,10 @@ +# +################################################ +### Managed by someone's ansible provisioner ### +################################################ +# Part of: https://git.somenet.org/root/pub/somesible.git +# 2017-2024 by someone +# +# host specific +# +# /root diff --git a/roles/base/backup/files/default/exclude/srv--00-global.managed b/roles/base/backup/files/default/exclude/srv--00-global.managed new file mode 100644 index 0000000..01c3fd4 --- /dev/null +++ b/roles/base/backup/files/default/exclude/srv--00-global.managed @@ -0,0 +1,20 @@ +# +################################################ +### Managed by someone's ansible provisioner ### +################################################ +# Part of: https://git.somenet.org/root/pub/somesible.git +# 2017-2024 by someone +# +# /srv + +/srv/lost+found + + +##################### +## likely unwanted ## +##################### +# anope-mate db-backups. +/srv/anope/db/backups + +# never backup logs. +/srv/gitolite/.gitolite/logs diff --git a/roles/base/backup/files/default/exclude/srv--10-host.managed b/roles/base/backup/files/default/exclude/srv--10-host.managed new file mode 100644 index 0000000..cf31624 --- /dev/null +++ b/roles/base/backup/files/default/exclude/srv--10-host.managed @@ -0,0 +1,10 @@ +# +################################################ +### Managed by someone's ansible provisioner ### +################################################ +# Part of: https://git.somenet.org/root/pub/somesible.git +# 2017-2024 by someone +# +# host specific +# +# /srv diff --git a/roles/base/backup/files/default/exclude/var--00-global.managed b/roles/base/backup/files/default/exclude/var--00-global.managed new file mode 100644 index 0000000..00b9098 --- /dev/null +++ b/roles/base/backup/files/default/exclude/var--00-global.managed 
@@ -0,0 +1,46 @@ +# +################################################ +### Managed by someone's ansible provisioner ### +################################################ +# Part of: https://git.somenet.org/root/pub/somesible.git +# 2017-2024 by someone +# +# /var +# + +/var/ansible/.ansible +/var/ansible/ansible + +/var/backups +/var/cache +/var/lib/apt/lists +/var/lib/fwupd/remotes.d +/var/lib/mlocate/mlocate.db +/var/lib/munin-async +/var/lib/systemd +/var/log +/var/lost+found +/var/tmp + + +##################### +## likely unwanted ## +##################### +# cyrus stuff that should be mounted as tmpfs anyways. +/var/lib/cyrus/proc +/var/lib/cyrus/lock +/var/lib/cyrus/socket + +# nothing from docker, except for possible userdata. +/var/lib/containerd/ +/var/lib/docker +!/var/lib/docker/volumes + +# usually only a bunch of sockets. +/var/lib/nginx + +# temp. php sessiondata. +/var/lib/php/sessions + +# postgresql: do not backup binary data. +/var/lib/postgresql diff --git a/roles/base/backup/files/default/exclude/var--10-host.managed b/roles/base/backup/files/default/exclude/var--10-host.managed new file mode 100644 index 0000000..db013a2 --- /dev/null +++ b/roles/base/backup/files/default/exclude/var--10-host.managed @@ -0,0 +1,10 @@ +# +################################################ +### Managed by someone's ansible provisioner ### +################################################ +# Part of: https://git.somenet.org/root/pub/somesible.git +# 2017-2024 by someone +# +# host specific +# +# /var diff --git a/roles/base/backup/tasks/main.yml b/roles/base/backup/tasks/main.yml new file mode 100644 index 0000000..0f56598 --- /dev/null +++ b/roles/base/backup/tasks/main.yml 
@@ -0,0 +1,308 @@ +##################################### +### someone's ansible provisioner ### +##################################### +# Part of: https://git.somenet.org/root/pub/somesible.git +# 2017-2024 by someone +# +# system backup script + systemd timer +# +--- +- name: install backup tool + apt: + pkg: + - borgbackup + - python3-pyfuse3 + state: present + policy_rc_d: 101 + tags: "online" + ignore_errors: "{{ignore_online_errors | bool}}" + + +- name: create dir /bkp + file: + path: "/bkp" + state: directory + mode: 0711 + owner: "root" + group: "root" + + +- name: create dir /bkp/local + file: + path: "/bkp/local" + state: directory + mode: 0700 + owner: "root" + group: "root" + + +- name: create dir /bkp/storage-local + file: + path: "/bkp/storage-local" + state: directory + mode: "u+rwX,go-rwx" + owner: "root" + group: "root" + recurse: