From 8d7163e7e6e76cacfea953ad84e3c338f3797e82 Mon Sep 17 00:00:00 2001 From: Nick Stokoe Date: Mon, 3 Apr 2023 16:47:07 +0100 Subject: [PATCH] requirements.yml,SETUP.md - prerequisites --- SETUP.md | 45 ++ requirements.yml | 6 + templates/bin/backup | 14 + templates/borg.service.j2 | 6 + templates/borg.timer.j2 | 10 + templates/docker-compose/borgmatic.env.j2 | 2 + templates/docker-compose/borgmatic/Dockerfile | 4 + templates/docker-compose/borgmatic/backup.sh | 20 + .../volumes/borg-config/.gitignore | 3 + .../volumes/borg-ssh-config/.gitignore | 5 + .../volumes/borg-ssh-config/config | 1 + .../volumes/borgmatic-config/.gitignore | 3 + .../volumes/borgmatic-config/config.yaml | 722 ++++++++++++++++++ .../volumes/borgmatic-config/crontab.txt | 1 + 14 files changed, 842 insertions(+) create mode 100644 SETUP.md create mode 100644 requirements.yml create mode 100755 templates/bin/backup create mode 100644 templates/borg.service.j2 create mode 100644 templates/borg.timer.j2 create mode 100644 templates/docker-compose/borgmatic.env.j2 create mode 100644 templates/docker-compose/borgmatic/Dockerfile create mode 100755 templates/docker-compose/borgmatic/backup.sh create mode 100644 templates/docker-compose/volumes/borg-config/.gitignore create mode 100644 templates/docker-compose/volumes/borg-ssh-config/.gitignore create mode 100644 templates/docker-compose/volumes/borg-ssh-config/config create mode 100644 templates/docker-compose/volumes/borgmatic-config/.gitignore create mode 100644 templates/docker-compose/volumes/borgmatic-config/config.yaml create mode 100644 templates/docker-compose/volumes/borgmatic-config/crontab.txt diff --git a/SETUP.md b/SETUP.md new file mode 100644 index 0000000..abaf5d2 --- /dev/null +++ b/SETUP.md @@ -0,0 +1,45 @@ + +## To set up + +These subdirectorys need to be cloned, as they are not part of the repo. + +The first is Ansible. The exact version is not always important, but +it is wise to keep roughly the same version because Ansible has +changed a lot. I like to be able to use a version which works with my +playbooks... some of my older playbooks contained a lot of +workarounds for old versions of ansible. Newer playbooks use newer +versions of Ansible. At the time of writing, I'm using v2.9.26. + + git clone git@github.com:ansible/ansible.git .ansible-src + (cd .ansible-src && git co v2.9.26) + +This subdirectory contains the passwords and other secrets this repo +needs access to. It is a Password Store GPG2 encrypted repository, +accessible with the `pass` command. Ansible has a plugin which can +use that. + + git clone gitolite:password-store .password-store + +You should also make sure that the hosts in the inventory are +accessible - sometimes this requires adding `~/.ssh/config` settings +like this example: + + Host mixian mixian.noodlefactory.co.uk + Hostname 142.132.227.118 + User root + + +## Before deploying + +This script initialises the environment so that `pass` and +`ansible-playbook` will work as if they were installed in the standard +places (although they are not). + + ./env-setup + +## Dependencies + +Ansible role and collection dependencies the need to be installed: + + ansible-galaxy install -r requirements.yml + ansible-galaxy collection install -r requirements.yml diff --git a/requirements.yml b/requirements.yml new file mode 100644 index 0000000..20ef2e1 --- /dev/null +++ b/requirements.yml @@ -0,0 +1,6 @@ +--- +roles: + # From Galaxy + - name: mrlesmithjr.netplan + version: v0.3.0 + diff --git a/templates/bin/backup b/templates/bin/backup new file mode 100755 index 0000000..cba9701 --- /dev/null +++ b/templates/bin/backup @@ -0,0 +1,14 @@ +#!