From f324bbdef4a71d33d4dd0adbd9037f600a058ad5 Mon Sep 17 00:00:00 2001
From: Matthew Fennell
Date: Mon, 8 Jan 2024 22:53:42 +0000
Subject: Install borgmatic in the playbook

This commit adds borgmatic, to provide automated backups.
---
 README.md | 10 ++++++++++
 files/borgmatic_config.yaml.j2 | 25 +++++++++++++++++++++++++
 playbook.yaml | 22 ++++++++++++++++++++++
 3 files changed, 57 insertions(+)
 create mode 100644 files/borgmatic_config.yaml.j2

diff --git a/README.md b/README.md
index 0943edd..c9fd8e6 100644
--- a/README.md
+++ b/README.md
@@ -55,6 +55,13 @@ on the box itself will be taken care of by the playbook):
 
 Install the `ansible` package via your package manager.
 
+### Backup
+
+You will need to initialise a borg repository on some host or managed provider.
+
+Once you have done this, make a note of the private key you will use to access
+the remote server and the address of the repo.
+
 ### Create a prod inventory file
 
 Create an inventory file in `inventory/prod.ini` with the production hosts that
@@ -93,6 +100,9 @@ inventory/
 ```
 
 ```yaml
+borg_passphrase: # the passphrase that borg will encrypt your repo with
+borg_private_key_path: # e.g. /home/matthew/.ssh/some-key
+borg_repo: # the repo to use, e.g. ssh://example.org/./repo
 certbot_email: an email address letsencrypt should use if renewal fails
 virtual_host: the domain of the JID you'd like to use, e.g. koyo.haus
 ```
diff --git a/files/borgmatic_config.yaml.j2 b/files/borgmatic_config.yaml.j2
new file mode 100644
index 0000000..1343351
--- /dev/null
+++ b/files/borgmatic_config.yaml.j2
@@ -0,0 +1,25 @@
+# SPDX-FileCopyrightText: 2024 Matthew Fennell
+#
+# SPDX-License-Identifier: AGPL-3.0-only
+
+---
+
+location:
+ source_directories:
+ - /etc/prosody
+ - /var/lib/prosody
+ repositories:
+ - "{{ borg_repo }}"
+storage:
+ encryption_passphrase: "{{ borg_passphrase }}"
+ ssh_command: ssh -i /root/.ssh/borg_key
+ archive_name_format: "{{ virtual_host }}-{now}"
+retention:
+ keep_daily: 7
+ keep_weekly: 4
+ keep_monthly: 12
+ keep_yearly: 10
+ prefix: "{{ virtual_host }}-"
+consistency:
+ checks:
+ - name: disabled
diff --git a/playbook.yaml b/playbook.yaml
index 1a2a1e9..6c61e68 100644
--- a/playbook.yaml
+++ b/playbook.yaml
@@ -10,6 +10,7 @@
 - name: Ensure required packages are installed
 ansible.builtin.package:
 name:
+ - borgmatic
 - certbot
 - prosody
 - prosody-modules
@@ -74,6 +75,23 @@
 name: prosody
 enabled: true
 become: true
+ - name: Ensure borgmatic private key is installed
+ ansible.builtin.copy:
+ src: "{{ borg_private_key_path }}"
+ dest: /root/.ssh/borg_key
+ owner: root
+ group: root
+ mode: "0600"
+ become: true
+ - name: Ensure borgmatic is configured
+ ansible.builtin.template:
+ src: "{{ playbook_dir }}/files/borgmatic_config.yaml.j2"
+ dest: "/etc/borgmatic/config.yaml"
+ owner: root
+ group: root
+ mode: "0600"
+ become: true
+ notify: Validate borgmatic config
 
 handlers:
 - name: Reload prosody
@@ -81,3 +99,7 @@
 name: prosody
 state: reloaded
 become: true
+ - name: Validate borgmatic config
+ ansible.builtin.command: validate-borgmatic-config
+ become: true
+ changed_when: false
-- 
cgit v1.2.3
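Review bot: The `consistency:` block's `- name: disabled` switches off every borg consistency check, so a corrupted repository or an unreadable archive is only discovered when a restore is attempted. Keep at least the repository and archive checks on a schedule: replace the `disabled` entry with `- name: repository` and `- name: archives`, each followed by `frequency: 2 weeks` (the exact `checks` syntax depends on the borgmatic release the distro ships, so confirm it with `validate-borgmatic-config`). `ssh_command` also leaves host-key handling at the client default, so an unattended run either stops at the first-connection prompt or, if someone relaxes `StrictHostKeyChecking` to get past it, will ship the backup stream to whatever answers at the repo host; pin the repo host's key in `/root/.ssh/known_hosts` instead of loosening that option. Because both the passphrase and the private key live on the host being backed up, an attacker with root there can also destroy the remote history, so if the repo server permits it, restrict this key to `borg serve --append-only --restrict-to-repository …` in its authorized_keys entry.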
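Review bot: The copy task writes `/root/.ssh/borg_key` without first ensuring `/root/.ssh` exists, so on a host where root has never used ssh `ansible.builtin.copy` fails on the missing directory; a `file` task creating it with mode `"0700"` should precede it (the tasks list these are appended to starts outside the hunk). Nothing in the play pins the borg repository's host key either, so the first non-interactive backup run will stall on the host-key prompt or push someone towards `StrictHostKeyChecking=no`; a `known_hosts` task fed from a new `borg_repo_host`/`borg_repo_host_key` pair (to be added to group_vars and the README) closes that. As far as the visible hunks show, no task enables a timer or cron entry, so unless the distro package schedules borgmatic on its own these backups never run. Finally, the template task only validates via a handler after the file is already in place and only when the task reports a change, so a run that fails between the write and the handler leaves an unvalidated config that is never re-checked; passing `validate: validate-borgmatic-config --config %s` to the template task (if the installed borgmatic accepts `--config`) rejects a bad config before it replaces the working one.

```yaml
    - name: Ensure root's .ssh directory exists
      ansible.builtin.file:
        path: /root/.ssh
        state: directory
        owner: root
        group: root
        mode: "0700"
      become: true
    - name: Ensure the borg repository host key is pinned
      ansible.builtin.known_hosts:
        path: /root/.ssh/known_hosts
        name: "{{ borg_repo_host }}"
        key: "{{ borg_repo_host_key }}"
        state: present
      become: true
    # … unchanged: borgmatic private key and config tasks …
```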