[INFO] Création du rôle #1
129
README.md
129
README.md
@ -1,3 +1,128 @@
|
|||||||
# role_modele
|
# role_borgmatic
|
||||||
|
|
||||||
Modèle
|
Rôle de déploiement de borgmatic.
|
||||||
|
|
||||||
|
## Variables
|
||||||
|
|
||||||
|
### borgmatic_distribution_release
|
||||||
|
|
||||||
|
Nom de la version de la distribution.
|
||||||
|
|
||||||
|
*<span style="text-decoration: underline">Valeur par défaut:</span> `bullseye`*
|
||||||
|
|
||||||
|
### borgmatic_keys
|
||||||
|
|
||||||
|
Dictionnaire comportant la clef privée (`private`) et la clef publique (`public`) du dépôt Borg.
|
||||||
|
|
||||||
|
*<span style="text-decoration: underline">Valeur par défaut:</span> aucune*
|
||||||
|
|
||||||
|
### borgmatic_checks
|
||||||
|
|
||||||
|
Liste des vérifications automatiques.
|
||||||
|
|
||||||
|
*<span style="text-decoration: underline">Valeur par défaut:</span> `[{frequency: 4 weeks, name: repository}, {frequency: 2 weeks, name: archives}]`*
|
||||||
|
|
||||||
|
### borgmatic_healthchecks
|
||||||
|
|
||||||
|
URL vers le serveur healtchecks.io.
|
||||||
|
|
||||||
|
*<span style="text-decoration: underline">Valeur par défaut:</span> aucune*
|
||||||
|
|
||||||
|
### borgmatic_exclude_patterns
|
||||||
|
|
||||||
|
Liste des éléments exclus de la sauvegarde.
|
||||||
|
|
||||||
|
*<span style="text-decoration: underline">Valeur par défaut:</span> aucune*
|
||||||
|
|
||||||
|
### borgmatic_repositories
|
||||||
|
|
||||||
|
Liste des dépôts Borg sur lesquels envoyer la sauvegarde.
|
||||||
|
|
||||||
|
*<span style="text-decoration: underline">Valeur par défaut:</span> aucune*
|
||||||
|
|
||||||
|
### borgmatic_source_directories
|
||||||
|
|
||||||
|
Liste des dossiers à sauvegarder.
|
||||||
|
|
||||||
|
*<span style="text-decoration: underline">Valeur par défaut:</span> aucune*
|
||||||
|
|
||||||
|
### borgmatic_retention
|
||||||
|
|
||||||
|
Dictionnaire permettant de définir la rétention.
|
||||||
|
|
||||||
|
*<span style="text-decoration: underline">Valeur par défaut:</span> `{daily: 7, monthly: 0, weekly: 4}`*
|
||||||
|
|
||||||
|
### borgmatic_name
|
||||||
|
|
||||||
|
Nom de la sauvegarde.
|
||||||
|
|
||||||
|
*<span style="text-decoration: underline">Valeur par défaut:</span> `{{ inventory_hostname }}_{now}`*
|
||||||
|
|
||||||
|
### borgmatic_compression
|
||||||
|
|
||||||
|
Algorythme de compression de la sauvegarde.
|
||||||
|
|
||||||
|
*<span style="text-decoration: underline">Valeur par défaut:</span> `none`*
|
||||||
|
|
||||||
|
### borgmatic_passphrase
|
||||||
|
|
||||||
|
Phrase de passe de chiffrement de la sauvegarde.
|
||||||
|
|
||||||
|
*<span style="text-decoration: underline">Valeur par défaut:</span> aucune*
|
||||||
|
|
||||||
|
### borgmatic_ssh_command
|
||||||
|
|
||||||
|
Commande SSH utilisée pour la sauvegarde.
|
||||||
|
|
||||||
|
*<span style="text-decoration: underline">Valeur par défaut:</span> `ssh -i /etc/borgmatic/id_ed25519`*
|
||||||
|
|
||||||
|
## Exemples
|
||||||
|
|
||||||
|
### host_vars/host1.ykn.local
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
---
|
||||||
|
|
||||||
|
borgmatic_keys:
|
||||||
|
private: !vault |
|
||||||
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
|
63383766386235373363643632346463656132363834653765656463663636663366396265353937
|
||||||
|
3732643765363735366437373435616433336134313266340a336638626163633864313363373330
|
||||||
|
38353632373232303838323438656334353964343539373465643939356536373432323363656434
|
||||||
|
3737656232623666300a363138623664366461346230666634633739646334373234626533623938
|
||||||
|
3031
|
||||||
|
public: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMdANRmMmEeyYMMDWJH6DxJsQUUP+Uudv7DgMXY5O+iQ root@{{ inventory_hostname }}
|
||||||
|
borgmatic_healthchecks: https:///healthchecks.ykn.local/ping/7f7332cc-a7d9-4a81-af86-651f856f34b7
|
||||||
|
borgmatic_repositories: ["ssh://e7892281@borgwarehouse.ykn.local:22/./repo2"]
|
||||||
|
borgmatic_source_directories: ["/srv/vaultwarden"]
|
||||||
|
borgmatic_exclude_patterns:
|
||||||
|
- '/srv/vaultwarden/icon_cache'
|
||||||
|
- '/srv/vaultwarden/tmp'
|
||||||
|
borgmatic_passphrase: !vault |
|
||||||
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
|
36623861393935613563336339333962353436353839653762346633363138616233343433356130
|
||||||
|
3133353763393231393236306637313437633366623835300a653161356132663864636634626637
|
||||||
|
63653162393964616339623734613865636535396364396238306664396636353366653439366532
|
||||||
|
3836666166663163630a643635616164366337626632386336323938366636646463373937616361
|
||||||
|
3139
|
||||||
|
borgmatic_compression: lz4
|
||||||
|
```
|
||||||
|
|
||||||
|
### playbook.yml
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: Déployer les rôles communs
|
||||||
|
hosts: 'all:!nixos'
|
||||||
|
roles:
|
||||||
|
- name: etc_hosts
|
||||||
|
- name: ifupdown
|
||||||
|
when: network_provider == "ifupdown"
|
||||||
|
- name: nftables
|
||||||
|
- name: ssh
|
||||||
|
- name: fail2ban
|
||||||
|
- name: users
|
||||||
|
- name: healthchecks_io
|
||||||
|
- name: borgmatic
|
||||||
|
```
|
||||||
|
26
defaults/main.yml
Normal file
26
defaults/main.yml
Normal file
@ -0,0 +1,26 @@
|
|||||||
|
---
|
||||||
|
# defaults file for borgmatic
|
||||||
|
|
||||||
|
borgmatic_distribution_release: bullseye
|
||||||
|
|
||||||
|
borgmatic_keys:
|
||||||
|
private: ""
|
||||||
|
public: ""
|
||||||
|
|
||||||
|
borgmatic_checks:
|
||||||
|
- frequency: 4 weeks
|
||||||
|
name: repository
|
||||||
|
- frequency: 2 weeks
|
||||||
|
name: archives
|
||||||
|
borgmatic_healthchecks: ""
|
||||||
|
borgmatic_exclude_patterns: []
|
||||||
|
borgmatic_repositories: []
|
||||||
|
borgmatic_source_directories: []
|
||||||
|
borgmatic_retention:
|
||||||
|
daily: 7
|
||||||
|
monthly: 0
|
||||||
|
weekly: 4
|
||||||
|
borgmatic_name: "{{ inventory_hostname }}_{now}"
|
||||||
|
borgmatic_compression: none
|
||||||
|
borgmatic_passphrase: ""
|
||||||
|
borgmatic_ssh_command: ssh -i /etc/borgmatic/id_ed25519
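Review bot: `borgmatic_distribution_release: bullseye` hard-codes the release that installation.yml turns into the `-backports` pin, so a host running any other Debian release silently gets bullseye-backports packages; `borgmatic_distribution_release: "{{ ansible_distribution_release }}"` derives it from facts while host_vars can still override it. The secret-bearing defaults (`borgmatic_keys.private`, `borgmatic_keys.public`, `borgmatic_passphrase`) are `""` with nothing marking them as required, and as far as I can tell an empty passphrase with `--encryption repokey` either makes the init handler prompt interactively or leaves the repository key protected by nothing. A comment above each, such as `# required: supply via ansible-vault (see README), the role does not generate one`, would make the contract explicit; an up-front check belongs in the tasks, outside this file.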
|
23
handlers/main.yml
Normal file
23
handlers/main.yml
Normal file
@ -0,0 +1,23 @@
|
|||||||
|
---
|
||||||
|
# handlers file for borgmatic
|
||||||
|
|
||||||
|
- name: Créer le dépôt
|
||||||
|
ansible.builtin.command:
|
||||||
|
cmd: borgmatic init --encryption repokey
|
||||||
|
become: true
|
||||||
|
|
||||||
|
- name: Activer la planification
|
||||||
|
ansible.builtin.systemd:
|
||||||
|
daemon_reload: true
|
||||||
|
enabled: true
|
||||||
|
state: stopped
|
||||||
|
name: borgmatic.timer
|
||||||
|
become: true
|
||||||
|
|
||||||
|
- name: Activer et démarrer le service
|
||||||
|
ansible.builtin.systemd:
|
||||||
|
daemon_reload: true
|
||||||
|
enabled: false
|
||||||
|
state: started
|
||||||
|
name: borgmatic.service
|
||||||
|
become: true
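Review bot: The handler `Activer la planification` uses `state: stopped` for borgmatic.timer, so after a deployment the timer is enabled but not running and no scheduled backup fires until the next reboot; `state: started` is what the handler name describes. The neighbouring handler starts borgmatic.service (`enabled: false`, `state: started`), which launches a full backup run immediately every time the unit file changes — if that is not intended, `daemon_reload: true` alone is enough there since the timer drives the service. `Créer le dépôt` re-runs `borgmatic init --encryption repokey` on every configuration change; I believe borgmatic skips an already-initialised repository, but that is worth confirming, and a `changed_when` keeps the handler from reporting a change each run.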
|
@ -1,7 +1,7 @@
|
|||||||
galaxy_info:
|
galaxy_info:
|
||||||
namespace: ykn
|
namespace: ykn
|
||||||
author: pulsar89.5
|
author: pulsar89.5
|
||||||
description: Rôle modèle
|
description: Rôle de déploiement de borgmatic
|
||||||
|
|
||||||
license: GPL-3.0-or-later
|
license: GPL-3.0-or-later
|
||||||
|
|
||||||
|
50
tasks/configuration.yml
Normal file
50
tasks/configuration.yml
Normal file
@ -0,0 +1,50 @@
|
|||||||
|
---
|
||||||
|
# tasks file for borgmatic
|
||||||
|
|
||||||
|
- name: Déployer la clef privée
|
||||||
|
ansible.builtin.copy:
|
||||||
|
content: "{{ borgmatic_keys.private }}"
|
||||||
|
dest: /etc/borgmatic/id_ed25519
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: u=rw,g=,o=
|
||||||
|
become: true
|
||||||
|
|
||||||
|
- name: Déployer la clef publique
|
||||||
|
ansible.builtin.copy:
|
||||||
|
content: "{{ borgmatic_keys.public }}"
|
||||||
|
dest: /etc/borgmatic/id_ed25519.pub
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: u=rw,g=r,o=r
|
||||||
|
become: true
|
||||||
|
|
||||||
|
- name: Déployer la configuration
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: config.yaml.j2
|
||||||
|
dest: /etc/borgmatic/config.yaml
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: u=rw,g=,o=
|
||||||
|
become: true
|
||||||
|
notify: Créer le dépôt
|
||||||
|
|
||||||
|
- name: Déployer le service
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: borgmatic.service.j2
|
||||||
|
dest: /etc/systemd/system/borgmatic.service
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: u=rw,g=r,o=r
|
||||||
|
become: true
|
||||||
|
notify: Activer et démarrer le service
|
||||||
|
|
||||||
|
- name: Déployer le service et la planification
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: borgmatic.timer.j2
|
||||||
|
dest: /etc/systemd/system/borgmatic.timer
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: u=rw,g=r,o=r
|
||||||
|
become: true
|
||||||
|
notify: Activer la planification
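Review bot: `Déployer la clef privée` and `Déployer la configuration` (whose config.yaml carries `encryption_passphrase`) print their rendered content in task output and in `--diff` mode, so the SSH private key and the passphrase end up in Ansible logs and CI output; add `no_log: true` to both tasks. With the role defaults of `""` for `borgmatic_keys.private` and `borgmatic_passphrase`, the copy task also writes an empty `/etc/borgmatic/id_ed25519` and the failure only shows up at backup time via `ssh -i`; a `when: borgmatic_keys.private | length > 0` guard or an `ansible.builtin.assert` at the top of this file would surface it at deploy time. Minor: the task named `Déployer le service et la planification` only deploys the timer; `Déployer la planification` matches what it does.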
|
27
tasks/installation.yml
Normal file
27
tasks/installation.yml
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
---
|
||||||
|
# tasks file for borgmatic
|
||||||
|
|
||||||
|
- name: Installer python3-pip
|
||||||
|
ansible.builtin.apt:
|
||||||
|
name: python3-pip
|
||||||
|
state: latest
|
||||||
|
become: true
|
||||||
|
|
||||||
|
- name: Installer borgbackup
|
||||||
|
ansible.builtin.apt:
|
||||||
|
name: borgbackup
|
||||||
|
state: latest
|
||||||
|
default_release: "{{ borgmatic_distribution_release }}-backports"
|
||||||
|
become: true
|
||||||
|
|
||||||
|
- name: Installer le paquet avec pip
|
||||||
|
ansible.builtin.pip:
|
||||||
|
name: borgmatic
|
||||||
|
state: latest
|
||||||
|
become: true
|
||||||
|
|
||||||
|
- name: Créer l'exemple de configuration
|
||||||
|
ansible.builtin.command:
|
||||||
|
cmd: generate-borgmatic-config
|
||||||
|
creates: /etc/borgmatic/config.yaml
|
||||||
|
become: true
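Review bot: `state: latest` on all three package tasks upgrades on every run and pins nothing, so a play meant to be a no-op can silently pull a new borgmatic or borg major version from PyPI or backports as root; `state: present` plus `version: "<pinned version>"` on the pip task (exposed as a role variable) keeps deployments reproducible and makes upgrades a reviewed change. I believe `ansible.builtin.pip` as root into the system interpreter is also refused on Debian releases newer than bullseye (externally-managed Python) unless `virtualenv:` is set — worth checking before the release variable is changed. The `generate-borgmatic-config` task only produces a config.yaml that configuration.yml overwrites; if its purpose is to create /etc/borgmatic, `ansible.builtin.file` with `state: directory` and `mode: "0700"` says so explicitly and does not depend on the pip-installed tool being on PATH.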
|
8
tasks/main.yml
Normal file
8
tasks/main.yml
Normal file
@ -0,0 +1,8 @@
|
|||||||
|
---
|
||||||
|
# tasks file for borgmatic
|
||||||
|
|
||||||
|
- name: Importer les tâches d'installation
|
||||||
|
ansible.builtin.import_tasks: installation.yml
|
||||||
|
|
||||||
|
- name: Importer les tâches de configuration
|
||||||
|
ansible.builtin.import_tasks: configuration.yml
|
64
templates/borgmatic.service.j2
Normal file
64
templates/borgmatic.service.j2
Normal file
@ -0,0 +1,64 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=borgmatic backup
|
||||||
|
Wants=network-online.target
|
||||||
|
After=network-online.target
|
||||||
|
# Prevent borgmatic from running unless the machine is plugged into power. Remove this line if you
|
||||||
|
# want to allow borgmatic to run anytime.
|
||||||
|
ConditionACPower=true
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=oneshot
|
||||||
|
|
||||||
|
# Security settings for systemd running as root, optional but recommended to improve security. You
|
||||||
|
# can disable individual settings if they cause problems for your use case. For more details, see
|
||||||
|
# the systemd manual: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
|
||||||
|
LockPersonality=true
|
||||||
|
# Certain borgmatic features like Healthchecks integration need MemoryDenyWriteExecute to be off.
|
||||||
|
# But you can try setting it to "yes" for improved security if you don't use those features.
|
||||||
|
MemoryDenyWriteExecute=no
|
||||||
|
NoNewPrivileges=yes
|
||||||
|
PrivateDevices=yes
|
||||||
|
PrivateTmp=yes
|
||||||
|
ProtectClock=yes
|
||||||
|
ProtectControlGroups=yes
|
||||||
|
ProtectHostname=yes
|
||||||
|
ProtectKernelLogs=yes
|
||||||
|
ProtectKernelModules=yes
|
||||||
|
ProtectKernelTunables=yes
|
||||||
|
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
|
||||||
|
RestrictNamespaces=yes
|
||||||
|
RestrictRealtime=yes
|
||||||
|
RestrictSUIDSGID=yes
|
||||||
|
SystemCallArchitectures=native
|
||||||
|
SystemCallFilter=@system-service
|
||||||
|
SystemCallErrorNumber=EPERM
|
||||||
|
# To restrict write access further, change "ProtectSystem" to "strict" and uncomment
|
||||||
|
# "ReadWritePaths", "ReadOnlyPaths", "ProtectHome", and "BindPaths". Then add any local repository
|
||||||
|
# paths to the list of "ReadWritePaths" and local backup source paths to "ReadOnlyPaths". This
|
||||||
|
# leaves most of the filesystem read-only to borgmatic.
|
||||||
|
ProtectSystem=full
|
||||||
|
# ReadWritePaths=-/mnt/my_backup_drive
|
||||||
|
# ReadOnlyPaths=-/var/lib/my_backup_source
|
||||||
|
# This will mount a tmpfs on top of /root and pass through needed paths
|
||||||
|
# ProtectHome=tmpfs
|
||||||
|
# BindPaths=-/root/.cache/borg -/root/.config/borg -/root/.borgmatic
|
||||||
|
|
||||||
|
# May interfere with running external programs within borgmatic hooks.
|
||||||
|
CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
|
||||||
|
|
||||||
|
# Lower CPU and I/O priority.
|
||||||
|
Nice=19
|
||||||
|
CPUSchedulingPolicy=batch
|
||||||
|
IOSchedulingClass=best-effort
|
||||||
|
IOSchedulingPriority=7
|
||||||
|
IOWeight=100
|
||||||
|
|
||||||
|
Restart=no
|
||||||
|
# Prevent rate limiting of borgmatic log events. If you are using an older version of systemd that
|
||||||
|
# doesn't support this (pre-240 or so), you may have to remove this option.
|
||||||
|
LogRateLimitIntervalSec=0
|
||||||
|
|
||||||
|
# Delay start to prevent backups running during boot. Note that systemd-inhibit requires dbus and
|
||||||
|
# dbus-user-session to be installed.
|
||||||
|
ExecStartPre=sleep 1m
|
||||||
|
ExecStart=systemd-inhibit --who="borgmatic" --what="sleep:shutdown" --why="Prevent interrupting scheduled backup" /usr/local/bin/borgmatic --verbosity -1 --syslog-verbosity 1
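Review bot: The unit keeps `ProtectSystem=full` and leaves the `ProtectHome`/`BindPaths` hardening commented out, although this role only targets remote `ssh://` repositories and already knows the source directories, so the stricter profile the template's own comments describe can be enabled without per-host tuning. Borg needs a writable cache and security directory under /root and the `ssh -i` command reads /root/.ssh/known_hosts, so the tmpfs home needs bind entries for those; everything else becomes read-only under `strict`, which already covers the backup sources. I have not verified this against borgmatic's healthchecks hook, so it is worth one test run before merging.
```ini
# … unchanged: Type and the sandboxing directives above ProtectSystem …
ProtectSystem=strict
ProtectHome=tmpfs
BindPaths=-/root/.cache/borg -/root/.config/borg -/root/.borgmatic
BindReadOnlyPaths=-/root/.ssh
# … unchanged: CapabilityBoundingSet, scheduling priorities, ExecStart …
```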
|
10
templates/borgmatic.timer.j2
Normal file
10
templates/borgmatic.timer.j2
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=Run borgmatic backup
|
||||||
|
|
||||||
|
[Timer]
|
||||||
|
OnCalendar=daily
|
||||||
|
Persistent=true
|
||||||
|
RandomizedDelaySec=3h
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=timers.target
|
25
templates/config.yaml.j2
Normal file
25
templates/config.yaml.j2
Normal file
@ -0,0 +1,25 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
consistency:
|
||||||
|
checks: {{ borgmatic_checks }}
|
||||||
|
|
||||||
|
hooks:
|
||||||
|
healthchecks:
|
||||||
|
ping_url: {{ borgmatic_healthchecks }}
|
||||||
|
send_logs: false
|
||||||
|
|
||||||
|
location:
|
||||||
|
exclude_patterns: {{ borgmatic_exclude_patterns }}
|
||||||
|
repositories: {{ borgmatic_repositories }}
|
||||||
|
source_directories: {{ borgmatic_source_directories }}
|
||||||
|
|
||||||
|
retention:
|
||||||
|
keep_daily: {{ borgmatic_retention.daily }}
|
||||||
|
keep_monthly: {{ borgmatic_retention.monthly }}
|
||||||
|
keep_weekly: {{ borgmatic_retention.weekly }}
|
||||||
|
|
||||||
|
storage:
|
||||||
|
archive_name_format: {{ borgmatic_name }}
|
||||||
|
compression: {{ borgmatic_compression }}
|
||||||
|
encryption_passphrase: {{ borgmatic_passphrase }}
|
||||||
|
ssh_command: {{ borgmatic_ssh_command }}
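Review bot: Every value in this template is interpolated unquoted, so the rendered file depends on YAML's implicit typing of whatever the variable holds: with the role defaults `ping_url: ` and `encryption_passphrase: ` become null, a passphrase containing `#` or `: ` is truncated or breaks the parse, and the lists and dicts come out as Python repr. Passing each value through `to_json` yields a quoted scalar or a flow collection that YAML reads back unchanged, so a passphrase with special characters survives. Since `borgmatic_healthchecks` defaults to `""`, the hooks stanza is emitted with an empty URL even when unused; guarding it with `{% if borgmatic_healthchecks %}` avoids that.
```yaml
consistency:
  checks: {{ borgmatic_checks | to_json }}

{% if borgmatic_healthchecks %}
hooks:
  healthchecks:
    ping_url: {{ borgmatic_healthchecks | to_json }}
    send_logs: false
{% endif %}

location:
  exclude_patterns: {{ borgmatic_exclude_patterns | to_json }}
  repositories: {{ borgmatic_repositories | to_json }}
  source_directories: {{ borgmatic_source_directories | to_json }}

# … unchanged: retention …

storage:
  archive_name_format: {{ borgmatic_name | to_json }}
  compression: {{ borgmatic_compression | to_json }}
  encryption_passphrase: {{ borgmatic_passphrase | to_json }}
  ssh_command: {{ borgmatic_ssh_command | to_json }}
```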
|