source: main/waeup-ansible/playbook-install-borg.yml @ 15904

Last change on this file since 15904 was 15904, checked in by uli, 5 years ago

Add playbooks and config for borg backup.

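---
# This ansible-playbook prepares hosts for use of borg backup
#
# What it does:
#   - enable borg ppa
#   - install borg client (plus pwgen and sshpass, which the tasks below need)
#   - create SSH key for passwordless login (/root/.ssh/id_backup, ed25519)
#   - generate passphrase for borg (/root/backup/.borg_passphrase)
#   - add SSH key at remote storagebox authorized_keys
#   - create borg dirs (/var/log/borg, /root/backup)
#   - create scripts in /root/backup/ for borg handling
#   - initialize backup repo on remote machine(s) running borg-init.sh
#   - install CRON jobs for regular backups
#   - download generated keyfiles/passwords to local machine (borg-creds/)
#
##
#
# This playbook will normally be run like this:
#
#  ansible-playbook -b -i h8.waeup.org, --ask-vault-pass backup-init.yml
#
# NOTE(review): the example above names a different playbook file and host than
# this file (playbook-install-borg.yml, hosts: h9.waeup.org); adjust both to the
# host you actually want to prepare.
#
# Cf.: https://github.com/noplanman/ansible-role-borgbackup/blob/master/tasks/borg-client.yml
#
##
#
# PLEASE NOTE: this playbook requires a gazillion parameters to be set via host vars.
#              As some of these are hopefully encrypted, you also need the respective
#              passwords.
#
# Host vars read by this play (see the tasks below for how each one is used):
#   borgbackup_servers   list of mappings describing the remote storage(s):
#                          type      only entries of type 'hetzner' get the SSH key installed
#                          fqdn      hostname of the storage box
#                          user      login user on the storage box
#                          password  login password (keep it vault-encrypted); it is passed
#                                    to sshpass on the command line, hence no_log on those tasks
#                          home, pool  concatenated into the borg keyfile name ("Fetch keyfiles")
#                          port      optional; written to /root/.ssh/config when set
#   borgbackup_cron_minute, borgbackup_cron_hour, borgbackup_cron_day
#                        schedule of the backup cron job
#
# Security notes:
#   - StrictHostKeyChecking is disabled for the storage box (scp/sftp below and
#     /root/.ssh/config), i.e. the backup channel is not protected against a
#     spoofed storage host. Pin the host key in /root/.ssh/known_hosts if you can.
#   - The borg keyfile and passphrase are fetched in clear to borg-creds/ on the
#     control machine; encrypt or move them after the run.
#
##
- hosts: h9.waeup.org
  become: true
  vars:
    # Not referenced by the tasks in this file; presumably consumed by the
    # borg-*.sh.j2 / sb-ftp.sh.j2 templates -- verify before removing.
    backup_server_url: "u220626.your-storagebox.de"
    backup_server_user: "u220626"

  tasks:
  - name: "Activate borg PPA"
    apt_repository:
      repo: "ppa:costamagnagianfranco/borgbackup"
      codename: "{{ ansible_distribution_release }}"
      state: present

  - name: "Install packages for borg backup"
    apt:
      name:
        - borgbackup
        - pwgen      # used to generate the BORG_PASSPHRASE below
        - sshpass    # password login to the storage box for the initial key upload
      state: present

  # The public key is registered so it can be appended to the storage box's
  # authorized_keys further down.
  - name: "Generate ssh-key for backup."
    openssh_keypair:
      path: "/root/.ssh/id_backup"
      type: "ed25519"
    register: sshkey

  - name: "Create directories for config and logs."
    file:
      path: "{{ item.path }}"
      state: directory
      owner: root
      group: root
      mode: "{{ item.mode }}"
    loop:
      - path: "/root/backup"
        mode: "0700"
      - path: "/var/log/borg"
        mode: "0755"

  # umask 077 creates the file 0600 right away instead of relying on the
  # permission fix-up task below to close a world-readable window.
  # "creates" keeps an existing passphrase untouched on re-runs.
  - name: "Generate a backup password."
    shell:
      cmd: umask 077; echo 'export BORG_PASSPHRASE="'$(pwgen -s -1 64)'"' > "/root/backup/.borg_passphrase"
      creates: "/root/backup/.borg_passphrase"

  - name: "Fix file permissions of password."
    file:
      path: "/root/backup/.borg_passphrase"
      owner: root
      group: root
      mode: "0600"

  # Pull the storage box's current authorized_keys to a temp file so the new
  # key can be appended without discarding keys from other hosts.
  # failed_when: false -- a fresh box may have no .ssh/authorized_keys yet.
  # NOTE(review): if the copy fails for any other reason, the following task
  # presumably starts from an empty temp file and the upload then replaces the
  # box's authorized_keys with only this host's key -- verify against a box
  # that already holds keys from elsewhere.
  # no_log: the password is part of the command line and would otherwise be
  # printed in task output / logs; "quote" makes it safe for the shell.
  - name: "Get authorized_keys from backup server"
    shell:
      cmd: >
        SSHPASS={{ item.password | quote }}
        sshpass -e scp
        -o BatchMode=no -o StrictHostKeyChecking=no
        {{ item.user }}@{{ item.fqdn }}:.ssh/authorized_keys
        /tmp/authkeys-{{ item.type }}-{{ item.fqdn }}-authkeys
    when: item.type in ['hetzner',]
    with_items: "{{ borgbackup_servers }}"
    changed_when: false
    failed_when: false
    no_log: true

  # loop_control.label keeps the (password-carrying) item mapping out of the
  # task output; "authkeys.changed" drives the upload below.
  - name: "update authorized_keys"
    authorized_key:
      user: "root"
      key: "{{ sshkey.public_key }}"
      path: /tmp/authkeys-{{ item.type }}-{{ item.fqdn }}-authkeys
      manage_dir: false
    when: item.type in ['hetzner', ]
    with_items: "{{ borgbackup_servers }}"
    loop_control:
      label: "{{ item.fqdn }}"
    register: authkeys

  # Only runs when a key was actually added. mkdir may report an error on a
  # box that already has .ssh; sftp carries on with the remaining commands.
  - name: "Upload changed authorized_keys"
    shell:
      cmd: |
        SSHPASS={{ item.password | quote }} sshpass -e sftp -oBatchMode=no -oStrictHostKeyChecking=no {{ item.user }}@{{ item.fqdn }} << EOF
          mkdir ./.ssh
          chmod 0700 ./.ssh
          cd .ssh
          put /tmp/authkeys-{{ item.type }}-{{ item.fqdn }}-authkeys authorized_keys
          chmod 0600 authorized_keys
          bye
        EOF
    when: (item.type in ['hetzner', ]) and (authkeys.changed)
    with_items: "{{ borgbackup_servers }}"
    no_log: true

  - name: "Remove tmp authorized_keys files"
    file:
      path: /tmp/authkeys-{{ item.type }}-{{ item.fqdn }}-authkeys
      state: absent
    with_items: "{{ borgbackup_servers }}"
    loop_control:
      label: "{{ item.fqdn }}"

  # One managed block per storage box; the marker carries the fqdn so blocks
  # for several boxes do not overwrite each other.
  - name: "Disable strict host key checks for backup server"
    blockinfile:
      dest: "/root/.ssh/config"
      create: true
      marker: "### {mark} ANSIBLE MANAGED BLOCK {{ item.fqdn }} ###"
      content: |
        Host {{ item.fqdn }}
          StrictHostKeyChecking no
          IdentityFile /root/.ssh/id_backup
          {% if item.port is defined %}Port {{ item.port }}{% endif %}
    with_items: "{{ borgbackup_servers }}"
    loop_control:
      label: "{{ item.fqdn }}"

  # force: false -- local edits to the scripts survive re-runs of this play.
  - name: "Upload borg-init.sh script"
    template:
      src: "borg-init.sh.j2"
      dest: "/root/backup/borg-init.sh"
      owner: "root"
      group: "root"
      mode: "0744"
      force: false

  - name: "Upload borg-backup.sh script"
    template:
      src: "borg-backup.sh.j2"
      dest: "/root/backup/borg-backup.sh"
      owner: "root"
      group: "root"
      mode: "0744"
      force: false

  - name: "Upload sb-ftp.sh script"
    template:
      src: "sb-ftp.sh.j2"
      dest: "/root/backup/sb-ftp.sh"
      owner: "root"
      group: "root"
      mode: "0744"
      force: false

  # borg-init.sh is expected to populate /root/.config/borg/keys/; its
  # existence marks the repo as initialized so the script is not run twice.
  - name: "Initialize repo"
    command: /root/backup/borg-init.sh
    args:
      creates: /root/.config/borg/keys/

  - name: "Create backup cronjob"
    cron:
      cron_file: "borg-backup"
      user: "root"
      name: "borg-backup"
      minute: "{{ borgbackup_cron_minute }}"
      hour: "{{ borgbackup_cron_hour }}"
      day: "{{ borgbackup_cron_day }}"
      job: "/root/backup/borg-backup.sh > /dev/null 2>&1"

  # Keyfile name: fqdn with '.' and '-' mapped to '_', then "__" + home + pool,
  # then "_" + short hostname. This must match what borg-init.sh produces.
  - name: "Fetch keyfiles to localhost"
    fetch:
      src: /root/.config/borg/keys/{{ item.fqdn | replace('.', '_') | replace('-', '_') }}__{{ item.home }}{{ item.pool }}_{{ inventory_hostname_short }}
      dest: borg-creds/
      flat: true
    with_items: "{{ borgbackup_servers }}"
    loop_control:
      label: "{{ item.fqdn }}"

  - name: "Fetch passwordfile to localhost"
    fetch:
      src: /root/backup/.borg_passphrase
      dest: borg-creds/_borg_passphrase-{{ inventory_hostname_short }}
      flat: true

  - debug:
      msg:
        - "A copy of the keyfile and the borg password were saved to the"
        - "local borg-creds/ directory."
        - "Please keep them in a safe place, away from the backup machine"
        - "and the backuped machine. You might want to encrypt them."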
194