initial pfannkuchen

roles/borg/defaults/main.yml

@@ -0,0 +1,14 @@
+---
+backup_source: /app-config
+borg_ssh_key: /root/.ssh/id_borg
+borg_passphrase: "{{ vault_borg_passphrase }}"
+borg_repo: "ssh://storagebox/home/{{ inventory_hostname }}"
+borg_retention_daily: 7
+borg_retention_weekly: 4
+borg_retention_monthly: 6
+borg_compression: lz4
+borg_remote_path: borg-1.4
+borg_logfile: /var/log/borg-backup.log
+hetzner_storage_host: "{{ vault_hetzner_storage_host }}"
+hetzner_storage_user: "{{ vault_hetzner_storage_user }}"
+hetzner_storage_port: 23

roles/borg/tasks/main.yml

@@ -0,0 +1,94 @@
+---
+- name: Borg installieren
+  apt:
+    name: borgbackup
+    state: present
+    update_cache: yes
+
+- name: SSH Private Key deployen
+  copy:
+    src: id_rsa
+    dest: "{{ borg_ssh_key }}"
+    mode: '0600'
+
+- name: SSH Public Key deployen
+  copy:
+    src: id_rsa.pub
+    dest: "{{ borg_ssh_key }}.pub"
+    mode: '0644'
+
+- name: SSH Config für Storage Box
+  blockinfile:
+    path: /root/.ssh/config
+    create: yes
+    mode: '0600'
+    marker: "# {mark} BORG STORAGEBOX"
+    block: |
+      Host storagebox
+        Hostname {{ hetzner_storage_host }}
+        User {{ hetzner_storage_user }}
+        Port {{ hetzner_storage_port }}
+        IdentityFile {{ borg_ssh_key }}
+        IdentitiesOnly yes
+        StrictHostKeyChecking accept-new
+
+- name: Backup-Verzeichnis auf Storage Box anlegen
+  command: ssh storagebox mkdir -p home/{{ inventory_hostname }}
+  changed_when: false
+
+- name: Borg Repo initialisieren
+  environment:
+    BORG_PASSPHRASE: "{{ borg_passphrase }}"
+  command: borg init --encryption=repokey {{ borg_repo }}
+  register: borg_init
+  failed_when: borg_init.rc != 0 and 'already exists' not in borg_init.stderr
+  changed_when: borg_init.rc == 0
+
+- name: Passphrase-Datei deployen
+  copy:
+    dest: /root/.borg-passphrase
+    content: "{{ borg_passphrase }}"
+    mode: '0400'
+
+- name: Backup-Script deployen
+  template:
+    src: borg-backup.sh.j2
+    dest: /usr/local/bin/borg-backup.sh
+    mode: '0700'
+
+- name: Systemd Timer Unit
+  copy:
+    dest: /etc/systemd/system/borg-backup.timer
+    content: |
+      [Unit]
+      Description=Borg Backup Timer
+
+      [Timer]
+      OnCalendar=*-*-* 03:00:00
+      RandomizedDelaySec=1800
+      Persistent=true
+
+      [Install]
+      WantedBy=timers.target
+
+- name: Systemd Service Unit
+  copy:
+    dest: /etc/systemd/system/borg-backup.service
+    content: |
+      [Unit]
+      Description=Borg Backup
+      After=network-online.target
+      Wants=network-online.target
+
+      [Service]
+      Type=oneshot
+      ExecStart=/usr/local/bin/borg-backup.sh
+      Nice=19
+      IOSchedulingClass=idle
+
+- name: Timer aktivieren und starten
+  systemd:
+    name: borg-backup.timer
+    enabled: true
+    state: started
+    daemon_reload: true

roles/borg/templates/borg-backup.sh.j2

@@ -0,0 +1,33 @@
+#!/bin/bash
+set -euo pipefail
+
+export BORG_PASSPHRASE=$(cat /root/.borg-passphrase)
+REPO="{{ borg_repo }}"
+LOGFILE="{{ borg_logfile }}"
+
+echo "[$(date)] Starte Backup: {{ inventory_hostname }}" >> "$LOGFILE"
+
+borg create \
+  --verbose \
+  --filter AME \
+  --remote-path={{ borg_remote_path }} \
+  --stats \
+  --show-rc \
+  --compression {{ borg_compression }} \
+  "${REPO}::{{ inventory_hostname }}-$(date +%Y-%m-%d_%H-%M)" \
+  {{ backup_source }} >> "$LOGFILE" 2>&1
+
+BACKUP_RC=$?
+
+borg prune -v --list "${REPO}" \
+  --keep-daily={{ borg_retention_daily }} \
+  --keep-weekly={{ borg_retention_weekly }} \
+  --keep-monthly={{ borg_retention_monthly }} >> "$LOGFILE" 2>&1
+
+PRUNE_RC=$?
+
+borg compact "${REPO}" >> "$LOGFILE" 2>&1
+
+GLOBAL_RC=$(( BACKUP_RC > PRUNE_RC ? BACKUP_RC : PRUNE_RC ))
+echo "[$(date)] Backup beendet mit Code $GLOBAL_RC" >> "$LOGFILE"
+exit $GLOBAL_RC