/bin/bash + +# Borg Backup runner + +set -o pipefail +set -o errexit + +DC_DIR=/opt/docker-compose/ + +cd $DC_DIR +docker-compose down +docker run --name borgmatic -T --rm borgmatic /backup.sh +docker-compose up -d main-services + diff --git a/templates/borg.service.j2 b/templates/borg.service.j2 new file mode 100644 index 0000000..3159178 --- /dev/null +++ b/templates/borg.service.j2 @@ -0,0 +1,6 @@ +[Unit] +Description=Borg backups + +[Service] +Type=oneshot +ExecStart=/opt/docker/bin/backup diff --git a/templates/borg.timer.j2 b/templates/borg.timer.j2 new file mode 100644 index 0000000..b650a34 --- /dev/null +++ b/templates/borg.timer.j2 @@ -0,0 +1,10 @@ +[Unit] +Description=Run Borg backups nightly + +[Timer] +OnCalendar=01:40:00 +Persistent=true + +[Install] +WantedBy=timers.target +WantedBy=borg.target diff --git a/templates/docker-compose/borgmatic.env.j2 b/templates/docker-compose/borgmatic.env.j2 new file mode 100644 index 0000000..198b5e9 --- /dev/null +++ b/templates/docker-compose/borgmatic.env.j2 @@ -0,0 +1,2 @@ +POSTGRES_PASSWORD={{ nextcloud_db_password }} +BORG_PASSPHRASE={{ borg_passphrase }} diff --git a/templates/docker-compose/borgmatic/Dockerfile b/templates/docker-compose/borgmatic/Dockerfile new file mode 100644 index 0000000..6e80b08 --- /dev/null +++ b/templates/docker-compose/borgmatic/Dockerfile @@ -0,0 +1,4 @@ +FROM b3vis/borgmatic:latest-msmtp + +COPY backup.sh /backup.sh + diff --git a/templates/docker-compose/borgmatic/backup.sh b/templates/docker-compose/borgmatic/backup.sh new file mode 100755 index 0000000..c1e5af1 --- /dev/null +++ b/templates/docker-compose/borgmatic/backup.sh @@ -0,0 +1,20 @@ +#!/bin/sh +# Run the backup and mail the logs + +BACKUP_COMMAND="borgmatic --stats" +LOGFILE="/tmp/backup_run_$(date +%s).log" + +set -o pipefail +if $BACKUP_COMMAND 2>&1 | tee $LOGFILE; then + SUBJECT_PREFIX="=?utf-8?Q? =E2=9C=85 SUCCESS?=" + SUCCESS=1 +else + SUBJECT_PREFIX="=?utf-8?Q? =E2=9D=8C FAILED?=" +fi + +if [ -z "$SUCCESS" ]; then + echo -e "Subject: $SUBJECT_PREFIX: $MAIL_SUBJECT\n\n$(cat $LOGFILE)\n" | + sendmail -t $MAIL_TO +fi + +rm $LOGFILE diff --git a/templates/docker-compose/volumes/borg-config/.gitignore b/templates/docker-compose/volumes/borg-config/.gitignore new file mode 100644 index 0000000..eb9968e --- /dev/null +++ b/templates/docker-compose/volumes/borg-config/.gitignore @@ -0,0 +1,3 @@ +# these files get written here by Bundlewrap +/* +!/.gitignore diff --git a/templates/docker-compose/volumes/borg-ssh-config/.gitignore b/templates/docker-compose/volumes/borg-ssh-config/.gitignore new file mode 100644 index 0000000..111eecb --- /dev/null +++ b/templates/docker-compose/volumes/borg-ssh-config/.gitignore @@ -0,0 +1,5 @@ +# SSH key files get written here by Bundlewrap +/* +!/.gitignore +!/config + diff --git a/templates/docker-compose/volumes/borg-ssh-config/config b/templates/docker-compose/volumes/borg-ssh-config/config new file mode 100644 index 0000000..a337a68 --- /dev/null +++ b/templates/docker-compose/volumes/borg-ssh-config/config @@ -0,0 +1 @@ +StrictHostKeyChecking accept-new diff --git a/templates/docker-compose/volumes/borgmatic-config/.gitignore b/templates/docker-compose/volumes/borgmatic-config/.gitignore new file mode 100644 index 0000000..b759032 --- /dev/null +++ b/templates/docker-compose/volumes/borgmatic-config/.gitignore @@ -0,0 +1,3 @@ +# these files get written here by Bundlewrap +/msmtp.env + diff --git a/templates/docker-compose/volumes/borgmatic-config/config.yaml b/templates/docker-compose/volumes/borgmatic-config/config.yaml new file mode 100644 index 0000000..ddfda05 --- /dev/null +++ b/templates/docker-compose/volumes/borgmatic-config/config.yaml @@ -0,0 +1,722 @@ +# Where to look for files to backup, and where to store those backups. +# See https://borgbackup.readthedocs.io/en/stable/quickstart.html and +# https://borgbackup.readthedocs.io/en/stable/usage/create.html +# for details. +location: + # List of source directories to backup. Globs and tildes are + # expanded. Do not backslash spaces in path names. + source_directories: + - /mnt/source/ + + # Paths to local or remote repositories (required). Tildes are + # expanded. Multiple repositories are backed up to in + # sequence. Borg placeholders can be used. See the output of + # "borg help placeholders" for details. See ssh_command for + # SSH options like identity file or port. If systemd service + # is used, then add local repository paths in the systemd + # service file to the ReadWritePaths list. + repositories: + - /mnt/c/backup/nick +# - ssh://${BORG_REPO_USER}@${BORG_REPO_HOST}:${BORG_REPO_PORT}/./${BORG_ARCHIVE} + + # Working directory