Restic on Janik von Rotz https://janikvonrotz.ch/tags/restic/ Recent content in Restic on Janik von Rotz Hugo en Mon, 16 Mar 2020 17:43:01 +0100 Backup Docker volumes with Ansible and restic https://janikvonrotz.ch/2020/03/16/backup-docker-volumes-with-ansible-and-restic/ Mon, 16 Mar 2020 17:43:01 +0100 https://janikvonrotz.ch/2020/03/16/backup-docker-volumes-with-ansible-and-restic/ <p>In a new assignment I&rsquo;m in charge of the infrastructure for a new startup. I was given a blank canvas and decided to use Ansible and Docker from the start. Therefore I&rsquo;ve setup an Ansible project containing various roles and deployment scenarios. Have a look here for details: <a href="https://github.com/Mint-System/Ansible-Playbooks">https://github.com/Mint-System/Ansible-Playbooks</a>. To put it simply, this project deploys open source web application as Docker containers on a target system. Currently, I am adding new features and polishing existing ones. An important role that is still missing is the backup. Having a robust and reliable backup and recovery system is key. While developing the backup system I had a few key points in mind:</p> <ul> <li>Backup Docker volumes</li> <li>Backup location is remote</li> <li>No friction between backup and recovery</li> <li>Backup tool must manage rotation policies</li> <li>Docker host stores backups</li> <li>Support for multiple backup clients and servers</li> <li>Encrypted backups</li> <li>Simple configuration</li> </ul> <h2 id="solution">Solution</h2> <p>In the past I have used <a href="http://duplicity.nongnu.org/">duplicity</a> for my backups. I remember it as quite handy for managing backups, but complicated regarding encryption. While doing more research (aka googling <em>duplicity alternatives</em>), I found <a href="https://restic.net/">restic</a>. It seems restic has become the standard for remote backups. Folks from <a href="https://www.camptocamp.com/">camptocamp</a> use it to backup their kubernetes cluster using the restic based backup tool <a href="https://github.com/camptocamp/bivac">bivac</a>. Obviously, restic has been proven to be a worthy candidate.</p> <h2 id="files">Files</h2> <p>First I want to give you a short intro to the Ansible project. I have isolated the inventory and roles of the restic client and server deployment.</p> <p>These are the relevant Ansible project files:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>. </span></span><span style="display:flex;"><span>├── backup.yml </span></span><span style="display:flex;"><span>├── inventories/ </span></span><span style="display:flex;"><span>│   └── backup/ <span style="color:#75715e"># name of the inventory</span> </span></span><span style="display:flex;"><span>│      ├── group_vars/ </span></span><span style="display:flex;"><span>│      │   ├── all.yml </span></span><span style="display:flex;"><span>│      │   ├── client/ </span></span><span style="display:flex;"><span>│      │   │ ├── vars.yml </span></span><span style="display:flex;"><span>│      │   │ └── vault.yml <span style="color:#75715e"># Use ansible-vault to create this file</span> </span></span><span style="display:flex;"><span>│      │   └── server/ </span></span><span style="display:flex;"><span>│      │   ├── vars.yml </span></span><span style="display:flex;"><span>│      │   └── vault.yml <span style="color:#75715e"># Use ansible-vault to create this file</span> </span></span><span style="display:flex;"><span>│      ├── host_vars/ </span></span><span style="display:flex;"><span>│      │   ├── client.example.com.yml </span></span><span style="display:flex;"><span>│      │   └── server.example.com.yml </span></span><span style="display:flex;"><span>│      └── hosts.yml </span></span><span style="display:flex;"><span>└── roles/ </span></span><span style="display:flex;"><span>    ├── restic-client/ </span></span><span style="display:flex;"><span>    │   └── tasks/ </span></span><span style="display:flex;"><span> │ │ ├── main.yml </span></span><span style="display:flex;"><span>    │   └── install.yml </span></span><span style="display:flex;"><span>    └── restic-server/ </span></span><span style="display:flex;"><span>    └── tasks/ </span></span><span style="display:flex;"><span> ├── main.yml </span></span><span style="display:flex;"><span>    └── main.yml </span></span></code></pre></div><h2 id="inventory">Inventory</h2> <p>Let&rsquo;s have a look at the inventory.</p> <p>The <code>all.yml</code> file contains configs which is applied to all hosts of the backup inventory.</p> <p><strong>inventories/backup/group_vars/all.yml</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yml" data-lang="yml"><span style="display:flex;"><span><span style="color:#f92672">docker_network_name</span>: <span style="color:#ae81ff">example.com</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">docker_log_driver</span>: <span style="color:#e6db74">&#34;json-file&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">docker_log_max_size</span>: <span style="color:#e6db74">&#34;10m&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">docker_log_max_file</span>: <span style="color:#e6db74">&#34;3&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#f92672">ansible_python_interpreter</span>: <span style="color:#ae81ff">/usr/bin/python3</span> </span></span></code></pre></div><p>For every inventory group, in this case client and server, there is a folder and a vars config file.