From 3dc1886a5551d1c0dc2d63846f9e6b508b3991ca Mon Sep 17 00:00:00 2001 
From: erebion Date: Tue, 10 Oct 2023 12:40:22 +0200 Subject: [PATCH] added missing parts for the backup --- .../unhb_backup_scripts/files/98-backup-conf | 12 ++ .../restic-check-read-data.sh | 6 + .../restic-backup-scripts/restic-check.sh | 6 + .../restic-backup-scripts/restic-mount.sh | 6 + .../restic-backup-scripts/restic-unlock.sh | 4 + .../restic_scripts/files/98-backup-conf | 12 ++ .../restic-check-read-data.sh | 6 + .../restic-backup-scripts/restic-check.sh | 6 + .../restic-backup-scripts/restic-mount.sh | 6 + .../restic-backup-scripts/restic-unlock.sh | 4 + .../restic_scripts/tasks/main.yml | 111 +++++++++++++++ .../templates/restic-backup_ENTWURF.sh | 25 ++++ .../templates/restic-backup_ENTWURF.sh.j2 | 25 ++++ .../templates/restic-backup_desktops.sh.j2 | 45 ++++++ .../restic-backup_erebion-matrix.sh.j2 | 21 +++ .../restic-backup_mautrix-signal.sh.j2 | 24 ++++ .../restic-backup_unhb-proxmox-local.sh.j2 | 20 +++ .../templates/restic-backup_unhb2.sh.j2 | 29 ++++ .../templates/restic-backup_unhb4.sh.j2 | 42 ++++++ .../templates/restic-password-repo.j2 | 1 + .../templates/restic-prune.sh.j2 | 6 + .../restic_scripts/templates/restic.env.j2 | 3 + roles/unhb_backup_scripts/tasks/main.yml | 133 ++++++++++++++++++ .../restic-backup_unhb-proxmox-local.sh.j2 | 20 +++ .../templates/restic-backup_unhb2.sh.j2 | 29 ++++ .../templates/restic-backup_unhb4.sh.j2 | 42 ++++++ .../templates/restic.service.j2 | 11 ++ .../templates/restic.timer.j2 | 9 ++ 28 files changed, 664 insertions(+) create mode 100644 roles/unhb_backup_scripts/files/98-backup-conf create mode 100755 roles/unhb_backup_scripts/files/restic-backup-scripts/restic-check-read-data.sh create mode 100755 roles/unhb_backup_scripts/files/restic-backup-scripts/restic-check.sh create mode 100755 roles/unhb_backup_scripts/files/restic-backup-scripts/restic-mount.sh create mode 100755 roles/unhb_backup_scripts/files/restic-backup-scripts/restic-unlock.sh create mode 100644 
roles/unhb_backup_scripts/restic_scripts/files/98-backup-conf create mode 100755 roles/unhb_backup_scripts/restic_scripts/files/restic-backup-scripts/restic-check-read-data.sh create mode 100755 roles/unhb_backup_scripts/restic_scripts/files/restic-backup-scripts/restic-check.sh create mode 100755 roles/unhb_backup_scripts/restic_scripts/files/restic-backup-scripts/restic-mount.sh create mode 100755 roles/unhb_backup_scripts/restic_scripts/files/restic-backup-scripts/restic-unlock.sh create mode 100644 roles/unhb_backup_scripts/restic_scripts/tasks/main.yml create mode 100644 roles/unhb_backup_scripts/restic_scripts/templates/restic-backup_ENTWURF.sh create mode 100644 roles/unhb_backup_scripts/restic_scripts/templates/restic-backup_ENTWURF.sh.j2 create mode 100755 roles/unhb_backup_scripts/restic_scripts/templates/restic-backup_desktops.sh.j2 create mode 100755 roles/unhb_backup_scripts/restic_scripts/templates/restic-backup_erebion-matrix.sh.j2 create mode 100755 roles/unhb_backup_scripts/restic_scripts/templates/restic-backup_mautrix-signal.sh.j2 create mode 100755 roles/unhb_backup_scripts/restic_scripts/templates/restic-backup_unhb-proxmox-local.sh.j2 create mode 100755 roles/unhb_backup_scripts/restic_scripts/templates/restic-backup_unhb2.sh.j2 create mode 100755 roles/unhb_backup_scripts/restic_scripts/templates/restic-backup_unhb4.sh.j2 create mode 100644 roles/unhb_backup_scripts/restic_scripts/templates/restic-password-repo.j2 create mode 100755 roles/unhb_backup_scripts/restic_scripts/templates/restic-prune.sh.j2 create mode 100755 roles/unhb_backup_scripts/restic_scripts/templates/restic.env.j2 create mode 100755 roles/unhb_backup_scripts/templates/restic-backup_unhb-proxmox-local.sh.j2 create mode 100755 roles/unhb_backup_scripts/templates/restic-backup_unhb2.sh.j2 create mode 100755 roles/unhb_backup_scripts/templates/restic-backup_unhb4.sh.j2 create mode 100644 roles/unhb_backup_scripts/templates/restic.service.j2 create mode 100644 
roles/unhb_backup_scripts/templates/restic.timer.j2
diff --git a/roles/unhb_backup_scripts/files/98-backup-conf b/roles/unhb_backup_scripts/files/98-backup-conf
new file mode 100644
index 0000000..65e8c14
--- /dev/null
+++ b/roles/unhb_backup_scripts/files/98-backup-conf
@@ -0,0 +1,12 @@
+# allow members of the sudo group to run backups, but without password
+%sudo ALL = NOPASSWD: /opt/scripts/restic/restic-backup.sh
+#%sudo ALL = NOPASSWD: /opt/scripts/restic/restic-prune.sh
+%sudo ALL = NOPASSWD: /opt/scripts/restic/restic-mount.sh
+%sudo ALL = NOPASSWD: /opt/scripts/restic/restic-check.sh
+%sudo ALL = NOPASSWD: /opt/scripts/restic/restic-check-read-data.sh
+
+%sudo ALL = NOPASSWD: /opt/scripts/restic/restic-backup-externe-4TB-HD-auf-NAS.sh
+#%sudo ALL = NOPASSWD: /opt/scripts/restic/restic-backup-externe-4TB-HD-auf-NAS-PRUNE.sh
+%sudo ALL = NOPASSWD: /opt/scripts/restic/restic-backup-externe-4TB-HD-auf-NAS-MOUNT.sh
+%sudo ALL = NOPASSWD: /opt/scripts/restic/restic-backup-externe-4TB-HD-auf-NAS-CHECK.sh
+%sudo ALL = NOPASSWD: /opt/scripts/restic/restic-backup-externe-4TB-HD-auf-NAS-READ-DATA.sh
diff --git a/roles/unhb_backup_scripts/files/restic-backup-scripts/restic-check-read-data.sh b/roles/unhb_backup_scripts/files/restic-backup-scripts/restic-check-read-data.sh
new file mode 100755
index 0000000..c2a95e1
--- /dev/null
+++ b/roles/unhb_backup_scripts/files/restic-backup-scripts/restic-check-read-data.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+source /opt/scripts/restic/restic.env
+
+restic check --read-data
+
+echo "done! :)"
diff --git a/roles/unhb_backup_scripts/files/restic-backup-scripts/restic-check.sh b/roles/unhb_backup_scripts/files/restic-backup-scripts/restic-check.sh
new file mode 100755
index 0000000..1cefa7d
--- /dev/null
+++ b/roles/unhb_backup_scripts/files/restic-backup-scripts/restic-check.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+source /opt/scripts/restic/restic.env
+
+restic check
+
+echo "done! :)"
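Review bot: The NOPASSWD rules in `98-backup-conf` name scripts this patch never installs: `/opt/scripts/restic/restic-backup.sh` and the `restic-backup-externe-4TB-HD-auf-NAS*.sh` entries have no matching file among the copied scripts or templates, which are named `restic-backup_{{ inventory_hostname }}.sh`. A passwordless root grant on a path that does not exist yet becomes a live grant for whatever is later placed there, so I would keep only the entries for scripts the role deploys as root-owned and not group- or world-writable. No task visible in this patch installs the file; when one is added it should set `mode: '0440'` and `validate: 'visudo -cf %s'` so a syntax error cannot break sudo on the host. The same file is added a second time under `restic_scripts/files/`.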
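Review bot: `restic-check-read-data.sh` always exits 0, because its last command is `echo "done! :)"` and nothing looks at the status of `restic check --read-data`; a failed integrity check or an unreadable `restic.env` is therefore reported as success to sudo, cron or systemd. I would add `set -euo pipefail` directly under the shebang, or write the check as `restic check --read-data || exit 1`. `restic-check.sh`, `restic-mount.sh` and `restic-unlock.sh`, and the copies of all four under `restic_scripts/files/`, have the same shape.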
diff --git a/roles/unhb_backup_scripts/files/restic-backup-scripts/restic-mount.sh b/roles/unhb_backup_scripts/files/restic-backup-scripts/restic-mount.sh
new file mode 100755
index 0000000..ce70e61
--- /dev/null
+++ b/roles/unhb_backup_scripts/files/restic-backup-scripts/restic-mount.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+source /opt/scripts/restic/restic.env
+
+restic mount /mnt/restic
+
+echo "done! :)"
diff --git a/roles/unhb_backup_scripts/files/restic-backup-scripts/restic-unlock.sh b/roles/unhb_backup_scripts/files/restic-backup-scripts/restic-unlock.sh
new file mode 100755
index 0000000..e6e19c9
--- /dev/null
+++ b/roles/unhb_backup_scripts/files/restic-backup-scripts/restic-unlock.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+source /opt/scripts/restic/restic.env
+restic unlock
+echo "done! :)"
diff --git a/roles/unhb_backup_scripts/restic_scripts/files/98-backup-conf b/roles/unhb_backup_scripts/restic_scripts/files/98-backup-conf
new file mode 100644
index 0000000..65e8c14
--- /dev/null
+++ b/roles/unhb_backup_scripts/restic_scripts/files/98-backup-conf
@@ -0,0 +1,12 @@
+# allow members of the sudo group to run backups, but without password
+%sudo ALL = NOPASSWD: /opt/scripts/restic/restic-backup.sh
+#%sudo ALL = NOPASSWD: /opt/scripts/restic/restic-prune.sh
+%sudo ALL = NOPASSWD: /opt/scripts/restic/restic-mount.sh
+%sudo ALL = NOPASSWD: /opt/scripts/restic/restic-check.sh
+%sudo ALL = NOPASSWD: /opt/scripts/restic/restic-check-read-data.sh
+
+%sudo ALL = NOPASSWD: /opt/scripts/restic/restic-backup-externe-4TB-HD-auf-NAS.sh
+#%sudo ALL = NOPASSWD: /opt/scripts/restic/restic-backup-externe-4TB-HD-auf-NAS-PRUNE.sh
+%sudo ALL = NOPASSWD: /opt/scripts/restic/restic-backup-externe-4TB-HD-auf-NAS-MOUNT.sh
+%sudo ALL = NOPASSWD: /opt/scripts/restic/restic-backup-externe-4TB-HD-auf-NAS-CHECK.sh
+%sudo ALL = NOPASSWD: /opt/scripts/restic/restic-backup-externe-4TB-HD-auf-NAS-READ-DATA.sh
diff --git a/roles/unhb_backup_scripts/restic_scripts/files/restic-backup-scripts/restic-check-read-data.sh b/roles/unhb_backup_scripts/restic_scripts/files/restic-backup-scripts/restic-check-read-data.sh
new file mode 100755
index 0000000..c2a95e1
--- /dev/null
+++ b/roles/unhb_backup_scripts/restic_scripts/files/restic-backup-scripts/restic-check-read-data.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+source /opt/scripts/restic/restic.env
+
+restic check --read-data
+
+echo "done! :)"
diff --git a/roles/unhb_backup_scripts/restic_scripts/files/restic-backup-scripts/restic-check.sh b/roles/unhb_backup_scripts/restic_scripts/files/restic-backup-scripts/restic-check.sh
new file mode 100755
index 0000000..1cefa7d
--- /dev/null
+++ b/roles/unhb_backup_scripts/restic_scripts/files/restic-backup-scripts/restic-check.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+source /opt/scripts/restic/restic.env
+
+restic check
+
+echo "done! :)"
diff --git a/roles/unhb_backup_scripts/restic_scripts/files/restic-backup-scripts/restic-mount.sh b/roles/unhb_backup_scripts/restic_scripts/files/restic-backup-scripts/restic-mount.sh
new file mode 100755
index 0000000..ce70e61
--- /dev/null
+++ b/roles/unhb_backup_scripts/restic_scripts/files/restic-backup-scripts/restic-mount.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+source /opt/scripts/restic/restic.env
+
+restic mount /mnt/restic
+
+echo "done! :)"
diff --git a/roles/unhb_backup_scripts/restic_scripts/files/restic-backup-scripts/restic-unlock.sh b/roles/unhb_backup_scripts/restic_scripts/files/restic-backup-scripts/restic-unlock.sh
new file mode 100755
index 0000000..e6e19c9
--- /dev/null
+++ b/roles/unhb_backup_scripts/restic_scripts/files/restic-backup-scripts/restic-unlock.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+source /opt/scripts/restic/restic.env
+restic unlock
+echo "done! :)"
diff --git a/roles/unhb_backup_scripts/restic_scripts/tasks/main.yml b/roles/unhb_backup_scripts/restic_scripts/tasks/main.yml
new file mode 100644
index 0000000..f846067
--- /dev/null
+++ b/roles/unhb_backup_scripts/restic_scripts/tasks/main.yml 
@@ -0,0 +1,111 @@ +--- + +- name: "Install restic" + ansible.builtin.apt: + name: + - restic + state: latest + update_cache: true + become: true + when: ansible_os_family == 'Debian' + +- name: "Ensure /opt/scripts/ exists" + ansible.builtin.file: + path: /opt/scripts + state: directory + mode: '0755' + when: "ansible_os_family == 'Debian'" + +- name: "Ensure /opt/db_dumps/ exists" + ansible.builtin.file: + path: /opt/db_dumps/ + state: directory + owner: postgres + group: postgres + mode: '0774' + ignore_errors: true #to do: auf mautrix-signal kein User "postgres" weil in Docker, muss gelöst werden + when: "ansible_os_family == 'Debian' and 'desktops' not in group_names and 'mautrix-signal' not in inventory_hostname" + +- name: "Copy restic backup scripts" + ansible.builtin.copy: + src: "restic-backup-scripts/" + dest: /opt/scripts/restic/. + owner: root + group: root + mode: u+rwx + force: true + when: "ansible_os_family == 'Debian'" + +- name: "Template restic backup script restic-backup_{{ inventory_hostname }}.sh" + ansible.builtin.template: + src: ../templates/restic-backup_{{ inventory_hostname }}.sh.j2 + dest: /opt/scripts/restic/restic-backup_{{ inventory_hostname }}.sh + owner: root + group: root + mode: 'u+rwx' + force: true + when: "ansible_os_family == 'Debian' and 'desktops' not in group_names" + +#- name: "Template restic backup script ENTWURF" +# ansible.builtin.template: +# src: ../templates/restic-backup_ENTWURF.sh.j2 +# dest: /opt/scripts/restic/restic-backup_ENTWURF.sh +# owner: root +# group: root +# mode: 'u+rwx' + +- name: "Template restic backup script restic-backup_desktops.sh" + ansible.builtin.template: + src: ../templates/restic-backup_desktops.sh.j2 + dest: /opt/scripts/restic/restic-backup_desktops.sh + owner: root + group: root + mode: 'u+rwx' + force: true + when: "ansible_os_family == 'Debian' and 'desktops' in group_names" + +- name: "Template restic prune script restic-prune.sh" + ansible.builtin.template: + src: 
../templates/restic-prune.sh.j2 + dest: /opt/scripts/restic/restic-prune.sh + owner: root + group: root + mode: 'u+rwx' + force: true + when: "ansible_os_family == 'Debian'" + +- name: "Template environment variable file restic.env" + ansible.builtin.template: + src: ../templates/restic.env.j2 + dest: /opt/scripts/restic/restic.env + owner: root + group: root + mode: '0644' + force: true + when: "ansible_os_family == 'Debian'" + +- name: "Template restic password file restic-password-repo" + ansible.builtin.template: + src: ../templates/restic-password-repo.j2 + dest: /opt/scripts/restic/restic-password-repo + owner: root + group: root + mode: '0440' + force: true + when: "ansible_os_family == 'Debian'" + +- name: "Cronjob for Backups" + ansible.builtin.cron: + name: "Restic Backup" + minute: "0" + hour: "3" + job: "/opt/scripts/restic/restic-backup_{{ inventory_hostname }}.sh" + when: "ansible_os_family == 'Debian' and 'desktops' not in group_names" + +- name: "Cronjob for Backups" + ansible.builtin.cron: + name: "Restic Backup" + minute: "0" + hour: "3" + job: "/opt/scripts/restic/restic-backup_desktops.sh" + when: "ansible_os_family == 'Debian' and 'desktops' in group_names" diff --git a/roles/unhb_backup_scripts/restic_scripts/templates/restic-backup_ENTWURF.sh b/roles/unhb_backup_scripts/restic_scripts/templates/restic-backup_ENTWURF.sh new file mode 100644 index 0000000..f239ea4 --- /dev/null +++ b/roles/unhb_backup_scripts/restic_scripts/templates/restic-backup_ENTWURF.sh 
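Review bot: The task "Template restic password file restic-password-repo" renders the repository password without `no_log: true`, so a run with `--diff` can print the secret into the controller's output and any CI log that captures it; add `no_log: true` to that task. The `'0440'` mode with `root:root` is appropriate for the file itself. Separately, `ignore_errors: true` on "Ensure /opt/db_dumps/ exists" hides every failure of that task, while the `when:` on the same task already excludes `mautrix-signal`, so the flag looks removable. The second `tasks/main.yml` changed by this patch carries the same password task.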
@@ -0,0 +1,25 @@
+#!/bin/bash
+source {{ restic_env_file }}
+#We will have to find out whether or not we need to initialize the repo. A non-zero exit code indicates that it has not yet been initialized.
+restic snapshots
+if [ "$?" -eq "0" ]
+then
+ echo "Repo is already initialized, no need to do that."
+else
+ echo "We need to initialize the repo first." && restic init
+fi
+
+
+{% if restic_execute_before is defined %}
+{{ restic_execute_before }}
+{% else %}
+# restic_execute_before is not defined, to insert commands to run before the actual backup, please define the variable in the Ansible Playbook
+{% endif %}
+restic backup --verbose {{ restic_backup_paths }}
+{% if restic_execute_after is defined %}
+{{ restic_execute_after }}
+{% else %}
+# restic_execute_after is not defined, to insert commands to run before the actual backup, please define the variable in the Ansible Playbook
+{% endif %}
+
+echo "done! :)"
diff --git a/roles/unhb_backup_scripts/restic_scripts/templates/restic-backup_ENTWURF.sh.j2 b/roles/unhb_backup_scripts/restic_scripts/templates/restic-backup_ENTWURF.sh.j2
new file mode 100644
index 0000000..2d9ab03
--- /dev/null
+++ b/roles/unhb_backup_scripts/restic_scripts/templates/restic-backup_ENTWURF.sh.j2
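Review bot: The `restic snapshots` probe treats every non-zero exit as "repository not initialised", but an unreachable backend or an unreadable password file fails the same way; the script then runs `restic init`, continues to `restic backup`, and still ends with exit status 0 from the final `echo`. I would probe with `restic cat config >/dev/null 2>&1 || restic init || exit 1` and let a failed `restic backup` set the script's exit code, so a broken backup is visible to whatever schedules it. `{{ restic_backup_paths }}` is also expanded unquoted, so a path containing spaces would be split. The same probe is repeated in every `restic-backup_*.sh.j2` template added in this patch.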
@@ -0,0 +1,25 @@
+#!/bin/bash
+{{ restic_env_file }}
+#We will have to find out whether or not we need to initialize the repo. A non-zero exit code indicates that it has not yet been initialized.
+restic snapshots
+if [ "$?" -eq "0" ]
+then
+ echo "Repo is already initialized, no need to do that."
+else
+ echo "We need to initialize the repo first." && restic init
+fi
+
+
+{% if restic_execute_before is defined %}
+{{ restic_execute_before }}
+{% else %}
+# restic_execute_before is not defined, to insert commands to run before the actual backup, please define the variable in the Ansible Playbook
+{% endif %}
+restic backup --verbose {{ restic_backup_paths }}
+{% if restic_execute_after is defined %}
+{{ restic_execute_after }}
+{% else %}
+# restic_execute_after is not defined, to insert commands to run before the actual backup, please define the variable in the Ansible Playbook
+{% endif %}
+
+echo "done! :)"
diff --git a/roles/unhb_backup_scripts/restic_scripts/templates/restic-backup_desktops.sh.j2 b/roles/unhb_backup_scripts/restic_scripts/templates/restic-backup_desktops.sh.j2
new file mode 100755
index 0000000..6c05639
--- /dev/null
+++ b/roles/unhb_backup_scripts/restic_scripts/templates/restic-backup_desktops.sh.j2
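Review bot: Line 2 of this template is the bare expression `{{ restic_env_file }}`, where the sibling `restic-backup_ENTWURF.sh` has `source {{ restic_env_file }}`. Rendered as is, the script would try to run the env file as a command instead of sourcing it, so `RESTIC_REPOSITORY` and `RESTIC_PASSWORD_FILE` would not be set for the restic calls that follow. Change the line to `source {{ restic_env_file }}`.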
@@ -0,0 +1,45 @@
+#!/bin/bash
+source /opt/scripts/restic/restic.env
+#We will have to find out whether or not we need to initialize the repo. A non-zero exit code indicates that it has not yet been initialized.
+restic snapshots
+if [ "$?" -eq "0" ]
+then
+ echo "Repo is already initialized, no need to do that."
+else
+ echo "We need to initialize the repo first." && restic init
+fi
+
+restic backup --verbose / \
+ --exclude /home/{{ user }}/.cache \
+ --exclude /home/{{ user }}/cache \
+ --exclude /home/{{ user }}/.config/Element/Cache/ \
+ --exclude /home/{{ user }}/.config/Element/GPUCache \
+ --exclude /home/{{ user }}/.config/Element/Code\ Cache/ \
+ --exclude /home/{{ user }}/.config/Signal/attachments.noindex \
+ --exclude /home/{{ user }}/.config/SchildiChat/Cache \
+ --exclude /home/{{ user }}/.config/SchildiChat/GPUCache \
+ --exclude /home/{{ user }}/.config/SchildiChat/Code\ Cache/ \
+ --exclude /home/{{ user }}/.config/Signal/Cache \
+ --exclude /home/{{ user }}/.config/Signal/GPUCache \
+ --exclude /home/{{ user }}/.config/Signal/Code\ Cache/ \
+ --exclude /home/{{ user }}/.local/share/Trash \
+ --exclude /home/{{ user }}/Bilder \
+ --exclude /home/{{ user }}/Downloads \
+ --exclude /home/{{ user }}/gPodder/Downloads/ \
+ --exclude /home/{{ user }}/Nextcloud \
+ --exclude /home/{{ user }}/no-backup \
+ --exclude /home/{{ user }}/synced_folders \
+ --exclude /home/{{ user }}/sync \
+ --exclude /home/{{ user }}/Signal_Backups \
+ --exclude /lost+found \
+ --exclude /media \
+ --exclude /mnt \
+ --exclude /proc \
+ --exclude /run \
+ --exclude /root/.cache \
+ --exclude /sys \
+ --exclude /tmp \
+ --exclude /var/cache \
+ --exclude /var/tmp
+
+echo "done! :)"
diff --git a/roles/unhb_backup_scripts/restic_scripts/templates/restic-backup_erebion-matrix.sh.j2 b/roles/unhb_backup_scripts/restic_scripts/templates/restic-backup_erebion-matrix.sh.j2
new file mode 100755
index 0000000..c77bede
--- /dev/null
+++ b/roles/unhb_backup_scripts/restic_scripts/templates/restic-backup_erebion-matrix.sh.j2
@@ -0,0 +1,21 @@
+#!/bin/bash
+source /opt/scripts/restic/restic.env
+#We will have to find out whether or not we need to initialize the repo. A non-zero exit code indicates that it has not yet been initialized.
+restic snapshots
+if [ "$?" -eq "0" ]
+then
+ echo "Repo is already initialized, no need to do that."
+else
+ echo "We need to initialize the repo first." && restic init
+fi
+
+su - postgres --session-command 'pg_dump "{{ matrix_db_name }}" -f /opt/db_dumps/db-dump-{{ matrix_db_name }}.sql'
+su - postgres --session-command 'pg_dump "mautrix_googlechat" -f /opt/db_dumps/db-dump-mautrix_googlechat.sql'
+su - postgres --session-command 'pg_dump "mautrix_slack" -f /opt/db_dumps/db-dump-mautrix_slack.sql'
+
+restic backup --verbose \
+ /etc/matrix-synapse \
+ /opt \
+ /var/lib/matrix-synapse
+
+echo "done! :)"
diff --git a/roles/unhb_backup_scripts/restic_scripts/templates/restic-backup_mautrix-signal.sh.j2 b/roles/unhb_backup_scripts/restic_scripts/templates/restic-backup_mautrix-signal.sh.j2
new file mode 100755
index 0000000..b5aeec7
--- /dev/null
+++ b/roles/unhb_backup_scripts/restic_scripts/templates/restic-backup_mautrix-signal.sh.j2
@@ -0,0 +1,24 @@
+#!/bin/bash
+source /opt/scripts/restic/restic.env
+#We will have to find out whether or not we need to initialize the repo. A non-zero exit code indicates that it has not yet been initialized.
+restic snapshots
+if [ "$?" -eq "0" ]
+then
+ echo "Repo is already initialized, no need to do that."
+else
+ echo "We need to initialize the repo first." && restic init
+fi
+
+# systemctl disable --now mautrix-signal.service
+
+su - postgres --session-command 'pg_dump "{{ database_vars.mautrix_signal.db }}" -f /opt/db_dumps/db-dump-mautrix-signal.sql'
+
+restic backup --verbose \
+ /data-usb \
+ /etc/matrix-synapse \
+ /opt \
+ /var/lib/matrix-synapse
+
+# systemctl enable --now mautrix-signal.service
+
+echo "done! :)"
diff --git a/roles/unhb_backup_scripts/restic_scripts/templates/restic-backup_unhb-proxmox-local.sh.j2 b/roles/unhb_backup_scripts/restic_scripts/templates/restic-backup_unhb-proxmox-local.sh.j2
new file mode 100755
index 0000000..d404eb5
--- /dev/null
+++ b/roles/unhb_backup_scripts/restic_scripts/templates/restic-backup_unhb-proxmox-local.sh.j2
@@ -0,0 +1,20 @@
+#!/bin/bash
+source /opt/scripts/restic/restic.env
+#We will have to find out whether or not we need to initialize the repo. A non-zero exit code indicates that it has not yet been initialized.
+restic snapshots
+if [ "$?" -eq "0" ]
+then
+ echo "Repo is already initialized, no need to do that."
+else
+ echo "We need to initialize the repo first." && restic init
+fi
+
+restic backup --verbose \
+ /etc \
+ /home \
+ /opt \
+ /root \
+ /srv \
+ /var/www
+
+echo "done! :)"
diff --git a/roles/unhb_backup_scripts/restic_scripts/templates/restic-backup_unhb2.sh.j2 b/roles/unhb_backup_scripts/restic_scripts/templates/restic-backup_unhb2.sh.j2
new file mode 100755
index 0000000..8c90754
--- /dev/null
+++ b/roles/unhb_backup_scripts/restic_scripts/templates/restic-backup_unhb2.sh.j2
@@ -0,0 +1,29 @@
+#!/bin/bash
+source /opt/scripts/restic/restic.env
+#We will have to find out whether or not we need to initialize the repo. A non-zero exit code indicates that it has not yet been initialized.
+restic snapshots
+if [ "$?" -eq "0" ]
+then
+ echo "Repo is already initialized, no need to do that."
+else
+ echo "We need to initialize the repo first." && restic init
+fi
+
+echo "Now dumping databases, this might take a while..."
+set -x
+docker exec -t pretix_pg-sql.server2 pg_dumpall -c -U prtxdb > /opt/db_dumps/db-dump-pretix_db.sql
+#docker exec docker-partkeepr-database-1 sh -c "exec mariadb-dump --all-databases -u{{ unhb4_mariadb_containers['partkeepr'].user }} --password=$MARIADB_PASSWORD_PARTKEEPR" > /opt/db_dumps/db-dump-partkeepr_db.sql
+source /opt/scripts/restic/restic_db_passwords.env
+docker exec -t engel_sql.server2 sh -c "exec mysqldump --all-databases -u{{ unhb4_mariadb_containers['engelsystem'].user }} --password=$MARIADB_PASSWORD_ENGELSYSTEM" > /opt/db_dumps/db-dump-engelsystem_db.sql
+set +x
+
+restic backup --verbose \
+ /etc \
+ /home \
+ /opt \
+ /root \
+ /srv \
+ /var/lib/docker/volumes/ \
+ /var/www
+
+echo "done! :)"
diff --git a/roles/unhb_backup_scripts/restic_scripts/templates/restic-backup_unhb4.sh.j2 b/roles/unhb_backup_scripts/restic_scripts/templates/restic-backup_unhb4.sh.j2
new file mode 100755
index 0000000..d8b9ff6
--- /dev/null
+++ b/roles/unhb_backup_scripts/restic_scripts/templates/restic-backup_unhb4.sh.j2
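Review bot: `set -x` is switched on around the dump commands, so bash traces the expanded `--password=$MARIADB_PASSWORD_ENGELSYSTEM` argument and the commands read by `source /opt/scripts/restic/restic_db_passwords.env` to stderr, which ends up in the journal or in cron mail. I would drop the `set -x` / `set +x` pair, or at least move the `source` line above it and keep the `mysqldump` line outside the traced region. The password is also passed on the `docker exec` command line, where it is visible in the host's process list while the dump runs; handing it over through the client's `MYSQL_PWD` environment variable or an option file inside the container avoids that. `docker exec -t` allocates a TTY, which is likely to fail or alter line endings in the dump when the script runs unattended, so `-t` should go as well. Both `restic-backup_unhb4.sh.j2` templates and the second copy of this file under `templates/` have the same pattern.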
@@ -0,0 +1,42 @@ +#!/bin/bash +# +# +# This file is managed via Ansible, do not edit manually. Changes might get overwitten. +# +# +source /opt/scripts/restic/restic.env +source /opt/scripts/restic/restic_db_passwords.env +#We will have to find out whether or not we need to initialize the repo. A non-zero exit code indicates that it has not yet been initialized. +restic snapshots +if [ "$?" -eq "0" ] +then + echo "Repo is already initialized, no need to do that." +else + echo "We need to initialize the repo first." && restic init +fi + +echo "Now dumping databases, this might take a while..." +set -x +docker exec -t matrix_sql.server4 pg_dumpall -c -U user_synapse_unhb > /opt/db_dumps/db-dump-synapse_db.sql +docker exec -t authentik-postgresql-1 pg_dumpall -c -U authentik > /opt/db_dumps/db-dump-authentik_db.sql +docker exec -t hedgedoc_sql15.server4 pg_dumpall -c -U md > /opt/db_dumps/db-dump-hedgedoc_db.sql +docker exec -t tandoor-tandoor_recipes_db-1 pg_dumpall -c -U djangouser > /opt/db_dumps/db-dump-tandoor_db.sql +docker exec -t wikijs-wikijs-db-1 pg_dumpall -c -U wikijs > /opt/db_dumps/db-dump-wikijs_db.sql +docker exec -t nextcloud_sql.server4 sh -c "exec mariadb-dump --all-databases -uroot --password=$MARIADB_ROOT_PASSWORD_NEXTCLOUD" > /opt/db_dumps/db-dump-nextcloud_db.sql +docker exec -t etherpad_sql.server4 sh -c "exec mariadb-dump --all-databases -uroot --password=$MARIADB_ROOT_PASSWORD_ETHERPAD" > /opt/db_dumps/db-dump-etherpad_db.sql +docker exec -t jverein_sql.server4 sh -c "exec mariadb-dump --all-databases -uroot --password=$MARIADB_ROOT_PASSWORD_JVEREIN" > /opt/db_dumps/db-dump-jverein_db.sql +docker exec -t url-shortener_sql.server4 sh -c "exec mariadb-dump --all-databases -uroot --password=$MARIADB_ROOT_PASSWORD_URLSHORTENER" > /opt/db_dumps/db-dump-urlshortener_db.sql +docker exec -t wiki_sql.server4 sh -c "exec mariadb-dump --all-databases -uroot --password=$MARIADB_ROOT_PASSWORD_WIKI" > /opt/db_dumps/db-dump-wiki_db.sql +docker exec -t 
wordpress_sql.server4 sh -c "exec mysqldump --all-databases -uroot --password=$MARIADB_ROOT_PASSWORD_WORDPRESS" > /opt/db_dumps/db-dump-wordpress_db.sql +set +x + +restic backup --verbose \ + /etc \ + /home \ + /opt \ + /root \ + /srv \ + /var/lib/docker/volumes/ \ + /var/www + +echo "done! :)" diff --git a/roles/unhb_backup_scripts/restic_scripts/templates/restic-password-repo.j2 b/roles/unhb_backup_scripts/restic_scripts/templates/restic-password-repo.j2 new file mode 100644 index 0000000..b66fd94 --- /dev/null +++ b/roles/unhb_backup_scripts/restic_scripts/templates/restic-password-repo.j2 @@ -0,0 +1 @@ +{{ restic_password_repo[inventory_hostname]["password"] }} diff --git a/roles/unhb_backup_scripts/restic_scripts/templates/restic-prune.sh.j2 b/roles/unhb_backup_scripts/restic_scripts/templates/restic-prune.sh.j2 new file mode 100755 index 0000000..bef5c0e --- /dev/null +++ b/roles/unhb_backup_scripts/restic_scripts/templates/restic-prune.sh.j2 @@ -0,0 +1,6 @@ +#!/bin/bash +source /opt/scripts/restic/restic.env + +restic forget --prune --keep-within 1m --host={{ ansible_hostname }} + +echo "done! :)" diff --git a/roles/unhb_backup_scripts/restic_scripts/templates/restic.env.j2 b/roles/unhb_backup_scripts/restic_scripts/templates/restic.env.j2 new file mode 100755 index 0000000..c648512 --- /dev/null +++ b/roles/unhb_backup_scripts/restic_scripts/templates/restic.env.j2 @@ -0,0 +1,3 @@ +#!/bin/bash +export RESTIC_REPOSITORY="{{ restic_repository_location }}{{ inventory_hostname }}" +export RESTIC_PASSWORD_FILE="/opt/scripts/restic/restic-password-repo" diff --git a/roles/unhb_backup_scripts/tasks/main.yml b/roles/unhb_backup_scripts/tasks/main.yml index 9fb8378..028a57d 100644 --- a/roles/unhb_backup_scripts/tasks/main.yml +++ b/roles/unhb_backup_scripts/tasks/main.yml 
@@ -1,5 +1,138 @@ --- +- name: "Install restic" + ansible.builtin.apt: + name: + - restic + state: latest + update_cache: true + become: true + when: ansible_os_family == 'Debian' + +- name: "Ensure /opt/scripts/ exists" + ansible.builtin.file: + path: /opt/scripts + state: directory + mode: '0755' + when: "ansible_os_family == 'Debian'" + +- name: "Ensure /opt/db_dumps/ exists" + ansible.builtin.file: + path: /opt/db_dumps/ + state: directory + owner: root + group: root + mode: '0644' + when: "ansible_os_family == 'Debian'" + +- name: "Copy restic backup scripts" + ansible.builtin.copy: + src: "restic-backup-scripts/" + dest: /opt/scripts/restic/. + owner: root + group: root + mode: u+rwx + force: true + when: "ansible_os_family == 'Debian'" + +- name: "Template restic backup script restic-backup_{{ inventory_hostname }}.sh" + ansible.builtin.template: + src: ../templates/restic-backup_{{ inventory_hostname }}.sh.j2 + dest: /opt/scripts/restic/restic-backup_{{ inventory_hostname }}.sh + owner: root + group: root + mode: 'u+rwx' + force: true + when: "ansible_os_family == 'Debian'" + +- name: "Template restic prune script restic-prune.sh" + ansible.builtin.template: + src: ../templates/restic-prune.sh.j2 + dest: /opt/scripts/restic/restic-prune.sh + owner: root + group: root + mode: 'u+rwx' + force: true + when: "ansible_os_family == 'Debian'" + +- name: "Template environment variable file restic.env" + ansible.builtin.template: + src: ../templates/restic.env.j2 + dest: /opt/scripts/restic/restic.env + owner: root + group: root + mode: '0644' + force: true + when: "ansible_os_family == 'Debian'" + +- name: "Template restic password file restic-password-repo" + ansible.builtin.template: + src: ../templates/restic-password-repo.j2 + dest: /opt/scripts/restic/restic-password-repo + owner: root + group: root + mode: '0440' + force: true + when: "ansible_os_family == 'Debian'" + +- name: "Template systemd units for restic" + ansible.builtin.template: + src: 
"restic-wasabi.service.j2" + dest: "/etc/systemd/system/restic@.service" + owner: root + group: root + mode: 'u+rwx' + when: "ansible_os_family == 'Debian'" + +- name: "Template systemd timers for restic" + ansible.builtin.template: + src: "restic-wasabi.timer.j2" + dest: "/etc/systemd/system/restic@.timer" + owner: root + group: root + mode: 'u+rwx' + when: "ansible_os_family == 'Debian'" + +- name: "Reload systemd units" + ansible.builtin.systemd: + daemon_reload: true + when: unit.changed + +- name: "Restart systemd units for restic" + ansible.builtin.systemd: + state: restarted + enabled: true + name: "{{ item }}" + with_items: + - "restic@{{ inventory_hostname }}.service" + - "restic@{{ inventory_hostname }}.timer" + when: unit.changed + +- name: "Enable systemd units for restic-wasabi" + ansible.builtin.systemd: + state: started + enabled: true + name: "{{ item }}" + with_items: + - "restic@{{ inventory_hostname }}.service" + - "restic@{{ inventory_hostname }}.timer" + +#- name: "Cronjob for Backups" +# ansible.builtin.cron: +# name: "Restic Backup" +# minute: "0" +# hour: "3" +# job: "/opt/scripts/restic/restic-backup_{{ inventory_hostname }}.sh" +# when: "ansible_os_family == 'Debian' and 'desktops' not in group_names" + +#- name: "Cronjob for Backups" +# ansible.builtin.cron: +# name: "Restic Backup" +# minute: "0" +# hour: "3" +# job: "/opt/scripts/restic/restic-backup_desktops.sh" +# when: "ansible_os_family == 'Debian' and 'desktops' in group_names" + - name: "Template restic_db_passwords.env" ansible.builtin.template: src: "restic_db_passwords.env_{{ inventory_hostname }}.j2" diff --git a/roles/unhb_backup_scripts/templates/restic-backup_unhb-proxmox-local.sh.j2 b/roles/unhb_backup_scripts/templates/restic-backup_unhb-proxmox-local.sh.j2 new file mode 100755 index 0000000..d404eb5 --- /dev/null +++ b/roles/unhb_backup_scripts/templates/restic-backup_unhb-proxmox-local.sh.j2 
@@ -0,0 +1,20 @@
+#!/bin/bash
+source /opt/scripts/restic/restic.env
+#We will have to find out whether or not we need to initialize the repo. A non-zero exit code indicates that it has not yet been initialized.
+restic snapshots
+if [ "$?" -eq "0" ]
+then
+ echo "Repo is already initialized, no need to do that."
+else
+ echo "We need to initialize the repo first." && restic init
+fi
+
+restic backup --verbose \
+ /etc \
+ /home \
+ /opt \
+ /root \
+ /srv \
+ /var/www
+
+echo "done! :)"
diff --git a/roles/unhb_backup_scripts/templates/restic-backup_unhb2.sh.j2 b/roles/unhb_backup_scripts/templates/restic-backup_unhb2.sh.j2
new file mode 100755
index 0000000..8c90754
--- /dev/null
+++ b/roles/unhb_backup_scripts/templates/restic-backup_unhb2.sh.j2
@@ -0,0 +1,29 @@
+#!/bin/bash
+source /opt/scripts/restic/restic.env
+#We will have to find out whether or not we need to initialize the repo. A non-zero exit code indicates that it has not yet been initialized.
+restic snapshots
+if [ "$?" -eq "0" ]
+then
+ echo "Repo is already initialized, no need to do that."
+else
+ echo "We need to initialize the repo first." && restic init
+fi
+
+echo "Now dumping databases, this might take a while..."
+set -x
+docker exec -t pretix_pg-sql.server2 pg_dumpall -c -U prtxdb > /opt/db_dumps/db-dump-pretix_db.sql
+#docker exec docker-partkeepr-database-1 sh -c "exec mariadb-dump --all-databases -u{{ unhb4_mariadb_containers['partkeepr'].user }} --password=$MARIADB_PASSWORD_PARTKEEPR" > /opt/db_dumps/db-dump-partkeepr_db.sql
+source /opt/scripts/restic/restic_db_passwords.env
+docker exec -t engel_sql.server2 sh -c "exec mysqldump --all-databases -u{{ unhb4_mariadb_containers['engelsystem'].user }} --password=$MARIADB_PASSWORD_ENGELSYSTEM" > /opt/db_dumps/db-dump-engelsystem_db.sql
+set +x
+
+restic backup --verbose \
+ /etc \
+ /home \
+ /opt \
+ /root \
+ /srv \
+ /var/lib/docker/volumes/ \
+ /var/www
+
+echo "done! :)"
diff --git a/roles/unhb_backup_scripts/templates/restic-backup_unhb4.sh.j2 b/roles/unhb_backup_scripts/templates/restic-backup_unhb4.sh.j2
new file mode 100755
index 0000000..64f69f9
--- /dev/null
+++ b/roles/unhb_backup_scripts/templates/restic-backup_unhb4.sh.j2
@@ -0,0 +1,42 @@ +#!/bin/bash +# +# +# This file is managed via Ansible, do not edit manually. Changes might get overwitten. +# +# +source /opt/scripts/restic/restic.env +source /opt/scripts/restic/restic_db_passwords.env +#We will have to find out whether or not we need to initialize the repo. A non-zero exit code indicates that it has not yet been initialized. +restic snapshots +if [ "$?" -eq "0" ] +then + echo "Repo is already initialized, no need to do that." +else + echo "We need to initialize the repo first." && restic init +fi + +echo "Now dumping databases, this might take a while..." +set -x +docker exec -t matrix_sql.server4 pg_dumpall -c -U user_synapse_unhb > /opt/db_dumps/db-dump-synapse_db.sql +docker exec -t authentik-postgresql-1 pg_dumpall -c -U authentik > /opt/db_dumps/db-dump-authentik_db.sql +docker exec -t hedgedoc_sql15.server4 pg_dumpall -c -U md > /opt/db_dumps/db-dump-hedgedoc_db.sql +docker exec -t tandoor-tandoor_recipes_db-1 pg_dumpall -c -U djangouser > /opt/db_dumps/db-dump-tandoor_db.sql +docker exec -t wikijs-wikijs-db-1 pg_dumpall -c -U wikijs > /opt/db_dumps/db-dump-wikijs_db.sql +docker exec -t nextcloud_sql.server4 sh -c "exec mariadb-dump --all-databases -uroot --password=$MARIADB_PASSWORD_NEXTCLOUD" > /opt/db_dumps/db-dump-nextcloud_db.sql +docker exec -t etherpad_sql.server4 sh -c "exec mariadb-dump --all-databases -uroot --password=$MARIADB_PASSWORD_ETHERPAD" > /opt/db_dumps/db-dump-etherpad_db.sql +docker exec -t jverein_sql.server4 sh -c "exec mariadb-dump --all-databases -uroot --password=$MARIADB_PASSWORD_JVEREIN" > /opt/db_dumps/db-dump-jverein_db.sql +docker exec -t url-shortener_sql.server4 sh -c "exec mariadb-dump --all-databases -uroot --password=$MARIADB_PASSWORD_URLSHORTENER" > /opt/db_dumps/db-dump-urlshortener_db.sql +docker exec -t wiki_sql.server4 sh -c "exec mariadb-dump --all-databases -uroot --password=$MARIADB_PASSWORD_WIKI" > /opt/db_dumps/db-dump-wiki_db.sql +docker exec -t wordpress_sql.server4 sh -c 
"exec mysqldump --all-databases -uroot --password=$MARIADB_PASSWORD_WORDPRESS" > /opt/db_dumps/db-dump-wordpress_db.sql +set +x + +restic backup --verbose \ + /etc \ + /home \ + /opt \ + /root \ + /srv \ + /var/lib/docker/volumes/ \ + /var/www + +echo "done! :)" diff --git a/roles/unhb_backup_scripts/templates/restic.service.j2 b/roles/unhb_backup_scripts/templates/restic.service.j2 new file mode 100644 index 0000000..bee346f --- /dev/null +++ b/roles/unhb_backup_scripts/templates/restic.service.j2 @@ -0,0 +1,11 @@ +[Unit] +Description=This unit will start the restic backup +After= +Wants= + +[Service] +Restart=no +Type=simple +ExecStart=/opt/scripts/restic/restic-backup_%i.sh + +[Install] diff --git a/roles/unhb_backup_scripts/templates/restic.timer.j2 b/roles/unhb_backup_scripts/templates/restic.timer.j2 new file mode 100644 index 0000000..ba2f07f --- /dev/null +++ b/roles/unhb_backup_scripts/templates/restic.timer.j2 @@ -0,0 +1,9 @@ +[Unit] +Description=Timer starting restic-wasabi.service + +[Timer] +OnCalendar={{ restic_start_time }} +Unit=restic-wasabi@%i.service + +[Install] +WantedBy=multi-user.target