Merge pull request '[INFO] Création du rôle' (#1) from alpha into master

Reviewed-on: #1
This commit is contained in:
pulsar89.5 2023-05-24 14:28:05 +00:00
commit 809240330c
10 changed files with 361 additions and 3 deletions

README.md

@ -1,3 +1,128 @@
# role_modele
# role_borgmatic
Modèle
Rôle de déploiement de borgmatic.
## Variables
### borgmatic_distribution_release
Nom de la version de la distribution.
*<span style="text-decoration: underline">Valeur par défaut:</span> `bullseye`*
### borgmatic_keys
Dictionnaire comportant la clef privée (`private`) et la clef publique (`public`) du dépôt Borg.
*<span style="text-decoration: underline">Valeur par défaut:</span> aucune*
### borgmatic_checks
Liste des vérifications automatiques.
*<span style="text-decoration: underline">Valeur par défaut:</span> `[{frequency: 4 weeks, name: repository}, {frequency: 2 weeks, name: archives}]`*
### borgmatic_healthchecks
URL vers le serveur healtchecks.io.
*<span style="text-decoration: underline">Valeur par défaut:</span> aucune*
### borgmatic_exclude_patterns
Liste des éléments exclus de la sauvegarde.
*<span style="text-decoration: underline">Valeur par défaut:</span> aucune*
### borgmatic_repositories
Liste des dépôts Borg sur lesquels envoyer la sauvegarde.
*<span style="text-decoration: underline">Valeur par défaut:</span> aucune*
### borgmatic_source_directories
Liste des dossiers à sauvegarder.
*<span style="text-decoration: underline">Valeur par défaut:</span> aucune*
### borgmatic_retention
Dictionnaire permettant de définir la rétention.
*<span style="text-decoration: underline">Valeur par défaut:</span> `{daily: 7, monthly: 0, weekly: 4}`*
### borgmatic_name
Nom de la sauvegarde.
*<span style="text-decoration: underline">Valeur par défaut:</span> `{{ inventory_hostname }}_{now}`*
### borgmatic_compression
Algorythme de compression de la sauvegarde.
*<span style="text-decoration: underline">Valeur par défaut:</span> `none`*
### borgmatic_passphrase
Phrase de passe de chiffrement de la sauvegarde.
*<span style="text-decoration: underline">Valeur par défaut:</span> aucune*
### borgmatic_ssh_command
Commande SSH utilisée pour la sauvegarde.
*<span style="text-decoration: underline">Valeur par défaut:</span> `ssh -i /etc/borgmatic/id_ed25519`*
## Exemples
### host_vars/host1.ykn.local
```yaml
---
borgmatic_keys:
private: !vault |
$ANSIBLE_VAULT;1.1;AES256
63383766386235373363643632346463656132363834653765656463663636663366396265353937
3732643765363735366437373435616433336134313266340a336638626163633864313363373330
38353632373232303838323438656334353964343539373465643939356536373432323363656434
3737656232623666300a363138623664366461346230666634633739646334373234626533623938
3031
public: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMdANRmMmEeyYMMDWJH6DxJsQUUP+Uudv7DgMXY5O+iQ root@{{ inventory_hostname }}
borgmatic_healthchecks: https:///healthchecks.ykn.local/ping/7f7332cc-a7d9-4a81-af86-651f856f34b7
borgmatic_repositories: ["ssh://e7892281@borgwarehouse.ykn.local:22/./repo2"]
borgmatic_source_directories: ["/srv/vaultwarden"]
borgmatic_exclude_patterns:
- '/srv/vaultwarden/icon_cache'
- '/srv/vaultwarden/tmp'
borgmatic_passphrase: !vault |
$ANSIBLE_VAULT;1.1;AES256
36623861393935613563336339333962353436353839653762346633363138616233343433356130
3133353763393231393236306637313437633366623835300a653161356132663864636634626637
63653162393964616339623734613865636535396364396238306664396636353366653439366532
3836666166663163630a643635616164366337626632386336323938366636646463373937616361
3139
borgmatic_compression: lz4
```
### playbook.yml
```yaml
---
- name: Déployer les rôles communs
hosts: 'all:!nixos'
roles:
- name: etc_hosts
- name: ifupdown
when: network_provider == "ifupdown"
- name: nftables
- name: ssh
- name: fail2ban
- name: users
- name: healthchecks_io
- name: borgmatic
```

defaults/main.yml Normal file

@ -0,0 +1,26 @@
---
# defaults file for borgmatic
borgmatic_distribution_release: bullseye
borgmatic_keys:
private: ""
public: ""
borgmatic_checks:
- frequency: 4 weeks
name: repository
- frequency: 2 weeks
name: archives
borgmatic_healthchecks: ""
borgmatic_exclude_patterns: []
borgmatic_repositories: []
borgmatic_source_directories: []
borgmatic_retention:
daily: 7
monthly: 0
weekly: 4
borgmatic_name: "{{ inventory_hostname }}_{now}"
borgmatic_compression: none
borgmatic_passphrase: ""
borgmatic_ssh_command: ssh -i /etc/borgmatic/id_ed25519
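Review bot: `borgmatic_ssh_command` points at the deployed key, but nothing in the role provisions a `known_hosts` entry for the repository host, so the first `borg` connection made by the systemd service (no tty) would presumably fail host-key verification unless root already trusts that host. Consider a documented variable such as `borgmatic_known_hosts` that the role writes to a file referenced with `-o UserKnownHostsFile=/etc/borgmatic/known_hosts` in this command, rather than relaxing `StrictHostKeyChecking`. The header comment `# defaults file for borgmatic` could also state that `borgmatic_keys.private` and `borgmatic_passphrase` are deliberately empty and must be supplied from vault, as the README example shows.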

handlers/main.yml Normal file

@ -0,0 +1,23 @@
---
# handlers file for borgmatic
- name: Créer le dépôt
ansible.builtin.command:
cmd: borgmatic init --encryption repokey
become: true
- name: Activer la planification
ansible.builtin.systemd:
daemon_reload: true
enabled: true
state: stopped
name: borgmatic.timer
become: true
- name: Activer et démarrer le service
ansible.builtin.systemd:
daemon_reload: true
enabled: false
state: started
name: borgmatic.service
become: true
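Review bot: `Activer la planification` enables `borgmatic.timer` but sets `state: stopped`, so after a configuration change the timer is enabled yet not running until the next boot; the handler name says it should be `state: started`. Conversely `Activer et démarrer le service` starts the oneshot `borgmatic.service` directly on every unit change; with `ExecStartPre=sleep 1m` in the unit template, that handler would block the play for at least a minute plus a full backup run if the systemd module's start is synchronous, as I believe it is. If an immediate first backup is intended, say so in the handler name, otherwise drop `state: started` and let the timer drive the service; `enabled: false` on the oneshot service is itself correct since it has no `[Install]` section.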


@ -1,7 +1,7 @@
galaxy_info:
namespace: ykn
author: pulsar89.5
description: Rôle modèle
description: Rôle de déploiement de borgmatic
license: GPL-3.0-or-later

tasks/configuration.yml Normal file

@ -0,0 +1,50 @@
---
# tasks file for borgmatic
- name: Déployer la clef privée
ansible.builtin.copy:
content: "{{ borgmatic_keys.private }}"
dest: /etc/borgmatic/id_ed25519
owner: root
group: root
mode: u=rw,g=,o=
become: true
- name: Déployer la clef publique
ansible.builtin.copy:
content: "{{ borgmatic_keys.public }}"
dest: /etc/borgmatic/id_ed25519.pub
owner: root
group: root
mode: u=rw,g=r,o=r
become: true
- name: Déployer la configuration
ansible.builtin.template:
src: config.yaml.j2
dest: /etc/borgmatic/config.yaml
owner: root
group: root
mode: u=rw,g=,o=
become: true
notify: Créer le dépôt
- name: Déployer le service
ansible.builtin.template:
src: borgmatic.service.j2
dest: /etc/systemd/system/borgmatic.service
owner: root
group: root
mode: u=rw,g=r,o=r
become: true
notify: Activer et démarrer le service
- name: Déployer le service et la planification
ansible.builtin.template:
src: borgmatic.timer.j2
dest: /etc/systemd/system/borgmatic.timer
owner: root
group: root
mode: u=rw,g=r,o=r
become: true
notify: Activer la planification
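Review bot: `Déployer la clef privée` and `Déployer la configuration` write `borgmatic_keys.private` and, through the template, `borgmatic_passphrase`, but neither task sets `no_log: true`, so a run with `--diff` or `-v` prints the private key and the passphrase into the controller output and any log aggregation. Both tasks also accept the `""` defaults silently, producing an empty key file and an empty `encryption_passphrase`; an assert at the top of the file fails fast instead. `Déployer le service et la planification` only deploys the timer, so its name should say so. The added assert and the two `no_log` lines follow.
```yaml
- name: Vérifier les secrets requis
  ansible.builtin.assert:
    that:
      - borgmatic_keys.private | length > 0
      - borgmatic_passphrase | length > 0
    fail_msg: borgmatic_keys.private et borgmatic_passphrase doivent être définis
    quiet: true
- name: Déployer la clef privée
  ansible.builtin.copy:
    content: "{{ borgmatic_keys.private }}"
    # … unchanged: dest/owner/group/mode …
  no_log: true
  become: true
# … unchanged: clef publique …
- name: Déployer la configuration
  ansible.builtin.template:
    # … unchanged: src/dest/owner/group/mode …
  no_log: true
  become: true
  notify: Créer le dépôt
# … unchanged: service et timer …
```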

tasks/installation.yml Normal file

@ -0,0 +1,27 @@
---
# tasks file for borgmatic
- name: Installer python3-pip
ansible.builtin.apt:
name: python3-pip
state: latest
become: true
- name: Installer borgbackup
ansible.builtin.apt:
name: borgbackup
state: latest
default_release: "{{ borgmatic_distribution_release }}-backports"
become: true
- name: Installer le paquet avec pip
ansible.builtin.pip:
name: borgmatic
state: latest
become: true
- name: Créer l'exemple de configuration
ansible.builtin.command:
cmd: generate-borgmatic-config
creates: /etc/borgmatic/config.yaml
become: true
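Review bot: `state: latest` on both apt tasks and on the pip task means every run may upgrade `borgbackup` and `borgmatic` to whatever is current, so a routine deploy can pull a new major version whose configuration schema no longer matches `templates/config.yaml.j2`; pin the pip install with `version: "{{ borgmatic_version }}"` backed by a new default, and use `state: present` for the apt packages so upgrades are deliberate. `Créer l'exemple de configuration` generates a sample `/etc/borgmatic/config.yaml` that `tasks/configuration.yml` then overwrites with the template, so its only lasting effect appears to be creating `/etc/borgmatic`; an `ansible.builtin.file` task with `state: directory` and `mode: u=rwx,g=,o=` states that intent and does not depend on the pip-installed script being on `PATH`.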

tasks/main.yml Normal file

@ -0,0 +1,8 @@
---
# tasks file for borgmatic
- name: Importer les tâches d'installation
ansible.builtin.import_tasks: installation.yml
- name: Importer les tâches de configuration
ansible.builtin.import_tasks: configuration.yml


@ -0,0 +1,64 @@
[Unit]
Description=borgmatic backup
Wants=network-online.target
After=network-online.target
# Prevent borgmatic from running unless the machine is plugged into power. Remove this line if you
# want to allow borgmatic to run anytime.
ConditionACPower=true
[Service]
Type=oneshot
# Security settings for systemd running as root, optional but recommended to improve security. You
# can disable individual settings if they cause problems for your use case. For more details, see
# the systemd manual: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
LockPersonality=true
# Certain borgmatic features like Healthchecks integration need MemoryDenyWriteExecute to be off.
# But you can try setting it to "yes" for improved security if you don't use those features.
MemoryDenyWriteExecute=no
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
# To restrict write access further, change "ProtectSystem" to "strict" and uncomment
# "ReadWritePaths", "ReadOnlyPaths", "ProtectHome", and "BindPaths". Then add any local repository
# paths to the list of "ReadWritePaths" and local backup source paths to "ReadOnlyPaths". This
# leaves most of the filesystem read-only to borgmatic.
ProtectSystem=full
# ReadWritePaths=-/mnt/my_backup_drive
# ReadOnlyPaths=-/var/lib/my_backup_source
# This will mount a tmpfs on top of /root and pass through needed paths
# ProtectHome=tmpfs
# BindPaths=-/root/.cache/borg -/root/.config/borg -/root/.borgmatic
# May interfere with running external programs within borgmatic hooks.
CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
# Lower CPU and I/O priority.
Nice=19
CPUSchedulingPolicy=batch
IOSchedulingClass=best-effort
IOSchedulingPriority=7
IOWeight=100
Restart=no
# Prevent rate limiting of borgmatic log events. If you are using an older version of systemd that
# doesn't support this (pre-240 or so), you may have to remove this option.
LogRateLimitIntervalSec=0
# Delay start to prevent backups running during boot. Note that systemd-inhibit requires dbus and
# dbus-user-session to be installed.
ExecStartPre=sleep 1m
ExecStart=systemd-inhibit --who="borgmatic" --what="sleep:shutdown" --why="Prevent interrupting scheduled backup" /usr/local/bin/borgmatic --verbosity -1 --syslog-verbosity 1
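Review bot: The unit is a `.j2` template but contains no Jinja, so the role's own `borgmatic_source_directories` is not used to follow the sandboxing that the comments above `ProtectSystem=full` describe; since the paths are already variables, the `ReadOnlyPaths` line could be rendered from them, e.g. `ReadOnlyPaths={% for d in borgmatic_source_directories %}-{{ d }} {% endfor %}`, leaving `ProtectSystem=strict` as a later, tested step because `strict` also needs the `ReadWritePaths`/`BindPaths` entries for Borg's cache that the comments mention. `ExecStart` hard-codes `/usr/local/bin/borgmatic`, which matches the `become: true` pip install in `tasks/installation.yml` only as long as pip keeps installing there; a one-line comment stating that dependency, `# Path matches the system-wide pip install done by tasks/installation.yml`, would help the next maintainer.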


@ -0,0 +1,10 @@
[Unit]
Description=Run borgmatic backup
[Timer]
OnCalendar=daily
Persistent=true
RandomizedDelaySec=3h
[Install]
WantedBy=timers.target

templates/config.yaml.j2 Normal file

@ -0,0 +1,25 @@
---
consistency:
checks: {{ borgmatic_checks }}
hooks:
healthchecks:
ping_url: {{ borgmatic_healthchecks }}
send_logs: false
location:
exclude_patterns: {{ borgmatic_exclude_patterns }}
repositories: {{ borgmatic_repositories }}
source_directories: {{ borgmatic_source_directories }}
retention:
keep_daily: {{ borgmatic_retention.daily }}
keep_monthly: {{ borgmatic_retention.monthly }}
keep_weekly: {{ borgmatic_retention.weekly }}
storage:
archive_name_format: {{ borgmatic_name }}
compression: {{ borgmatic_compression }}
encryption_passphrase: {{ borgmatic_passphrase }}
ssh_command: {{ borgmatic_ssh_command }}
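Review bot: Every value is interpolated unquoted, so the YAML typing of the rendered file depends on the variable contents: `encryption_passphrase: {{ borgmatic_passphrase }}` breaks the parse or silently changes type when the passphrase contains `: ` or ` #`, starts with a YAML indicator, or is all digits, and `ping_url: {{ borgmatic_healthchecks }}` renders as a null value with the `""` default, which borgmatic's schema validation would presumably reject. Passing scalars and lists through `to_json` yields valid, correctly escaped YAML instead of the Python repr Jinja prints for lists, and the `healthchecks` hook should only be emitted when a URL is set. The rewritten lines follow.
```yaml
---
consistency:
  checks: {{ borgmatic_checks | to_json }}
{% if borgmatic_healthchecks %}
hooks:
  healthchecks:
    ping_url: {{ borgmatic_healthchecks | to_json }}
    send_logs: false
{% endif %}
location:
  exclude_patterns: {{ borgmatic_exclude_patterns | to_json }}
  repositories: {{ borgmatic_repositories | to_json }}
  source_directories: {{ borgmatic_source_directories | to_json }}
# … unchanged: retention …
storage:
  archive_name_format: {{ borgmatic_name | to_json }}
  compression: {{ borgmatic_compression | to_json }}
  encryption_passphrase: {{ borgmatic_passphrase | to_json }}
  ssh_command: {{ borgmatic_ssh_command | to_json }}
```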