improve and clarify append-only

Luc Stroobant 2018-05-19 16:13:19 +02:00
parent 5368f8d77a
commit 6ae4bbf49e
4 changed files with 10 additions and 5 deletions


@ -4,7 +4,7 @@ The role supports both self hosted and offsite backup-storage such as rsync.net
It's possible to configure append-only repositories to secure the backups against deletion from the client.
Ansible 2.4 is required to run this role.
Ansible 2.4 or higher is required to run this role.
## Required variables
Define a group borgbackup\_servers in your inventory with one or multiple hosts. The group borgbackup\_management is only necessary if you want to enable append-only mode and prune the backups from a secured hosts.
@ -63,9 +63,11 @@ borgbackup_cron_hour: "{{ 5|random }}"
```
Override borgbackup\_client\_user where required, for example if you have a laptop with an encrypted homedir you'll have to run the backup as the user of that homedir.
Set borgbackup\_appendonly: True in host or group vars if you want append-only repositories. In that case it's possible to define a hostname in borgbackup\_management\_station where a borg prune script will be configured. Only the management station will have permission to prune old backups for (all) clients.
Set borgbackup\_appendonly: True in host or group vars if you want append-only repositories. In that case it's possible to define a hostname in borgbackup\_management\_station where a borg prune script will be configured. Only the management station will have permission to prune old backups for (all) clients. This will generate serve with --append-only ssh key options.
If you set borgbackup\_appendonly\_repoconfig to True, this will also disable the possibility to remove backups from the management station. (Or at least: it's not possible to remove them till you reconfigure the repository and this is currently not supported in the prune script)
Be aware of the limitations of append-only mode: [pruned backups appear to be removed, but are only removed in the transaction log till something writes in normal mode to the repository](https://github.com/borgbackup/borg/issues/3504))
*Make sure to check the configured defaults for this role, which contains the list of default locations being backed up in backup_include.* Override this in your inventory where required.
*Make sure to check the configured defaults for this role, which contains the list of default locations being backed up in backup\_include.* Override this in your inventory where required.
## Usage
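
Review bot: The added sentence "This will generate serve with --append-only ssh key options." is hard to parse and does not say which key gets the restriction; reword it to state what is generated and for whom, for example that the client's ssh key is restricted to serve with --append-only. The limitations line also ends in a stray second ")" after the issue link. More important for anyone relying on this for tamper resistance: the text says pruned backups stay in the transaction log "till something writes in normal mode", and two sentences earlier it describes the management station pruning for all clients. If that prune is such a normal-mode write, the README should say so explicitly and tell the operator to check the repository before the management station prunes.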
@ -76,4 +78,5 @@ ansible-playbook -i inventory/test backup.yml -l client1.fiaas.co
```
## Further reading
* https://borgbackup.readthedocs.io/en/stable/
* [Borg documentation](https://borgbackup.readthedocs.io/en/stable/)
* [Append only mode information](http://borgbackup.readthedocs.io/en/stable/usage/notes.html#append-only-mode)
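
Review bot: The new append-only link uses http:// while the Borg documentation link directly above it uses https:// for the same host (borgbackup.readthedocs.io); use https:// for both so the README does not send readers over plain HTTP.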


@ -37,6 +37,7 @@ borgbackup_cron_hour: "{{ 5|random }}"
borgbackup_cron_minute: "{{ 59|random }}"
borgbackup_appendonly: False
borgbackup_appendonly_repoconfig: False
borgbackup_management_station: ''
borgbackup_management_user: ''
borgbackup_management_ssh_pubkey: ''
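
Review bot: The new default `borgbackup_appendonly_repoconfig: False` sits directly under `borgbackup_appendonly: False` with no comment telling the two apart. A short comment here would help, saying that the first one controls the ssh key restriction, the second one sets append-only in the repository itself, and that setting the second to True also blocks pruning from the management station, as the README change in this commit describes.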


@ -18,3 +18,4 @@
mode: "0770"
delegate_to: "{{ item.fqdn }}"
with_items: "{{ borgbackup_servers }}"
when: item.type == 'normal'
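
Review bot: The added `when: item.type == 'normal'` changes which servers this delegated task runs on, but the commit message only talks about append-only and nothing in the visible lines explains the condition. The init template in this same commit handles a 'hetzner' type, so those servers are now skipped here without any message. Add a comment on the task saying why other types are excluded, note in the README what has to be done by hand for them, and consider moving this into its own commit.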


@ -48,7 +48,7 @@ if [ "$1" = "init" ]
then
{% for b in borgbackup_servers %}
REPOSITORY={% if b.type == 'hetzner' %}ssh://{% endif %}{{ b.user }}@{{ b.fqdn }}:{% if b.type == 'hetzner' %}23/./{% endif %}{{ b.home }}{{ b.pool }}/{{ inventory_hostname }}
/usr/local/bin/borg init --encryption={{ borgbackup_encryption_mode }} {{ b.options }} $REPOSITORY
/usr/local/bin/borg init --encryption={{ borgbackup_encryption_mode }}{% if borgbackup_appendonly_repoconfig %} --append-only{% endif %} {{ b.options }} $REPOSITORY
{% endfor %}
exit 0
fi
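
Review bot: The `--append-only` flag is only added inside the `if [ "$1" = "init" ]` branch, so `borgbackup_appendonly_repoconfig` takes effect when a repository is first created and is ignored for repositories that already exist. Someone who flips the variable to True on an existing client will believe the repository is protected when it is not. State this next to the variable in the README or the defaults, or have the script report when the setting and the repository disagree. Minor point on the same line: `$REPOSITORY` is expanded unquoted; `"$REPOSITORY"` is safer if a pool or home path ever contains a space.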