From 904657c27c5d927fd2117c1e91305c4a1b17d76b Mon Sep 17 00:00:00 2001
From: Elizabeth Hunt
Date: Sat, 4 May 2024 13:19:48 -0700
Subject: [PATCH] borg

---
 deploy.yml | 3 ++
 group_vars/borg.yml | 15 ++++++++++
 inventory | 4 +++
 playbooks/deploy-borg.yml | 6 ++++
 playbooks/roles/borg/tasks/main.yml | 28 +++++++++++++++++++
 .../roles/borg/templates/borg_ssh_key.j2 | 1 +
 playbooks/roles/wireguard-mesh/tasks/main.yml | 3 +-
 .../wireguard-mesh/templates/mmtmesh.conf.j2 | 11 ++++++-
 secrets.txt | 4 +++
 9 files changed, 72 insertions(+), 3 deletions(-)
 create mode 100644 group_vars/borg.yml
 create mode 100644 playbooks/deploy-borg.yml
 create mode 100644 playbooks/roles/borg/tasks/main.yml
 create mode 100644 playbooks/roles/borg/templates/borg_ssh_key.j2

diff --git a/deploy.yml b/deploy.yml
index 65ea464..c386bfe 100644
--- a/deploy.yml
+++ b/deploy.yml
@@ -23,3 +23,6 @@
 
 - name: Website for mmt
   ansible.builtin.import_playbook: playbooks/deploy-mmt.yml
+
+- name: Borg
+  ansible.builtin.import_playbook: playbooks/deploy-borg.yml
diff --git a/group_vars/borg.yml b/group_vars/borg.yml
new file mode 100644
index 0000000..8f4c8d9
--- /dev/null
+++ b/group_vars/borg.yml
@@ -0,0 +1,15 @@
+borg_my_user: "root"
+borg_my_group: "root"
+borg_ssh_key: "/root/borg_ssh_key"
+
+backup_topic: "{{ borg_backup_topic }}"
+
+base_files:
+  - /home
+  - /root
+  - /var
+  - /etc
+  - /boot
+  - /opt
+
+extra_files:
diff --git a/inventory b/inventory
index 9c76e0f..db7738f 100644
--- a/inventory
+++ b/inventory
@@ -27,5 +27,9 @@ mail.int.mistymountainstherapy.com ansible_user=root ansible_connection=ssh
 [wireguard-endpoint]
 www.int.mistymountainstherapy.com ansible_user=root ansible_connection=ssh
 
+[borg]
+www.int.mistymountainstherapy.com ansible_user=root ansible_connection=ssh
+mail.int.mistymountainstherapy.com ansible_user=root ansible_connection=ssh
+
 [mmt]
 www.int.mistymountainstherapy.com ansible_user=root ansible_connection=ssh
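Review bot: `extra_files:` at the end of the new group_vars/borg.yml has no value, so YAML loads it as null rather than an empty mapping; the role's `extra_files[inventory_hostname] | default([])` only works because Jinja turns a subscript on None into an undefined value, and anything that later iterates or merges `extra_files` will fail on the null. Write it as `extra_files: {}` so the intended shape is explicit. Per-host entries presumably take the form `extra_files: {<inventory_hostname>: [<paths>]}` — a comment above the key stating that would save the next maintainer a trip to the role.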
diff --git a/playbooks/deploy-borg.yml b/playbooks/deploy-borg.yml
new file mode 100644
index 0000000..842d3a3
--- /dev/null
+++ b/playbooks/deploy-borg.yml
@@ -0,0 +1,6 @@
+---
+
+- name: Borg setup
+  hosts: borg
+  roles:
+    - borg
diff --git a/playbooks/roles/borg/tasks/main.yml b/playbooks/roles/borg/tasks/main.yml
new file mode 100644
index 0000000..fd3be99
--- /dev/null
+++ b/playbooks/roles/borg/tasks/main.yml
@@ -0,0 +1,28 @@
+- name: copy key
+  template:
+    src: ../templates/borg_ssh_key.j2
+    dest: /root/borg_ssh_key
+    owner: root
+    group: root
+    mode: 0600
+
+- name: push borg
+  import_role:
+    name: borgbase.ansible_role_borgbackup
+  vars:
+    borg_encryption_passphrase: "{{ borg_password }}"
+    borg_repository: "{{ borg_repo }}"
+    borg_user: "{{ borg_my_user }}"
+    borg_group: "{{ borg_my_group }}"
+    borgmatic_timer: cron
+    borg_ssh_command: "ssh -o StrictHostKeyChecking=no -i {{ borg_ssh_key }}"
+    borg_source_directories:
+      "{{ base_files + (extra_files[inventory_hostname] | default([])) }}"
+    borg_retention_policy:
+      keep_hourly: 3
+      keep_daily: 7
+      keep_weekly: 4
+      keep_monthly: 6
+    borgmatic_hooks:
+      after_backup:
+        - "curl -d '{{ inventory_hostname }}' {{ backup_topic }}"
diff --git a/playbooks/roles/borg/templates/borg_ssh_key.j2 b/playbooks/roles/borg/templates/borg_ssh_key.j2
new file mode 100644
index 0000000..70d4cc9
--- /dev/null
+++ b/playbooks/roles/borg/templates/borg_ssh_key.j2
@@ -0,0 +1 @@
+{{ borg_secret_key | b64decode }}
diff --git a/playbooks/roles/wireguard-mesh/tasks/main.yml b/playbooks/roles/wireguard-mesh/tasks/main.yml
index 9f9419f..34d46bc 100644
--- a/playbooks/roles/wireguard-mesh/tasks/main.yml
+++ b/playbooks/roles/wireguard-mesh/tasks/main.yml
@@ -8,8 +8,9 @@
     state: present
 
 - name: Get node ips from dns records
-  ansible.builtin.shell: "dig +short {{ item }} | tail -n1"
+  command: "dig +short {{ item }}"
   register: wireguard_node_ip
+  delegate_to: localhost
   with_items: "{{ groups['wireguard-mesh'] }}"
 
 - name: Massage node ips
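Review bot: `StrictHostKeyChecking=no` in `borg_ssh_command` disables host-key verification for every connection to the backup repository, so a redirected or impersonated SSH endpoint is accepted silently and the backup stream (and the repository credentials) go to it; pin the repository host instead — an `ansible.builtin.known_hosts` task in this role, or at minimum `-o StrictHostKeyChecking=accept-new` once the first fingerprint has been verified by hand — and drop the `=no`. The "copy key" task renders a private key through `template`, so a run with `--diff` prints the decoded key to the console and to any callback log; add `no_log: true` to that task. `dest: /root/borg_ssh_key` duplicates the path already held in `borg_ssh_key` from group_vars, so use `dest: "{{ borg_ssh_key }}"` to keep the two from drifting, and quote the mode as `mode: "0600"` so YAML does not hand Ansible an integer. The modules are bare names here (`template`, `import_role`) while deploy.yml uses `ansible.builtin.` FQCNs; keep the FQCN form for consistency.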
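Review bot: Dropping `| tail -n1` changes what `wireguard_node_ip` holds whenever `dig +short` returns more than one line (a CNAME followed by its A record, or several A records): `stdout` is now multi-line, and the "Massage node ips" task that consumes it starts outside this hunk, so confirm it reads `stdout_lines[-1]` or otherwise tolerates that. With `delegate_to: localhost` the lookup now runs on the controller, so `dig` must be installed there rather than on the nodes; a read-only query should also carry `changed_when: false` so the play does not report a change on every run. The module switched from `ansible.builtin.shell` to the bare `command`; keep the FQCN, `ansible.builtin.command`, to match the rest of the role.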
diff --git a/playbooks/roles/wireguard-mesh/templates/mmtmesh.conf.j2 b/playbooks/roles/wireguard-mesh/templates/mmtmesh.conf.j2
index aa15d23..634b20a 100644
--- a/playbooks/roles/wireguard-mesh/templates/mmtmesh.conf.j2
+++ b/playbooks/roles/wireguard-mesh/templates/mmtmesh.conf.j2
@@ -1,8 +1,11 @@
 [Interface]
 Address={{ wireguard_node_ips[inventory_hostname] }}/32
-SaveConfig=true
 ListenPort={{ wireguard_listen_port }}
 PrivateKey={{ wireguard_private_key.stdout }}
+SaveConfig=true
+{% if wireguard_node_ips[inventory_hostname] != '10.212.0.1' %}
+PostUp=ip route add 10.137.0.0/16 via 10.212.0.1 dev mmtmesh
+{% endif %}
 
 {% for peer in groups['wireguard-mesh'] %}
 {% if peer != inventory_hostname %}
@@ -10,8 +13,12 @@ PrivateKey={{ wireguard_private_key.stdout }}
 [Peer]
 PublicKey={{ hostvars[peer].wireguard_public_key.stdout }}
 PresharedKey={{ wireguard_preshared_keys[peer] if inventory_hostname < peer else hostvars[peer].wireguard_preshared_keys[inventory_hostname] }}
+{% if wireguard_node_ips[peer] == '10.212.0.1' %}
+AllowedIPs={{ wireguard_node_ips[peer] }}/32, 10.137.0.0/16
+{% else %}
 AllowedIPs={{ wireguard_node_ips[peer] }}/32
-Endpoint={{ peer | replace('.int.', '.pub.') }}:{{ wireguard_listen_port }}
+{% endif %}
+Endpoint={{ peer | replace('.int.', '.') }}:{{ wireguard_listen_port }}
 {% endif %}
 {% endfor %}
 
diff --git a/secrets.txt b/secrets.txt
index d0e021d..636a628 100644
--- a/secrets.txt
+++ b/secrets.txt
@@ -10,3 +10,7 @@ mmt_smtp_server
 mmt_smtp_password
 mmt_smtp_username
 mmt_form_to_email
+borg_secret_key
+borg_password
+borg_repo
+borg_backup_topic
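Review bot: The hub address `10.212.0.1` and the routed prefix `10.137.0.0/16` are hard-coded three times in the first hunk (`{% if ... != '10.212.0.1' %}` and the `PostUp=ip route add ... via 10.212.0.1` line) and twice more in the second (`{% if wireguard_node_ips[peer] == '10.212.0.1' %}` and the widened `AllowedIPs`), so moving the gateway or the routed network means editing four lines of the template in step. Define them once in the wireguard-mesh group vars, e.g. `wireguard_gateway_ip` and `wireguard_routed_cidr`, and compare and emit those variables in both hunks. Widening the hub peer's `AllowedIPs` to `10.137.0.0/16` also tells each spoke to accept packets sourced anywhere in that prefix from the hub's key — intended for a gateway, but a one-line comment on that `{% if %}` would make the trust boundary explicit; the `PostUp` route presumably also relies on IP forwarding being enabled on the hub, which nothing in this template manages.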