---
################################################################################
# Borg Server Host Configuration
################################################################################

# This it the host, as specified in your ansible inventory file, that the
# backups will be made to.
# Ansible will delegate borg-server related tasks to that host.
# Currently there is only a single backup host supported per role run.
# ---
# borg_server_host: SETME

# This is the public key of the ssh server of your borg server.
# It is used for protecting against spoofed borg servers. It is recommended you
# set this variable as a group var in your ansible repository as it is a per
# borg-server configuration. To get this key you can run ssh-keyscan against
# your borg server like this:
# ssh-keyscan -t rsa borg.example.org
# You will need to remove the hostname from the output so that the
# remaining key will look something like this:
# ssh-rsa AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
# ---
# borg_server_host_ssh_key: SETME

# This is the host url that will be used for running borg related commands on
# the borg client. The borg server ssh port needs to be reachable from the borg
# borg client under this host.
# This defaults to the borg_server_host which will work as long as the inventory
# hostnames are globally reachable.
borg_server_host_url: '{{ borg_server_host }}'

# The home directory of the borg user that is created on the borg server.
# All borg borg client repositories will be saved in this directory on the borg
# server. e.g. /opt/borg/client1 /opt/borg/client2
borg_server_user_home: /opt/borg


################################################################################
# Borg Repository Configuration
# See: https://borgbackup.readthedocs.io/en/stable/usage/serve.html
################################################################################

# The name of the repository (directory) created on the borg-server
# `{{ borg_server_user_home  }}/{{ borg_repo_name }}`
# This setting is mostly relevant if you use multiple repositories per
# borg-client in which case you have to set a custom repo names / formats to
# avoid clashes.
borg_repo_name: '{{ inventory_hostname }}'

# Should the repo be append only? (--append-only)
# This will deny any request to delete data from the backup repository coming
# from the client host. This is so that an attacker would not be able to simply
# delete the backups from a compromised client.
# With this configuration option enabled you won't have the ability to remove
# old backups directly from the client that pushes the backups.
# See https://borgbackup.readthedocs.io/en/stable/usage/notes.html#append-only-mode-forbid-compaction
borg_mode_append_only: false


################################################################################
# Borg Backup Configuration
# See: https://borgbackup.readthedocs.io/en/stable/usage/create.html
################################################################################

# This is the name of the backup in the configured repository
# The default here creates a backup with the hostname and the current time in
# the name. It is important to dynamically generate the backup names by using
# the placeholders so that you don't have colliding backup names.
# Most of the time the default option is fine.
# For more information about the borg placeholder see
# https://borgbackup.readthedocs.io/en/stable/usage/help.html#borg-help-placeholders
borg_backup_name_format: '{hostname}-{now:%Y-%m-%dT%H:%M:%S}'

# Borg has a few compression modes to those from:
# none, lz4, zstd[,L], zlib[,L], lzma[,L], auto,C[,L], obfuscate,SPEC,C[,L].
# For more information see the borg compression page: `borg help compression` or
# https://borgbackup.readthedocs.io/en/stable/usage/help.html#borg-help-compression
borg_compression: zstd

# This is a list of files and directories to be backed up in the systemd job.
# In case you leave this empty, the role will not create an automatic backup job
borg_included_dirs: []

# This is a list of files and directories that you wish to have excluded from
# Your backups. You may need this in case you want to remove a file from a
# folder which you want to have backed up e.g. cache directory in application.
# If you want to backup `/application/data` and `/application/db`
# but not `application/cache` you can add `/application` to `borg_included_dirs`
# and add `application/cache` to `borg_excluded_dirs`.
borg_excluded_dirs: []

# By default the role is configured to only use an encryption key with no
# passphrase. This allows it to use the borgs command on the machine without any
# haste. If you wish to enable the borg passphrase you can do so here. Note that
# The passphrase will be stored in plaintext inside the backup script.
# For more information about the borg passphrase see
# https://borgbackup.readthedocs.io/en/stable/quickstart.html#passphrase-notes
borg_passphrase: ''

# Since borg encrypts the backups on the borg-server you should save the
# encryption keys somewhere to another machine to be able to recover the backup
# without the keys on the backup-client.
# While you need the decryption keys as well as actual access to the borg
# repository to download the backup data, you should still treat the decryption
# keys as rather sensitive information.
# Depending on your use case it may be okay to store them in your git repository.
# If wish to encrypt the decryption keys, you look into third party tools for
# that such as ansible-vault, git-crypt or a completely separate secrets
# management system.
borg_decryption_keys_yaml_path: '{{ inventory_dir }}/decryption_keys.yml'

# The role creates a script for backing up with the configured parameters that
# the regular systemd service then executes. This specifies the default location
# and name where the script is stored. By default, we store it as
# `/usr/local/bin/run_borg_backup` so that you can run `run_borg_backup` from
# your shell to create manual backups.
# When you use multiple backups, this script will trigger all of them. You can
# trigger them individually by calling
# {{ borg_backup_script_location }}@{{ borg_backup_argument }}.
# See: `borg_backup_argument` variable.
borg_backup_script_location: /usr/local/bin/run_borg_backup

# Name of the systemd timer that is created for the borg service.
# The borg backup argument is appended to the timer name, meaning the timer will
# be called {{ borg_backup_timer_name }}@{{ borg_backup_argument }}
borg_backup_timer_name: borg_backup

# Name of the systemd service that is created for the borg service.
# The borg backup argument is appended to the service name, meaning the service
# will be called {{ borg_backup_service_name }}@{{ borg_backup_argument }}
borg_backup_service_name: borg_backup

# The backup argument is appended to systemd timer / systemd service and the
# backup script. It is used to distinguish backup targets from one another
# meaning it should be unique per target.
# By default, we use borg_server_host_url, which is fine as long as you don't
# need multiple backup repositories from the same client on the same server.
borg_backup_argument: '{{ borg_server_host_url }}'

# Configures the systemd timer for how regularly to run the backup. By default,
# the backup will run every night attacker 2AM. For more information on how to
# configure this, see: systemd.timer(5)
borg_systemd_oncalendar: '*-*-* 02:00:00'

# Specify the accuracy the timer shall elapse with. By default, we use 60min
# to distribute the load on the backup server. For more information on how to
# configure this see: systemd.timer(5)
borg_systemd_accuracysec: 60min