From aa22b3d7396ec4ee4eec20a2982a86fa5af756bd Mon Sep 17 00:00:00 2001
From: "pulsar89.5"
Date: Tue, 7 Mar 2023 00:13:54 +0100
Subject: [PATCH] =?UTF-8?q?[INFO]=20Cr=C3=A9ation=20du=20r=C3=B4le?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 README.md | 129 ++++++++++++++++++++++++++++++++-
 defaults/main.yml | 26 +++++++
 handlers/main.yml | 23 ++++++
 meta/main.yml | 2 +-
 tasks/configuration.yml | 50 +++++++++++++
 tasks/installation.yml | 27 +++++++
 tasks/main.yml | 8 ++
 templates/borgmatic.service.j2 | 64 ++++++++++++++++
 templates/borgmatic.timer.j2 | 10 +++
 templates/config.yaml.j2 | 25 +++++++
 10 files changed, 361 insertions(+), 3 deletions(-)
 create mode 100644 defaults/main.yml
 create mode 100644 handlers/main.yml
 create mode 100644 tasks/configuration.yml
 create mode 100644 tasks/installation.yml
 create mode 100644 tasks/main.yml
 create mode 100644 templates/borgmatic.service.j2
 create mode 100644 templates/borgmatic.timer.j2
 create mode 100644 templates/config.yaml.j2
diff --git a/README.md b/README.md
index 3edfbf7..6a58849 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,128 @@
-# role_modele
+# role_borgmatic
-Modèle
\ No newline at end of file
+Rôle de déploiement de borgmatic.
+
+## Variables
+
+### borgmatic_distribution_release
+
+Nom de la version de la distribution.
+
+*Valeur par défaut: `bullseye`*
+
+### borgmatic_keys
+
+Dictionnaire comportant la clef privée (`private`) et la clef publique (`public`) du dépôt Borg.
+
+*Valeur par défaut: aucune*
+
+### borgmatic_checks
+
+Liste des vérifications automatiques.
+
+*Valeur par défaut: `[{frequency: 4 weeks, name: repository}, {frequency: 2 weeks, name: archives}]`*
+
+### borgmatic_healthchecks
+
+URL vers le serveur healtchecks.io.
+
+*Valeur par défaut: aucune*
+
+### borgmatic_exclude_patterns
+
+Liste des éléments exclus de la sauvegarde.
+
+*Valeur par défaut: aucune*
+
+### borgmatic_repositories
+
+Liste des dépôts Borg sur lesquels envoyer la sauvegarde.
+
+*Valeur par défaut: aucune*
+
+### borgmatic_source_directories
+
+Liste des dossiers à sauvegarder.
+
+*Valeur par défaut: aucune*
+
+### borgmatic_retention
+
+Dictionnaire permettant de définir la rétention.
+
+*Valeur par défaut: `{daily: 7, monthly: 0, weekly: 4}`*
+
+### borgmatic_name
+
+Nom de la sauvegarde.
+
+*Valeur par défaut: `{{ inventory_hostname }}_{now}`*
+
+### borgmatic_compression
+
+Algorythme de compression de la sauvegarde.
+
+*Valeur par défaut: `none`*
+
+### borgmatic_passphrase
+
+Phrase de passe de chiffrement de la sauvegarde.
+
+*Valeur par défaut: aucune*
+
+### borgmatic_ssh_command
+
+Commande SSH utilisée pour la sauvegarde.
+
+*Valeur par défaut: `ssh -i /etc/borgmatic/id_ed25519`*
+
+## Exemples
+
+### host_vars/host1.ykn.local
+
+```yaml
+---
+
+borgmatic_keys:
+ private: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 63383766386235373363643632346463656132363834653765656463663636663366396265353937
+ 3732643765363735366437373435616433336134313266340a336638626163633864313363373330
+ 38353632373232303838323438656334353964343539373465643939356536373432323363656434
+ 3737656232623666300a363138623664366461346230666634633739646334373234626533623938
+ 3031
+ public: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMdANRmMmEeyYMMDWJH6DxJsQUUP+Uudv7DgMXY5O+iQ root@{{ inventory_hostname }}
+borgmatic_healthchecks: https:///healthchecks.ykn.local/ping/7f7332cc-a7d9-4a81-af86-651f856f34b7
+borgmatic_repositories: ["ssh://e7892281@borgwarehouse.ykn.local:22/./repo2"]
+borgmatic_source_directories: ["/srv/vaultwarden"]
+borgmatic_exclude_patterns:
+ - '/srv/vaultwarden/icon_cache'
+ - '/srv/vaultwarden/tmp'
+borgmatic_passphrase: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 36623861393935613563336339333962353436353839653762346633363138616233343433356130
+ 3133353763393231393236306637313437633366623835300a653161356132663864636634626637
+ 63653162393964616339623734613865636535396364396238306664396636353366653439366532
+ 3836666166663163630a643635616164366337626632386336323938366636646463373937616361
+ 3139
+borgmatic_compression: lz4
+```
+
+### playbook.yml
+
+```yaml
+---
+
+- name: Déployer les rôles communs
+ hosts: 'all:!nixos'
+ roles:
+ - name: etc_hosts
+ - name: ifupdown
+ when: network_provider == "ifupdown"
+ - name: nftables
+ - name: ssh
+ - name: fail2ban
+ - name: users
+ - name: healthchecks_io
+ - name: borgmatic
+```
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..b320026
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,26 @@
+---
+# defaults file for borgmatic
+
+borgmatic_distribution_release: bullseye
+
+borgmatic_keys:
+ private: ""
+ public: ""
+
+borgmatic_checks:
+ - frequency: 4 weeks
+ name: repository
+ - frequency: 2 weeks
+ name: archives
+borgmatic_healthchecks: ""
+borgmatic_exclude_patterns: []
+borgmatic_repositories: []
+borgmatic_source_directories: []
+borgmatic_retention:
+ daily: 7
+ monthly: 0
+ weekly: 4
+borgmatic_name: "{{ inventory_hostname }}_{now}"
+borgmatic_compression: none
+borgmatic_passphrase: ""
+borgmatic_ssh_command: ssh -i /etc/borgmatic/id_ed25519
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..dbada13
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,23 @@
+---
+# handlers file for borgmatic
+
+- name: Créer le dépôt
+ ansible.builtin.command:
+ cmd: borgmatic init --encryption repokey
+ become: true
+
+- name: Activer la planification
+ ansible.builtin.systemd:
+ daemon_reload: true
+ enabled: true
+ state: stopped
+ name: borgmatic.timer
+ become: true
+
+- name: Activer et démarrer le service
+ ansible.builtin.systemd:
+ daemon_reload: true
+ enabled: false
+ state: started
+ name: borgmatic.service
+ become: true
diff --git a/meta/main.yml b/meta/main.yml
index c58bebf..f866eb5 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -1,7 +1,7 @@
 galaxy_info:
 namespace: ykn
 author: pulsar89.5
- description: Rôle modèle
+ description: Rôle de déploiement de borgmatic
 license: GPL-3.0-or-later
diff --git a/tasks/configuration.yml b/tasks/configuration.yml
new file mode 100644
index 0000000..b13b1d1
--- /dev/null
+++ b/tasks/configuration.yml
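Review bot: `borgmatic_passphrase` and `borgmatic_keys.private` default to the empty string, and nothing in this commit refuses to run with those defaults, so a host that does not override them gets a repository initialised by the `Créer le dépôt` handler with `--encryption repokey` and an empty passphrase, plus an empty `/etc/borgmatic/id_ed25519`. Because repokey keeps the key inside the repository, an empty passphrase means whoever can read the repository can read the backups; the role should treat these two values as required (an `ansible.builtin.assert` on non-empty values before the configuration tasks, or `{{ borgmatic_passphrase | mandatory }}` in the template). Separately, `borgmatic_ssh_command` passes only `-i`, and no task provisions the repository host's key into root's `known_hosts`; ssh launched from the oneshot unit has no tty, so the first connection is likely to fail with a host-key verification error rather than prompt. A `borgmatic_known_hosts` variable consumed by `ansible.builtin.known_hosts` would pin the host key properly instead of inviting a `StrictHostKeyChecking=no` workaround.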
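Review bot: `Activer la planification` enables `borgmatic.timer` but sets `state: stopped`, so on a freshly deployed host the timer is not running and no scheduled backup happens until the next reboot; `state: started` is what the handler name promises. The service handler does the inverse (`enabled: false`, `state: started`), which starts the oneshot unit immediately — and because `borgmatic.service` is `Type=oneshot` with `ExecStartPre=sleep 1m`, `systemctl start` blocks the play for at least a minute and then for the whole first backup, which looks unintended rather than a deliberate "run on deploy". `Créer le dépôt` runs `borgmatic init --encryption repokey` on every config change with no `changed_when`, so it always reports changed; add `changed_when: false` or a guard, and keep in mind that, as far as I can tell, re-running `init` against an existing repository does not change its passphrase, so a later `borgmatic_passphrase` change will not be picked up by this handler.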
@@ -0,0 +1,50 @@
+---
+# tasks file for borgmatic
+
+- name: Déployer la clef privée
+ ansible.builtin.copy:
+ content: "{{ borgmatic_keys.private }}"
+ dest: /etc/borgmatic/id_ed25519
+ owner: root
+ group: root
+ mode: u=rw,g=,o=
+ become: true
+
+- name: Déployer la clef publique
+ ansible.builtin.copy:
+ content: "{{ borgmatic_keys.public }}"
+ dest: /etc/borgmatic/id_ed25519.pub
+ owner: root
+ group: root
+ mode: u=rw,g=r,o=r
+ become: true
+
+- name: Déployer la configuration
+ ansible.builtin.template:
+ src: config.yaml.j2
+ dest: /etc/borgmatic/config.yaml
+ owner: root
+ group: root
+ mode: u=rw,g=,o=
+ become: true
+ notify: Créer le dépôt
+
+- name: Déployer le service
+ ansible.builtin.template:
+ src: borgmatic.service.j2
+ dest: /etc/systemd/system/borgmatic.service
+ owner: root
+ group: root
+ mode: u=rw,g=r,o=r
+ become: true
+ notify: Activer et démarrer le service
+
+- name: Déployer le service et la planification
+ ansible.builtin.template:
+ src: borgmatic.timer.j2
+ dest: /etc/systemd/system/borgmatic.timer
+ owner: root
+ group: root
+ mode: u=rw,g=r,o=r
+ become: true
+ notify: Activer la planification
diff --git a/tasks/installation.yml b/tasks/installation.yml
new file mode 100644
index 0000000..8774963
--- /dev/null
+++ b/tasks/installation.yml
@@ -0,0 +1,27 @@
+---
+# tasks file for borgmatic
+
+- name: Installer python3-pip
+ ansible.builtin.apt:
+ name: python3-pip
+ state: latest
+ become: true
+
+- name: Installer borgbackup
+ ansible.builtin.apt:
+ name: borgbackup
+ state: latest
+ default_release: "{{ borgmatic_distribution_release }}-backports"
+ become: true
+
+- name: Installer le paquet avec pip
+ ansible.builtin.pip:
+ name: borgmatic
+ state: latest
+ become: true
+
+- name: Créer l'exemple de configuration
+ ansible.builtin.command:
+ cmd: generate-borgmatic-config
+ creates: /etc/borgmatic/config.yaml
+ become: true
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..4c863ad
--- /dev/null
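Review bot: The private-key copy and the config template both carry secrets (`borgmatic_keys.private` directly, `borgmatic_passphrase` through `config.yaml.j2`), but neither `Déployer la clef privée` nor `Déployer la configuration` sets `no_log: true`, so a run with `--diff` or `-vvv` prints the key material and the passphrase into the controller output and whatever log collector sits behind it. Add `no_log: true` to both tasks (and `diff: false` if the play is normally run with `--diff`). The file also writes its inputs without validating them: with the defaults an empty string lands in `/etc/borgmatic/id_ed25519` and an empty passphrase in the config, and the failure only shows up at the first scheduled backup, so an assert at the top of this file would fail early with a clear message. Suggested additions:
```yaml
- name: Vérifier les variables obligatoires
  ansible.builtin.assert:
    that:
      - borgmatic_keys.private | length > 0
      - borgmatic_passphrase | length > 0
      - borgmatic_repositories | length > 0
    fail_msg: "borgmatic_keys.private, borgmatic_passphrase et borgmatic_repositories doivent être définis"
    quiet: true

- name: Déployer la clef privée
  ansible.builtin.copy:
    content: "{{ borgmatic_keys.private }}"
    dest: /etc/borgmatic/id_ed25519
    owner: root
    group: root
    mode: u=rw,g=,o=
  become: true
  no_log: true

# … unchanged: public key task; config task gains the same no_log: true; service and timer tasks …
```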
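Review bot: `Installer le paquet avec pip` installs `borgmatic` from PyPI as root with `state: latest` and no version, so every playbook run may silently upgrade to whatever PyPI serves at that moment, and the same `state: latest` on the two apt tasks makes the play non-idempotent. Pin it (`version: "<pinned borgmatic version>"` with `state: present`, or a hash-checked file via `requirements:`) so the schema rendered by `config.yaml.j2` and the installed borgmatic cannot drift apart. On Debian releases after bullseye, pip refuses system-wide installs by default (`externally-managed-environment`), so this task will likely need `extra_args:` or a dedicated `virtualenv:`, and the unit's hard-coded `/usr/local/bin/borgmatic` would then have to follow. `default_release: "{{ borgmatic_distribution_release }}-backports"` also assumes the backports suite is already configured in apt, which nothing in this role does.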
+++ b/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+# tasks file for borgmatic
+
+- name: Importer les tâches d'installation
+ ansible.builtin.import_tasks: installation.yml
+
+- name: Importer les tâches de configuration
+ ansible.builtin.import_tasks: configuration.yml
diff --git a/templates/borgmatic.service.j2 b/templates/borgmatic.service.j2
new file mode 100644
index 0000000..555e154
--- /dev/null
+++ b/templates/borgmatic.service.j2
@@ -0,0 +1,64 @@
+[Unit]
+Description=borgmatic backup
+Wants=network-online.target
+After=network-online.target
+# Prevent borgmatic from running unless the machine is plugged into power. Remove this line if you
+# want to allow borgmatic to run anytime.
+ConditionACPower=true
+
+[Service]
+Type=oneshot
+
+# Security settings for systemd running as root, optional but recommended to improve security. You
+# can disable individual settings if they cause problems for your use case. For more details, see
+# the systemd manual: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+LockPersonality=true
+# Certain borgmatic features like Healthchecks integration need MemoryDenyWriteExecute to be off.
+# But you can try setting it to "yes" for improved security if you don't use those features.
+MemoryDenyWriteExecute=no
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+# To restrict write access further, change "ProtectSystem" to "strict" and uncomment
+# "ReadWritePaths", "ReadOnlyPaths", "ProtectHome", and "BindPaths". Then add any local repository
+# paths to the list of "ReadWritePaths" and local backup source paths to "ReadOnlyPaths". This
+# leaves most of the filesystem read-only to borgmatic.
+ProtectSystem=full
+# ReadWritePaths=-/mnt/my_backup_drive
+# ReadOnlyPaths=-/var/lib/my_backup_source
+# This will mount a tmpfs on top of /root and pass through needed paths
+# ProtectHome=tmpfs
+# BindPaths=-/root/.cache/borg -/root/.config/borg -/root/.borgmatic
+
+# May interfere with running external programs within borgmatic hooks.
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
+
+# Lower CPU and I/O priority.
+Nice=19
+CPUSchedulingPolicy=batch
+IOSchedulingClass=best-effort
+IOSchedulingPriority=7
+IOWeight=100
+
+Restart=no
+# Prevent rate limiting of borgmatic log events. If you are using an older version of systemd that
+# doesn't support this (pre-240 or so), you may have to remove this option.
+LogRateLimitIntervalSec=0
+
+# Delay start to prevent backups running during boot. Note that systemd-inhibit requires dbus and
+# dbus-user-session to be installed.
+ExecStartPre=sleep 1m
+ExecStart=systemd-inhibit --who="borgmatic" --what="sleep:shutdown" --why="Prevent interrupting scheduled backup" /usr/local/bin/borgmatic --verbosity -1 --syslog-verbosity 1
diff --git a/templates/borgmatic.timer.j2 b/templates/borgmatic.timer.j2
new file mode 100644
index 0000000..d51c9b2
--- /dev/null
+++ b/templates/borgmatic.timer.j2
@@ -0,0 +1,10 @@
+[Unit]
+Description=Run borgmatic backup
+
+[Timer]
+OnCalendar=daily
+Persistent=true
+RandomizedDelaySec=3h
+
+[Install]
+WantedBy=timers.target
diff --git a/templates/config.yaml.j2 b/templates/config.yaml.j2
new file mode 100644
index 0000000..76b909f
--- /dev/null
+++ b/templates/config.yaml.j2
@@ -0,0 +1,25 @@
+---
+
+consistency:
+ checks: {{ borgmatic_checks }}
+
+hooks:
+ healthchecks:
+ ping_url: {{ borgmatic_healthchecks }}
+ send_logs: false
+
+location:
+ exclude_patterns: {{ borgmatic_exclude_patterns }}
+ repositories: {{ borgmatic_repositories }}
+ source_directories: {{ borgmatic_source_directories }}
+
+retention:
+ keep_daily: {{ borgmatic_retention.daily }}
+ keep_monthly: {{ borgmatic_retention.monthly }}
+ keep_weekly: {{ borgmatic_retention.weekly }}
+
+storage:
+ archive_name_format: {{ borgmatic_name }}
+ compression: {{ borgmatic_compression }}
+ encryption_passphrase: {{ borgmatic_passphrase }}
+ ssh_command: {{ borgmatic_ssh_command }}
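Review bot: `ExecStart` hard-codes `/usr/local/bin/borgmatic`, which only matches because the pip task installs system-wide; the file is already a `.j2` template yet contains no Jinja, so the interpreter path should come from a role variable (e.g. `{{ borgmatic_bin | default('/usr/local/bin/borgmatic') }}`) rather than being re-edited by hand if the install moves to a virtualenv. `CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW` is carried over from the upstream sample; for an ssh-based repository `CAP_NET_RAW` is presumably not needed and could be dropped when `borgmatic_healthchecks` is unset, which is worth a comment either way since the role never explains which upstream defaults it kept on purpose. Note also that `ProtectSystem=full` makes `/etc` read-only (fine for reading `/etc/borgmatic/config.yaml`) while root's `~/.config/borg` and `~/.cache/borg` stay writable because `ProtectHome` is left commented; that trade-off belongs in the role README, not only in the unit's inherited comments.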
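Review bot: Every value in this template is interpolated unquoted, so `encryption_passphrase: {{ borgmatic_passphrase }}` breaks or silently changes meaning for any passphrase containing `: `, ` #`, a leading `*`, `&` or `!`, or one that parses as a number or boolean, and with the role defaults `ping_url:` and `encryption_passphrase:` render as YAML null, which borgmatic's schema validation may reject. Render scalars through `to_json` (valid YAML, correct quoting) and emit the `hooks` block only when `borgmatic_healthchecks` is set; the list-valued keys should also go through `to_json` rather than relying on Python's list repr happening to be valid YAML flow syntax. The README example in this commit embeds a concrete-looking healthchecks ping URL, and since the URL alone is enough to report a backup as successful, the example should use a placeholder.
```yaml
consistency:
  checks: {{ borgmatic_checks | to_json }}

{% if borgmatic_healthchecks %}
hooks:
  healthchecks:
    ping_url: {{ borgmatic_healthchecks | to_json }}
    send_logs: false
{% endif %}

location:
  exclude_patterns: {{ borgmatic_exclude_patterns | to_json }}
  repositories: {{ borgmatic_repositories | to_json }}
  source_directories: {{ borgmatic_source_directories | to_json }}

# … unchanged: retention …

storage:
  archive_name_format: {{ borgmatic_name | to_json }}
  compression: {{ borgmatic_compression | to_json }}
  encryption_passphrase: {{ borgmatic_passphrase | to_json }}
  ssh_command: {{ borgmatic_ssh_command | to_json }}
```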