From da532aa8afa19e1f4586dd1fe782cc1c9fa489be Mon Sep 17 00:00:00 2001
From: Gabriel Arazas
Date: Sat, 19 Mar 2022 12:19:38 +0800
Subject: [PATCH] Create borg service role
---
roles/system/borg/files/borgmatic.service | 36 +++++++++++++++++++++++
roles/system/borg/files/borgmatic.timer | 10 +++++++
roles/system/borg/tasks/main.yml | 25 ++++++++++++++++
3 files changed, 71 insertions(+)
create mode 100644 roles/system/borg/files/borgmatic.service
create mode 100644 roles/system/borg/files/borgmatic.timer
create mode 100644 roles/system/borg/tasks/main.yml
diff --git a/roles/system/borg/files/borgmatic.service b/roles/system/borg/files/borgmatic.service
new file mode 100644
index 0000000..f35d21f
--- /dev/null
+++ b/roles/system/borg/files/borgmatic.service
@@ -0,0 +1,36 @@
+[Unit]
+Description=Backup to external archive
+Documentation=https://www.borgbackup.org/ https://torsion.org/borgmatic/ man:borg(1)
+
+[Service]
+LockPersonality=true
+MemoryDenyWriteExecute=no
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
+
+Nice=19
+CPUSchedulingPolicy=batch
+IOSchedulingClass=best-effort
+IOSchedulingPriority=7
+IOWeight=100
+Restart=no
+LogRateLimitIntervalSec=0
+
+ExecStartPre=sleep 1m
+ExecStart=systemd-inhibit --who="borgmatic" --why="Prevent interrupting scheduled backup" /usr/bin/borgmatic --verbosity -1 --syslog-verbosity 1
diff --git a/roles/system/borg/files/borgmatic.timer b/roles/system/borg/files/borgmatic.timer
new file mode 100644
index 0000000..bf56ef2
--- /dev/null
+++ b/roles/system/borg/files/borgmatic.timer
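Review bot: The [Service] section of borgmatic.service sets neither `User=` nor `ProtectSystem=`/`ProtectHome=`, so the job runs as root with the whole filesystem writable, despite the other sandboxing directives. A backup run mostly needs read access, so `ProtectSystem=full` would limit what a misbehaving hook or a compromised borgmatic process can modify. A stricter option is `ProtectSystem=strict` with `ReadWritePaths=` listing the repository and borg's cache and config directories. `MemoryDenyWriteExecute=no` is the only hardening directive explicitly switched off. A one-line comment naming the borgmatic feature that needs it off would keep a later reader from treating it as an oversight.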
@@ -0,0 +1,10 @@
+[Unit]
+Description=Run borgmatic backup
+Documentation=https://www.borgbackup.org/ https://torsion.org/borgmatic/ man:borg(1)
+
+[Timer]
+OnCalendar=daily
+Persistent=true
+
+[Install]
+WantedBy=timers.target
diff --git a/roles/system/borg/tasks/main.yml b/roles/system/borg/tasks/main.yml
new file mode 100644
index 0000000..c5f1dc6
--- /dev/null
+++ b/roles/system/borg/tasks/main.yml
@@ -0,0 +1,25 @@
+---
+- name: Install backup tools
+ dnf:
+ state: present
+ name:
+ - borgbackup
+ - borgmatic
+
+- name: Add the borgmatic service
+ copy:
+ src: "{{ role_path }}/files/borgmatic.service"
+ dest: /etc/systemd/system/borgmatic.service
+ setype: systemd_unit_file_t
+
+- name: Add the borgmatic timer
+ copy:
+ src: "{{ role_path }}/files/borgmatic.timer"
+ dest: /etc/systemd/system/borgmatic.timer
+ setype: systemd_unit_file_t
+
+- name: Enable the backup service schedule
+ service:
+ state: started
+ name: borgmatic.timer
+ enabled: yes
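Review bot: Both `copy` tasks in tasks/main.yml write unit files into /etc/systemd/system without `owner`, `group` or `mode`, so the resulting permissions depend on the remote umask. A unit file that ends up group- or world-writable would let another local account change what systemd runs as root. Adding `owner: root`, `group: root` and `mode: "0644"` to each task pins this. Separately, nothing in the role triggers a systemd daemon reload after the files change, so an edited borgmatic.service would presumably not take effect until the next reload. Switching the last task to the `systemd` module with `daemon_reload: yes` would cover that.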