
Commit 16ec3b5c authored by Karl Grube's avatar Karl Grube

encryption support for borg

parent 7afef2ca
---
backup_storage_quota: '4000G'
backup_storage_quota: '20G'
backup_servers: "{{groups.backup_server}}"
backup_clientname: "srv_{{inventory_hostname}}"
backup_encryption: 'none'
backup_keep_daily: 14
backup_keep_weekly: 4
backup_keep_monthly: 12
......
......@@ -22,12 +22,19 @@
marker: "#{mark} ANSIBLE MANAGED SERVICE BACKUP FOR {{service_name}}"
block: |
{% for backup_server in backup_servers %}
{% if backup_encryption != 'none' %}
{% if backup_server.encryption != 'none' %}
export BORG_PASSCOMMAND="cat /root/.borg_password"
{% endif %}
borg create backup@{{backup_server}}:{{service_name}}::$(date -I) {{backup_path}}
borg create backup@{{backup_server.name}}:{{service_name}}::$(date -I) {{backup_path}}
{% endfor %}
when: backup_path is defined
- name: prune backups
cron:
name: "prune backups"
minute: '10'
hour: '2'
job: '/usr/local/bin/prune_backups'
when: backup_prune == True
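Review bot: The cron entry ending in `job: '/usr/local/bin/prune_backups'` is installed whenever `backup_prune` is true, but the script it calls is only written by the `borg pruning script (encrypted)` task elsewhere in this commit, which itself runs only when encryption is enabled; an unencrypted host with `backup_prune` set would get a nightly cron job pointing at a file that does not exist. Gating both on the same condition keeps them in step, e.g. `when:` followed by `- backup_prune | bool` and `- backup_encryption != 'none'` (`| bool` is also the idiomatic replacement for `== True`). The blockinfile task whose `marker:` and `block:` this hunk edits starts before the hunk.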
---
- name: python3-pip
package:
name: python3-pip
- name: expect
pip:
name: pexpect
- name: random_password generation
set_fact:
borg_random_passwd: "{{ pwgen(128) }}"
- name: borg password file
copy:
path: '/root/.borg_password'
mode: '400'
owner: root
group: root
content: "{{ borg_random_passwd }}"
force: no
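Review bot: `path: '/root/.borg_password'` under `copy:` is not a parameter the copy module accepts, so this task fails at runtime if this is the version that ships; the same task in the later hunk uses `dest: '/root/.borg_password'`, which is the correct key. `pwgen(128)` also differs from the `128|pwgen` filter form used in that other copy of the task, and only one spelling can match the actual plugin, so the two should be reconciled. While touching the task, `mode: '0400'` and `force: false` are the conventional forms of `mode: '400'` and `force: no`. This section shows no hunk header, so it is presumably a whole new file.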
......@@ -29,3 +29,46 @@
- name: set backupkey variable
set_fact:
backup_key: "{{backupkey_slurp['content'] |b64decode }}"
#- name: python3-pip
# package:
# name: python3-pip
#
#- name: expect
# pip:
# name: pexpect
- name: random_password generation
set_fact:
borg_random_passwd: "{{ 128|pwgen }}"
- name: borg password file
copy:
dest: '/root/.borg_password'
mode: '400'
owner: root
group: root
content: "{{ borg_random_passwd }}"
force: no
- name: borg pruning script (encrypted)
blockinfile:
create: yes
owner: root
mode: 0700
path: /usr/local/bin/prune_backups
marker: "#{mark} ANSIBLE MANAGED SERVICE Pruning FOR {{service_name}}"
block: |
export BORG_PASSCOMMAND="cat /root/.borg_password"
{% for backup_server in backup_servers %}
{% if backup_server.encryption != 'none' %}
borg prune backup@{{backup_server.name}}:{{service_name}} --keep-daily {{backup_keep_daily}} --keep-weekly {{backup_keep_weekly}} --keep-monthly {{backup_keep_monthly}} --keep-yearly {{backup_keep_yearly}}
{% endif %}
{% endfor %}
- name: fetch password file
fetch:
src: /root/.borg_password
dest: "extra_vars/borg/{{inventory_hostname}}/"
flat: yes
tags: fetch
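Review bot: The `fetch password file` task copies the plaintext borg passphrase into `extra_vars/borg/{{inventory_hostname}}/` on the control node, i.e. into the playbook tree, and nothing in the commit shows that path being excluded from version control or vault-encrypted; anyone with a copy of the repository would then hold the key material for every host's backups, so exclude the directory or encrypt the fetched file. `mode: 0700` in the `borg pruning script (encrypted)` task is an unquoted octal literal and should be `mode: '0700'`, since a YAML 1.2 parser reads `0700` as decimal 700. The `borg prune` line in that script targets repositories this commit also marks append-only on the server, where, if I read borg's append-only semantics correctly, prune cannot physically free space until an administrator compacts with append-only lifted; a one-line comment above `block: |` saying so would save the next maintainer a surprise.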
......@@ -3,11 +3,11 @@
- import_tasks: local.yml
- import_tasks: encrypted.yml
when: backup_encryption != 'none'
- include_tasks: remote.yml
with_items: "{{backup_servers}}"
loop_control:
loop_var: backup_server
tags: fetch,remote
- import_tasks: backup.yml
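Review bot: `when: backup_encryption != 'none'` still gates `encrypted.yml` on the role-wide flag, while backup.yml and remote.yml in this commit decide per server via `backup_server.encryption`; a server entry with encryption enabled on a host whose global `backup_encryption` stays `'none'` would reach `borg init ... -e` with no `/root/.borg_password` present. Deriving the gate from the server list, e.g. `when: backup_servers | map(attribute='encryption') | reject('equalto', 'none') | list | length > 0`, removes the second source of truth. The `include_tasks: remote.yml` loop now requires each `backup_server` item to be a mapping with `name` and `encryption` keys, yet the defaults in this commit still set `backup_servers: "{{groups.backup_server}}"`, a list of plain hostnames on which `backup_server.name` is undefined and the play would error; the default (or a documented override) should produce the new shape.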
......@@ -2,31 +2,31 @@
- name: print current backup_server
debug:
msg: "{{backup_server}}"
msg: "{{backup_server.name}}"
- name: check for backup directory
stat:
path: "/home/backup/repos/{{backup_clientname}}/{{service_name}}"
register: remote_backup_directory
delegate_to: "{{backup_server}}"
delegate_to: "{{backup_server.name}}"
- name: slurp host_key from {{backup_server}}
- name: slurp host_key from {{backup_server.name}}
slurp:
path: /etc/ssh/ssh_host_ed25519_key.pub
register: remote_backup_key
delegate_to: "{{backup_server}}"
delegate_to: "{{backup_server.name}}"
- name: add backup server to known_hosts file
known_hosts:
key: "{{backup_server}} {{remote_backup_key['content'] |b64decode }}"
name: "{{backup_server}}"
key: "{{backup_server.name}} {{remote_backup_key['content'] |b64decode }}"
name: "{{backup_server.name}}"
- name: line in authorized_keys
lineinfile:
path: /home/backup/.ssh/authorized_keys
line: restrict,command="cd /home/backup/repos/{{backup_clientname}};borg serve --restrict-to-path /home/backup/repos/{{backup_clientname}} --append-only --storage-quota {{backup_storage_quota}}" {{backup_key}}
regex: ".*{{backup_clientname}}.*"
delegate_to: "{{backup_server}}"
delegate_to: "{{backup_server.name}}"
- name: new backup repository for this server
......@@ -37,28 +37,38 @@
state: directory
owner: backup
group: backup
delegate_to: "{{backup_server}}"
delegate_to: "{{backup_server.name}}"
- name: initialize backup without encryption
command: "borg init backup@{{backup_server}}:{{service_name}} -e {{backup_encryption}}"
when: backup_encryption == 'none'
command: "borg init backup@{{backup_server.name}}:{{service_name}} -e {{backup_server.encryption}}"
when: backup_server.encryption == 'none'
- name: initialize backup with encryption
expect:
command: "borg init backup@{{backup_server}}:{{service_name}} -e {{backup_encryption}}"
responses:
passphrase:
- "{{ borg_passwd }}"
- "{{ borg_passwd }}"
- "n"
- ""
when: backup_encryption != 'none'
shell: "export BORG_PASSCOMMAND='cat /root/.borg_password'; borg init backup@{{backup_server.name}}:{{service_name}} -e {{backup_server.encryption}}"
when: backup_server.encryption != 'none'
when: remote_backup_directory.stat.exists == False
- name: borg pruning
- name: borg pruning (unencrypted)
cron:
name: "prune {{backup_clientname}} {{service_name}}"
minute: '10'
hour: '1'
job: 'borg prune /home/backup/repos/{{backup_clientname}}/{{service_name}} --keep-daily {{backup_keep_daily}} --keep-monthly {{backup_keep_monthly}} --keep-yearly {{backup_keep_yearly}}'
user: backup
delegate_to: "{{backup_server}}"
when: backup_prune == True
delegate_to: "{{backup_server.name}}"
when:
- backup_prune == True
- backup_server.encryption == 'none'
- name: append only mode
lineinfile:
regex: "^append_only"
line: "append_only = 1"
path: "/home/backup/repos/{{backup_clientname}}/{{service_name}}/config"
insertafter: "^[repository]$"
delegate_to: "{{backup_server.name}}"
- name: fetch key file
fetch:
src: "/root/.config/borg/keys/{{backup_server.name|replace('.','_')}}__{{service_name}}"
dest: "extra_vars/borg/{{inventory_hostname}}/"
flat: yes
tags: fetch
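Review bot: `insertafter: "^[repository]$"` in the `append only mode` task is a regular expression, and the unescaped brackets make it a character class matching a one-letter line rather than the `[repository]` header, so the line is appended at end of file and only lands in the right section by luck. Escape it: `insertafter: '^\[repository\]$'`. In `initialize backup with encryption` the `export BORG_PASSCOMMAND=...;` prefix is the only reason for `shell:`; `command:` plus `environment: {BORG_PASSCOMMAND: 'cat /root/.borg_password'}` expresses the same intent without a shell. With `append_only = 1` in the repository config and `--append-only` in the authorized_keys command, the `borg pruning (unencrypted)` cron entry will, if I read borg's semantics correctly, not reclaim space until an admin compacts with append-only lifted, which deserves a comment on the task. The `new backup repository` task whose `state: directory` opens this hunk begins outside it.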