six/infra
1
0
Forkuj 0
sforkowany z cisti/infra
Kod Wydania Aktywność
infra/roles/stable/restic/README.md
les 126e3ffd0d add backup restic role
2021-01-04 18:56:12 +01:00

5,1 KiB
Czysty Wina Historia

Ansible role for Restic

This role will setup Restic backups on a Debian/Ubuntu machine using a systemd service and timer.

It supports S3 backend or SFTP backend and will thus setup the SSH config and SSH private keys (see variables below).

Role Variables

Restic installation

The role will download and install the restic binary (version restic_version) into restic_path if the file does not exist.

If you want to force the installation, overwrite the binary or update restic, you can run ansible with --extra-vars restic_install=true.

Restic configuration

  • restic_user: user to run restic as (root)
  • restic_user_home: home directory of the restic_user (/root)
  • restic_password: password used for repository encryption
  • restic_repository_name: the name of the repository (restic)
  • restic_check: run restic check as ExecStartPre if true (false)
  • restic_default_folders: a default list of folders that restic will backup (/etc/, /root and /var/log)
  • restic_folders: the list of folder you want to backup
  • restic_dump_compression_enabled: enable piping to pigz for database dumps

Each folder has a path and an exclude property (which defaults to nothing). The exclude property is the literal argument passed to restic (exemple: --exclude .cache --exclude .local).

restic_default_folders and restic_folders are combined to form the final list of backuped folders.

  • restic_databases: a list of databases to dump

Each database has a name property which will be the name of the restic snapshot ({{ database.name }}.sql). They also have a dump_command property which is the command to dump the database to stdout (like mysqldump dbname).

  • restic_forget: run restic forget as ExecStartPost with --keep-within {{ restic_forget_keep_within }} (true)
  • restic_forget_keep_within: period of time to use with --keep-within (30d)
  • restic_prune: run restic prune as ExecStartPost (true)

SSH/SFTP backend configuration

The SSH configuration will be written in {{ restic_user_home }}/.ssh/config.

  • restic_ssh_host: backend name and SSH alias for the backup host
  • restic_ssh_user: user for SSH connection
  • restic_ssh_hostname: actual SSH hostname of the backup machine
  • restic_ssh_private_key: private SSH key used to connect to the backup host
  • restic_ssh_private_key_path: path of the private key to use (~/.ssh/backup)
  • restic_ssh_port: SSH port to use with the backup machine (23)

S3 backend configuration

  • restic_ssh_enabled: set to false
  • restic_repository_name: set to s3 endpoint + bucket, restic syntax (e.g. s3:https://s3.fr-par.scw.cloud/restic-bucket)
  • restic_aws_access_key_id: AWS_ACCESS_KEY_ID
  • restic_aws_secret_access_key: AWS_SECRET_ACCESS_KEY

Sytemd service and timer

A restic-backup.service service will be created with all the parameters defined above. The service is of type oneshot and will be triggered periodically with restic-backup.timer.

The timer is configurable as follows:

  • restic_systemd_timer_on_calender: defines the OnCalendar directive (*-*-* 03:00:00)
  • restic_systemd_timer_randomized_delay_sec: Delay the timer by a random amount of time between 0 and the specified time value. (0)

See the systemd.timer documentation for more information.

You can see the logs of the backup with journalctl. (journalctl -xefu restic-backup).

Example playbook

---

- hosts: myhost
  roles: restic
  vars:
    restic_ssh_user: backupuser
    restic_ssh_hostname: storage-server.infra.tld
    restic_folders:
      - {path: "/srv"}
      - {path: "/var/www"}
    restic_databases:
    - {name: website, dump_command: sudo -Hiu postgres pg_dump -Fc website}
    - {name: website2, dump_command: mysqldump website2}
    restic_password: mysuperduperpassword
    restic_ssh_private_key: |-
      -----BEGIN OPENSSH PRIVATE KEY-----
      b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
      QyNTUxOQAAACAocs5g1I4kFQ1HH/YZiVU+zLhRDu4tfzZ9CmFAfKhL2AAAAJi02XEwtNlx
      MAAAAAtzc2gtZWQyNTUxOQAAACAocs5g1I4kFQ1HH/YZiVU+zLhRDu4tfzZ9CmFAfKhL2A
      AAAEADZf2Pv4G74x+iNtuwSV/ItnR3YQJ/KUaNTH19umA/tChyzmDUjiQVDUcf9hmJVT7M
      uFEO7i1/Nn0KYUB8qEvYAAAAE3N0YW5pc2xhc0BtYnAubG9jYWwBAg==
      -----END OPENSSH PRIVATE KEY-----

S3 example:

---

- hosts: myhost
  roles: restic
  vars:
    restic_ssh_enabled: false
    restic_repository: "s3:https://s3.fr-par.scw.cloud/restic-bucket"
    restic_aws_access_key_id: xxxxx
    restic_aws_secret_access_key: xxxxx
    restic_folders:
      - {path: "/srv"}
      - {path: "/var/www"}
    restic_databases:
    - {name: website, dump_command: sudo -Hiu postgres pg_dump -Fc website}
    - {name: website2, dump_command: mysqldump website2}
    restic_password: mysuperduperpassword

Of course, restic_password and restic_ssh_private_key should be stored using ansible-vault.

License

MIT

Author Information

See my other Ansible roles at angristan/ansible-roles.