yes + + +- name: copy backup.sh to /bkp/local + copy: + src: "{{item}}" + dest: "/bkp/local/backup.sh" + mode: 0700 + owner: "root" + group: "root" + with_first_found: + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/backup.sh" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/backup.sh" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/backup.sh" + - "default/backup.sh" + + +- name: copy backup.conf.managed to /bkp/local + copy: + src: "{{item}}" + dest: "/bkp/local/backup.conf.managed" + mode: 0600 + owner: "root" + group: "root" + with_first_found: + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/backup.conf.managed" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/backup.conf.managed" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/backup.conf.managed" + - "default/backup.conf.managed" + + +- name: create dir /bkp/local/exclude.conf.d + file: + path: "/bkp/local/exclude.conf.d" + state: directory + mode: 0700 + owner: "root" + group: "root" + + +- name: copy etc--00-global.managed to 
/bkp/local/exclude.conf.d + copy: + src: "{{item}}" + dest: "/bkp/local/exclude.conf.d/{{inventory_hostname}}--etc--00-global.managed" + mode: 0600 + owner: "root" + group: "root" + with_first_found: + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/exclude/etc--00-global.managed" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/exclude/etc--00-global.managed" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/exclude/etc--00-global.managed" + - "default/exclude/etc--00-global.managed" + + +- name: copy etc--10-host.managed to /bkp/local/exclude.conf.d + copy: + src: "{{item}}" + dest: "/bkp/local/exclude.conf.d/{{inventory_hostname}}--etc--10-host.managed" + mode: 0600 + owner: "root" + group: "root" + with_first_found: + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/exclude/etc--10-host.managed" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/exclude/etc--10-host.managed" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/exclude/etc--10-host.managed" + - "default/exclude/etc--10-host.managed" + + +- name: copy root--00-global.managed to /bkp/local/exclude.conf.d + copy: + src: "{{item}}" + dest: "/bkp/local/exclude.conf.d/{{inventory_hostname}}--root--00-global.managed" + mode: 0600 + owner: "root" + group: "root" + with_first_found: + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/exclude/root--00-global.managed" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/exclude/root--00-global.managed" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/exclude/root--00-global.managed" + - "default/exclude/root--00-global.managed" + + +- name: copy root--10-host.managed to /bkp/local/exclude.conf.d + copy: + src: "{{item}}" + dest: "/bkp/local/exclude.conf.d/{{inventory_hostname}}--root--10-host.managed" + mode: 0600 + owner: "root" + group: "root" + with_first_found: + - 
"{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/exclude/root--10-host.managed" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/exclude/root--10-host.managed" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/exclude/root--10-host.managed" + - "default/exclude/root--10-host.managed" + + +- name: copy srv--00-global.managed to /bkp/local/exclude.conf.d + copy: + src: "{{item}}" + dest: "/bkp/local/exclude.conf.d/{{inventory_hostname}}--srv--00-global.managed" + mode: 0600 + owner: "root" + group: "root" + with_first_found: + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/exclude/srv--00-global.managed" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/exclude/srv--00-global.managed" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/exclude/srv--00-global.managed" + - "default/exclude/srv--00-global.managed" + + +- name: copy srv--10-host.managed to /bkp/local/exclude.conf.d + copy: + src: "{{item}}" + dest: "/bkp/local/exclude.conf.d/{{inventory_hostname}}--srv--10-host.managed" + mode: 0600 + owner: "root" + group: "root" + with_first_found: + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/exclude/srv--10-host.managed" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/exclude/srv--10-host.managed" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/exclude/srv--10-host.managed" + - "default/exclude/srv--10-host.managed" + + +- name: copy var--00-global.managed to /bkp/local/exclude.conf.d + copy: + src: "{{item}}" + dest: "/bkp/local/exclude.conf.d/{{inventory_hostname}}--var--00-global.managed" + mode: 0600 + owner: "root" + group: "root" + with_first_found: + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/exclude/var--00-global.managed" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/exclude/var--00-global.managed" + - 
