snackpot.yml etc. - add borgmatic backup container

2023-04-04 11:52:08 +01:00
parent a6872077a9
commit 2d3d9217e8
8 changed files with 122 additions and 13 deletions
--- a/templates/appserver.service.j2
+++ b/templates/appserver.service.j2
@@ -0,0 +1,14 @@
+[Unit]
+Description=appserver
+Requires=docker.service
+After=docker.service
+
+[Service]
+Type=oneshot
+WorkingDirectory={{docker_compose_base_dir}}
+ExecStart={{docker_compose_cmd}} up -d --remove-orphans main-services
+ExecStop={{docker_compose_cmd}} down
+RemainAfterExit=true
+
+[Install]
+WantedBy=multi-user.target
--- a/templates/bin/backup
+++ b/templates/bin/backup
@@ -9,6 +9,6 @@ DC_DIR=/opt/docker-compose/

 cd $DC_DIR
 docker-compose down
-docker run --name borgmatic -T --rm borgmatic  /backup.sh
+docker-compose run --name borgmatic -T --rm borgmatic  /backup.sh
 docker-compose up -d main-services

--- a/templates/borg.service.j2
+++ b/templates/borg.service.j2
@@ -3,4 +3,4 @@ Description=Borg backups

 [Service]
 Type=oneshot
-ExecStart=/opt/docker/bin/backup
+ExecStart=/opt/docker-compose/bin/backup
--- a/templates/docker-compose/borgmatic/Dockerfile
+++ b/templates/docker-compose/borgmatic/Dockerfile
@@ -1,4 +1,4 @@
 FROM b3vis/borgmatic:latest-msmtp

-COPY backup.sh /backup.sh
+COPY --chmod=755 backup.sh /backup.sh

--- a/templates/docker-compose/docker-compose.yml
+++ b/templates/docker-compose/docker-compose.yml
@@ -17,6 +17,7 @@ volumes:
  minidlna_state:
  minidlna_data:
  mopidy_data:
+  borgmatic-cache:

 networks:
  # This is for proxied containers
@@ -95,6 +96,7 @@ services:
      - web.env
    depends_on:
      - nextcloud
+      - letsencrypt-companion
    networks:
      - proxy-tier
      - default
@@ -193,6 +195,67 @@ services:
        ipv4_address: 192.168.0.243
    restart: always

+  # a dummy container to start the main services as deps
+  # This allows the borgmatic image to be excluded when run as:
+  #      docker-compose up main-services
+  main-services: 
+    image: alpine:latest # a small dumy image 
+    command: sh -c "sleep infinity"
+    depends_on:
+      - nextcloud
+      - nextcloud_cron
+      - web
+      - jellyfin
+      - minidlna
+      - upmpdcli
+      
+  borgmatic:
+    build: ./borgmatic
+    restart: 'no' # This container is only run when required
+    depends_on: # These containers need to be up for dumps
+      - postgres
+    networks:
+      # Networks for DB access for backups
+      - default
+    volumes:
+      # Backup mount
+      - /mnt/c/backup/nick:/mnt/borg-repository
+      # Volumes to back up
+      - certs:/mnt/source/certs:ro
+      - nextcloud_data:/mnt/source/nextcloud_data:ro
+      - vhost.d:/mnt/source/vhost.d:ro
+      - html:/mnt/source/html:ro
+      - jellyfin_config:/mnt/source/jellyfin_config:ro
+      - minidlna_state:/mnt/source/minidlna_state:ro
+      - minidlna_data:/mnt/source/minidlna_data:ro
+      # System volumes
+      - /etc/timezone:/etc/timezone:ro             # timezone
+      - /etc/localtime:/etc/localtime:ro           # localtime
+      - borgmatic-cache:/root/.cache/borg  # non-volatile borg chunk cache
+      # Config volumes
+      - ./volumes/borgmatic-config:/etc/borgmatic.d/:ro # config.yaml, crontab.txt, mstmp.env
+      - ./volumes/borg-config:/root/.config/borg/ # borg encryption keys, other config written here
+      - ./volumes/borg-ssh-config:/root/.ssh/ # ssh keys; sshd writes knownhosts etc here
+
+    environment:
+      POSTGRES_USER: nextcloud
+      POSTGRES_DB: nextcloud
+      POSTGRES_HOST: postgres
+      BORG_ARCHIVE: nick
+      MAIL_RELAY_HOST: mail.noodlefactory.co.uk
+      MAIL_PORT: 25
+      MAIL_AUTH_METHOD: login
+      MAIL_STARTTLS: 'on'
+      MAIL_USER: nc.noodlefactory.co.uk
+      MAIL_FROM: borgmatic@snackpot.noodlefactory.co.uk
+      MAIL_TO: nick@noodlefactory.co.uk
+      MAIL_SUBJECT: Borgmatic Backup
+      # MAIL_PASSWORD is set via volumes/borgmatic-config/msmtp.env, created via ansible
+    env_file:
+      - ./borgmatic.env
+      # FIXME create backup service
+    
+
      # Next three services adapted from
 # https://github.com/deisi/audiostation/blob/master/docker-compose.yml
 # and https://github.com/IVData/dockerfiles/blob/master/mopidy-multiroom/docker-compose.yml
--- a/templates/docker-compose/volumes/borgmatic-config/config.yaml
+++ b/templates/docker-compose/volumes/borgmatic-config/config.yaml
@@ -16,7 +16,7 @@ location:
  # is used, then add local repository paths in the systemd
  # service file to the ReadWritePaths list.
  repositories:
-    - /mnt/c/backup/nick
+    - /mnt/borg-repository
 #    - ssh://${BORG_REPO_USER}@${BORG_REPO_HOST}:${BORG_REPO_PORT}/./${BORG_ARCHIVE}

