Feat: borgmatic on boot works in molecule

This commit is contained in:
Bertrand Benjamin 2022-03-13 11:20:57 +01:00
parent a4688b6f99
commit c23bebed74
4 changed files with 12 additions and 50 deletions

View File

@ -9,8 +9,8 @@ Role Variables
Available variables are listed below, along with default values (see defaults/main.yml):
borg_source_directories
borg_repositories
borg_source_directories # list of folder to backup
borg_repository # list of repositories
Dependencies
------------

View File

@ -48,7 +48,7 @@
src: borgmatic.service.j2
dest: "/lib/systemd/system/borgmatic_{{ borgmatic_name }}.service"
mode: 644
notify: reload systemd
notify: "reload systemd"
- name: copy systemd timer for executing borgmatic after boot
template:
@ -56,7 +56,12 @@
dest: "/lib/systemd/system/borgmatic_{{ borgmatic_name }}.timer"
notify: "reload systemd"
- name: disable service
systemd:
name: "borgmatic_{{ borgmatic_name }}.service"
enabled: no
- name: enable timer
systemd:
name: "borgmatic_{{ borgmatic_name }}"
name: "borgmatic_{{ borgmatic_name }}.timer"
enabled: yes

View File

@ -1,5 +1,5 @@
[Unit]
Description=Run borgmatic {{ borgmatic_name }}backup
Description=Run borgmatic {{ borgmatic_name }} backup
[Timer]
OnBootSec=2min

View File

@ -1,56 +1,13 @@
{{ ansible_managed | comment }}
[Unit]
Description=borgmatic backup
Description=borgmatic {{ borgmatic_name }}backup
Wants=network-online.target
After=network-online.target
[Service]
Type=oneshot
# Security settings for systemd running as root, optional but recommended to improve security. You
# can disable individual settings if they cause problems for your use case. For more details, see
# the systemd manual: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
LockPersonality=true
# Certain borgmatic features like Healthchecks integration need MemoryDenyWriteExecute to be off.
# But you can try setting it to "yes" for improved security if you don't use those features.
MemoryDenyWriteExecute=no
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
# To restrict write access further, change "ProtectSystem" to "strict" and uncomment
# "ReadWritePaths", "ReadOnlyPaths", "ProtectHome", and "BindPaths". Then add any local repository
# paths to the list of "ReadWritePaths" and local backup source paths to "ReadOnlyPaths". This
# leaves most of the filesystem read-only to borgmatic.
ProtectSystem=full
# ReadWritePaths=-/mnt/my_backup_drive
# ReadOnlyPaths=-/var/lib/my_backup_source
# This will mount a tmpfs on top of /root and pass through needed paths
# ProtectHome=tmpfs
# BindPaths=-/root/.cache/borg -/root/.cache/borg -/root/.borgmatic
# May interfere with running external programs within borgmatic hooks.
CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
Restart=no
# Prevent rate limiting of borgmatic log events. If you are using an older version of systemd that
# doesn't support this (pre-240 or so), you may have to remove this option.
LogRateLimitIntervalSec=0
# Delay start to prevent backups running during boot. Note that systemd-inhibit requires dbus and
# dbus-user-session to be installed.
ExecStartPre=/usr/bin/sleep 1m
ExecStart=/usr/bin/systemd-inhibit --who="borgmatic" --why="Prevent interrupting scheduled backup" /usr/bin/borgmatic -c {{ borgmatic_config_file }} --verbosity -1 --syslog-verbosity 1
ExecStart=/usr/bin/systemd-inhibit --who="borgmatic {{ borgmatic_name }}" --why="Prevent interrupting scheduled backup" /usr/bin/borgmatic -c {{ borgmatic_config_file }} --verbosity -1 --syslog-verbosity 1