The restic ansible role automatically installs the restic application and configures a systemd service with a systemd timer to allow backups to run on a schedule. Currently only sftp is supported, but this could probably easily be modified to accomodate other protocols.
Role tasks:
- download and install restic
- create a service acccount and primary group
- create a systemd service and systemd timer
- create any required directories
- specify a list to exclude by default from backups (i.e.
/proc,/dev, etc.) - specify a list of directories to ibackup
- start the systemd timer
Name of the restic package for your distro.
Type: string
Default: restic
Required: true
Service account name that will be used to run the restic service.
Type: string
Default: svc-restic
Required: true
Primary group of the service account that will be used to run the restic service.
Type: string
Default: svc-restic
Required: true
The desired systemd timer schedule. See https://silentlad.com/systemd-timers-oncalendar-(cron)-format-explained for a quick explanation with examples.
Type: string
Default: *-*-* 0:00:00 (midnight every night)
Required: true
The desired home directory for the service account that will be used to run the restic service.
Type: string
Default: /home/{{ restic_service_account_name }}
Required: true
The name of the desired systemd service instance name for restic. For example, [email protected] where work is the instance name, which would backup all the files and folders used for my job. The default is to backup the whole system; see includes.files.
Type: string
Default: whole-system-backup
Required: true
The key id of the password to access the restic vault. See https://restic.readthedocs.io/en/stable/070_encryption.html for more details.
Type: string
Default: null
Required: true
The full path to the repo on the remote server. For example, /home/username/backups/project.
Type: string
Default: null
Required: true
Username used to connect to the remote server via SSH where the restic repo is stored.
Type: string
Default: null
Required: true
FQDN of the remote server where the restic repo is stored.
Type: string
Default: null
Required: true
List of file/folder paths that will be excluded from backup.
Type: list
Default:
- /dev
- /proc
- /sys
- /tmp
- /run
- /mnt
- /media
- /lost+found
- /swapfile
- /cdrom
- /rootRequired: true
List of file/folder paths that will be backed up.
Type: list
Default:
- /Required: true
Enable desktop notifications for if/when the service fails for whatever reason. Due to the limitations of the system process being able to interact with the user space and display a notification, this had to be setup as a new service ([email protected]) and accompanying timer. This new service is running within the user space, allowing desktop notifications to work properly. This optional but highly recommended. Without this, how will you know if your backups are working or not without manually verifying?
Type: bool
Default: false
Required: false
# playbook/group_vars/all.yml
restic_key_id: 5c657874
ssh_username: admin
restic_repo_path: /home/{{ ssh_username }}/backups/project_name
ssh_server_fqdn: server.host.xlocal
systemd_instance_name: whole-system-backup
enable_desktop_notifications: true # optional, but highly recommended.
# playbook/site.yml
- hosts: all
roles:
- { role: restic, tags: restic, become: true}- An SSH private is required to allow you to connect to
ssh_server_fqdn. Place it in{{ restic_service_account_home }}/.ssh/. - Make sure the permissions are correct on the private key.
- You will need to add a
known_hostsfile to{{ restic_service_account_home }}/.ssh/in order to trust the remote server's host key.
The password for your repo needs to be saved to {{ restic_service_account_home }}/{{ systemd_instance_name }}/{{ restic_key_id }}. This file was created automatically with the correct permissions and just needs to be modified to include the repo password that matches the specified key id.
You can check if the systemd timer is active by running systemctl list-timers.
This was inspired by the work of @tdemin who created a rather thorough blog post detailing the steps to create the systemd service and timer for restic. I used the steps he shared, converted it to an ansible module and added a few modifications of my own. Thank you Timur!
Additionally, credit goes to @papanito whose blog post (https://wyssmann.com/blog/2021/07/notifications-for-failing-systemd-services/) led me to a script he created, which I used and modified slightly to help me create my own convoluded desktop notification process.
I'd like to also thank the folks over at SmallStep for publishing a neat systemd service file, containing all the config required to properly harden a service.
Have an idea or feature you'd like to implement? Submit a PR or file an issue! 🙂