various fix

switch from cron to systemd
bypass hadoly anubis protection

README.md

@@ -16,12 +16,10 @@ Role Variables
 
 Defaults set in defaults/main.yml
 
-borg_dirs - list of directories to backup - default to /root and /etc
+borg_dirs - list of directories to backup - default to "{{ burp_folders }}"
-borg_release - default to 1.1.4
+borg_server - default to maison.opendoor.fr
-borg_key - encryption key - définie dans group_vars/all
+borg_account - default to backup_borg
-borg_server - default to vm2
+borg_remote_dir - remote base directory for repos - default to /media/Backups/
-borg_account - default to backup
-borg_remote_dir - remote base directory for repos - default to /var/backups/borg
 borg_passphrase - no default, should be set on a per host basis
 borg_rotate - num of days of backup we keep - default 15
 borg_script_dir - defaults to /root/bin/borg/

defaults/main.yml

@@ -1,9 +1,8 @@
 ---
 # defaults file for borg_client
-borg_release: 1.1.4
+borg_dirs: "{{ burp_folders }}"
-borg_dirs: "/etc /root"
+borg_remote_dir: /media/Backups/
-borg_server: vm2.hadoly.fr
+borg_account: backup_borg
-borg_remote_dir: /var/backups/borg
+borg_server: maison.opendoor.fr
-borg_account: backup
 borg_rotate: 15
 borg_script_dir: /root/bin

handlers/main.yml

@@ -1,2 +1,5 @@
 ---
-# handlers file for borg_client
+# handlers file for borg_client
+- name: reload systemd
+  ansible.builtin.systemd_service:
+    daemon_reload: true

meta/main.yml

@@ -47,7 +47,8 @@ galaxy_info:
     # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
     #       Maximum 20 tags per role.
 
-dependencies: []
+dependencies:
+  - { role: tco.changelog, myrole_name: ansible_borg_client }
   # List your role dependencies here, one per line. Be sure to remove the '[]' above,
   # if you add dependencies to this list.
   

tasks/cleanup.yml

@@ -1,6 +0,0 @@
----
-- name: remove old cron entry
-  lineinfile:
-    path: /etc/crontab
-    regexp: '.*/root/bin/borg.sh.*'
-    state: absent

tasks/cron.yml

@@ -1,32 +1,21 @@
-- name: Deploy cronjob backup_temoin
+- name: remove old cronfile
-  vars:
+  ansible.builtin.file:
-    minutes: "{{ 59 | random(seed=inventory_hostname) }}"
+    path: /etc/cron.d/backup
-  cron:
+    state: absent
-    name: backup_temoin
-    cron_file: backup_temoin
-    user: root
-    hour: "7"
-    minute: "{{ minutes }}"
-    job: "/bin/touch /root/temoinbackup"
 
-- name: Deploy cronjob backup_extract
+- name: Deploy systemd service and timer unit files
-  vars:
+  ansible.builtin.template:
-    minutes: "{{ 59 | random(seed=inventory_hostname) }}"
+    src: "{{ item }}"
-  cron:
+    dest: /etc/systemd/system/
-    name: backup_extract
+  notify: reload systemd
-    cron_file: backup_extract
+  loop:
-    user: root
+  - borg_backup.service
-    hour: "8"
+  - borg_backup.timer
-    minute: "{{ minutes }}"
-    job: 'cd /tmp/ ; {{ borg_script_dir }}/borg.sh extract {{ ansible_hostname }}_$( date +\%Y\%m\%d) root/temoinbackup ; chmod 755 /tmp/root'
 
-- name: Deploy cronjob backup_tout_court
+- ansible.builtin.meta: flush_handlers
-  vars:
+
-    minutes: "{{ 59 | random(seed=inventory_hostname) }}"
+- name: enable and start timer
-  cron:
+  ansible.builtin.systemd:
-    name: backup
+    name: borg_backup.timer
-    cron_file: backup
+    state: started
-    user: root
+    enabled: true
-    hour: "2"
-    minute: "{{ minutes }}"
-    job: "{{ borg_script_dir }}/borg.sh"

tasks/install.yml

@@ -1,28 +1,47 @@
 ---
+- name: configure ssh
+  block:
+  - name: .ssh dir
+    ansible.builtin.file:
+      path: /root/.ssh
+      mode: 0700
+      state: directory
+  - name: .ssh/config 
+    ansible.builtin.copy:
+      dest: /root/.ssh/config
+      content: |
+        Host *
+          Port 2222
+
 - name: get borg binary
-  get_url:
+  ansible.builtin.package:
-    dest: /usr/bin/borg
+    name: borgbackup
-    owner: root
+    state: present
-    group: backup
-    mode: "0750"
-    url: https://github.com/borgbackup/borg/releases/download/{{ borg_release }}/borg-linux64
 
