initial version: hadoly's

README.md

@@ -0,0 +1,59 @@
+Role Name
+=========
+
+Install borg software + config file + cronjob
+
+Todo
+----
+
+<del>le script borg.sh devrait être dans un répo à part et ce playbook devrait récupérer une version précise.</del>
+
+chaque serveur devrait avoir sa propre clé de chiffrement.
+
+
+Role Variables
+--------------
+
+Defaults set in defaults/main.yml
+
+borg_dirs - list of directories to backup - default to /root and /etc
+borg_release - default to 1.1.4
+borg_key - encryption key - définie dans group_vars/all
+borg_server - default to vm2
+borg_account - default to backup
+borg_remote_dir - remote base directory for repos - default to /var/backups/borg
+borg_passphrase - no default, should be set on a per host basis
+borg_rotate - num of days of backup we keep - default 15
+borg_script_dir - defaults to /root/bin/borg/
+
+Some variables should be set on a per host basis ( key, dir, ...)
+Dependencies
+------------
+
+None
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+---
+- hosts: leodagan.hadoly.fr
+  become: true
+  remote_user: thomas
+  roles:
+  - borg_client
+
+ansible-playbook -K test_borg.yml  --vault-id=~/.ansible_hadoly.secret
+
+ansible_hadoly.secret contient la clé de chiffrement 
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).

defaults/main.yml

@@ -0,0 +1,9 @@
+---
+# defaults file for borg_client
+borg_release: 1.1.4
+borg_dirs: "/etc /root"
+borg_server: vm2.hadoly.fr
+borg_remote_dir: /var/backups/borg
+borg_account: backup
+borg_rotate: 15
+borg_script_dir: /root/bin

files/borg.sh

@@ -0,0 +1,55 @@
+#! /bin/bash
+
+# wrapper around borgbackup
+# need a borg.conf file - see example file
+# need passwordless ssh access if using remote repo
+conf=$(dirname $0)/borg.conf
+if [ ! -f $conf ] ; then
+   echo config file not found
+   exit 5
+fi
+
+source $conf
+
+TODAY=$(date "+%Y%m%d")
+
+case $1 in
+   ("list")
+      if [ ! -z $2 ] ; then
+         ${borg} list $options ${REPOSITORY}::${2}
+      ret=$?
+      else
+         ${borg} list $options $REPOSITORY
+      ret=$?
+      fi
+      ;;
+   ("check")
+         shift
+# if arg: check archive, if not: check whole repo
+         if [ $# -eq 1 ] ; then
+            target=${REPOSITORY}::${1}
+         else
+            target=${REPOSITORY}
+         fi
+      ${borg} check -v ${target}
+      ret=$?
+      ;;
+   (info)
+      yesterday=$(date -d "yesterday 13:00 " '+%Y%m%d')
+      yesterday_archive=${REPOSITORY}::$(hostname)_${yesterday}
+      $borg check -v $yesterday_archive
+      ret=$?
+      ;;
+   ("extract")
+      ${borg} extract ${REPOSITORY}::${2} ${3}
+      ret=$?
+      ;;
+   (*)
+      ${borg} create $options --compression lzma,5 $REPOSITORY::$(hostname)_${TODAY} ${src}
+      ret=$?
+      if [ $ret -eq 0 ] ; then
+         ${borg} prune $options $REPOSITORY --prefix $(hostname)_ --keep-daily=${rotate}
+      fi
+      ;;
+esac
+exit $ret

handlers/main.yml

@@ -0,0 +1,2 @@
+---
+# handlers file for borg_client

meta/main.yml

@@ -0,0 +1,53 @@
+galaxy_info:
+  author: your name
+  description: your role description
+  company: your company (optional)
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+
+  min_ansible_version: 2.9
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.
+  

tasks/cleanup.yml

@@ -0,0 +1,6 @@
+---
+- name: remove old cron entry
+  lineinfile:
+    path: /etc/crontab
+    regexp: '.*/root/bin/borg.sh.*'
+    state: absent

