nick/noofac-snackpot
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

snackpot.yml etc. - add borgmatic backup container

Browse Source
This commit is contained in:
Nick Stokoe
2023-04-04 11:52:08 +01:00
parent a6872077a9
commit 2d3d9217e8
8 changed files with 122 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
snackpot.yml
View File

@@ -11,6 +11,12 @@
jellyfin_hostname: jf.noodlefactory.co.uk jellyfin_hostname: jf.noodlefactory.co.uk
letsencrypt_email: webmaster@noodlefactory.co.uk letsencrypt_email: webmaster@noodlefactory.co.uk
docker_compose_base_dir: /opt/docker-compose docker_compose_base_dir: /opt/docker-compose
docker_compose_cmd: docker-compose
borg_passphrase: "{{lookup('passwordstore', 'servers/snackpot/borg.passphrase')}}"
smtp_password: "{{lookup('passwordstore', 'servers/snackpot/smtp.password')}}"
borg_ssh_key: "{{lookup('passwordstore', 'servers/snackpot/borg.id_rsa')}}"
borg_ssh_key_pub: "{{lookup('passwordstore', 'servers/snackpot/borg.id_rsa.pub')}}"
borg_repo_key: "{{lookup('passwordstore', 'servers/snackpot/borg_repo.key')}}"
firewall_ports: firewall_ports:
- "22" - "22"
- "80" - "80"
@@ -136,5 +142,25 @@
with_filetree: templates/bin with_filetree: templates/bin
when: item.state == "file" and not item.path.endswith("~") when: item.state == "file" and not item.path.endswith("~")
tags: docker-config tags: docker-config
- name: install appserver and borg backup services
template:
dest: "/etc/systemd/system/{{ item }}"
src: "{{ item }}.j2"
owner: root
group: root
mode: 0550
with_items:
- appserver.service
- borg.service
- borg.timer
tags: docker-config
- name: enable backup service
service:
name: borg
state: started
enabled: yes
# config nextcloud # config nextcloud
# hide pg password # hide pg password

14
templates/appserver.service.j2 Normal file
View File

@@ -0,0 +1,14 @@
[Unit]
Description=appserver
Requires=docker.service
After=docker.service
[Service]
Type=oneshot
WorkingDirectory={{docker_compose_base_dir}}
ExecStart={{docker_compose_cmd}} up -d --remove-orphans main-services
ExecStop={{docker_compose_cmd}} down
RemainAfterExit=true
[Install]
WantedBy=multi-user.target

2
templates/bin/backup
View File

@@ -9,6 +9,6 @@ DC_DIR=/opt/docker-compose/
cd $DC_DIR cd $DC_DIR
docker-compose down docker-compose down
docker run --name borgmatic -T --rm borgmatic /backup.sh docker-compose run --name borgmatic -T --rm borgmatic /backup.sh
docker-compose up -d main-services docker-compose up -d main-services

2
templates/borg.service.j2
View File

@@ -3,4 +3,4 @@ Description=Borg backups
[Service] [Service]
Type=oneshot Type=oneshot
ExecStart=/opt/docker/bin/backup ExecStart=/opt/docker-compose/bin/backup

2
templates/docker-compose/borgmatic/Dockerfile
View File

@@ -1,4 +1,4 @@
FROM b3vis/borgmatic:latest-msmtp FROM b3vis/borgmatic:latest-msmtp
COPY backup.sh /backup.sh COPY --chmod=755 backup.sh /backup.sh