for the "borg create" command. Tildes are + # expanded. Useful for backing up using relative paths. See + # http://borgbackup.readthedocs.io/en/stable/usage/create.html + # for details. Defaults to not set. + # working_directory: /path/to/working/directory + + # Stay in same file system: do not cross mount points beyond + # the given source directories. Defaults to false. But when a + # database hook is used, the setting here is ignored and + # one_file_system is considered true. + # one_file_system: true + + # Only store/extract numeric user and group identifiers. + # Defaults to false. + # numeric_ids: true + + # Store atime into archive. Defaults to true in Borg < 1.2, + # false in Borg 1.2+. + # atime: false + + # Store ctime into archive. Defaults to true. + # ctime: false + + # Store birthtime (creation date) into archive. Defaults to + # true. + # birthtime: false + + # Use Borg's --read-special flag to allow backup of block and + # other special devices. Use with caution, as it will lead to + # problems if used when backing up special devices such as + # /dev/zero. Defaults to false. But when a database hook is + # used, the setting here is ignored and read_special is + # considered true. + # read_special: false + + # Record filesystem flags (e.g. NODUMP, IMMUTABLE) in archive. + # Defaults to true. + # flags: true + + # Mode in which to operate the files cache. See + # http://borgbackup.readthedocs.io/en/stable/usage/create.html + # for details. Defaults to "ctime,size,inode". + # files_cache: ctime,size,inode + + # Alternate Borg local executable. Defaults to "borg". + # local_path: borg1 + + # Alternate Borg remote executable. Defaults to "borg". + # remote_path: borg1 + + # Any paths matching these patterns are included/excluded from + # backups. Globs are expanded. (Tildes are not.) See the + # output of "borg help patterns" for more details. Quote any + # value if it contains leading punctuation, so it parses + # correctly. Note that only one of "patterns" and + # "source_directories" may be used. + # patterns: + # - R / + # - '- /home/*/.cache' + # - + /home/susan + # - '- /home/*' + + # Read include/exclude patterns from one or more separate + # named files, one pattern per line. Note that Borg considers + # this option experimental. See the output of "borg help + # patterns" for more details. + # patterns_from: + # - /etc/borgmatic/patterns + + # Any paths matching these patterns are excluded from backups. + # Globs and tildes are expanded. Note that a glob pattern must + # either start with a glob or be an absolute path. Do not + # backslash spaces in path names. See the output of "borg help + # patterns" for more details. + exclude_patterns: + # - '*.pyc' + # - /home/*/.cache + # - '*/.vim*.tmp' + # - /etc/ssl + # - /home/user/path with spaces + - '*~' + - '*#' + - '.cache' + - 'cache' + + # Read exclude patterns from one or more separate named files, + # one pattern per line. See the output of "borg help patterns" + # for more details. + # exclude_from: + # - /etc/borgmatic/excludes + + # Exclude directories that contain a CACHEDIR.TAG file. See + # http://www.brynosaurus.com/cachedir/spec.html for details. + # Defaults to false. + # exclude_caches: true + + # Exclude directories that contain a file with the given + # filenames. Defaults to not set. + # exclude_if_present: + # - .nobackup + + # If true, the exclude_if_present filename is included in + # backups. Defaults to false, meaning that the + # exclude_if_present filename is omitted from backups. + # keep_exclude_tags: true + + # Exclude files with the NODUMP flag. Defaults to false. + # exclude_nodump: true + + # Path for additional source files used for temporary internal + # state like borgmatic database dumps. Note that changing this + # path prevents "borgmatic restore" from finding any database + # dumps created before the change. Defaults to ~/.borgmatic + # borgmatic_source_directory: /tmp/borgmatic + +# Repository storage options. See +# https://borgbackup.readthedocs.io/en/stable/usage/create.html and +# https://borgbackup.readthedocs.io/en/stable/usage/general.html for +# details. +storage: + # The