From 1f1f6eeaebc148602085515350eb12829f86c315 Mon Sep 17 00:00:00 2001
From: Colin Wilk
Date: Mon, 22 May 2023 20:17:27 +0200
Subject: init
Signed-off-by: Colin Wilk
---
tasks/client_setup.yml | 120 +++++++++++++++++++++++++++++++++++++++++++++++++
tasks/installation.yml | 21 +++++++++
tasks/main.yml | 9 ++++
tasks/server_setup.yml | 22 +++++++++
4 files changed, 172 insertions(+)
create mode 100644 tasks/client_setup.yml
create mode 100644 tasks/installation.yml
create mode 100644 tasks/main.yml
create mode 100644 tasks/server_setup.yml
(limited to 'tasks')
diff --git a/tasks/client_setup.yml b/tasks/client_setup.yml
new file mode 100644
index 0000000..fee0b6b
--- /dev/null
+++ b/tasks/client_setup.yml
@@ -0,0 +1,120 @@
+---
+- name: Create SSH Directory
+ ansible.builtin.file:
+ path: /root/.ssh
+ owner: root
+ group: root
+ mode: '0640'
+ state: directory
+ become: true
+
+- name: Add borg server to known_hosts
+ ansible.builtin.known_hosts:
+ name: "{{ borg_server_host_url }}"
+ key: "{{ borg_server_host_url }} {{ borg_server_host_ssh_key }}"
+ path: /root/.ssh/known_hosts
+ state: present
+ become: true
+
+- name: Generate SSH keys
+ community.crypto.openssh_keypair:
+ path: /root/.ssh/id_rsa
+ owner: root
+ group: root
+ mode: '0600'
+ comment: "root@{{ inventory_hostname }}"
+ become: true
+ register: ssh_key
+
+- name: Deploy Keys to Borg server
+ ansible.builtin.lineinfile:
+ path: "{{ borg_server_user_home }}/.ssh/authorized_keys"
+ line: >
+ restrict,command="borg serve
+ {{ "--append-only" if borg_mode_append_only }}
+ --restrict-to-repository {{ borg_repo_name }}"
+ {{ ssh_key.public_key }} root@{{ inventory_hostname }}
+ search_string: "{{ ssh_key.public_key }}"
+ state: present
+ become: true
+ delegate_to: "{{ borg_server_host }}"
+
+- name: Initialise Borg repository
+ ansible.builtin.command: >
+ borg init --encryption=repokey
+ borg@{{ borg_server_host_url }}:{{ borg_server_user_home }}/{{ borg_repo_name }}
+ environment:
+ BORG_PASSPHRASE: "{{ borg_passphrase }}"
+ become: true
+ register: init_borg_output
+ changed_when: init_borg_output.rc != 2
+ failed_when: >
+ init_borg_output.rc != 2 and
+ init_borg_output.rc != 0
+
+- name: Make sure key file exists
+ ansible.builtin.file:
+ path: "{{ borg_decryption_keys_yaml_path }}"
+ state: touch
+ mode: '0600'
+ access_time: preserve
+ modification_time: preserve
+ delegate_to: localhost
+ become: false
+
+- name: Read Vars file
+ ansible.builtin.include_vars:
+ file: "{{ borg_decryption_keys_yaml_path }}"
+ register: local
+
+- name: Add repository encryption keys to ansible repo
+ when: not inventory_hostname in local.ansible_facts
+ throttle: 1
+ block:
+ - name: If host new read encryption keys
+ ansible.builtin.command: >
+ borg key export --paper
+ borg@{{ borg_server_host_url }}:{{ borg_server_user_home }}/{{ borg_repo_name }}
+ become: true
+ register: borg_keys
+ changed_when: borg_keys.rc != 0
+
+ - name: If host new add encryption keys to vars
+ ansible.builtin.set_fact:
+ decryption_keys: "{{ local.ansible_facts | combine({inventory_hostname: borg_keys.stdout}) }}"
+
+- name: Update encryption vars
+ ansible.builtin.copy:
+ content: "{{ decryption_keys | to_nice_yaml(indent=2, width=2048) }}"
+ dest: "{{ borg_decryption_keys_yaml_path }}"
+ mode: '0600'
+ when: decryption_keys is defined
+ delegate_to: localhost
+ become: false
+
+- name: Set up env for cron job
+ ansible.builtin.cron:
+ name: BORG_PASSPHRASE
+ job: "{{ borg_passphrase }}"
+ state: "{{ 'present' if (borg_included_dirs | length > 0) else 'absent' }}"
+ env: true
+ user: root
+ become: true
+
+- name: Set up backup cron jobs
+ ansible.builtin.cron:
+ name: BORG (Application level backups)
+ job: >
+ borg create -C {{ borg_compression }}
+ borg@{{ borg_server_host_url }}:{{ borg_server_user_home }}/{{ borg_repo_name }}::{{ borg_backup_name_format }}
+ {{ borg_included_dirs | map('quote') | join(' ') }}
+ {% for e in (borg_excluded_dirs | map('quote')) %} --exclude {{ e }} {% endfor %}
+ user: root
+ state: "{{ 'present' if (borg_included_dirs | length > 0) else 'absent' }}"
+ minute: "{{ borg_cron_time.minute | default(omit) }}"
+ hour: "{{ borg_cron_time.hour | default(omit) }}"
+ weekday: "{{ borg_cron_time.weekday | default(omit) }}"
+ day: "{{ borg_cron_time.day | default(omit) }}"
+ month: "{{ borg_cron_time.month | default(omit) }}"
+ special_time: "{{ borg_cron_time.special_time | default(omit) }}"
+ become: true
diff --git a/tasks/installation.yml b/tasks/installation.yml
new file mode 100644
index 0000000..af379e6
--- /dev/null
+++ b/tasks/installation.yml
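Review bot: The `Update encryption vars` task can silently lose repository keys when the role runs against several clients in one play: every host reads `{{ borg_decryption_keys_yaml_path }}` into `local` before any of them writes, each `copy` then overwrites the file with only its own entry merged into that stale snapshot, and the last writer wins, so `throttle: 1` on the export block alone does not serialise the read-modify-write. Either move `Read Vars file`, the export/`set_fact` pair and the `copy` into one `throttle: 1` block so each host re-reads the file after the previous one wrote, or build `decryption_keys` from `hostvars` across `ansible_play_hosts` in a single `run_once` task so the file is written once with every host's key. Separately, `Initialise Borg repository` treats any rc 2 as "already initialised", but 2 is borg's generic error code, so a failed init would be reported as ok; a safer form is `failed_when: init_borg_output.rc != 0 and 'already exists' not in init_borg_output.stderr` (confirm the exact message for the borg version in use). The forced command's `--restrict-to-repository {{ borg_repo_name }}` is a relative path while `borg init` addresses `{{ borg_server_user_home }}/{{ borg_repo_name }}`; it only lines up because sshd starts the command in the account's home directory, so using the same absolute path on both sides makes the restriction explicit. The tasks that render `borg_passphrase` (`Initialise Borg repository` and `Set up env for cron job`) should carry `no_log: true` so the passphrase does not land in verbose output or callback logs.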
@@ -0,0 +1,21 @@
+---
+- name: Install Debian Server dependencies
+ ansible.builtin.apt:
+ name:
+ - borgbackup
+ state: present
+ update_cache: true
+ become: true
+ when: ansible_facts['os_family'] == "Debian"
+ delegate_to: "{{ borg_server_host }}"
+
+- name: Install Debian Client dependencies
+ ansible.builtin.apt:
+ name:
+ - borgbackup
+ - cron
+ - ssh
+ state: present
+ update_cache: true
+ become: true
+ when: ansible_facts['os_family'] == "Debian"
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..7ffef06
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,9 @@
+---
+- name: Install dependencies
+ ansible.builtin.include_tasks: installation.yml
+
+- name: Run setup on server
+ ansible.builtin.include_tasks: server_setup.yml
+
+- name: Run setup on client
+ ansible.builtin.include_tasks: client_setup.yml
diff --git a/tasks/server_setup.yml b/tasks/server_setup.yml
new file mode 100644
index 0000000..6b16e29
--- /dev/null
+++ b/tasks/server_setup.yml
@@ -0,0 +1,22 @@
+---
+- name: Create borg user
+ ansible.builtin.user:
+ name: borg
+ comment: Borgbackup user
+ create_home: true
+ home: "{{ borg_server_user_home }}"
+ generate_ssh_key: true
+ become: true
+ delegate_to: "{{ borg_server_host }}"
+
+- name: Make sure authorized keys exists
+ ansible.builtin.file:
+ path: "{{ borg_server_user_home }}/.ssh/authorized_keys"
+ state: touch
+ owner: borg
+ group: borg
+ mode: '644'
+ access_time: preserve
+ modification_time: preserve
+ become: true
+ delegate_to: "{{ borg_server_host }}"
-- cgit v1.2.3
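Review bot: The `when: ansible_facts['os_family'] == "Debian"` on `Install Debian Server dependencies` is evaluated against the client's facts, not the delegated server's, because `delegate_to` does not switch the fact namespace; a non-Debian server behind a Debian client would be attempted with apt, and a Debian server behind a non-Debian client would never get borgbackup. Test the server's own facts instead, e.g. `when: hostvars[borg_server_host]['ansible_facts']['os_family'] == "Debian"` (which needs facts gathered for that host), and consider `run_once: true` so the server install is not repeated once per client. On `Install Debian Client dependencies`, the Debian `ssh` metapackage pulls in `openssh-server` as well as the client; if the backup client only opens outbound connections, `openssh-client` is the narrower dependency and avoids adding a listening service to every client.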
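Review bot: `generate_ssh_key: true` on `Create borg user` creates a private key for the borg account that nothing in this change uses; it appears to be there only because the user module creates `~/.ssh` as a side effect, which `Make sure authorized keys exists` then relies on. An explicit `ansible.builtin.file` task with `state: directory`, `mode: '0700'`, `owner: borg`, `group: borg` on `{{ borg_server_user_home }}/.ssh` states that dependency directly and avoids leaving unused key material on the server. The touched `authorized_keys` is given `mode: '644'`; sshd only requires that it not be group- or other-writable, but `'0600'` is the usual choice for the file holding the trust roots of a backup account, and the leading zero keeps the octal intent visible.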