Add borgmatic

2025-03-31 03:15:14 +03:00
parent 0deed89c3f
commit 0db60e2d60
12 changed files with 344 additions and 0 deletions
--- a/roles/borgmatic/meta/argument_specs.yaml
+++ b/roles/borgmatic/meta/argument_specs.yaml
@@ -0,0 +1,22 @@
+---
+argument_specs:
+  main:
+    short_description: Borgmatic
+    description:
+      - Installs borgmatic
+    options:
+      borgmatic_targets:
+        description: List of backup targets
+        type: list
+        required: true
+        elements: dict
+        options:
+          host:
+            description: Target hostname
+            type: str
+            required: true
+          directories:
+            description: Directories on the host where backup repos will be created under
+            type: list
+            required: true
+            elements: str
--- a/roles/borgmatic/tasks/main.yaml
+++ b/roles/borgmatic/tasks/main.yaml
@@ -0,0 +1,55 @@
+---
+- name: Ensure host distribution is supported
+  ansible.builtin.import_role:
+    name: compatcheck
+  vars:
+    compatcheck_supported_distributions:
+      - name: debian
+        version_min: 11
+      - name: ubuntu
+        version_min: 22
+
+- name: Install borgmatic
+  ansible.builtin.apt:
+    name: borgmatic
+
+- name: Disable borgmatic global timer
+  ansible.builtin.systemd_service:
+    name: borgmatic.timer
+    state: stopped
+    enabled: false
+
+- name: Add systemd drop-in service for borgmatic
+  ansible.builtin.template:
+    src: borgmatic@.service.j2
+    dest: /etc/systemd/system/borgmatic@.service
+    mode: "0644"
+
+- name: Create borgmatic configurations directory
+  ansible.builtin.file:
+    path: /etc/borgmatic.d
+    state: directory
+    mode: "0755"
+
+- name: Generate ssh key for borg
+  community.crypto.openssh_keypair:
+    type: ed25519
+    path: "{{ ansible_user_dir }}/.ssh/id_ed25519_borg"
+    comment: "{{ ansible_user_id }}@{{ ansible_fqdn }} borg"
+  register: _borgmatic_key
+
+- name: Setup backup targets
+  ansible.builtin.include_tasks:
+    file: target.yaml
+    apply:
+      delegate_to: "{{ target.host }}"
+      become: false
+  loop: "{{ borgmatic_targets }}"
+  loop_control:
+    loop_var: target
+
+- name: Add borg target ssh host keys to known hosts
+  ansible.builtin.known_hosts:
+    name: "{{ item }}"
+    key: "{{ item }} ssh-ed25519 {{ hostvars[item].ansible_ssh_host_key_ed25519_public }}"
+  loop: "{{ borgmatic_targets | map(attribute='host') }}"
--- a/roles/borgmatic/tasks/target.yaml
+++ b/roles/borgmatic/tasks/target.yaml
@@ -0,0 +1,26 @@
+---
+- name: Gather facts
+  ansible.builtin.setup:
+  delegate_facts: true
+
+- name: Add ssh key to authorized_keys
+  ansible.posix.authorized_key:
+    user: "{{ hostvars[target.host].ansible_user_id }}"
+    key: >-
+      {{
+        _borgmatic_key.public_key + ' ' + _borgmatic_key.comment
+        if not (ansible_check_mode and _borgmatic_key.changed)
+        else 'ssh-ed25519 AAAA'
+      }}
+    key_options: >-
+      command="borg
+      serve{% for directory in target.directories %}
+      --restrict-to-path
+      {{ hostvars[target.host].ansible_user_dir }}/{{ directory }}/{{ ansible_fqdn }}{%- endfor -%}",restrict
+
+- name: Create backup directories
+  ansible.builtin.file:
+    path: "{{ hostvars[target.host].ansible_user_dir }}/{{ item }}/{{ ansible_fqdn }}"
+    state: directory
+    mode: "0700"
+  loop: "{{ target.directories }}"
--- a/roles/borgmatic/templates/borgmatic@.service.j2
+++ b/roles/borgmatic/templates/borgmatic@.service.j2
@@ -0,0 +1,63 @@
+# {{ ansible_managed }}
+
+[Unit]
+Description=borgmatic backup %i
+Wants=network-online.target
+After=network-online.target
+Documentation=https://torsion.org/borgmatic/
+
+[Service]
+Type=oneshot
+RuntimeDirectory=borgmatic
+StateDirectory=borgmatic
+
+# Security settings for systemd running as root, optional but recommended to improve security. You
+# can disable individual settings if they cause problems for your use case. For more details, see
+# the systemd manual: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+LockPersonality=true
+# Certain borgmatic features like Healthchecks integration need MemoryDenyWriteExecute to be off.
+# But you can try setting it to "yes" for improved security if you don't use those features.
+MemoryDenyWriteExecute=no
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+# To restrict write access further, change "ProtectSystem" to "strict" and
+# uncomment "ReadWritePaths", "TemporaryFileSystem", "BindPaths" and
+# "BindReadOnlyPaths". Then add any local repository paths to the list of
+# "ReadWritePaths". This leaves most of the filesystem read-only to borgmatic.
+ProtectSystem=full
+# ReadWritePaths=-/mnt/my_backup_drive
+# This will mount a tmpfs on top of /root and pass through needed paths
+# TemporaryFileSystem=/root:ro
+# BindPaths=-/root/.cache/borg -/root/.config/borg -/root/.borgmatic
+# BindReadOnlyPaths=-/root/.ssh
+
+# May interfere with running external programs within borgmatic hooks.
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
+
+# Lower CPU and I/O priority.
+Nice=19
+CPUSchedulingPolicy=batch
+IOSchedulingClass=best-effort
+IOSchedulingPriority=7
+IOWeight=100
+
+Restart=no
+# Prevent rate limiting of borgmatic log events. If you are using an older version of systemd that
+# doesn't support this (pre-240 or so), you may have to remove this option.
+LogRateLimitIntervalSec=0
+
+ExecStart=systemd-inhibit --who="borgmatic" --what="sleep:shutdown" --why="Prevent interrupting scheduled backup" /usr/bin/borgmatic -c "/etc/borgmatic.d/%I.yaml" --verbosity -2 --syslog-verbosity 1