standard output of this command is used to unlock the + # encryption key. Only use on repositories that were + # initialized with passcommand/repokey/keyfile encryption. + # Note that if both encryption_passcommand and + # encryption_passphrase are set, then encryption_passphrase + # takes precedence. Defaults to not set. + # encryption_passcommand: secret-tool lookup borg-repository repo-name + + # Passphrase to unlock the encryption key with. Only use on + # repositories that were initialized with + # passphrase/repokey/keyfile encryption. Quote the value if it + # contains punctuation, so it parses correctly. And backslash + # any quote or backslash literals as well. Defaults to not + # set. + # encryption_passphrase: "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~" + + # Number of seconds between each checkpoint during a + # long-running backup. See + # https://borgbackup.readthedocs.io/en/stable/faq.html + # for details. Defaults to checkpoints every 1800 seconds (30 + # minutes). + # checkpoint_interval: 1800 + + # Specify the parameters passed to then chunker + # (CHUNK_MIN_EXP, CHUNK_MAX_EXP, HASH_MASK_BITS, + # HASH_WINDOW_SIZE). See + # https://borgbackup.readthedocs.io/en/stable/internals.html + # for details. Defaults to "19,23,21,4095". + # chunker_params: 19,23,21,4095 + + # Type of compression to use when creating archives. See + # http://borgbackup.readthedocs.io/en/stable/usage/create.html + # for details. Defaults to "lz4". + # compression: lz4 + + # Remote network upload rate limit in kiBytes/second. Defaults + # to unlimited. + # upload_rate_limit: 100 + + # Number of times to retry a failing backup before giving up. + # Defaults to 0 (i.e., does not attempt retry). + # retries: 3 + + # Wait time between retries (in seconds) to allow transient + # issues to pass. Increases after each retry as a form of + # backoff. Defaults to 0 (no wait). + # retry_wait: 10 + + # Directory where temporary files are stored. Defaults to + # $TMPDIR + # temporary_directory: /path/to/tmpdir + + # Command to use instead of "ssh". This can be used to specify + # ssh options. Defaults to not set. + # ssh_command: ssh -i /path/to/private/key + + # Base path used for various Borg directories. Defaults to + # $HOME, ~$USER, or ~. + # borg_base_directory: /path/to/base + + # Path for Borg configuration files. Defaults to + # $borg_base_directory/.config/borg + # borg_config_directory: /path/to/base/config + + # Path for Borg cache files. Defaults to + # $borg_base_directory/.cache/borg + # borg_cache_directory: /path/to/base/cache + + # Path for Borg security and encryption nonce files. Defaults + # to $borg_base_directory/.config/borg/security + # borg_security_directory: /path/to/base/config/security + + # Path for Borg encryption key files. Defaults to + # $borg_base_directory/.config/borg/keys + # borg_keys_directory: /path/to/base/config/keys + + # Umask to be used for borg create. Defaults to 0077. + # umask: 0077 + + # Maximum seconds to wait for acquiring a repository/cache + # lock. Defaults to 1. + # lock_wait: 5 + + # Name of the archive. Borg placeholders can be used. See the + # output of "borg help placeholders" for details. Defaults to + # "{hostname}-{now:%Y-%m-%dT%H:%M:%S.%f}". If you specify this + # option, consider also specifying a prefix in the retention + # and consistency sections to avoid accidental + # pruning/checking of archives with different archive name + # formats. + # archive_name_format: '{hostname}-documents-{now}' + archive_name_format: '{hostname}-{now:%Y-%m-%dT%H:%M:%S.