From 021606d2d3830dc3bfb184efac29d56acfbed95f Mon Sep 17 00:00:00 2001
From: Ludovic Cartier <ludovic.cartier@alterway.fr>
Date: Wed, 7 Sep 2022 17:53:38 +0200
Subject: [PATCH] initial commit

---
 TODO                       |   3 ++
 defaults/main.yml          |  18 +++++++
 tasks/duplicity.yml        | 101 +++++++++++++++++++++++++++++++++++++
 tasks/main.yml             |  12 +++++
 tasks/requirements.yml     |   5 ++
 templates/duplicity.cnf.j2 |   3 ++
 templates/exclude.list.j2  |  21 ++++++++
 7 files changed, 163 insertions(+)
 create mode 100644 TODO
 create mode 100644 defaults/main.yml
 create mode 100644 tasks/duplicity.yml
 create mode 100644 tasks/main.yml
 create mode 100644 tasks/requirements.yml
 create mode 100644 templates/duplicity.cnf.j2
 create mode 100644 templates/exclude.list.j2

diff --git a/TODO b/TODO
new file mode 100644
index 0000000..987eccd
--- /dev/null
+++ b/TODO
@@ -0,0 +1,3 @@
+- archive_dir ??
+- passer gpg et l'encryption en defaut
+-- duplicity --no-encryption
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..f85c227
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,18 @@
+---
+# duplicity
+duplicity_archive_dir: '/duplicity'
+
+duplicity_gpg_real_name: 'duplicity'
+duplicity_gpg_email: 'backup@localhost'
+
+duplicity_cron_backup_minute: '0'
+duplicity_cron_backup_hour: '3'
+duplicity_cron_backup_day: '*'
+duplicity_cron_backup_month: '*'
+duplicity_cron_backup_weekday: '*'
+duplicity_cron_backup_user: 'root'
+
+duplicity_full_older_than: '6'
+duplicity_remove_older_than: '8'
+
+duplicity_exclude_filelist: '/etc/duplicity/exclude.list'
diff --git a/tasks/duplicity.yml b/tasks/duplicity.yml
new file mode 100644
index 0000000..88ee765
--- /dev/null
+++ b/tasks/duplicity.yml
@@ -0,0 +1,101 @@
+---
+- name: duplicity | check vars are defined
+  assert:
+    that:
+      - duplicity_archive_dir is defined
+      - duplicity_s3_path is defined
+      - duplicity_s3_passphrase is defined
+      - duplicity_s3_access_key is defined
+      - duplicity_s3_secret_key is defined
+  tags: ['backup_duplicity']
+
+- name: duplicity | install packages
+  apt:
+    name: 
+      - duplicity
+    state: present
+  tags: ['backup_duplicity']
+
+- name: duplicity | check for dedicated GPG key
+  shell: |
+    gpg --list-options show-only-fpr-mbox --list-secret-keys -a "{{ duplicity_gpg_real_name }}" | awk '{print $1}'
+  register: duplicity_get_key
+  tags: ['backup_duplicity']
+
+- set_fact:
+    duplicity_gpg_key: "{{ duplicity_get_key.stdout }}"
+  when: duplicity_get_key.stdout != ''
+  tags: ['backup_duplicity']
+
+- name: duplicity | generate dedicated GPG key
+  shell: |
+    gpg --batch --gen-key <<EOF
+    %echo Generating a OpenPGP key
+    %no-protection
+    Key-Type: eddsa
+    Key-Curve: Ed25519
+    Key-Usage: cert
+    Subkey-Type: ecdh
+    Subkey-Curve: Curve25519
+    Subkey-Usage: encrypt
+    Name-Real: "{{ duplicity_gpg_real_name }}"
+    Name-Email: "{{ duplicity_gpg_email }}"
+    Expire-Date: 0
+    %commit
+    EOF
+  when: duplicity_gpg_key is undefined
+  tags: ['backup_duplicity']
+
+
+- name: duplicity | create configuration directory
+  file:
+    path: /etc/duplicity
+    state: directory
+    mode: '0755'
