Ansible role to install and set up regular backups with either
The role performs the following steps:
- [Optional] Delete existing repository
- Initialize a repository
  - borg: `backup_borg_protocol://backup_borg_server:backup_target_dir` for a remote backup or `backup_target_dir` for a local backup
  - restic: `backup_restic_repo` for a remote backup or `backup_target_dir` for a local backup

  Notes
  - In case the repo `backup_target_dir` already exists, the initialization will be skipped
  - If neither `backup_borg_server` nor `backup_restic_repo` is specified, the role assumes a local backup, i.e. to a local directory
- Create a `systemd` service which regularly (according to `backup_schedule`) runs a script
  - borg: `borg.sh` from borgbackup.org
  - restic: `restic.sh`, a modified `borg.sh` script considering restic command
- There will be an individual script named `automatic-backup-{{service_name}}.sh` in `/opt/backup` which is customized with
  - `backup_source_dir`
  - `backup_exclude_file` or `backup_exclude_list`
  - `backup_schedule`
None
To keep sensitive information hidden I recommend using ansible-vault. You can define the password file in `ansible.cfg` so no vault parameter has to be specified. Thus, the encrypted variable `backup_encryption_key` can be created as follows:
```bash
ansible-vault encrypt_string 'SupersecretPa$$phrase' --name 'backup_encryption_key'
```
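A pre-commit style check for the recommendation above, as an added example that is not part of the role: it scans playbook text for the role's secret-bearing variables (names taken from the parameter tables on this page) and reports any that hold a literal value instead of a `!vault` block or a variable reference. The sample playbook is constructed, and `vault_b2_account_key` is a hypothetical variable name.

```python
import re

# Secret-bearing variables named in this role's parameter tables.
SECRET_VARS = {
    "backup_encryption_key", "aws_secret_access_key", "st_key", "os_password",
    "os_auth_token", "os_application_credential_secret",
    "b2_account_key", "azure_account_key",
}
# "key: value", optionally behind a list dash as in this page's playbooks.
VAR_LINE = re.compile(r"^\s*(?:-\s*)?([A-Za-z_]\w*)\s*:\s*(.*)$")


def find_plaintext_secrets(playbook_text):
    """Return [(line_no, variable)] for secret variables set to a literal."""
    findings = []
    for line_no, line in enumerate(playbook_text.splitlines(), start=1):
        match = VAR_LINE.match(line)  # commented-out lines never match
        if not match or match.group(1).lower() not in SECRET_VARS:
            continue
        value = re.sub(r"\s+#.*$", "", match.group(2)).strip()
        bare = value.strip("'\"").strip()
        vaulted = value.startswith("!vault")  # inline vault ciphertext follows
        templated = bare.startswith("{{") and bare.endswith("}}")  # reference
        if bare and not vaulted and not templated:
            findings.append((line_no, match.group(1).lower()))
    return findings


# Constructed sample playbook; vault_b2_account_key is a hypothetical variable.
SAMPLE_PLAYBOOK = """\
- hosts: localhost
  vars:
    - backup_engine: restic
    - backup_name: test
    - backup_encryption_key: test
    - b2_account_id: XXXX
    - b2_account_key: "{{ vault_b2_account_key }}"
    - azure_account_key: !vault |
        $ANSIBLE_VAULT;1.1;AES256
        (ciphertext omitted)
    # - os_password: commented-out
  roles:
    - papanito.backup
"""

if __name__ == "__main__":
    for line_no, name in find_plaintext_secrets(SAMPLE_PLAYBOOK):
        print(f"line {line_no}: {name} is stored in plaintext")
```

The check is line-based and only understands the single-line `key: value` form used in this page's playbooks; values supplied through `-e` or other files are out of its view.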
These are all variables
Parameter | Description | Default Value |
---|---|---|
backup_engine | Name of engine (borg or restic) to use for your backups | - |
backup_name | [mandatory] Name of backup | |
backup_target_dir | Target directory of the backups on the backup_borg_server or backup_restic_repo | "./backups/{{ backup_name }}" |
backup_delete | WARNING If set to true then existing backup repository will be deleted | false |
backup_create | Creation of repository. You can use the role to explicitly delete an existing repository by running the role with -e backup_delete=true -e backup_create=false | true |
systemd_script_user | User for permissions of script | root |
systemd_script_group | User group for permissions of script | wheel |
backup_schedule | Systemd schedule notation for the daily backup to run | `*-*-* 03:00:00` |
backup_include_list | List of source directories to backup | - |
backup_exclude_file | EXCLUDEFILE which contains exclude patterns. Takes precedence over backup_exclude_list | - |
backup_exclude_list | List of patterns which will be added as --exclude 'PATTERN' | - |
Parameter | Description | Default Value |
---|---|---|
backup_restic_repo | Name of repo endpoint. local will create a local repo using backup_target_path. For anything else specify the repo format according to the list below | local |
backup_exclude_larger_than | Specify once to exclude files larger than the given size | - |

Restic supports the following repo types with the expected repo format for backup_restic_repo:
Repo Type | Repo format |
---|---|
local | /srv/restic-repo |
rest server | rest:https://user:pass@host:8000/PATH |
s3 (Amazon S3, minio, ...) | s3:s3.amazonaws.com/bucket_name/PATH |
sftp | sftp:user@host:PATH |
Alibaba Cloud (Aliyun) Object Storage System (OSS) | `-o s3.bucket-lookup=dns -o s3.region=<OSS-REGION> -r s3:https://<OSS-ENDPOINT>/<OSS-BUCKET-NAME>` |
Openstack Swift | see here |
Backblaze B2 | b2:bucketname:PATH |
Microsoft Azure Blob Storage | azure:foo:/PATH |
Google Cloud Storage | gs:foo:/PATH |
Restic also needs environment variables for authentication. Set them by defining the following variables in your playbook:
Parameter | Description | Default Value |
---|---|---|
aws_access_key_id | Amazon S3 access key ID | - |
aws_secret_access_key | Amazon S3 secret access key | - |
aws_default_region | Amazon S3 default region | - |
st_auth | Auth URL for keystone v1 authentication | - |
st_user | Username for keystone v1 authentication | - |
st_key | Password for keystone v1 authentication | - |
os_auth_url | Auth URL for keystone authentication | - |
os_region_name | Region name for keystone authentication | - |
os_username | Username for keystone authentication | - |
os_user_id | User ID for keystone v3 authentication | - |
os_password | Password for keystone authentication | - |
os_tenant_id | Tenant ID for keystone v2 authentication | - |
os_tenant_name | Tenant name for keystone v2 authentication | - |
os_user_domain_name | User domain name for keystone authentication | - |
os_user_domain_id | User domain ID for keystone v3 authentication | - |
os_project_name | Project name for keystone authentication | - |
os_project_domain_name | Project domain name for keystone authentication | - |
os_project_domain_id | Project domain ID for keystone v3 authentication | - |
os_trust_id | Trust ID for keystone v3 authentication | - |
os_application_credential_id | Application Credential ID (keystone v3) | - |
os_application_credential_name | Application Credential Name (keystone v3) | - |
OS_APPLICATION_CREDENTIAL_SECRET | Application Credential Secret (keystone v3) | - |
os_storage_url | Storage URL for token authentication | - |
os_auth_token | Auth token for token authentication | - |
b2_account_id | Account ID or applicationKeyId for Backblaze B2 | - |
b2_account_key | Account Key or applicationKey for Backblaze B2 | - |
azure_account_name | Account name for Azure | - |
azure_account_key | Account key for Azure | - |
google_project_id | Project ID for Google Cloud Storage | - |
google_application_credentials | Application Credentials for Google Cloud Storage | - |
Parameter | Description | Default Value |
---|---|---|
backup_borg_server | Name of the backup server - if not defined, it assumes a local backup | - |
backup_user | Name of the user to connect to the server | - |
backup_borg_protocol | Protocol used to connect to backup_borg_server | ssh |
backup_port | Port to connect to backup_borg_server | - |
backup_encryption_key | [mandatory] Passphrase for the encryption key using repokey | - |
backup_borg_encryption_method | Borg encryption method, currently only repokey implemented | repokey |
The following parameters are related to the systemd service file:

Parameter | Description | Default Value |
---|---|---|
backup_systemd_backup_target_dir | Location where to copy .service files | /etc/systemd/system/ |
backup_systemd_user | User for systemd service | backup |
backup_systemd_group | Group for systemd service | backup |
backup_systemd_on_failure | If set it will make an OnFailure entry in the service file | - |
systemd_script_mode | Mode of the script file | 0774 |
systemd_service_mode | Mode of the service file | 0644 |
The script which is deployed also defines the options for prune (borg) or forget (restic). The variables are not set and have to be explicitly defined in your playbook:

Parameter | Description | Default Value |
---|---|---|
backup_prune_keep_within | --keep-within INTERVAL keep all archives within this time interval | - |
backup_prune_keep_last | --keep-last, --keep-secondly INTERVAL number of secondly archives to keep | - |
backup_prune_keep_minutely | --keep-minutely INTERVAL number of minutely archives to keep | - |
backup_prune_keep_hourly | -H, --keep-hourly INTERVAL number of hourly archives to keep | - |
backup_prune_keep_daily | -d, --keep-daily INTERVAL number of daily archives to keep | - |
backup_prune_keep_weekly | -w, --keep-weekly INTERVAL number of weekly archives to keep | - |
backup_prune_keep_monthly | -m, --keep-monthly INTERVAL number of monthly archives to keep | - |
backup_prune_keep_yearly | -y, --keep-yearly INTERVAL number of yearly archives to keep | - |
backup_prune_save_space | --save-space work slower, but using less space | false |
For borg there are some additional variables:

Parameter | Description | Default Value |
---|---|---|
backup_prune_dryrun | -n, --dry-run do not change repository | false |
backup_prune_force | --force force pruning of corrupted archives | false |
backup_prune_stats | -s, --stats print statistics for the deleted archive | true |
backup_prune_list | --list output verbose list of archives it keeps/prunes | true |
For restic there are some additional variables:

Parameter | Description | Default Value |
---|---|---|
backup_prune_keep_within_hourly | -y, --keep-within-hourly INTERVAL keep all hourly snapshots made within specified duration of the latest snapshot. The duration is specified in the same way as for --keep-within and the method for determining hourly snapshots is the same as for --keep-hourly | - |
backup_prune_keep_within_daily | -y, --keep-within-daily INTERVAL keep all daily snapshots made within specified duration of the latest snapshot | - |
backup_prune_keep_within_weekly | -y, --keep-within-weekly INTERVAL keep all weekly snapshots made within specified duration of the latest snapshot | - |
backup_prune_keep_within_monthly | -y, --keep-within-monthly INTERVAL keep all monthly snapshots made within specified duration of the latest snapshot | - |
backup_prune_keep_within_yearly | -y, --keep-within-yearly INTERVAL keep all yearly snapshots made within specified duration of the latest snapshot | - |
None
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
```yaml
- hosts: localhost
  vars:
    - backup_engine: borg
    - backup_borg_server: borg.intra
    - backup_user: borguser
    - backup_name: mybackupname
    - backup_encryption_key: test
    - backup_port: 23
    - backup_target_dir: "/var/backups/"
    - backup_schedule: "*-*-* 03:00:00"
    - backup_exclude_list:
        - "*/Downloads"
        - "*/google-chrome*"
    - backup_include_list:
        - /home/papanito
    - backup_prune_keep_daily: 7
    - backup_prune_keep_weekly: 5
    - backup_prune_keep_monthly: 6
    - backup_prune_keep_yearly: 1
  roles:
    - role: papanito.backup
```
This will create a backup at `ssh://borguser@borg.intra:/var/backup/mybackupname` and the following systemd files:
- `/opt/borg_backup/automatic-backup-mybackupname-borg.intra.sh` (backup script)
- `/etc/systemd/system/automatic-backup-mybackupname-borg.intra.service` (systemd service file)
- `/etc/systemd/system/automatic-backup-mybackupname-borg.intra.timer` (systemd timers file)
```yaml
- hosts: localhost
  vars:
    - backup_engine: borg
    - backup_name: mybackupname
    - backup_encryption_key: test
    - backup_target_dir: "/var/backup/"
    - backup_schedule: "*-*-* 03:00:00"
    - backup_exclude_list:
        - "*/Downloads"
        - "*/google-chrome*"
    - backup_include_list:
        - /home/papanito
    - backup_prune_keep_daily: 7
    - backup_prune_keep_weekly: 5
    - backup_prune_keep_monthly: 6
    - backup_prune_keep_yearly: 1
  roles:
    - papanito.backup
```
This will create a backup at `/var/backup/mybackupname` and the following systemd files:
- `/opt/borg_backups/automatic-backup-mybackupname-local.sh` (backup script)
- `/etc/systemd/system/automatic-backup-mybackupname-local.service` (systemd service file)
- `/etc/systemd/system/automatic-backup-mybackupname-local.timer` (systemd timers file)
```yaml
- hosts: localhost
  remote_user: root
  vars:
    - backup_engine: restic
    - backup_include_list:
        - /home/aedu/Downloads/Fotos
    - backup_systemd_user: root
    - backup_name: test
    - backup_encryption_key: test
    - backup_target_dir: "/test"
    - backup_delete: true
    - backup_create: true
    - backup_source_dir: ./defaults
    - b2_account_id: XXXX
    - b2_account_key: XXXX
  roles:
    - papanito.backup
```
This is Free Software, released under the terms of the Apache v2 license.