"{{lookup('env','PWD')}}/group_files/all/{{role_name}}/exclude/var--00-global.managed" + - "default/exclude/var--00-global.managed" + + +- name: copy var--10-host.managed to /bkp/local/exclude.conf.d + copy: + src: "{{item}}" + dest: "/bkp/local/exclude.conf.d/{{inventory_hostname}}--var--10-host.managed" + mode: 0600 + owner: "root" + group: "root" + with_first_found: + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/exclude/var--10-host.managed" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/exclude/var--10-host.managed" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/exclude/var--10-host.managed" + - "default/exclude/var--10-host.managed" + + +- name: copy backup.service to /etc/systemd/system/ + copy: + src: "{{item}}" + dest: "/etc/systemd/system/backup.service" + mode: 0644 + owner: "root" + group: "root" + with_first_found: + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/backup.service" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/backup.service" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/backup.service" + - "default/backup.service" + + +- name: copy home--00-global.managed to /bkp/local/exclude.conf.d + copy: + src: "{{item}}" + dest: "/bkp/local/exclude.conf.d/{{inventory_hostname}}--home--00-global.managed" + mode: 0600 + owner: "root" + group: "root" + with_first_found: + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/exclude/home--00-global.managed" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/exclude/home--00-global.managed" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/exclude/home--00-global.managed" + - "default/exclude/home--00-global.managed" + + +- name: copy home--10-host.managed to /bkp/local/exclude.conf.d + copy: + src: "{{item}}" + dest: "/bkp/local/exclude.conf.d/{{inventory_hostname}}--home--10-host.managed" + mode: 0600 + 
owner: "root" + group: "root" + with_first_found: + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/exclude/home--10-host.managed" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/exclude/home--10-host.managed" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/exclude/home--10-host.managed" + - "default/exclude/home--10-host.managed" + + +- name: copy backup.timer to /etc/systemd/system/ + copy: + src: "{{item}}" + dest: "/etc/systemd/system/backup.timer" + mode: 0644 + owner: "root" + group: "root" + with_first_found: + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/backup.timer" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/backup.timer" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/backup.timer" + - "default/backup.timer" + + +- name: enable and start backup.timer + include_role: name="base/systemd/enable-and-start" + vars: + service_name: backup.timer + + + +############################### +# setup backup storage server # +############################### +- name: create borg-storage user + user: + name: "borg-storage" + home: "/bkp/storage-server" + shell: "/bin/bash" + createhome: no + system: yes + state: present + when: setup_backup_storage_server | bool + + +- name: create dir /bkp/storage-server + file: + path: "/bkp/storage-server" + state: directory + mode: "u+rwX,go-rwx" + owner: "borg-storage" + group: "borg-storage" + recurse: yes + when: setup_backup_storage_server | bool + + +- name: create dir /bkp/storage-server/.ssh + file: + path: "/bkp/storage-server/.ssh" + state: directory + mode: 0700 + owner: "borg-storage" + group: "borg-storage" + when: setup_backup_storage_server | bool + + +- name: copy authorized_keys to /bkp/storage-server/.ssh/authorized_keys + copy: + src: "{{item}}" + dest: "/bkp/storage-server/.ssh/authorized_keys" + mode: 0600 + owner: "borg-storage" + group: "borg-storage" + with_first_found: + 
- "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/backup-server.authorized_keys" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/backup-server.authorized_keys" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/backup-server.authorized_keys" + - "default/backup-server.authorized_keys" + when: setup_backup_storage_server | bool -- 2.43.0