From 3f3b7da7cc24e0a307bc7000ff8735d661ad8ab5 Mon Sep 17 00:00:00 2001
From: Tunui Franken
Date: Sat, 29 Mar 2025 19:20:24 +0100
Subject: [PATCH] Add borgmatic config
---
 inventory/group_vars/lime2servers | 10 +++
 inventory/group_vars/mailservers | 6 ++
 inventory/host_vars/eumycota | 11 +++
 inventory/host_vars/lime2 | 11 +++
 roles/borgmatic/defaults/main.yml | 3 +
 roles/borgmatic/tasks/main.yml | 19 ++++
 .../templates/borgmatic.d/config.yml.j2 | 87 +++++++++++++++++++
 7 files changed, 147 insertions(+)
 create mode 100644 inventory/group_vars/lime2servers
 create mode 100644 roles/borgmatic/defaults/main.yml
 create mode 100644 roles/borgmatic/templates/borgmatic.d/config.yml.j2
diff --git a/inventory/group_vars/lime2servers b/inventory/group_vars/lime2servers
new file mode 100644
index 0000000..f03b5b6
--- /dev/null
+++ b/inventory/group_vars/lime2servers
@@ -0,0 +1,10 @@
+---
+
+backup_additional_source_directories:
+ - /var/lib/forgejo/forgejo-dumps
+ - /var/www/tunuifranken.info
+borgmatic_hooks:
+ before_backup:
+ - sudo -Hiu git /usr/local/bin/forgejo-backup.sh backup
+ after_backup:
+ - sudo -Hiu git /usr/local/bin/forgejo-backup.sh prune 1
diff --git a/inventory/group_vars/mailservers b/inventory/group_vars/mailservers
index d9e316a..10a96fd 100644
--- a/inventory/group_vars/mailservers
+++ b/inventory/group_vars/mailservers
@@ -6,3 +6,9 @@ virtual_domains:
 add_cert_email: "dns@{{ virtual_domains.0 }}"
 add_cert_domain: "{{ ansible_hostname }}.{{ virtual_domains.0 }}"
 add_cert_post_hook: systemctl restart postfix dovecot
+
+backup_additional_source_directories:
+ - /var/vmail
+borgmatic_hooks:
+ postgresql_databases:
+ - name: all
diff --git a/inventory/host_vars/eumycota b/inventory/host_vars/eumycota
index dc7698f..ee46420 100644
--- a/inventory/host_vars/eumycota
+++ b/inventory/host_vars/eumycota
@@ -51,3 +51,14 @@ vault_virtual_user_0_pwd: !vault | smart_devices: - /dev/sda + +borg_passphrase: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 33303731373664306163306132663835653431663261373761326135613830373730336139613861 + 3531336332306137643135303537643936393430633834340a623838666330333337623239383364 + 30336162396530653738363633383036616234323138643639333664346331363434393662616438 + 3835336461366164310a613261653862633962323164386465653066363363363836663632646332 + 34363065343464616231303839353332663566633439336639626135653538353665346634663439 + 37376231356435353938656634653530646234316237303533323336663266613463626432623836 + 65386664653330613231633464666666623061333364393331366232333465333736633764373561 + 61613436393939316133 diff --git a/inventory/host_vars/lime2 b/inventory/host_vars/lime2 index 1124f18..f7e609d 100644 --- a/inventory/host_vars/lime2 +++ b/inventory/host_vars/lime2 @@ -184,3 +184,14 @@ nagstamon_pwd: !vault | 35333633613530373864373530653936376532663933346431376435356665373863356461393734 6435363230366562630a636364653531366563313335303464666337356138656634373063643431 33613664333030643233303738343930376263353038653762633461646330346436 + +borg_passphrase: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 37663238393036376561383533383163363262626264316266306439383765383366323837313730 + 3963633235303435646431646431623862353965626538300a636633633865346133633133316663 + 38383763316231396232613031303332616236363166336263653364653539303131346439356337 + 6664653661643331380a343533306463326566356531666533363534643831333139303066623562 + 33313530646662333366383230383964306336393830653766303136646430613838613362623132 + 36616462633761303338333235393737336161306661343639303061393737343562636439306131 + 34353934333132633062653239333236386530383637313535333836623164663964313536303133 + 39623431313463303766 diff --git a/roles/borgmatic/defaults/main.yml b/roles/borgmatic/defaults/main.yml new file mode 100644 index 0000000..a705267 --- /dev/null 
+++ b/roles/borgmatic/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+
+borg_passphrase: foo
diff --git a/roles/borgmatic/tasks/main.yml b/roles/borgmatic/tasks/main.yml
index 1633e4c..2eb16cb 100644
--- a/roles/borgmatic/tasks/main.yml
+++ b/roles/borgmatic/tasks/main.yml
@@ -34,3 +34,22 @@
 path: ~/.ssh/authorized_keys
 line: "{{ ssh_pubkey.content | b64decode | trim }}"
 create: true
+ mode: 0600
+
+- name: Create /etc/borgmatic.d directory
+ become: true
+ ansible.builtin.file:
+ path: /etc/borgmatic.d
+ state: directory
+ owner: root
+ group: root
+ mode: 0700
+
+- name: Copy borgmatic config
+ become: true
+ ansible.builtin.template:
+ src: borgmatic.d/config.yml.j2
+ dest: "/etc/borgmatic.d/{{ ansible_hostname }}.yml"
+ owner: root
+ group: root
+ mode: 0600
diff --git a/roles/borgmatic/templates/borgmatic.d/config.yml.j2 b/roles/borgmatic/templates/borgmatic.d/config.yml.j2
new file mode 100644
index 0000000..3441ad3
--- /dev/null
+++ b/roles/borgmatic/templates/borgmatic.d/config.yml.j2
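Review bot: `borg_passphrase: foo` in roles/borgmatic/defaults/main.yml gives every host without its own vaulted `borg_passphrase` a working but guessable value, so a missing host variable is never noticed and the template renders `foo` into `encryption_passphrase`. This patch adds a vaulted value only for eumycota and lime2; any other host that applies the role would silently fall back to the default. I would drop the default and fail early with an `ansible.builtin.assert` as the first task, using `that: borg_passphrase is defined and borg_passphrase | length > 0`.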
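Review bot: The `Copy borgmatic config` task in roles/borgmatic/tasks/main.yml renders `borg_passphrase` into the destination file but sets neither `diff: false` nor `no_log: true`, so a run with `--diff` prints the rendered content, passphrase included, to the terminal and to any log that captures it. Add `diff: false` (or `no_log: true`) to that task. The three new `mode:` values are bare `0600`/`0700`; Ansible accepts a leading-zero octal, but quoting them as `mode: "0600"` and `mode: "0700"` avoids relying on YAML 1.1 octal parsing. The first `mode: 0600` belongs to a task that starts above the hunk.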
@@ -0,0 +1,87 @@
+# {{ ansible_managed }}
+
+location:
+ repositories:
+ - ssh://borg@{{ backup_server }}/./{hostname}
+
+ source_directories:
+ - /root
+ - /etc
+ - /home
+ - /var/log
+ - /var/mail
+ - /var/lib/icinga2
+{% for source_directory in backup_additional_source_directories %}
+ - {{ source_directory }}
+{% endfor %}
+ one_file_system: true
+
+ exclude_patterns:
+ - '*.pyc'
+ - /home/*/.cache
+ - /etc/ssl
+ - /var/lib/icinga2/api
+ - /var/lib/icinga2/icinga2.state
+ - /var/lib/icinga2/modified-attributes.conf
+
+storage:
+ encryption_passphrase: "{{ borg_passphrase }}"
+
+retention:
+ keep_daily: 7
+ keep_weekly: 4
+ keep_monthly: 6
+ keep_yearly: 1
+
+hooks:
+{% if borgmatic_hooks.before_everything is defined %}
+ before_everything:
+{% for hook in borgmatic_hooks.before_everything %}
+ - {{ hook }}
+{% endfor %}
+{% endif %}
+{% if borgmatic_hooks.before_backup is defined %}
+ before_backup:
+{% for hook in borgmatic_hooks.before_backup %}
+ - {{ hook }}
+{% endfor %}
+{% endif %}
+{% if borgmatic_hooks.after_backup is defined %}
+ after_backup:
+{% for hook in borgmatic_hooks.after_backup %}
+ - {{ hook }}
+{% endfor %}
+{% endif %}
+{% if borgmatic_hooks.after_everything is defined %}
+ after_everything:
+{% for hook in borgmatic_hooks.after_everything %}
+ - {{ hook }}
+{% endfor %}
+{% endif %}
+{% if borgmatic_hooks.on_error is defined %}
+ on_error:
+{% for hook in borgmatic_hooks.on_error %}
+ - {{ hook }}
+{% endfor %}
+{% endif %}
+{% if borgmatic_hooks.postgresql_databases is defined %}
+ postgresql_databases:
+{% for hook in borgmatic_hooks.postgresql_databases %}
+ - name: {{ hook.name | default('all') }}
+ username: {{ hook.username | default('postgres') }}
+ format: {{ hook.format | default('custom') }}
+{% endfor %}
+{% endif %}
+{% if borgmatic_hooks.mysql_databases is defined %}
+ mysql_databases:
+{% for hook in borgmatic_hooks.mysql_databases %}
+ - name: {{ hook.name | default('all') }}
+{% if hook.username is defined %}
+ username: {{ hook.username }}
+{% endif %}
+{% if hook.password is defined %}
+ password: {{ hook.password }}
+{% endif %}
+ format: {{ hook.format | default('sql') }}
+{% endfor %}
+{% endif %}
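Review bot: `encryption_passphrase: "{{ borg_passphrase }}"` drops the secret into a hand-written double-quoted YAML scalar, so a passphrase containing `"` or `\` renders either an invalid file or a value that differs from the one stored in the vault. Let the filter do the quoting with `encryption_passphrase: {{ borg_passphrase | to_json }}`, and likewise `password: {{ hook.password | to_json }}` in the `mysql_databases` block, where the value is currently emitted unquoted. The `- {{ hook }}` lines have the same weakness for commands that contain `: ` or ` #`. Separately, the loop over `backup_additional_source_directories` has no `| default([])`, and this patch defines that variable only for lime2servers and mailservers, so other hosts would fail to render unless it is set elsewhere.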