Ansible Role: Install and Configure Duplicity

This role installs Duplicity from source and manages backup tasks on Debian/Ubuntu Linux servers.

Requirements

Ansible version 2.0 or higher.

Dependencies

None.

Installation

To install this role, run:

$ ansible-galaxy install tschifftner.duplicity

Example Playbook

Here are the available variables and their default values (check defaults/main.yml):

    - hosts: webservers
      vars:
        # Duplicity settings
        duplicity_known_hosts:
          - host: 'example.org'
            key: 'example.org ssh-rsa AAAAB3NzaC...+PwAK+MPw=='
            state: present
    
        duplicity_config_vars:
          FTP_SERVER: 'sftp://[email protected]/my/folder/'
          FTP_PASSWORD: '*******'
          DEFAULT_PARAMS: '--verbosity info --exclude-device-files --exclude-other-filesystems --exclude-if-present .duplicity-ignore'
    
        duplicity_cronjobs:
          - name: 'Cleanup older than 2 months'
            user: root
            group: root
            source: /etc/duplicity/duplicity.conf
            hour: 4
            minute: 10
            command: >
              duplicity remove-older-than 2M --force --extra-clean $FTP_SERVER;
              duplicity cleanup --force $FTP_SERVER
    
          - name: 'Backup /var/www'
            user: root
            group: root
            hour: 5
            minute: 21
            source: /etc/duplicity/duplicity.conf
            command: duplicity $DEFAULT_PARAMS --include /var/www --full-if-older-than 1M --exclude '**' / $FTP_SERVER

      roles:
             - { role: tschifftner.duplicity }

For easier management, consider putting all variables in an external file.

    - hosts: webservers
      vars_files:
        - duplicity-settings.yml

      roles:
         - { role: tschifftner.duplicity }

Tips

• To get the SSH key for a server, use: ssh-keyscan -t rsa example.org (this is used in the duplicity_known_hosts variable).
• Avoid writing cron jobs in multiple lines to maintain idempotence. For example:

 command: >
   duplicity remove-older-than 2M --force --extra-clean $FTP_SERVER;
   duplicity cleanup --force $FTP_SERVER

Duplicity Variables

duplicity_config_vars:
  SERVER: 'ftp://[email protected]/backups/'
  PASSPHRASE: 'YourSecretPassphrase'
  FTP_PASSWORD: '*******'
  PARAMS: '--verbosity info --exclude-device-files --exclude-other-filesystems --exclude-if-present .duplicity-ignore --exclude-filelist /etc/duplicity/exclude.list'
  INCLUDES: '/root /home /var/www /var/backup'

GPG Encryption

This role does not support GPG encryption. You need to install and configure it manually.

Generate GPG Key-Pair

Use the following command to generate GPG keys:

gpg --batch --gen-key <<EOF
%echo Generating a GPG key
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: Duplicity Backup
Name-Comment: Used for backup encryption
Name-Email: duplicity@localhost
Expire-Date: 0
Passphrase: ThisShouldBeYourPersonalUniquePassphrase
%commit
%echo Done
EOF

Export Public Key

gpg --output FB37DF3B.public.asc --armor --export FB37DF3B

Export Owner Trust

gpg --export-ownertrust > ownertrust.txt

Export Private Key

gpg --output FB37DF3B.private.asc --armor --export-secret-key FB37DF3B

Known Hosts

To mark hosts as known, use:

duplicity_known_hosts:
  - host: 'ftp.example.com'
    key: 'ftp.example.com ssh-rsa AAAAB3NzaC1yc2[...]+MPw=='
    state: 'present'

If your system supports it, you can use ecdsa and ed25519 keys as well:

ssh-keyscan -t ecdsa ftp.example.com
ssh-keyscan -t ed25519 ftp.example.com

Duptools

Duptools is a helper script to manage backups and is installed by default. You can disable it by setting duplicity_install_duptools: false.

Run Duptools

To see available options, simply run duptools in the terminal:

    duptools - manage duplicity backup

    USAGE:

    duptools backup
    duptools list
    duptools status
    duptools restore file [time] dest
    duptools remove [time]

    [time]
    a) now
    b) 2002-01-25T07:00:00+02:00
    c) D=Days, W=Weeks, M=Months, Y=Years, h=hours, m=minutes, s=seconds

Supported OS

• Debian 9 (Stretch)
• Debian 8 (Jessie)
• Ubuntu 18.04 (Bionic Beaver)
• Ubuntu 16.04 (Xenial Xerus)

Required Ansible Version

Ansible version 2.5 or higher.

License

MIT License

Author Information

• Tobias Schifftner, ambimax® GmbH

TODO

• Fix the reinstall issue and allow installing another version. Currently, the file /usr/local/bin/duplicity isn't overwritten, and uninstalling duplicity via pip does not remove it.