Another big round of refactoring and cleaning...

roles/sys-bkp-provider-user/README.md

@@ -0,0 +1,29 @@
+# User for Backup Provider 
+
+## Description
+
+This role sets up a dedicated backup user (`backup`) for performing secure backup operations. It creates the user, configures a restricted SSH environment with a custom `authorized_keys` template and an SSH wrapper script, and grants necessary sudo rights for executing rsync. This configuration helps ensure controlled and secure access specifically for backup processes.
+
+## Overview
+
+The role is a critical component in a secure backup scheme. By isolating backup operations to a dedicated user, it minimizes the risk of unauthorized actions. The role configures the SSH environment so that only specific, allowed commands can be executed, and it sets up passwordless sudo rights for rsync, ensuring smooth and secure backup operations.
+
+## Purpose
+
+The purpose of this role is to enhance the security of your backup system by providing a dedicated user with strict command restrictions. This controlled environment limits the potential damage from a compromised backup account while still allowing efficient backup operations.
+
+## Features
+
+- **User Creation:** Creates a dedicated `backup` user with a home directory.
+- **SSH Environment Setup:** Establishes a secure `.ssh` directory and deploys a restricted `authorized_keys` file via a Jinja2 template.
+- **SSH Wrapper Script:** Implements a custom SSH wrapper that logs and filters incoming SSH commands, enforcing security policies.
+- **Sudo Configuration:** Grants passwordless sudo rights for rsync, enabling secure and automated backup transfers.
+- **Integration:** Supports seamless integration with your backup infrastructure by limiting the backup user's permissions to only the required commands.
+
+## Other Resources
+
+For more details on how the role works and advanced configuration options, please see the related references below:
+- [Ansible Playbooks Lookups](https://docs.ansible.com/ansible/latest/user_guide/playbooks_lookups.html#id3)
+- [Restrict SSH to rsync](http://gergap.de/restrict-ssh-to-rsync.html)
+- [SSH Command Restrictions via authorized_keys](https://www.thomas-krenn.com/de/wiki/Ausf%C3%BChrbare_SSH-Kommandos_per_authorized_keys_einschr%C3%A4nken)
+- [Rsync and sudo integration](https://askubuntu.com/questions/719439/using-rsync-with-sudo-on-the-destination-machine)

roles/sys-bkp-provider-user/files/backup

@@ -0,0 +1 @@
+backup ALL=NOPASSWD:/usr/bin/rsync

roles/sys-bkp-provider-user/files/ssh-wrapper.sh

@@ -0,0 +1,38 @@
+#!/bin/sh
+
+# log command
+if [ -n "$SSH_ORIGINAL_COMMAND" ]
+then
+  echo "`/bin/date`: $SSH_ORIGINAL_COMMAND" | systemd-cat -t "ssh-wrapper.sh"
+fi
+
+# define executable commands
+get_hashed_machine_id="sha256sum /etc/machine-id";
+hashed_machine_id="$($get_hashed_machine_id | head -c 64)"
+get_backup_types="find /Backups/$hashed_machine_id/ -maxdepth 1 -type d -execdir basename {} ;";
+
+
+# @todo This configuration is not scalable yet. If other backup services then sys-bkp-docker-to-local are integrated, this logic needs to be optimized
+get_version_directories="ls -d /Backups/$hashed_machine_id/sys-bkp-docker-to-local/*"
+last_version_directory="$($get_version_directories | tail -1)"
+rsync_command="sudo rsync --server --sender -blogDtpre.iLsfxCIvu . $last_version_directory/"
+
+# filter commands
+case "$SSH_ORIGINAL_COMMAND" in
+	"$get_hashed_machine_id")
+		$get_hashed_machine_id
+		;;
+	"$get_version_directories")
+		$get_version_directories
+		;;
+	"$get_backup_types")
+		$get_backup_types
+		;;
+	"$rsync_command")
+		$rsync_command
+		;;
+	*)
+		echo "This command is not supported."
+		exit 1
+		;;
+esac

roles/sys-bkp-provider-user/meta/main.yml

@@ -0,0 +1,26 @@
+---
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: "Sets up a dedicated backup user with restricted SSH commands for backup operations. This role configures a backup user with custom SSH key restrictions and sudo rights, ensuring secure and controlled access for backup processes."
+  license: "CyMaIS NonCommercial License (CNCL)"
+  license_url: "https://s.veen.world/cncl"
+  company: |
+    Kevin Veen-Birkenbach
+    Consulting & Coaching Solutions
+    https://www.veen.world
+  min_ansible_version: "2.9"
+  platforms:
+    - name: Linux
+      versions:
+        - all
+  galaxy_tags:
+    - backup
+    - ssh
+    - user
+    - security
+    - automation
+  repository: "https://s.veen.world/cymais"
+  issue_tracker_url: "https://s.veen.world/cymaisissues"
+  documentation: "https://s.veen.world/cymais"
+dependencies:
+  - sys-svc-sshd

roles/sys-bkp-provider-user/tasks/main.yml

@@ -0,0 +1,47 @@
+- name: create backup user
+  user:
+    name: backup
+    create_home: yes
+  when: run_once_backups_provider_user is not defined
+
+- name: create .ssh directory
+  file:
+    path: /home/backup/.ssh
+    state: directory
+    owner: backup
+    group: backup
+    mode: '0700'
+  when: run_once_backups_provider_user is not defined
+
+- name: create /home/backup/.ssh/authorized_keys
+  template:
+    src: "authorized_keys.j2"
+    dest: /home/backup/.ssh/authorized_keys
+    owner: backup
+    group: backup
+    mode: '0644'
+  when: run_once_backups_provider_user is not defined
+
+- name: create /home/backup/ssh-wrapper.sh
+  copy:
+    src: "ssh-wrapper.sh"
+    dest: /home/backup/ssh-wrapper.sh
+    owner: backup
+    group: backup
+    mode: '0700'
+  when: run_once_backups_provider_user is not defined
+
+- name: grant backup sudo rights
+  copy:
+    src: "backup"
+    dest: /etc/sudoers.d/backup
+    mode: '0644'
+    owner: root
+    group: root
+  notify: sshd restart
+  when: run_once_backups_provider_user is not defined
+  
+- name: run the backups_provider_user tasks once
+  set_fact:
+    run_once_backups_provider_user: true
+  when: run_once_backups_provider_user is not defined

roles/sys-bkp-provider-user/templates/authorized_keys.j2

@@ -0,0 +1,3 @@
+{% for authorized_key in authorized_keys_list %}
+command="/home/backup/ssh-wrapper.sh" {{authorized_key}}
+{% endfor %}

roles/sys-bkp-provider-user/vars/main.yml

@@ -0,0 +1,3 @@
+authorized_keys_path: '{{ inventory_dir }}/files/{{ inventory_hostname }}/home/backup/.ssh/authorized_keys'
+authorized_keys_list: '{{ lookup(''file'', authorized_keys_path).splitlines() }}'
+