add simple borg backup role

roles/backup/defaults/main.yml

@@ -0,0 +1,28 @@
+secret_root: '{{ inventory_dir | realpath }}'
+secret_name: 'secret'
+secret: '{{ secret_root + "/" + secret_name }}'
+
+backup_vpn_net: "10.8.0.0/24"
+backup_vpn_bridge: "10.8.0.2"
+backup_host: "192.168.0.10"
+backup_share: "/mnt/data/backups"
+backup_borg_passphrase: "{{ lookup('password', secret + '/' + 'backup_borg_passphrase length=20') }}"
+backup_daily: "7"
+backup_weekly: "4"
+backup_monthly: "6"
+backup_source: "/"
+backup_repo_dir: "/mnt/nas_backups"
+backup_repo_name: "borg-linux-{{ server_name }}"
+backup_destination: "{{ backup_repo_dir }}/{{ backup_repo_name }}"
+backup_excludes:
+  - "/home/*/.cache/*"
+  - "/var/cache/*"
+  - "/var/tmp/*"
+  - "/media/*"
+  - "/mnt/*"
+  - "/dev/*"
+  - "/proc/*"
+  - "/sys/*"
+  - "/tmp/*"
+  - "/run/*"
+  - "/lost+found/*"

roles/backup/tasks/backup.yml

@@ -0,0 +1,88 @@
+
+- name: Install Borg-Backup, NFS Tools and their dependencies
+  apt:
+    name: "{{ packages }}"
+    state: present
+  vars:
+    packages:
+    - borgbackup
+    - nfs-common
+    - python-pexpect
+  tags:
+    - dependencies
+
+- name: Remove static route over VPN on shutdown
+  lineinfile:
+    path: /etc/network/interfaces.d/50-cloud-init.cfg
+    insertafter: "iface eth0 inet dhcp"
+    line: "pre-down ip route del {{ backup_vpn_net }} via {{ backup_vpn_bridge }} || true"
+
+- name: Add static route over VPN on boot
+  lineinfile:
+    path: /etc/network/interfaces.d/50-cloud-init.cfg
+    insertafter: "iface eth0 inet dhcp"
+    line: "post-up ip route add {{ backup_vpn_net }} via {{ backup_vpn_bridge }} || true"
+
+- name: Apply static route for current session
+  command: "ip route add {{ backup_vpn_net }} via {{ backup_vpn_bridge }}"
+  ignore_errors: yes
+
+- name: Creates directory for NFS mount
+  file:
+    path: "{{ backup_repo_dir }}"
+    state: directory
+    owner: root
+    group: root
+  ignore_errors: yes
+
+- name: Add NFS mount to /etc/fstab
+  lineinfile:
+    path: /etc/fstab
+    line: "{{ backup_host }}:{{ backup_share }} {{ backup_repo_dir }} nfs rw,async,hard,intr,noexec 0 0"
+
+- name: Mount NFS share
+  mount:
+    path: "{{ backup_repo_dir }}"
+    src: "{{ backup_host }}:{{ backup_share }}"
+    fstype: "nfs"
+    state: mounted
+
+- name: Create Borg Repo
+  expect:
+    chdir: "{{ backup_repo_dir }}"
+    creates: "{{ backup_destination }}"
+    command: "borg init --encryption=repokey {{ backup_repo_name }}"
+    responses:
+      "Enter new passphrase": "{{ backup_borg_passphrase }}"
+      "Enter same passphrase again": "{{ backup_borg_passphrase }}"
+      "Do you want your passphrase to be displayed for verification": "y"
+
+- name: Dump Borg Repo Key
+  command: borg key export {{ backup_destination }} /home/deploy/borg_repo_key
+
+- name: Dump Borg Repo Key
+  fetch:
+    src: /home/deploy/borg_repo_key
+    dest: "{{ secret }}/borg_repo_key"
+    fail_on_missing: yes
+
+- name: Remove Borg Repo Key dump
+  command: rm -rf /home/deploy/borg_repo_key
+
+- name: Unmount NFS share
+  command: "umount -l {{ backup_repo_dir }}"
+
+- name: Copy backup script
+  template:
+    src: home_deploy_backup-root_sh.j2
+    dest: /home/deploy/backup-root.sh
+    owner: root
+    group: root
+    mode: 0500
+
+- name: Configure daily backup cronjob
+  cron:
+    hour: "1"
+    minute: "0"
+    job: /home/deploy/backup-root.sh
+    name: "nas-backup"

roles/backup/tasks/main.yml

@@ -0,0 +1 @@
+- include: backup.yml tags=backup

roles/backup/templates/home_deploy_backup-root_sh.j2

@@ -0,0 +1,67 @@
+#!/bin/sh
+
+mount {{ backup_repo_dir }}
+
+# Setting this, so the repo does not need to be given on the commandline:
+export BORG_REPO={{ backup_destination }}
+
+# Setting this, so you won't be asked for your repository passphrase:
+export BORG_PASSPHRASE='{{ backup_borg_passphrase }}'
+
+# some helpers and error handling:
+info() { printf "\n%s %s\n\n" "$( date )" "$*" >&2; }
+trap 'echo $( date ) Backup interrupted >&2; exit 2' INT TERM
+
+info "Starting backup"
+
+# Backup the most important directories into an archive named after
+# the machine this script is currently running on:
+
+borg create \
+    --verbose \
+    --filter AME \
+    --stats \
+    --show-rc \
+    --compression lz4 \
+    --exclude-caches \
+{% for path in backup_excludes %}
+    --exclude '{{ path }}' \
+{% endfor %}
+    ::'{hostname}-{now}' \
+    {{ backup_source }} \
+
+backup_exit=$?
+
+info "Pruning repository"
+
+# Use the `prune` subcommand to maintain 7 daily, 4 weekly and 6 monthly
+# archives of THIS machine. The '{hostname}-' prefix is very important to
+# limit prune's operation to this machine's archives and not apply to
+# other machines' archives also:
+
+borg prune \
+    --list \
+    --prefix '{hostname}-' \
+    --show-rc \
+    --keep-daily {{ backup_daily }} \
+    --keep-weekly {{ backup_weekly }} \
+    --keep-monthly {{ backup_monthly }} \
+
+prune_exit=$?
+
+# use highest exit code as global exit code
+global_exit=$(( backup_exit > prune_exit ? backup_exit : prune_exit ))
+
+if [ ${global_exit} -eq 1 ];
+then
+    info "Backup and/or Prune finished with a warning"
+fi
+
+if [ ${global_exit} -gt 1 ];
+then
+    info "Backup and/or Prune finished with an error"
+fi
+
+umount -l {{ backup_repo_dir }}
+
+exit ${global_exit}