</p> <p><strong>inventories/backup/group_vars/client/vars.yml</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yml" data-lang="yml"><span style="display:flex;"><span><span style="color:#f92672">restic_client_package</span>: <span style="color:#e6db74">&#34;restic=0.8.3+ds-1&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">restic_client_user</span>: <span style="color:#ae81ff">admin</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">restic_client_password</span>: <span style="color:#e6db74">&#34;{{ vault_restic_client_password }}&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">restic_repo</span>: <span style="color:#ae81ff">server.example.com:8080/backup</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">restic_repo_password</span>: <span style="color:#e6db74">&#34;{{ vault_restic_repo_password }}&#34;</span> </span></span></code></pre></div><p>Every variable that is prefixed with <em>vault_</em> is defined in the <code>vault.yml</code> file.</p> <p><strong>inventories/backup/group_vars/server/vars.yml</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yml" data-lang="yml"><span style="display:flex;"><span><span style="color:#75715e"># https://hub.docker.com/r/restic/rest-server</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">restic_server_image</span>: <span style="color:#ae81ff">restic/rest-server:0.9.7</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">restic_server_user</span>: <span style="color:#ae81ff">admin</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">restic_server_password</span>: <span style="color:#e6db74">&#34;{{ vault_restic_server_password }}&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">restic_server_port</span>: <span style="color:#ae81ff">8080</span> </span></span></code></pre></div><p>For host specific configurations there is a file in the <code>host_vars</code> folder.</p> <p><strong>inventories/backup/host_vars/client.example.com.yml</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yml" data-lang="yml"><span style="display:flex;"><span><span style="color:#f92672">restic_backup_sets</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">id</span>: <span style="color:#e6db74">&#34;odoo volume&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">type</span>: <span style="color:#ae81ff">docker-volume</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">volume</span>: <span style="color:#ae81ff">odoo_data01</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">tags</span>: </span></span><span style="display:flex;"><span> - <span style="color:#ae81ff">odoo01</span> </span></span><span style="display:flex;"><span> - <span style="color:#ae81ff">postgres01</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">hour</span>: <span style="color:#e6db74">&#34;1&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">minute</span>: <span style="color:#e6db74">&#34;0&#34;</span> </span></span><span style="display:flex;"><span> - <span style="color:#ae81ff">id:-&#34;postgres-volume&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">type</span>: <span style="color:#ae81ff">docker-volume</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">volume</span>: <span style="color:#ae81ff">postgres_data01</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">tags</span>: </span></span><span style="display:flex;"><span> - <span style="color:#ae81ff">odoo01</span> </span></span><span style="display:flex;"><span> - <span style="color:#ae81ff">postgres01</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">hour</span>: <span style="color:#e6db74">&#34;1&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">minute</span>: <span style="color:#e6db74">&#34;0&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">restic_backup_rotation</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">daily</span>: <span style="color:#ae81ff">7</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">weekly</span>: <span style="color:#ae81ff">4</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">monthly</span>: <span style="color:#ae81ff">1</span> </span></span></code></pre></div><p>Each client has a set of backup jobs.</p> <p><strong>inventories/backup/host_vars/server.example.com.yml</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yml" data-lang="yml"><span style="display:flex;"><span><span style="color:#f92672">restic_server_hostname</span>: <span style="color:#ae81ff">restic01</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">restic_server_backup_dir</span>: <span style="color:#ae81ff">/path/to/mount</span> </span></span></code></pre></div><p>The server mounts the backupfolder via bind mount.</p> <h2 id="roles">Roles</h2> <p>Next we will have a look at the Ansible roles.</p> <h3 id="restic-server">Restic server</h3> <p>The restic server receives and stores backup files.</p> <p><strong>roles/restic-server/tasks/main.yml</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yml" data-lang="yml"><span style="display:flex;"><span>- <span style="color:#f92672">name</span>: <span style="color:#ae81ff">Include install tasks</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">include_tasks</span>: <span style="color:#ae81ff">install.yml</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">when</span>: <span style="color:#ae81ff">restic_server_image is defined</span> </span></span></code></pre></div><p>If a restic server docker image is defined, the install tasks are included.