matrix-docker-ansible-deploy/roles/custom/matrix-backup-borg/templates/systemd/matrix-backup-borg.service.j2

#jinja2: lstrip_blocks: "True"
[Unit]
Description=Matrix Borg Backup
{% for service in matrix_backup_borg_systemd_required_services_list %}
Requires={{ service }}
After={{ service }}
{% endfor %}
{% for service in matrix_backup_borg_systemd_wanted_services_list %}
Wants={{ service }}
{% endfor %}
DefaultDependencies=no

[Service]
Type=oneshot
Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-backup-borg 2>/dev/null || true'
ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-backup-borg 2>/dev/null || true'
ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-backup-borg \
			--log-driver=none \
			--cap-drop=ALL \
			--read-only \
			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
			--network={{ matrix_docker_network }} \
			--tmpfs=/tmp:rw,noexec,nosuid,size=100m \
			--mount type=bind,src={{ matrix_backup_borg_config_path }}/passwd,dst=/etc/passwd,ro \
			--mount type=bind,src={{ matrix_backup_borg_config_path }},dst=/etc/borgmatic.d,ro \
			{% for source in matrix_backup_borg_location_source_directories %}
			--mount type=bind,src={{ source }},dst={{ source }},ro \
			{% endfor %}
			{% for arg in matrix_backup_borg_container_extra_arguments %}
			{{ arg }} \
			{% endfor %}
			{{ matrix_backup_borg_docker_image }} \
			sh -c "borgmatic rcreate --encryption {{ matrix_backup_borg_encryption }}"

# The `CAP_DAC_OVERRIDE` capability is required, so that `root` in the container
# can read the `/etc/borgmatic.d/config.yaml` (`{{ matrix_backup_borg_config_path }}/config.yaml`) file,
# owned by `matrix:matrix` on the filesystem.
#
# `/root` is mountes as temporary filesystem, because we're using `--read-only` and because
# Borgmatic tries to write to at least a few paths under `/root` (`.config`, `.ssh`, `.borgmatic`).
ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-backup-borg \
			--log-driver=none \
			--cap-drop=ALL \
			--cap-add=CAP_DAC_OVERRIDE \
			--read-only \
			--network={{ matrix_docker_network }} \
			--tmpfs=/root:rw,noexec,nosuid,size=100m \
			--tmpfs=/tmp:rw,noexec,nosuid,size=100m \
			--mount type=bind,src={{ matrix_backup_borg_config_path }}/passwd,dst=/etc/passwd,ro \
			--mount type=bind,src={{ matrix_backup_borg_config_path }},dst=/etc/borgmatic.d,ro \
			{% for source in matrix_backup_borg_location_source_directories %}
			--mount type=bind,src={{ source }},dst={{ source }},ro \
			{% endfor %}
			{% for arg in matrix_backup_borg_container_extra_arguments %}
			{{ arg }} \
			{% endfor %}
			{{ matrix_backup_borg_docker_image }}

ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-backup-borg 2>/dev/null || true'
ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-backup-borg 2>/dev/null || true'
SyslogIdentifier=matrix-backup-borg

[Install]
WantedBy=multi-user.target
add borg backup (#1727) * add borg backup * lint fix * add exlclude patterns * missed in the #1726 fix for honoroit * feedback * Fix indentation * feedback * feedback * feedback Co-authored-by: Slavi Pantaleev <slavi@devture.com> 2022-04-05 11:37:27 +00:00			`#jinja2: lstrip_blocks: "True"`
			`[Unit]`
			`Description=Matrix Borg Backup`
			`{% for service in matrix_backup_borg_systemd_required_services_list %}`
			`Requires={{ service }}`
			`After={{ service }}`
			`{% endfor %}`
			`{% for service in matrix_backup_borg_systemd_wanted_services_list %}`
			`Wants={{ service }}`
			`{% endfor %}`
			`DefaultDependencies=no`

