init

ansible/roles/restic/defaults/main.yml

@@ -0,0 +1,8 @@
+---
+s3_endpoint: "https://a1ccf35724deda4d054913d2891e80a0.eu.r2.cloudflarestorage.com"
+s3_bucket: backups
+password: "{{ vault_restic_password }}"
+s3_access_key_id: "{{ vault_s3_access_key_id }}"
+s3_secret_access_key: "{{ vault_s3_secret_access_key }}"
+staging_dir: /var/backups
+backup_schedule: "Mon *-*-1,15 02:00:00"

ansible/roles/restic/meta/main.yml

@@ -0,0 +1,2 @@
+---
+dependencies: []

ansible/roles/restic/tasks/install-restic.yml

@@ -0,0 +1,57 @@
+---
+-
+    name: Install restic
+    apt:
+        name: restic
+        state: present
+        update_cache: yes
+
+-
+    name: Initialize restic S3 repository
+    command: restic init --repo s3:{{ s3_endpoint }}/{{ s3_bucket }}/{{ host_id }}
+    environment:
+        RESTIC_PASSWORD: "{{ password }}"
+        AWS_ACCESS_KEY_ID: "{{ s3_access_key_id }}"
+        AWS_SECRET_ACCESS_KEY: "{{ s3_secret_access_key }}"
+    register: restic_init
+    changed_when: restic_init.rc == 0
+    failed_when: restic_init.rc != 0 and 'already initialized' not in restic_init.stderr
+    no_log: true
+
+-
+    name: Create pre-backup scripts directory
+    file:
+        path: /etc/restic/pre-backup.d
+        state: directory
+        mode: "0755"
+
+-
+    name: Deploy backup script
+    template:
+        src: restic-backup.sh.j2
+        dest: /usr/local/bin/restic-backup.sh
+        mode: "0700"
+
+-
+    name: Deploy backup systemd service
+    template:
+        src: restic-backup.service.j2
+        dest: /etc/systemd/system/restic-backup.service
+
+-
+    name: Deploy backup systemd timer
+    template:
+        src: restic-backup.timer.j2
+        dest: /etc/systemd/system/restic-backup.timer
+
+-
+    name: Reload systemd
+    systemd:
+        daemon_reload: yes
+
+-
+    name: Enable backup timer
+    systemd:
+        name: restic-backup.timer
+        enabled: yes
+        state: started

ansible/roles/restic/tasks/main.yml

@@ -0,0 +1,4 @@
+---
+-
+    name: Install and configure restic
+    ansible.builtin.include_tasks: install-restic.yml

ansible/roles/restic/tasks/restore-restic.yml

@@ -0,0 +1,20 @@
+---
+-
+    name: Install restic
+    apt:
+        name: restic
+        state: present
+        update_cache: yes
+
+-
+    name: Restore latest snapshot from S3
+    command: >
+        restic restore latest
+        --repo s3:{{ s3_endpoint }}/{{ s3_bucket }}/{{ host_id }}
+        --target /
+        {{ '--include ' + restore_include if restore_include is defined else '' }}
+    environment:
+        RESTIC_PASSWORD: "{{ password }}"
+        AWS_ACCESS_KEY_ID: "{{ s3_access_key_id }}"
+        AWS_SECRET_ACCESS_KEY: "{{ s3_secret_access_key }}"
+    no_log: true

ansible/roles/restic/templates/restic-backup.service.j2

@@ -0,0 +1,9 @@
+[Unit]
+Description=Restic backup
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+Environment=HOME=/root
+ExecStart=/usr/local/bin/restic-backup.sh

ansible/roles/restic/templates/restic-backup.sh.j2

@@ -0,0 +1,22 @@
+#!/bin/bash
+set -euo pipefail
+
+STAGING_DIR="{{ staging_dir }}"
+RESTIC_REPO="s3:{{ s3_endpoint }}/{{ s3_bucket }}/{{ host_id }}"
+export RESTIC_PASSWORD="{{ password }}"
+export AWS_ACCESS_KEY_ID="{{ s3_access_key_id }}"
+export AWS_SECRET_ACCESS_KEY="{{ s3_secret_access_key }}"
+
+echo "$(date -Iseconds) Running pre-backup scripts..."
+if [ -d /etc/restic/pre-backup.d ]; then
+    for script in /etc/restic/pre-backup.d/*.sh; do
+        [ -x "$script" ] || continue
+        echo "  Running $script"
+        "$script"
+    done
+fi
+
+echo "$(date -Iseconds) Creating restic snapshot..."
+restic backup --repo "$RESTIC_REPO" "$STAGING_DIR"
+
+echo "$(date -Iseconds) Backup complete."

ansible/roles/restic/templates/restic-backup.timer.j2

@@ -0,0 +1,10 @@
+[Unit]
+Description=Restic backup timer
+
+[Timer]
+OnCalendar={{ backup_schedule }}
+Persistent=true
+RandomizedDelaySec=1h
+
+[Install]
+WantedBy=timers.target