From 8c0f7269232ac936aea848bd5e1b5aa50b7919d1 Mon Sep 17 00:00:00 2001 From: Arthur BOUDREAULT <arthur@lydra.fr> Date: Mon, 25 Jul 2022 16:00:04 +0200 Subject: [PATCH] feat: add Ansible role Restic to use S3 backups --- roles/ynh_backup/README-FR.md | 68 ++++++++++++++++++++------- roles/ynh_backup/README.md | 67 +++++++++++++++++++------- roles/ynh_backup/defaults/main.yml | 13 +++-- roles/ynh_backup/tasks/backup.yml | 10 ++-- roles/ynh_backup/tasks/borgbackup.yml | 50 ++++++++++---------- roles/ynh_backup/tasks/main.yml | 13 +++-- roles/ynh_backup/tasks/restic.yml | 39 +++++++++++++++ roles/ynh_backup/vars/main.yml | 1 + 8 files changed, 188 insertions(+), 73 deletions(-) create mode 100644 roles/ynh_backup/tasks/restic.yml diff --git a/roles/ynh_backup/README-FR.md b/roles/ynh_backup/README-FR.md index 178a558..359edab 100644 --- a/roles/ynh_backup/README-FR.md +++ b/roles/ynh_backup/README-FR.md @@ -11,10 +11,11 @@ YunoHost doit déjà être installé sur votre serveur. ## Variables du rôle Les variables par défaut sont disponibles dans `default/main.yml` cependant il est possible de les surcharger selon vos besoins. -Nous avons intégré deux systèmes de sauvegardes différents à ce rôle YunoHost : +Nous avons intégré trois systèmes de sauvegardes différents à ce rôle YunoHost : - sauvegardes natives YunoHost en local -- sauvegardes à distance avec un [depot BorgBackup](https://borgbackup.readthedocs.io/en/stable/) +- sauvegardes à distance avec un [dépôt BorgBackup](https://borgbackup.readthedocs.io/en/stable/) +- sauvegardes à distance avec un [dépôt Restic](https://restic.readthedocs.io/en/stable/) ### Sauvegardes natives YunoHost locales @@ -22,16 +23,15 @@ Nous avons intégré deux systèmes de sauvegardes différents à ce rôle YunoH ```yml ynh_backup: - scheduled: True - directory: "/data/backup" - scheduled_hour: "*" - scheduled_minute: "*/30" + scheduled: True + directory: "/data/backup" + scheduled_hour: "*" + scheduled_minute: "*/30" scheduled_weekday: "*" - scheduled_month: "*" - system: True - apps: True + scheduled_month: "*" + system: True + apps: True number_days_to_keep: "2" - ``` - `ynh_backup.scheduled` : active la fonctionnalité de sauvegarde des applications YunoHost en mettant la valeur à `True`. @@ -48,18 +48,17 @@ ynh_backup: ```yml ynh_borg_backup_scheduled: True -borg_source_directories: - - "/data/yunohost" -borg_repository: "/data/backup/live" +borg_source_directories: "{{ ynh_backup.directory }}" +borg_repository: "/data/backup/live" borg_encryption_passphrase: "PLEASECHANGEME" -borgmatic_config_name: "borgmatic_ynh_config" -borgmatic_cron_name: "borgmatic_ynh_cron" +borgmatic_config_name: "borgmatic_ynh_config" +borgmatic_cron_name: "borgmatic_ynh_cron" borg_retention_policy: keep_daily: "4" ynh_borg_backup_remote_repo: True -borg_ssh_keys_src: "files/prd/ssh_keys/ynh_ed25519.vault" -borg_ssh_keys_dest: "/home/debian/.ssh/ynh_ed25519" -ynh_ssh_borg_command: "ssh_command: ssh -p 7410 -o StrictHostKeychecking=no -i {{ borg_ssh_keys_dest }}" +borg_ssh_keys_src: "files/prd/ssh_keys/ynh_ed25519.vault" +borg_ssh_keys_dest: "/home/debian/.ssh/ynh_ed25519" +ynh_ssh_borg_command: "ssh_command: ssh -p 7410 -o StrictHostKeychecking=no -i {{ borg_ssh_keys_dest }}" ``` - `ynh_borg_backup_scheduled` : Active / désactive la fonctionnalité de sauvegarde