initial commit

.gitignore

+# Created by .ignore support plugin (hsz.mobi)
+### Python template
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+pip-wheel-metadata/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+.hypothesis/
+.pytest_cache/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+.python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# celery beat schedule file
+celerybeat-schedule
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+### JetBrains template
+# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio and WebStorm
+# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
+
+# User-specific stuff
+.idea/**/workspace.xml
+.idea/**/tasks.xml
+.idea/**/usage.statistics.xml
+.idea/**/dictionaries
+.idea/**/shelf
+
+# Generated files
+.idea/**/contentModel.xml
+
+# Sensitive or high-churn files
+.idea/**/dataSources/
+.idea/**/dataSources.ids
+.idea/**/dataSources.local.xml
+.idea/**/sqlDataSources.xml
+.idea/**/dynamic.xml
+.idea/**/uiDesigner.xml
+.idea/**/dbnavigator.xml
+
+# Gradle
+.idea/**/gradle.xml
+.idea/**/libraries
+
+# Gradle and Maven with auto-import
+# When using Gradle or Maven with auto-import, you should exclude module files,
+# since they will be recreated, and may cause churn.  Uncomment if using
+# auto-import.
+# .idea/modules.xml
+# .idea/*.iml
+# .idea/modules
+# *.iml
+# *.ipr
+
+# CMake
+cmake-build-*/
+
+# Mongo Explorer plugin
+.idea/**/mongoSettings.xml
+
+# File-based project format
+*.iws
+
+# IntelliJ
+out/
+
+# mpeltonen/sbt-idea plugin
+.idea_modules/
+
+# JIRA plugin
+atlassian-ide-plugin.xml
+
+# Cursive Clojure plugin
+.idea/replstate.xml
+
+# Crashlytics plugin (for Android Studio and IntelliJ)
+com_crashlytics_export_strings.xml
+crashlytics.properties
+crashlytics-build.properties
+fabric.properties
+
+# Editor-based Rest Client
+.idea/httpRequests
+
+# Android studio 3.1+ serialized cache file
+.idea/caches/build_file_checksums.ser
+
+### Ansible template
+*.retry

.idea/borgbackup_client.iml

+<?xml version="1.0" encoding="UTF-8"?>
+<module type="JAVA_MODULE" version="4">
+  <component name="NewModuleRootManager" inherit-compiler-output="true">
+    <exclude-output />
+    <content url="file://$MODULE_DIR$" />
+    <orderEntry type="inheritedJdk" />
+    <orderEntry type="sourceFolder" forTests="false" />
+  </component>
+  <component name="TemplatesService">
+    <option name="TEMPLATE_FOLDERS">
+      <list>
+        <option value="$MODULE_DIR$/borgbackup_client/templates" />
+      </list>
+    </option>
+  </component>
+</module>
\ No newline at end of file

.idea/misc.xml

+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="JavaScriptSettings">
+    <option name="languageLevel" value="ES6" />
+  </component>
+</project>
\ No newline at end of file

.idea/modules.xml

+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="ProjectModuleManager">
+    <modules>
+      <module fileurl="file://$PROJECT_DIR$/.idea/borgbackup_client.iml" filepath="$PROJECT_DIR$/.idea/borgbackup_client.iml" />
+    </modules>
+  </component>
+</project>
\ No newline at end of file

.idea/vcs.xml

+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="VcsDirectoryMappings">
+    <mapping directory="" vcs="Git" />
+  </component>
+</project>
\ No newline at end of file

