system-config/playbooks/roles/borg-backup/tasks/main.yaml
Ian Wienand d9d9a53cb7 borg-backup: disambiguate for multiple servers
The ssh config and cron job will overwrite each other when we have
multiple backup servers.

Ensure the markers are different.

Change-Id: I1736fa9c72c90a357b2229bc86c33b33a2bb321c
2020-11-04 13:11:43 +11:00


# Derive a per-host borg account name from the short hostname (the part of
# inventory_hostname before the first dot), unless one was already supplied.
- name: Generate borg username for this host
  when: borg_username is not defined
  set_fact:
    borg_username: 'borg-{{ inventory_hostname.split(".", 1)[0] }}'
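# Print the resolved account name in the play output.
- name: Show borg username
  debug:
    var: borg_username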
# Pull in the install-borg role; what it installs is defined in that role.
- name: Install borg
  include_role:
    name: install-borg
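# Render the backup wrapper that the root cron job executes.
- name: Install backup script
  template:
    src: borg-backup.j2
    dest: /usr/local/bin/borg-backup
    # Quoted so the mode stays an octal string whatever YAML loader reads it.
    mode: '0755'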
# Dedicated ed25519 key pair for the backup connection. No passphrase is set
# in this task, so access to /root/.ssh is what protects the private key.
# The result is registered because the public key is read from it later.
- name: Generate keypair for backups
  register: borg_keypair
  openssh_keypair:
    type: ed25519
    path: /root/.ssh/id_borg_backup_ed25519
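# One managed block per backup server in root's ssh config. The marker embeds
# the server name so blocks for different servers do not overwrite each other.
- name: Configure ssh for backup server
  blockinfile:
    path: /root/.ssh/config
    create: true
    # Quoted so the mode stays an octal string whatever YAML loader reads it.
    mode: '0600'
    marker: '# {mark} ANSIBLE MANAGED BLOCK borg-backup {{ item }}'
    block: |
      # {{ item }} backup server
      Host {{ item }}
      HostName {{ item }}
      IdentityFile /root/.ssh/id_borg_backup_ed25519
      User {{ borg_username }}
  with_inventory_hostnames: borg-backup-server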
# Pair the account name with the generated public key as a two-element list.
# NOTE(review): presumably consumed when the account is set up on the backup
# server - confirm against the server-side role.
- name: Generate borg_user info tuple
  set_fact:
    borg_user: '{{ [ borg_username, borg_keypair["public_key"] ] }}'
# Pin each backup server's ed25519 host key ahead of the first connection.
# The key is taken from that server's gathered facts in hostvars, so the pin
# is only as trustworthy as the fact gathering that produced it.
- name: Accept hostkey of backup server
  with_inventory_hostnames: borg-backup-server
  known_hosts:
    name: '{{ item }}'
    key: '{{ item }} ssh-ed25519 {{ hostvars[item]["ansible_ssh_host_key_ed25519_public"] }}'
    state: present
# One cron entry per backup server; the server name in the entry name keeps
# the entries distinct. Only stderr is appended to the per-server log.
# The minute is a random value seeded with the server name, so it stays the
# same across runs for a given server.
- name: Install backup cron job
  with_inventory_hostnames: borg-backup-server
  cron:
    user: root
    name: "Run borg backup to {{ item }}"
    hour: '5'
    minute: '{{ 59|random(seed=item) }}'
    job: "/usr/local/bin/borg-backup {{ item }} 2>> /var/log/borg-backup-{{ item }}.log"
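# Rotate the per-server log that the cron job appends to. The path must match
# the cron redirection target (/var/log/borg-backup-<server>.log); pointing at
# a different suffix leaves the real log growing without rotation.
- name: Install logrotate rules
  include_role:
    name: logrotate
  vars:
    logrotate_file_name: '/var/log/borg-backup-{{ item }}.log'
  with_inventory_hostnames: borg-backup-server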