implemented new remote backup solution

2025-08-29 15:06:26 +02:00 · 2021-01-10 20:35:37 +01:00
parent 2328b411f6
commit dc0894f168
14 changed files with 120 additions and 10 deletions
--- a/roles/native-user-backup/files/backup
+++ b/roles/native-user-backup/files/backup
@@ -0,0 +1 @@
+backup ALL=NOPASSWD:/usr/bin/rsync
--- a/roles/native-user-backup/meta/main.yml
+++ b/roles/native-user-backup/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+- native-sshd
--- a/roles/native-user-backup/readme.md
+++ b/roles/native-user-backup/readme.md
@@ -0,0 +1,12 @@
+# role native-user-backup
+User for backups
+
+## todo
+- add from="192.168.0.10" to authorized_keys as soon as wireguard is fully setup
+
+# see
+- https://docs.ansible.com/ansible/latest/user_guide/playbooks_lookups.html#id3
+- https://stackoverflow.com/questions/34722761/ansible-read-remote-file
+- http://gergap.de/restrict-ssh-to-rsync.html
+- https://unix.stackexchange.com/questions/276198/allow-the-restricted-rsync-rrsync-script-for-arbitrary-directories-with-author
+- https://askubuntu.com/questions/719439/using-rsync-with-sudo-on-the-destination-machine
--- a/roles/native-user-backup/tasks/main.yml
+++ b/roles/native-user-backup/tasks/main.yml
@@ -0,0 +1,33 @@
+- name: create backup user
+  user:
+    name: backup
+    create_home: yes
+
+- name: create .ssh directory
+  file:
+    path: /home/backup/.ssh
+    state: directory
+    owner: backup
+    group: backup
+    mode: '0700'
+
+- name: register hashed_machine_id
+  shell: sha256sum /etc/machine-id | head -c 64
+  register: hashed_machine_id
+
+- name: create /home/backup/.ssh/authorized_keys
+  template:
+    src: "authorized_keys.j2"
+    dest: /home/backup/.ssh/authorized_keys
+    owner: backup
+    group: backup
+    mode: '0644'
+
+- name: grant backup sudo rights with password
+  copy:
+    src: "backup"
+    dest: /etc/sudoers.d/backup
+    mode: '0644'
+    owner: root
+    group: root
+  notify: sshd restart
--- a/roles/native-user-backup/templates/authorized_keys.j2
+++ b/roles/native-user-backup/templates/authorized_keys.j2
@@ -0,0 +1,3 @@
+#command="/bin/echo You invoked: $SSH_ORIGINAL_COMMAND" {{authorized_keys}}
+#command='rsync -abvv --delete --delete-excluded --rsync-path="sudo rsync" --log-file="$log_path" --backup-dir="$diff_path" "$remote_source_path" "$latest_path"',no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding {{authorized_keys}}
+{{authorized_keys}}
--- a/roles/native-user-backup/vars/main.yml
+++ b/roles/native-user-backup/vars/main.yml
@@ -0,0 +1,2 @@
+authorized_keys_path: "{{ inventory_dir }}/files/{{ inventory_hostname }}/home/backup/.ssh/authorized_keys"
+authorized_keys: "{{ lookup('file', authorized_keys_path) }}"