Refactored native-

2025-08-29 15:06:26 +02:00 · 2023-09-02 13:13:28 +02:00
parent c11333be9a
commit 96b0d10ea8
169 changed files with 94 additions and 94 deletions
--- a/roles/backups-provider-user/files/backup
+++ b/roles/backups-provider-user/files/backup
@@ -0,0 +1 @@
+backup ALL=NOPASSWD:/usr/bin/rsync
--- a/roles/backups-provider-user/files/ssh-wrapper.sh
+++ b/roles/backups-provider-user/files/ssh-wrapper.sh
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+# log command
+if [ -n "$SSH_ORIGINAL_COMMAND" ]
+then
+  echo "`/bin/date`: $SSH_ORIGINAL_COMMAND" | systemd-cat -t "ssh-wrapper.sh"
+fi
+
+# define executable commands
+get_hashed_machine_id="sha256sum /etc/machine-id";
+hashed_machine_id="$($get_hashed_machine_id | head -c 64)"
+get_backup_types="find /Backups/$hashed_machine_id/ -maxdepth 1 -type d -execdir basename {} ;";
+
+
+# @todo This configuration is not scalable yet. If other backup services then docker-volume-backup are integrated, this logic needs to be optimized
+get_version_directories="ls -d /Backups/$hashed_machine_id/docker-volume-backup/*"
+last_version_directory="$($get_version_directories | tail -1)"
+rsync_command="sudo rsync --server --sender -blogDtpre.iLsfxCIvu . $last_version_directory/"
+
+# filter commands
+case "$SSH_ORIGINAL_COMMAND" in
+	"$get_hashed_machine_id")
+		$get_hashed_machine_id
+		;;
+	"$get_version_directories")
+		$get_version_directories
+		;;
+	"$get_backup_types")
+		$get_backup_types
+		;;
+	"$rsync_command")
+		$rsync_command
+		;;
+	*)
+		echo "This command is not supported."
+		exit 1
+		;;
+esac
--- a/roles/backups-provider-user/meta/main.yml
+++ b/roles/backups-provider-user/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+- sshd
--- a/roles/backups-provider-user/readme.md
+++ b/roles/backups-provider-user/readme.md
@@ -0,0 +1,14 @@
+# role backups-provider-user
+User for backups
+
+## todo
+- optimize authorized_keys.j2 for multiple pull clients
+
+# see
+- https://docs.ansible.com/ansible/latest/user_guide/playbooks_lookups.html#id3
+- https://stackoverflow.com/questions/34722761/ansible-read-remote-file
+- http://gergap.de/restrict-ssh-to-rsync.html
+- https://unix.stackexchange.com/questions/276198/allow-the-restricted-rsync-rrsync-script-for-arbitrary-directories-with-author
+- https://askubuntu.com/questions/719439/using-rsync-with-sudo-on-the-destination-machine
+- https://www.thomas-krenn.com/de/wiki/Ausf%C3%BChrbare_SSH-Kommandos_per_authorized_keys_einschr%C3%A4nken
+- https://serverfault.com/questions/793669/what-is-the-rsync-option-logdtprze-ilsf-for/793676
--- a/roles/backups-provider-user/tasks/main.yml
+++ b/roles/backups-provider-user/tasks/main.yml
@@ -0,0 +1,37 @@
+- name: create backup user
+  user:
+    name: backup
+    create_home: yes
+
+- name: create .ssh directory
+  file:
+    path: /home/backup/.ssh
+    state: directory
+    owner: backup
+    group: backup
+    mode: '0700'
+
+- name: create /home/backup/.ssh/authorized_keys
+  template:
+    src: "authorized_keys.j2"
+    dest: /home/backup/.ssh/authorized_keys
+    owner: backup
+    group: backup
+    mode: '0644'
+
+- name: create /home/backup/ssh-wrapper.sh
+  copy:
+    src: "ssh-wrapper.sh"
+    dest: /home/backup/ssh-wrapper.sh
+    owner: backup
+    group: backup
+    mode: '0700'
+
+- name: grant backup sudo rights
+  copy:
+    src: "backup"
+    dest: /etc/sudoers.d/backup
+    mode: '0644'
+    owner: root
+    group: root
+  notify: sshd restart
--- a/roles/backups-provider-user/templates/authorized_keys.j2
+++ b/roles/backups-provider-user/templates/authorized_keys.j2
@@ -0,0 +1,3 @@
+{% for authorized_key in authorized_keys_list %}
+command="/home/backup/ssh-wrapper.sh" {{authorized_key}}
+{% endfor %}
--- a/roles/backups-provider-user/vars/main.yml
+++ b/roles/backups-provider-user/vars/main.yml
@@ -0,0 +1,2 @@
+authorized_keys_path: "{{ inventory_dir }}/files/{{ inventory_hostname }}/home/backup/.ssh/authorized_keys"
+authorized_keys_list: "{{ lookup('file', authorized_keys_path).splitlines() }}"