Integrate restic backup system

roles/lander/files/lander.backup.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+data_dir='/mnt/data1/lander'
+snapshot_dir="${data_dir}.snapshot"
+
+# Read-only snapshot for atomic backup
+btrfs subvolume snapshot -r "$data_dir" "$snapshot_dir" || exit $?
+
+restic backup "$snapshot_dir"
+
+# Always remove snapshot subvolume, even if restic fails
+btrfs subvolume delete "$snapshot_dir"

roles/lander/tasks/main.yml

@@ -23,7 +23,12 @@
     system: true
     create_home: false
 
-- name: Ensure data directory is present
+# Only one BTRFS file system should be mounted, so this will match that one
+- name: Ensure data subvolume is present
+  community.general.btrfs_subvolume:
+    name: '/lander'
+
+- name: Ensure data subvolume permissions are correct
   ansible.builtin.file:
     path: '/mnt/data1/lander'
     state: directory
@@ -48,6 +53,14 @@
     mode: '0644'
   notify: lander-restart
 
+- name: Ensure backup script is present
+  ansible.builtin.copy:
+    src: 'lander.backup.sh'
+    dest: '/etc/backups/lander.backup.sh'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+
 - name: Ensure service file is present
   ansible.builtin.copy:
     src: 'lander.service'

roles/restic-rest/tasks/main.yml

@@ -40,7 +40,11 @@
     system: true
     create_home: false
 
-- name: Ensure data directory is present
+- name: Ensure data subvolume is present
+  community.general.btrfs_subvolume:
+    name: '/restic-rest'
+
+- name: Ensure data subvolume permissions are correct
   ansible.builtin.file:
     path: '/mnt/data1/restic-rest'
     state: directory

roles/restic/files/restic_backups_passwd

@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+33666438313237356564363136333933633035303531653464643766373434623834663736386463
+3464643731366237633334616536613864396162353264360a316130333032316437393333396466
+34356638393834316235633062646330336438376135346666663064303831666632353834663465
+6636663930356138640a323433613263393939303833616637336436366630386133386338613736
+34353433643539306238663638656539373731616238656635353561356632366332623532396465
+3936373534643966616131616161633234663430633233653435

roles/restic/tasks/main.yml

@@ -25,3 +25,32 @@
     group: 'root'
     mode: '0755'
   when: 'res.changed'
+
+- name: Ensure backup scripts directory is present
+  ansible.builtin.file:
+    path: '/etc/backups'
+    state: directory
+    mode: '0755'
+
+- name: Ensure Restic backups password file is present
+  ansible.builtin.copy:
+    src: 'restic_backups_passwd'
+    dest: '/etc/backups/restic_backups_passwd'
+    owner: root
+    group: root
+    mode: '0600'
+
+- name: Ensure backup-all script is present
+  ansible.builtin.template:
+    src: "backup-all.sh.j2"
+    dest: '/etc/backups/backup-all.sh'
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Ensure backup cronjob is enabled
+  ansible.builtin.cron:
+    name: 'Perform nightly backups'
+    minute: '0'
+    hour: '2'
+    job: 'bash /etc/backups/backup-all.sh'

roles/restic/templates/backup-all.sh.j2

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+# This script sequentially executes all shell scripts matching
+# /etc/backups/*.backup.sh, with environment variables configured to publish
+# backups to the local Restic REST server.
+
+# Get passed along to subcalls to bash
+export RESTIC_REPOSITORY='rest:http://{{ groups['nas'][0] }}:8000/backups'
+export RESTIC_PASSWORD_FILE='/etc/backups/restic_backups_passwd'
+
+for script in $(find /etc/backups -name '*.backup.sh'); do
+    bash "$script"
+done
+
+# Prune older backups
+restic forget --keep-last 7 && \
+    restic prune