%f}' + + # Bypass Borg error about a repository that has been moved. + # Defaults to false. + # relocated_repo_access_is_ok: true + + # Bypass Borg error about a previously unknown unencrypted + # repository. Defaults to false. + # unknown_unencrypted_repo_access_is_ok: true + + # Additional options to pass directly to particular Borg + # commands, handy for Borg options that borgmatic does not yet + # support natively. Note that borgmatic does not perform any + # validation on these options. Running borgmatic with + # "--verbosity 2" shows the exact Borg command-line + # invocation. + # extra_borg_options: + # Extra command-line options to pass to "borg init". + # init: --extra-option + + # Extra command-line options to pass to "borg prune". + # prune: --extra-option + + # Extra command-line options to pass to "borg compact". + # compact: --extra-option + + # Extra command-line options to pass to "borg create". + # create: --extra-option + + # Extra command-line options to pass to "borg check". + # check: --extra-option + +# Retention policy for how many backups to keep in each category. See +# https://borgbackup.readthedocs.io/en/stable/usage/prune.html for +# details. At least one of the "keep" options is required for pruning +# to work. To skip pruning entirely, run "borgmatic create" or "check" +# without the "prune" action. See borgmatic documentation for details. +retention: + # Keep all archives within this time interval. + # keep_within: 3H + + # Number of secondly archives to keep. + # keep_secondly: 60 + + # Number of minutely archives to keep. + # keep_minutely: 60 + + # Number of hourly archives to keep. + # keep_hourly: 24 + + # Number of daily archives to keep. + keep_daily: 7 + + # Number of weekly archives to keep. + keep_weekly: 4 + + # Number of monthly archives to keep. + keep_monthly: 6 + + # Number of yearly archives to keep. + keep_yearly: 5 + + # When pruning, only consider archive names starting with this + # prefix. Borg placeholders can be used. See the output of + # "borg help placeholders" for details. Defaults to + # "{hostname}-". Use an empty value to disable the default. + # prefix: sourcehostname + +# Consistency checks to run after backups. See +# https://borgbackup.readthedocs.io/en/stable/usage/check.html and +# https://borgbackup.readthedocs.io/en/stable/usage/extract.html for +# details. +# consistency: + # List of one or more consistency checks to run on a periodic + # basis (if "frequency" is set) or every time borgmatic runs + # checks (if "frequency" is omitted). + # checks: + # Name of consistency check to run: "repository", + # "archives", "data", and/or "extract". Set to + # "disabled" to disable all consistency checks. + # "repository" checks the consistency of the + # repository, "archives" checks all of the + # archives, "data" verifies the integrity of the + # data within the archives, and "extract" does an + # extraction dry-run of the most recent archive. + # Note that "data" implies "archives". + # - name: repository + + # How frequently to run this type of consistency + # check (as a best effort). The value is a number + # followed by a unit of time. E.g., "2 weeks" to + # run this consistency check no more than every + # two weeks for a given repository or "1 month" to + # run it no more than monthly. Defaults to + # "always": running this check every time checks + # are run. + # frequency: 2 weeks + + # Paths to a subset of the repositories in the location + # section on which to run consistency checks. Handy in case + # some of your repositories are very large, and so running + # consistency checks on them would take too long. Defaults to + # running consistency checks on all repositories configured in + # the location section. + # check_repositories: + # - user@backupserver:sourcehostname.borg + + # Restrict the number of checked archives to the last n. + # Applies only to the "archives" check. Defaults to checking + # all archives. + # check_last: 3 + + # When performing the "archives" check, only consider archive + # names starting with this prefix. Borg placeholders can be + # used. See the output of "borg help placeholders" for + # details. Defaults to "{hostname}-". Use an empty value to + # disable the default. + # prefix: sourcehostname + +# Options for customizing borgmatic's own output and logging. +output: + # Apply color to console output. Can be overridden with + # --no-color command-line flag. Defaults to true. + color: false + +# Shell commands, scripts, or integrations to execute at various +# points during a borgmatic run. IMPORTANT: All provided commands and +# scripts are executed with user permissions of borgmatic. Do not +# forget to set secure permissions on this configuration file (chmod +# 