source: main/waeup-ansible/playbook-install-borg.yml @ 15932

Last change on this file since 15932 was 15928, checked in by uli, 5 years ago

Install scripts to set borg env vars.

When installing borg, provide scripts for all repositories to set local env
vars, namly repository URLs and the borg passphrase. These are normally
cumbersome to in shell commands.

File size: 6.1 KB
Line 
1---
2# This ansible-playbook prepares hosts for use of borg backup
3#
4# What it does:
5#   - enable borg ppa
6#   - install borg client
7#   - create SSH key for passwordless login
8#   - generate passphrase for borgi (/root/backup/.borg_passphrase)
9#   - add SSH key at remote storagebox authorized_keys
10#   - create borg dirs (log, root/backup)
11#   - create scripts in /root/backup/ for borg handling
12#   - initialize backup repo on remote machine(s) running borg-init.sh
13#   - install CRON jobs for regular backups
14#   - download generated keyfiles/passwords to local machine (borg-creds/)
15#
16##
17#
18# This playbook will normally be run like this:
19#
20#  ansible-playbook -b -i h8.waeup.org, --ask-vault-pass playbook-install-borg.yml
21#
22# Cf.: https://github.com/noplanman/ansible-role-borgbackup/blob/master/tasks/borg-client.yml
23#
24##
25#
26# PLEASE NOTE: this playbook requires a gazillion parameters to be set via host vars.
27#              As some of these are hopefully encrypted, you also need the respective
28#              passwords.
29#
30##
31- hosts: h9.waeup.org
32  become: yes
33  vars:
34  tasks:
35  - name: "Activate borg PPA"
36    apt_repository:
37        repo: "ppa:costamagnagianfranco/borgbackup"
38        codename: "{{ ansible_distribution_release }}"
39        state: present
40
41  - name: "Install packages for borg backup"
42    apt:
43        name: ['borgbackup', 'pwgen', 'sshpass']
44        state: present
45
46  - name: "Generate ssh-key for backup."
47    openssh_keypair:
48        path: "/root/.ssh/id_backup"
49        type: "ed25519"
50    register: sshkey
51
52  - name: "Create directories for config and logs."
53    file:
54        path: '{{ item.path }}'
55        state: directory
56        owner: root
57        group: root
58        mode: '{{ item.mode }}'
59    loop:
60        - { path: '/root/backup', mode: '0700' }
61        - { path: '/var/log/borg', mode: '0755' }
62
63  - name: "Generate a backup password."
64    shell:
65        cmd: echo 'export BORG_PASSPHRASE="'$(pwgen -s -1 64)'"' > "/root/backup/.borg_passphrase"
66        creates: "/root/backup/.borg_passphrase"
67
68  - name: "Fix file permissions of password."
69    file:
70        path: '/root/backup/.borg_passphrase'
71        owner: root
72        group: root
73        mode: '0600'
74
75  - name: "Get authorized_keys from backup server"
76    shell:
77        cmd: >
78            SSHPASS={{ item.password }}
79            sshpass -e scp
80            -o BatchMode=no -o StrictHostKeyChecking=no
81            {{ item.user }}@{{ item.fqdn }}:.ssh/authorized_keys
82            /tmp/authkeys-{{ item.type }}-{{ item.fqdn }}-authkeys
83    when: item.type in ['hetzner',]
84    with_items: "{{ borgbackup_servers }}"
85    changed_when: false
86    failed_when: false
87
88  - name: "update authorized_keys"
89    authorized_key:
90        user: "root"
91        key: "{{ sshkey.public_key }}"
92        path: /tmp/authkeys-{{ item.type }}-{{ item.fqdn }}-authkeys
93        manage_dir: false
94    when: item.type in ['hetzner', ]
95    with_items: "{{ borgbackup_servers }}"
96    register: authkeys
97
98  - name: "Upload changed authorized_keys"
