diff --git a/README.md b/README.md
index 3edfbf7..6a58849 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,128 @@
-# role_modele
+# role_borgmatic
-Modèle
\ No newline at end of file
+Rôle de déploiement de borgmatic.
+
+## Variables
+
+### borgmatic_distribution_release
+
+Nom de la version de la distribution.
+
+*Valeur par défaut: `bullseye`*
+
+### borgmatic_keys
+
+Dictionnaire comportant la clef privée (`private`) et la clef publique (`public`) du dépôt Borg.
+
+*Valeur par défaut: aucune*
+
+### borgmatic_checks
+
+Liste des vérifications automatiques.
+
+*Valeur par défaut: `[{frequency: 4 weeks, name: repository}, {frequency: 2 weeks, name: archives}]`*
+
+### borgmatic_healthchecks
+
+URL vers le serveur healtchecks.io.
+
+*Valeur par défaut: aucune*
+
+### borgmatic_exclude_patterns
+
+Liste des éléments exclus de la sauvegarde.
+
+*Valeur par défaut: aucune*
+
+### borgmatic_repositories
+
+Liste des dépôts Borg sur lesquels envoyer la sauvegarde.
+
+*Valeur par défaut: aucune*
+
+### borgmatic_source_directories
+
+Liste des dossiers à sauvegarder.
+
+*Valeur par défaut: aucune*
+
+### borgmatic_retention
+
+Dictionnaire permettant de définir la rétention.
+
+*Valeur par défaut: `{daily: 7, monthly: 0, weekly: 4}`*
+
+### borgmatic_name
+
+Nom de la sauvegarde.
+
+*Valeur par défaut: `{{ inventory_hostname }}_{now}`*
+
+### borgmatic_compression
+
+Algorythme de compression de la sauvegarde.
+
+*Valeur par défaut: `none`*
+
+### borgmatic_passphrase
+
+Phrase de passe de chiffrement de la sauvegarde.
+
+*Valeur par défaut: aucune*
+
+### borgmatic_ssh_command
+
+Commande SSH utilisée pour la sauvegarde.
+
+*Valeur par défaut: `ssh -i /etc/borgmatic/id_ed25519`*
+
+## Exemples
+
+### host_vars/host1.ykn.local
+
+```yaml
+---
+
+borgmatic_keys:
+ private: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 63383766386235373363643632346463656132363834653765656463663636663366396265353937
+ 3732643765363735366437373435616433336134313266340a336638626163633864313363373330
+ 38353632373232303838323438656334353964343539373465643939356536373432323363656434
+ 3737656232623666300a363138623664366461346230666634633739646334373234626533623938
+ 3031
+ public: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMdANRmMmEeyYMMDWJH6DxJsQUUP+Uudv7DgMXY5O+iQ root@{{ inventory_hostname }}
+borgmatic_healthchecks: https:///healthchecks.ykn.local/ping/7f7332cc-a7d9-4a81-af86-651f856f34b7
+borgmatic_repositories: ["ssh://e7892281@borgwarehouse.ykn.local:22/./repo2"]
+borgmatic_source_directories: ["/srv/vaultwarden"]
+borgmatic_exclude_patterns:
+ - '/srv/vaultwarden/icon_cache'
+ - '/srv/vaultwarden/tmp'
+borgmatic_passphrase: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 36623861393935613563336339333962353436353839653762346633363138616233343433356130
+ 3133353763393231393236306637313437633366623835300a653161356132663864636634626637
+ 63653162393964616339623734613865636535396364396238306664396636353366653439366532
+ 3836666166663163630a643635616164366337626632386336323938366636646463373937616361
+ 3139
+borgmatic_compression: lz4
+```
+
+### playbook.yml
+
+```yaml
+---
+
+- name: Déployer les rôles communs
+ hosts: 'all:!nixos'
+ roles:
+ - name: etc_hosts
+ - name: ifupdown
+ when: network_provider == "ifupdown"
+ - name: nftables
+ - name: ssh
+ - name: fail2ban
+ - name: users
+ - name: healthchecks_io
+ - name: borgmatic
+```
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..b320026
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,26 @@
+---
+# defaults file for borgmatic
+
+borgmatic_distribution_release: bullseye
+
+borgmatic_keys:
+ private: ""
+ public: ""
+
+borgmatic_checks:
+ - frequency: 4 weeks
+ name: repository
+ - frequency: 2 weeks
+ name: archives
+borgmatic_healthchecks: ""
+borgmatic_exclude_patterns: []
+borgmatic_repositories: []
+borgmatic_source_directories: []
+borgmatic_retention:
+ daily: 7
+ monthly: 0
+ weekly: 4
+borgmatic_name: "{{ inventory_hostname }}_{now}"
+borgmatic_compression: none
+borgmatic_passphrase: ""
+borgmatic_ssh_command: ssh -i /etc/borgmatic/id_ed25519
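Review bot: The default `borgmatic_ssh_command` only selects the identity file, and nothing visible in this commit provisions the repository server's host key for root. The first unattended run would then presumably fail host-key verification, which tends to push operators toward disabling the check altogether. Consider a role variable holding the expected host key, deployed with `ansible.builtin.known_hosts`. The README entry for `borgmatic_ssh_command` should state that host-key checking is expected to stay enabled.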
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..dbada13
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,23 @@
+---
+# handlers file for borgmatic
+
+- name: Créer le dépôt
+ ansible.builtin.command:
+ cmd: borgmatic init --encryption repokey
+ become: true
+
+- name: Activer la planification
+ ansible.builtin.systemd:
+ daemon_reload: true
+ enabled: true
+ state: stopped
+ name: borgmatic.timer
+ become: true
+
+- name: Activer et démarrer le service
+ ansible.builtin.systemd:
+ daemon_reload: true
+ enabled: false
+ state: started
+ name: borgmatic.service
+ become: true
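Review bot: The `Activer la planification` handler sets `state: stopped` on `borgmatic.timer`, so after a deployment the timer is enabled but not running and no backup is scheduled until the next reboot; `state: started` is presumably what was meant. The `Activer et démarrer le service` handler has the opposite problem: `state: started` on `borgmatic.service` launches a backup from inside the playbook run, and because the unit added in this commit is `Type=oneshot`, the task likely blocks until the backup finishes. If only a reload is wanted after the unit file changes, keep `daemon_reload: true` and drop `state: started`. A comment on `Créer le dépôt` would also help, noting that with `--encryption repokey` the key is stored in the repository, so the passphrase and an exported copy of the key must be kept somewhere other than the backed-up host.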
diff --git a/meta/main.yml b/meta/main.yml
index c58bebf..f866eb5 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -1,7 +1,7 @@
galaxy_info:
namespace: ykn
author: pulsar89.5
- description: Rôle modèle
+ description: Rôle de déploiement de borgmatic
license: GPL-3.0-or-later
diff --git a/tasks/configuration.yml b/tasks/configuration.yml
new file mode 100644
index 0000000..b13b1d1
--- /dev/null
+++ b/tasks/configuration.yml
@@ -0,0 +1,50 @@
+---
+# tasks file for borgmatic
+
+- name: Déployer la clef privée
+ ansible.builtin.copy:
+ content: "{{ borgmatic_keys.private }}"
+ dest: /etc/borgmatic/id_ed25519
+ owner: root
+ group: root
+ mode: u=rw,g=,o=
+ become: true
+
+- name: Déployer la clef publique
+ ansible.builtin.copy:
+ content: "{{ borgmatic_keys.public }}"
+ dest: /etc/borgmatic/id_ed25519.pub
+ owner: root
+ group: root
+ mode: u=rw,g=r,o=r
+ become: true
+
+- name: Déployer la configuration
+ ansible.builtin.template:
+ src: config.yaml.j2
+ dest: /etc/borgmatic/config.yaml
+ owner: root
+ group: root
+ mode: u=rw,g=,o=
+ become: true
+ notify: Créer le dépôt
+
+- name: Déployer le service
+ ansible.builtin.template:
+ src: borgmatic.service.j2
+ dest: /etc/systemd/system/borgmatic.service
+ owner: root
+ group: root
+ mode: u=rw,g=r,o=r
+ become: true
+ notify: Activer et démarrer le service
+
+- name: Déployer le service et la planification
+ ansible.builtin.template:
+ src: borgmatic.timer.j2
+ dest: /etc/systemd/system/borgmatic.timer
+ owner: root
+ group: root
+ mode: u=rw,g=r,o=r
+ become: true
+ notify: Activer la planification
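Review bot: The tasks `Déployer la clef privée` and `Déployer la configuration` write secret material (the SSH private key, and a config that embeds `borgmatic_passphrase`) without `no_log: true`. When the play is run with `--diff`, the file contents can end up in the terminal and in any CI or callback log. Adding `no_log: true` (or at least `diff: false`) to those two tasks keeps the vaulted values out of the output. The file modes `u=rw,g=,o=` on both targets are appropriate. The tasks assume `/etc/borgmatic` already exists with sane permissions, which here depends on `generate-borgmatic-config` having run first; an explicit `ansible.builtin.file` task with `state: directory` would make that independent of task order.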
diff --git a/tasks/installation.yml b/tasks/installation.yml
new file mode 100644
index 0000000..8774963
--- /dev/null
+++ b/tasks/installation.yml
@@ -0,0 +1,27 @@
+---
+# tasks file for borgmatic
+
+- name: Installer python3-pip
+ ansible.builtin.apt:
+ name: python3-pip
+ state: latest
+ become: true
+
+- name: Installer borgbackup
+ ansible.builtin.apt:
+ name: borgbackup
+ state: latest
+ default_release: "{{ borgmatic_distribution_release }}-backports"
+ become: true
+
+- name: Installer le paquet avec pip
+ ansible.builtin.pip:
+ name: borgmatic
+ state: latest
+ become: true
+
+- name: Créer l'exemple de configuration
+ ansible.builtin.command:
+ cmd: generate-borgmatic-config
+ creates: /etc/borgmatic/config.yaml
+ become: true
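Review bot: `Installer le paquet avec pip` installs `borgmatic` system-wide as root with `state: latest`, so every playbook run pulls whatever version PyPI currently serves, unpinned and unreviewed. This is the program that later runs as root with the repository passphrase. Pinning through a role variable, for example `version: "{{ borgmatic_version }}"` with `state: present` (where `borgmatic_version` would be a new default), makes upgrades deliberate and reproducible. The same applies, less acutely, to the two `apt` tasks using `state: latest`.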
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..4c863ad
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+# tasks file for borgmatic
+
+- name: Importer les tâches d'installation
+ ansible.builtin.import_tasks: installation.yml
+
+- name: Importer les tâches de configuration
+ ansible.builtin.import_tasks: configuration.yml
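Review bot: Nothing validates the required variables before the two imports run, and the defaults in this commit leave `borgmatic_passphrase`, `borgmatic_repositories` and `borgmatic_source_directories` empty. A host with a missing or misspelled variable would still be configured, and its repository would be initialised with an empty passphrase value rendered into the config. An `ansible.builtin.assert` placed before the imports fails early instead; whether `borgmatic_keys.private` should also be mandatory depends on whether local repositories are meant to be supported.

```yaml
- name: Vérifier les variables obligatoires
  ansible.builtin.assert:
    that:
      - borgmatic_passphrase | length > 0
      - borgmatic_repositories | length > 0
      - borgmatic_source_directories | length > 0
    fail_msg: borgmatic_passphrase, borgmatic_repositories et borgmatic_source_directories sont obligatoires
    quiet: true

# … unchanged: import_tasks installation.yml / configuration.yml …
```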
diff --git a/templates/borgmatic.service.j2 b/templates/borgmatic.service.j2
new file mode 100644
index 0000000..555e154
--- /dev/null
+++ b/templates/borgmatic.service.j2
@@ -0,0 +1,64 @@
+[Unit]
+Description=borgmatic backup
+Wants=network-online.target
+After=network-online.target
+# Prevent borgmatic from running unless the machine is plugged into power. Remove this line if you
+# want to allow borgmatic to run anytime.
+ConditionACPower=true
+
+[Service]
+Type=oneshot
+
+# Security settings for systemd running as root, optional but recommended to improve security. You
+# can disable individual settings if they cause problems for your use case. For more details, see
+# the systemd manual: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+LockPersonality=true
+# Certain borgmatic features like Healthchecks integration need MemoryDenyWriteExecute to be off.
+# But you can try setting it to "yes" for improved security if you don't use those features.
+MemoryDenyWriteExecute=no
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+# To restrict write access further, change "ProtectSystem" to "strict" and uncomment
+# "ReadWritePaths", "ReadOnlyPaths", "ProtectHome", and "BindPaths". Then add any local repository
+# paths to the list of "ReadWritePaths" and local backup source paths to "ReadOnlyPaths". This
+# leaves most of the filesystem read-only to borgmatic.
+ProtectSystem=full
+# ReadWritePaths=-/mnt/my_backup_drive
+# ReadOnlyPaths=-/var/lib/my_backup_source
+# This will mount a tmpfs on top of /root and pass through needed paths
+# ProtectHome=tmpfs
+# BindPaths=-/root/.cache/borg -/root/.config/borg -/root/.borgmatic
+
+# May interfere with running external programs within borgmatic hooks.
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
+
+# Lower CPU and I/O priority.
+Nice=19
+CPUSchedulingPolicy=batch
+IOSchedulingClass=best-effort
+IOSchedulingPriority=7
+IOWeight=100
+
+Restart=no
+# Prevent rate limiting of borgmatic log events. If you are using an older version of systemd that
+# doesn't support this (pre-240 or so), you may have to remove this option.
+LogRateLimitIntervalSec=0
+
+# Delay start to prevent backups running during boot. Note that systemd-inhibit requires dbus and
+# dbus-user-session to be installed.
+ExecStartPre=sleep 1m
+ExecStart=systemd-inhibit --who="borgmatic" --what="sleep:shutdown" --why="Prevent interrupting scheduled backup" /usr/local/bin/borgmatic --verbosity -1 --syslog-verbosity 1
diff --git a/templates/borgmatic.timer.j2 b/templates/borgmatic.timer.j2
new file mode 100644
index 0000000..d51c9b2
--- /dev/null
+++ b/templates/borgmatic.timer.j2
@@ -0,0 +1,10 @@
+[Unit]
+Description=Run borgmatic backup
+
+[Timer]
+OnCalendar=daily
+Persistent=true
+RandomizedDelaySec=3h
+
+[Install]
+WantedBy=timers.target
diff --git a/templates/config.yaml.j2 b/templates/config.yaml.j2
new file mode 100644
index 0000000..76b909f
--- /dev/null
+++ b/templates/config.yaml.j2
@@ -0,0 +1,25 @@
+---
+
+consistency:
+ checks: {{ borgmatic_checks }}
+
+hooks:
+ healthchecks:
+ ping_url: {{ borgmatic_healthchecks }}
+ send_logs: false
+
+location:
+ exclude_patterns: {{ borgmatic_exclude_patterns }}
+ repositories: {{ borgmatic_repositories }}
+ source_directories: {{ borgmatic_source_directories }}
+
+retention:
+ keep_daily: {{ borgmatic_retention.daily }}
+ keep_monthly: {{ borgmatic_retention.monthly }}
+ keep_weekly: {{ borgmatic_retention.weekly }}
+
+storage:
+ archive_name_format: {{ borgmatic_name }}
+ compression: {{ borgmatic_compression }}
+ encryption_passphrase: {{ borgmatic_passphrase }}
+ ssh_command: {{ borgmatic_ssh_command }}
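Review bot: Every value in this template is interpolated as a bare YAML scalar, which is most dangerous on `encryption_passphrase: {{ borgmatic_passphrase }}`. A passphrase containing ` #` is silently cut at the comment marker, one containing `: ` or starting with `*`, `&`, `!` or `{` breaks or changes the parse, and the empty default renders as null. In the truncation case the repository ends up encrypted with a different, shorter passphrase than the one stored in the vault. The list variables only work because Python's list repr happens to resemble flow YAML. Emitting each value through a serialising filter such as `to_json` (a JSON string is a valid double-quoted YAML scalar) removes the ambiguity, and the `healthchecks` block could be wrapped in a condition so that an empty URL does not produce a hook entry.

```yaml
consistency:
    checks: {{ borgmatic_checks | to_json }}

hooks:
    healthchecks:
        ping_url: {{ borgmatic_healthchecks | to_json }}
        # … unchanged: send_logs …

location:
    exclude_patterns: {{ borgmatic_exclude_patterns | to_json }}
    repositories: {{ borgmatic_repositories | to_json }}
    source_directories: {{ borgmatic_source_directories | to_json }}

# … unchanged: retention …

storage:
    archive_name_format: {{ borgmatic_name | to_json }}
    compression: {{ borgmatic_compression | to_json }}
    encryption_passphrase: {{ borgmatic_passphrase | to_json }}
    ssh_command: {{ borgmatic_ssh_command | to_json }}
```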