From c23bebed74fdcd7bc23f2c92952075490d9f4b83 Mon Sep 17 00:00:00 2001
From: Bertrand Benjamin
Date: Sun, 13 Mar 2022 11:20:57 +0100
Subject: [PATCH] Feat: borgmatic on boot works in molecule

---
 roles/borgmatic/README.md                      |  4 +-
 roles/borgmatic/tasks/main.yml                 |  9 +++-
 .../templates/borgmatic.afterboot.timer.j2     |  2 +-
 .../borgmatic/templates/borgmatic.service.j2   | 47 +------------------
 4 files changed, 12 insertions(+), 50 deletions(-)

diff --git a/roles/borgmatic/README.md b/roles/borgmatic/README.md
index f3edb10..d7bc3ef 100644
--- a/roles/borgmatic/README.md
+++ b/roles/borgmatic/README.md
@@ -9,8 +9,8 @@ Role Variables
 Available variables are listed below, along with default values (see defaults/main.yml):
 
-    borg_source_directories
-    borg_repositories
+    borg_source_directories # list of folder to backup
+    borg_repository # list of repositories
 
 Dependencies
 ------------
diff --git a/roles/borgmatic/tasks/main.yml b/roles/borgmatic/tasks/main.yml
index c9587bf..f6db61e 100644
--- a/roles/borgmatic/tasks/main.yml
+++ b/roles/borgmatic/tasks/main.yml
@@ -48,7 +48,7 @@
     src: borgmatic.service.j2
     dest: "/lib/systemd/system/borgmatic_{{ borgmatic_name }}.service"
     mode: 644
-  notify: reload systemd
+  notify: "reload systemd"
 
 - name: copy systemd timer for executing borgmatic after boot
   template:
@@ -56,7 +56,12 @@
     dest: "/lib/systemd/system/borgmatic_{{ borgmatic_name }}.timer"
   notify: "reload systemd"
 
+- name: disable service
+  systemd:
+    name: "borgmatic_{{ borgmatic_name }}.service"
+    enabled: no
+
 - name: enable timer
   systemd:
-    name: "borgmatic_{{ borgmatic_name }}"
+    name: "borgmatic_{{ borgmatic_name }}.timer"
     enabled: yes
diff --git a/roles/borgmatic/templates/borgmatic.afterboot.timer.j2 b/roles/borgmatic/templates/borgmatic.afterboot.timer.j2
index 91ad378..dea5f20 100644
--- a/roles/borgmatic/templates/borgmatic.afterboot.timer.j2
+++ b/roles/borgmatic/templates/borgmatic.afterboot.timer.j2
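Review bot: The `mode: 644` kept as context on the service-unit template task is an unquoted YAML integer, which Ansible interprets as decimal 644 rather than octal 0644, so the unit file written under /lib/systemd/system ends up with unintended permission bits; quote it as `mode: "0644"`. The timer template task in the next hunk shows no `mode:` line among its visible lines, so it presumably falls back to the module default and the two tasks should be made consistent. The enclosing task starts before this hunk (its `template:` line is outside the view).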
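Review bot: The new "disable service" task and the corrected "enable timer" task only toggle enablement, so on an already-running host the timer is not started until the next reboot; if the role is meant to be effective immediately, add `state: started` to the timer task. Both `systemd` tasks also run before the `reload systemd` handler (handlers fire at the end of the play), so when the unit files were just changed they act on the stale loaded definitions; if that handler is a plain daemon-reload, adding `daemon_reload: yes` to the "enable timer" task avoids the ordering problem. The `.service` / `.timer` suffixes on the `name:` values are a real fix and worth keeping.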
@@ -1,5 +1,5 @@
 [Unit]
-Description=Run borgmatic {{ borgmatic_name }}backup
+Description=Run borgmatic {{ borgmatic_name }} backup
 
 [Timer]
 OnBootSec=2min
diff --git a/roles/borgmatic/templates/borgmatic.service.j2 b/roles/borgmatic/templates/borgmatic.service.j2
index 38719e4..9e67d74 100644
--- a/roles/borgmatic/templates/borgmatic.service.j2
+++ b/roles/borgmatic/templates/borgmatic.service.j2
@@ -1,56 +1,13 @@
 {{ ansible_managed | comment }}
 
 [Unit]
-Description=borgmatic backup
+Description=borgmatic {{ borgmatic_name }}backup
 Wants=network-online.target
 After=network-online.target
 
 [Service]
 Type=oneshot
 
-# Security settings for systemd running as root, optional but recommended to improve security. You
-# can disable individual settings if they cause problems for your use case. For more details, see
-# the systemd manual: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
-LockPersonality=true
-# Certain borgmatic features like Healthchecks integration need MemoryDenyWriteExecute to be off.
-# But you can try setting it to "yes" for improved security if you don't use those features.
-MemoryDenyWriteExecute=no
-NoNewPrivileges=yes
-PrivateDevices=yes
-PrivateTmp=yes
-ProtectClock=yes
-ProtectControlGroups=yes
-ProtectHostname=yes
-ProtectKernelLogs=yes
-ProtectKernelModules=yes
-ProtectKernelTunables=yes
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
-RestrictNamespaces=yes
-RestrictRealtime=yes
-RestrictSUIDSGID=yes
-SystemCallArchitectures=native
-SystemCallFilter=@system-service
-SystemCallErrorNumber=EPERM
-# To restrict write access further, change "ProtectSystem" to "strict" and uncomment
-# "ReadWritePaths", "ReadOnlyPaths", "ProtectHome", and "BindPaths". Then add any local repository
-# paths to the list of "ReadWritePaths" and local backup source paths to "ReadOnlyPaths". This
-# leaves most of the filesystem read-only to borgmatic.
-ProtectSystem=full
-# ReadWritePaths=-/mnt/my_backup_drive
-# ReadOnlyPaths=-/var/lib/my_backup_source
-# This will mount a tmpfs on top of /root and pass through needed paths
-# ProtectHome=tmpfs
-# BindPaths=-/root/.cache/borg -/root/.cache/borg -/root/.borgmatic
-
-# May interfere with running external programs within borgmatic hooks.
-CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
-
-Restart=no
-# Prevent rate limiting of borgmatic log events. If you are using an older version of systemd that
-# doesn't support this (pre-240 or so), you may have to remove this option.
-LogRateLimitIntervalSec=0
-
 # Delay start to prevent backups running during boot. Note that systemd-inhibit requires dbus and
 # dbus-user-session to be installed.
-ExecStartPre=/usr/bin/sleep 1m
-ExecStart=/usr/bin/systemd-inhibit --who="borgmatic" --why="Prevent interrupting scheduled backup" /usr/bin/borgmatic -c {{ borgmatic_config_file }} --verbosity -1 --syslog-verbosity 1
+ExecStart=/usr/bin/systemd-inhibit --who="borgmatic {{ borgmatic_name }}" --why="Prevent interrupting scheduled backup" /usr/bin/borgmatic -c {{ borgmatic_config_file }} --verbosity -1 --syslog-verbosity 1
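Review bot: Dropping the entire sandboxing block (NoNewPrivileges, ProtectSystem=full, CapabilityBoundingSet, SystemCallFilter, the Protect*/Private* directives) from a oneshot unit that runs borgmatic as root removes all of its defense-in-depth in one go, and the subject line only says the unit now "works in molecule" without naming which directive was failing; keep the block and relax only the offending directive, since the removed comments already single out MemoryDenyWriteExecute and CapabilityBoundingSet as the ones known to interfere with hooks and integrations. The new `Description=borgmatic {{ borgmatic_name }}backup` is missing the space before `backup` that the timer hunk fixes for the same string. The kept comment `# Delay start to prevent backups running during boot.` is now stale because `ExecStartPre=/usr/bin/sleep 1m` was removed; the delay presumably comes from the timer's `OnBootSec=2min`, so reword it to `# Start delay is provided by the timer (OnBootSec); systemd-inhibit requires dbus and dbus-user-session.`.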