			`[Service]`
			`Type=oneshot`
matrix_systemd_unit_home_path -> devture_systemd_docker_base_systemd_unit_home_path (via com.devture.ansible.role.systemd_docker_base) 2022-11-04 14:37:47 +00:00			`Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"`
matrix_host_command_sh -> devture_systemd_docker_base_host_command_sh (via com.devture.ansible.role.systemd_docker_base) 2022-11-04 14:40:25 +00:00			`ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-backup-borg 2>/dev/null \|\| true'`
			`ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-backup-borg 2>/dev/null \|\| true'`
matrix_host_command_docker -> devture_systemd_docker_base_host_command_docker (via com.devture.ansible.role.systemd_docker_base) 2022-11-04 14:39:35 +00:00			`ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-backup-borg \`
add borg backup (#1727) * add borg backup * lint fix * add exlclude patterns * missed in the #1726 fix for honoroit * feedback * Fix indentation * feedback * feedback * feedback Co-authored-by: Slavi Pantaleev <slavi@devture.com> 2022-04-05 11:37:27 +00:00			`--log-driver=none \`
			`--cap-drop=ALL \`
			`--read-only \`
			`--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \`
			`--network={{ matrix_docker_network }} \`
			`--tmpfs=/tmp:rw,noexec,nosuid,size=100m \`
			`--mount type=bind,src={{ matrix_backup_borg_config_path }}/passwd,dst=/etc/passwd,ro \`
			`--mount type=bind,src={{ matrix_backup_borg_config_path }},dst=/etc/borgmatic.d,ro \`
			`{% for source in matrix_backup_borg_location_source_directories %}`
			`--mount type=bind,src={{ source }},dst={{ source }},ro \`
			`{% endfor %}`
			`{% for arg in matrix_backup_borg_container_extra_arguments %}`
			`{{ arg }} \`
			`{% endfor %}`
			`{{ matrix_backup_borg_docker_image }} \`
Fix backup-borg repository initialization for borgmatic 1.7+ (or borg 2.0) 2022-12-05 12:56:38 +00:00			`sh -c "borgmatic rcreate --encryption {{ matrix_backup_borg_encryption }}"`
add borg backup (#1727) * add borg backup * lint fix * add exlclude patterns * missed in the #1726 fix for honoroit * feedback * Fix indentation * feedback * feedback * feedback Co-authored-by: Slavi Pantaleev <slavi@devture.com> 2022-04-05 11:37:27 +00:00
Give backup-borg container more permissions to perform the backup Running with a user (like `matrix:matrix`) fails if Etherpad is enabled, because `/matrix/etherpad` is owned by `matrix_etherpad_user_uid`/`matrix_etherpad_user_gid` (`5001:5001`). The `matrix` user can't acccess the Etherpad directory for this reason and Borgmatic fails when trying to make a backup. There may be other things under `/matrix` which similarly use non-`matrix:matrix` permissions. Another workaround might have been to add `/matrix/etherpad` (and potentially other things) to `matrix_backup_borg_location_exclude_patterns`, but: - that means Etherpad won't be backed up - not great - only excluding Etherpad may not be enough. There may be other files we need to exclude as well --- Running with `root` is still not enough though. We need at least the `CAP_DAC_OVERRIDE` capability, or we won't be able to read the `/etc/borgmatic.d/config.yaml` configuration file (owned by `matrix:matrix` with `0640` permissions). --- Additionally, it seems like the backup process tries to write to at least a few directories: - `/root/.borgmatic` - `/root/.ssh` - `/root/.config` > [Errno 30] Read-only file system: '/root/.borgmatic' > Error while creating a backup. > /etc/borgmatic.d/config.yaml: Error running configuration file We either need to stop mounting the container filesystem as readonly (remove `--read-only`) or to allow writing via a `tmpfs`. I've gone the `tmpfs` route which seems to work. In any case, the mounted source directories (`matrix_backup_borg_location_source_directories`) are read-only regardless, so our actual source files are protected from unintentional changes. 2022-12-05 13:28:07 +00:00			# The `CAP_DAC_OVERRIDE` capability is required, so that `root` in the container
			# can read the `/etc/borgmatic.d/config.yaml` (`{{ matrix_backup_borg_config_path }}/config.yaml`) file,
			# owned by `matrix:matrix` on the filesystem.
Add comment to matrix-backup-borg.service Related to 8005557061c0e795be334 2022-12-05 13:45:33 +00:00			`#`
			# `/root` is mountes as temporary filesystem, because we're using `--read-only` and because
			# Borgmatic tries to write to at least a few paths under `/root` (`.config`, `.ssh`, `.borgmatic`).
matrix_host_command_docker -> devture_systemd_docker_base_host_command_docker (via com.devture.ansible.role.systemd_docker_base) 2022-11-04 14:39:35 +00:00			`ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-backup-borg \`
add borg backup (#1727) * add borg backup * lint fix * add exlclude patterns * missed in the #1726 fix for honoroit * feedback * Fix indentation * feedback * feedback * feedback Co-authored-by: Slavi Pantaleev <slavi@devture.com> 2022-04-05 11:37:27 +00:00			`--log-driver=none \`
			`--cap-drop=ALL \`
