implemented new remote backup solution

2025-10-31 02:10:05 +00:00 · 2021-01-10 20:35:37 +01:00
parent 2328b411f6
commit dc0894f168
14 changed files with 120 additions and 10 deletions
--- a/roles/native-primary-backup/meta/main.yml
+++ b/roles/native-primary-backup/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+- native-user-backup
--- a/roles/native-primary-backup/readme.md
+++ b/roles/native-primary-backup/readme.md
@@ -0,0 +1,12 @@
+# role native-primary-backup-host
+
+## todo
+- add full system backup
+
+## see
+- https://www.thegeekstuff.com/2012/03/chroot-sftp-setup/
+- https://serverfault.com/questions/135618/is-it-possible-to-use-rsync-over-sftp-without-an-ssh-shell
+- https://forum.duplicati.com/t/sftp-ssh-backups-to-a-linux-server-with-added-security/7334
+- https://serverfault.com/questions/287578/trying-to-setup-chrootd-rsync
+- http://ramblings.narrabilis.com/using-rsync-with-ssh
+- https://wiki.archlinux.org/index.php/rsync
--- a/roles/native-primary-backup/tasks/main.yml
+++ b/roles/native-primary-backup/tasks/main.yml
@@ -0,0 +1,16 @@
+# Create sftp group
+# groupadd sftpusers
+# useradd -g sftpusers -d /incoming -s /sbin/nologin guestuser
+# passwd guestuser
+# grep guestuser /etc/passwd
+# usermod -g sftpusers -d /incoming -s /sbin/nologin john
+# Subsystem       sftp    internal-sftp > /etc/ssh/sshd_config
+# tail /etc/ssh/sshd_config
+# mkdir /sftp
+# mkdir /sftp/guestuser
+# mkdir /sftp/guestuser/incoming
+# chown guestuser:sftpusers /sftp/guestuser/incoming
+# ls -ld /sftp/guestuser/incoming
+# ls -ld /sftp/guestuser
+# ls -ld /sftp
+# service sshd restart
--- a/roles/native-pull-remote-backups/Readme.md
+++ b/roles/native-pull-remote-backups/Readme.md
@@ -1,6 +1,15 @@
 # role native-pull-remote-backups

+## goal
+This script allows to pull backups from a remote server.
+
+## scheme
+It is part of the following scheme:
+![backup scheme](https://www.veen.world/wp-content/uploads/2020/12/server-backup-768x567.jpg) <br />
+Further information you will find [in this blog post](https://www.veen.world/2020/12/26/how-i-backup-dedicated-root-servers/).
+
 ## debug
+
 ### live
 To track what the service is doing execute the following command:

--- a/roles/native-pull-remote-backups/files/pull-remote-backup.sh
+++ b/roles/native-pull-remote-backups/files/pull-remote-backup.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# @param $1 hostname from which backup should be pulled
+source_host="backup@$1"
+source_machine_id="$( (ssh "$source_host" sha256sum /etc/machine-id) | head -c 64)"
+source_path="/Backups/$source_machine_id/"
+directories="$(ssh "$source_host" find "$source_path" -maxdepth 1 -type d)"
+for folder in $directories; do
+  if [ "$folder" != "$source_path" ]; then
+    diff_path="$folder/diffs/$(date '+%Y%m%d%H%M%S')/"
+    latest_path="$folder/latest/"
+    remote_source_path="$source_host:$latest_path"
+    log_path="$folder/log.txt"
+    mkdir -vp "$latest_path"
+    mkdir -vp "$diff_path"
+    rsync -abvv --delete --delete-excluded --rsync-path="sudo rsync" --log-file="$log_path" --backup-dir="$diff_path" "$remote_source_path" "$latest_path" || exit 1
+  fi
+done
--- a/roles/native-pull-remote-backups/tasks/main.yml
+++ b/roles/native-pull-remote-backups/tasks/main.yml
@@ -1,16 +1,15 @@
- name: pull-remote-backups git
-  git:
-    repo: "https://github.com/kevinveenbirkenbach/pull-remote-backup.git"
-    dest: "/usr/local/bin/pull-remote-backup"
-    update: yes
+- name: create pull-remote-backup.sh
+  copy:
+    src: pull-remote-backup.sh
+    dest: "/usr/local/bin/pull-remote-backup.sh"

