From 6ae4bbf49ede3d3690f08bba40f4d0039edff97d Mon Sep 17 00:00:00 2001 From: Luc Stroobant Date: Sat, 19 May 2018 16:13:19 +0200 Subject: [PATCH] improve and clarify append-only --- README.md | 11 +++++++---- defaults/main.yml | 1 + tasks/borg-server.yml | 1 + templates/borg-backup.sh.j2 | 2 +- 4 files changed, 10 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index af20300..da7f5f4 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ The role supports both self hosted and offsite backup-storage such as rsync.net It's possible to configure append-only repositories to secure the backups against deletion from the client. -Ansible 2.4 is required to run this role. +Ansible 2.4 or higher is required to run this role. ## Required variables Define a group borgbackup\_servers in your inventory with one or multiple hosts. The group borgbackup\_management is only necessary if you want to enable append-only mode and prune the backups from a secured hosts. 
@@ -63,9 +63,11 @@ borgbackup_cron_hour: "{{ 5|random }}" ``` Override borgbackup\_client\_user where required, for example if you have a laptop with an encrypted homedir you'll have to run the backup as the user of that homedir. -Set borgbackup\_appendonly: True in host or group vars if you want append-only repositories. In that case it's possible to define a hostname in borgbackup\_management\_station where a borg prune script will be configured. Only the management station will have permission to prune old backups for (all) clients. +Set borgbackup\_appendonly: True in host or group vars if you want append-only repositories. In that case it's possible to define a hostname in borgbackup\_management\_station where a borg prune script will be configured. Only the management station will have permission to prune old backups for (all) clients. This will generate serve with --append-only ssh key options. +If you set borgbackup\_appendonly\_repoconfig to True, this will also disable the possibility to remove backups from the management station. (Or at least: it's not possible to remove them till you reconfigure the repository and this is currently not supported in the prune script) +Be aware of the limitations of append-only mode: [pruned backups appear to be removed, but are only removed in the transaction log till something writes in normal mode to the repository](https://github.com/borgbackup/borg/issues/3504)) -*Make sure to check the configured defaults for this role, which contains the list of default locations being backed up in backup_include.* Override this in your inventory where required. +*Make sure to check the configured defaults for this role, which contains the list of default locations being backed up in backup\_include.* Override this in your inventory where required. ## Usage 
@@ -76,4 +78,5 @@ ansible-playbook -i inventory/test backup.yml -l client1.fiaas.co ``` ## Further reading -* https://borgbackup.readthedocs.io/en/stable/ +* [Borg documentation](https://borgbackup.readthedocs.io/en/stable/) +* [Append only mode information](http://borgbackup.readthedocs.io/en/stable/usage/notes.html#append-only-mode) diff --git a/defaults/main.yml b/defaults/main.yml index 0792d88..1c637e2 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -37,6 +37,7 @@ borgbackup_cron_hour: "{{ 5|random }}" borgbackup_cron_minute: "{{ 59|random }}" borgbackup_appendonly: False +borgbackup_appendonly_repoconfig: False borgbackup_management_station: '' borgbackup_management_user: '' borgbackup_management_ssh_pubkey: '' diff --git a/tasks/borg-server.yml b/tasks/borg-server.yml index de53c4f..3a18d12 100644 --- a/tasks/borg-server.yml +++ b/tasks/borg-server.yml @@ -18,3 +18,4 @@ mode: "0770" delegate_to: "{{ item.fqdn }}" with_items: "{{ borgbackup_servers }}" + when: item.type == 'normal' diff --git a/templates/borg-backup.sh.j2 b/templates/borg-backup.sh.j2 index 9c631e1..1313d85 100644 --- a/templates/borg-backup.sh.j2 +++ b/templates/borg-backup.sh.j2 @@ -48,7 +48,7 @@ if [ "$1" = "init" ] then {% for b in borgbackup_servers %} REPOSITORY={% if b.type == 'hetzner' %}ssh://{% endif %}{{ b.user }}@{{ b.fqdn }}:{% if b.type == 'hetzner' %}23/./{% endif %}{{ b.home }}{{ b.pool }}/{{ inventory_hostname }} - /usr/local/bin/borg init --encryption={{ borgbackup_encryption_mode }} {{ b.options }} $REPOSITORY + /usr/local/bin/borg init --encryption={{ borgbackup_encryption_mode }}{% if borgbackup_appendonly_repoconfig %} --append-only{% endif %} {{ b.options }} $REPOSITORY {% endfor %} exit 0 fi
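Review bot: The added `when: item.type == 'normal'` in tasks/borg-server.yml carries no comment saying why servers of other types are skipped, and it assumes every entry in `borgbackup_servers` defines `type`. The template in this same patch compares `b.type == 'hetzner'`, so the key appears to be expected, but an entry without it would probably fail this task on an undefined attribute rather than be skipped. I would add a comment above the condition, for example `# only self-hosted ('normal') servers are prepared here; other storage types are skipped`, and consider `when: item.type | default('normal') == 'normal'` if a missing `type` is meant to mean a normal server. The task itself starts above the hunk, so its name and module are not visible here.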
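Review bot: The `--append-only` flag added to the `borg init` line in templates/borg-backup.sh.j2 takes effect only when a repository is first created. Setting `borgbackup_appendonly_repoconfig` to True for a client whose repository already exists therefore changes nothing on the server, while the inventory now suggests that the repository is protected. Neither this hunk nor the README text in this patch says so. I would add a template comment above the line, `{# --append-only is stored in the repo config at init time only; existing repositories keep their current setting #}`, and one README sentence stating that already-initialised repositories must be reconfigured separately. The `init` branch begins above the hunk.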