-rw-r--r--README.md10
-rw-r--r--files/borgmatic_config.yaml.j225
-rw-r--r--playbook.yaml22
3 files changed, 57 insertions, 0 deletions
diff --git a/README.md b/README.md
index 0943edd..c9fd8e6 100644
--- a/README.md
+++ b/README.md
@@ -55,6 +55,13 @@ on the box itself will be taken care of by the playbook):
Install the `ansible` package via your package manager.
+### Backup
+
+You will need to initialise a borg repository on some host or managed provider.
+
+Once you have done this, make a note of the private key you will use to access
+the remote server and the address of the repo.
+
### Create a prod inventory file
Create an inventory file in `inventory/prod.ini` with the production hosts that
@@ -93,6 +100,9 @@ inventory/
```
```yaml
+borg_passphrase: # the passphrase that borg will encrypt your repo with
+borg_private_key_path: # e.g. /home/matthew/.ssh/some-key
+borg_repo: # the repo to use, e.g. ssh://example.org/./repo
certbot_email: an email address letsencrypt should use if renewal fails
virtual_host: the domain of the JID you'd like to use, e.g. koyo.haus
```
diff --git a/files/borgmatic_config.yaml.j2 b/files/borgmatic_config.yaml.j2
new file mode 100644
index 0000000..1343351
--- /dev/null
+++ b/files/borgmatic_config.yaml.j2
@@ -0,0 +1,25 @@
+# SPDX-FileCopyrightText: 2024 Matthew Fennell <matthew@fennell.dev>
+#
+# SPDX-License-Identifier: AGPL-3.0-only
+
+---
+
+location:
+ source_directories:
+ - /etc/prosody
+ - /var/lib/prosody
+ repositories:
+ - "{{ borg_repo }}"
+storage:
+ encryption_passphrase: "{{ borg_passphrase }}"
+ ssh_command: ssh -i /root/.ssh/borg_key
+ archive_name_format: "{{ virtual_host }}-{now}"
+retention:
+ keep_daily: 7
+ keep_weekly: 4
+ keep_monthly: 12
+ keep_yearly: 10
+ prefix: "{{ virtual_host }}-"
+consistency:
+ checks:
+ - name: disabled
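Review bot: The `encryption_passphrase: "{{ borg_passphrase }}"` line pastes the secret unescaped into a double-quoted YAML scalar, so a passphrase containing `"` or `\` either renders an invalid file or is altered by YAML escape processing, and borgmatic would then present a different passphrase than the one the repository was initialised with. Emitting the value with `encryption_passphrase: {{ borg_passphrase | to_json }}` (and likewise for `borg_repo`) keeps the rendered value exact. Separately, `checks: - name: disabled` means repository or archive corruption would go unnoticed until a restore is attempted; a periodic `repository` check is worth considering, and if checks are disabled on purpose a comment saying why would help.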
diff --git a/playbook.yaml b/playbook.yaml
index 1a2a1e9..6c61e68 100644
--- a/playbook.yaml
+++ b/playbook.yaml
@@ -10,6 +10,7 @@
- name: Ensure required packages are installed
ansible.builtin.package:
name:
+ - borgmatic
- certbot
- prosody
- prosody-modules
@@ -74,6 +75,23 @@
name: prosody
enabled: true
become: true
+ - name: Ensure borgmatic private key is installed
+ ansible.builtin.copy:
+ src: "{{ borg_private_key_path }}"
+ dest: /root/.ssh/borg_key
+ owner: root
+ group: root
+ mode: "0600"
+ become: true
+ - name: Ensure borgmatic is configured
+ ansible.builtin.template:
+ src: "{{ playbook_dir }}/files/borgmatic_config.yaml.j2"
+ dest: "/etc/borgmatic/config.yaml"
+ owner: root
+ group: root
+ mode: "0600"
+ become: true
+ notify: Validate borgmatic config
handlers:
- name: Reload prosody
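Review bot: Neither new task sets `no_log: true`, so running the play with `--diff` or raised verbosity can print the private key and the rendered `encryption_passphrase` to the terminal and any captured logs; add `no_log: true` (or at least `diff: false`) to both the copy and the template task. `ansible.builtin.copy` does not create missing parent directories, so `/root/.ssh` probably needs an `ansible.builtin.file` task with `state: directory` and `mode: "0700"` first, unless something outside this hunk already creates it. The hunk also shows nothing that provisions the backup server's host key in root's `known_hosts`, so the first unattended connection may stall or fail on host-key verification; worth confirming against the rest of the playbook.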
@@ -81,3 +99,7 @@
name: prosody
state: reloaded
become: true
+ - name: Validate borgmatic config
+ ansible.builtin.command: validate-borgmatic-config
+ become: true
+ changed_when: false
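Review bot: Validating in a handler runs only after the new file is already in place at `/etc/borgmatic/config.yaml`, and only on the run where the template changed; if validation fails, a rerun sees no change, skips the handler and reports success with the invalid config still installed. Putting the check on the template task instead, `validate: validate-borgmatic-config --config %s`, makes Ansible test the rendered file before it replaces the live one. The handler could then be dropped.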