- name: configure pull-remote-backups.service.tpl
+- name: create pull-remote-backups.service
  template: src=pull-remote-backups.service dest=/etc/systemd/system/pull-remote-backups.service
  notify: restart pull-remote-backups service

- name: configure pull-remote-backups.timer.tpl
+- name: create pull-remote-backups.timer
  template: src=pull-remote-backups.timer dest=/etc/systemd/system/pull-remote-backups.timer
  notify: restart pull-remote-backups timer

- name: configure pull-remote-backups.sh
-  template: src=pull-remote-backups.sh dest=/usr/local/bin/pull-remote-backup/pull-remote-backups.sh
+- name: create pull-remote-backups.sh
+  template: src=pull-remote-backups.sh dest=/usr/local/bin/pull-remote-backups.sh
--- a/roles/native-pull-remote-backups/templates/pull-remote-backups.sh
+++ b/roles/native-pull-remote-backups/templates/pull-remote-backups.sh
@@ -1,7 +1,8 @@
 #!/bin/bash
+# Pulls the remote backups from multiple hosts
 hosts="{{pull_remote_backups_hosts}}";
 errors=0
 for host in $hosts; do
-        bash /usr/local/bin/pull-remote-backup/pull-remote-backup.sh $host || ((errors+=1));
+        bash /usr/local/bin/pull-remote-backup.sh $host || ((errors+=1));
 done;
 exit $errors;
--- a/roles/native-user-backup/files/backup
+++ b/roles/native-user-backup/files/backup
@@ -0,0 +1 @@
+backup ALL=NOPASSWD:/usr/bin/rsync
--- a/roles/native-user-backup/meta/main.yml
+++ b/roles/native-user-backup/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+- native-sshd
--- a/roles/native-user-backup/readme.md
+++ b/roles/native-user-backup/readme.md
@@ -0,0 +1,12 @@
+# role native-user-backup
+User for backups
+
+## todo
+- add from="192.168.0.10" to authorized_keys as soon as wireguard is fully setup
+
+# see
+- https://docs.ansible.com/ansible/latest/user_guide/playbooks_lookups.html#id3
+- https://stackoverflow.com/questions/34722761/ansible-read-remote-file
+- http://gergap.de/restrict-ssh-to-rsync.html
+- https://unix.stackexchange.com/questions/276198/allow-the-restricted-rsync-rrsync-script-for-arbitrary-directories-with-author
+- https://askubuntu.com/questions/719439/using-rsync-with-sudo-on-the-destination-machine
--- a/roles/native-user-backup/tasks/main.yml
+++ b/roles/native-user-backup/tasks/main.yml
@@ -0,0 +1,33 @@
+- name: create backup user
+  user:
+    name: backup
+    create_home: yes
+
+- name: create .ssh directory
+  file:
+    path: /home/backup/.ssh
+    state: directory
+    owner: backup
+    group: backup
+    mode: '0700'
+
+- name: register hashed_machine_id
+  shell: sha256sum /etc/machine-id | head -c 64
+  register: hashed_machine_id
+
+- name: create /home/backup/.ssh/authorized_keys
+  template:
+    src: "authorized_keys.j2"
+    dest: /home/backup/.ssh/authorized_keys
+    owner: backup
+    group: backup
+    mode: '0644'
+
+- name: grant backup sudo rights with password
+  copy:
+    src: "backup"
+    dest: /etc/sudoers.d/backup
+    mode: '0644'
+    owner: root
+    group: root
+  notify: sshd restart
--- a/roles/native-user-backup/templates/authorized_keys.j2
+++ b/roles/native-user-backup/templates/authorized_keys.j2
@@ -0,0 +1,3 @@
+#command="/bin/echo You invoked: $SSH_ORIGINAL_COMMAND" {{authorized_keys}}
+#command='rsync -abvv --delete --delete-excluded --rsync-path="sudo rsync" --log-file="$log_path" --backup-dir="$diff_path" "$remote_source_path" "$latest_path"',no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding {{authorized_keys}}
+{{authorized_keys}}
--- a/roles/native-user-backup/vars/main.yml
+++ b/roles/native-user-backup/vars/main.yml
@@ -0,0 +1,2 @@
+authorized_keys_path: "{{ inventory_dir }}/files/{{ inventory_hostname }}/home/backup/.ssh/authorized_keys"
+authorized_keys: "{{ lookup('file', authorized_keys_path) }}"