From dc0894f168a8ea2e9b90715b3dc69460b0060357 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Sun, 10 Jan 2021 20:35:37 +0100
Subject: [PATCH] implemented new remote backup solution
---
 roles/native-primary-backup/meta/main.yml | 2 ++
 roles/native-primary-backup/readme.md | 12 +++++++
 roles/native-primary-backup/tasks/main.yml | 16 +++++++++
 roles/native-pull-remote-backups/Readme.md | 9 +++++
 .../files/pull-remote-backup.sh | 17 ++++++++++
 .../native-pull-remote-backups/tasks/main.yml | 17 +++++-----
 .../templates/pull-remote-backups.sh | 3 +-
 roles/native-user-backup/files/backup | 1 +
 roles/native-user-backup/meta/main.yml | 2 ++
 roles/native-user-backup/readme.md | 12 +++++++
 roles/native-user-backup/tasks/main.yml | 33 +++++++++++++++++++
 .../templates/authorized_keys.j2 | 3 ++
 roles/native-user-backup/vars/main.yml | 2 ++
 site.yml | 1 +
 14 files changed, 120 insertions(+), 10 deletions(-)
 create mode 100644 roles/native-primary-backup/meta/main.yml
 create mode 100644 roles/native-primary-backup/readme.md
 create mode 100644 roles/native-primary-backup/tasks/main.yml
 create mode 100644 roles/native-pull-remote-backups/files/pull-remote-backup.sh
 create mode 100644 roles/native-user-backup/files/backup
 create mode 100644 roles/native-user-backup/meta/main.yml
 create mode 100644 roles/native-user-backup/readme.md
 create mode 100644 roles/native-user-backup/tasks/main.yml
 create mode 100644 roles/native-user-backup/templates/authorized_keys.j2
 create mode 100644 roles/native-user-backup/vars/main.yml
diff --git a/roles/native-primary-backup/meta/main.yml b/roles/native-primary-backup/meta/main.yml
new file mode 100644
index 00000000..39254757
--- /dev/null
+++ b/roles/native-primary-backup/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+- native-user-backup
diff --git a/roles/native-primary-backup/readme.md b/roles/native-primary-backup/readme.md
new file mode 100644
index 00000000..0caf853e
--- /dev/null
+++ b/roles/native-primary-backup/readme.md
@@ -0,0 +1,12 @@
+# role native-primary-backup-host
+
+## todo
+- add full system backup
+
+## see
+- https://www.thegeekstuff.com/2012/03/chroot-sftp-setup/
+- https://serverfault.com/questions/135618/is-it-possible-to-use-rsync-over-sftp-without-an-ssh-shell
+- https://forum.duplicati.com/t/sftp-ssh-backups-to-a-linux-server-with-added-security/7334
+- https://serverfault.com/questions/287578/trying-to-setup-chrootd-rsync
+- http://ramblings.narrabilis.com/using-rsync-with-ssh
+- https://wiki.archlinux.org/index.php/rsync
diff --git a/roles/native-primary-backup/tasks/main.yml b/roles/native-primary-backup/tasks/main.yml
new file mode 100644
index 00000000..8e70ed94
--- /dev/null
+++ b/roles/native-primary-backup/tasks/main.yml
@@ -0,0 +1,16 @@
+# Create sftp group
+# groupadd sftpusers
+# useradd -g sftpusers -d /incoming -s /sbin/nologin guestuser
+# passwd guestuser
+# grep guestuser /etc/passwd
+# usermod -g sftpusers -d /incoming -s /sbin/nologin john
+# Subsystem sftp internal-sftp > /etc/ssh/sshd_config
+# tail /etc/ssh/sshd_config
+# mkdir /sftp
+# mkdir /sftp/guestuser
+# mkdir /sftp/guestuser/incoming
+# chown guestuser:sftpusers /sftp/guestuser/incoming
+# ls -ld /sftp/guestuser/incoming
+# ls -ld /sftp/guestuser
+# ls -ld /sftp
+# service sshd restart
diff --git a/roles/native-pull-remote-backups/Readme.md b/roles/native-pull-remote-backups/Readme.md
index 3a35d84a..aecf64a0 100644
--- a/roles/native-pull-remote-backups/Readme.md
+++ b/roles/native-pull-remote-backups/Readme.md
@@ -1,6 +1,15 @@
 # role native-pull-remote-backups
+## goal
+This script allows to pull backups from a remote server.
+
+## scheme
+It is part of the following scheme:
+![backup scheme](https://www.veen.world/wp-content/uploads/2020/12/server-backup-768x567.jpg)
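Review bot: The reference procedure on the `Subsystem` line would, if ever run as written, truncate the ssh daemon configuration: in `Subsystem sftp internal-sftp > /etc/ssh/sshd_config` the shell applies the redirect (emptying the file) before it fails to find a `Subsystem` command, so the line should read `echo 'Subsystem sftp internal-sftp' >> /etc/ssh/sshd_config`, or better be left to the native-sshd role that native-user-backup already depends on. Every line of this tasks file is a comment, so the role currently does nothing beyond pulling in its meta dependency; a header such as `# TODO: placeholder – the chroot-sftp notes below are not implemented, the backup account is set up by native-user-backup` would make that explicit for anyone reading site.yml. The notes also describe a `guestuser` with `/sbin/nologin`, which does not match the `backup` user created elsewhere in this commit, so the two designs should be reconciled before the notes become tasks.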
+Further information you will find [in this blog post](https://www.veen.world/2020/12/26/how-i-backup-dedicated-root-servers/).
+
 ## debug
+
 ### live
 To track what the service is doing execute the following command:
diff --git a/roles/native-pull-remote-backups/files/pull-remote-backup.sh b/roles/native-pull-remote-backups/files/pull-remote-backup.sh
new file mode 100644
index 00000000..26c74538
--- /dev/null
+++ b/roles/native-pull-remote-backups/files/pull-remote-backup.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# @param $1 hostname from which backup should be pulled
+source_host="backup@$1"
+source_machine_id="$( (ssh "$source_host" sha256sum /etc/machine-id) | head -c 64)"
+source_path="/Backups/$source_machine_id/"
+directories="$(ssh "$source_host" find "$source_path" -maxdepth 1 -type d)"
+for folder in $directories; do
+ if [ "$folder" != "$source_path" ]; then
+ diff_path="$folder/diffs/$(date '+%Y%m%d%H%M%S')/"
+ latest_path="$folder/latest/"
+ remote_source_path="$source_host:$latest_path"
+ log_path="$folder/log.txt"
+ mkdir -vp "$latest_path"
+ mkdir -vp "$diff_path"
+ rsync -abvv --delete --delete-excluded --rsync-path="sudo rsync" --log-file="$log_path" --backup-dir="$diff_path" "$remote_source_path" "$latest_path" || exit 1
+ fi
+done
diff --git a/roles/native-pull-remote-backups/tasks/main.yml b/roles/native-pull-remote-backups/tasks/main.yml
index b4b5f042..28d73c29 100644
--- a/roles/native-pull-remote-backups/tasks/main.yml
+++ b/roles/native-pull-remote-backups/tasks/main.yml
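Review bot: `source_machine_id` is never validated, so when the first `ssh` fails (host down, key rejected) the `head` pipeline still succeeds, the variable is empty, `source_path` becomes `/Backups//`, and the loop goes on to list and `mkdir` under the whole `/Backups` root before rsync finally fails — `|| exit 1` only guards the rsync step. Fail early instead: `set -euo pipefail` under the shebang plus `[ "${#source_machine_id}" -eq 64 ] || exit 1` after the assignment keeps a connectivity error from touching other hosts' backup trees. The unquoted `$directories` expansion splits on any whitespace in remote directory names, which is tolerable only while this project controls the remote layout; a `while read -r folder` loop over the find output would be the robust form. Note that `--rsync-path="sudo rsync"` is what drives the NOPASSWD sudoers entry in files/backup, so any narrowing of that rule must match the exact options this line sends.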
@@ -1,16 +1,15 @@
-- name: pull-remote-backups git
- git:
- repo: "https://github.com/kevinveenbirkenbach/pull-remote-backup.git"
- dest: "/usr/local/bin/pull-remote-backup"
- update: yes
+- name: create pull-remote-backup.sh
+ copy:
+ src: pull-remote-backup.sh
+ dest: "/usr/local/bin/pull-remote-backup.sh"
-- name: configure pull-remote-backups.service.tpl
+- name: create pull-remote-backups.service
 template: src=pull-remote-backups.service dest=/etc/systemd/system/pull-remote-backups.service
 notify: restart pull-remote-backups service
-- name: configure pull-remote-backups.timer.tpl
+- name: create pull-remote-backups.timer
 template: src=pull-remote-backups.timer dest=/etc/systemd/system/pull-remote-backups.timer
 notify: restart pull-remote-backups timer
-- name: configure pull-remote-backups.sh
- template: src=pull-remote-backups.sh dest=/usr/local/bin/pull-remote-backup/pull-remote-backups.sh
+- name: create pull-remote-backups.sh
+ template: src=pull-remote-backups.sh dest=/usr/local/bin/pull-remote-backups.sh
diff --git a/roles/native-pull-remote-backups/templates/pull-remote-backups.sh b/roles/native-pull-remote-backups/templates/pull-remote-backups.sh
index 39e6e369..e7353246 100644
--- a/roles/native-pull-remote-backups/templates/pull-remote-backups.sh
+++ b/roles/native-pull-remote-backups/templates/pull-remote-backups.sh
@@ -1,7 +1,8 @@
 #!/bin/bash
+# Pulls the remote backups from multiple hosts
 hosts="{{pull_remote_backups_hosts}}";
 errors=0
 for host in $hosts; do
- bash /usr/local/bin/pull-remote-backup/pull-remote-backup.sh $host || ((errors+=1));
+ bash /usr/local/bin/pull-remote-backup.sh $host || ((errors+=1));
 done;
 exit $errors;
diff --git a/roles/native-user-backup/files/backup b/roles/native-user-backup/files/backup
new file mode 100644
index 00000000..e1de1a3b
--- /dev/null
+++ b/roles/native-user-backup/files/backup
@@ -0,0 +1 @@
+backup ALL=NOPASSWD:/usr/bin/rsync
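Review bot: The new copy task installs pull-remote-backup.sh with no `mode:`, `owner:` or `group:`, so the script that a systemd service later runs (and which drives `sudo rsync` on every backed-up host) takes whatever the remote umask and connecting account give it; pin it with `mode: '0755'`, `owner: root`, `group: root`, and the same for the template task for pull-remote-backups.sh at the end of the hunk. The old git checkout at `/usr/local/bin/pull-remote-backup` is no longer referenced but is never removed, so hosts upgraded in place keep a stale copy of the old script; add `- name: remove legacy pull-remote-backup checkout` with `file: path=/usr/local/bin/pull-remote-backup state=absent`. That the unit runs as root is inferred from the `/etc/systemd/system` destination and should be confirmed against the service template, which is outside this diff.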
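Review bot: A failing host is counted in `errors` but never named, so the journal the Readme points to shows only rsync's own output and a final non-zero exit; `bash /usr/local/bin/pull-remote-backup.sh "$host" || { echo "pull from $host failed" >&2; ((errors+=1)); }` records which host failed and quotes `$host` at the same time. The loop relies on `pull_remote_backups_hosts` rendering as a space-separated string rather than a YAML list — presumably it does, but that contract is worth a comment on the `hosts=` line.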
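Review bot: `backup ALL=NOPASSWD:/usr/bin/rsync` lets the backup account run rsync as root with arbitrary arguments, which means whoever holds the pull server's key can read and write any file on every backed-up host, not merely serve the backup tree; together with the unrestricted authorized_keys.j2 in this commit that makes one private key equivalent to root on all clients. Narrow the rule to the server-side invocation the puller actually triggers, e.g. `backup ALL=NOPASSWD:/usr/bin/rsync --server --sender *` (take the exact argument string from the sudo log of a real run, and remember that a sudoers `*` also matches spaces, so this narrows rather than guarantees), and pair it with a `command=` restriction on the key. A one-line comment in the fragment, e.g. `# pull server may run rsync as root in sender mode only`, would record the intent, since sudoers.d files are rarely revisited.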
diff --git a/roles/native-user-backup/meta/main.yml b/roles/native-user-backup/meta/main.yml
new file mode 100644
index 00000000..94856f23
--- /dev/null
+++ b/roles/native-user-backup/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+- native-sshd
diff --git a/roles/native-user-backup/readme.md b/roles/native-user-backup/readme.md
new file mode 100644
index 00000000..dd363802
--- /dev/null
+++ b/roles/native-user-backup/readme.md
@@ -0,0 +1,12 @@
+# role native-user-backup
+User for backups
+
+## todo
+- add from="192.168.0.10" to authorized_keys as soon as wireguard is fully setup
+
+# see
+- https://docs.ansible.com/ansible/latest/user_guide/playbooks_lookups.html#id3
+- https://stackoverflow.com/questions/34722761/ansible-read-remote-file
+- http://gergap.de/restrict-ssh-to-rsync.html
+- https://unix.stackexchange.com/questions/276198/allow-the-restricted-rsync-rrsync-script-for-arbitrary-directories-with-author
+- https://askubuntu.com/questions/719439/using-rsync-with-sudo-on-the-destination-machine
diff --git a/roles/native-user-backup/tasks/main.yml b/roles/native-user-backup/tasks/main.yml
new file mode 100644
index 00000000..1ca42b71
--- /dev/null
+++ b/roles/native-user-backup/tasks/main.yml
@@ -0,0 +1,33 @@
+- name: create backup user
+ user:
+ name: backup
+ create_home: yes
+
+- name: create .ssh directory
+ file:
+ path: /home/backup/.ssh
+ state: directory
+ owner: backup
+ group: backup
+ mode: '0700'
+
+- name: register hashed_machine_id
+ shell: sha256sum /etc/machine-id | head -c 64
+ register: hashed_machine_id
+
+- name: create /home/backup/.ssh/authorized_keys
+ template:
+ src: "authorized_keys.j2"
+ dest: /home/backup/.ssh/authorized_keys
+ owner: backup
+ group: backup
+ mode: '0644'
+
+- name: grant backup sudo rights with password
+ copy:
+ src: "backup"
+ dest: /etc/sudoers.d/backup
+ mode: '0644'
+ owner: root
+ group: root
+ notify: sshd restart
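Review bot: The sudoers fragment is copied without `validate: 'visudo -cf %s'`, so a typo in files/backup is installed as-is and sudo then refuses every invocation on that host until the file is repaired by other means; add the validate option and use `mode: '0440'`, the conventional permission for sudoers.d, instead of `'0644'`. The task name says "with password" while the file grants `NOPASSWD`, and `notify: sshd restart` has nothing to do with a sudoers change (the handler presumably comes from the native-sshd dependency) — rename it `grant backup passwordless sudo for rsync` and drop the notify. Two smaller points in the same hunk: `hashed_machine_id` is registered but not consumed by authorized_keys.j2 in this commit, and `create_home: yes` should be `true` to satisfy yamllint's truthy rule.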
diff --git a/roles/native-user-backup/templates/authorized_keys.j2 b/roles/native-user-backup/templates/authorized_keys.j2
new file mode 100644
index 00000000..dda80838
--- /dev/null
+++ b/roles/native-user-backup/templates/authorized_keys.j2
@@ -0,0 +1,3 @@
+#command="/bin/echo You invoked: $SSH_ORIGINAL_COMMAND" {{authorized_keys}}
+#command='rsync -abvv --delete --delete-excluded --rsync-path="sudo rsync" --log-file="$log_path" --backup-dir="$diff_path" "$remote_source_path" "$latest_path"',no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding {{authorized_keys}}
+{{authorized_keys}}
diff --git a/roles/native-user-backup/vars/main.yml b/roles/native-user-backup/vars/main.yml
new file mode 100644
index 00000000..b6a2ce98
--- /dev/null
+++ b/roles/native-user-backup/vars/main.yml
@@ -0,0 +1,2 @@
+authorized_keys_path: "{{ inventory_dir }}/files/{{ inventory_hostname }}/home/backup/.ssh/authorized_keys"
+authorized_keys: "{{ lookup('file', authorized_keys_path) }}"
diff --git a/site.yml b/site.yml
index 483ce387..406c90e3 100644
--- a/site.yml
+++ b/site.yml
@@ -23,6 +23,7 @@ roles:
 - role: native-docker-volume-backup
 when: "'error:' not in pacman_q_docker.stderr"
+ - role: native-primary-backup
 - name: setup nginx hosts
 hosts: nginx_hosts
 become: true
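Review bot: The only active line is a bare `{{authorized_keys}}`, with both restrictive variants commented out, so the pull server's key gets a full interactive login as `backup` — pty, agent and port forwarding included — on top of the rsync sudo grant from files/backup. At minimum ship `no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding {{authorized_keys}}` (or `restrict` on OpenSSH 7.2+); a `command=` pointing at a fixed wrapper such as the rrsync the readme already cites, plus the `from=` clause listed as a todo, close the rest. Key options prefix a single key line, so if the looked-up file holds more than one key the options would apply to the first only — worth a comment in the template, since the file's contents are not visible here. The second commented line also cannot work as written: a forced command runs on the server with sshd's environment, where `$log_path`, `$diff_path` and the other puller-side variables expand to nothing.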