defaults | ||
meta | ||
molecule | ||
tasks | ||
templates | ||
.gitignore | ||
.travis.yml | ||
.yamllint | ||
backup.yml | ||
LICENSE.md | ||
README.md |
Borg backup role
This role installs Borg backup on borgbackup_servers and clients. The role contains a wrapper-script 'borg-backup' to ease the usage on the client. Supported options include borg-backup info | init | list | backup | mount. Automysqlbackup will run as pre-backup command if it's installed. The role supports both self hosted and offsite backup-storage such as rsync.net and hetzner storage box as Borg server.
It's possible to configure append-only repositories to secure the backups against deletion from the client.
Ansible 2.4 or higher is required to run this role.
Required variables
Define a group borgbackup_servers in your inventory with one or multiple hosts. The group borgbackup_management is only necessary if you want to enable append-only mode and prune the backups from a secured hosts.
[borgbackup_servers]
backup1.fiaas.co
[borgbackup_management]
supersecurehost
Define group- or hostvars for your backup endpoints and retention:
borgbackup_servers:
- fqdn: backup1.fiaas.co
user: borgbackup
type: normal
home: /backup/
pool: repos
options: ""
- fqdn: yourhost.rsync.net
user: userid
type: rsync.net
home: ""
pool: repos
options: "--remote-path=borg1"
- fqdn: username.your-storagebox.de
user: username
type: hetzner
home: ""
pool: repos
options: ""
borgbackup_retention:
hourly: 12
daily: 7
weekly: 4
monthly: 6
yearly: 1
WARNING: the trailing / in item.home is required.
Define a borg_passphrase for every host. host_vars\client1:
borgbackup_passphrase: Ahl9EiNohr5koosh1Wohs3Shoo3ooZ6p
Per default the role creates a cronjob in /etc/cron.d/borg-backup running as root every day on a random hour between 0 and 5am on a random minute. Override the defaults if necessary:
borgbackup_client_user: root
borgbackup_cron_day: "*"
borgbackup_cron_minute: "{{ 59|random }}"
borgbackup_cron_hour: "{{ 5|random }}"
Override borgbackup_client_user where required, for example if you have a laptop with an encrypted homedir you'll have to run the backup as the user of that homedir.
Set borgbackup_appendonly: True in host or group vars if you want append-only repositories. In that case it's possible to define a hostname in borgbackup_management_station where a borg prune script will be configured. Only the management station will have permission to prune old backups for (all) clients. This will generate serve with --append-only ssh key options. If you set borgbackup_appendonly_repoconfig to True, this will also disable the possibility to remove backups from the management station. (Or at least: it's not possible to remove them till you reconfigure the repository and this is currently not supported in the prune script) Be aware of the limitations of append-only mode: pruned backups appear to be removed, but are only removed in the transaction log till something writes in normal mode to the repository)
Make sure to check the configured defaults for this role, which contains the list of default locations being backed up in backup_include. Override this in your inventory where required.
Usage
Configure Borg on the server and on a client:
ansible-playbook -i inventory/test backup.yml -l backup1.fiaas.co
ansible-playbook -i inventory/test backup.yml -l client1.fiaas.co