snackpot.yml etc. - add borgmatic backup container

snackpot.yml

@@ -11,6 +11,12 @@
     jellyfin_hostname: jf.noodlefactory.co.uk
     letsencrypt_email: webmaster@noodlefactory.co.uk
     docker_compose_base_dir: /opt/docker-compose
+    docker_compose_cmd: docker-compose
+    borg_passphrase: "{{lookup('passwordstore', 'servers/snackpot/borg.passphrase')}}"
+    smtp_password: "{{lookup('passwordstore', 'servers/snackpot/smtp.password')}}"
+    borg_ssh_key: "{{lookup('passwordstore', 'servers/snackpot/borg.id_rsa')}}"
+    borg_ssh_key_pub: "{{lookup('passwordstore', 'servers/snackpot/borg.id_rsa.pub')}}"
+    borg_repo_key: "{{lookup('passwordstore', 'servers/snackpot/borg_repo.key')}}"
     firewall_ports:
       - "22"
       - "80"
@@ -136,5 +142,25 @@
       with_filetree: templates/bin
       when: item.state == "file" and not item.path.endswith("~")
       tags: docker-config
+
+    - name: install appserver and borg backup services
+      template:
+        dest: "/etc/systemd/system/{{ item }}"
+        src: "{{ item }}.j2"
+        owner: root
+        group: root
+        mode: 0550
+      with_items:
+        - appserver.service
+        - borg.service
+        - borg.timer
+      tags: docker-config
+          
+    - name: enable backup service
+      service:
+        name: borg
+        state: started
+        enabled: yes
+
 # config nextcloud
 # hide pg password

templates/appserver.service.j2

@@ -0,0 +1,14 @@
+[Unit]
+Description=appserver
+Requires=docker.service
+After=docker.service
+
+[Service]
+Type=oneshot
+WorkingDirectory={{docker_compose_base_dir}}
+ExecStart={{docker_compose_cmd}} up -d --remove-orphans main-services
+ExecStop={{docker_compose_cmd}} down
+RemainAfterExit=true
+
+[Install]
+WantedBy=multi-user.target

templates/bin/backup

@@ -9,6 +9,6 @@ DC_DIR=/opt/docker-compose/
 
 cd $DC_DIR
 docker-compose down
-docker run --name borgmatic -T --rm borgmatic  /backup.sh
+docker-compose run --name borgmatic -T --rm borgmatic  /backup.sh
 docker-compose up -d main-services
 

templates/borg.service.j2

@@ -3,4 +3,4 @@ Description=Borg backups
 
 [Service]
 Type=oneshot
-ExecStart=/opt/docker/bin/backup
+ExecStart=/opt/docker-compose/bin/backup

templates/docker-compose/borgmatic/Dockerfile

@@ -1,4 +1,4 @@
 FROM b3vis/borgmatic:latest-msmtp
 
-COPY backup.sh /backup.sh
+COPY --chmod=755 backup.sh /backup.sh
 

templates/docker-compose/docker-compose.yml

@@ -17,6 +17,7 @@ volumes:
   minidlna_state:
   minidlna_data:
   mopidy_data:
+  borgmatic-cache:
 
 networks:
   # This is for proxied containers
@@ -95,6 +96,7 @@ services:
       - web.env
     depends_on:
       - nextcloud
+      - letsencrypt-companion
     networks:
       - proxy-tier
       - default
@@ -193,6 +195,67 @@ services:
         ipv4_address: 192.168.0.243
     restart: always
 
+  # a dummy container to start the main services as deps
+  # This allows the borgmatic image to be excluded when run as:
+  #      docker-compose up main-services
+  main-services: 
+    image: alpine:latest # a small dumy image 
+    command: sh -c "sleep infinity"
+    depends_on:
+      - nextcloud
+      - nextcloud_cron
+      - web
+      - jellyfin
+      - minidlna
+      - upmpdcli
+      
+  borgmatic:
+    build: ./borgmatic
+    restart: 'no' # This container is only run when required
+    depends_on: # These containers need to be up for dumps
+      - postgres
+    networks:
+      # Networks for DB access for backups
+      - default
+    volumes:
+      # Backup mount
+      - /mnt/c/backup/nick:/mnt/borg-repository
+      # Volumes to back up
+      - certs:/mnt/source/certs:ro
+      - nextcloud_data:/mnt/source/nextcloud_data:ro
+      - vhost.d:/mnt/source/vhost.d:ro
+      - html:/mnt/source/html:ro
+      - jellyfin_config:/mnt/source/jellyfin_config:ro
+      - minidlna_state:/mnt/source/minidlna_state:ro
+      - minidlna_data:/mnt/source/minidlna_data:ro
+      # System volumes
+      - /etc/timezone:/etc/timezone:ro             # timezone
+      - /etc/localtime:/etc/localtime:ro           # localtime
+      - borgmatic-cache:/root/.cache/borg  # non-volatile borg chunk cache
+      # Config volumes
+      - ./volumes/borgmatic-config:/etc/borgmatic.d/:ro # config.yaml, crontab.txt, mstmp.env
+      - ./volumes/borg-config:/root/.config/borg/ # borg encryption keys, other config written here
+      - ./volumes/borg-ssh-config:/root/.ssh/ # ssh keys; sshd writes knownhosts etc here
+
+    environment:
+      POSTGRES_USER: nextcloud
+      POSTGRES_DB: nextcloud
+      POSTGRES_HOST: postgres
+      BORG_ARCHIVE: nick
+      MAIL_RELAY_HOST: mail.noodlefactory.co.uk
+      MAIL_PORT: 25
+      MAIL_AUTH_METHOD: login
+      MAIL_STARTTLS: 'on'
+      MAIL_USER: nc.noodlefactory.co.uk
+      MAIL_FROM: borgmatic@snackpot.noodlefactory.co.uk
+      MAIL_TO: nick@noodlefactory.co.uk
+      MAIL_SUBJECT: Borgmatic Backup
+      # MAIL_PASSWORD is set via volumes/borgmatic-config/msmtp.env, created via ansible
+    env_file:
+      - ./borgmatic.env
+      # FIXME create backup service
+    
+
       # Next three services adapted from
 # https://github.com/deisi/audiostation/blob/master/docker-compose.yml
 # and https://github.com/IVData/dockerfiles/blob/master/mopidy-multiroom/docker-compose.yml

