diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml
index 8af8bab..1824797 100644
--- a/roles/docker/defaults/main.yml
+++ b/roles/docker/defaults/main.yml
@@ -49,9 +49,10 @@ services:
 restic:
 file: restic_backup.yml
- user: "datacoop"
- domain: "restic.cannedtuna.org"
- repository: "datacoop-hevonen"
+ user: "dc-user"
+ domain: "rynkeby.skovgaard.tel"
+ volume_folder: "{{ volume_root_folder }}/restic"
+ repository: "/mnt/SpinningRust/data.coop-backup/restic"
 ssh_pubkey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN1lNLshXytq+mx2LPzm8Neh/nrVqCR3iDXPONzBag9s restic@fedder
 version: "1.6.0"
 disabled_in_vagrant: true
diff --git a/roles/docker/tasks/services/restic_backup.yml b/roles/docker/tasks/services/restic_backup.yml
index 20ed075..731ee47 100644
--- a/roles/docker/tasks/services/restic_backup.yml
+++ b/roles/docker/tasks/services/restic_backup.yml
@@ -1,5 +1,29 @@
 # vim: ft=yaml.ansible
 ---
+- name: Create SSH directory
+ file:
+ name: "{{ services.restic.volume_folder }}/ssh"
+ owner: root
+ group: root
+ mode: '0700'
+ state: directory
+
+- name: Copy private SSH key
+ copy:
+ dest: "{{ services.restic.volume_folder }}/ssh/id_ed25519"
+ owner: root
+ group: root
+ mode: '0600'
+ content: "{{ restic_secrets.ssh_privkey }}"
+
+- name: Copy public SSH key
+ copy:
+ dest: "{{ services.restic.volume_folder }}/ssh/id_ed25519.pub"
+ owner: root
+ group: root
+ mode: '0644'
+ content: "{{ services.restic.ssh_pubkey }}"
+
 - name: Setup restic backup
 docker_compose:
 project_name: restic_backup
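Review bot: The `Copy private SSH key` task in restic_backup.yml writes `restic_secrets.ssh_privkey` through `content:` without `no_log: true`, so a run with `--diff` or raised verbosity can print the key material to the console and to any CI log that captures it; add `no_log: true` to that task. OpenSSH also tends to reject a private key file that lacks a final newline, so confirm the vaulted value ends with one. The three new tasks are complete in this hunk, while the `Setup restic backup` task that follows continues past it.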
@@ -13,12 +37,12 @@
 environment:
 RUN_ON_STARTUP: "false"
 BACKUP_CRON: "0 30 3 * * *"
- RESTIC_REPOSITORY: "rest:https://{{ services.restic.user }}:{{ restic_secrets.user_password }}@{{ services.restic.domain }}/{{ services.restic.repository }}"
+ RESTIC_REPOSITORY: "sftp:{{ services.restic.user }}@{{ services.restic.domain }}:{{ services.restic.repository }}"
 RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}"
 RESTIC_BACKUP_SOURCES: "/mnt/volumes"
 RESTIC_BACKUP_ARGS: >-
 --tag datacoop-volumes
- --exclude='*.tmp'
+ --exclude '*.tmp'
 --verbose
 RESTIC_FORGET_ARGS: >-
 --keep-last 10
@@ -27,6 +51,7 @@
 --keep-monthly 12
 TZ: Europe/Copenhagen
 volumes:
+ - "{{ services.restic.volume_folder }}/ssh:/run/secrets/.ssh:ro"
 - /docker-volumes:/mnt/volumes:ro
 restic-prune:
@@ -34,6 +59,8 @@
 environment:
 RUN_ON_STARTUP: "false"
 PRUNE_CRON: "0 0 4 * * *"
- RESTIC_REPOSITORY: "rest:https://{{ services.restic.user }}:{{ restic_secrets.user_password }}@{{ services.restic.domain }}/{{ services.restic.repository }}"
+ RESTIC_REPOSITORY: "sftp:{{ services.restic.user }}@{{ services.restic.domain }}:{{ services.restic.repository }}"
 RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}"
 TZ: Europe/copenhagen
+ volumes:
+ - "{{ services.restic.volume_folder }}/ssh:/run/secrets/.ssh:ro"
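Review bot: Switching `RESTIC_REPOSITORY` to `sftp:` in the first hunk here (`@@ -13,12 +37,12 @@`), and again for `restic-prune` in the last hunk, makes the single key in `restic_secrets.ssh_privkey` a read, write and delete credential for the repository path, so a compromise of this host also puts the existing backups at risk. Whether the previous REST endpoint enforced append-only access is not visible here, but plain SFTP offers no equivalent. It is worth limiting the key on the backup host, for example a dedicated account whose `authorized_keys` entry carries `restrict` and an SFTP-only forced command, and keeping repository snapshots outside that account's reach. The compose definition starts before and continues after this hunk.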
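Review bot: No `known_hosts` file is provisioned for the directory mounted in the second hunk (`@@ -27,6 +51,7 @@`): `{{ services.restic.volume_folder }}/ssh` receives only `id_ed25519` and `id_ed25519.pub` from this commit, so the host key of `services.restic.domain` is not pinned. Because the mount is `:ro`, ssh inside the container cannot record the key on first connect either; depending on how the image configures ssh (not visible here), the connection either fails or runs with host key checking disabled, leaving the backup target unauthenticated. Consider adding a task that writes the server's public host key, taken from a new role variable, to `{{ services.restic.volume_folder }}/ssh/known_hosts`. The same mount is added to `restic-prune` in the last hunk.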