  # Working directory for the "borg create" command. Tildes are
@@ -103,6 +103,7 @@ location:
    - '*#'
    - '.cache'
    - 'cache'
+    - 'files_trashbin'

  # Read exclude patterns from one or more separate named files,
  # one pattern per line. See the output of "borg help patterns"
@@ -451,18 +452,20 @@ hooks:
  # https://www.postgresql.org/docs/current/app-pgdump.html and
  # https://www.postgresql.org/docs/current/libpq-ssl.html for
  # details.
-  # postgresql_databases:
+  postgresql_databases:
    # Database name (required if using this hook). Or
    # "all" to dump all databases on the host. Note
    # that using this database hook implicitly enables
    # both read_special and one_file_system (see
    # above) to support dump and restore streaming.
    # - name: users
+    - name: ${POSTGRES_DB}

      # Database hostname to connect to. Defaults to
      # connecting via local Unix socket.
      # hostname: database.example.org
-
+      hostname: ${POSTGRES_HOST}
+      
      # Port to connect to. Defaults to 5432.
      # port: 5433

@@ -471,14 +474,16 @@ hooks:
      # You probably want to specify the "postgres"
      # superuser here when the database name is "all".
      # username: dbuser
-
+      username: ${POSTGRES_USER}
+      
      # Password with which to connect to the database.
      # Omitting a password will only work if PostgreSQL
      # is configured to trust the configured username
      # without a password or you create a ~/.pgpass
      # file.
      # password: trustsome1
-
+      password: ${POSTGRES_PASSWORD}
+      
      # Database dump output format. One of "plain",
      # "custom", "directory", or "tar". Defaults to
      # "custom" (unlike raw pg_dump). See pg_dump
@@ -518,30 +523,30 @@ hooks:
  # mysqldump/mysql commands (from either MySQL or MariaDB). See
  # https://dev.mysql.com/doc/refman/8.0/en/mysqldump.html or
  # https://mariadb.com/kb/en/library/mysqldump/ for details.
-  mysql_databases:
+  # mysql_databases:
    # Database name (required if using this hook). Or
    # "all" to dump all databases on the host. Note
    # that using this database hook implicitly enables
    # both read_special and one_file_system (see
    # above) to support dump and restore streaming.
-    - name: ${POSTGRES_DB}
+    # - name: ${POSTGRES_DB}

      # Database hostname to connect to. Defaults to
      # connecting via local Unix socket.
-      hostname: ${POSTGRES_HOST}
+      # hostname: ${POSTGRES_HOST}

      # Port to connect to. Defaults to 3306.
      # port: 3307

      # Username with which to connect to the database.
      # Defaults to the username of the current user.
-      username: ${POSTGRES_USER}
+      # username: ${POSTGRES_USER}

      # Password with which to connect to the database.
      # Omitting a password will only work if MySQL is
      # configured to trust the configured username
      # without a password.
-      password: ${POSTGRES_PASSWORD}
+      # password: ${POSTGRES_PASSWORD}

      # Additional mysql options to pass directly to
      # the mysql command that lists available
--- a/templates/docker-compose/volumes/borgmatic-config/msmtp.env.j2
+++ b/templates/docker-compose/volumes/borgmatic-config/msmtp.env.j2
@@ -0,0 +1 @@
+MAIL_PASSWORD={{ smtp_password }}