Create borg service role

roles/system/borg/files/borgmatic.service

@@ -0,0 +1,36 @@
+[Unit]
+Description=Backup to external archive
+Documentation=https://www.borgbackup.org/ https://torsion.org/borgmatic/ man:borg(1)
+
+[Service]
+LockPersonality=true
+MemoryDenyWriteExecute=no
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
+
+Nice=19
+CPUSchedulingPolicy=batch
+IOSchedulingClass=best-effort
+IOSchedulingPriority=7
+IOWeight=100
+Restart=no
+LogRateLimitIntervalSec=0
+
+ExecStartPre=sleep 1m
+ExecStart=systemd-inhibit --who="borgmatic" --why="Prevent interrupting scheduled backup" /usr/bin/borgmatic --verbosity -1 --syslog-verbosity 1

roles/system/borg/files/borgmatic.timer

@@ -0,0 +1,10 @@
+[Unit]
+Description=Run borgmatic backup
+Documentation=https://www.borgbackup.org/ https://torsion.org/borgmatic/ man:borg(1)
+
+[Timer]
+OnCalendar=daily
+Persistent=true
+
+[Install]
+WantedBy=timers.target

roles/system/borg/tasks/main.yml

@@ -0,0 +1,25 @@
+---
+- name: Install backup tools
+  dnf:
+    state: present
+    name:
+      - borgbackup
+      - borgmatic
+
+- name: Add the borgmatic service
+  copy:
+    src: "{{ role_path }}/files/borgmatic.service"
+    dest: /etc/systemd/system/borgmatic.service
+    setype: systemd_unit_file_t
+
+- name: Add the borgmatic timer
+  copy:
+    src: "{{ role_path }}/files/borgmatic.timer"
+    dest: /etc/systemd/system/borgmatic.timer
+    setype: systemd_unit_file_t
+
+- name: Enable the backup service schedule
+  service:
+    state: started
+    name: borgmatic.timer
+    enabled: yes