mirror of
https://github.com/kevinveenbirkenbach/computer-playbook.git
synced 2024-11-26 06:31:04 +01:00
Implemented working secure backup
This commit is contained in:
parent
dc0894f168
commit
dc4ddb6b27
@ -21,3 +21,7 @@ To track what the service is doing execute the following command:
|
|||||||
```bash
|
```bash
|
||||||
sudo journalctl -u pull-remote-backups
|
sudo journalctl -u pull-remote-backups
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## see
|
||||||
|
- https://superuser.com/questions/363444/how-do-i-get-the-output-and-exit-value-of-a-subshell-when-using-bash-e
|
||||||
|
- https://gist.github.com/otkrsk/b0ffd4018e8a79b9010c461af298471e
|
||||||
|
@ -1,17 +1,36 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
# @param $1 hostname from which backup should be pulled
|
# @param $1 hostname from which backup should be pulled
|
||||||
|
|
||||||
|
# error counter
|
||||||
|
errors=0
|
||||||
|
|
||||||
source_host="backup@$1"
|
source_host="backup@$1"
|
||||||
source_machine_id="$( (ssh "$source_host" sha256sum /etc/machine-id) | head -c 64)"
|
source_machine_id="$( (ssh "$source_host" sha256sum /etc/machine-id) | head -c 64)" || exit 1
|
||||||
source_path="/Backups/$source_machine_id/"
|
source_path="/Backups/$source_machine_id/"
|
||||||
directories="$(ssh "$source_host" find "$source_path" -maxdepth 1 -type d)"
|
directories="$(ssh "$source_host" find "$source_path" -maxdepth 1 -type d)" || exit 1
|
||||||
|
|
||||||
for folder in $directories; do
|
for folder in $directories; do
|
||||||
if [ "$folder" != "$source_path" ]; then
|
if [ "$folder" != "$source_path" ]; then
|
||||||
diff_path="$folder/diffs/$(date '+%Y%m%d%H%M%S')/"
|
# this folder is neccessary to make restricted rsync possible:
|
||||||
|
diff_current="$folder/diffs/current/"
|
||||||
|
# this is the folder where the diffs will be copied to:
|
||||||
|
diff_store="$folder/diffs/$(date '+%Y%m%d%H%M%S')/"
|
||||||
|
# this is the folder which contains the actual backup:
|
||||||
latest_path="$folder/latest/"
|
latest_path="$folder/latest/"
|
||||||
|
# source path of the backup files:
|
||||||
remote_source_path="$source_host:$latest_path"
|
remote_source_path="$source_host:$latest_path"
|
||||||
|
# file in which the logs will be saved:
|
||||||
log_path="$folder/log.txt"
|
log_path="$folder/log.txt"
|
||||||
|
|
||||||
|
# create working folders:
|
||||||
mkdir -vp "$latest_path"
|
mkdir -vp "$latest_path"
|
||||||
mkdir -vp "$diff_path"
|
mkdir -vp "$diff_store"
|
||||||
rsync -abvv --delete --delete-excluded --rsync-path="sudo rsync" --log-file="$log_path" --backup-dir="$diff_path" "$remote_source_path" "$latest_path" || exit 1
|
rm -vr "$diff_current"
|
||||||
|
mkdir -vp "$diff_current"
|
||||||
|
|
||||||
|
# do backup:
|
||||||
|
rsync -abP --delete --delete-excluded --rsync-path="sudo rsync" --log-file="$log_path" --backup-dir="$diff_current" "$remote_source_path" "$latest_path" || ((errors+=1));
|
||||||
|
mv -v "$diff_current"* "$diff_store"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
exit $errors;
|
||||||
|
@ -3,6 +3,6 @@
|
|||||||
hosts="{{pull_remote_backups_hosts}}";
|
hosts="{{pull_remote_backups_hosts}}";
|
||||||
errors=0
|
errors=0
|
||||||
for host in $hosts; do
|
for host in $hosts; do
|
||||||
bash /usr/local/bin/pull-remote-backup.sh $host || ((errors+=1));
|
bash /usr/local/bin/pull-remote-backup.sh $host || ((errors+=1));
|
||||||
done;
|
done;
|
||||||
exit $errors;
|
exit $errors;
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
User for backups
|
User for backups
|
||||||
|
|
||||||
## todo
|
## todo
|
||||||
- add from="192.168.0.10" to authorized_keys as soon as wireguard is fully setup
|
- optimize authorized_keys.j2 for multiple pull clients
|
||||||
|
|
||||||
# see
|
# see
|
||||||
- https://docs.ansible.com/ansible/latest/user_guide/playbooks_lookups.html#id3
|
- https://docs.ansible.com/ansible/latest/user_guide/playbooks_lookups.html#id3
|
||||||
@ -10,3 +10,5 @@ User for backups
|
|||||||
- http://gergap.de/restrict-ssh-to-rsync.html
|
- http://gergap.de/restrict-ssh-to-rsync.html
|
||||||
- https://unix.stackexchange.com/questions/276198/allow-the-restricted-rsync-rrsync-script-for-arbitrary-directories-with-author
|
- https://unix.stackexchange.com/questions/276198/allow-the-restricted-rsync-rrsync-script-for-arbitrary-directories-with-author
|
||||||
- https://askubuntu.com/questions/719439/using-rsync-with-sudo-on-the-destination-machine
|
- https://askubuntu.com/questions/719439/using-rsync-with-sudo-on-the-destination-machine
|
||||||
|
- https://www.thomas-krenn.com/de/wiki/Ausf%C3%BChrbare_SSH-Kommandos_per_authorized_keys_einschr%C3%A4nken
|
||||||
|
- https://serverfault.com/questions/793669/what-is-the-rsync-option-logdtprze-ilsf-for/793676
|
||||||
|
@ -23,7 +23,15 @@
|
|||||||
group: backup
|
group: backup
|
||||||
mode: '0644'
|
mode: '0644'
|
||||||
|
|
||||||
- name: grant backup sudo rights with password
|
- name: create /home/backup/ssh-wrapper.sh
|
||||||
|
template:
|
||||||
|
src: "ssh-wrapper.sh.j2"
|
||||||
|
dest: /home/backup/ssh-wrapper.sh
|
||||||
|
owner: backup
|
||||||
|
group: backup
|
||||||
|
mode: '0700'
|
||||||
|
|
||||||
|
- name: grant backup sudo rights
|
||||||
copy:
|
copy:
|
||||||
src: "backup"
|
src: "backup"
|
||||||
dest: /etc/sudoers.d/backup
|
dest: /etc/sudoers.d/backup
|
||||||
|
@ -1,3 +1 @@
|
|||||||
#command="/bin/echo You invoked: $SSH_ORIGINAL_COMMAND" {{authorized_keys}}
|
command="/home/backup/ssh-wrapper.sh" {{authorized_keys}}
|
||||||
#command='rsync -abvv --delete --delete-excluded --rsync-path="sudo rsync" --log-file="$log_path" --backup-dir="$diff_path" "$remote_source_path" "$latest_path"',no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding {{authorized_keys}}
|
|
||||||
{{authorized_keys}}
|
|
||||||
|
24
roles/native-user-backup/templates/ssh-wrapper.sh.j2
Normal file
24
roles/native-user-backup/templates/ssh-wrapper.sh.j2
Normal file
@ -0,0 +1,24 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
# log
|
||||||
|
if [ -n "$SSH_ORIGINAL_COMMAND" ]
|
||||||
|
then
|
||||||
|
echo "`/bin/date`: $SSH_ORIGINAL_COMMAND" >> $HOME/ssh-command-log
|
||||||
|
fi
|
||||||
|
|
||||||
|
# filter commands
|
||||||
|
case "$SSH_ORIGINAL_COMMAND" in
|
||||||
|
"sha256sum /etc/machine-id")
|
||||||
|
sha256sum /etc/machine-id
|
||||||
|
;;
|
||||||
|
"find /Backups/{{hashed_machine_id.stdout}}/ -maxdepth 1 -type d")
|
||||||
|
find /Backups/{{hashed_machine_id.stdout}}/ -maxdepth 1 -type d
|
||||||
|
;;
|
||||||
|
"sudo rsync --server --sender -blogDtpre.iLsfxCIvu --backup-dir /Backups/{{hashed_machine_id.stdout}}/docker-volume-backup/diffs/current/ . /Backups/{{hashed_machine_id.stdout}}/docker-volume-backup/latest/")
|
||||||
|
sudo rsync --server --sender -blogDtpre.iLsfxCIvu --backup-dir /Backups/{{hashed_machine_id.stdout}}/docker-volume-backup/diffs/current/ . /Backups/{{hashed_machine_id.stdout}}/docker-volume-backup/latest/
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
echo "This command is not supported."
|
||||||
|
exit 1
|
||||||
|
;;
|
||||||
|
esac
|
Loading…
Reference in New Issue
Block a user