implemented new remote backup solution

2024-11-22 20:51:07 +01:00 · 2021-01-10 20:35:37 +01:00 · 2021-01-10 20:35:37 +01:00 · dc0894f168
commit dc0894f168
parent 2328b411f6
14 changed files with 120 additions and 10 deletions
--- a/roles/native-primary-backup/meta/main.yml
+++ b/roles/native-primary-backup/meta/main.yml
@ -0,0 +1,2 @@
 dependencies:
 - native-user-backup
--- a/roles/native-primary-backup/readme.md
+++ b/roles/native-primary-backup/readme.md
@ -0,0 +1,12 @@
 # role native-primary-backup-host
 ## todo
 - add full system backup
 ## see
 - https://www.thegeekstuff.com/2012/03/chroot-sftp-setup/
 - https://serverfault.com/questions/135618/is-it-possible-to-use-rsync-over-sftp-without-an-ssh-shell
 - https://forum.duplicati.com/t/sftp-ssh-backups-to-a-linux-server-with-added-security/7334
 - https://serverfault.com/questions/287578/trying-to-setup-chrootd-rsync
 - http://ramblings.narrabilis.com/using-rsync-with-ssh
 - https://wiki.archlinux.org/index.php/rsync
--- a/roles/native-primary-backup/tasks/main.yml
+++ b/roles/native-primary-backup/tasks/main.yml
@ -0,0 +1,16 @@
 # Create sftp group
 # groupadd sftpusers
 # useradd -g sftpusers -d /incoming -s /sbin/nologin guestuser
 # passwd guestuser
 # grep guestuser /etc/passwd
 # usermod -g sftpusers -d /incoming -s /sbin/nologin john
 # Subsystem       sftp    internal-sftp > /etc/ssh/sshd_config
 # tail /etc/ssh/sshd_config
 # mkdir /sftp
 # mkdir /sftp/guestuser
 # mkdir /sftp/guestuser/incoming
 # chown guestuser:sftpusers /sftp/guestuser/incoming
 # ls -ld /sftp/guestuser/incoming
 # ls -ld /sftp/guestuser
 # ls -ld /sftp
 # service sshd restart
--- a/roles/native-pull-remote-backups/Readme.md
+++ b/roles/native-pull-remote-backups/Readme.md
@ -1,6 +1,15 @@
 # role native-pull-remote-backups
 ## goal
 This script allows to pull backups from a remote server.
 ## scheme
 It is part of the following scheme:
 ![backup scheme](https://www.veen.world/wp-content/uploads/2020/12/server-backup-768x567.jpg) <br />
 Further information you will find [in this blog post](https://www.veen.world/2020/12/26/how-i-backup-dedicated-root-servers/).
 ## debug
 ### live
 To track what the service is doing execute the following command:
--- a/roles/native-pull-remote-backups/files/pull-remote-backup.sh
+++ b/roles/native-pull-remote-backups/files/pull-remote-backup.sh
@ -0,0 +1,17 @@
 #!/bin/bash
 # @param $1 hostname from which backup should be pulled
 source_host="backup@$1"
 source_machine_id="$( (ssh "$source_host" sha256sum /etc/machine-id) | head -c 64)"
 source_path="/Backups/$source_machine_id/"
 directories="$(ssh "$source_host" find "$source_path" -maxdepth 1 -type d)"
 for folder in $directories; do
  if [ "$folder" != "$source_path" ]; then
    diff_path="$folder/diffs/$(date '+%Y%m%d%H%M%S')/"
    latest_path="$folder/latest/"
    remote_source_path="$source_host:$latest_path"
    log_path="$folder/log.txt"
    mkdir -vp "$latest_path"
    mkdir -vp "$diff_path"
    rsync -abvv --delete --delete-excluded --rsync-path="sudo rsync" --log-file="$log_path" --backup-dir="$diff_path" "$remote_source_path" "$latest_path" || exit 1
  fi
 done
--- a/roles/native-pull-remote-backups/tasks/main.yml
+++ b/roles/native-pull-remote-backups/tasks/main.yml
@ -1,16 +1,15 @@
- name: pull-remote-backups git
+- name: create pull-remote-backup.sh
-  git:
+  copy:
-    repo: "https://github.com/kevinveenbirkenbach/pull-remote-backup.git"
+    src: pull-remote-backup.sh
-    dest: "/usr/local/bin/pull-remote-backup"
+    dest: "/usr/local/bin/pull-remote-backup.sh"
    update: yes
- name: configure pull-remote-backups.service.tpl
+- name: create pull-remote-backups.service
  template: src=pull-remote-backups.service dest=/etc/systemd/system/pull-remote-backups.service
  notify: restart pull-remote-backups service
- name: configure pull-remote-backups.timer.tpl
