This repository contains an example playbook that configures three hosts:

• One FreeBSD 11.3 jail running on a FreeNAS 11.2-U7 host and serving as the backup server,
• Two Debian (>= 8) servers that need to be backuped.

It serves as an example of how to use Ansible roles qb.backup and qb.backup_server.

You can find here a video of our talk at FOSDEM'20 presenting how qb.backup works.

This repository contains submodules, please ensure that they are initialized:

$ git submodule init
$ git submodule update

The inventory.yml file must be modified with the correct values for your setup, as well as all the various files in the group_vars folder.

This playbook has been tested with ansible>=2.8.0.

Note: If you do not have a FreeNAS server, you can still setup the server-side script of qb.backup on any other host. You will have to manually do the installation yourself. You can adapt the role qb.backup_server for your needs.

The configuration of the FreeNAS server is not in the scope of this example. The pre-requisites on the FreeNAS server are simple:

• The person running this Ansible playbook must be able to connect using a SSH key to the root user of the FreeNAS server,
• The FreeBSD jail must be created and running.
• The dataset used to store backups must be mounted in the jail in /mnt/backup using FreeNAS's "Mount points" jail option.

Python 3.7 must be manually installed in the jail:

# pkg bootstrap
# pkg update -f
# pkg install python37

Note: The role configuring backuped hosts targets Debian >= 8 servers. Any other OS that can run SSH, borg and borgmatic can be used in this backup solution by manually configuring those hosts.

You can manually setup hosts that need to be backuped by following the instructions of the README.md file in the role qb.backup.

The following SSH server options must be enabled on the servers that need to be backuped:

# File: /etc/ssh/sshd_config
PermitRootLogin forced-commands-only # Or greater level of access
PermitUserEnvironment yes

Note: since qb.backup aims to take whole server backups, we connect using the user root directly to avoid permission issues, so sshd must not deny SSH connections to root.

The minimum level of authentication we support for PermitRootLogin is forced-commands-only, but any level above would work (prohibit-password or yes).

Once all the requirements are met, you can execute the playbook:

$ ansible-playbook -i inventory.yml backup-playbook.yml

The playbook will fail the first time, just follow the instructions in the error message to edit the variable backup_clt__srv_ssh_pubkey.

Important note: The backup client setup role saves on the Ansible controller running the playbook one borg repository encryption key passphrase per backuped host. By default, those passphrases are saved in /tmp/backup-passphrases/ which is a temporary folder erased at reboot, so make sure to move those passphrases to a secure place as they will be needed to recover backups in case of a loss of data!