Ansible role for Restic

This role sets up Restic backups on a Debian/Ubuntu machine using a systemd service and timer.

It supports an S3 backend or an SFTP backend; for SFTP it also sets up the SSH config and the SSH private key (see the variables below).

Role Variables

Restic installation

The role downloads the restic binary (version restic_version) and installs it into restic_path if that file does not already exist.

To force the installation, i.e. to overwrite the binary or update restic, run ansible with --extra-vars restic_install=true.

Restic configuration

  • restic_arch: architecture of the restic binary (e.g. linux_amd64; see the architecture notes below)
  • restic_version: version of the restic binary to download (e.g. 0.9.6)
  • restic_user: user to run restic as (root)
  • restic_user_home: home directory of the restic_user (/root)
  • restic_password: password used for repository encryption
  • restic_repository_name: the name of the repository (restic)
  • restic_check: run restic check as ExecStartPre if true (false)
  • restic_default_folders: a default list of folders that restic will back up (/etc/, /root and /var/log)
  • restic_folders: the list of folders you want to back up
  • restic_dump_compression_enabled: enable piping database dumps through pigz

Each folder has a path and an exclude property (which defaults to empty). The exclude property is the literal argument string passed to restic (example: --exclude .cache --exclude .local).

restic_default_folders and restic_folders are combined to form the final list of backed-up folders.

  • restic_databases: a list of databases to dump

Each database has a name property, which becomes the file name of the restic snapshot ({{ database.name }}.sql), and a dump_command property, which is the command that dumps the database to stdout (for example mysqldump dbname).

  • restic_forget: run restic forget as ExecStartPost with --keep-within {{ restic_forget_keep_within }} (true)
  • restic_forget_keep_within: period of time to use with --keep-within (30d)
  • restic_prune: run restic prune as ExecStartPost (true)
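To make the interaction of the folder, database, forget and prune variables concrete, here is an added example that is not the role's own template: a bash script that performs, in dry-run mode, the same sequence this README describes for the generated service (optional restic check first, one restic backup per folder with the literal exclude string, one stdin backup per database dump, then restic forget --keep-within and restic prune). The RESTIC_BIN, DRY_RUN and RESTIC_PASSWORD_FILE names, the "|"-separated entries and the .gz suffix on compressed dumps are assumptions of this script; the folder and database values are constructed samples.

```shell
#!/usr/bin/env bash
# Added example, not the role's own template: what restic-backup.service is
# described as doing, written as a script. Set DRY_RUN=0 to execute for real.
set -euo pipefail   # pipefail: a failing dump must fail the unit, not produce a truncated snapshot

RESTIC_BIN="${RESTIC_BIN:-restic}"      # assumption: the binary the role installs is on PATH
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print the commands instead of executing them

# Constructed sample values standing in for the role variables.
export RESTIC_REPOSITORY="sftp:backup:restic"          # restic_ssh_host + restic_repository_name
export RESTIC_PASSWORD_FILE="/root/.restic-password"   # assumed file holding restic_password (never on the command line)
RUN_CHECK=0            # restic_check
RUN_FORGET=1           # restic_forget
KEEP_WITHIN="30d"      # restic_forget_keep_within
RUN_PRUNE=1            # restic_prune
DUMP_COMPRESSION=1     # restic_dump_compression_enabled

# Folders as "path|exclude"; exclude is the literal argument string from the README.
FOLDERS=(
  "/etc/|" "/root|" "/var/log|"                   # restic_default_folders
  "/srv|--exclude .cache --exclude .local"        # restic_folders
)
# Databases as "name|dump_command".
DATABASES=(
  "website|sudo -Hiu postgres pg_dump -Fc website"
  "website2|mysqldump website2"
)

run() {   # print or execute a command, depending on DRY_RUN
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

backup_folder() {   # $1 = path, $2 = literal exclude arguments
  # $2 is deliberately unquoted: the README passes it to restic as-is, so it is word-split here.
  # shellcheck disable=SC2086
  run "$RESTIC_BIN" backup "$1" $2
}

backup_database() {   # $1 = snapshot name, $2 = dump command (a shell string)
  local filename="$1.sql" filter=""
  if [ "$DUMP_COMPRESSION" = 1 ]; then filter="pigz"; filename="$1.sql.gz"; fi   # .gz suffix is an assumption
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s%s | %s backup --stdin --stdin-filename %s\n' "$2" "${filter:+ | $filter}" "$RESTIC_BIN" "$filename"
  elif [ -n "$filter" ]; then
    sh -c "$2" | "$filter" | "$RESTIC_BIN" backup --stdin --stdin-filename "$filename"
  else
    sh -c "$2" | "$RESTIC_BIN" backup --stdin --stdin-filename "$filename"
  fi
}

main() {
  local entry
  if [ "$RUN_CHECK" = 1 ]; then run "$RESTIC_BIN" check; fi                                  # ExecStartPre
  for entry in "${FOLDERS[@]}";   do backup_folder   "${entry%%|*}" "${entry#*|}"; done
  for entry in "${DATABASES[@]}"; do backup_database "${entry%%|*}" "${entry#*|}"; done
  if [ "$RUN_FORGET" = 1 ]; then run "$RESTIC_BIN" forget --keep-within "$KEEP_WITHIN"; fi   # ExecStartPost
  if [ "$RUN_PRUNE" = 1 ];  then run "$RESTIC_BIN" prune; fi
}

if [ "${1:-}" = "run" ]; then main; fi   # e.g. DRY_RUN=1 ./restic-backup.sh run
```

Two points the script makes explicit: the repository password is read from a file rather than passed as an argument, so it does not show up in process listings, and pipefail ensures a dump command that dies half-way fails the whole run instead of silently leaving a truncated snapshot that forget and prune would then happily keep.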

Hardware Architecture & Restic Versions

Restic supports a number of hardware architectures; the default is linux_amd64, but you can override it with the restic_arch variable.

To get the list of supported architectures, head to the Restic GitHub releases page: https://github.com/restic/restic/releases The assets section lists all available files; the architecture follows the version number and looks like linux_amd64, linux_arm64, linux_riscv64, etc. Not all versions support all architectures, so you may need to try a few to find one that works for you.

The restic version can also be overridden with the restic_version variable; it must be a valid version number from the Restic GitHub releases page that has a matching asset for the architecture of the system you are running it on.

SSH/SFTP backend configuration

The SSH configuration will be written in {{ restic_user_home }}/.ssh/config.

  • restic_ssh_host: backend name and SSH alias for the backup host
  • restic_ssh_user: user for SSH connection
  • restic_ssh_hostname: actual SSH hostname of the backup machine
  • restic_ssh_private_key: private SSH key used to connect to the backup host
  • restic_ssh_private_key_path: path of the private key to use (~/.ssh/backup)
  • restic_ssh_port: SSH port to use with the backup machine (23)
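As an added example (not one of the role's tasks), the following bash function writes the kind of SSH client entry the README describes into {{ restic_user_home }}/.ssh/config, with the file permissions ssh requires, and prints the sftp repository string that refers to the alias. All restic_ssh_* values are constructed samples, the key is a placeholder, the IdentitiesOnly line is an addition of this example, and the sftp:<restic_ssh_host>:<restic_repository_name> form is an assumption about how the role builds its repository URL.

```shell
#!/usr/bin/env bash
# Added example, not the role's own task: write the SSH client entry the README
# describes for {{ restic_user_home }}/.ssh/config, with the permissions ssh and
# restic need, and print the sftp repository string that refers to it.
# All restic_ssh_* values are constructed samples; the key is a placeholder.
set -euo pipefail

write_ssh_backend_config() {   # $1 = home directory of restic_user (explicit on purpose)
  local home="$1"
  local restic_ssh_host="backup"                          # backend name and SSH alias
  local restic_ssh_user="backupuser"
  local restic_ssh_hostname="storage-server.infra.tld"
  local restic_ssh_port="23"                              # README default
  local restic_ssh_private_key_path="$home/.ssh/backup"   # README default ~/.ssh/backup
  local restic_ssh_private_key="PLACEHOLDER-PRIVATE-KEY-KEPT-IN-ANSIBLE-VAULT"
  local restic_repository_name="restic"
  local old_umask

  old_umask="$(umask)"
  umask 077                                   # nothing created below is readable by group/other
  mkdir -p "$home/.ssh"
  printf '%s\n' "$restic_ssh_private_key" > "$restic_ssh_private_key_path"
  chmod 600 "$restic_ssh_private_key_path"    # ssh refuses keys with wider permissions
  cat > "$home/.ssh/config" <<EOF
Host $restic_ssh_host
    HostName $restic_ssh_hostname
    User $restic_ssh_user
    Port $restic_ssh_port
    IdentityFile $restic_ssh_private_key_path
    IdentitiesOnly yes
EOF
  chmod 600 "$home/.ssh/config"
  umask "$old_umask"

  # Assumption: the role points restic at sftp:<restic_ssh_host>:<restic_repository_name>,
  # so the Host alias above is what makes the backend resolve.
  printf 'sftp:%s:%s\n' "$restic_ssh_host" "$restic_repository_name"
}

# Usage: ./ssh-backend.sh demo /tmp/some-dir  (the target directory is mandatory so a
# stray invocation cannot overwrite the real ~/.ssh/config)
if [ "${1:-}" = "demo" ]; then write_ssh_backend_config "${2:?home dir to write into}"; fi
```

The alias is what ties the pieces together: restic only sees the repository string, and ssh resolves the alias to the real host, user, port and key. Because the key file is written under umask 077 and then chmod 600, the private key is never readable by other local users, even for the instant before chmod runs.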

S3 backend configuration

  • restic_ssh_enabled: set to false to disable the SFTP backend
  • restic_repository_name: set to the S3 endpoint + bucket in restic syntax (e.g. s3:https://s3.fr-par.scw.cloud/restic-bucket)
  • restic_aws_access_key_id: AWS_ACCESS_KEY_ID
  • restic_aws_secret_access_key: AWS_SECRET_ACCESS_KEY

Systemd service and timer

A restic-backup.service unit is created with all the parameters defined above. The service is of type oneshot and is triggered periodically by restic-backup.timer.

The timer is configurable as follows:

  • restic_systemd_timer_on_calender: defines the OnCalendar directive (*-*-* 03:00:00)
  • restic_systemd_timer_randomized_delay_sec: delay the timer by a random amount of time between 0 and the specified value (0)

See the systemd.timer documentation for more information.

You can see the logs of the backup with journalctl (journalctl -xefu restic-backup).

Example playbook

---

- hosts: myhost
  roles:
    - restic
  vars:
    restic_ssh_user: backupuser
    restic_ssh_hostname: storage-server.infra.tld
    restic_folders:
      - {path: "/srv"}
      - {path: "/var/www"}
    restic_databases:
      - {name: website, dump_command: sudo -Hiu postgres pg_dump -Fc website}
      - {name: website2, dump_command: mysqldump website2}
    restic_password: mysuperduperpassword
    restic_ssh_private_key: |-
      -----BEGIN OPENSSH PRIVATE KEY-----
      b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
      QyNTUxOQAAACAocs5g1I4kFQ1HH/YZiVU+zLhRDu4tfzZ9CmFAfKhL2AAAAJi02XEwtNlx
      MAAAAAtzc2gtZWQyNTUxOQAAACAocs5g1I4kFQ1HH/YZiVU+zLhRDu4tfzZ9CmFAfKhL2A
      AAAEADZf2Pv4G74x+iNtuwSV/ItnR3YQJ/KUaNTH19umA/tChyzmDUjiQVDUcf9hmJVT7M
      uFEO7i1/Nn0KYUB8qEvYAAAAE3N0YW5pc2xhc0BtYnAubG9jYWwBAg==
      -----END OPENSSH PRIVATE KEY-----

S3 example:

---

- hosts: myhost
  roles:
    - restic
  vars:
    restic_ssh_enabled: false
    restic_repository_name: "s3:https://s3.fr-par.scw.cloud/restic-bucket"
    restic_aws_access_key_id: xxxxx
    restic_aws_secret_access_key: xxxxx
    restic_folders:
      - {path: "/srv"}
      - {path: "/var/www"}
    restic_databases:
      - {name: website, dump_command: sudo -Hiu postgres pg_dump -Fc website}
      - {name: website2, dump_command: mysqldump website2}
    restic_password: mysuperduperpassword

Of course, restic_password, restic_ssh_private_key and the S3 credentials should be stored using ansible-vault rather than in plain text in the playbook.

License

MIT

Author Information