README.md

+# Borgbackup
+This role will:
+- Generate an SSH key for `root`
+- Deploy that key to `borgbackup_target_host
+`

defaults/main.yml

+---
+borgbackup_compression: "zstd"
+borgbackup_exclude_dirs:
+  - sh:/home/*/.gvfs
+  - sh:/home/*/.cache
+
+  # Google Chrome:
+  - sh:/home/*/.config/google-chrome/ShaderCache
+  - sh:/home/*/.config/google-chrome/Default/Application Cache
+  - sh:/home/*/.config/google-chrome/Default/Service Worker/CacheStorage
+
+  # Chromium:
+  - sh:/home/*/.config/chromium/ShaderCache
+  - sh:/home/*/.config/chromium/Default/Application Cache
+  - sh:/home/*/.config/chromium/Default/Service Worker/CacheStorage
+
+  # LibreOffice cache files
+  - sh:/home/*/.config/libreoffice/*/cache
+
+  # Atom
+  - sh:/home/*/.config/Atom/*Cache
+  - sh:/home/*/.config/Atom/IndexedDB
+
+  # Rust artefacts
+  - sh:/home/*/.cargo
+  - sh:/home/*/.rustup
+
+  # Node stuff
+  - sh:/home/*/**/node_modules
+  - sh:/home/*/**/bower_components
+
+borgbackup_pool: "/mnt/borgpool"

files/borgbackup-check.service

+[Unit]
+Description=Checks borg backups
+OnFailure=borgbackup-panic-email@%N.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/borgmatic --check -v 1

files/borgbackup-check.timer

+[Unit]
+Description=Borgbackup weekly check timer
+
+[Timer]
+# Run every sunday
+OnCalendar=Sun
+# with 24 hours skew
+RandomizedDelaySec=86400
+# and allow to be shifted around by at most 5 minutes by Systemd
+AccuracySec=300
+#do not immediately start after missed timer
+Persistent=false
+
+[Install]
+WantedBy=timers.target

files/borgbackup-panic-email.service

+[Unit]
+Description=Notifies on failed %i
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/borgbackup-panic-email %i

files/borgbackup.service

+[Unit]
+Description=borgmatic backup automator
+OnFailure=borgbackup-panic-email@%N.service
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/borgmatic --prune --create -v 1

files/borgbackup.timer

+[Unit]
+Description=borgbackup daily timer
+
+[Timer]
+# Run whenever during each hour
+# every hour
+OnCalendar=hourly
+# with a 55 minutes skew
+RandomizedDelaySec=3300
+# and allow to be shifted around by at most 5 minutes by Systemd
+AccuracySec=300
+Persistent=true
+
+[Install]
+WantedBy=timers.target