avec BorgBackup. @@ -76,6 +75,39 @@ ynh_ssh_borg_command: "ssh_command: ssh -p 7410 -o StrictHostKeychecking=no -i { N'hésitez pas à regarder les variables disponibles dans le [rôle](https://github.com/borgbase/ansible-role-borgbackup). +### Sauvegardes distantes avec Restic + +- Les sauvegardes avec [Restic](https://restic.net/) : Grâce au rôle Ansible `do1jlr.restic`, nous pouvons automatiser le processus d'installation et de configuration de Restic sur un serveur YunoHost. Les sauvegardes Borg Restic accessibles sur un dépôt Restic en local ou à distance et compatible stockage objet S3. Plus d'info sur ce rôle [ici](https://github.com/roles-ansible/ansible_role_restic). + +âš ï¸ Attention, pour pouvoir utiliser le rôle Ansible `do1jlr.restic`, vous devez avoir les paquets suivants installé sur la machine qui exécute Ansible : `bzip2` (binaire disponible sur la plupart des systèmes Linux) et `jmespath` (paquet python, installable avec pip). + +```yml + +restic_repos: + s3_ynh_restic_repo: + location: "s3:s3.fr-par.scw.cloud/dummy_bucket_name" + password: "dummy_restic_repo_password" + aws_access_key: "dummy_access_key" + aws_secret_access_key: "dummy_secret_access_key" + aws_default_region: "fr-par" + init: true + +restic_backups: + YunoHost_remote: + name: "remote_ynh_restic" + repo: "s3_ynh_restic_repo" + src: "{{ ynh_backup.directory }}" + tags: + - yunohost + - remote + keep_within: "{{ restic_keep_time }}" + scheduled: true + schedule_hour: 1 + schedule_minute: 0 +``` + +N'hésitez pas à regarder les variables disponibles dans le [rôle](https://github.com/borgbase/ansible-role-borgbackup). + ## Dépendances Le rôle `m3nu.ansible_role_borgbackup` sera installé sur la machine exécutant Ansible pour que les tâches liées à Borg fonctionnent. Un fichier `requirements.yml` est à la racine du rôle et va télécharger le rôle (par défaut vers `~/.ansible/roles`). diff --git a/roles/ynh_backup/README.md b/roles/ynh_backup/README.md index 59ba516..0521744 100644 --- a/roles/ynh_backup/README.md +++ b/roles/ynh_backup/README.md @@ -11,10 +11,11 @@ YunoHost needs to be installed on your server. ## Role Variables The default variables are available in `default/main.yml` however it is possible to override them according to your needs. -We have integrated two different backup systems to this YunoHost role: +We have integrated three different backup systems to this YunoHost role: - YunoHost native local backups - Remote backups with a [BorgBackup repository](https://borgbackup.readthedocs.io/en/stable/) +- Remote backups with a [Restic repository](https://restic.readthedocs.io/en/stable/) ### YunoHost native local backups @@ -22,16 +23,15 @@ YunoHost provides its own native backup system. It is able to back up YunoHost c ```yml ynh_backup: - scheduled: True - directory: "/data/backup" - scheduled_hour: "*" - scheduled_minute: "*/30" + scheduled: True + directory: "/data/backup" + scheduled_hour: "*" + scheduled_minute: "*/30" scheduled_weekday: "*" - scheduled_month: "*" - system: True - apps: True - src_script: "templates/ynh_backup.sh.j2" - dest_script: "/usr/bin" + scheduled_month: "*" + system: True + apps: True + number_days_to_keep: "2" ``` - `ynh_backup.scheduled`: Enable the YunoHost applications backup feature by setting the value to `True`. @@ -48,22 +48,22 @@ ynh_backup: ```yml ynh_borg_backup_scheduled: True -borg_source_directories: - - "/data/yunohost" -borg_repository: "/data/backup/live" +borg_source_directories: "{{ ynh_backup.directory }}" +borg_repository: "/data/backup/live" borg_encryption_passphrase: "PLEASECHANGEME" -borgmatic_config_name: "borgmatic_ynh_config" -borgmatic_cron_name: "borgmatic_ynh_cron" +borgmatic_config_name: "borgmatic_ynh_config" +borgmatic_cron_name: "borgmatic_ynh_cron" borg_retention_policy: keep_daily: "4" ynh_borg_backup_remote_repo: True -borg_ssh_keys_src: "files/prd/ssh_keys/ynh_ed25519.vault" -borg_ssh_keys_dest: "/home/debian/.ssh/ynh_ed25519" +borg_ssh_keys_src: "files/prd/ssh_keys/ynh_ed25519.vault" +borg_ssh_keys_dest: "/home/debian/.ssh/ynh_ed25519" +ynh_ssh_borg_command: "ssh_command: ssh -p 7410 -o StrictHostKeychecking=no -i {{ borg_ssh_keys_dest }}" ``` - `ynh_borg_backup_scheduled`: Enable / disable the backup feature with BorgBackup. - `ynh_borg_backup_remote_repo`: Enable / disable the backup functionality on a BorgBackup remote repository (tasks related to SSH keys setup). If you enable this feature, then you will need to use `borg_ssh_keys_src` and `borg_ssh_keys_dest` variables. -- `borg_source_directories`: List of source folders to back up. By default, this is the folder containing all YunoHost data (configuration, applications). +- `borg_source_directories`: List of source folders to back up. By default, this is the folder in which YunoHost local backups are located. - `borg_repository`: Full path to the Borg repository. Possibility to give a list of repositories to save data in several places. - `borg_encryption_passphrase` : **Mandatory**, password to use for the Borg repository encryption key. - `borgmatic_config_name`: **Optional**, name of the Borgmatic configuration file. @@ -75,6 +75,37 @@ borg_ssh_keys_dest: "/home/debian/.ssh/ynh_ed25519" Feel free to look at the variables available in the [role](https://github.com/borgbase/ansible-role-borgbackup). +### remote backups with YunoHost Restic + +- Backups with [Restic](https://restic.net/): Thanks to the Ansible role `do1jlr.restic` we can automate the installation and configuration process of Restic on a YunoHost server. Restic backups are accessible on a local or a remote Restic repository and compatible with S3 object storage. More info about this role [here](https://github.com/roles-ansible/ansible_role_restic). + +```yml + +restic_repos: + s3_ynh_restic_repo: + location: "s3:s3.fr-par.scw.cloud/dummy_bucket_name" + password: "dummy_restic_repo_password" + aws_access_key: "dummy_access_key" + aws_secret_access_key: "dummy_secret_access_key" + aws_default_region: "fr-par" + init: true + +restic_backups: + YunoHost_remote: + name: "remote_ynh_restic" + repo: "s3_ynh_restic_repo" + src: "{{ ynh_backup.directory }}" + tags: + - yunohost + - remote + keep_within: "{{ restic_keep_time }}" + scheduled: true + schedule_hour: 1 + schedule_minute: 0 +``` + +Feel free to look at the variables available in the [role](https://github.com/roles-ansible/ansible_role_restic). + ## Dependencies The `m3nu.ansible_role_borgbackup` role will be installed on the machine running Ansible for Borg-related tasks to work. A `requirements.yml` file is in the root of the role and will download the role (by default to `~/.ansible/roles`). diff --git a/roles/ynh_backup/defaults/main.yml b/roles/ynh_backup/defaults/main.yml index 7b616ac..b68ee3b 100644 --- a/roles/ynh_backup/defaults/main.yml +++ b/roles/ynh_backup/defaults/main.yml @@ -23,10 +23,15 @@ ynh_backup: scheduled: False # Variables for YunoHost BorgBackup -ynh_borg_backup_scheduled: False +ynh_borg_backup_scheduled: False borg_source_directories: - "/data/yunohost" -borg_repository: "/data/backup/live" -borg_init_command: "borgmatic init -c /etc/borgmatic/{{ borgmatic_config_name }} -e repokey --syslog-verbosity 1" -borg_archive_name_format: "'{hostname}-yunohost-live-data-{now:%Y-%m-%d-%H%M%S}'" +borg_repository: "/data/backup/live" +borg_init_command: "borgmatic init -c /etc/borgmatic/{{ borgmatic_config_name }} -e repokey --syslog-verbosity 1" +borg_archive_name_format: "'{hostname}-yunohost-live-data-{now:%Y-%m-%d-%H%M%S}'" ynh_borg_backup_remote_repo: False + +# Variables for YunoHost Restic +# https://github.com/roles-ansible/ansible_role_restic +ynh_restic_backup_scheduled: False +restic_schedule_type: "cronjob" diff --git a/roles/ynh_backup/tasks/backup.yml b/roles/ynh_backup/tasks/backup.yml index 94ebd0b..7e6d6a3 100644 --- a/roles/ynh_backup/tasks/backup.yml +++ b/roles/ynh_backup/tasks/backup.yml @@ -25,19 +25,19 @@ - name: Create backup folder if doesn't already exist ansible.builtin.file: - path: "{{ ynh_backup.directory }}" + path: "{{ ynh_backup.directory }}" state: directory - mode: '0750' + mode: '0750' when: ynh_backup.directory is defined tags: backup - name: Create backup script ansible.builtin.template: - src: "{{ ynh_backup_src_script }}" - dest: "{{ ynh_backup_dest_script }}" + src: "{{ ynh_backup_src_script }}" + dest: "{{ ynh_backup_dest_script }}" owner: root group: root - mode: '0740' + mode: '0740' tags: backup - name: Create cron task to schedule YNH backup script diff --git a/roles/ynh_backup/tasks/borgbackup.yml b/roles/ynh_backup/tasks/borgbackup.yml index 9cb46ee..2dbfc28 100644 --- a/roles/ynh_backup/tasks/borgbackup.yml +++ b/roles/ynh_backup/tasks/borgbackup.yml @@ -18,12 +18,12 @@ # # #-----------------------------------------------------------------------------# - name: Download BorgBackup role on localhost - ansible.builtin.command: ansible-galaxy install m3nu.ansible_role_borgbackup,v0.9.0 -p ~/.ansible/roles + ansible.builtin.command: ansible-galaxy install m3nu.ansible_role_borgbackup,v0.9.0 -p "{{ _ansible_role_directory }}" delegate_to: localhost become: False tags: - - backup - - borg + - backup + - borg - name: Gather facts for BorgBackup role ansible.builtin.setup: @@ -35,8 +35,8 @@ ansible.builtin.import_role: name: m3nu.ansible_role_borgbackup tags: - - backup - - borg + - backup + - borg - name: Create backup folder for BorgBackup repository ansible.builtin.file: @@ -44,29 +44,29 @@ state: directory mode: '0750' tags: - - backup - - borg + - backup + - borg - name: Configure host for Borg Remote repository tags: - - backup - - borg + - backup + - borg block: - name: deploy ssh public key for BorgBackup ansible.builtin.copy: - src: "{{ borg_ssh_keys_src }}.pub" - dest: "{{ borg_ssh_keys_dest }}.pub" + src: "{{ borg_ssh_keys_src }}.pub" + dest: "{{ borg_ssh_keys_dest }}.pub" owner: "root" group: "root" - mode: 0600 + mode: 0600 - name: deploy ssh private key for BorgBackup ansible.builtin.copy: - src: "{{ borg_ssh_keys_src }}.vault" - dest: "{{ borg_ssh_keys_dest }}" + src: "{{ borg_ssh_keys_src }}.vault" + dest: "{{ borg_ssh_keys_dest }}" owner: "root" group: "root" - mode: 0600 + mode: 0600 when: ynh_borg_backup_remote_repo - name: change SSH command in "/etc/borgmatic/{{ borgmatic_config_name }}" @@ -77,19 +77,19 @@ state: present when: ynh_ssh_borg_command is defined tags: - - backup - - borg + - backup + - borg - name: change archive name in "/etc/borgmatic/{{ borgmatic_config_name }}" ansible.builtin.lineinfile: - path: "/etc/borgmatic/{{ borgmatic_config_name }}" + path: "/etc/borgmatic/{{ borgmatic_config_name }}" regexp: "archive_name_format:" line: " archive_name_format: {{ borg_archive_name_format }}" state: present tags: - - backup - - borg + - backup + - borg - name: Create borg launch script in /usr/local/bin ansible.builtin.copy: @@ -97,16 +97,16 @@ #!/bin/bash . /opt/borgmatic/bin/activate borg "$@" - dest: /usr/local/bin/borg + dest: /usr/local/bin/borg owner: root group: root mode: "0755" tags: - - backup - - borg + - backup + - borg - name: Initialize a new Borg repository ansible.builtin.command: "{{ borg_init_command }}" tags: - - backup - - borg + - backup + - borg diff --git a/roles/ynh_backup/tasks/main.yml b/roles/ynh_backup/tasks/main.yml index ac16ba4..e932c65 100644 --- a/roles/ynh_backup/tasks/main.yml +++ b/roles/ynh_backup/tasks/main.yml @@ -23,9 +23,16 @@ when: ynh_backup.scheduled tags: backup -- name: Use Borg Backup with YunoHost +- name: Use BorgBackup with YunoHost ansible.builtin.include_tasks: borgbackup.yml when: ynh_borg_backup_scheduled tags: - - backup - - borg + - backup + - borg + +- name: Use Restic with YunoHost + ansible.builtin.include_tasks: restic.yml + when: ynh_restic_backup_scheduled + tags: + - backup + - restic diff --git a/roles/ynh_backup/tasks/restic.yml b/roles/ynh_backup/tasks/restic.yml new file mode 100644 index 0000000..afe3722 --- /dev/null +++ b/roles/ynh_backup/tasks/restic.yml @@ -0,0 +1,39 @@ +--- +#-----------------------------------------------------------------------------# +# ansible-yunohost allows to deploy Yunohost using Ansible # +# Copyright 2021-present Lydra https://www.lydra.fr/ # +# # +# this program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# this program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see <http://www.gnu.org/licenses/>. # +# # +#-----------------------------------------------------------------------------# +- name: Download Restic role on localhost + ansible.builtin.command: ansible-galaxy install do1jlr.restic,v0.7.1 -p "{{ _ansible_role_directory }}" + delegate_to: localhost + become: False + tags: + - backup + - restic + +- name: Gather facts for Restic role + ansible.builtin.setup: + tags: + - backup + - restic + +- name: run Restic role + ansible.builtin.import_role: + name: do1jlr.restic + tags: + - backup + - restic diff --git a/roles/ynh_backup/vars/main.yml b/roles/ynh_backup/vars/main.yml index 2b41c9e..4b5fa40 100644 --- a/roles/ynh_backup/vars/main.yml +++ b/roles/ynh_backup/vars/main.yml @@ -22,3 +22,4 @@ ynh_backup_src_script: "templates/ynh_backup.sh.j2" ynh_backup_dest_script: "/usr/local/bin/ynh_backup.sh" _ynh_backup_directory: "/home/yunohost.backup/archives" +_ansible_role_directory: "~/.ansible/roles" -- GitLab