63
templates/docker-compose/docker-compose.yml
View File

@@ -17,6 +17,7 @@ volumes:
minidlna_state: minidlna_state:
minidlna_data: minidlna_data:
mopidy_data: mopidy_data:
borgmatic-cache:
networks: networks:
# This is for proxied containers # This is for proxied containers
@@ -95,6 +96,7 @@ services:
- web.env - web.env
depends_on: depends_on:
- nextcloud - nextcloud
- letsencrypt-companion
networks: networks:
- proxy-tier - proxy-tier
- default - default
@@ -193,6 +195,67 @@ services:
ipv4_address: 192.168.0.243 ipv4_address: 192.168.0.243
restart: always restart: always
# a dummy container to start the main services as deps
# This allows the borgmatic image to be excluded when run as:
# docker-compose up main-services
main-services:
image: alpine:latest # a small dumy image
command: sh -c "sleep infinity"
depends_on:
- nextcloud
- nextcloud_cron
- web
- jellyfin
- minidlna
- upmpdcli
borgmatic:
build: ./borgmatic
restart: 'no' # This container is only run when required
depends_on: # These containers need to be up for dumps
- postgres
networks:
# Networks for DB access for backups
- default
volumes:
# Backup mount
- /mnt/c/backup/nick:/mnt/borg-repository
# Volumes to back up
- certs:/mnt/source/certs:ro
- nextcloud_data:/mnt/source/nextcloud_data:ro
- vhost.d:/mnt/source/vhost.d:ro
- html:/mnt/source/html:ro
- jellyfin_config:/mnt/source/jellyfin_config:ro
- minidlna_state:/mnt/source/minidlna_state:ro
- minidlna_data:/mnt/source/minidlna_data:ro
# System volumes
- /etc/timezone:/etc/timezone:ro # timezone
- /etc/localtime:/etc/localtime:ro # localtime
- borgmatic-cache:/root/.cache/borg # non-volatile borg chunk cache
# Config volumes
- ./volumes/borgmatic-config:/etc/borgmatic.d/:ro # config.yaml, crontab.txt, mstmp.env
- ./volumes/borg-config:/root/.config/borg/ # borg encryption keys, other config written here
- ./volumes/borg-ssh-config:/root/.ssh/ # ssh keys; sshd writes knownhosts etc here
environment:
POSTGRES_USER: nextcloud
POSTGRES_DB: nextcloud
POSTGRES_HOST: postgres
BORG_ARCHIVE: nick
MAIL_RELAY_HOST: mail.noodlefactory.co.uk
MAIL_PORT: 25
MAIL_AUTH_METHOD: login
MAIL_STARTTLS: 'on'
MAIL_USER: nc.noodlefactory.co.uk
MAIL_FROM: borgmatic@snackpot.noodlefactory.co.uk
MAIL_TO: nick@noodlefactory.co.uk
MAIL_SUBJECT: Borgmatic Backup
# MAIL_PASSWORD is set via volumes/borgmatic-config/msmtp.env, created via ansible
env_file:
- ./borgmatic.env
# FIXME create backup service
# Next three services adapted from # Next three services adapted from
# https://github.com/deisi/audiostation/blob/master/docker-compose.yml # https://github.com/deisi/audiostation/blob/master/docker-compose.yml
# and https://github.com/IVData/dockerfiles/blob/master/mopidy-multiroom/docker-compose.yml # and https://github.com/IVData/dockerfiles/blob/master/mopidy-multiroom/docker-compose.yml

