Start setting up backups

inventory/group_vars/prodservers

@@ -4,3 +4,5 @@ icinga2_master: lime2
 icinga2_agent: eumycota
 relayhost: eumycota
 relayclient: lime2
+backup_server: eumycota
+backup_client: lime2

inventory/group_vars/testservers

@@ -4,3 +4,5 @@ icinga2_master: lime2-test
 icinga2_agent: eumycota-test
 relayhost: eumycota-test
 relayclient: lime2-test
+backup_server: eumycota-test
+backup_client: lime2-test

inventory/hosts

@@ -18,3 +18,7 @@ lime2-test
 [mailservers]
 eumycota
 eumycota-test
+
+[backupservers]
+eumycota
+eumycota-test

playbooks/all.yml

@@ -22,3 +22,6 @@
 
 - name: Set up mail server
   ansible.builtin.import_playbook: mailserver.yml
+
+# - name: Set up backups
+#   ansible.builtin.import_playbook: backup.yml

playbooks/backup.yml

@@ -0,0 +1,19 @@
+---
+
+- name: Setup backup server
+  gather_facts: true
+  hosts: backupservers
+  roles:
+    - role: common_handlers
+      tags: always
+    - role: borg_server
+      tags: borg
+
+- name: Setup backup clients
+  gather_facts: true
+  hosts: all
+  roles:
+    - role: common_handlers
+      tags: always
+    - role: borgmatic
+      tags: borgmatic

roles/borg_server/tasks/main.yml

@@ -0,0 +1,69 @@
+---
+
+- name: Install needed packages
+  become: true
+  ansible.builtin.apt:
+    name:
+      - borgbackup
+      - acl  # for become_user: borg
+
+- name: Create a LV for /var/lib/borg
+  become: true
+  community.general.lvol:
+    vg: "vg_{{ ansible_hostname }}"
+    lv: borg
+    state: present
+    size: 5g
+    resizefs: true
+
+- name: Format borg LV to ext4
+  become: true
+  community.general.filesystem:
+    dev: "/dev/vg_{{ ansible_hostname }}/borg"
+    fstype: ext4
+    resizefs: true
+    state: present
+
+- name: Mount /var/lib/borg
+  become: true
+  ansible.posix.mount:
+    src: "/dev/vg_{{ ansible_hostname }}/borg"
+    path: /var/lib/borg
+    state: mounted
+    fstype: ext4
+
+- name: Create borg group
+  become: true
+  ansible.builtin.group:
+    name: borg
+    system: true
+    state: present
+
+- name: Create borg user
+  become: true
+  ansible.builtin.user:
+    name: borg
+    group: borg
+    home: /var/lib/borg
+    create_home: false
+    shell: /bin/bash
+    system: true
+
+- name: Set ownership for /var/lib/borg
+  become: true
+  ansible.builtin.file:
+    path: /var/lib/borg
+    state: directory
+    owner: borg
+    group: borg
+    recurse: true
+
+- name: Create ~/.ssh dir
+  become: true
+  become_user: borg
+  ansible.builtin.file:
+    path: ~/.ssh
+    state: directory
+    owner: borg
+    group: borg
+    mode: 0700

roles/borgmatic/tasks/main.yml

@@ -0,0 +1,36 @@
+---
+
+- name: Install borgmatic
+  become: true
+  ansible.builtin.apt:
+    name: borgmatic
+
+- name: Make sur /root/.ssh dir exists
+  become: true
+  ansible.builtin.file:
+    path: ~/.ssh
+    state: directory
+    owner: root
+    group: root
+    mode: 0700
+
+- name: Create SSH key for root
+  become: true
+  ansible.builtin.command:
+    cmd: ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 -N ''
+    creates: /root/.ssh/id_ed25519
+
+- name: Slurp SSH pubkey for root
+  become: true
+  ansible.builtin.slurp:
+    src: ~/.ssh/id_ed25519.pub
+  register: ssh_pubkey
+
+- name: Authorize root pubkey on backup server
+  delegate_to: "{{ backup_server }}"
+  become: true
+  become_user: borg
+  ansible.builtin.lineinfile:
+    path: ~/.ssh/authorized_keys
+    line: "{{ ssh_pubkey.content | b64decode }}"
+    create: true