0600) as well as on any script called from a hook (chmod 0700) to +# prevent potential shell injection or privilege escalation. +hooks: + # List of one or more shell commands or scripts to execute + # before all the actions for each repository. + # before_actions: + # - echo "Starting actions." + + # List of one or more shell commands or scripts to execute + # before creating a backup, run once per repository. + # before_backup: + # - echo "Starting a backup." + + # List of one or more shell commands or scripts to execute + # before pruning, run once per repository. + # before_prune: + # - echo "Starting pruning." + + # List of one or more shell commands or scripts to execute + # before compaction, run once per repository. + # before_compact: + # - echo "Starting compaction." + + # List of one or more shell commands or scripts to execute + # before consistency checks, run once per repository. + # before_check: + # - echo "Starting checks." + + # List of one or more shell commands or scripts to execute + # before extracting a backup, run once per repository. + # before_extract: + # - echo "Starting extracting." + + # List of one or more shell commands or scripts to execute + # after creating a backup, run once per repository. + # after_backup: + # - echo "Finished a backup." + + # List of one or more shell commands or scripts to execute + # after compaction, run once per repository. + # after_compact: + # - echo "Finished compaction." + + # List of one or more shell commands or scripts to execute + # after pruning, run once per repository. + # after_prune: + # - echo "Finished pruning." + + # List of one or more shell commands or scripts to execute + # after consistency checks, run once per repository. + # after_check: + # - echo "Finished checks." + + # List of one or more shell commands or scripts to execute + # after extracting a backup, run once per repository. + # after_extract: + # - echo "Finished extracting." + + # List of one or more shell commands or scripts to execute + # after all actions for each repository. + # after_actions: + # - echo "Finished actions." + + # List of one or more shell commands or scripts to execute + # when an exception occurs during a "prune", "compact", + # "create", or "check" action or an associated before/after + # hook. + # on_error: + # - echo "Error during prune/compact/create/check." + + # List of one or more shell commands or scripts to execute + # before running all actions (if one of them is "create"). + # These are collected from all configuration files and then + # run once before all of them (prior to all actions). + # before_everything: + # - echo "Starting actions." + + # List of one or more shell commands or scripts to execute + # after running all actions (if one of them is "create"). + # These are collected from all configuration files and then + # run once after all of them (after any action). + # after_everything: + # - echo "Completed actions." + + # List of one or more PostgreSQL databases to dump before + # creating a backup, run once per configuration file. The + # database dumps are added to your source directories at + # runtime, backed up, and removed afterwards. Requires + # pg_dump/pg_dumpall/pg_restore commands. See + # https://www.postgresql.org/docs/current/app-pgdump.html and + # https://www.postgresql.org/docs/current/libpq-ssl.html for + # details. + # postgresql_databases: + # Database name (required if using this hook). Or + # "all" to dump all databases on the host. Note + # that using this database hook implicitly enables + # both read_special and one_file_system (see + # above) to support dump and restore streaming. + # - name: users + + # Database hostname to connect to. Defaults to + # connecting via local Unix socket. + # hostname: database.example.org + + # Port to connect to. Defaults to 5432. + # port: 5433 + + # Username with which to connect to the database. + # Defaults to the username of the current user. + # You probably want to specify the "postgres" + # superuser here when the database name is "all". + # username: dbuser + + # Password with which to connect to the database. + # Omitting a password will