diff --git a/inventory/group_vars/prodservers b/inventory/group_vars/prodservers
index 6280d97..590bd26 100644
--- a/inventory/group_vars/prodservers
+++ b/inventory/group_vars/prodservers
@@ -4,3 +4,5 @@ icinga2_master: lime2
 icinga2_agent: eumycota
 relayhost: eumycota
 relayclient: lime2
+backup_server: eumycota
+backup_client: lime2
diff --git a/inventory/group_vars/testservers b/inventory/group_vars/testservers
index 35a9d0a..18c8136 100644
--- a/inventory/group_vars/testservers
+++ b/inventory/group_vars/testservers
@@ -4,3 +4,5 @@ icinga2_master: lime2-test
 icinga2_agent: eumycota-test
 relayhost: eumycota-test
 relayclient: lime2-test
+backup_server: eumycota-test
+backup_client: lime2-test
diff --git a/inventory/hosts b/inventory/hosts
index 64f2d0c..4e7d9f3 100644
--- a/inventory/hosts
+++ b/inventory/hosts
@@ -18,3 +18,7 @@ lime2-test
 [mailservers]
 eumycota
 eumycota-test
+
+[backupservers]
+eumycota
+eumycota-test
diff --git a/playbooks/all.yml b/playbooks/all.yml
index 27dbae0..6b8b0d0 100644
--- a/playbooks/all.yml
+++ b/playbooks/all.yml
@@ -22,3 +22,6 @@
 
 - name: Set up mail server
   ansible.builtin.import_playbook: mailserver.yml
+
+# - name: Set up backups
+#   ansible.builtin.import_playbook: backup.yml
diff --git a/playbooks/backup.yml b/playbooks/backup.yml
new file mode 100644
index 0000000..a6efb79
--- /dev/null
+++ b/playbooks/backup.yml
@@ -0,0 +1,19 @@
+---
+
+- name: Setup backup server
+  gather_facts: true
+  hosts: backupservers
+  roles:
+    - role: common_handlers
+      tags: always
+    - role: borg_server
+      tags: borg
+
+- name: Setup backup clients
+  gather_facts: true
+  hosts: all
+  roles:
+    - role: common_handlers
+      tags: always
+    - role: borgmatic
+      tags: borgmatic
diff --git a/roles/borg_server/tasks/main.yml b/roles/borg_server/tasks/main.yml
new file mode 100644
index 0000000..5ed1b20
--- /dev/null
+++ b/roles/borg_server/tasks/main.yml
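Review bot: The import of backup.yml lands in playbooks/all.yml only as commented-out lines, so the aggregate playbook never runs the new backup plays and nothing records why they are held back. Commented-out configuration tends to rot silently; either enable the import now that the plays carry `always`/`borg`/`borgmatic` tags, or keep it disabled but say why, e.g. `# TODO: enable once the borg_server/borgmatic roles have been verified on testservers`.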
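Review bot: The `Setup backup clients` play targets `hosts: all`, while the group_vars added in this commit define `backup_client` (lime2 / lime2-test) and nothing in the diff reads that variable. As written the borgmatic role also runs on the backup server itself, so eumycota's root key ends up authorized on its own borg account. If only the designated client is meant to be backed up, a `backupclients` group in inventory/hosts next to the new `backupservers` group would let the play use `hosts: backupclients` and match the intent of the variables; otherwise the unused `backup_client` entries in both group_vars files can go.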
@@ -0,0 +1,69 @@
+---
+
+- name: Install needed packages
+  become: true
+  ansible.builtin.apt:
+    name:
+      - borgbackup
+      - acl # for become_user: borg
+
+- name: Create a LV for /var/lib/borg
+  become: true
+  community.general.lvol:
+    vg: "vg_{{ ansible_hostname }}"
+    lv: borg
+    state: present
+    size: 5g
+    resizefs: true
+
+- name: Format borg LV to ext4
+  become: true
+  community.general.filesystem:
+    dev: "/dev/vg_{{ ansible_hostname }}/borg"
+    fstype: ext4
+    resizefs: true
+    state: present
+
+- name: Mount /var/lib/borg
+  become: true
+  ansible.posix.mount:
+    src: "/dev/vg_{{ ansible_hostname }}/borg"
+    path: /var/lib/borg
+    state: mounted
+    fstype: ext4
+
+- name: Create borg group
+  become: true
+  ansible.builtin.group:
+    name: borg
+    system: true
+    state: present
+
+- name: Create borg user
+  become: true
+  ansible.builtin.user:
+    name: borg
+    group: borg
+    home: /var/lib/borg
+    create_home: false
+    shell: /bin/bash
+    system: true
+
+- name: Set ownership for /var/lib/borg
+  become: true
+  ansible.builtin.file:
+    path: /var/lib/borg
+    state: directory
+    owner: borg
+    group: borg
+    recurse: true
+
+- name: Create ~/.ssh dir
+  become: true
+  become_user: borg
+  ansible.builtin.file:
+    path: ~/.ssh
+    state: directory
+    owner: borg
+    group: borg
+    mode: 0700
diff --git a/roles/borgmatic/tasks/main.yml b/roles/borgmatic/tasks/main.yml
new file mode 100644
index 0000000..9634f97
--- /dev/null
+++ b/roles/borgmatic/tasks/main.yml
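Review bot: The `Set ownership for /var/lib/borg` task sets owner and group but no mode, so the directory that will hold every host's backup data most likely keeps whatever permissions the fresh filesystem and mount gave it (typically 0755, world-readable). Adding `mode: "u=rwX,g=rX,o="` to that task confines access to the borg user and group, and the symbolic `X` keeps the recursive call from marking regular files executable. The `Create ~/.ssh dir` task relies on `~` expanding to borg's home under `become_user`, which depends on how become sets HOME; the home is already fixed to /var/lib/borg by the user task, so `path: /var/lib/borg/.ssh` removes that dependency. `mode: 0700` works because of the leading zero, but the quoted form `mode: "0700"` is the portable way to keep YAML from reading it as an integer.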
@@ -0,0 +1,36 @@
+---
+
+- name: Install borgmatic
+  become: true
+  ansible.builtin.apt:
+    name: borgmatic
+
+- name: Make sur /root/.ssh dir exists
+  become: true
+  ansible.builtin.file:
+    path: ~/.ssh
+    state: directory
+    owner: root
+    group: root
+    mode: 0700
+
+- name: Create SSH key for root
+  become: true
+  ansible.builtin.command:
+    cmd: ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 -N ''
+    creates: /root/.ssh/id_ed25519
+
+- name: Slurp SSH pubkey for root
+  become: true
+  ansible.builtin.slurp:
+    src: ~/.ssh/id_ed25519.pub
+  register: ssh_pubkey
+
+- name: Authorize root pubkey on backup server
+  delegate_to: "{{ backup_server }}"
+  become: true
+  become_user: borg
+  ansible.builtin.lineinfile:
+    path: ~/.ssh/authorized_keys
+    line: "{{ ssh_pubkey.content | b64decode }}"
+    create: true
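Review bot: The `Authorize root pubkey on backup server` task appends each client's root key to the borg account's authorized_keys with no key options, and the borg_server role gives that account `/bin/bash` and recursive ownership of /var/lib/borg, so every client root key becomes an unrestricted login on the backup server and a compromised client can read or delete every other host's repository. The usual mitigation is to pin the key to `borg serve` and confine it to that client's path, e.g. `line: 'command="borg serve --restrict-to-path /var/lib/borg/{{ inventory_hostname }}",restrict {{ ssh_pubkey.content | b64decode }}'`, adding `--append-only` if a compromised client should also be unable to prune history; `mode: "0600"` on the same task keeps the created file's permissions independent of the umask. `path: ~/.ssh/authorized_keys` depends on `~` resolving to borg's home under `become_user`; `/var/lib/borg/.ssh/authorized_keys` is explicit. The second task's name reads `Make sur`, presumably `Make sure`.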