kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-08-29 15:06:26 +02:00
Code Issues Packages Projects Releases Wiki Activity

Implemented working secure backup

Browse Source
This commit is contained in:
Kevin Veen-Birkenbach
2021-01-11 14:14:36 +01:00
parent dc0894f168
commit dc4ddb6b27
7 changed files with 66 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
roles/native-user-backup/readme.md
View File

@@ -2,7 +2,7 @@
User for backups
## todo
- add from="192.168.0.10" to authorized_keys as soon as wireguard is fully setup
- optimize authorized_keys.j2 for multiple pull clients
# see
- https://docs.ansible.com/ansible/latest/user_guide/playbooks_lookups.html#id3
@@ -10,3 +10,5 @@ User for backups
- http://gergap.de/restrict-ssh-to-rsync.html
- https://unix.stackexchange.com/questions/276198/allow-the-restricted-rsync-rrsync-script-for-arbitrary-directories-with-author
- https://askubuntu.com/questions/719439/using-rsync-with-sudo-on-the-destination-machine
- https://www.thomas-krenn.com/de/wiki/Ausf%C3%BChrbare_SSH-Kommandos_per_authorized_keys_einschr%C3%A4nken
- https://serverfault.com/questions/793669/what-is-the-rsync-option-logdtprze-ilsf-for/793676

10
roles/native-user-backup/tasks/main.yml
View File

@@ -23,7 +23,15 @@
group: backup
mode: '0644'
- name: grant backup sudo rights with password
- name: create /home/backup/ssh-wrapper.sh
template:
src: "ssh-wrapper.sh.j2"
dest: /home/backup/ssh-wrapper.sh
owner: backup
group: backup
mode: '0700'
- name: grant backup sudo rights
copy:
src: "backup"
dest: /etc/sudoers.d/backup

4
roles/native-user-backup/templates/authorized_keys.j2
View File

@@ -1,3 +1 @@
#command="/bin/echo You invoked: $SSH_ORIGINAL_COMMAND" {{authorized_keys}}
#command='rsync -abvv --delete --delete-excluded --rsync-path="sudo rsync" --log-file="$log_path" --backup-dir="$diff_path" "$remote_source_path" "$latest_path"',no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding {{authorized_keys}}
{{authorized_keys}}
command="/home/backup/ssh-wrapper.sh" {{authorized_keys}}

24
roles/native-user-backup/templates/ssh-wrapper.sh.j2 Normal file
View File

@@ -0,0 +1,24 @@
#!/bin/sh
# log
if [ -n "$SSH_ORIGINAL_COMMAND" ]
then
echo "`/bin/date`: $SSH_ORIGINAL_COMMAND" >> $HOME/ssh-command-log
fi
# filter commands
case "$SSH_ORIGINAL_COMMAND" in
"sha256sum /etc/machine-id")
sha256sum /etc/machine-id
;;
"find /Backups/{{hashed_machine_id.stdout}}/ -maxdepth 1 -type d")
find /Backups/{{hashed_machine_id.stdout}}/ -maxdepth 1 -type d
;;
"sudo rsync --server --sender -blogDtpre.iLsfxCIvu --backup-dir /Backups/{{hashed_machine_id.stdout}}/docker-volume-backup/diffs/current/ . /Backups/{{hashed_machine_id.stdout}}/docker-volume-backup/latest/")
sudo rsync --server --sender -blogDtpre.iLsfxCIvu --backup-dir /Backups/{{hashed_machine_id.stdout}}/docker-volume-backup/diffs/current/ . /Backups/{{hashed_machine_id.stdout}}/docker-volume-backup/latest/
;;
*)
echo "This command is not supported."
exit 1
;;
esac