 - name: ensure /root/bin exists
-  file:
+  ansible.builtin.file:
     path: "{{ borg_script_dir }}"
     state: directory
 
 - name: get borgbackup script
-  tags: wip
+  delegate_to: localhost
-  get_url:
+  become: false
-    url: "{{ item.url }}"
+  ansible.builtin.git:
-    mode: "{{ item.mode }}"
+    repo: "ssh://git@git-ssh.hadoly.fr:6900/CS_CT/borg.git"
+    dest: "/home/tom/tmp/borg"
+
+- name: copy script
+  ansible.builtin.copy:
+    src: /home/tom/tmp/borg/borg.sh
     dest: "{{ borg_script_dir }}"
-  loop:
+    mode: 0700
-  - { url: "https://git.hadoly.fr/CS_CT/borg/raw/tag/1.0/borg.sh", mode: "0700" }
+    owner: root
+    group: root
 
 - name: get borgbackup config
-  template:
+  vars:
+    borg_dirs_serialized: "{{ borg_dirs | join( ' ' ) }}"
+  ansible.builtin.template:
     src: borg.conf.jj
     dest: "{{ borg_script_dir }}/borg.conf"
     mode: 0600

tasks/main.yml

@@ -1,6 +1,5 @@
 ---
 # tasks file for borg_client
-- include_tasks: cleanup.yml
 - include_tasks: install.yml
 - include_tasks: cron.yml
 - include_tasks: repo.yml

tasks/repo.yml

@@ -4,17 +4,17 @@
 # * configure authorized key for backup user
 - name: create root ssh private key
   openssh_keypair:
-    comment: "passwordless access to vm2, as backup user"
+    comment: "passwordless access to {{ borg_server }}, as backup user"
     path: /root/.ssh/id_rsa
     owner: root
     group: root
 
-- name: create repo
+- name: create repo directory
   file:
-    path: "/var/backups/borg/{{ ansible_hostname }}"
+    path: "{{ borg_remote_dir }}{{ inventory_hostname }}"
     state: directory
-    owner: backup
+    owner: "{{ borg_account }}"
-    group: backup
+    group:  "backup"
   delegate_to: "{{ borg_server }}"
 
 - name: get public key
@@ -28,12 +28,23 @@
 # can't use authorized_key module here
 - name: install ssh key
   lineinfile:
-    path: /var/backups/.ssh/authorized_keys
+    path: "{{ borg_remote_dir }}/.ssh/authorized_keys"
-    line: 'command="borg serve --restrict-to-path /var/backups/borg/" {{ public_key }} from {{ ansible_hostname }}'
+    line: 'command="borg serve --restrict-to-path {{ borg_remote_dir }}" {{ public_key }} from {{ inventory_hostname }}'
     create: true
-    owner: backup
+    owner: "{{ borg_account }}"
-    group: backup
+    group: "backup"
     mode: 0600
   delegate_to: "{{ borg_server }}"
 
+- name: check if repository is created
+  delegate_to: "{{ borg_server }}"
+  ansible.builtin.stat:
+    path: "{{ borg_remote_dir }}{{ inventory_hostname }}/config"
+  register: repo_content
+
+- name: create repository
+  when: repo_content.stat.exists == false
+  ansible.builtin.command: "/usr/bin/borg init --encryption=keyfile {{ borg_account }}@{{ borg_server }}:{{ borg_remote_dir }}{{ inventory_hostname }}"
+  environment:
+    BORG_PASSPHRASE: "{{ borg_passphrase }}"
 

templates/borg.conf.jj

@@ -1,5 +1,6 @@
-REPOSITORY={{ borg_account }}@{{ borg_server }}:{{ borg_remote_dir }}/{{ ansible_hostname }}
+REPOSITORY={{ borg_account }}@{{ borg_server }}:{{ borg_remote_dir }}/{{ inventory_hostname }}
 export BORG_PASSPHRASE={{ borg_passphrase }}
 borg=/usr/bin/borg
 rotate={{ borg_rotate }}
-src="{{ borg_dirs }}"
+src="{{ borg_dirs_serialized }}"
+status_file=/run/zabbix/{{ inventory_hostname}}_borg.status

templates/borg_backup.service

@@ -0,0 +1,9 @@
+# {{ansible_managed}}
+# this file was created from the role: {{ ansible_role_name }}
+[Unit]
+Description = do a borg backup
+
+[Service]
+Type = oneshot
+ExecStart = {{ borg_script_dir }}/borg.sh create
+User = root

templates/borg_backup.timer

@@ -0,0 +1,8 @@
+# {{ansible_managed}}
+# this file was created from the role: {{ ansible_role_name }}
+[Unit]
+Description= daily borg backup
+[Timer]
+OnCalendar=*-*-* 22:{{ 59|random( seed=inventory_hostname ) }}:0
+[Install]
+WantedBy=multi-user.target