meta/main.yml

+---
+dependencies:
+  - borgbackup
+  - msmtp_relay

tasks/main.yml

+---
+- name: Generate SSH key
+  user:
+    name: root
+    generate_ssh_key: true
+
+- name: Get public key
+  shell: "cat /root/.ssh/id_rsa.pub"
+  register: hostkey
+  changed_when: false
+
+- import_tasks: onserver.yml
+  vars:
+    borgbackup_source_key: "{{hostkey.stdout}}"
+    borgbackup_source_host: "{{ansible_hostname}}"
+  delegate_to: "{{borgbackup_target_host}}"
+
+- name: Check if Repo already exists
+  stat:
+    path: "{{ borgbackup_pool }}/{{ ansible_hostname }}/backup"
+  register: repo
+  delegate_to: "{{borgbackup_target_host}}"
+
+- name: Gather facts for backup target
+  setup:
+  delegate_to: "{{ borgbackup_target_host }}"
+  delegate_facts: True
+  when: hostvars[borgbackup_target_host]['ansible_default_ipv4'] is not defined
+
+- name: Set target IP
+  set_fact:
+    borgbackup_target_ip: "{{ borgbackup_target_ip | default(hostvars[borgbackup_target_host]['ansible_default_ipv4']['address'], true) }}"
+
+- name: Add backup target key to known hosts
+  known_hosts:
+    name: "{{ borgbackup_target_ip }}"
+    key: "{{ borgbackup_target_ip }} ssh-ed25519 {{ hostvars[borgbackup_target_host]['ansible_ssh_host_key_ed25519_public'] }}"
+
+- name: Create Borg Repo
+  shell: "BORG_PASSPHRASE={{ borgbackup_key }} borg init -e repokey borgbackup@{{ borgbackup_target_ip }}:backup"
+  when: repo.stat.exists == False
+
+- name: Install borgmatic
+  pip:
+    name: borgmatic
+    state: latest
+    executable: pip3
+
+- name: Create borgmatic config folder
+  file:
+    path: /etc/borgmatic
+    state: directory
+
+- name: Copy borgmatic config
+  template:
+    src: config.yaml.j2
+    dest: /etc/borgmatic/config.yaml
+
+- name: Add borgbackup service
+  copy:
+    src: "borgbackup.service"
+    dest: "/etc/systemd/system/borgbackup.service"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  register: service
+
+- name: Add borgbackup timer
+  copy:
+    src: "borgbackup.timer"
+    dest: "/etc/systemd/system/borgbackup.timer"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  register: timer
+
+- name: Add borgbackup-check service
+  copy:
+    src: "borgbackup-check.service"
+    dest: "/etc/systemd/system/borgbackup-check.service"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  register: check_service
+
+- name: Add borgbackup-check timer
+  copy:
+    src: "borgbackup-check.timer"
+    dest: "/etc/systemd/system/borgbackup-check.timer"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  register: check_timer
+
+- name: Copy notify script
+  template:
+    src: borgbackup-panic-email.sh
+    dest: /usr/local/bin/borgbackup-panic-email
+    owner: root
+    group: root
+    mode: 0755
+
+- name: Copy notify service
+  copy:
+    src: borgbackup-panic-email.service
+    dest: /etc/systemd/system/borgbackup-panic-email@.service
+    owner: root
+    group: root
+    mode: 0644
+  register: notify
+
+- name: Reload systemctl
+  command: systemctl daemon-reload
+  when: "service.changed or timer.changed or notify.changed"
+
+- name: Enable borgmatic timer
+  service:
+    name: "borgbackup.timer"
+    enabled: yes
+    state: started
+
+- name: Enable borgmatic-check timer
+  service:
+    name: "borgbackup-check.timer"
+    enabled: yes
+    state: started

tasks/onserver.yml

+---
+- name: Create Group
+  group:
+    name: "borgbackup"
+
+- name: Create User
+  user:
+    name: "borgbackup"
+    group: "borgbackup"
+
+- name: Set permissions
+  file:
+    path: "{{item}}"
+    owner: "borgbackup"
+    group: "borgbackup"
+    mode: 0700
+    state: directory
+  with_items:
+    - "{{ borgbackup_pool }}"
+    - "{{ borgbackup_pool }}/{{ borgbackup_source_host }}"
+
+- name: Add public key
+  authorized_key:
+    user: "borgbackup"
+    key: "{{borgbackup_source_key}}"
+    key_options: "command=\"cd {{ borgbackup_pool }}/{{ borgbackup_source_host }};borg serve --restrict-to-path {{ borgbackup_pool }}/{{ borgbackup_source_host }}\",restrict"

templates/borgbackup-panic-email.sh

+#!/bin/bash
+
+msmtp root << EOF
+From: $1 on $(hostname) <notifications@oh14.de>
+Subject: $1 failed on host $(hostname)
+
+Oh no :(
+The service $1.service on host $(hostname) failed.
+
+$(systemctl status -l -n 1000 $1.service)
+EOF

templates/config.yaml.j2

+location:
+  # List of source directories to backup. Globs are expanded.
+  source_directories:
+  {% for item in borgbackup_source_dirs %}
+  - {{ item }}
+  {% endfor %}
+
+  # Paths to local or remote repositories.
+  repositories:
+  - borgbackup@{{ borgbackup_target_ip }}:backup
+
+  exclude_patterns:
+  {% for item in borgbackup_exclude_dirs %}
+  - {{ item }}
+  {% endfor %}
+
+
+storage:
+  compression: {{ borgbackup_compression }}
+  encryption_passphrase: {{ borgbackup_key }}
+
+retention:
+# Retention policy for how many backups to keep in each category.
+  keep_within: 7d
+  keep_daily: 21
+  keep_weekly: 8
+  keep_monthly: 6
+  keep_yearly: 0
+
+consistency:
+  checks:
+  - repository
+  - archives
+  check_last: 3