+  tags: ['backup_duplicity']
+
+- name: duplicity | copy configuration file
+  template:
+    src: duplicity.cnf.j2
+    dest: /etc/duplicity/duplicity.cnf
+    owner: root
+    group: root
+    mode: 0600
+  tags: ['backup_duplicity']
+
+- name: duplicity | copy exclude.list
+  template:
+    src: exclude.list.j2
+    dest: /etc/duplicity/exclude.list
+    owner: root
+    group: root
+    mode: 0644
+  tags: ['backup_duplicity']
+
+- name: duplicity | create backup cronjob
+  cron:
+    name: duplicity backup
+    minute: "{{ duplicity_cron_backup_minute }}"
+    hour: "{{ duplicity_cron_backup_hour }}"
+    day: "{{ duplicity_cron_backup_day }}"
+    month: "{{ duplicity_cron_backup_month }}"
+    weekday: "{{ duplicity_cron_backup_weekday }}"
+    user: "{{ duplicity_cron_backup_user }}"
+    job: "source /etc/duplicity/duplicity.cnf && duplicity --encrypt-key {{ duplicity_gpg_key }} --s3-use-new-style -v 4 --archive-dir={{ duplicity_archive_dir }} --full-if-older-than {{ duplicity_full_older_than }}D / \"{{ duplicity_s3_path }}\" --exclude-filelist {{ duplicity_exclude_filelist }}"
+  when: 
+    - duplicity_gpg_key is defined
+  tags: ['backup_duplicity']
+
+- name: duplicity | create cleanup cronjob
+  cron:
+    name: duplicity cleanup
+    minute: "{{ duplicity_cron_backup_minute }}"
+    hour: "{{ duplicity_cron_backup_hour }}"
+    day: "{{ duplicity_cron_backup_day }}"
+    month: "{{ duplicity_cron_backup_month }}"
+    weekday: "{{ duplicity_cron_backup_weekday }}"
+    user: "{{ duplicity_cron_backup_user }}"
+    job: "source /etc/duplicity/duplicity.cnf && duplicity --encrypt-key {{ duplicity_gpg_key }} --force --s3-use-new-style -v 4 remove-older-than {{ duplicity_remove_older_than }}D \"{{ duplicity_s3_path }}\""
+  when: 
+    - duplicity_gpg_key is defined
+  tags: ['backup_duplicity']
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..fa8fc50
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,12 @@
+---
+- name: requirements
+  include_tasks: requirements.yml
+
+- name: services
+  vars:
+   service: "{{ item }}"
+  include_tasks: "{{ item }}.yml"
+  tags:
+    - backup_duplicity
+  with_items:
+    - "{{ backup_services }}"
diff --git a/tasks/requirements.yml b/tasks/requirements.yml
new file mode 100644
index 0000000..380d26f
--- /dev/null
+++ b/tasks/requirements.yml
@@ -0,0 +1,5 @@
+---
+- name: apt update cache
+  apt:
+    update_cache: yes
+    cache_valid_time: 86400
diff --git a/templates/duplicity.cnf.j2 b/templates/duplicity.cnf.j2
new file mode 100644
index 0000000..d4fa9bc
--- /dev/null
+++ b/templates/duplicity.cnf.j2
@@ -0,0 +1,3 @@
+export PASSPHRASE="{{ duplicity_s3_passphrase }}"
+export AWS_ACCESS_KEY_ID={{ duplicity_s3_access_key }}
+export AWS_SECRET_ACCESS_KEY={{ duplicity_s3_secret_key }}
diff --git a/templates/exclude.list.j2 b/templates/exclude.list.j2
new file mode 100644
index 0000000..53445cd
--- /dev/null
+++ b/templates/exclude.list.j2
@@ -0,0 +1,21 @@
+/var/lib/bareos
+/dev
+/media
+/mnt
+/proc
+/sys
+/tmp
+/var/cache
+/var/tmp
+/var/lib/mongodb
+/var/lib/mysql
+/var/lib/postgresql
+/var/lib/redis
+/var/lib/solr
+/var/lib/elasticsearch
+/var/spool/postfix
+/var/www
+/VMs
+/.journal
+/.fsck
+/zpve