Add backup configuration (client and server) and some other updates

inventory_template/group_vars/backup_server.yml

@@ -6,3 +6,6 @@ public_key_backup_user_host: "{{ vault_public_key_backup_user_host }}"
 git_repositories:
   - https://git.example.org/user/template-repository.git
   - git@git.example.org:user/template-repository.git
+
+# Destination backup folder
+backup_folder: "/data"

playbook_backup_deploy.yml

@@ -0,0 +1,8 @@
+---
+- hosts: all,!backup_server
+  roles:
+    - backup_client
+
+- hosts: backup_server
+  roles:
+    - backup_server

playbook_backup_server_deploy.yml

@@ -1,4 +0,0 @@
----
-- hosts: backup_server
-  roles:
-    - backup_server

playbook_general_deploy.yml

@@ -9,6 +9,4 @@
     - client_tools
     - users_sudo
     - client_iptables
-    - munin-node
-    - munin-async
     - postfix

playbook_munin_deploy.yml

@@ -1,4 +1,9 @@
 ---
+- hosts: all
+  roles:
+    - munin-node
+    - munin-async
+
 - hosts: munin_server
   roles:
     - geerlingguy.munin

roles/backup_client/README.md

@@ -0,0 +1,70 @@
+Ansible Role: backup_client
+=========
+
+This role set up a GNU/Linux backup client.
+
+Requirements
+------------
+
+You need a valid postfix configuration on your host (to send email reports).
+
+Role Variables
+--------------
+
+All variables and default values are defined in `defaults/main.yml` :
+
+    # Name of the cron service and cron package (depends on your OS, can be cron, cronie, crond...)
+    cron_client_service_name: cron
+    cron_client_package: cron
+    
+    # Name of the Borkbackup package
+    borgbackup_package: borgbackup
+    
+    # Backup client folders to backup (separated with a space)
+    backup_client_folders_to_backup: ""
+    
+    # Folder to deploy backup client scripts
+    backup_scripts_folder: "/usr/local/sbin"
+    
+    # Backup client user and home directory
+    backup_client_user: "root"
+    backup_client_user_home: "/root"
+    
+    # Crontask backup client scheduling
+    backup_client_cron_weekday: "*"
+    backup_client_cron_hour: "1"
+    backup_client_cron_minute: "30"
+    
+    # Alias config file
+    aliases_config_file: "/etc/aliases"
+    
+    # User or email to send client backup scripts report
+    backup_client_mail_target: "root"
+    
+    # Compression parameters
+    backup_client_compression_param: "lzma,9"
+
+**NOTE :** this role will only configure backup client on host if `backup_client_folders_to_backup` is not empty.
+
+Dependencies
+------------
+
+None.
+
+Example Playbook
+----------------
+
+    - hosts: all
+      roles:
+        - backup_client
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+This role was created in 2020 by Nemo.
+

roles/backup_client/defaults/main.yml

@@ -0,0 +1,33 @@
+---
+# defaults file for backup_client
+
+# Name of the Cron service and cron package (depends on your OS, can be cron, cronie, crond...)
+cron_client_service_name: cron
+cron_client_package: cron
+
+# Name of the Borkbackup package
+borgbackup_package: borgbackup
+
+# Backup client folders to backup (separated with a space)
+backup_client_folders_to_backup: ""
+
+# Folder to deploy backup client scripts
+backup_client_scripts_folder: "/usr/local/sbin"
+
+# Backup client user and home directory
+backup_client_user: "root"
+backup_client_user_home: "/root"
+
+# Crontask backup client scheduling
+backup_client_cron_weekday: "*"
+backup_client_cron_hour: "1"
+backup_client_cron_minute: "30"
+
+# Alias config file
+aliases_config_file: "/etc/aliases"
+
+# User or email to send client backup scripts report
+backup_client_mail_target: "root"
+
+# Compression parameters
+backup_client_compression_param: "lzma,9"

