add feature to use only one key for many servers and some improvements

camille 2023-01-03 16:55:38 +01:00
parent bba1584598
commit 55e67e987d
4 changed files with 182 additions and 37 deletions


@ -1,9 +1,10 @@
--- ---
# duplicity # duplicity
duplicity_oneforall_key: False
duplicity_archive_dir: '/duplicity' duplicity_archive_dir: '/duplicity'
duplicity_gpg_real_name: 'duplicity' duplicity_gpg_real_name: 'duplicity'
duplicity_gpg_email: 'backup@localhost' duplicity_gpg_email: 'team-lca@alterway.fr'
duplicity_cron_backup_minute: '0' duplicity_cron_backup_minute: '0'
duplicity_cron_backup_hour: '3' duplicity_cron_backup_hour: '3'
@ -16,3 +17,27 @@ duplicity_full_older_than: '6'
duplicity_remove_older_than: '8' duplicity_remove_older_than: '8'
duplicity_exclude_filelist: '/etc/duplicity/exclude.list' duplicity_exclude_filelist: '/etc/duplicity/exclude.list'
duplicity_list:
- /var/lib/bareos
- /dev
- /media
- /mnt
- /proc
- /sys
- /tmp
- /var/cache
- /var/tmp
- /var/lib/mongodb
- /var/lib/mysql
- /var/lib/postgresql
- /var/lib/redis
- /var/lib/solr
- /var/lib/elasticsearch
- /var/spool/postfix
- /var/www
- /VMs
- /.journal
- /.fsck
- /zpve
duplicity_list_custom:
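Review bot: `duplicity_list_custom:` on the last added line has no value, so it loads as null rather than as an empty list; write `duplicity_list_custom: []` so the default has the type the variable is meant to carry and consumers do not need a null guard. On the first added line, `duplicity_oneforall_key: False` should be the canonical lowercase `false`, and the tasks that compare it with `== True` / `== False` would be more robust as `duplicity_oneforall_key | bool`, since a value supplied with `-e` arrives as a string and never equals a boolean. The default e-mail moving from `backup@localhost` to an organization-specific address is unusual for a role default and is probably better left to the inventory, though that may be intentional here.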


@ -7,27 +7,48 @@
- duplicity_s3_passphrase is defined - duplicity_s3_passphrase is defined
- duplicity_s3_access_key is defined - duplicity_s3_access_key is defined
- duplicity_s3_secret_key is defined - duplicity_s3_secret_key is defined
tags: ['backup_duplicity'] tags: ['backup']
- name: duplicity | install packages - name: duplicity | install packages
apt: apt:
name: name:
- duplicity - duplicity
state: present state: present
tags: ['backup_duplicity'] tags: ['backup']
- name: duplicity | check for dedicated GPG key - name: duplicity | check for dedicated GPG key standalone
shell: | shell: |
gpg --list-options show-only-fpr-mbox --list-secret-keys -a "{{ duplicity_gpg_real_name }}" | awk '{print $1}' gpg --list-options show-only-fpr-mbox --list-secret-keys -a "{{ duplicity_gpg_real_name }}" | awk '{print $1}'
register: duplicity_get_key register: duplicity_get_key
tags: ['backup_duplicity'] when:
- duplicity_oneforall_key == False
tags: ['backup']
- name: duplicity | check for dedicated GPG key infra
shell: |
gpg --list-options show-only-fpr-mbox --list-secret-keys -a "{{ duplicity_gpg_real_name }}" | awk '{print $1}'
register: duplicity_get_key
delegate_to: localhost
when:
- duplicity_oneforall_key == True
tags: ['backup']
- set_fact: - set_fact:
duplicity_gpg_key: "{{ duplicity_get_key.stdout }}" duplicity_gpg_key: "{{ duplicity_get_key.stdout }}"
when: duplicity_get_key.stdout != '' when:
tags: ['backup_duplicity'] - duplicity_oneforall_key == False
- duplicity_get_key.stdout != ''
tags: ['backup']
- name: duplicity | generate dedicated GPG key - set_fact:
duplicity_gpg_key: "{{ duplicity_get_key.stdout }}"
delegate_to: localhost
when:
- duplicity_oneforall_key == True
- duplicity_get_key.stdout != ''
tags: ['backup']
- name: duplicity | generate dedicated GPG key standalone
shell: | shell: |
gpg --batch --gen-key <<EOF gpg --batch --gen-key <<EOF
%echo Generating a OpenPGP key %echo Generating a OpenPGP key
@ -43,15 +64,127 @@
Expire-Date: 0 Expire-Date: 0
%commit %commit
EOF EOF
when: duplicity_gpg_key is undefined when:
tags: ['backup_duplicity'] - duplicity_oneforall_key == False
- duplicity_gpg_key is undefined
tags: ['backup']
- name: duplicity | generate dedicated GPG key infra
shell: |
gpg --batch --gen-key <<EOF
%echo Generating a OpenPGP key
%no-protection
Key-Type: eddsa
Key-Curve: Ed25519
Key-Usage: cert
Subkey-Type: ecdh
Subkey-Curve: Curve25519
Subkey-Usage: encrypt
Name-Real: "{{ duplicity_gpg_real_name }}"
Name-Email: "{{ duplicity_gpg_email }}"
Expire-Date: 0
%commit
EOF
delegate_to: localhost
when:
- duplicity_oneforall_key == True
- duplicity_gpg_key is undefined
tags: ['backup']
- name: duplicity | check for dedicated GPG key infra on remote
shell: |
gpg --list-options show-only-fpr-mbox --list-secret-keys -a "{{ duplicity_gpg_real_name }}" | awk '{print $1}'
register: duplicity_get_key_remote
when:
- duplicity_oneforall_key == True
tags: ['backup']
- set_fact:
duplicity_gpg_key_remote: "{{ duplicity_get_key_remote.stdout }}"
when:
- duplicity_oneforall_key == True
- duplicity_get_key_remote.stdout != ''
tags: ['backup']
- name: duplicity | export public key
shell: |
gpg --export -a "{{ duplicity_gpg_real_name }}" > /home/ansible/{{ duplicity_gpg_real_name }}_public.key
delegate_to: localhost
when:
- duplicity_oneforall_key == True
- duplicity_gpg_key_remote is undefined
tags: ['backup']
- name: duplicity | export private key
shell: |
gpg --export-secret-key -a "{{ duplicity_gpg_real_name }}" > /home/ansible/{{ duplicity_gpg_real_name }}_private.key
delegate_to: localhost
when:
- duplicity_oneforall_key == True
- duplicity_gpg_key_remote is undefined
tags: ['backup']
- name: duplicity | copy keys to the server
copy:
src: "{{ item }}"
dest: "{{ item }}"
with_items:
- "/home/ansible/{{ duplicity_gpg_real_name }}_public.key"
- "/home/ansible/{{ duplicity_gpg_real_name }}_private.key"
when:
- duplicity_oneforall_key == True
- duplicity_gpg_key_remote is undefined
tags: ['backup']
- name: duplicity | import keys to the server
shell: |
gpg --import {{ item }}
with_items:
- "/home/ansible/{{ duplicity_gpg_real_name }}_public.key"
- "/home/ansible/{{ duplicity_gpg_real_name }}_private.key"
when:
- duplicity_oneforall_key == True
- duplicity_gpg_key_remote is undefined
tags: ['backup']
- name: duplicity | import ownertrust
shell: "/usr/bin/echo '{{ duplicity_gpg_key }}:6:' |/usr/bin/gpg --import-ownertrust"
when:
- duplicity_oneforall_key == True
- duplicity_gpg_key_remote is undefined
tags: ['backup']
- name: duplicity | delete exported keys
ansible.builtin.file:
path: '{{ item }}'
state: absent
with_items:
- "/home/ansible/{{ duplicity_gpg_real_name }}_public.key"
- "/home/ansible/{{ duplicity_gpg_real_name }}_private.key"
delegate_to: localhost
when:
- duplicity_oneforall_key == True
- duplicity_gpg_key_remote is undefined
tags: ['backup']
- name: duplicity | delete exported keys on remote
ansible.builtin.file:
path: '{{ item }}'
state: absent
with_items:
- "/home/ansible/{{ duplicity_gpg_real_name }}_public.key"
- "/home/ansible/{{ duplicity_gpg_real_name }}_private.key"
when:
- duplicity_oneforall_key == True
- duplicity_gpg_key_remote is undefined
tags: ['backup']
- name: duplicity | create configuration directory - name: duplicity | create configuration directory
file: file:
path: /etc/duplicity path: /etc/duplicity
state: directory state: directory
mode: '0755' mode: '0755'
tags: ['backup_duplicity'] tags: ['backup']
- name: duplicity | copy configuration file - name: duplicity | copy configuration file
template: template:
@ -60,7 +193,7 @@
owner: root owner: root
group: root group: root
mode: 0600 mode: 0600
tags: ['backup_duplicity'] tags: ['backup']
- name: duplicity | copy exclude.list - name: duplicity | copy exclude.list
template: template:
@ -69,7 +202,7 @@
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
tags: ['backup_duplicity'] tags: ['backup']
- name: duplicity | create backup cronjob - name: duplicity | create backup cronjob
cron: cron:
@ -83,7 +216,7 @@
job: "source /etc/duplicity/duplicity.cnf && duplicity --encrypt-key {{ duplicity_gpg_key }} --s3-use-new-style -v 4 --archive-dir={{ duplicity_archive_dir }} --full-if-older-than {{ duplicity_full_older_than }}D / \"{{ duplicity_s3_path }}\" --exclude-filelist {{ duplicity_exclude_filelist }}" job: "source /etc/duplicity/duplicity.cnf && duplicity --encrypt-key {{ duplicity_gpg_key }} --s3-use-new-style -v 4 --archive-dir={{ duplicity_archive_dir }} --full-if-older-than {{ duplicity_full_older_than }}D / \"{{ duplicity_s3_path }}\" --exclude-filelist {{ duplicity_exclude_filelist }}"
when: when:
- duplicity_gpg_key is defined - duplicity_gpg_key is defined
tags: ['backup_duplicity'] tags: ['backup']
- name: duplicity | create cleanup cronjob - name: duplicity | create cleanup cronjob
cron: cron:
@ -97,4 +230,4 @@
job: "source /etc/duplicity/duplicity.cnf && duplicity --encrypt-key {{ duplicity_gpg_key }} --force --s3-use-new-style -v 4 remove-older-than {{ duplicity_remove_older_than }}D \"{{ duplicity_s3_path }}\"" job: "source /etc/duplicity/duplicity.cnf && duplicity --encrypt-key {{ duplicity_gpg_key }} --force --s3-use-new-style -v 4 remove-older-than {{ duplicity_remove_older_than }}D \"{{ duplicity_s3_path }}\""
when: when:
- duplicity_gpg_key is defined - duplicity_gpg_key is defined
tags: ['backup_duplicity'] tags: ['backup']
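Review bot: In the one-for-all path the private key, generated with `%no-protection`, is written to `/home/ansible/{{ duplicity_gpg_real_name }}_private.key` on the controller with whatever the shell umask allows and then copied to the remote by a `copy` task that sets no `mode` or `owner`, so it is readable by other local users on both hosts until the cleanup tasks run; add `mode: '0600'` (and an explicit `owner`) to the copy task and tighten the controller-side export the same way. The two `delete exported keys` tasks are ordinary tasks rather than the `always` section of a `block`, so any failure between export and delete leaves both key files on disk; wrapping export/copy/import/delete in a `block` with `always` cleanup makes the removal unconditional. `import ownertrust` renders `duplicity_gpg_key`, which on a first run (key just generated on localhost, nothing yet on the remote) has not been set by any preceding task, so the template would fail on an undefined variable; re-run the fingerprint lookup after generation, or read it from the imported key, before this task. Feeding the export to `gpg --import` on the remote through `command` with `stdin` would avoid the on-disk intermediate altogether. The task list this section belongs to starts before the first hunk.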


@ -7,6 +7,6 @@
service: "{{ item }}" service: "{{ item }}"
include_tasks: "{{ item }}.yml" include_tasks: "{{ item }}.yml"
tags: tags:
- backup_duplicity - backup
with_items: with_items:
- "{{ backup_services }}" - "{{ backup_services }}"


@ -1,21 +1,8 @@
/var/lib/bareos {% for exclude in duplicity_list -%}
/dev {{ exclude }}
/media {% endfor %}
/mnt {% if duplicity_list_custom is iterable %}
/proc {% for exclude in duplicity_list_custom -%}
/sys {{ exclude }}
/tmp {% endfor %}
/var/cache {% endif %}
/var/tmp
/var/lib/mongodb
/var/lib/mysql
/var/lib/postgresql
/var/lib/redis
/var/lib/solr
/var/lib/elasticsearch
/var/spool/postfix
/var/www
/VMs
/.journal
/.fsck
/zpve
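Review bot: `{% if duplicity_list_custom is iterable %}` does not guard against a scalar, because Jinja's `iterable` test is also true for strings, so a misconfigured `duplicity_list_custom: /opt/data` would be written out one character per line; test `duplicity_list_custom is sequence and duplicity_list_custom is not string`, or drop the `if` and loop over `duplicity_list_custom | default([], true)`. The `-%}` on the `for` tags is what keeps one path per output line, and since that layout is exactly what duplicity parses it deserves a short comment at the top, e.g. `{# one excluded path per line; do not fold #}`.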