only work if PostgreSQL + # is configured to trust the configured username + # without a password or you create a ~/.pgpass + # file. + # password: trustsome1 + + # Database dump output format. One of "plain", + # "custom", "directory", or "tar". Defaults to + # "custom" (unlike raw pg_dump). See pg_dump + # documentation for details. Note that format is + # ignored when the database name is "all". + # format: directory + + # SSL mode to use to connect to the database + # server. One of "disable", "allow", "prefer", + # "require", "verify-ca" or "verify-full". + # Defaults to "disable". + # ssl_mode: require + + # Path to a client certificate. + # ssl_cert: /root/.postgresql/postgresql.crt + + # Path to a private client key. + # ssl_key: /root/.postgresql/postgresql.key + + # Path to a root certificate containing a list of + # trusted certificate authorities. + # ssl_root_cert: /root/.postgresql/root.crt + + # Path to a certificate revocation list. + # ssl_crl: /root/.postgresql/root.crl + + # Additional pg_dump/pg_dumpall options to pass + # directly to the dump command, without performing + # any validation on them. See pg_dump + # documentation for details. + # options: --role=someone + + # List of one or more MySQL/MariaDB databases to dump before + # creating a backup, run once per configuration file. The + # database dumps are added to your source directories at + # runtime, backed up, and removed afterwards. Requires + # mysqldump/mysql commands (from either MySQL or MariaDB). See + # https://dev.mysql.com/doc/refman/8.0/en/mysqldump.html or + # https://mariadb.com/kb/en/library/mysqldump/ for details. + mysql_databases: + # Database name (required if using this hook). Or + # "all" to dump all databases on the host. Note + # that using this database hook implicitly enables + # both read_special and one_file_system (see + # above) to support dump and restore streaming. + - name: ${POSTGRES_DB} + + # Database hostname to connect to. Defaults to + # connecting via local Unix socket. + hostname: ${POSTGRES_HOST} + + # Port to connect to. Defaults to 3306. + # port: 3307 + + # Username with which to connect to the database. + # Defaults to the username of the current user. + username: ${POSTGRES_USER} + + # Password with which to connect to the database. + # Omitting a password will only work if MySQL is + # configured to trust the configured username + # without a password. + password: ${POSTGRES_PASSWORD} + + # Additional mysql options to pass directly to + # the mysql command that lists available + # databases, without performing any validation on + # them. See mysql documentation for details. + # list_options: --defaults-extra-file=my.cnf + + # Additional mysqldump options to pass directly to + # the dump command, without performing any + # validation on them. See mysqldump documentation + # for details. + # options: --skip-comments + + # List of one or more MongoDB databases to dump before + # creating a backup, run once per configuration file. The + # database dumps are added to your source directories at + # runtime, backed up, and removed afterwards. Requires + # mongodump/mongorestore commands. See + # https://docs.mongodb.com/database-tools/mongodump/ and + # https://docs.mongodb.com/database-tools/mongorestore/ for + # details. + # mongodb_databases: + # Database name (required if using this hook). Or + # "all" to dump all databases on the host. Note + # that using this database hook implicitly enables + # both read_special and one_file_system (see + # above) to support dump and restore streaming. + # - name: users + + # Database hostname to connect to. Defaults to + # connecting to localhost. + # hostname: database.example.org + + # Port to connect to. Defaults to 27017. + # port: 27018 + + # Username with which to connect to the database. + # Skip it if no authentication is needed. + # username: dbuser + + # Password with which to connect to the database. + # Skip it if no authentication is needed. + # password: trustsome1 + + # Authentication database where the specified + # username exists. If no authentication database + # is specified, the database provided in "name" + # is