roles/backup_client/handlers/main.yml

@@ -0,0 +1,11 @@
+---
+# handlers file for backup_client
+
+- name: "restart cron"
+  service:
+    name: "{{ cron_service_name }}"
+    enabled: yes
+    state: restarted
+
+- name: update aliases
+  command: postalias {{ aliases_config_file }}

roles/backup_client/meta/main.yml

@@ -0,0 +1,26 @@
+galaxy_info:
+  author: nemo
+  description: Set up backup client for GNU/Linux.
+  company: Wirebrass
+
+  license: license (BSD)
+
+  min_ansible_version: 2.4
+
+  platforms:
+    - name: Debian
+      versions:
+        - stretch
+        - buster
+    - name: Gentoo
+      versions:
+        - all
+
+  galaxy_tags:
+    - backup
+    - borgbackup
+    - system
+    - server
+    - auto
+
+dependencies: []

roles/backup_client/tasks/aliases.yml

@@ -0,0 +1,8 @@
+---
+- name: Update mail aliases.
+  lineinfile:
+    dest: "{{ aliases_config_file }}"
+    line: "{{ backup_client_user }}: {{ backup_client_mail_target }}"
+    regexp: "^{{ backup_client_user }}:"
+  when: backup_client_mail_target != backup_client_user and backup_client_folders_to_backup != ""
+  notify: update aliases

roles/backup_client/tasks/crontask.yml

@@ -0,0 +1,12 @@
+---
+- name: Backup client crontask configured
+  cron:
+    name: "Backup client"
+    user: "{{ backup_client_user }}"
+    weekday: "{{ backup_client_cron_weekday }}"
+    hour: "{{ backup_client_cron_hour }}"
+    minute: "{{ backup_client_cron_minute }}"
+    job: "{{ backup_client_scripts_folder }}/backup.sh"
+  when: backup_client_folders_to_backup != ""
+  notify: restart cron
+

roles/backup_client/tasks/main.yml

@@ -0,0 +1,18 @@
+---
+# Main tasks file for backup_server
+
+- name: Include OS-specific variables.
+  include_vars: "{{ ansible_os_family }}.yml"
+
+- import_tasks: user_backup.yml
+  when: backup_client_folders_to_backup != ""
+- import_tasks: package.yml
+  when: backup_client_folders_to_backup != ""
+- import_tasks: script.yml
+  when: backup_client_folders_to_backup != ""
+- import_tasks: crontask.yml
+  when: backup_client_folders_to_backup != ""
+- import_tasks: aliases.yml
+  when: backup_client_folders_to_backup != ""
+- import_tasks: server.yml
+  when: "'backup_server' not in group_names and backup_client_folders_to_backup != \"\""

roles/backup_client/tasks/package.yml

@@ -0,0 +1,13 @@
+---
+- name: Cron installed
+  package:
+    name: "{{ cron_package }}"
+    state: present
+  when: backup_client_folders_to_backup != ""
+  notify: restart cron
+
+- name: BorgBackup installed
+  package:
+    name: "{{ borgbackup_package }}"
+    state: present
+  when: backup_client_folders_to_backup != ""

roles/backup_client/tasks/script.yml

@@ -0,0 +1,10 @@
+---
+- name: Deploy client backup script
+  template:
+    src: backup.sh.j2
+    dest: "{{ backup_client_scripts_folder }}/backup.sh"
+    owner: "{{ backup_client_user }}"
+    group: "{{ backup_client_user }}"
+    mode: '0740'
+  when: backup_client_folders_to_backup != ""
+

