source: main/waeup-ansible/playbook-install-borg.yml @ 16358

Last change on this file since 16358 was 15936, checked in by uli, 5 years ago

Minor fixes in borg playbook.

Fix permissions set and creat README with usage instructions in backup dir.

File size: 6.3 KB
RevLine 
[15904]1---
2# This ansible-playbook prepares hosts for use of borg backup
3#
4# What it does:
5#   - enable borg ppa
6#   - install borg client
7#   - create SSH key for passwordless login
8#   - generate passphrase for borgi (/root/backup/.borg_passphrase)
9#   - add SSH key at remote storagebox authorized_keys
10#   - create borg dirs (log, root/backup)
11#   - create scripts in /root/backup/ for borg handling
12#   - initialize backup repo on remote machine(s) running borg-init.sh
13#   - install CRON jobs for regular backups
14#   - download generated keyfiles/passwords to local machine (borg-creds/)
15#
16##
17#
18# This playbook will normally be run like this:
19#
[15906]20#  ansible-playbook -b -i h8.waeup.org, --ask-vault-pass playbook-install-borg.yml
[15904]21#
22# Cf.: https://github.com/noplanman/ansible-role-borgbackup/blob/master/tasks/borg-client.yml
23#
24##
25#
26# PLEASE NOTE: this playbook requires a gazillion parameters to be set via host vars.
27#              As some of these are hopefully encrypted, you also need the respective
28#              passwords.
29#
30##
[15936]31- hosts: all
[15904]32  become: yes
33  vars:
34  tasks:
35  - name: "Activate borg PPA"
36    apt_repository:
37        repo: "ppa:costamagnagianfranco/borgbackup"
38        codename: "{{ ansible_distribution_release }}"
39        state: present
40
41  - name: "Install packages for borg backup"
42    apt:
43        name: ['borgbackup', 'pwgen', 'sshpass']
44        state: present
45
46  - name: "Generate ssh-key for backup."
47    openssh_keypair:
48        path: "/root/.ssh/id_backup"
49        type: "ed25519"
50    register: sshkey
51
52  - name: "Create directories for config and logs."
53    file:
54        path: '{{ item.path }}'
55        state: directory
56        owner: root
57        group: root
58        mode: '{{ item.mode }}'
59    loop:
60        - { path: '/root/backup', mode: '0700' }
61        - { path: '/var/log/borg', mode: '0755' }
62
63  - name: "Generate a backup password."
64    shell:
65        cmd: echo 'export BORG_PASSPHRASE="'$(pwgen -s -1 64)'"' > "/root/backup/.borg_passphrase"
66        creates: "/root/backup/.borg_passphrase"
67
68  - name: "Fix file permissions of password."
69    file:
70        path: '/root/backup/.borg_passphrase'
71        owner: root
72        group: root
73        mode: '0600'
74
75  - name: "Get authorized_keys from backup server"
76    shell:
77        cmd: >
78            SSHPASS={{ item.password }}
79            sshpass -e scp
80            -o BatchMode=no -o StrictHostKeyChecking=no
81            {{ item.user }}@{{ item.fqdn }}:.ssh/authorized_keys
82            /tmp/authkeys-{{ item.type }}-{{ item.fqdn }}-authkeys
83    when: item.type in ['hetzner',]
84    with_items: "{{ borgbackup_servers }}"
85    changed_when: false
86    failed_when: false
87
88  - name: "update authorized_keys"
89    authorized_key:
90        user: "root"
91        key: "{{ sshkey.public_key }}"
92        path: /tmp/authkeys-{{ item.type }}-{{ item.fqdn }}-authkeys
93        manage_dir: false
94    when: item.type in ['hetzner', ]
95    with_items: "{{ borgbackup_servers }}"
96    register: authkeys
97
98  - name: "Upload changed authorized_keys"
99    shell:
100        cmd: |
101            SSHPASS={{ item.password }} sshpass -e sftp -oBatchMode=no -oStrictHostKeyChecking=no {{ item.user }}@{{ item.fqdn }} << EOF
102              mkdir ./.ssh