templates/docker-compose/volumes/borgmatic-config/config.yaml

@@ -16,7 +16,7 @@ location:
   # is used, then add local repository paths in the systemd
   # service file to the ReadWritePaths list.
   repositories:
-    - /mnt/c/backup/nick
+    - /mnt/borg-repository
 #    - ssh://${BORG_REPO_USER}@${BORG_REPO_HOST}:${BORG_REPO_PORT}/./${BORG_ARCHIVE}
 
   # Working directory for the "borg create" command. Tildes are
@@ -103,6 +103,7 @@ location:
     - '*#'
     - '.cache'
     - 'cache'
+    - 'files_trashbin'
 
   # Read exclude patterns from one or more separate named files,
   # one pattern per line. See the output of "borg help patterns"
@@ -451,17 +452,19 @@ hooks:
   # https://www.postgresql.org/docs/current/app-pgdump.html and
   # https://www.postgresql.org/docs/current/libpq-ssl.html for
   # details.
-  # postgresql_databases:
+  postgresql_databases:
     # Database name (required if using this hook). Or
     # "all" to dump all databases on the host. Note
     # that using this database hook implicitly enables
     # both read_special and one_file_system (see
     # above) to support dump and restore streaming.
     # - name: users
+    - name: ${POSTGRES_DB}
 
       # Database hostname to connect to. Defaults to
       # connecting via local Unix socket.
       # hostname: database.example.org
+      hostname: ${POSTGRES_HOST}
       
       # Port to connect to. Defaults to 5432.
       # port: 5433
@@ -471,6 +474,7 @@ hooks:
       # You probably want to specify the "postgres"
       # superuser here when the database name is "all".
       # username: dbuser
+      username: ${POSTGRES_USER}
       
       # Password with which to connect to the database.
       # Omitting a password will only work if PostgreSQL
@@ -478,6 +482,7 @@ hooks:
       # without a password or you create a ~/.pgpass
       # file.
       # password: trustsome1
+      password: ${POSTGRES_PASSWORD}
       
       # Database dump output format. One of "plain",
       # "custom", "directory", or "tar". Defaults to
@@ -518,30 +523,30 @@ hooks:
   # mysqldump/mysql commands (from either MySQL or MariaDB). See
   # https://dev.mysql.com/doc/refman/8.0/en/mysqldump.html or
   # https://mariadb.com/kb/en/library/mysqldump/ for details.
-  mysql_databases:
+  # mysql_databases:
     # Database name (required if using this hook). Or
     # "all" to dump all databases on the host. Note
     # that using this database hook implicitly enables
     # both read_special and one_file_system (see
     # above) to support dump and restore streaming.
-    - name: ${POSTGRES_DB}
+    # - name: ${POSTGRES_DB}
 
       # Database hostname to connect to. Defaults to
       # connecting via local Unix socket.
-      hostname: ${POSTGRES_HOST}
+      # hostname: ${POSTGRES_HOST}
 
       # Port to connect to. Defaults to 3306.
       # port: 3307
 
       # Username with which to connect to the database.
       # Defaults to the username of the current user.
-      username: ${POSTGRES_USER}
+      # username: ${POSTGRES_USER}
 
       # Password with which to connect to the database.
       # Omitting a password will only work if MySQL is
       # configured to trust the configured username
       # without a password.
-      password: ${POSTGRES_PASSWORD}
+      # password: ${POSTGRES_PASSWORD}
 
       # Additional mysql options to pass directly to
       # the mysql command that lists available

templates/docker-compose/volumes/borgmatic-config/msmtp.env.j2

@@ -0,0 +1 @@
+MAIL_PASSWORD={{ smtp_password }}