roles/backup_client/tasks/server.yml

@@ -0,0 +1,30 @@
+---
+- name: "Read backup SSH pubkey and register"
+  slurp:
+   src: "{{ backup_client_user_home }}/.ssh/id_rsa.pub"
+  register: ssh_backup_pubkey
+
+- name: "Backup user created on backup server"
+  user:
+    name: "backup-{{ inventory_hostname_short }}"
+    create_home: yes
+  delegate_to: "{{ item }}"
+  loop: "{{ groups['backup_server'] }}"
+
+- name: "Backup directory created on backup server"
+  file:
+    path: "{{ hostvars[item]['backup_folder'] }}/{{ inventory_hostname_short }}"
+    owner: "backup-{{ inventory_hostname_short }}"
+    group: "backup-{{ inventory_hostname_short }}"
+    mode: "0700"
+    state: directory
+  delegate_to: "{{ item }}"
+  loop: "{{ groups['backup_server'] }}"
+
+- name: "Authorized key defined for backup user on backup server"
+  authorized_key:
+    user: "backup-{{ inventory_hostname_short }}"
+    state: present
+    key: "{{ ssh_backup_pubkey['content'] | b64decode }}"
+  delegate_to: "{{ item }}"
+  loop: "{{ groups['backup_server'] }}"

roles/backup_client/tasks/user_backup.yml

@@ -0,0 +1,6 @@
+---
+- name: "Client backup user created"
+  user:
+    name: "{{ backup_client_user }}"
+    generate_ssh_key: yes
+  when: backup_client_folders_to_backup != ""

roles/backup_client/templates/backup.sh.j2

@@ -0,0 +1,21 @@
+#!/bin/bash
+{% for backup_serv in groups['backup_server'] %}
+
+# Check if {{ backup_serv }} is a known host
+grep {{ backup_serv }} ~/.ssh/known_hosts &> /dev/null
+if [ ! $? -eq 0 ]; then
+	ssh-keygen -F {{ backup_serv }} || ssh-keyscan {{ backup_serv }} >>~/.ssh/known_hosts
+fi
+
+borg list backup-$(hostname -s)@{{ backup_serv }}:{{ hostvars[backup_serv]['backup_folder'] }}/$(hostname -s) &>/dev/null
+
+if [ $? -ne 0 ]
+then
+    ssh backup-$(hostname -s)@{{ backup_serv }} mkdir -p {{ hostvars[backup_serv]['backup_folder'] }}/$(hostname -s) -m 0700
+    export BORG_PASSPHRASE=""
+    borg init --encryption=repokey backup-$(hostname -s)@{{ backup_serv }}:{{ hostvars[backup_serv]['backup_folder'] }}/$(hostname -s)
+fi
+
+borg prune -v backup-$(hostname -s)@{{ backup_serv }}:{{ hostvars[backup_serv]['backup_folder'] }}/$(hostname -s) --keep-daily=7 --keep-weekly=4 --keep-monthly=1
+borg create --info --stats --compression {{ backup_client_compression_param }} backup-$(hostname -s)@{{ backup_serv }}:{{ hostvars[backup_serv]['backup_folder'] }}/$(hostname -s)::$(date +%F) $(find {{ backup_client_folders_to_backup }} -maxdepth 1 -type d | grep -Ev '^/$|^/tmp|^/lost\+found|^/run|^/proc|^/dev|^/sys' | tr '\n' ' ')
+{% endfor %}

roles/backup_client/vars/Debian.yml

@@ -0,0 +1,4 @@
+---
+cron_service_name: cron
+cron_package: cron
+aliases_config_file: /etc/aliases

roles/backup_client/vars/Gentoo.yml

@@ -0,0 +1,4 @@
+---
+cron_service_name: cronie
+cron_package: cronie
+aliases_config_file: /etc/mail/aliases

roles/backup_client/vars/RedHat.yml

@@ -0,0 +1,4 @@
+---
+cron_service_name: crond
+cron_package: cronie
+aliases_config_file: /etc/aliases

roles/backup_server/tasks/aliases.yml

@@ -4,4 +4,5 @@
     dest: "{{ aliases_config_file }}"
     line: "{{ backup_user_git }}: {{ backup_git_mail_target }}"
     regexp: "^{{ backup_user_git }}:"
+  when: backup_user_git != backup_git_mail_target
   notify: update aliases

roles/postfix/tasks/main.yml

@@ -12,6 +12,7 @@
     dest: "{{ aliases_config_file }}"
     line: "root: {{ alias_email }}"
     regexp: "^root:"
+  when: alias_email != "root"
   notify: update aliases
 
 - name: Update Postfix configuration.