</p> <p><strong>roles/restic-server/tasks/install.yml</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yml" data-lang="yml"><span style="display:flex;"><span>- <span style="color:#f92672">name</span>: <span style="color:#ae81ff">Install htpasswd module</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">apt</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">name</span>: <span style="color:#ae81ff">python3-passlib</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">state</span>: <span style="color:#ae81ff">latest</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>- <span style="color:#f92672">name</span>: <span style="color:#ae81ff">Configure user access for restic server</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">htpasswd</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">path</span>: <span style="color:#e6db74">&#34;{{ restic_server_backup_dir }}/.htpasswd&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">name</span>: <span style="color:#e6db74">&#34;{{ restic_server_user }}&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">crypt_scheme</span>: <span style="color:#ae81ff">ldap_sha1</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">password</span>: <span style="color:#e6db74">&#34;{{ restic_server_password }}&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>- <span style="color:#f92672">name</span>: <span style="color:#ae81ff">Start restic server container</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">docker_container</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">name</span>: <span style="color:#e6db74">&#34;{{ restic_server_hostname }}&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">image</span>: <span style="color:#e6db74">&#34;{{ restic_server_image }}&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">volumes</span>: </span></span><span style="display:flex;"><span> - <span style="color:#e6db74">&#34;{{ restic_server_backup_dir }}:/data&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">ports</span>: </span></span><span style="display:flex;"><span> - <span style="color:#e6db74">&#34;{{ restic_server_port }}:8000&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">networks</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">name</span>: <span style="color:#e6db74">&#34;{{ docker_network_name }}&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">log_driver</span>: <span style="color:#e6db74">&#34;{{ docker_log_driver }}&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">log_options</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">max-size</span>: <span style="color:#e6db74">&#34;{{ docker_log_max_size }}&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">max-file</span>: <span style="color:#e6db74">&#34;{{ docker_log_max_file }}&#34;</span> </span></span></code></pre></div><p>The install tasks creates a <code>.htpasswd</code> file in the mounted directory and then starts a restic server container with configurations applied from the inventory.</p> <p>As you can see the http communication is not encrypted. However, this is not a problem as restic encrypts its payload.</p> <h3 id="restic-client">Restic client</h3> <p>The restic client runs backups and uses the server as storage.</p> <p><strong>roles/restic-client/tasks/main.yml</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yml" data-lang="yml"><span style="display:flex;"><span>- <span style="color:#f92672">name</span>: <span style="color:#ae81ff">Include install tasks</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">include_tasks</span>: <span style="color:#ae81ff">install.yml</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">when</span>: <span style="color:#ae81ff">restic_client_package is defined</span> </span></span></code></pre></div><p>Now comes the most interesting part. The <code>install.yml</code> of the restic client does a few things:</p> <ul> <li>Install the restic package</li> <li>Check if backup repo has been initialized and if not does so</li> <li>Ensure the repo url and password are set as global environment variables</li> <li>Register the backup jobs</li> <li>Register the backup rotation job</li> </ul> <p><strong>roles/restic-client/tasks/install.yml</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yml" data-lang="yml"><span style="display:flex;"><span>- <span style="color:#f92672">name</span>: <span style="color:#ae81ff">Install restic</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">apt</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">name</span>: <span style="color:#e6db74">&#34;{{ restic_client_package }}&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>- <span style="color:#f92672">name</span>: <span style="color:#ae81ff">Check if repo is initialized</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">shell</span>: <span style="color:#ae81ff">restic snapshots</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">environment</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">RESTIC_PASSWORD</span>: <span style="color:#e6db74">&#34;{{ restic_repo_password }}&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">RESTIC_REPOSITORY</span>: <span style="color:#e6db74">&#34;rest:http://{{ restic_client_user }}:{{ restic_client_password }}@{{ restic_repo }}&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">ignore_errors</span>: <span style="color:#66d9ef">yes</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">changed_when</span>: <span style="color:#66d9ef">false</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">register</span>: <span style="color:#ae81ff">repo_initalized</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>- <span style="color:#f92672">name</span>: <span style="color:#ae81ff">Init restic repository</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">shell</span>: <span style="color:#ae81ff">restic init</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">environment</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">RESTIC_PASSWORD</span>: <span style="color:#e6db74">&#34;{{ restic_repo_password }}&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">RESTIC_REPOSITORY</span>: <span style="color:#e6db74">&#34;rest:http://{{ restic_client_user }}:{{ restic_client_password }}@{{ restic_repo }}&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">when</span>: <span style="color:#ae81ff">repo_initalized.failed</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>- <span style="color:#f92672">name</span>: <span style="color:#ae81ff">Ensure restic environment vars exists</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">lineinfile</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">dest</span>: <span style="color:#e6db74">&#34;/etc/environment&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">state</span>: <span style="color:#ae81ff">present</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">regexp</span>: <span style="color:#e6db74">&#34;^{{ item.key }}=&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">line</span>: <span style="color:#e6db74">&#34;{{ item.key }}={{ item.value}}&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">loop</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">key</span>: <span style="color:#ae81ff">RESTIC_PASSWORD</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">value</span>: <span style="color:#e6db74">&#34;{{ restic_repo_password }}&#34;</span> </span></span><span style="display:flex;"><span> - <span style="color:#f92672">key</span>: <span style="color:#ae81ff">RESTIC_REPOSITORY</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">value</span>: <span style="color:#e6db74">&#34;rest:http://{{ restic_client_user }}:{{ restic_client_password }}@{{ restic_repo }}&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>- <span style="color:#f92672">name</span>: <span style="color:#ae81ff">Register docker volume backup jobs</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">cron</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">name</span>: <span style="color:#e6db74">&#34;Backup job {{ item.id }}&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">hour</span>: <span style="color:#e6db74">&#34;{{ item.hour }}&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">minute</span>: <span style="color:#e6db74">&#34;{{ item.minute }}&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">job</span>: <span style="color:#e6db74">&#34;. /etc/environment; restic backup /var/lib/docker/volumes/{{ item.volume }}/_data/ --tag {{ item.tags | join(&#39; --tag &#39;)}}&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">loop</span>: <span style="color:#e6db74">&#34;{{ restic_backup_sets }}&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">when</span>: <span style="color:#ae81ff">item.type == &#34;docker-volume&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>- <span style="color:#f92672">name</span>: <span style="color:#ae81ff">Register backup rotation job</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">cron</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">name</span>: <span style="color:#e6db74">&#34;Backup rotation job&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">hour</span>: <span style="color:#e6db74">&#34;23&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">minute</span>: <span style="color:#e6db74">&#34;0&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">job</span>: <span style="color:#e6db74">&#34;. /etc/environment; restic forget --keep-daily {{ restic_backup_rotation.daily }} --keep-weekly {{ restic_backup_rotation.weekly }} --keep-monthly {{ restic_backup_rotation.monthly }} --prune&#34;</span> </span></span></code></pre></div><p>For every item in the <code>restic_backup_sets</code> var a cron job is configured. The <code>item.type</code> property allows you to define and select more backup types.</p> <h2 id="deployment">Deployment</h2> <p>This is the final section. I will show you how to deploy the roles.</p> <h3 id="playbook">Playbook</h3> <p>First we need an Ansible playbook.</p> <p><strong>backup.yml</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yml" data-lang="yml"><span style="display:flex;"><span>- <span style="color:#f92672">hosts</span>: <span style="color:#ae81ff">all</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">become</span>: <span style="color:#66d9ef">true</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">roles</span>: </span></span><span style="display:flex;"><span> - <span style="color:#f92672">role</span>: <span style="color:#ae81ff">restic-server</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">tags</span>: <span style="color:#ae81ff">restic-server</span> </span></span><span style="display:flex;"><span> - <span style="color:#f92672">role</span>: <span style="color:#ae81ff">restic-client</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">tags</span>: <span style="color:#ae81ff">restic-client</span> </span></span></code></pre></div><p>This playbook includes the role. Note that we deploy as root on the target machine.