99    shell:
100        cmd: |
101            SSHPASS={{ item.password }} sshpass -e sftp -oBatchMode=no -oStrictHostKeyChecking=no {{ item.user }}@{{ item.fqdn }} << EOF
102              mkdir ./.ssh
103              chmod 0700 ./.ssh
104              cd .ssh
105              put /tmp/authkeys-{{ item.type }}-{{ item.fqdn }}-authkeys authorized_keys
106              chmod 0600 authorized_keys
107              bye
108            EOF
109    when: (item.type in ['hetzner', ]) and (authkeys.changed)
110    with_items: "{{ borgbackup_servers }}"
111
112  - name: "Remove tmp authorized_keys files"
113    file:
114        path: /tmp/authkeys-{{ item.type }}-{{ item.fqdn }}-authkeys
115        state: absent
116    with_items: "{{ borgbackup_servers }}"
117
118  - name: "Disable strict host key checks for backup server"
119    blockinfile:
120        dest: "/root/.ssh/config"
121        create: true
122        marker: "### {mark} ANSIBLE MANAGED BLOCK {{ item.fqdn }} ###"
123        content: |
124            Host {{ item.fqdn  }}
125              StrictHostKeyChecking no
126              IdentityFile /root/.ssh/id_backup
127              {% if item.port is defined %}Port {{ item.port }}{% endif %}
128    with_items: "{{ borgbackup_servers }}"
129
130  - name: "Upload borg-init.sh script"
131    template:
132        src: "borg-init.sh.j2"
133        dest: "/root/backup/borg-init.sh"
134        owner: "root"
135        group: "root"
136        mode: "0744"
137        force: no
138
139  - name: "Upload borg-backup.sh script"
140    template:
141        src: "borg-backup.sh.j2"
142        dest: "/root/backup/borg-backup.sh"
143        owner: "root"
144        group: "root"
145        mode: "0744"
146        force: no
147
148  - name: "Upload sb-ftp.sh script"
149    template:
150        src: "sb-ftp.sh.j2"
151        dest: "/root/backup/sb-ftp.sh"
152        owner: "root"
153        group: "root"
154        mode: "0744"
155        force: no
156
157  - name: "Create env scripts"
158    template:
159        src: "borg-env.sh.j2"
160        dest: "/root/backup/env-{{ item.fqdn }}.sh"
161        owner: "root"
162        group: "root"
163        mode: "0600"
164        force: no
165    with_items: "{{ borgbackup_servers }}"
166
167  - name: "Initialize repo"
168    command: /root/backup/borg-init.sh
169    args:
170        creates: /root/.config/borg/keys/
171
172  - name: "Create backup cronjob"
173    cron:
174      cron_file: "borg-backup"
175      user: "root"
176      name: "borg-backup"
177      minute: "{{ borgbackup_cron_minute }}"
178      hour: "{{ borgbackup_cron_hour }}"
179      day: "{{ borgbackup_cron_day }}"
180      job: "/root/backup/borg-backup.sh > /dev/null 2>&1"
181
182  - name: "Fetch keyfiles to localhost"
183    fetch:
184      src: /root/.config/borg/keys/{{ item.fqdn | replace('.', '_') | replace('-', '_') }}__{{ item.home }}{{ item.pool }}_{{ inventory_hostname_short }}
185      dest: borg-creds/
186      flat: yes
187    with_items: "{{ borgbackup_servers }}"
188
189  - name: "Fetch passwordfile to localhost"
190    fetch:
191      src: /root/backup/.borg_passphrase
192      dest: borg-creds/_borg_passphrase-{{ inventory_hostname_short }}
193      flat: yes
194
195  - debug:
196      msg:
197         - "A copy of the keyfile and the borg password were saved to the"
198         - "local borg-creds/ directory."
199         - "Please keep them in a safe place, away from the backup machine"
200         - "and the backuped machine. You might want to encrypt them."
201
Note: See TracBrowser for help on using the repository browser.