Give backup-borg container more permissions to perform the backup Running with a user (like `matrix:matrix`) fails if Etherpad is enabled, because `/matrix/etherpad` is owned by `matrix_etherpad_user_uid`/`matrix_etherpad_user_gid` (`5001:5001`). The `matrix` user can't acccess the Etherpad directory for this reason and Borgmatic fails when trying to make a backup. There may be other things under `/matrix` which similarly use non-`matrix:matrix` permissions. Another workaround might have been to add `/matrix/etherpad` (and potentially other things) to `matrix_backup_borg_location_exclude_patterns`, but: - that means Etherpad won't be backed up - not great - only excluding Etherpad may not be enough. There may be other files we need to exclude as well --- Running with `root` is still not enough though. We need at least the `CAP_DAC_OVERRIDE` capability, or we won't be able to read the `/etc/borgmatic.d/config.yaml` configuration file (owned by `matrix:matrix` with `0640` permissions). --- Additionally, it seems like the backup process tries to write to at least a few directories: - `/root/.borgmatic` - `/root/.ssh` - `/root/.config` > [Errno 30] Read-only file system: '/root/.borgmatic' > Error while creating a backup. > /etc/borgmatic.d/config.yaml: Error running configuration file We either need to stop mounting the container filesystem as readonly (remove `--read-only`) or to allow writing via a `tmpfs`. I've gone the `tmpfs` route which seems to work. In any case, the mounted source directories (`matrix_backup_borg_location_source_directories`) are read-only regardless, so our actual source files are protected from unintentional changes. 2022-12-05 13:28:07 +00:00			`--cap-add=CAP_DAC_OVERRIDE \`
add borg backup (#1727) * add borg backup * lint fix * add exlclude patterns * missed in the #1726 fix for honoroit * feedback * Fix indentation * feedback * feedback * feedback Co-authored-by: Slavi Pantaleev <slavi@devture.com> 2022-04-05 11:37:27 +00:00			`--read-only \`
			`--network={{ matrix_docker_network }} \`
Give backup-borg container more permissions to perform the backup Running with a user (like `matrix:matrix`) fails if Etherpad is enabled, because `/matrix/etherpad` is owned by `matrix_etherpad_user_uid`/`matrix_etherpad_user_gid` (`5001:5001`). The `matrix` user can't acccess the Etherpad directory for this reason and Borgmatic fails when trying to make a backup. There may be other things under `/matrix` which similarly use non-`matrix:matrix` permissions. Another workaround might have been to add `/matrix/etherpad` (and potentially other things) to `matrix_backup_borg_location_exclude_patterns`, but: - that means Etherpad won't be backed up - not great - only excluding Etherpad may not be enough. There may be other files we need to exclude as well --- Running with `root` is still not enough though. We need at least the `CAP_DAC_OVERRIDE` capability, or we won't be able to read the `/etc/borgmatic.d/config.yaml` configuration file (owned by `matrix:matrix` with `0640` permissions). --- Additionally, it seems like the backup process tries to write to at least a few directories: - `/root/.borgmatic` - `/root/.ssh` - `/root/.config` > [Errno 30] Read-only file system: '/root/.borgmatic' > Error while creating a backup. > /etc/borgmatic.d/config.yaml: Error running configuration file We either need to stop mounting the container filesystem as readonly (remove `--read-only`) or to allow writing via a `tmpfs`. I've gone the `tmpfs` route which seems to work. In any case, the mounted source directories (`matrix_backup_borg_location_source_directories`) are read-only regardless, so our actual source files are protected from unintentional changes. 2022-12-05 13:28:07 +00:00			`--tmpfs=/root:rw,noexec,nosuid,size=100m \`
add borg backup (#1727) * add borg backup * lint fix * add exlclude patterns * missed in the #1726 fix for honoroit * feedback * Fix indentation * feedback * feedback * feedback Co-authored-by: Slavi Pantaleev <slavi@devture.com> 2022-04-05 11:37:27 +00:00			`--tmpfs=/tmp:rw,noexec,nosuid,size=100m \`
			`--mount type=bind,src={{ matrix_backup_borg_config_path }}/passwd,dst=/etc/passwd,ro \`
			`--mount type=bind,src={{ matrix_backup_borg_config_path }},dst=/etc/borgmatic.d,ro \`
			`{% for source in matrix_backup_borg_location_source_directories %}`
			`--mount type=bind,src={{ source }},dst={{ source }},ro \`
			`{% endfor %}`
			`{% for arg in matrix_backup_borg_container_extra_arguments %}`
			`{{ arg }} \`
			`{% endfor %}`
			`{{ matrix_backup_borg_docker_image }}`

matrix_host_command_sh -> devture_systemd_docker_base_host_command_sh (via com.devture.ansible.role.systemd_docker_base) 2022-11-04 14:40:25 +00:00			`ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-backup-borg 2>/dev/null \|\| true'`
			`ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-backup-borg 2>/dev/null \|\| true'`
add borg backup (#1727) * add borg backup * lint fix * add exlclude patterns * missed in the #1726 fix for honoroit * feedback * Fix indentation * feedback * feedback * feedback Co-authored-by: Slavi Pantaleev <slavi@devture.com> 2022-04-05 11:37:27 +00:00			`SyslogIdentifier=matrix-backup-borg`

			`[Install]`
			`WantedBy=multi-user.target`