-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathmain.yml
148 lines (126 loc) · 7.53 KB
/
main.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
---
################################################################################
# Borg Server Host Configuration
################################################################################
# This it the host, as specified in your ansible inventory file, that the
# backups will be made to.
# Ansible will delegate borg-server related tasks to that host.
# Currently there is only a single backup host supported per role run.
# ---
# borg_server_host: SETME
# This is the public key of the ssh server of your borg server.
# It is used for protecting against spoofed borg servers. It is recommended you
# set this variable as a group var in your ansible repository as it is a per
# borg-server configuration. To get this key you can run ssh-keyscan against
# your borg server like this:
# ssh-keyscan -t rsa borg.example.org
# You will need to remove the hostname from the output so that the
# remaining key will look something like this:
# ssh-rsa AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
# ---
# borg_server_host_ssh_key: SETME
# This is the host url that will be used for running borg related commands on
# the borg client. The borg server ssh port needs to be reachable from the borg
# borg client under this host.
# This defaults to the borg_server_host which will work as long as the inventory
# hostnames are globally reachable.
borg_server_host_url: '{{ borg_server_host }}'
# The home directory of the borg user that is created on the borg server.
# All borg borg client repositories will be saved in this directory on the borg
# server. e.g. /opt/borg/client1 /opt/borg/client2
borg_server_user_home: /opt/borg
################################################################################
# Borg Repository Configuration
# See: https://borgbackup.readthedocs.io/en/stable/usage/serve.html
################################################################################
# The name of the repository (directory) created on the borg-server
# `{{ borg_server_user_home }}/{{ borg_repo_name }}`
# This setting is mostly relevant if you use multiple repositories per
# borg-client in which case you have to set a custom repo names / formats to
# avoid clashes.
borg_repo_name: '{{ inventory_hostname }}'
# Should the repo be append only? (--append-only)
# This will deny any request to delete data from the backup repository coming
# from the client host. This is so that an attacker would not be able to simply
# delete the backups from a compromised client.
# With this configuration option enabled you won't have the ability to remove
# old backups directly from the client that pushes the backups.
# See https://borgbackup.readthedocs.io/en/stable/usage/notes.html#append-only-mode-forbid-compaction
borg_mode_append_only: false
################################################################################
# Borg Backup Configuration
# See: https://borgbackup.readthedocs.io/en/stable/usage/create.html
################################################################################
# This is the name of the backup in the configured repository
# The default here creates a backup with the hostname and the current time in
# the name. It is important to dynamically generate the backup names by using
# the placeholders so that you don't have colliding backup names.
# Most of the time the default option is fine.
# For more information about the borg placeholder see
# https://borgbackup.readthedocs.io/en/stable/usage/help.html#borg-help-placeholders
borg_backup_name_format: '{hostname}-{now:%Y-%m-%dT%H:%M:%S}'
# Borg has a few compression modes to those from:
# none, lz4, zstd[,L], zlib[,L], lzma[,L], auto,C[,L], obfuscate,SPEC,C[,L].
# For more information see the borg compression page: `borg help compression` or
# https://borgbackup.readthedocs.io/en/stable/usage/help.html#borg-help-compression
borg_compression: zstd
# This is a list of files and directories to be backed up in the systemd job.
# In case you leave this empty, the role will not create an automatic backup job
borg_included_dirs: []
# This is a list of files and directories that you wish to have excluded from
# Your backups. You may need this in case you want to remove a file from a
# folder which you want to have backed up e.g. cache directory in application.
# If you want to backup `/application/data` and `/application/db`
# but not `application/cache` you can add `/application` to `borg_included_dirs`
# and add `application/cache` to `borg_excluded_dirs`.
borg_excluded_dirs: []
# By default the role is configured to only use an encryption key with no
# passphrase. This allows it to use the borgs command on the machine without any
# haste. If you wish to enable the borg passphrase you can do so here. Note that
# The passphrase will be stored in plaintext inside the backup script.
# For more information about the borg passphrase see
# https://borgbackup.readthedocs.io/en/stable/quickstart.html#passphrase-notes
borg_passphrase: ''
# Since borg encrypts the backups on the borg-server you should save the
# encryption keys somewhere to another machine to be able to recover the backup
# without the keys on the backup-client.
# While you need the decryption keys as well as actual access to the borg
# repository to download the backup data, you should still treat the decryption
# keys as rather sensitive information.
# Depending on your use case it may be okay to store them in your git repository.
# If wish to encrypt the decryption keys, you look into third party tools for
# that such as ansible-vault, git-crypt or a completely separate secrets
# management system.
borg_decryption_keys_yaml_path: '{{ inventory_dir }}/decryption_keys.yml'
# The role creates a script for backing up with the configured parameters that
# the regular systemd service then executes. This specifies the default location
# and name where the script is stored. By default, we store it as
# `/usr/local/bin/run_borg_backup` so that you can run `run_borg_backup` from
# your shell to create manual backups.
# When you use multiple backups, this script will trigger all of them. You can
# trigger them individually by calling
# {{ borg_backup_script_location }}@{{ borg_backup_argument }}.
# See: `borg_backup_argument` variable.
borg_backup_script_location: /usr/local/bin/run_borg_backup
# Name of the systemd timer that is created for the borg service.
# The borg backup argument is appended to the timer name, meaning the timer will
# be called {{ borg_backup_timer_name }}@{{ borg_backup_argument }}
borg_backup_timer_name: borg_backup
# Name of the systemd service that is created for the borg service.
# The borg backup argument is appended to the service name, meaning the service
# will be called {{ borg_backup_service_name }}@{{ borg_backup_argument }}
borg_backup_service_name: borg_backup
# The backup argument is appended to systemd timer / systemd service and the
# backup script. It is used to distinguish backup targets from one another
# meaning it should be unique per target.
# By default, we use borg_server_host_url, which is fine as long as you don't
# need multiple backup repositories from the same client on the same server.
borg_backup_argument: '{{ borg_server_host_url }}'
# Configures the systemd timer for how regularly to run the backup. By default,
# the backup will run every night attacker 2AM. For more information on how to
# configure this, see: systemd.timer(5)
borg_systemd_oncalendar: '*-*-* 02:00:00'
# Specify the accuracy the timer shall elapse with. By default, we use 60min
# to distribute the load on the backup server. For more information on how to
# configure this see: systemd.timer(5)
borg_systemd_accuracysec: 60min