used. If "name" is "all", the "admin" + # database is used. + # authentication_database: admin + + # Database dump output format. One of "archive", + # or "directory". Defaults to "archive". See + # mongodump documentation for details. Note that + # format is ignored when the database name is + # "all". + # format: directory + + # Additional mongodump options to pass + # directly to the dump command, without performing + # any validation on them. See mongodump + # documentation for details. + # options: --role=someone + + # ntfy: + # The topic to publish to. + # (https://ntfy.sh/docs/publish/) + # topic: topic + + # The address of your self-hosted ntfy.sh instance. + # server: https://ntfy.your-domain.com + + # start: + # The title of the message + # title: Ping! + + # The message body to publish. + # message: Your backups have failed. + + # The priority to set. + # priority: urgent + + # Tags to attach to the message. + # tags: incoming_envelope + + # finish: + # The title of the message. + # title: Ping! + + # The message body to publish. + # message: Your backups have failed. + + # The priority to set. + # priority: urgent + + # Tags to attach to the message. + # tags: incoming_envelope + + # fail: + # The title of the message. + # title: Ping! + + # The message body to publish. + # message: Your backups have failed. + + # The priority to set. + # priority: urgent + + # Tags to attach to the message. + # tags: incoming_envelope + + # List of one or more monitoring states to ping for: + # "start", "finish", and/or "fail". Defaults to + # pinging for failure only. + # states: + # - start + # - finish + + # Configuration for a monitoring integration with + # Healthchecks. Create an account at https://healthchecks.io + # (or self-host Healthchecks) if you'd like to use this + # service. See borgmatic monitoring documentation for details. + # healthchecks: + # Healthchecks ping URL or UUID to notify when a + # backup begins, ends, or errors. + # ping_url: https://hc-ping.com/your-uuid-here + + # Verify the TLS certificate of the ping URL host. + # Defaults to true. + # verify_tls: false + + # Send borgmatic logs to Healthchecks as part the + # "finish" state. Defaults to true. + # send_logs: false + + # Number of bytes of borgmatic logs to send to + # Healthchecks, ideally the same as PING_BODY_LIMIT + # configured on the Healthchecks server. Set to 0 to + # send all logs and disable this truncation. Defaults + # to 100000. + # ping_body_limit: 200000 + + # List of one or more monitoring states to ping for: + # "start", "finish", and/or "fail". Defaults to + # pinging for all states. + # states: + # - finish + + # Configuration for a monitoring integration with Cronitor. + # Create an account at https://cronitor.io if you'd + # like to use this service. See borgmatic monitoring + # documentation for details. + # cronitor: + # Cronitor ping URL to notify when a backup begins, + # ends, or errors. + # ping_url: https://cronitor.link/d3x0c1 + + # Configuration for a monitoring integration with PagerDuty. + # Create an account at https://www.pagerduty.com/ if you'd + # like to use this service. See borgmatic monitoring + # documentation for details. + # pagerduty: + # PagerDuty integration key used to notify PagerDuty + # when a backup errors. + # integration_key: a177cad45bd374409f78906a810a3074 + + # Configuration for a monitoring integration with Crunhub. + # Create an account at https://cronhub.io if you'd like to + # use this service. See borgmatic monitoring documentation + # for details. + # cronhub: + # Cronhub ping URL to notify when a backup begins, + # ends, or errors. + # ping_url: https://cronhub.io/ping/1f5e3410-254c-5587 + + # Umask used when executing hooks. Defaults to the umask that + # borgmatic is run with. + # umask: 0077 diff --git a/templates/docker-compose/volumes/borgmatic-config/crontab.txt b/templates/docker-compose/volumes/borgmatic-config/crontab.txt new file mode 100644 index 0000000..5090f8c --- /dev/null +++ b/templates/docker-compose/volumes/borgmatic-config/crontab.txt @@ -0,0 +1 @@ +0 1 * * * PATH=$PATH:/usr/bin /usr/local/bin/borgmatic --stats -v 0 2>&1