data.coop/ansible
8
3
Fork 7
Code Issues 49 Pull requests 9 Projects 1 Releases Wiki Activity

Use Fedder's TrueNAS for Restic backups #153

Merged
samsapti merged 8 commits from restic_fedder into main 2023-03-05 22:01:54 +00:00
Conversation 1 Commits 8 Files changed 5 +34 -6
2 changed files with 34 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files
Showing only changes of commit 3df4301513 - Show all commits

7
roles/docker/defaults/main.yml
View file

@ -49,9 +49,10 @@ services:
restic:
file: restic_backup.yml
user: "datacoop"
domain: "restic.cannedtuna.org"
repository: "datacoop-hevonen"
user: "dc-user"
domain: "rynkeby.skovgaard.tel"
volume_folder: "{{ volume_root_folder }}/restic"
repository: "/mnt/SpinningRust/data.coop-backup/restic"
ssh_pubkey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN1lNLshXytq+mx2LPzm8Neh/nrVqCR3iDXPONzBag9s restic@fedder
version: "1.6.0"
disabled_in_vagrant: true

33
roles/docker/tasks/services/restic_backup.yml
View file

@ -1,5 +1,29 @@
# vim: ft=yaml.ansible
---
- name: Create SSH directory
file:
name: "{{ services.restic.volume_folder }}/ssh"
owner: root
samsapti marked this conversation as resolved
reynir commented 2023-02-09 08:14:02 +00:00
Review
Copy link

It's probably correct seeing what most containers do, but we could confirm it's running as root.

It's probably correct seeing what most containers do, but we could confirm it's running as root.
samsapti commented 2023-02-11 17:41:57 +00:00
Review
Copy link

It's also possible with this location, since mode: '0700' denies read permission for everyone else.

It's also possible with this location, since `mode: '0700'` denies read permission for everyone else.
group: root
mode: '0700'
state: directory
- name: Copy private SSH key
copy:
dest: "{{ services.restic.volume_folder }}/ssh/id_ed25519"
owner: root
group: root
mode: '0600'
content: "{{ restic_secrets.ssh_privkey }}"
- name: Copy public SSH key
copy:
dest: "{{ services.restic.volume_folder }}/ssh/id_ed25519.pub"
owner: root
group: root
mode: '0644'
content: "{{ services.restic.ssh_pubkey }}"
- name: Setup restic backup
docker_compose:
project_name: restic_backup
@ -13,12 +37,12 @@
environment:
RUN_ON_STARTUP: "false"
BACKUP_CRON: "0 30 3 * * *"
RESTIC_REPOSITORY: "rest:https://{{ services.restic.user }}:{{ restic_secrets.user_password }}@{{ services.restic.domain }}/{{ services.restic.repository }}"
RESTIC_REPOSITORY: "sftp:{{ services.restic.user }}@{{ services.restic.domain }}:{{ services.restic.repository }}"
RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}"
RESTIC_BACKUP_SOURCES: "/mnt/volumes"
RESTIC_BACKUP_ARGS: >-
--tag datacoop-volumes
--exclude='*.tmp'
--exclude '*.tmp'
--verbose
RESTIC_FORGET_ARGS: >-
--keep-last 10
@ -27,6 +51,7 @@
--keep-monthly 12
TZ: Europe/Copenhagen
volumes:
- "{{ services.restic.volume_folder }}/ssh:/run/secrets/.ssh:ro"
- /docker-volumes:/mnt/volumes:ro
restic-prune:
@ -34,6 +59,8 @@
environment:
RUN_ON_STARTUP: "false"
PRUNE_CRON: "0 0 4 * * *"
RESTIC_REPOSITORY: "rest:https://{{ services.restic.user }}:{{ restic_secrets.user_password }}@{{ services.restic.domain }}/{{ services.restic.repository }}"
RESTIC_REPOSITORY: "sftp:{{ services.restic.user }}@{{ services.restic.domain }}:{{ services.restic.repository }}"
RESTIC_PASSWORD: "{{ restic_secrets.repository_password }}"
TZ: Europe/copenhagen
volumes:
- "{{ services.restic.volume_folder }}/ssh:/run/secrets/.ssh:ro"