269 lines
7.8 KiB
YAML
269 lines
7.8 KiB
YAML
- name: parse config
|
|
set_fact:
|
|
backup_backend: "{% if backups.mode in ['standalone-restic', 'hypervisor-restic'] %}restic{% else %}False{% endif %}"
|
|
backup_executor: "{% if backups.mode in ['vm-via-hypervisor'] %}False{% else %}True{% endif %}"
|
|
|
|
- name: create config folder
|
|
file:
|
|
path: /etc/backup-client/
|
|
state: directory
|
|
owner: root
|
|
group: root
|
|
mode: 0700
|
|
|
|
- name: setup hosts that actualy run backup code (not vms for example)
|
|
when: backup_executor
|
|
block:
|
|
- name: generate ssh key
|
|
register: backup_ssh_key_task
|
|
community.crypto.openssh_keypair:
|
|
path: /etc/backup-client/id_ed25519
|
|
type: ed25519
|
|
- name: create retention file
|
|
copy:
|
|
dest: /etc/backup-client/retention.env
|
|
owner: root
|
|
group: root
|
|
mode: 0700
|
|
content: |
|
|
export BACKUP_RETENTION_HOURS={{ backups.retention.hours }}
|
|
export BACKUP_RETENTION_DAYS={{ backups.retention.days }}
|
|
export BACKUP_RETENTION_WEEKS={{ backups.retention.weeks }}
|
|
export BACKUP_RETENTION_MONTHS={{ backups.retention.months }}
|
|
export BACKUP_RETENTION_YEARS={{ backups.retention.years }}
|
|
- name: copy backup config
|
|
loop:
|
|
- name: 'enabled'
|
|
flag: '{{ backups.enabled }}'
|
|
file:
|
|
path: /etc/backup-client/{{ item.name }}
|
|
owner: root
|
|
group: root
|
|
mode: 0600
|
|
state: "{% if item.flag %}touch{% else %}absent{% endif %}"
|
|
- name: copy scripts
|
|
loop:
|
|
- backup-retention
|
|
- backup-standalone
|
|
- backup-vm
|
|
- backup-all-vms
|
|
- backup-full
|
|
- backup-cronjob
|
|
- backup-check
|
|
- backup-export
|
|
- status-email-root
|
|
template:
|
|
src: "{{ item }}.j2"
|
|
dest: "/usr/local/bin/{{ item }}"
|
|
owner: root
|
|
group: root
|
|
mode: 0755
|
|
validate: /bin/bash -n %s
|
|
- name: copy systemd services
|
|
notify:
|
|
- reload systemd
|
|
loop:
|
|
- backup-check
|
|
- backup-retention
|
|
- backup-run
|
|
- backup-export
|
|
- status-email-root@
|
|
template:
|
|
src: "{{ item }}.service.j2"
|
|
dest: "/etc/systemd/system/{{ item }}.service"
|
|
owner: root
|
|
group: root
|
|
mode: 0644
|
|
# validate: /usr/bin/systemd-analyze verify %s
|
|
- name: copy timers
|
|
notify:
|
|
- reload systemd
|
|
- enable timers
|
|
loop:
|
|
- check
|
|
- retention
|
|
- run
|
|
- export
|
|
template:
|
|
src: "timer.j2"
|
|
dest: "/etc/systemd/system/backup-{{ item }}.timer"
|
|
owner: root
|
|
group: root
|
|
mode: 0644
|
|
# validate: /usr/bin/systemd-analyze verify %s
|
|
- name: create data folder
|
|
file:
|
|
path: /var/backup-client/
|
|
state: directory
|
|
owner: root
|
|
group: root
|
|
mode: 0700
|
|
|
|
- name: create a remote sftp user if enabled
|
|
when:
|
|
- backups.remote_sftp_user.enabled
|
|
- backup_executor
|
|
delegate_to: "{{ backups.remote_sftp_user.host }}"
|
|
block:
|
|
- name: "create user {{ backups.remote_sftp_user.name }}"
|
|
user:
|
|
name: "{{ backups.remote_sftp_user.name }}"
|
|
createhome: yes
|
|
shell: /sbin/nologin
|
|
system: false
|
|
group: "{{ backups.remote_sftp_user.group }}"
|
|
groups: "{{ backups.remote_sftp_user.groups }}"
|
|
- name: add ssh key to user
|
|
when: not ansible_check_mode
|
|
ansible.posix.authorized_key:
|
|
user: "{{ backups.remote_sftp_user.name }}"
|
|
state: present
|
|
key: '{{ backup_ssh_key_task.public_key }}'
|
|
- name: create chroot folder
|
|
file:
|
|
path: "{{ backups.remote_sftp_user.chroot_basepath }}"
|
|
owner: root
|
|
group: root
|
|
mode: 0755
|
|
state: directory
|
|
- name: create bind mount point in chroot folder
|
|
file:
|
|
path: "{{ backups.remote_sftp_user.chroot_basepath }}/backups"
|
|
owner: "{{ backups.remote_sftp_user.name }}"
|
|
group: "{{ backups.remote_sftp_user.group }}"
|
|
mode: 0700
|
|
state: directory
|
|
- name: create storage folder
|
|
when: backups.remote_sftp_user.create_storage_folder
