Merge pull request '[INFO] Création du rôle' (#1) from alpha into master
Reviewed-on: #1
This commit is contained in:
commit
809240330c
129
README.md
129
README.md
@ -1,3 +1,128 @@
|
||||
# role_modele
|
||||
# role_borgmatic
|
||||
|
||||
Modèle
|
||||
Rôle de déploiement de borgmatic.
|
||||
|
||||
## Variables
|
||||
|
||||
### borgmatic_distribution_release
|
||||
|
||||
Nom de la version de la distribution.
|
||||
|
||||
*<span style="text-decoration: underline">Valeur par défaut:</span> `bullseye`*
|
||||
|
||||
### borgmatic_keys
|
||||
|
||||
Dictionnaire comportant la clef privée (`private`) et la clef publique (`public`) du dépôt Borg.
|
||||
|
||||
*<span style="text-decoration: underline">Valeur par défaut:</span> aucune*
|
||||
|
||||
### borgmatic_checks
|
||||
|
||||
Liste des vérifications automatiques.
|
||||
|
||||
*<span style="text-decoration: underline">Valeur par défaut:</span> `[{frequency: 4 weeks, name: repository}, {frequency: 2 weeks, name: archives}]`*
|
||||
|
||||
### borgmatic_healthchecks
|
||||
|
||||
URL vers le serveur healtchecks.io.
|
||||
|
||||
*<span style="text-decoration: underline">Valeur par défaut:</span> aucune*
|
||||
|
||||
### borgmatic_exclude_patterns
|
||||
|
||||
Liste des éléments exclus de la sauvegarde.
|
||||
|
||||
*<span style="text-decoration: underline">Valeur par défaut:</span> aucune*
|
||||
|
||||
### borgmatic_repositories
|
||||
|
||||
Liste des dépôts Borg sur lesquels envoyer la sauvegarde.
|
||||
|
||||
*<span style="text-decoration: underline">Valeur par défaut:</span> aucune*
|
||||
|
||||
### borgmatic_source_directories
|
||||
|
||||
Liste des dossiers à sauvegarder.
|
||||
|
||||
*<span style="text-decoration: underline">Valeur par défaut:</span> aucune*
|
||||
|
||||
### borgmatic_retention
|
||||
|
||||
Dictionnaire permettant de définir la rétention.
|
||||
|
||||
*<span style="text-decoration: underline">Valeur par défaut:</span> `{daily: 7, monthly: 0, weekly: 4}`*
|
||||
|
||||
### borgmatic_name
|
||||
|
||||
Nom de la sauvegarde.
|
||||
|
||||
*<span style="text-decoration: underline">Valeur par défaut:</span> `{{ inventory_hostname }}_{now}`*
|
||||
|
||||
### borgmatic_compression
|
||||
|
||||
Algorythme de compression de la sauvegarde.
|
||||
|
||||
*<span style="text-decoration: underline">Valeur par défaut:</span> `none`*
|
||||
|
||||
### borgmatic_passphrase
|
||||
|
||||
Phrase de passe de chiffrement de la sauvegarde.
|
||||
|
||||
*<span style="text-decoration: underline">Valeur par défaut:</span> aucune*
|
||||
|
||||
### borgmatic_ssh_command
|
||||
|
||||
Commande SSH utilisée pour la sauvegarde.
|
||||
|
||||
*<span style="text-decoration: underline">Valeur par défaut:</span> `ssh -i /etc/borgmatic/id_ed25519`*
|
||||
|
||||
## Exemples
|
||||
|
||||
### host_vars/host1.ykn.local
|
||||
|
||||
```yaml
|
||||
---
|
||||
|
||||
borgmatic_keys:
|
||||
private: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
63383766386235373363643632346463656132363834653765656463663636663366396265353937
|
||||
3732643765363735366437373435616433336134313266340a336638626163633864313363373330
|
||||
38353632373232303838323438656334353964343539373465643939356536373432323363656434
|
||||
3737656232623666300a363138623664366461346230666634633739646334373234626533623938
|
||||
3031
|
||||
public: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMdANRmMmEeyYMMDWJH6DxJsQUUP+Uudv7DgMXY5O+iQ root@{{ inventory_hostname }}
|
||||
borgmatic_healthchecks: https:///healthchecks.ykn.local/ping/7f7332cc-a7d9-4a81-af86-651f856f34b7
|
||||
borgmatic_repositories: ["ssh://e7892281@borgwarehouse.ykn.local:22/./repo2"]
|
||||
borgmatic_source_directories: ["/srv/vaultwarden"]
|
||||
borgmatic_exclude_patterns:
|
||||
- '/srv/vaultwarden/icon_cache'
|
||||
- '/srv/vaultwarden/tmp'
|
||||
borgmatic_passphrase: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
36623861393935613563336339333962353436353839653762346633363138616233343433356130
|
||||
3133353763393231393236306637313437633366623835300a653161356132663864636634626637
|
||||
63653162393964616339623734613865636535396364396238306664396636353366653439366532
|
||||
3836666166663163630a643635616164366337626632386336323938366636646463373937616361
|
||||
3139
|
||||
borgmatic_compression: lz4
|
||||
```
|
||||
|
||||
### playbook.yml
|
||||
|
||||
```yaml
|
||||
---
|
||||
|
||||
- name: Déployer les rôles communs
|
||||
hosts: 'all:!nixos'
|
||||
roles:
|
||||
- name: etc_hosts
|
||||
- name: ifupdown
|
||||
when: network_provider == "ifupdown"
|
||||
- name: nftables
|
||||
- name: ssh
|
||||
- name: fail2ban
|
||||
- name: users
|
||||
- name: healthchecks_io
|
||||
- name: borgmatic
|
||||
```
|
||||
|
26
defaults/main.yml
Normal file
26
defaults/main.yml
Normal file
@ -0,0 +1,26 @@
|
||||
---
|
||||
# defaults file for borgmatic
|
||||
|
||||
borgmatic_distribution_release: bullseye
|
||||
|
||||
borgmatic_keys:
|
||||
private: ""
|
||||
public: ""
|
||||
|
||||
borgmatic_checks:
|
||||
- frequency: 4 weeks
|
||||
name: repository
|
||||
- frequency: 2 weeks
|
||||
name: archives
|
||||
borgmatic_healthchecks: ""
|
||||
borgmatic_exclude_patterns: []
|
||||
borgmatic_repositories: []
|
||||
borgmatic_source_directories: []
|
||||
borgmatic_retention:
|
||||
daily: 7
|
||||
monthly: 0
|
||||
weekly: 4
|
||||
borgmatic_name: "{{ inventory_hostname }}_{now}"
|
||||
borgmatic_compression: none
|
||||
borgmatic_passphrase: ""
|
||||
borgmatic_ssh_command: ssh -i /etc/borgmatic/id_ed25519
|
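Review bot: The empty defaults `private: ""`, `public: ""`, `borgmatic_passphrase: ""` and `borgmatic_repositories: []` are placeholders the role cannot actually run with, but nothing in the file marks them as required and `# defaults file for borgmatic` is the only comment. I would extend that header comment to say which variables the inventory must override, e.g. `# Empty values below are placeholders: borgmatic_keys, borgmatic_passphrase, borgmatic_repositories and borgmatic_source_directories must be set per host (see README).` The quoted `"{{ inventory_hostname }}_{now}"` default is correct as written, since a value starting with `{` would otherwise be parsed as a flow mapping.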
23
handlers/main.yml
Normal file
23
handlers/main.yml
Normal file
@ -0,0 +1,23 @@
|
||||
---
|
||||
# handlers file for borgmatic
|
||||
|
||||
- name: Créer le dépôt
|
||||
ansible.builtin.command:
|
||||
cmd: borgmatic init --encryption repokey
|
||||
become: true
|
||||
|
||||
- name: Activer la planification
|
||||
ansible.builtin.systemd:
|
||||
daemon_reload: true
|
||||
enabled: true
|
||||
state: stopped
|
||||
name: borgmatic.timer
|
||||
become: true
|
||||
|
||||
- name: Activer et démarrer le service
|
||||
ansible.builtin.systemd:
|
||||
daemon_reload: true
|
||||
enabled: false
|
||||
state: started
|
||||
name: borgmatic.service
|
||||
become: true
|
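Review bot: `Activer la planification` enables borgmatic.timer but sets `state: stopped`, so after a fresh deploy the timer is not running and no backup fires until the next reboot; for a timer this should read `state: started`. Conversely `Activer et démarrer le service` combines `enabled: false` with `state: started`, which launches a full backup synchronously on every change to the service template (the unit is oneshot and begins with `ExecStartPre=sleep 1m`), which is probably not what the handler name promises; once the timer is started, the service handler may not be needed at all. `Créer le dépôt` runs `borgmatic init --encryption repokey` on every configuration change with no `creates:` or `changed_when`; whether that is harmless on an already initialised repository depends on borgmatic's behaviour, which I cannot confirm from here, so a comment stating that assumption would help.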
@ -1,7 +1,7 @@
|
||||
galaxy_info:
|
||||
namespace: ykn
|
||||
author: pulsar89.5
|
||||
description: Rôle modèle
|
||||
description: Rôle de déploiement de borgmatic
|
||||
|
||||
license: GPL-3.0-or-later
|
||||
|
||||
|
50
tasks/configuration.yml
Normal file
50
tasks/configuration.yml
Normal file
@ -0,0 +1,50 @@
|
||||
---
|
||||
# tasks file for borgmatic
|
||||
|
||||
- name: Déployer la clef privée
|
||||
ansible.builtin.copy:
|
||||
content: "{{ borgmatic_keys.private }}"
|
||||
dest: /etc/borgmatic/id_ed25519
|
||||
owner: root
|
||||
group: root
|
||||
mode: u=rw,g=,o=
|
||||
become: true
|
||||
|
||||
- name: Déployer la clef publique
|
||||
ansible.builtin.copy:
|
||||
content: "{{ borgmatic_keys.public }}"
|
||||
dest: /etc/borgmatic/id_ed25519.pub
|
||||
owner: root
|
||||
group: root
|
||||
mode: u=rw,g=r,o=r
|
||||
become: true
|
||||
|
||||
- name: Déployer la configuration
|
||||
ansible.builtin.template:
|
||||
src: config.yaml.j2
|
||||
dest: /etc/borgmatic/config.yaml
|
||||
owner: root
|
||||
group: root
|
||||
mode: u=rw,g=,o=
|
||||
become: true
|
||||
notify: Créer le dépôt
|
||||
|
||||
- name: Déployer le service
|
||||
ansible.builtin.template:
|
||||
src: borgmatic.service.j2
|
||||
dest: /etc/systemd/system/borgmatic.service
|
||||
owner: root
|
||||
group: root
|
||||
mode: u=rw,g=r,o=r
|
||||
become: true
|
||||
notify: Activer et démarrer le service
|
||||
|
||||
- name: Déployer le service et la planification
|
||||
ansible.builtin.template:
|
||||
src: borgmatic.timer.j2
|
||||
dest: /etc/systemd/system/borgmatic.timer
|
||||
owner: root
|
||||
group: root
|
||||
mode: u=rw,g=r,o=r
|
||||
become: true
|
||||
notify: Activer la planification
|
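Review bot: `Déployer la clef privée` and `Déployer la configuration` write the SSH private key and the repository passphrase, yet neither task sets `no_log: true`, so a run with `--diff`, or a failure inside the copy, prints the key material and the passphrase into the Ansible output and any log shipped from the controller; add `no_log: true` next to `become: true` on both tasks. There is also no check that `borgmatic_keys.private`, `borgmatic_passphrase` and `borgmatic_repositories` were overridden from their empty defaults, so a host with missing host_vars silently gets an empty key file and a config with an empty passphrase before the `Créer le dépôt` handler runs; an `ansible.builtin.assert` at the top of the file closes that gap. The `/etc/borgmatic` directory is assumed to exist here (presumably created by `generate-borgmatic-config` in installation.yml), which is worth a comment on the first task.

```yaml
- name: Vérifier les variables obligatoires
  ansible.builtin.assert:
    that:
      - borgmatic_keys.private | length > 0
      - borgmatic_passphrase | length > 0
      - borgmatic_repositories | length > 0
    quiet: true

- name: Déployer la clef privée
  # … unchanged: copy of the private key …
  become: true
  no_log: true

# … unchanged: public key task …

- name: Déployer la configuration
  # … unchanged: config.yaml.j2 template …
  become: true
  no_log: true
  notify: Créer le dépôt
```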
27
tasks/installation.yml
Normal file
27
tasks/installation.yml
Normal file
@ -0,0 +1,27 @@
|
||||
---
|
||||
# tasks file for borgmatic
|
||||
|
||||
- name: Installer python3-pip
|
||||
ansible.builtin.apt:
|
||||
name: python3-pip
|
||||
state: latest
|
||||
become: true
|
||||
|
||||
- name: Installer borgbackup
|
||||
ansible.builtin.apt:
|
||||
name: borgbackup
|
||||
state: latest
|
||||
default_release: "{{ borgmatic_distribution_release }}-backports"
|
||||
become: true
|
||||
|
||||
- name: Installer le paquet avec pip
|
||||
ansible.builtin.pip:
|
||||
name: borgmatic
|
||||
state: latest
|
||||
become: true
|
||||
|
||||
- name: Créer l'exemple de configuration
|
||||
ansible.builtin.command:
|
||||
cmd: generate-borgmatic-config
|
||||
creates: /etc/borgmatic/config.yaml
|
||||
become: true
|
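Review bot: All three install tasks use `state: latest`, so every play run may upgrade `borgbackup` (from backports) and `borgmatic` (from PyPI, as root) to whatever is current, which makes runs non-reproducible and lets an unreviewed upstream release land on every host without any change to the inventory. I would use `state: present` for the apt tasks and pin the pip package through a variable, e.g. `version: "{{ borgmatic_version }}"` with a default in defaults/main.yml (the variable name is a suggestion). A system-wide `ansible.builtin.pip` install as root may also be refused on Debian releases that mark the interpreter as externally managed; I cannot confirm that for the targeted release from here, but a dedicated virtualenv (`virtualenv:` on the pip module) avoids the question. `Créer l'exemple de configuration` seems to exist only to create `/etc/borgmatic`, since configuration.yml overwrites config.yaml anyway; an `ansible.builtin.file` task with `state: directory` would state that intent directly.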
8
tasks/main.yml
Normal file
8
tasks/main.yml
Normal file
@ -0,0 +1,8 @@
|
||||
---
|
||||
# tasks file for borgmatic
|
||||
|
||||
- name: Importer les tâches d'installation
|
||||
ansible.builtin.import_tasks: installation.yml
|
||||
|
||||
- name: Importer les tâches de configuration
|
||||
ansible.builtin.import_tasks: configuration.yml
|
64
templates/borgmatic.service.j2
Normal file
64
templates/borgmatic.service.j2
Normal file
@ -0,0 +1,64 @@
|
||||
[Unit]
|
||||
Description=borgmatic backup
|
||||
Wants=network-online.target
|
||||
After=network-online.target
|
||||
# Prevent borgmatic from running unless the machine is plugged into power. Remove this line if you
|
||||
# want to allow borgmatic to run anytime.
|
||||
ConditionACPower=true
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
|
||||
# Security settings for systemd running as root, optional but recommended to improve security. You
|
||||
# can disable individual settings if they cause problems for your use case. For more details, see
|
||||
# the systemd manual: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
|
||||
LockPersonality=true
|
||||
# Certain borgmatic features like Healthchecks integration need MemoryDenyWriteExecute to be off.
|
||||
# But you can try setting it to "yes" for improved security if you don't use those features.
|
||||
MemoryDenyWriteExecute=no
|
||||
NoNewPrivileges=yes
|
||||
PrivateDevices=yes
|
||||
PrivateTmp=yes
|
||||
ProtectClock=yes
|
||||
ProtectControlGroups=yes
|
||||
ProtectHostname=yes
|
||||
ProtectKernelLogs=yes
|
||||
ProtectKernelModules=yes
|
||||
ProtectKernelTunables=yes
|
||||
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
|
||||
RestrictNamespaces=yes
|
||||
RestrictRealtime=yes
|
||||
RestrictSUIDSGID=yes
|
||||
SystemCallArchitectures=native
|
||||
SystemCallFilter=@system-service
|
||||
SystemCallErrorNumber=EPERM
|
||||
# To restrict write access further, change "ProtectSystem" to "strict" and uncomment
|
||||
# "ReadWritePaths", "ReadOnlyPaths", "ProtectHome", and "BindPaths". Then add any local repository
|
||||
# paths to the list of "ReadWritePaths" and local backup source paths to "ReadOnlyPaths". This
|
||||
# leaves most of the filesystem read-only to borgmatic.
|
||||
ProtectSystem=full
|
||||
# ReadWritePaths=-/mnt/my_backup_drive
|
||||
# ReadOnlyPaths=-/var/lib/my_backup_source
|
||||
# This will mount a tmpfs on top of /root and pass through needed paths
|
||||
# ProtectHome=tmpfs
|
||||
# BindPaths=-/root/.cache/borg -/root/.config/borg -/root/.borgmatic
|
||||
|
||||
# May interfere with running external programs within borgmatic hooks.
|
||||
CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
|
||||
|
||||
# Lower CPU and I/O priority.
|
||||
Nice=19
|
||||
CPUSchedulingPolicy=batch
|
||||
IOSchedulingClass=best-effort
|
||||
IOSchedulingPriority=7
|
||||
IOWeight=100
|
||||
|
||||
Restart=no
|
||||
# Prevent rate limiting of borgmatic log events. If you are using an older version of systemd that
|
||||
# doesn't support this (pre-240 or so), you may have to remove this option.
|
||||
LogRateLimitIntervalSec=0
|
||||
|
||||
# Delay start to prevent backups running during boot. Note that systemd-inhibit requires dbus and
|
||||
# dbus-user-session to be installed.
|
||||
ExecStartPre=sleep 1m
|
||||
ExecStart=systemd-inhibit --who="borgmatic" --what="sleep:shutdown" --why="Prevent interrupting scheduled backup" /usr/local/bin/borgmatic --verbosity -1 --syslog-verbosity 1
|
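Review bot: This template contains no Jinja expression, so it ships the upstream sample unit verbatim, including the commented-out `ProtectSystem=strict` / `ReadOnlyPaths` hardening block; since the role already knows `borgmatic_source_directories`, it could render that block instead of leaving it as a comment, e.g. `ProtectSystem=strict` plus `ReadOnlyPaths={% for d in borgmatic_source_directories %}-{{ d }} {% endfor %}` and a `ReadWritePaths=` line listing the borg cache and config directories named in the `BindPaths` comment. Whether borg needs any further writable path on these hosts I cannot tell from here, so that change needs a test run before merging. `ExecStart` hard-codes `/usr/local/bin/borgmatic`, which matches a root pip install on Debian but silently breaks if tasks/installation.yml changes the install method; a one-line comment above it, `# path of the pip-installed entry point (see tasks/installation.yml)`, records that coupling.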
10
templates/borgmatic.timer.j2
Normal file
10
templates/borgmatic.timer.j2
Normal file
@ -0,0 +1,10 @@
|
||||
[Unit]
|
||||
Description=Run borgmatic backup
|
||||
|
||||
[Timer]
|
||||
OnCalendar=daily
|
||||
Persistent=true
|
||||
RandomizedDelaySec=3h
|
||||
|
||||
[Install]
|
||||
WantedBy=timers.target
|
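Review bot: `OnCalendar=daily` and `RandomizedDelaySec=3h` are hard-coded while the other scheduling-related settings of the role (`borgmatic_checks`, `borgmatic_retention`) are variables, so changing the backup window on one host means forking the template. Rendering them from variables, e.g. `OnCalendar={{ borgmatic_on_calendar }}` and `RandomizedDelaySec={{ borgmatic_randomized_delay }}` with `daily` and `3h` as defaults in defaults/main.yml (names are suggestions), keeps this template consistent with the rest of the role.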
25
templates/config.yaml.j2
Normal file
25
templates/config.yaml.j2
Normal file
@ -0,0 +1,25 @@
|
||||
---
|
||||
|
||||
consistency:
|
||||
checks: {{ borgmatic_checks }}
|
||||
|
||||
hooks:
|
||||
healthchecks:
|
||||
ping_url: {{ borgmatic_healthchecks }}
|
||||
send_logs: false
|
||||
|
||||
location:
|
||||
exclude_patterns: {{ borgmatic_exclude_patterns }}
|
||||
repositories: {{ borgmatic_repositories }}
|
||||
source_directories: {{ borgmatic_source_directories }}
|
||||
|
||||
retention:
|
||||
keep_daily: {{ borgmatic_retention.daily }}
|
||||
keep_monthly: {{ borgmatic_retention.monthly }}
|
||||
keep_weekly: {{ borgmatic_retention.weekly }}
|
||||
|
||||
storage:
|
||||
archive_name_format: {{ borgmatic_name }}
|
||||
compression: {{ borgmatic_compression }}
|
||||
encryption_passphrase: {{ borgmatic_passphrase }}
|
||||
ssh_command: {{ borgmatic_ssh_command }}
|
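Review bot: Every value in this template is interpolated as a bare YAML scalar, so `encryption_passphrase: {{ borgmatic_passphrase }}` breaks or silently changes meaning whenever the passphrase contains `: ` or ` #`, starts with a quote or another YAML indicator, or looks like a number or boolean — the repository then gets initialised with a passphrase that differs from the one stored in host_vars. The list values (`checks`, `exclude_patterns`, `repositories`, `source_directories`) are rendered as Python reprs, which happen to be valid YAML flow lists today but not for strings containing quotes. Passing each value through `to_json` yields valid YAML in all those cases, and the `healthchecks` hook should only be emitted when `borgmatic_healthchecks` is non-empty, since the default `""` currently renders a bare `ping_url:`, i.e. null, into the config.

```jinja
consistency:
  checks: {{ borgmatic_checks | to_json }}

{% if borgmatic_healthchecks %}
hooks:
  healthchecks:
    ping_url: {{ borgmatic_healthchecks | to_json }}
    send_logs: false
{% endif %}

location:
  exclude_patterns: {{ borgmatic_exclude_patterns | to_json }}
  repositories: {{ borgmatic_repositories | to_json }}
  source_directories: {{ borgmatic_source_directories | to_json }}

{# … unchanged: retention section … #}

storage:
  archive_name_format: {{ borgmatic_name | to_json }}
  compression: {{ borgmatic_compression | to_json }}
  encryption_passphrase: {{ borgmatic_passphrase | to_json }}
  ssh_command: {{ borgmatic_ssh_command | to_json }}
```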