Create borg service role

This commit is contained in:
Gabriel Arazas 2022-03-19 12:19:38 +08:00
parent 4af9c46e37
commit da532aa8af
3 changed files with 71 additions and 0 deletions
roles/system/borg


@ -0,0 +1,36 @@
[Unit]
Description=Backup to external archive
Documentation=https://www.borgbackup.org/ https://torsion.org/borgmatic/ man:borg(1)
[Service]
LockPersonality=true
MemoryDenyWriteExecute=no
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
Nice=19
CPUSchedulingPolicy=batch
IOSchedulingClass=best-effort
IOSchedulingPriority=7
IOWeight=100
Restart=no
LogRateLimitIntervalSec=0
ExecStartPre=sleep 1m
ExecStart=systemd-inhibit --who="borgmatic" --why="Prevent interrupting scheduled backup" /usr/bin/borgmatic --verbosity -1 --syslog-verbosity 1
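Review bot: The [Service] section never sets `ProtectSystem=` or `ReadWritePaths=`, so despite the long sandbox list above `CapabilityBoundingSet=` the job — which runs as root, since no `User=` is given — keeps write access to the entire filesystem, which is far wider than a backup that only needs to read its sources and write its cache and repository. A practical tightening is `ProtectSystem=strict` plus `ReadWritePaths=/root/.cache/borg /root/.config/borg` (extended with the repository path if it is local); borg's cache and key/security state live under those directories, so anything else stays read-only to the unit. `CAP_NET_RAW` in `CapabilityBoundingSet=` also deserves a justifying comment: borg over SSH does not need raw sockets, and nothing in this role visibly does (a ping-style health-check hook would be the usual reason), so if nothing uses it the tighter line is `CapabilityBoundingSet=CAP_DAC_READ_SEARCH`. Note that `MemoryDenyWriteExecute=no` is the one hardening knob explicitly switched off here and has no comment saying why; if it is there for a specific borgmatic feature, say so next to it so it is not "fixed" later.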


@ -0,0 +1,10 @@
[Unit]
Description=Run borgmatic backup
Documentation=https://www.borgbackup.org/ https://torsion.org/borgmatic/ man:borg(1)
[Timer]
OnCalendar=daily
Persistent=true
[Install]
WantedBy=timers.target


@ -0,0 +1,25 @@
---
- name: Install backup tools
dnf:
state: present
name:
- borgbackup
- borgmatic
- name: Add the borgmatic service
copy:
src: "{{ role_path }}/files/borgmatic.service"
dest: /etc/systemd/system/borgmatic.service
setype: systemd_unit_file_t
- name: Add the borgmatic timer
copy:
src: "{{ role_path }}/files/borgmatic.timer"
dest: /etc/systemd/system/borgmatic.timer
setype: systemd_unit_file_t
- name: Enable the backup service schedule
service:
state: started
name: borgmatic.timer
enabled: yes
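Review bot: The two `copy` tasks install unit files into /etc/systemd/system without `owner`, `group` or `mode`, so the resulting permissions depend on the remote umask and whatever the source files carry, and there is no `daemon-reload` anywhere in the play, so a later edit to borgmatic.service that is re-copied will not take effect until systemd is reloaded by something else. Pin the files to `root:root` `0644` (a unit file that ends up group- or world-writable is a root code-execution path, since this service runs as root) and switch the final task to the `systemd` module with `daemon_reload: true` so the freshly copied units are always the ones systemd loads. The `setype` lines are fine as they are and should stay.

```yaml
- name: Add the borgmatic service
  copy:
    src: "{{ role_path }}/files/borgmatic.service"
    dest: /etc/systemd/system/borgmatic.service
    owner: root
    group: root
    mode: "0644"
    setype: systemd_unit_file_t
# … unchanged: timer copy task, given the same owner/group/mode …
- name: Enable the backup service schedule
  systemd:
    daemon_reload: true
    state: started
    name: borgmatic.timer
    enabled: yes
```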