+- name: create pull-remote-backups.timer
  template: src=pull-remote-backups.timer dest=/etc/systemd/system/pull-remote-backups.timer
  notify: restart pull-remote-backups timer
- name: configure pull-remote-backups.sh
+- name: create pull-remote-backups.sh
-  template: src=pull-remote-backups.sh dest=/usr/local/bin/pull-remote-backup/pull-remote-backups.sh
+  template: src=pull-remote-backups.sh dest=/usr/local/bin/pull-remote-backups.sh
--- a/roles/native-pull-remote-backups/templates/pull-remote-backups.sh
+++ b/roles/native-pull-remote-backups/templates/pull-remote-backups.sh
@ -1,7 +1,8 @@
 #!/bin/bash
 # Pulls the remote backups from multiple hosts
 hosts="{{pull_remote_backups_hosts}}";
 errors=0
 for host in $hosts; do
-        bash /usr/local/bin/pull-remote-backup/pull-remote-backup.sh $host || ((errors+=1));
+        bash /usr/local/bin/pull-remote-backup.sh $host || ((errors+=1));
 done;
 exit $errors;
--- a/roles/native-user-backup/files/backup
+++ b/roles/native-user-backup/files/backup
@ -0,0 +1 @@
 backup ALL=NOPASSWD:/usr/bin/rsync
--- a/roles/native-user-backup/meta/main.yml
+++ b/roles/native-user-backup/meta/main.yml
@ -0,0 +1,2 @@
 dependencies:
 - native-sshd
--- a/roles/native-user-backup/readme.md
+++ b/roles/native-user-backup/readme.md
@ -0,0 +1,12 @@
 # role native-user-backup
 User for backups
 ## todo
 - add from="192.168.0.10" to authorized_keys as soon as wireguard is fully setup
 # see
 - https://docs.ansible.com/ansible/latest/user_guide/playbooks_lookups.html#id3
 - https://stackoverflow.com/questions/34722761/ansible-read-remote-file
 - http://gergap.de/restrict-ssh-to-rsync.html
 - https://unix.stackexchange.com/questions/276198/allow-the-restricted-rsync-rrsync-script-for-arbitrary-directories-with-author
 - https://askubuntu.com/questions/719439/using-rsync-with-sudo-on-the-destination-machine
--- a/roles/native-user-backup/tasks/main.yml
+++ b/roles/native-user-backup/tasks/main.yml
@ -0,0 +1,33 @@
 - name: create backup user
  user:
    name: backup
    create_home: yes
 - name: create .ssh directory
  file:
    path: /home/backup/.ssh
    state: directory
    owner: backup
    group: backup
    mode: '0700'
 - name: register hashed_machine_id
  shell: sha256sum /etc/machine-id | head -c 64
  register: hashed_machine_id
 - name: create /home/backup/.ssh/authorized_keys
  template:
    src: "authorized_keys.j2"
    dest: /home/backup/.ssh/authorized_keys
    owner: backup
    group: backup
    mode: '0644'
 - name: grant backup sudo rights with password
  copy:
    src: "backup"
    dest: /etc/sudoers.d/backup
    mode: '0644'
    owner: root
    group: root
  notify: sshd restart
--- a/roles/native-user-backup/templates/authorized_keys.j2
+++ b/roles/native-user-backup/templates/authorized_keys.j2
@ -0,0 +1,3 @@
 #command="/bin/echo You invoked: $SSH_ORIGINAL_COMMAND" {{authorized_keys}}
 #command='rsync -abvv --delete --delete-excluded --rsync-path="sudo rsync" --log-file="$log_path" --backup-dir="$diff_path" "$remote_source_path" "$latest_path"',no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding {{authorized_keys}}
 {{authorized_keys}}
--- a/roles/native-user-backup/vars/main.yml
+++ b/roles/native-user-backup/vars/main.yml
@ -0,0 +1,2 @@
 authorized_keys_path: "{{ inventory_dir }}/files/{{ inventory_hostname }}/home/backup/.ssh/authorized_keys"
 authorized_keys: "{{ lookup('file', authorized_keys_path) }}"
--- a/site.yml
+++ b/site.yml
@ -23,6 +23,7 @@
  roles:
   -  role: native-docker-volume-backup
      when: "'error:' not in pacman_q_docker.stderr"
   -  role: native-primary-backup
 - name: setup nginx hosts
  hosts: nginx_hosts
  become: true
		`@ -0,0 +1,2 @@`
							`authorized_keys_path: "{{ inventory_dir }}/files/{{ inventory_hostname }}/home/backup/.ssh/authorized_keys"`
							`authorized_keys: "{{ lookup('file', authorized_keys_path) }}"`