Use Fedder's TrueNAS for Restic backups #153
|
@ -49,9 +49,10 @@ services:
|
||||||
|
|
||||||
restic:
|
restic:
|
||||||
file: restic_backup.yml
|
file: restic_backup.yml
|
||||||
user: "datacoop"
|
user: "dc-user"
|
||||||
domain: "restic.cannedtuna.org"
|
domain: "rynkeby.skovgaard.tel"
|
||||||
repository: "datacoop-hevonen"
|
volume_folder: "{{ volume_root_folder }}/restic"
|
||||||
|
repository: "/mnt/SpinningRust/data.coop-backup/restic"
|
||||||
ssh_pubkey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN1lNLshXytq+mx2LPzm8Neh/nrVqCR3iDXPONzBag9s restic@fedder
|
ssh_pubkey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN1lNLshXytq+mx2LPzm8Neh/nrVqCR3iDXPONzBag9s restic@fedder
|
||||||
version: "1.6.0"
|
version: "1.6.0"
|
||||||
disabled_in_vagrant: true
|
disabled_in_vagrant: true
|
||||||
|
|
|
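Review bot: The switch to an `sftp:` repository on `rynkeby.skovgaard.tel` adds the client identity (`ssh_pubkey`) but nothing that pins the TrueNAS server's host key, so the ssh client inside the restic container has no `known_hosts` entry to verify the destination against. Depending on how the image configures ssh (not visible from here), that either makes the first backup fail on a host-key prompt or, if strict host-key checking is disabled, sends the backup data to whichever host answers for that name. Consider adding the server's host key next to `ssh_pubkey`, e.g. `ssh_known_hosts: "rynkeby.skovgaard.tel ssh-ed25519 <TRUENAS-HOST-KEY-PLACEHOLDER>"`, so the task file can render a `known_hosts` file into the same mounted `ssh/` directory. As a style point, `ssh_pubkey` is the only plain unquoted scalar in this block; quoting it like its neighbours avoids a surprise if the comment field ever contains ` #` or `: `.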
@ -1,5 +1,29 @@
|
||||||
# vim: ft=yaml.ansible
|
# vim: ft=yaml.ansible
|
||||||
---
|
---
|
||||||
|
- name: Create SSH directory
|
||||||
|
file:
|
||||||
|
name: "{{ services.restic.volume_folder }}/ssh"
|
||||||
|
owner: root
|
||||||
|
|||||||
|
group: root
|
||||||
|
mode: '0700'
|
||||||
|
state: directory
|
||||||
|
|
||||||
|
- name: Copy private SSH key
|
||||||
|
copy:
|
||||||
|
dest: "{{ services.restic.volume_folder }}/ssh/id_ed25519"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: '0600'
|
||||||
|
content: "{{ restic_secrets.ssh_privkey }}"
|
||||||
|
|
||||||
|
- name: Copy public SSH key
|
||||||
|
copy:
|
||||||
|
dest: "{{ services.restic.volume_folder }}/ssh/id_ed25519.pub"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: '0644'
|
||||||
|
content: "{{ services.restic.ssh_pubkey }}"
|
||||||
|
|
||||||
- name: Setup restic backup
|
- name: Setup restic backup
|
||||||
docker_compose:
|
docker_compose:
|
||||||
project_name: restic_backup
|
project_name: restic_backup
|
||||||
|
@ -13,12 +37,12 @@
|
||||||
environment:
|
environment:
|
||||||
RUN_ON_STARTUP: "false"
|
RUN_ON_STARTUP: "false"
|
||||||
BACKUP_CRON: "0 30 3 * * *"
|
BACKUP_CRON: "0 30 3 * * *"
|
||||||
RESTIC_REPOSITORY: "rest:https://{{ services.restic.user }}:{{ restic_secrets.user_password }}@{{ services.restic.domain }}/{{ services.restic.repository }}"
|
RESTIC_REPOSITORY: "sftp:{{ services.restic.user }}@{{ services.restic.domain }}:{{ services.restic.repository }}"
|
||||||
RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}"
|
RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}"
|
||||||
RESTIC_BACKUP_SOURCES: "/mnt/volumes"
|
RESTIC_BACKUP_SOURCES: "/mnt/volumes"
|
||||||
RESTIC_BACKUP_ARGS: >-
|
RESTIC_BACKUP_ARGS: >-
|
||||||
--tag datacoop-volumes
|
--tag datacoop-volumes
|
||||||
--exclude='*.tmp'
|
--exclude '*.tmp'
|
||||||
--verbose
|
--verbose
|
||||||
RESTIC_FORGET_ARGS: >-
|
RESTIC_FORGET_ARGS: >-
|
||||||
--keep-last 10
|
--keep-last 10
|
||||||
|
@ -27,6 +51,7 @@
|
||||||
--keep-monthly 12
|
--keep-monthly 12
|
||||||
TZ: Europe/Copenhagen
|
TZ: Europe/Copenhagen
|
||||||
volumes:
|
volumes:
|
||||||
|
- "{{ services.restic.volume_folder }}/ssh:/run/secrets/.ssh:ro"
|
||||||
- /docker-volumes:/mnt/volumes:ro
|
- /docker-volumes:/mnt/volumes:ro
|
||||||
|
|
||||||
restic-prune:
|
restic-prune:
|
||||||
|
@ -34,6 +59,8 @@
|
||||||
environment:
|
environment:
|
||||||
RUN_ON_STARTUP: "false"
|
RUN_ON_STARTUP: "false"
|
||||||
PRUNE_CRON: "0 0 4 * * *"
|
PRUNE_CRON: "0 0 4 * * *"
|
||||||
RESTIC_REPOSITORY: "rest:https://{{ services.restic.user }}:{{ restic_secrets.user_password }}@{{ services.restic.domain }}/{{ services.restic.repository }}"
|
RESTIC_REPOSITORY: "sftp:{{ services.restic.user }}@{{ services.restic.domain }}:{{ services.restic.repository }}"
|
||||||
RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}"
|
RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}"
|
||||||
TZ: Europe/copenhagen
|
TZ: Europe/copenhagen
|
||||||
|
volumes:
|
||||||
|
- "{{ services.restic.volume_folder }}/ssh:/run/secrets/.ssh:ro"
|
||||||
|
|
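Review bot: The new "Copy private SSH key" task writes `restic_secrets.ssh_privkey` through `content:` without `no_log: true`, so the key material can end up in Ansible output when the play runs with `--diff` or extra verbosity, and in any CI log that captures it. Add `no_log: true` to that task; the public-key task does not need it. The same `ssh/` directory is mounted read-only at `/run/secrets/.ssh` for both the restic and restic-prune services in the later hunks; whether the image actually loads keys (and a `known_hosts`) from that path is not visible here, so confirm it against the image's documentation before relying on it.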
It's probably correct, judging by what most containers do, but we could confirm that it's running as root.
It's also possible with this location, since
mode: '0700'
denies read permission for everyone else.