move to push backups

ansible/roles/backupng/files/backup.service

@@ -0,0 +1,6 @@
+[Unit]
+Description=Backup data using Borgmatic
+
+[Service]
+ExecStart=/usr/bin/borgmatic --config /root/backup.yml
+Type=oneshot

ansible/roles/backupng/files/backup.timer

@@ -0,0 +1,10 @@
+[Unit]
+Description=Backup data daily
+
+[Timer]
+OnCalendar=*-*-* 3:00:00
+Persistent=true
+RandomizedDelaySec=1h
+
+[Install]
+WantedBy=timers.target

ansible/roles/backupng/files/backup.yml

@@ -0,0 +1,16 @@
+location:
+  source_directories:
+    - /data
+  repositories:
+    - 'ssh://root@lewis.hyp/mnt/kingston1TB/hosts/atlas'
+retention:
+  keep_daily: 7
+  keep_weekly: 4
+  keep_monthly: 6
+storage:
+  unknown_unencrypted_repo_access_is_ok: true
+hooks:
+  before_everything:
+    - /root/stop_vms.sh
+  after_everything:
+    - /root/start_vms.sh

ansible/roles/backupng/files/ssh_user_certificate.conf

@@ -0,0 +1,2 @@
+CertificateFile /etc/ssh/ssh_user_ed25519_key-cert.pub
+IdentityFile /etc/ssh/ssh_user_ed25519_key

ansible/roles/backupng/files/start_vms.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+for i in $(virsh list --all --name --autostart); do virsh start "$i"; done

ansible/roles/backupng/files/stop_vms.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+for i in $(virsh list --state-running --name --autostart); do
+	virsh shutdown "$i"
+	echo Stopping domain "$i"
+	until virsh domstate "$i" | grep shut; do
+		sleep 0.5
+	done
+done

ansible/roles/backupng/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: systemd daemon reload
+  systemd:
+    name: backup.timer
+    daemon_reload: true

ansible/roles/backupng/tasks/main.yml

@@ -0,0 +1,114 @@
+- name: Generate user key pair
+  openssh_keypair:
+    path: /etc/ssh/ssh_user_ed25519_key
+    type: ed25519
+    comment: "{{ ansible_fqdn }}"
+  register: user_key
+
+- name: Check whether user certificate exists
+  stat:
+    path: /etc/ssh/ssh_user_ed25519_key-cert.pub
+  register: cert_stat
+
+- name: Generate SSH user certificate
+  command:
+    cmd: "ssh -o ConnectTimeout=3 -o ConnectionAttempts=1 root@atlas.hyp '/root/ssh_ca/ssh_ca.sh user hyp_user \"{{ user_key.public_key }}\" {{ ansible_fqdn }} \"hypervisor\"'"
+  register: user_certificate
+  delegate_to: localhost
+  when: not cert_stat.stat.exists
+
+- name: Place user certificate
+  copy:
+    dest: /etc/ssh/ssh_user_ed25519_key-cert.pub
+    content: "{{ user_certificate.stdout }}"
+    mode: 0644
+  when: not cert_stat.stat.exists
+
+- name: Enable user certificate
+  copy:
+    src: "{{ role_path }}/files/ssh_user_certificate.conf"
+    dest: /etc/ssh/ssh_config.d/user_certificate.conf
+
+- name: Install Borg
+  apt:
+    pkg:
+      - borgbackup
+      - borgmatic
+
+- name: Copy Borgmatic script
+  template:
+    src: "{{ role_path }}/files/backup.yml"
+    dest: /root/backup.yml
+
+- name: Copy start_vms.sh
+  copy:
+    src: "{{ role_path }}/files/start_vms.sh"
+    dest: /root/start_vms.sh
+    mode: preserve
+
+- name: Copy stop_vms.sh
+  copy:
+    src: "{{ role_path }}/files/stop_vms.sh"
+    dest: /root/stop_vms.sh
+    mode: preserve
+
+- name: Copy systemd backup unit
+  copy:
+    src: "{{ role_path }}/files/backup.service"
+    dest: /etc/systemd/system/backup.service
+  notify: systemd daemon reload
+
+- name: Copy systemd backup timer
+  copy:
+    src: "{{ role_path }}/files/backup.timer"
+    dest: /etc/systemd/system/backup.timer
+  notify: systemd daemon reload
+
+- name: Enable backup timer
+  systemd:
+    name: backup.timer
+    enabled: true
+    state: started
+
+- name: Add SSH host CA known host
+  known_hosts:
+    key: '@cert-authority *.dmz ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAX2IhgHNxC6JTvLu9cej+iWuG+uJFMXn4AiRro9533x Host Certficate Authority for DMZ'
+    name: '@cert-authority *.dmz'
+    path: /etc/ssh/ssh_known_hosts
+
+- name: Add SSH host CA known host
+  known_hosts:
+    key: '@cert-authority *.hyp ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFzRkH3d/KVJQouswY/DMpenWbDFVOnI3Vut0xR0e1tb Host Certficate Authority for HYP'
+    name: '@cert-authority *.hyp'
+    path: /etc/ssh/ssh_known_hosts
+
+- name: Generate host key pair
+  openssh_keypair:
+    path: /etc/ssh/ssh_host_ed25519_key
+    type: ed25519
+    comment: "{{ ansible_host }}"
+  register: host_key
+
+- name: Check whether host certificate exists
+  stat:
+    path: /etc/ssh/ssh_host_ed25519_key-cert.pub
+  register: cert_stat
+
+- name: Generate SSH host certificate
+  command:
+    cmd: "ssh -o ConnectTimeout=3 -o ConnectionAttempts=1 root@atlas.hyp '/root/ssh_ca/ssh_ca.sh host hyp_host \"{{ host_key.public_key }}\" {{ ansible_host }}'"
+  register: host_certificate
+  delegate_to: localhost
+  when: not cert_stat.stat.exists
+
+- name: Place host certificate
+  copy:
+    dest: /etc/ssh/ssh_host_ed25519_key-cert.pub
+    content: "{{ host_certificate.stdout }}"
+    mode: 0644
+  when: not cert_stat.stat.exists
+
+- name: Enable host certificate
+  copy:
+    dest: /etc/ssh/sshd_config.d/sshd_host_certificate.conf
+    content: "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub"