Description

Make incremental backups securely using rsnapshot.

Why should backups always be pulled instead of being pushed?

Because pushing backups is highly insecure.

Requirements

Yannik/rsnapshot-remote-host must be installed on the hosts that should be backed up.

Role Variables

• rsnapshot_enable_cron: whether to run backups automatically
  • Default: true
• rsnapshot_mailto: where email reports should go to
• rsnapshot_custom_options: set custom rsnapshot.conf options (list of dicts as some options can be used multiple times)
• rsnapshot_backups: List of backup sets
  • name: unique lowercase alphanumeric name (required)
  • enabled: yes/no
  • interval: how often should the data be synced (required)
    • options: every30min, every1h, every3h, every6h, every12h, every24h
  • snapshot_root: unique path where the backups will be saved (required)
  • backup_host: backupro@host from where the backups should be pulled from
  • retain_settings: list of backups that should be kept (required)
  • maxdowntime: maximum time a host is allowed to be down (format: 6h, 12d)
  • custom_options: custom options (list of dicts as some options can be used multiple times)
  • backup_directives: the actual list of directories that should be backed up (required)
    • src: Source directory (required)
    • dest: destination directory, by default the src path appended to snapshot_root/ (optional)
    • args: optional arguments
      • Example: exclude=logs,exclude=vendor,+rsync_long_args=--bwlimit=625

Example Playbook

- hosts: all
  roles:
     - role: yannik.rsnapshot-backup-host
       rsnapshot_enable_cron: True
       rsnapshot_mailto: test@example.org
       rsnapshot_custom_directives:
         - rsync_long_args: --delete --numeric-ids --relative --delete-excluded --bwlimit=625
       rsnapshot_backups:
         - name: backups1
           interval: every30min
           snapshot_root: /var/rsnapshot-backups/backups1
           backup_host: backupro@example.org
           retain_settings:
             - { name: every1h, keep: 12 }
             - { name: every1d, keep: 3 }
             - { name: every1w, keep: 4 }
           backup_directives:
             - src: /etc
             - src: /var/www
               args: exclude=logs,exclude=vendor,+rsync_long_args=--bwlimit=625
             - src: "sudo /etc/rsnapshot/backup-scripts/backup-mysql.sh"
               type: ssh
             - src: /var/rsnapshot-backup/mysqldump.sql.gz
         - name: backups2
           interval: every6h
           snapshot_root: /var/rsnapshot-backups/backups2
           backup_host: backupro@example2.org
           retain_settings:
             - { name: every1d, keep: 3 }
             - { name: every1w, keep: 4 }
           backup_directives:
             - src: /etc
               dest: myetc

Debugging

• ssh -F /home/backuppuller/.ssh/config backupro@host test
• rsync -a --rsh="/usr/bin/ssh -F /home/backuppuller/.ssh/config" backupro@host:/path-to-dir .

Inspired by

• Backup remote Linux hosts without root access, using rsnapshot
• Restricting SSH Access to rsync
• rsync as root with rrsync and sudo
• Root, Sudo, and Rsnapshot
• OpenSSH: Going flexible with forced commands
• Ausführbare SSH-Kommandos per authorized keys einschränken
• Securing Rsync as Root
• Security of only allowing a few vetted commands using $SSH_ORIGINAL_COMMAND

License

GPLv2

Author Information

Yannik Sembritzki