Update backup script to use restic

2025-01-19 12:43:10 -06:00 · 2025-01-19 12:43:10 -06:00 · f3520c10ae
commit f3520c10ae
parent f8be177789
6 changed files with 48 additions and 8 deletions
--- a/inventories/production/group_vars/all.yml
+++ b/inventories/production/group_vars/all.yml
@ -29,6 +29,13 @@ adminuser_ssh_authorized_keys:
  - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKwcV0mKhhQveIOjFKwt01S8WVtOn3Pfz6qa2P4/JR7S salt@lap-s76-lemp13-0.ws.mgmt.desu.ltd

 # For backups
+backup_restic_password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          65623036653432326435353932623037626532316631613763623237323533363938363462316237
+          6363613363346239666630323134643866653436633537300a663732363565383061326135656539
+          33313334656330366632613334366664613366313631363964373038396636623735633830386336
+          3230316663373966390a663732373134323561313633363435376263643834383739643739303761
+          62376231353936333666613661323864343439383736386636356561636463626266
 backup_s3_bucket: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          66316231643933316261303631656432376339663264666661663634616465326537303331626634
--- a/playbooks/prod_web.yml
+++ b/playbooks/prod_web.yml
@ -3,7 +3,7 @@
 # Webservers
 ---
 - hosts: vm-general-1.ashburn.mgmt.desu.ltd
-  gather_facts: no
+  #gather_facts: no
  module_defaults:
    docker_container:
      restart_policy: unless-stopped
--- a/roles/backup/tasks/main.yml
+++ b/roles/backup/tasks/main.yml
@ -1,12 +1,27 @@
 #!/usr/bin/env ansible-playbook
 # vim:ft=ansible:
 ---
+  # Install restic if we can
+- name: install restic
+  block:
+    - name: install restic through apt
+      ansible.builtin.apt: name=restic state=present
+      when: ansible_pkg_mgr == "apt"
+  # The script
 - name: template out backup script
  ansible.builtin.template: src={{ backup_script }}.sh dest=/opt/backup.sh mode=0700 owner=root group=root
+  # Some restic-specific stuff
+- name: template out restic password file
+  ansible.builtin.template: src={{ backup_script }}-password dest=/opt/restic-password mode=0700 owner=root group=root
+- name: template out restic wrapper
+  ansible.builtin.template: src=restic-wrapper.sh dest=/opt/restic-wrapper mode=0700 owner=root group=root
+  # An analyzer for... reasons?
 - name: template out analyze script
  ansible.builtin.template: src={{ backup_script }}-analyze.sh dest=/opt/analyze.sh mode=0700 owner=root group=root
+  # This restore script doesn't even work???
 - name: template out restore script
  ansible.builtin.template: src={{ restore_script }}.sh dest=/opt/restore.sh mode=0700 owner=root group=root
+  # And service/timer definitions
 - name: configure systemd service
  ansible.builtin.template: src=backup.service dest=/etc/systemd/system/backup.service mode=0644
 - name: configure systemd timer
--- a/roles/backup/templates/restic-wrapper.sh
+++ b/roles/backup/templates/restic-wrapper.sh
@ -0,0 +1,6 @@
+#! /bin/sh
+exec nice -n 10 restic \
+	-r "s3:{{ backup_s3_aws_endpoint_url }}/{{ backup_s3_bucket }}/restic" \
+	-p /opt/restic-password \
+	--verbose \
+	"$@"
--- a/roles/backup/templates/s3backup-password
+++ b/roles/backup/templates/s3backup-password
@ -0,0 +1 @@
+{{ backup_restic_password }}
--- a/roles/backup/templates/s3backup.sh
+++ b/roles/backup/templates/s3backup.sh
@ -53,16 +53,22 @@ backup() {
 	dir="$1"
 	echo "- $dir"

-	nice -n 10 tar {{ backup_s3backup_tar_args }}{{ backup_s3backup_tar_args_extra }} \
+	if command -v restic > /dev/null 2>&1; then
+		/opt/restic-wrapper \
+			backup \
+			"$dir"
+	else
+		nice -n 10 tar {{ backup_s3backup_tar_args }}{{ backup_s3backup_tar_args_extra }} \
 	{% for item in backup_s3backup_exclude_list + backup_s3backup_exclude_list_extra %}
-		--exclude "{{ item }}" \
+			--exclude "{{ item }}" \
 	{% endfor %}
-		"$dir" \
-		| aws s3 cp --expected-size 274877906944 - \
+			"$dir" \
+			| aws s3 cp --expected-size 274877906944 - \
 {% if backup_s3_aws_endpoint_url is defined %}
-		--endpoint-url="{{ backup_s3_aws_endpoint_url }}" \
+			--endpoint-url="{{ backup_s3_aws_endpoint_url }}" \
 {% endif %}
-		"s3://{{ backup_s3_bucket }}/$HOSTNAME/$dir/$(date "+{{ backup_dateformat }}").tar.gz"
+			"s3://{{ backup_s3_bucket }}/$HOSTNAME/$dir/$(date "+{{ backup_dateformat }}").tar.gz"
+	fi
 }

 # Tar up all items in the backup list, recursively, and pipe them straight
@ -72,7 +78,12 @@ if [ -n "${DIRS[*]}" ]; then
 	for dir in "${DIRS[@]}"; do
 		echo "- $dir"
 	done
-	echo "Will ignore the following items:"
+	if command -v restic > /dev/null 2>&1; then
+		echo "An ignore list was specified, but restic was detected as the backup method."
+		echo "The following list of items WILL be backed up:"
+	else
+		echo "Will ignore the following items:"
+	fi
 	{% for item in backup_s3backup_exclude_list + backup_s3backup_exclude_list_extra %}
 	echo "- {{ item }}"
 	{% endfor %}