fork https://github.com/mattsta/mailwebHEADmaster

3 files changed, 80 insertions, 0 deletions

diff --git a/ansible/roles/backup/meta/main.yml b/ansible/roles/backup/meta/main.yml
new file mode 100644
index 0000000..023023d
--- /dev/null
+++ b/ansible/roles/backup/meta/main.yml
@@ -0,0 +1,4 @@
+---
+dependencies:
+  # borgmatic is inside a pip3 package
+  - role: pip3
diff --git a/ansible/roles/backup/tasks/main.yml b/ansible/roles/backup/tasks/main.yml
new file mode 100644
index 0000000..fedc68b
--- /dev/null
+++ b/ansible/roles/backup/tasks/main.yml
@@ -0,0 +1,40 @@
+---
+- name: install borgbackup
+  apt:
+    pkg: borgbackup
+    state: latest
+
+- name: install borgmatic
+  pip:
+    name: borgmatic
+    state: latest
+
+- name: create backup config dir
+  file:
+    path: /etc/borgmatic.d
+    owner: "{{ backup.runAs }}"
+    mode: 0700
+    state: directory
+
+# Create backup config for entire server
+# Ideally we only have one type of data to backup per server and the rest
+# can be re-constructed as necessary through auto-deploy processes
+- name: populate borgmatic config with details for hosts
+  template:
+    src: borgmatic.yml.j2
+    dest: /etc/borgmatic.d/system.backup.yml
+    owner: "{{ backup.runAs }}"
+    mode: 0600
+
+# Note: right now we aren't populating an 'excludes' file
+# If we need 'excludes' in the future, append '--excludes [excludesDirsFile]'
+# ALSO NOTE: your backup.runAs user MUST MANUALLY ACCEPT THE BACKUP HOST SSH KEY
+# Backup will stall if unattended ssh sees new host fingerprint needing approval
+- name: install backup crontab
+  cron:
+    name: "Backup Offsite"
+    minute: 32
+    hour: 3
+    job: "borgmatic --verbosity 1 -c /etc/borgmatic.d/system.backup.yml"
+    user: "{{ backup.runAs }}"
+    cron_file: backup_offsite
diff --git a/ansible/roles/backup/templates/borgmatic.yml.j2 b/ansible/roles/backup/templates/borgmatic.yml.j2
new file mode 100644
index 0000000..864c8a6
--- /dev/null
+++ b/ansible/roles/backup/templates/borgmatic.yml.j2
@@ -0,0 +1,36 @@
+location:
+    # List of source directories to backup. Globs are expanded.
+    source_directories:
+{% for dir in backup.dirs %}
+        - {{ dir }}
+{% endfor %}
+
+    # Paths to local or remote repositories.
+    repositories:
+        - {{ backup.host }}:{{ inventory_hostname }}
+
+    one_file_system: True
+    remote_path: borg1
+
+    # Any paths matching these patterns are excluded from backups.
+    exclude_patterns:
+        - /home/*/.cache
+
+storage:
+    encryption_passphrase: {{ backup.phrase }}
+    compression: lz4
+
+retention:
+    # Retention policy for how many backups to keep in each category.
+    keep_within: 3H
+    keep_daily: 7
+    keep_weekly: 2
+    keep_monthly: 3
+
+consistency:
+    # List of consistency checks to run: "repository", "archives", or both.
+    checks:
+        - repository
+        - archives
+
+    check_last: 1