Ansible Role duplicity
This role configures daily file-based backups using duplicity. Currently, this role is focused on using OpenStack Object Storage ("Swift") as the storage backend.
Note that this role does not support running with --check, as it first creates a GPG-Key which is required for the rest of the role.
Runs on
RHEL 7 (and compatible)
RHEL 8 (and compatible)
RHEL 9 (and compatible)
Fedora 35
duba (Duplicity Backup)
The role comes with the special Python wrapper script duba for duplicity, implemented by Linuxfabrik. The script currently does a massively parallel backup to a Swift storage backend with duplicity, where the number of duplicity processes is min(processor count, 6) + 1. The script's configuration file is located at /etc/duba/duba.json.
To start a backup, simply call duba (or duba --config=/etc/duba/duba.json --command=backup). Have a look at duba --help for details.
Mandatory Requirements
On RHEL-compatible systems, enable the EPEL repository. This can be done using the linuxfabrik.lfops.repo_epel role.
Install duplicity, python-swiftclient and python-keystoneclient into a Python 3 virtual environment in /opt/python-venv/duplicity. This can be done using the linuxfabrik.lfops.python_venv role.
Attention
Make sure the virtual environment is not writable by other users to prevent privilege escalation. This is also done by the linuxfabrik.lfops.python_venv role.
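One way to verify this on a host, as an added example that is not part of the role or of duba: the script walks the virtual environment and reports every entry that is group- or world-writable or not owned by a trusted UID. The function name find_unsafe_paths and the assumption that the venv is owned by root (UID 0) are illustrative; POSIX ACLs are not evaluated.

```python
#!/usr/bin/env python3
"""Audit a Python virtual environment for paths that other users can modify."""
import os
import stat
import sys

VENV = "/opt/python-venv/duplicity"  # venv path named in this README


def find_unsafe_paths(root, trusted_uids=(0,)):
    """Return (path, reason) tuples for entries another user could tamper with.

    Assumption: the venv should be owned by root, hence trusted_uids=(0,).
    """
    findings = []

    def check(path):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            return  # link mode bits are meaningless; the containing dir is checked
        if st.st_uid not in trusted_uids:
            findings.append((path, "owned by uid %d" % st.st_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((path, "mode " + stat.filemode(st.st_mode)))

    check(root)
    # os.walk does not descend into symlinked directories by default.
    for dirpath, dirnames, filenames in os.walk(root):
        for name in sorted(dirnames + filenames):
            check(os.path.join(dirpath, name))
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else VENV
    if not os.path.isdir(target):
        sys.exit("not a directory: " + target)
    problems = find_unsafe_paths(target)
    for path, reason in problems:
        print("UNSAFE %s (%s)" % (path, reason))
    sys.exit(1 if problems else 0)
```

A non-zero exit status means at least one path needs its ownership or mode corrected before the backup timer is enabled.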
Optional Requirements
Create a symbolic link from /opt/python-venv/duplicity/bin/duplicity to /usr/local/bin/duplicity for easier usage on the command line.
Either configure journald to persist your logs and do the rotating, or use logrotate.
Mandatory Role Variables
| Variable | Description |
| --- | --- |
|  | The ASCII-armored public master GPG key. Obtain it using |
|  | The long key ID of the master GPG key. Obtain it using |
|  | The Swift username and password. Usually, this is given by the provider of the Swift Storage. Subkeys: |
Example:
# mandatory
duplicity__gpg_encrypt_master_key_block: |-
  -----BEGIN PGP PUBLIC KEY BLOCK-----
  6ec3d2aed2a54122817ca02b43a7e340kgKEdlbmVyYXRlZCBieSBBbnNpYmxlLi
  ...
  -----END PGP PUBLIC KEY BLOCK-----
duplicity__gpg_encrypt_master_key: 'LLZGH2BITI2LRLJCLFWEAJQ93N6MWTKBARQDMYX5'
duplicity__swift_login:
  username: 'SBI-MF827483'
  password: 'linuxfabrik'
Optional Role Variables
| Variable | Description | Default Value |
| --- | --- | --- |
|  | The Swift container. This can be used to separate backups on the destination. By default, this will be used in |  |
|  | The backup destination. This will be used in combination with the backup source path to create the target URL for |  |
|  | After how long a full backup instead of an incremental one should be done. Time Formats: |  |
|  | The retention time of the backups. Time Formats: |  |
|  | List of dictionaries with directories to back up. Subkeys: |  |
|  | List of global exclude shell patterns for |  |
|  | Set the loglevel. Possible options: * error |  |
|  | Number. Log files are rotated |  |
|  | A shorthand to set the hour of |  |
|  | The |  |
|  | The Authentication URL for Swift. Usually, this is given by the provider of the Swift Storage. |  |
|  | The Authentication Version for Swift. Usually, this is given by the provider of the Swift Storage. |  |
|  | The Swift Tenantname. Usually, this is given by the provider of the Swift Storage. |  |
|  | The state of the daily systemd timer. |  |
Example:
# optional
duplicity__backup_dest: 'swift://{{ duplicity__backup_dest_container | regex_replace("/$", "") }}'
duplicity__backup_dest_container: '{{ ansible_nodename }}'
duplicity__backup_full_if_older_than: '30D'
duplicity__backup_retention_time: '30D'
duplicity__excludes:
  - '**/*.git*'
  - '**/*.svn*'
  - '**/*.temp'
  - '**/*.tmp'
  - '**/.cache'
  - '**/cache'
  - '**/log'
duplicity__backup_sources__group_var: []
duplicity__backup_sources__host_var:
  - path: '/var/www/html'
    divide: false
    excludes:
      - '/var/www/html/nextcloud/data'
    state: 'present'
  - path: '/var/www/html/nextcloud/data'
    divide: true
    state: 'present'
  - path: '/backup'
    state: 'absent'
duplicity__loglevel: 'notice'
duplicity__logrotate: 7
duplicity__on_calendar: '*-*-* {{ duplicity__on_calendar_hour }}:{{ 45 | random(seed=inventory_hostname) }}'
duplicity__on_calendar_hour: '23'
duplicity__swift_authurl: 'https://swiss-backup02.infomaniak.com/identity/v3'
duplicity__swift_authversion: '3'
duplicity__swift_tenantname: 'sb_project_SBI-MF827483'
duplicity__timer_enabled: true