add borg backup (#1727)

* add borg backup

* lint fix

* add exlclude patterns

* missed in the #1726 fix for honoroit

* feedback

* Fix indentation

* feedback

* feedback

* feedback

Co-authored-by: Slavi Pantaleev <slavi@devture.com>

roles/matrix-backup-borg/templates/config.yaml.j2

@@ -0,0 +1,32 @@
+#jinja2: lstrip_blocks: "True", trim_blocks: "True"
+
+location:
+  source_directories: {{ matrix_backup_borg_location_source_directories|to_json }}
+  repositories: {{ matrix_backup_borg_location_repositories|to_json }}
+  one_file_system: true
+  exclude_patterns: {{ matrix_backup_borg_location_exclude_patterns|to_json }}
+
+storage:
+  compression: {{ matrix_backup_borg_storage_compression }}
+  ssh_command: {{ matrix_backup_borg_storage_ssh_command }}
+  archive_name_format: '{{ matrix_backup_borg_storage_archive_name_format }}'
+  encryption_passphrase: {{ matrix_backup_borg_storage_encryption_passphrase }}
+
+retention:
+  keep_hourly: {{ matrix_backup_borg_retention_keep_hourly }}
+  keep_daily: {{ matrix_backup_borg_retention_keep_daily }}
+  keep_weekly: {{ matrix_backup_borg_retention_keep_weekly }}
+  keep_monthly: {{ matrix_backup_borg_retention_keep_monthly }}
+  keep_yearly: {{ matrix_backup_borg_retention_keep_yearly }}
+  prefix: '{{ matrix_backup_borg_retention_prefix }}'
+
+consistency:
+  checks:
+    - repository
+    - archives
+
+hooks:
+  after_backup:
+    - echo "Backup created."
+  on_error:
+    - echo "Error while creating a backup."

roles/matrix-backup-borg/templates/passwd.j2

@@ -0,0 +1,29 @@
+{# the passwd file with correct username, UID and GID is mandatory to work with borg over ssh, otherwise ssh connections will fail #}
+root:x:0:0:root:/root:/bin/ash
+bin:x:1:1:bin:/bin:/sbin/nologin
+daemon:x:2:2:daemon:/sbin:/sbin/nologin
+adm:x:3:4:adm:/var/adm:/sbin/nologin
+lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
+sync:x:5:0:sync:/sbin:/bin/sync
+shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
+halt:x:7:0:halt:/sbin:/sbin/halt
+mail:x:8:12:mail:/var/mail:/sbin/nologin
+news:x:9:13:news:/usr/lib/news:/sbin/nologin
+uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
+operator:x:11:0:operator:/root:/sbin/nologin
+man:x:13:15:man:/usr/man:/sbin/nologin
+postmaster:x:14:12:postmaster:/var/mail:/sbin/nologin
+cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
+ftp:x:21:21::/var/lib/ftp:/sbin/nologin
+sshd:x:22:22:sshd:/dev/null:/sbin/nologin
+at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
+squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
+xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
+games:x:35:35:games:/usr/games:/sbin/nologin
+cyrus:x:85:12::/usr/cyrus:/sbin/nologin
+vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
+ntp:x:123:123:NTP:/var/empty:/sbin/nologin
+smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
+guest:x:405:100:guest:/dev/null:/sbin/nologin
+{{ matrix_user_username }}:x:{{ matrix_user_uid }}:{{ matrix_user_gid }}:Matrix:/tmp:/bin/ash
+nobody:x:65534:65534:nobody:/:/sbin/nologin

roles/matrix-backup-borg/templates/sshkey.j2

@@ -0,0 +1 @@
+{{ matrix_backup_borg_ssh_key_private }}

roles/matrix-backup-borg/templates/systemd/matrix-backup-borg.service.j2

@@ -0,0 +1,58 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=Matrix Borg Backup
+{% for service in matrix_backup_borg_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+{% for service in matrix_backup_borg_systemd_wanted_services_list %}
+Wants={{ service }}
+{% endfor %}
+DefaultDependencies=no
+
+[Service]
+Type=oneshot
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
+ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-backup-borg 2>/dev/null'
+ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-backup-borg 2>/dev/null'
+ExecStartPre=-{{ matrix_host_command_docker }} run --rm --name matrix-backup-borg \
+			--log-driver=none \
+			--cap-drop=ALL \
+			--read-only \
+			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+			--network={{ matrix_docker_network }} \
+			--tmpfs=/tmp:rw,noexec,nosuid,size=100m \
+			--mount type=bind,src={{ matrix_backup_borg_config_path }}/passwd,dst=/etc/passwd,ro \
+			--mount type=bind,src={{ matrix_backup_borg_config_path }},dst=/etc/borgmatic.d,ro \
+			{% for source in matrix_backup_borg_location_source_directories %}
+			--mount type=bind,src={{ source }},dst={{ source }},ro \
+			{% endfor %}
+			{% for arg in matrix_backup_borg_container_extra_arguments %}
+			{{ arg }} \
+			{% endfor %}
+			{{ matrix_backup_borg_docker_image }} \
+			sh -c "borgmatic --init --encryption {{ matrix_backup_borg_encryption }}"
+
+ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-backup-borg \
+			--log-driver=none \
+			--cap-drop=ALL \
+			--read-only \
+			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+			--network={{ matrix_docker_network }} \
+			--tmpfs=/tmp:rw,noexec,nosuid,size=100m \
+			--mount type=bind,src={{ matrix_backup_borg_config_path }}/passwd,dst=/etc/passwd,ro \
+			--mount type=bind,src={{ matrix_backup_borg_config_path }},dst=/etc/borgmatic.d,ro \
+			{% for source in matrix_backup_borg_location_source_directories %}
+			--mount type=bind,src={{ source }},dst={{ source }},ro \
+			{% endfor %}
+			{% for arg in matrix_backup_borg_container_extra_arguments %}
+			{{ arg }} \
+			{% endfor %}
+			{{ matrix_backup_borg_docker_image }}
+
+ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-backup-borg 2>/dev/null'
+ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-backup-borg 2>/dev/null'
+SyslogIdentifier=matrix-backup-borg
+
+[Install]
+WantedBy=multi-user.target

roles/matrix-backup-borg/templates/systemd/matrix-backup-borg.timer.j2

@@ -0,0 +1,10 @@
+[Unit]
+Description=Matrix Borg Backup timer
+
+[Timer]
+Unit=matrix-backup-borg.service
+OnCalendar={{ matrix_backup_borg_schedule }}
+RandomizedDelaySec=2h
+
+[Install]
+WantedBy=timers.target