103              chmod 0700 ./.ssh
104              cd .ssh
105              put /tmp/authkeys-{{ item.type }}-{{ item.fqdn }}-authkeys authorized_keys
106              chmod 0600 authorized_keys
107              bye
108            EOF
109    when: (item.type in ['hetzner', ]) and (authkeys.changed)
110    with_items: "{{ borgbackup_servers }}"
111
112  - name: "Remove tmp authorized_keys files"
113    file:
114        path: /tmp/authkeys-{{ item.type }}-{{ item.fqdn }}-authkeys
115        state: absent
116    with_items: "{{ borgbackup_servers }}"
117
118  - name: "Disable strict host key checks for backup server"
119    blockinfile:
120        dest: "/root/.ssh/config"
121        create: true
122        marker: "### {mark} ANSIBLE MANAGED BLOCK {{ item.fqdn }} ###"
123        content: |
124            Host {{ item.fqdn  }}
125              StrictHostKeyChecking no
126              IdentityFile /root/.ssh/id_backup
127              {% if item.port is defined %}Port {{ item.port }}{% endif %}
128    with_items: "{{ borgbackup_servers }}"
129
130  - name: "Upload borg-init.sh script"
131    template:
132        src: "borg-init.sh.j2"
133        dest: "/root/backup/borg-init.sh"
134        owner: "root"
135        group: "root"
136        mode: "0744"
137        force: no
138
139  - name: "Upload borg-backup.sh script"
140    template:
141        src: "borg-backup.sh.j2"
142        dest: "/root/backup/borg-backup.sh"
143        owner: "root"
144        group: "root"
[15936]145        mode: "0700"
[15904]146        force: no
147
148  - name: "Upload sb-ftp.sh script"
149    template:
150        src: "sb-ftp.sh.j2"
151        dest: "/root/backup/sb-ftp.sh"
152        owner: "root"
153        group: "root"
[15936]154        mode: "0700"
[15904]155        force: no
156
[15928]157  - name: "Create env scripts"
158    template:
159        src: "borg-env.sh.j2"
160        dest: "/root/backup/env-{{ item.fqdn }}.sh"
161        owner: "root"
162        group: "root"
163        mode: "0600"
164        force: no
165    with_items: "{{ borgbackup_servers }}"
166
[15936]167  - name: "Create borg README on server"
168    template:
169        src: "borg-README.txt.j2"
170        dest: "/root/backup/README-borg.txt"
171        owner: "root"
172        group: "root"
173        mode: "0600"
174        force: no
175
[15904]176  - name: "Initialize repo"
177    command: /root/backup/borg-init.sh
178    args:
179        creates: /root/.config/borg/keys/
180
181  - name: "Create backup cronjob"
182    cron:
183      cron_file: "borg-backup"
184      user: "root"
185      name: "borg-backup"
186      minute: "{{ borgbackup_cron_minute }}"
187      hour: "{{ borgbackup_cron_hour }}"
188      day: "{{ borgbackup_cron_day }}"
189      job: "/root/backup/borg-backup.sh > /dev/null 2>&1"
190
191  - name: "Fetch keyfiles to localhost"
192    fetch:
193      src: /root/.config/borg/keys/{{ item.fqdn | replace('.', '_') | replace('-', '_') }}__{{ item.home }}{{ item.pool }}_{{ inventory_hostname_short }}
194      dest: borg-creds/
195      flat: yes
196    with_items: "{{ borgbackup_servers }}"
197
198  - name: "Fetch passwordfile to localhost"
199    fetch:
200      src: /root/backup/.borg_passphrase
201      dest: borg-creds/_borg_passphrase-{{ inventory_hostname_short }}
202      flat: yes
203
204  - debug:
205      msg:
206         - "A copy of the keyfile and the borg password were saved to the"
207         - "local borg-creds/ directory."
208         - "Please keep them in a safe place, away from the backup machine"
209         - "and the backuped machine. You might want to encrypt them."
210
Note: See TracBrowser for help on using the repository browser.