</p> <h3 id="installation">Installation</h3> <p>If everything has been configured properly, we can install the server:</p> <p><code>ansible-playbook -i inventories/backup backup.yml -l server.example.com</code></p> <p>And the client:</p> <p><code>ansible-playbook -i inventories/backup backup.yml -l client.example.com</code></p> <p>Here is an example output of the client installation:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>MacBuechLuft:ansible-playbooks janikvonrotz$ ansible-playbook -i inventories/backup backup.yml -t restic-client </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>PLAY <span style="color:#f92672">[</span>all<span style="color:#f92672">]</span> *********************************************************************************************************************************************************************************************************************************** </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>TASK <span style="color:#f92672">[</span>Gathering Facts<span style="color:#f92672">]</span> *********************************************************************************************************************************************************************************************************************** </span></span><span style="display:flex;"><span>ok: <span style="color:#f92672">[</span>server.example.com<span style="color:#f92672">]</span> </span></span><span style="display:flex;"><span>ok: <span style="color:#f92672">[</span>client.example.com<span style="color:#f92672">]</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>TASK <span style="color:#f92672">[</span>restic-client : Include install tasks<span style="color:#f92672">]</span> ************************************************************************************************************************************************************************************************* </span></span><span style="display:flex;"><span>skipping: <span style="color:#f92672">[</span>server.example.com<span style="color:#f92672">]</span> </span></span><span style="display:flex;"><span>included: /Users/janikvonrotz/ansible-playbooks/roles/restic-client/tasks/install.yml <span style="color:#66d9ef">for</span> client.example.com </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>TASK <span style="color:#f92672">[</span>restic-client : Install restic<span style="color:#f92672">]</span> ******************************************************************************************************************************************************************************************************** </span></span><span style="display:flex;"><span>ok: <span style="color:#f92672">[</span>client.example.com<span style="color:#f92672">]</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>TASK <span style="color:#f92672">[</span>restic-client : Check <span style="color:#66d9ef">if</span> repo is initialized<span style="color:#f92672">]</span> ****************************************************************************************************************************************************************************************** </span></span><span style="display:flex;"><span>ok: <span style="color:#f92672">[</span>client.example.com<span style="color:#f92672">]</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>TASK <span style="color:#f92672">[</span>restic-client : Init restic repository<span style="color:#f92672">]</span> ************************************************************************************************************************************************************************************************ </span></span><span style="display:flex;"><span>skipping: <span style="color:#f92672">[</span>client.example.com<span style="color:#f92672">]</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>TASK <span style="color:#f92672">[</span>restic-client : Ensure restic environment vars exists<span style="color:#f92672">]</span> ********************************************************************************************************************************************************************************* </span></span><span style="display:flex;"><span>ok: <span style="color:#f92672">[</span>client.example.com<span style="color:#f92672">]</span> <span style="color:#f92672">=</span>&gt; <span style="color:#f92672">(</span>item<span style="color:#f92672">={</span><span style="color:#e6db74">&#39;key&#39;</span>: <span style="color:#e6db74">&#39;RESTIC_PASSWORD&#39;</span>, <span style="color:#e6db74">&#39;value&#39;</span>: <span style="color:#e6db74">&#39;********&#39;</span><span style="color:#f92672">})</span> </span></span><span style="display:flex;"><span>ok: <span style="color:#f92672">[</span>client.example.com<span style="color:#f92672">]</span> <span style="color:#f92672">=</span>&gt; <span style="color:#f92672">(</span>item<span style="color:#f92672">={</span><span style="color:#e6db74">&#39;key&#39;</span>: <span style="color:#e6db74">&#39;RESTIC_REPOSITORY&#39;</span>, <span style="color:#e6db74">&#39;value&#39;</span>: <span style="color:#e6db74">&#39;rest:http://admin:&#39;</span>********<span style="color:#e6db74">&#39;})@server.example.com:8080/backup&#39;</span><span style="color:#f92672">})</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>TASK <span style="color:#f92672">[</span>restic-client : Register docker volume backup jobs<span style="color:#f92672">]</span> ************************************************************************************************************************************************************************************ </span></span><span style="display:flex;"><span>ok: <span style="color:#f92672">[</span>client.example.com<span style="color:#f92672">]</span> <span style="color:#f92672">=</span>&gt; <span style="color:#f92672">(</span>item<span style="color:#f92672">={</span><span