add export service

2021-06-06 01:37:01 +02:00 · 2021-06-06 01:37:01 +02:00 · dbb78ed37f
commit dbb78ed37f
parent d01de238a7
7 changed files with 86 additions and 4 deletions
--- a/README.md
+++ b/README.md
@ -5,6 +5,29 @@
 All configuration is to be placed inside the `backups` dict.

 ```
+# Settings for all backup related timers.
+jobs:
+	retention:
+		# Can be used to enable/disable the job
+		enabled: true
+		# Time this job runs on, random by default
+		OnCalendar: "hh:mm"
+	run:
+		# Can be used to enable/disable the job
+		enabled: true
+		# Time this job runs on, random by default
+		OnCalendar: "hh:mm"
+	check:
+		# Can be used to enable/disable the job
+		enabled: true
+		# Time this job runs on, random by default
+		OnCalendar: "hh:mm"
+	export:
+		# Can be used to enable/disable the job
+		enabled: false
+		# Time this job runs on, random by default
+		OnCalendar: "hh:mm"
+
 # backend specific settings
 backends:
 	# restic specific settings
@ -33,6 +56,18 @@ retention:
 	months: 12
 	years: 3

+# Settings for the export task
+export:
+	# list of all remote destinations the backup should be exported to
+	destinations: []
+	# every element of this list describes an export target
+#	- user: root
+#	  host: localhost
+#	  remotepath: /
+#	  type: rsync
+#	  port: 22
+#	  key: "/etc/backup-client/id_ed25519"
+
 # keys are strings with glob patterns of files to be excluded. Value musst be true to enable the exclude, false to disable it
 # Only supportet in restic based backups
 exclude_files: {}
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -9,6 +9,9 @@ backups:
    check:
      enabled: true
      OnCalendar: "monday 5:{{ 60|random(seed=(inventory_hostname + 'backups_jobs')) }}"
+    export:
+      enabled: false
+      OnCalendar: "{{ [21,22,23]|random(seed=(inventory_hostname + 'backups_export_h')) }}:{{ 60|random(seed=(inventory_hostname + 'backups_export_m')) }}"
  backends:
    restic:
      url: /var/backup-client/restic
@ -21,6 +24,8 @@ backups:
    weeks: 16
    months: 12
    years: 3
+  export:
+    destinations: []
  exclude_files:
    '/tmp': true
    '/var/tmp': true
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -7,6 +7,7 @@
    - check
    - retention
    - run
+    - export
  systemd:
    name: "backup-{{ item }}.timer"
    enabled: "{{ backups.jobs[item].enabled }}"
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -3,9 +3,6 @@
    backup_backend: "{% if backups.mode in ['standalone-restic', 'hypervisor-restic'] %}restic{% else %}False{% endif %}"
    backup_executor: "{% if backups.mode in ['vm-via-hypervisor'] %}False{% else %}True{% endif %}"

- debug:
-    var: backup_backend
-
 - name: create config folder
  file:
    path: /etc/backup-client/
@ -17,6 +14,10 @@
 - name: setup hosts that actualy run backup code (not vms for example)
  when: backup_executor
  block:
+  - name: generate ssh key
+    community.crypto.openssh_keypair:
+      path: /etc/backup-client/id_ed25519
+      type: ed25519
  - name: create retention file
    copy:
      dest: /etc/backup-client/retention.env
@ -48,6 +49,7 @@
      - backup-full
      - backup-cronjob
      - backup-check
+      - backup-export
      - status-email-root
    template:
      src: "{{ item }}.j2"
@ -63,6 +65,7 @@
      - backup-check
      - backup-retention
      - backup-run
+      - backup-export
      - status-email-root@
    template:
      src: "{{ item }}.service.j2"
@ -79,6 +82,7 @@
      - check
      - retention
      - run
+      - export
    template:
      src: "timer.j2"
      dest: "/etc/systemd/system/backup-{{ item }}.timer"
@ -116,9 +120,15 @@
      mode: 0600
      content: "{{ backups.include_files|filterEnabled|join('\n') }}"
  - name: create repo key for restic
-    command: "dd if=/dev/urandom of=/etc/backup-client/restic.key bs=1k count=16"
+    shell: "umask 177; dd if=/dev/urandom of=/etc/backup-client/restic.key bs=1k count=16"
    args:
      creates: "/etc/backup-client/restic.key"
+  - name: set repo key permissions
+    file:
+      path: /etc/backup-client/restic.key
+      owner: root
+      group: root
+      mode: 0600
  - name: create restic env file
    copy:
      dest: /etc/backup-client/restic.env
--- a/templates/backup-export.
+++ b/templates/backup-export.
--- a/templates/backup-export.j2
+++ b/templates/backup-export.j2
@ -0,0 +1,21 @@
+#!/bin/bash
+set -euo pipefail
+
+echo "Starting to export backups..."
+
+{% if backup_backend == 'restic' %}
+# restic backend
+source /etc/backup-client/restic.env
+
+{% for i in backups.export.destinations if i.type == "rsync" %}
+echo "exporting to {{ i.host }}"
+rsync -h -r -a --append-verify --delete --stats  -e "ssh -p {{ i.port|d(22) }} -i {{ i.key|d('/etc/backup-client/id_ed25519') }}" "${RESTIC_REPOSITORY}/" "{{ i.user }}@{{ i.host }}:{{ i.remotepath }}"
+{% endfor %}
+
+{% endif %}
+
+{% if not backup_backend %}
+echo "Noop, backup is handled external"
+{% endif %}
+
+echo "done!"
--- a/templates/backup-export.service.j2
+++ b/templates/backup-export.service.j2
@ -0,0 +1,10 @@
+[Unit]
+Description=Export backups to an external host
+OnFailure=status-email-root@%n.service
+
+[Service]
+Nice=19
+IOSchedulingClass=idle
+Type=simple
+ExecStart=/usr/local/bin/backup-export
+