author | Matthew Fennell <matthew@fennell.dev> | 2024-01-08 22:53:42 +0000 |
committer | Matthew Fennell <matthew@fennell.dev> | 2024-01-08 22:53:42 +0000 |
commit | f324bbdef4a71d33d4dd0adbd9037f600a058ad5 (patch) | |
tree | c85e20e304721313a8200ef1274e886b12f84479 | |
parent | d7e71e34d6eb308b20b6e7fee9eb6e6a74224897 (diff) |
Install borgmatic in the playbook
This commit adds borgmatic to provide automated backups.
-rw-r--r-- | README.md | 10 | ||||
-rw-r--r-- | files/borgmatic_config.yaml.j2 | 25 | ||||
-rw-r--r-- | playbook.yaml | 22 |
3 files changed, 57 insertions, 0 deletions
@@ -55,6 +55,13 @@ on the box itself will be taken care of by the playbook):
 Install the `ansible` package via your package manager.
+### Backup
+
+You will need to initialise a borg repository on some host or managed provider.
+
+Once you have done this, make a note of the private key you will use to access
+the remote server and the address of the repo.
+
 ### Create a prod inventory file
 Create an inventory file in `inventory/prod.ini` with the production hosts that
@@ -93,6 +100,9 @@ inventory/
 ```
 ```yaml
+borg_passphrase: # the passphrase that borg will encrypt your repo with
+borg_private_key_path: # e.g. /home/matthew/.ssh/some-key
+borg_repo: # the repo to use, e.g. ssh://example.org/./repo
 certbot_email: an email address letsencrypt should use if renewal fails
 virtual_host: the domain of the JID you'd like to use, e.g. koyo.haus
 ```
diff --git a/files/borgmatic_config.yaml.j2 b/files/borgmatic_config.yaml.j2
new file mode 100644
index 0000000..1343351
--- /dev/null
+++ b/files/borgmatic_config.yaml.j2
@@ -0,0 +1,25 @@
+# SPDX-FileCopyrightText: 2024 Matthew Fennell <matthew@fennell.dev>
+#
+# SPDX-License-Identifier: AGPL-3.0-only
+
+---
+
+location:
+ source_directories:
+ - /etc/prosody
+ - /var/lib/prosody
+ repositories:
+ - "{{ borg_repo }}"
+storage:
+ encryption_passphrase: "{{ borg_passphrase }}"
+ ssh_command: ssh -i /root/.ssh/borg_key
+ archive_name_format: "{{ virtual_host }}-{now}"
+retention:
+ keep_daily: 7
+ keep_weekly: 4
+ keep_monthly: 12
+ keep_yearly: 10
+ prefix: "{{ virtual_host }}-"
+consistency:
+ checks:
+ - name: disabled
diff --git a/playbook.yaml b/playbook.yaml
index 1a2a1e9..6c61e68 100644
--- a/playbook.yaml
+++ b/playbook.yaml
@@ -10,6 +10,7 @@
 - name: Ensure required packages are installed
 ansible.builtin.package:
 name:
+ - borgmatic
 - certbot
 - prosody
 - prosody-modules
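Review bot: In files/borgmatic_config.yaml.j2 the `consistency.checks` list holds only `- name: disabled`, which switches off borgmatic's repository and archive verification, so silent corruption of the remote repo is not noticed until a restore is attempted. Replace it with `- name: repository` and `- name: archives`, optionally with a `frequency:` such as `2 weeks` on each so the checks do not run on every backup. The `encryption_passphrase: "{{ borg_passphrase }}"` line also wraps an unescaped template value in YAML double quotes, so a passphrase containing `"` or `\` renders a config that fails to parse; writing `encryption_passphrase: {{ borg_passphrase | to_json }}` (no surrounding quotes) emits a correctly escaped scalar. The same quoting concern applies to `repositories` if `borg_repo` is ever anything other than a plain URL.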
@@ -74,6 +75,23 @@
 name: prosody
 enabled: true
 become: true
+ - name: Ensure borgmatic private key is installed
+ ansible.builtin.copy:
+ src: "{{ borg_private_key_path }}"
+ dest: /root/.ssh/borg_key
+ owner: root
+ group: root
+ mode: "0600"
+ become: true
+ - name: Ensure borgmatic is configured
+ ansible.builtin.template:
+ src: "{{ playbook_dir }}/files/borgmatic_config.yaml.j2"
+ dest: "/etc/borgmatic/config.yaml"
+ owner: root
+ group: root
+ mode: "0600"
+ become: true
+ notify: Validate borgmatic config
 handlers:
 - name: Reload prosody
@@ -81,3 +99,7 @@
 name: prosody
 state: reloaded
 become: true
+ - name: Validate borgmatic config
+ ansible.builtin.command: validate-borgmatic-config
+ become: true
+ changed_when: false |
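Review bot: Neither the `Ensure borgmatic private key is installed` copy task nor the `Ensure borgmatic is configured` template task sets `no_log: true`, so a run with `--diff` prints the SSH private key and the rendered config, including `borg_passphrase`, into the Ansible output and anything that captures it; add `no_log: true` to both tasks. The key is written to `/root/.ssh/borg_key` and the config to `/etc/borgmatic/config.yaml`, but no task ensures either parent directory exists; if a fresh host does not already have them (the package may create `/etc/borgmatic`, root's `.ssh` is usually absent), an `ansible.builtin.file` task with `state: directory` and `mode: "0700"` ahead of each copy avoids a failed run. Nothing in the hunk adds the backup server's host key to root's `known_hosts`, which the `ssh -i /root/.ssh/borg_key` command in the templated config needs before an unattended run can connect; an `ansible.builtin.known_hosts` task keyed on the repo host pins it while keeping strict host-key checking on. The tasks list these entries extend begins outside the hunk.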