style="color:#e6db74">&#39;id&#39;</span>: <span style="color:#e6db74">&#39;odoo volume&#39;</span>, <span style="color:#e6db74">&#39;type&#39;</span>: <span style="color:#e6db74">&#39;docker-volume&#39;</span>, <span style="color:#e6db74">&#39;volume&#39;</span>: <span style="color:#e6db74">&#39;odoo_data01&#39;</span>, <span style="color:#e6db74">&#39;tags&#39;</span>: <span style="color:#f92672">[</span><span style="color:#e6db74">&#39;odoo&#39;</span>, <span style="color:#e6db74">&#39;odoo02&#39;</span>, <span style="color:#e6db74">&#39;postgres03&#39;</span><span style="color:#f92672">]</span>, <span style="color:#e6db74">&#39;hour&#39;</span>: <span style="color:#e6db74">&#39;1&#39;</span>, <span style="color:#e6db74">&#39;minute&#39;</span>: <span style="color:#e6db74">&#39;0&#39;</span><span style="color:#f92672">})</span> </span></span><span style="display:flex;"><span>ok: <span style="color:#f92672">[</span>client.example.com<span style="color:#f92672">]</span> <span style="color:#f92672">=</span>&gt; <span style="color:#f92672">(</span>item<span style="color:#f92672">={</span><span style="color:#e6db74">&#39;id&#39;</span>: <span style="color:#e6db74">&#39;postgres volume&#39;</span>, <span style="color:#e6db74">&#39;type&#39;</span>: <span style="color:#e6db74">&#39;docker-volume&#39;</span>, <span style="color:#e6db74">&#39;volume&#39;</span>: <span style="color:#e6db74">&#39;postgres_data01&#39;</span>, <span style="color:#e6db74">&#39;tags&#39;</span>: <span style="color:#f92672">[</span><span style="color:#e6db74">&#39;postgres&#39;</span>, <span style="color:#e6db74">&#39;odoo02&#39;</span>, <span style="color:#e6db74">&#39;postgres03&#39;</span><span style="color:#f92672">]</span>, <span style="color:#e6db74">&#39;hour&#39;</span>: <span style="color:#e6db74">&#39;1&#39;</span>, <span style="color:#e6db74">&#39;minute&#39;</span>: <span style="color:#e6db74">&#39;0&#39;</span><span style="color:#f92672">})</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>TASK <span style="color:#f92672">[</span>restic-client : Register backup rotation job<span style="color:#f92672">]</span> ****************************************************************************************************************************************************************************************** </span></span><span style="display:flex;"><span>ok: <span style="color:#f92672">[</span>client.example.com<span style="color:#f92672">]</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>PLAY RECAP *********************************************************************************************************************************************************************************************************************************** </span></span><span style="display:flex;"><span>client.example.com : ok<span style="color:#f92672">=</span><span style="color:#ae81ff">7</span> changed<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> unreachable<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> failed<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> skipped<span style="color:#f92672">=</span><span style="color:#ae81ff">1</span> rescued<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> ignored<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> </span></span><span style="display:flex;"><span>server.example.com : ok<span style="color:#f92672">=</span><span style="color:#ae81ff">1</span> changed<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> unreachable<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> failed<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> skipped<span style="color:#f92672">=</span><span style="color:#ae81ff">1</span> rescued<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> ignored<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span> </span></span></code></pre></div><p>Note that the passwords are not hidden in your output. They might end up on a log aggregation server.</p> <h3 id="manual-backups">Manual backups</h3> <p>Remember that we installed the restic package on the target host and defined two important environment variables on the global scope? This helps managing backups without looking up any secrets.</p> <p>I can easily browse and if necessary restore backups with personal user.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>MacBuechLuft:~ janikvonrotz$ ssh client.example.com </span></span><span style="display:flex;"><span>janikvonrotz@hades:~$ restic snapshots </span></span><span style="display:flex;"><span>password is correct </span></span><span style="display:flex;"><span>ID Date Host Tags Directory </span></span><span style="display:flex;"><span>---------------------------------------------------------------------- </span></span><span style="display:flex;"><span>a8f86bf6 2020-03-23 14:07:02 hades odoo01 ┌── /var/lib/docker/volumes/odoo_data01/_data </span></span><span style="display:flex;"><span> postgres01 └── </span></span><span style="display:flex;"><span>c0686e66 2020-03-23 14:07:02 hades odoo01 ┌── /var/lib/docker/volumes/postgres_data01/_data </span></span><span style="display:flex;"><span> postgres01 └── </span></span><span style="display:flex;"><span>---------------------------------------------------------------------- </span></span><span style="display:flex;"><span><span style="color:#ae81ff">2</span> snapshots </span></span></code></pre></div><p>Cool isn&rsquo;t it? If you have any feedback, let me know? In the near future I will add new backup types and share them in the referenced GitHub repo.</p>