3 files changed, 80 insertions, 0 deletions
diff --git a/ansible/roles/backup/meta/main.yml b/ansible/roles/backup/meta/main.yml
new file mode 100644
index 0000000..023023d
--- /dev/null
+++ b/ansible/roles/backup/meta/main.yml
@@ -0,0 +1,4 @@
+---
+dependencies:
+  # borgmatic is inside a pip3 package
+  - role: pip3
diff --git a/ansible/roles/backup/tasks/main.yml b/ansible/roles/backup/tasks/main.yml
new file mode 100644
index 0000000..fedc68b
--- /dev/null
+++ b/ansible/roles/backup/tasks/main.yml
@@ -0,0 +1,40 @@
+---
+- name: install borgbackup
+  apt:
+    pkg: borgbackup
+    state: latest
+- name: install borgmatic
+  pip:
+    name: borgmatic
+    state: latest
+- name: create backup config dir
+  file:
+    path: /etc/borgmatic.d
+    owner: "{{ backup.runAs }}"
+    mode: 0700
+    state: directory
+# Create backup config for entire server
+# Ideally we only have one type of data to backup per server and the rest
+# can be re-constructed as necessary through auto-deploy processes
+- name: populate borgmatic config with details for hosts
+  template:
+    src: borgmatic.yml.j2
+    dest: /etc/borgmatic.d/system.backup.yml
+    owner: "{{ backup.runAs }}"
+    mode: 0600
+# Note: right now we aren't populating an 'excludes' file
+# If we need 'excludes' in the future, append '--excludes [excludesDirsFile]'
+# ALSO NOTE: your backup.runAs user MUST MANUALLY ACCEPT THE BACKUP HOST SSH KEY
+# Backup will stall if unattended ssh sees new host fingerprint needing approval
+- name: install backup crontab
+  cron:
+    name: "Backup Offsite"
+    minute: 32
+    hour: 3
+    job: "borgmatic --verbosity 1 -c /etc/borgmatic.d/system.backup.yml"
+    user: "{{ backup.runAs }}"
+    cron_file: backup_offsite
diff --git a/ansible/roles/backup/templates/borgmatic.yml.j2 b/ansible/roles/backup/templates/borgmatic.yml.j2
new file mode 100644
index 0000000..864c8a6
--- /dev/null
+++ b/ansible/roles/backup/templates/borgmatic.yml.j2
@@ -0,0 +1,36 @@
+location:
+    # List of source directories to backup. Globs are expanded.
+    source_directories:
+{% for dir in backup.dirs %}
+        - {{ dir }}
+{% endfor %}
+    # Paths to local or remote repositories.
+    repositories:
+        - {{ backup.host }}:{{ inventory_hostname }}
+    one_file_system: True
+    remote_path: borg1
+    # Any paths matching these patterns are excluded from backups.
+    exclude_patterns:
+        - /home/*/.cache
+storage:
+    encryption_passphrase: {{ backup.phrase }}
+    compression: lz4
+retention:
+    # Retention policy for how many backups to keep in each category.
+    keep_within: 3H
+    keep_daily: 7
+    keep_weekly: 2
+    keep_monthly: 3
+consistency:
+    # List of consistency checks to run: "repository", "archives", or both.
+    checks:
+        - repository
+        - archives
+    check_last: 1

diff --git a/ansible/roles/backup/meta/main.yml b/ansible/roles/backup/meta/main.yml new file mode 100644 index 0000000..023023d --- /dev/null +++ b/ansible/roles/backup/meta/main.yml
@@ -0,0 +1,4 @@
	1	---
	2	dependencies:
	3	# borgmatic is inside a pip3 package
	4	- role: pip3


diff --git a/ansible/roles/backup/tasks/main.yml b/ansible/roles/backup/tasks/main.yml new file mode 100644 index 0000000..fedc68b --- /dev/null +++ b/ansible/roles/backup/tasks/main.yml
@@ -0,0 +1,40 @@
	1	---
	2	- name: install borgbackup
	3	apt:
	4	pkg: borgbackup
	5	state: latest
	6
	7	- name: install borgmatic
	8	pip:
	9	name: borgmatic
	10	state: latest
	11
	12	- name: create backup config dir
	13	file:
	14	path: /etc/borgmatic.d
	15	owner: "{{ backup.runAs }}"
	16	mode: 0700
	17	state: directory
	18
	19	# Create backup config for entire server
	20	# Ideally we only have one type of data to backup per server and the rest
	21	# can be re-constructed as necessary through auto-deploy processes
	22	- name: populate borgmatic config with details for hosts
	23	template:
	24	src: borgmatic.yml.j2
	25	dest: /etc/borgmatic.d/system.backup.yml
	26	owner: "{{ backup.runAs }}"
	27	mode: 0600
	28
	29	# Note: right now we aren't populating an 'excludes' file
	30	# If we need 'excludes' in the future, append '--excludes [excludesDirsFile]'
	31	# ALSO NOTE: your backup.runAs user MUST MANUALLY ACCEPT THE BACKUP HOST SSH KEY
	32	# Backup will stall if unattended ssh sees new host fingerprint needing approval
	33	- name: install backup crontab
	34	cron:
	35	name: "Backup Offsite"
	36	minute: 32
	37	hour: 3
	38	job: "borgmatic --verbosity 1 -c /etc/borgmatic.d/system.backup.yml"
	39	user: "{{ backup.runAs }}"
	40	cron_file: backup_offsite


diff --git a/ansible/roles/backup/templates/borgmatic.yml.j2 b/ansible/roles/backup/templates/borgmatic.yml.j2 new file mode 100644 index 0000000..864c8a6 --- /dev/null +++ b/ansible/roles/backup/templates/borgmatic.yml.j2
@@ -0,0 +1,36 @@
	1	location:
	2	# List of source directories to backup. Globs are expanded.
	3	source_directories:
	4	{% for dir in backup.dirs %}
	5	- {{ dir }}
	6	{% endfor %}
	7
	8	# Paths to local or remote repositories.
	9	repositories:
	10	- {{ backup.host }}:{{ inventory_hostname }}
	11
	12	one_file_system: True
	13	remote_path: borg1
	14
	15	# Any paths matching these patterns are excluded from backups.
	16	exclude_patterns:
	17	- /home/*/.cache
	18
	19	storage:
	20	encryption_passphrase: {{ backup.phrase }}
	21	compression: lz4
	22
	23	retention:
	24	# Retention policy for how many backups to keep in each category.
	25	keep_within: 3H
	26	keep_daily: 7
	27	keep_weekly: 2
	28	keep_monthly: 3
	29
	30	consistency:
	31	# List of consistency checks to run: "repository", "archives", or both.
	32	checks:
	33	- repository
	34	- archives
	35
	36	check_last: 1