tasks/cron.yml

@@ -0,0 +1,32 @@
+- name: Deploy cronjob backup_temoin
+  vars:
+    minutes: "{{ 59 | random(seed=inventory_hostname) }}"
+  cron:
+    name: backup_temoin
+    cron_file: backup_temoin
+    user: root
+    hour: "7"
+    minute: "{{ minutes }}"
+    job: "/bin/touch /root/temoinbackup"
+
+- name: Deploy cronjob backup_extract
+  vars:
+    minutes: "{{ 59 | random(seed=inventory_hostname) }}"
+  cron:
+    name: backup_extract
+    cron_file: backup_extract
+    user: root
+    hour: "8"
+    minute: "{{ minutes }}"
+    job: 'cd /tmp/ ; {{ borg_script_dir }}/borg.sh extract {{ ansible_hostname }}_$( date +\%Y\%m\%d) root/temoinbackup ; chmod 755 /tmp/root'
+
+- name: Deploy cronjob backup_tout_court
+  vars:
+    minutes: "{{ 59 | random(seed=inventory_hostname) }}"
+  cron:
+    name: backup
+    cron_file: backup
+    user: root
+    hour: "2"
+    minute: "{{ minutes }}"
+    job: "{{ borg_script_dir }}/borg.sh"

tasks/install.yml

@@ -0,0 +1,28 @@
+---
+- name: get borg binary
+  get_url:
+    dest: /usr/bin/borg
+    owner: root
+    group: backup
+    mode: "0750"
+    url: https://github.com/borgbackup/borg/releases/download/{{ borg_release }}/borg-linux64
+
+- name: ensure /root/bin exists
+  file:
+    path: "{{ borg_script_dir }}"
+    state: directory
+
+- name: get borgbackup script
+  tags: wip
+  get_url:
+    url: "{{ item.url }}"
+    mode: "{{ item.mode }}"
+    dest: "{{ borg_script_dir }}"
+  loop:
+  - { url: "https://git.hadoly.fr/CS_CT/borg/raw/tag/1.0/borg.sh", mode: "0700" }
+
+- name: get borgbackup config
+  template:
+    src: borg.conf.jj
+    dest: "{{ borg_script_dir }}/borg.conf"
+    mode: 0600

tasks/main.yml

@@ -0,0 +1,6 @@
+---
+# tasks file for borg_client
+- include_tasks: cleanup.yml
+- include_tasks: install.yml
+- include_tasks: cron.yml
+- include_tasks: repo.yml

tasks/repo.yml

@@ -0,0 +1,39 @@
+---
+# Here we mostly work on {{ borg_server }} to:
+# * create repository
+# * configure authorized key for backup user
+- name: create root ssh private key
+  openssh_keypair:
+    comment: "passwordless access to vm2, as backup user"
+    path: /root/.ssh/id_rsa
+    owner: root
+    group: root
+
+- name: create repo
+  file:
+    path: "/var/backups/borg/{{ ansible_hostname }}"
+    state: directory
+    owner: backup
+    group: backup
+  delegate_to: "{{ borg_server }}"
+
+- name: get public key
+  command: "cat /root/.ssh/id_rsa.pub"
+  register: pubkey
+
+- name: set pubkey as variable
+  set_fact:
+    public_key: "{{ pubkey.stdout }}"
+
+# can't use authorized_key module here
+- name: install ssh key
+  lineinfile:
+    path: /var/backups/.ssh/authorized_keys
+    line: 'command="borg serve --restrict-to-path /var/backups/borg/" {{ public_key }} from {{ ansible_hostname }}'
+    create: true
+    owner: backup
+    group: backup
+    mode: 0600
+  delegate_to: "{{ borg_server }}"
+
+

templates/borg.conf.jj

@@ -0,0 +1,5 @@
+REPOSITORY={{ borg_account }}@{{ borg_server }}:{{ borg_remote_dir }}/{{ ansible_hostname }}
+export BORG_PASSPHRASE={{ borg_passphrase }}
+borg=/usr/bin/borg
+rotate={{ borg_rotate }}
+src="{{ borg_dirs }}"

tests/inventory

@@ -0,0 +1,2 @@
+localhost
+

tests/test.yml

@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - borg_client

vars/main.yml

@@ -0,0 +1,2 @@
+---
+# vars file for borg_client