25
templates/docker-compose/volumes/borgmatic-config/config.yaml
View File

@@ -16,7 +16,7 @@ location:
# is used, then add local repository paths in the systemd # is used, then add local repository paths in the systemd
# service file to the ReadWritePaths list. # service file to the ReadWritePaths list.
repositories: repositories:
- /mnt/c/backup/nick - /mnt/borg-repository
# - ssh://${BORG_REPO_USER}@${BORG_REPO_HOST}:${BORG_REPO_PORT}/./${BORG_ARCHIVE} # - ssh://${BORG_REPO_USER}@${BORG_REPO_HOST}:${BORG_REPO_PORT}/./${BORG_ARCHIVE}
# Working directory for the "borg create" command. Tildes are # Working directory for the "borg create" command. Tildes are
@@ -103,6 +103,7 @@ location:
- '*#' - '*#'
- '.cache' - '.cache'
- 'cache' - 'cache'
- 'files_trashbin'
# Read exclude patterns from one or more separate named files, # Read exclude patterns from one or more separate named files,
# one pattern per line. See the output of "borg help patterns" # one pattern per line. See the output of "borg help patterns"
@@ -451,18 +452,20 @@ hooks:
# https://www.postgresql.org/docs/current/app-pgdump.html and # https://www.postgresql.org/docs/current/app-pgdump.html and
# https://www.postgresql.org/docs/current/libpq-ssl.html for # https://www.postgresql.org/docs/current/libpq-ssl.html for
# details. # details.
# postgresql_databases: postgresql_databases:
# Database name (required if using this hook). Or # Database name (required if using this hook). Or
# "all" to dump all databases on the host. Note # "all" to dump all databases on the host. Note
# that using this database hook implicitly enables # that using this database hook implicitly enables
# both read_special and one_file_system (see # both read_special and one_file_system (see
# above) to support dump and restore streaming. # above) to support dump and restore streaming.
# - name: users # - name: users
- name: ${POSTGRES_DB}
# Database hostname to connect to. Defaults to # Database hostname to connect to. Defaults to
# connecting via local Unix socket. # connecting via local Unix socket.
# hostname: database.example.org # hostname: database.example.org
hostname: ${POSTGRES_HOST}
# Port to connect to. Defaults to 5432. # Port to connect to. Defaults to 5432.
# port: 5433 # port: 5433
@@ -471,14 +474,16 @@ hooks:
# You probably want to specify the "postgres" # You probably want to specify the "postgres"
# superuser here when the database name is "all". # superuser here when the database name is "all".
# username: dbuser # username: dbuser
username: ${POSTGRES_USER}
# Password with which to connect to the database. # Password with which to connect to the database.
# Omitting a password will only work if PostgreSQL # Omitting a password will only work if PostgreSQL
# is configured to trust the configured username # is configured to trust the configured username
# without a password or you create a ~/.pgpass # without a password or you create a ~/.pgpass
# file. # file.
# password: trustsome1 # password: trustsome1
password: ${POSTGRES_PASSWORD}
# Database dump output format. One of "plain", # Database dump output format. One of "plain",
# "custom", "directory", or "tar". Defaults to # "custom", "directory", or "tar". Defaults to
# "custom" (unlike raw pg_dump). See pg_dump # "custom" (unlike raw pg_dump). See pg_dump
@@ -518,30 +523,30 @@ hooks:
# mysqldump/mysql commands (from either MySQL or MariaDB). See # mysqldump/mysql commands (from either MySQL or MariaDB). See
# https://dev.mysql.com/doc/refman/8.0/en/mysqldump.html or # https://dev.mysql.com/doc/refman/8.0/en/mysqldump.html or
# https://mariadb.com/kb/en/library/mysqldump/ for details. # https://mariadb.com/kb/en/library/mysqldump/ for details.
mysql_databases: # mysql_databases:
# Database name (required if using this hook). Or # Database name (required if using this hook). Or
# "all" to dump all databases on the host. Note # "all" to dump all databases on the host. Note
# that using this database hook implicitly enables # that using this database hook implicitly enables
# both read_special and one_file_system (see # both read_special and one_file_system (see
# above) to support dump and restore streaming. # above) to support dump and restore streaming.
- name: ${POSTGRES_DB} # - name: ${POSTGRES_DB}
# Database hostname to connect to. Defaults to # Database hostname to connect to. Defaults to
# connecting via local Unix socket. # connecting via local Unix socket.
hostname: ${POSTGRES_HOST} # hostname: ${POSTGRES_HOST}
# Port to connect to. Defaults to 3306. # Port to connect to. Defaults to 3306.
# port: 3307 # port: 3307
# Username with which to connect to the database. # Username with which to connect to the database.
# Defaults to the username of the current user. # Defaults to the username of the current user.
username: ${POSTGRES_USER} # username: ${POSTGRES_USER}
# Password with which to connect to the database. # Password with which to connect to the database.
# Omitting a password will only work if MySQL is # Omitting a password will only work if MySQL is
# configured to trust the configured username # configured to trust the configured username
# without a password. # without a password.
password: ${POSTGRES_PASSWORD} # password: ${POSTGRES_PASSWORD}
# Additional mysql options to pass directly to # Additional mysql options to pass directly to
# the mysql command that lists available # the mysql command that lists available

1
templates/docker-compose/volumes/borgmatic-config/msmtp.env.j2 Normal file
View File

@@ -0,0 +1 @@
MAIL_PASSWORD={{ smtp_password }}