|
|
file:
|
|
path: "{{ backups.remote_sftp_user.storage_path }}"
|
|
owner: "{{ backups.remote_sftp_user.name }}"
|
|
group: "{{ backups.remote_sftp_user.group }}"
|
|
mode: 0700
|
|
state: directory
|
|
- name: "setup bindmount"
|
|
loop:
|
|
- mounted
|
|
- present
|
|
mount:
|
|
path: "{{ backups.remote_sftp_user.chroot_basepath }}/backups"
|
|
src: "{{ backups.remote_sftp_user.storage_path }}"
|
|
opts: "rw,bind,noauto,x-systemd.automount"
|
|
fstype: auto
|
|
passno: "0"
|
|
state: "{{ item }}"
|
|
|
|
- name: handle common restic based setup tasks
|
|
when:
|
|
- backup_backend == 'restic'
|
|
- backup_executor
|
|
block:
|
|
- name: install backend tools (restic)
|
|
apt:
|
|
pkg:
|
|
- restic
|
|
- name: copy exclude file
|
|
copy:
|
|
dest: /etc/backup-client/exclude_files
|
|
owner: root
|
|
group: root
|
|
mode: 0600
|
|
content: "{{ backups.exclude_files|filterEnabled|join('\n') }}"
|
|
- name: copy include file
|
|
copy:
|
|
dest: /etc/backup-client/include_files
|
|
owner: root
|
|
group: root
|
|
mode: 0600
|
|
content: "{{ backups.include_files|filterEnabled|join('\n') }}"
|
|
- name: create repo key for restic
|
|
shell: "umask 177; dd if=/dev/urandom of=/etc/backup-client/restic.key bs=1k count=16"
|
|
args:
|
|
creates: "/etc/backup-client/restic.key"
|
|
- name: set repo key permissions
|
|
file:
|
|
path: /etc/backup-client/restic.key
|
|
owner: root
|
|
group: root
|
|
mode: 0600
|
|
- name: create restic env file
|
|
copy:
|
|
dest: /etc/backup-client/restic.env
|
|
owner: root
|
|
group: root
|
|
mode: 0700
|
|
content: |
|
|
export RESTIC_REPOSITORY="{{ backups.backends.restic.url }}"
|
|
export RESTIC_PASSWORD_FILE="/etc/backup-client/restic.key"
|
|
- name: create restic repository folder
|
|
when:
|
|
- backups.backends.restic.repo_type == 'local'
|
|
- backups.backends.restic.repo_folder_create
|
|
file:
|
|
path: "{{ backups.backends.restic.url }}"
|
|
state: directory
|
|
owner: root
|
|
group: root
|
|
mode: 0700
|
|
- name: create repo for restic
|
|
shell: 'source /etc/backup-client/restic.env; restic snapshots > /dev/null || restic init'
|
|
args:
|
|
executable: /bin/bash
|
|
|
|
- name: handle hypervisor mode
|
|
when: backups.mode == 'hypervisor-restic'
|
|
block:
|
|
- name: create vms config folder
|
|
file:
|
|
path: /etc/backup-client/vms/
|
|
state: directory
|
|
owner: root
|
|
group: root
|
|
mode: 0700
|
|
- name: create vm mount point
|
|
file:
|
|
path: /var/backup-client/vm-mountpoint/
|
|
state: directory
|
|
owner: root
|
|
group: root
|
|
mode: 0700
|
|
|
|
- name: handle vm-via-hypervisor mode
|
|
when: backups.mode == 'vm-via-hypervisor'
|
|
block:
|
|
- name: create config folder on vm host
|
|
delegate_to: "{{ vm['host'] }}"
|
|
file:
|
|
dest: /etc/backup-client/vms/{{ vm['name'] }}
|
|
state: directory
|
|
owner: root
|
|
group: root
|
|
mode: 0700
|
|
- name: copy exclude file to vm host
|
|
delegate_to: "{{ vm['host'] }}"
|
|
copy:
|
|
dest: /etc/backup-client/vms/{{ vm['name'] }}/exclude_files
|
|
owner: root
|
|
group: root
|
|
mode: 0600
|
|
content: "{{ backups.exclude_files|filterEnabled|vmpath2hostpath(mountpoint='/var/backup-client/vm-mountpoint')|join('\n') }}"
|
|
- name: copy include file to vm host
|
|
delegate_to: "{{ vm['host'] }}"
|
|
copy:
|
|
dest: /etc/backup-client/vms/{{ vm['name'] }}/include_files
|
|
owner: root
|
|
group: root
|
|
mode: 0600
|
|
content: "{{ backups.include_files|filterEnabled|vmpath2hostpath(mountpoint='/var/backup-client/vm-mountpoint')|join('\n') }}"
|
|
- name: copy vm backup config to vm host
|
|
delegate_to: "{{ vm['host'] }}"
|
|
loop:
|
|
- name: 'enabled'
|
|
flag: '{{ backups.enabled }}'
|
|
file:
|
|
path: /etc/backup-client/vms/{{ vm['name'] }}/{{ item.name }}
|
|
owner: root
|
|
group: root
|
|
mode: 0600
|
|
state: "{% if item.flag %}touch{% else %}absent{% endif %}"
|
|
|