svc-bkp-rmt-2-loc: migrate pull script to Python + add unit tests; lock down backup-provider ACLs

- Replace Bash pull-specific-host.sh with Python pull-specific-host.py (argparse, identical logic) - Update role vars and runner template to call python script - Add __init__.py files for test discovery/imports - Add unittest: tests/unit/roles/svc-bkp-rmt-2-loc/files/test_pull_specific_host.py (mocks subprocess/os/time; covers success, no types, find-fail, retry-exhaustion) - Backup provider SSH wrapper: align allowed ls path (backup-docker-to-local) - Split user role tasks: 01_core (sudoers), 02_permissions_ssh (SSH keys + wrapper), 03_permissions_folders (ownership + default ACLs + depth-limited chown/chmod) - Ensure default ACLs grant rwx to 'backup' and none to group/other; keep sudo rsync working Ref: ChatGPT discussion (2025-10-14) — https://chatgpt.com/share/68ee920a-9b98-800f-8806-ddcfe0255149
2025-11-16 10:06:29 +00:00 · 2025-10-14 20:10:49 +02:00
parent e54436821c
commit 05d7ddc491
14 changed files with 351 additions and 115 deletions
--- a/roles/sys-bkp-provider-user/tasks/02_permissions_ssh.yml
+++ b/roles/sys-bkp-provider-user/tasks/02_permissions_ssh.yml
@@ -0,0 +1,23 @@
+- name: create .ssh directory
+  file:
+    path: /home/backup/.ssh
+    state: directory
+    owner: backup
+    group: backup
+    mode: '0700'
+
+- name: create /home/backup/.ssh/authorized_keys
+  template:
+    src: "authorized_keys.j2"
+    dest: /home/backup/.ssh/authorized_keys
+    owner: backup
+    group: backup
+    mode: '0644'
+
+- name: create /home/backup/ssh-wrapper.sh
+  copy:
+    src: "ssh-wrapper.sh"
+    dest: /home/backup/ssh-wrapper.sh
+    owner: backup
+    group: backup
+    mode: '0700'