eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
blumeops/ansible/roles/borgmatic/templates/config.yaml.j2
Erich Blume d045a5d76a Add BorgBase offsite backup repository (#142) 
## Summary
- Adds BorgBase as a second borgmatic repository for offsite backups (US region, append-only)
- SSH key managed via 1Password, deployed to indri by Ansible
- Borgmatic `ssh_command` configured to use the dedicated BorgBase key
- BorgBase host key pinned in known_hosts via Ansible

## Post-merge deployment steps
1. Provision borgmatic: `mise run provision-indri -- --tags borgmatic`
2. Initialize the BorgBase repo: `ssh indri 'mise x -- borgmatic init --encryption repokey --repository borgbase-offsite'`
3. Export and store the borg repokey: `ssh indri 'borg key export ssh://k04ljcd7@k04ljcd7.repo.borgbase.com/./repo'` → save to 1Password
4. Verify first backup: `ssh indri 'mise x -- borgmatic create --repository borgbase-offsite --verbosity 1'`

## BorgBase setup (already done)
- Account created, API token in 1Password (`borgbase` item in blumeops vault)
- SSH keypair generated, stored in 1Password, public key uploaded to BorgBase (ID: 200815)
- Repository `indri-borgmatic` created (ID: k04ljcd7, US region, append-only, 2-day alert)

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/142
2026-02-10 12:47:02 -08:00

53 lines
1.4 KiB
Django/Jinja
Raw Blame History

# {{ ansible_managed }}
# Path to borg binary (LaunchAgent doesn't have homebrew in PATH)
local_path: {{ borgmatic_local_path }}
source_directories:
{% for dir in borgmatic_source_directories %}
- {{ dir }}
{% endfor %}
source_directories_must_exist: true
repositories:
{% for repo in borgmatic_repositories %}
- path: {{ repo.path }}
label: {{ repo.label }}
{% if repo.encryption is defined %}
encryption: {{ repo.encryption }}
{% endif %}
{% if repo.append_only is defined %}
append_only: {{ repo.append_only | lower }}
{% endif %}
{% endfor %}
{% if borgmatic_exclude_patterns %}
exclude_patterns:
{% for pattern in borgmatic_exclude_patterns %}
- {{ pattern }}
{% endfor %}
{% endif %}
encryption_passcommand: {{ borgmatic_encryption_passcommand }}
ssh_command: ssh -o IdentitiesOnly=yes -i {{ borgmatic_borgbase_ssh_key_path }}
# Retention policy
keep_daily: {{ borgmatic_keep_daily }}
keep_monthly: {{ borgmatic_keep_monthly }}
keep_yearly: {{ borgmatic_keep_yearly }}
{% if borgmatic_postgresql_databases %}
# PostgreSQL database backups (streamed via pg_dump)
postgresql_databases:
{% for db in borgmatic_postgresql_databases %}
- name: {{ db.name }}
hostname: {{ db.hostname | default('localhost') }}
port: {{ db.port | default(5432) }}
username: {{ db.username }}
{% if borgmatic_pg_dump_command is defined %}
pg_dump_command: {{ borgmatic_pg_dump_command }}
{% endif %}
{% endfor %}
{% endif %}
Reference in a new issue View git blame Copy permalink