feat: adds borg, timers and systemd service support

2025-07-27 02:13:33 +02:00
parent 47221e5803
commit 4018399fd4
12 changed files with 535 additions and 62 deletions
--- a/config/ansible/templates/borg-backup.service.j2
+++ b/config/ansible/templates/borg-backup.service.j2
@@ -0,0 +1,31 @@
+[Unit]
+Description=Borg Backup Service
+After=network.target
+
+[Service]
+Type=oneshot
+User=root
+Group=root
+ExecStart={{ borg_config_dir }}/backup.sh
+StandardOutput=journal
+StandardError=journal
+Environment="BORG_PASSPHRASE={{ borg_passphrase }}"
+Environment="BORG_REPO={{ borg_repo_dir }}"
+Environment="BORG_CACHE_DIR={{ borg_config_dir }}/cache"
+Environment="BORG_CONFIG_DIR={{ borg_config_dir }}/config"
+Environment="BORG_SECURITY_DIR={{ borg_config_dir }}/security"
+Environment="BORG_KEYS_DIR={{ borg_config_dir }}/keys"
+
+# Security settings
+NoNewPrivileges=true
+PrivateTmp=true
+ProtectSystem=strict
+ReadWritePaths=/mnt/services /mnt/object_storage /var/log {{ borg_config_dir }}
+ProtectHome=read-only
+ProtectControlGroups=true
+RestrictRealtime=true
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+
+[Install]
+WantedBy=multi-user.target
--- a/config/ansible/templates/borg-backup.sh.j2
+++ b/config/ansible/templates/borg-backup.sh.j2
@@ -0,0 +1,96 @@
+#!/bin/bash
+
+# Borg backup script for /mnt/services
+# This script creates incremental backups of the services directory
+
+# Set environment variables
+export BORG_REPO="{{ borg_repo_dir }}"
+export BORG_PASSPHRASE="{{ borg_passphrase }}"
+export BORG_CACHE_DIR="{{ borg_config_dir }}/cache"
+export BORG_CONFIG_DIR="{{ borg_config_dir }}/config"
+export BORG_SECURITY_DIR="{{ borg_config_dir }}/security"
+export BORG_KEYS_DIR="{{ borg_config_dir }}/keys"
+
+# Backup name with timestamp
+BACKUP_NAME="services-$(date +%Y%m%d-%H%M%S)"
+
+# Log function
+log() {
+    echo "$(date '+%Y-%m-%d %H:%M:%S') - $1" | tee -a /var/log/borg-backup.log
+}
+
+# Ensure all Borg directories exist
+mkdir -p "$BORG_CACHE_DIR"
+mkdir -p "$BORG_CONFIG_DIR"
+mkdir -p "$BORG_SECURITY_DIR"
+mkdir -p "$BORG_KEYS_DIR"
+
+# Start backup
+log "Starting Borg backup: $BACKUP_NAME"
+
+# Create backup
+borg create \
+    --verbose \
+    --filter AME \
+    --list \
+    --stats \
+    --show-rc \
+    --compression lz4 \
+    --exclude-caches \
+    --exclude '*.tmp' \
+    --exclude '*.temp' \
+    --exclude '*.log' \
+    --exclude '*/.cache' \
+    --exclude '*/cache' \
+    --exclude '*/logs' \
+    --exclude '*/tmp' \
+    --exclude '*/node_modules' \
+    --exclude '*/__pycache__' \
+    "::$BACKUP_NAME" \
+    {{ borg_backup_dir }}
+
+backup_exit=$?
+
+log "Backup finished with exit code: $backup_exit"
+
+# Prune old backups (keep last 7 daily, 4 weekly, 6 monthly)
+log "Pruning old backups"
+
+# Check if there are any archives to prune first
+archive_count=$(borg list --short --prefix 'services-' 2>/dev/null | wc -l)
+
+if [ "$archive_count" -gt 1 ]; then
+    borg prune \
+        --list \
+        --prefix 'services-' \
+        --show-rc \
+        --keep-daily 7 \
+        --keep-weekly 4 \
+        --keep-monthly 6
+    prune_exit=$?
+else
+    log "Only one or no archives found, skipping prune"
+    prune_exit=0
+fi
+
+log "Prune finished with exit code: $prune_exit"
+
+# Compact repository
+log "Compacting repository"
+borg compact
+
+compact_exit=$?
+
+log "Compact finished with exit code: $compact_exit"
+
+# Global exit status
+global_exit=$(( backup_exit > prune_exit ? backup_exit : prune_exit ))
+global_exit=$(( compact_exit > global_exit ? compact_exit : global_exit ))
+
+if [ $global_exit -eq 0 ]; then
+    log "Backup completed successfully"
+else
+    log "Backup completed with warnings or errors (exit code: $global_exit)"
+fi
+
+exit $global_exit
--- a/config/ansible/templates/borg-backup.timer.j2
+++ b/config/ansible/templates/borg-backup.timer.j2
@@ -0,0 +1,12 @@
+[Unit]
+Description=Run Borg Backup Daily
+Requires=borg-backup.service
+
+[Timer]
+# Run daily at 2 AM
+OnCalendar=daily
+Persistent=true
+RandomizedDelaySec=1800
+
+[Install]
+WantedBy=timers.target
--- a/config/ansible/templates/dynamic-dns-systemd.env.j2
+++ b/config/ansible/templates/dynamic-dns-systemd.env.j2
@@ -0,0 +1,12 @@
+# Dynamic DNS Environment Configuration for SystemD
+# This file contains sensitive credentials and should be kept secure
+# Credentials are automatically retrieved from OnePassword
+
+# CloudFlare API Token (required)
+# Retrieved from OnePassword: CloudFlare API Token
+CLOUDFLARE_API_TOKEN={{ lookup('community.general.onepassword', 'CloudFlare API Token', vault='Dotfiles', field='password') }}
+
+# Telegram Bot Credentials (for notifications when IP changes)
+# Retrieved from OnePassword: Telegram DynDNS Bot
+TELEGRAM_BOT_TOKEN={{ lookup('community.general.onepassword', 'Telegram DynDNS Bot', vault='Dotfiles', field='password') }}
+TELEGRAM_CHAT_ID={{ lookup('community.general.onepassword', 'Telegram DynDNS Bot', vault='Dotfiles', field='chat_id') }}
--- a/config/ansible/templates/dynamic-dns.env.j2
+++ b/config/ansible/templates/dynamic-dns.env.j2
@@ -1,12 +0,0 @@
-# Dynamic DNS Environment Configuration
-# This file contains sensitive credentials and should be kept secure
-# Credentials are automatically retrieved from OnePassword
-
-# CloudFlare API Token (required)
-# Retrieved from OnePassword: CloudFlare API Token
-export CLOUDFLARE_API_TOKEN="{{ lookup('community.general.onepassword', 'CloudFlare API Token', vault='Dotfiles', field='password') }}"
-
-# Telegram Bot Credentials (for notifications when IP changes)
-# Retrieved from OnePassword: Telegram DynDNS Bot
-export TELEGRAM_BOT_TOKEN="{{ lookup('community.general.onepassword', 'Telegram DynDNS Bot', vault='Dotfiles', field='password') }}"
-export TELEGRAM_CHAT_ID="{{ lookup('community.general.onepassword', 'Telegram DynDNS Bot', vault='Dotfiles', field='chat_id') }}"