Merged client playbook and server playbook

roles/server_native-user-backup/files/backup

@@ -0,0 +1 @@
+backup ALL=NOPASSWD:/usr/bin/rsync

roles/server_native-user-backup/meta/main.yml

@@ -0,0 +1,2 @@
+dependencies:
+- native-sshd

roles/server_native-user-backup/readme.md

@@ -0,0 +1,14 @@
+# role native-user-backup
+User for backups
+
+## todo
+- optimize authorized_keys.j2 for multiple pull clients
+
+# see
+- https://docs.ansible.com/ansible/latest/user_guide/playbooks_lookups.html#id3
+- https://stackoverflow.com/questions/34722761/ansible-read-remote-file
+- http://gergap.de/restrict-ssh-to-rsync.html
+- https://unix.stackexchange.com/questions/276198/allow-the-restricted-rsync-rrsync-script-for-arbitrary-directories-with-author
+- https://askubuntu.com/questions/719439/using-rsync-with-sudo-on-the-destination-machine
+- https://www.thomas-krenn.com/de/wiki/Ausf%C3%BChrbare_SSH-Kommandos_per_authorized_keys_einschr%C3%A4nken
+- https://serverfault.com/questions/793669/what-is-the-rsync-option-logdtprze-ilsf-for/793676

roles/server_native-user-backup/tasks/main.yml

@@ -0,0 +1,41 @@
+- name: create backup user
+  user:
+    name: backup
+    create_home: yes
+
+- name: create .ssh directory
+  file:
+    path: /home/backup/.ssh
+    state: directory
+    owner: backup
+    group: backup
+    mode: '0700'
+
+- name: register hashed_machine_id
+  shell: sha256sum /etc/machine-id | head -c 64
+  register: hashed_machine_id
+
+- name: create /home/backup/.ssh/authorized_keys
+  template:
+    src: "authorized_keys.j2"
+    dest: /home/backup/.ssh/authorized_keys
+    owner: backup
+    group: backup
+    mode: '0644'
+
+- name: create /home/backup/ssh-wrapper.sh
+  template:
+    src: "ssh-wrapper.sh.j2"
+    dest: /home/backup/ssh-wrapper.sh
+    owner: backup
+    group: backup
+    mode: '0700'
+
+- name: grant backup sudo rights
+  copy:
+    src: "backup"
+    dest: /etc/sudoers.d/backup
+    mode: '0644'
+    owner: root
+    group: root
+  notify: sshd restart

roles/server_native-user-backup/templates/authorized_keys.j2

@@ -0,0 +1,3 @@
+{% for authorized_key in authorized_keys_list %}
+command="/home/backup/ssh-wrapper.sh" {{authorized_key}}
+{% endfor %}

roles/server_native-user-backup/templates/ssh-wrapper.sh.j2

@@ -0,0 +1,35 @@
+#!/bin/sh
+
+# log command
+if [ -n "$SSH_ORIGINAL_COMMAND" ]
+then
+  echo "`/bin/date`: $SSH_ORIGINAL_COMMAND" | systemd-cat -t "ssh-wrapper.sh"
+fi
+
+# define executable commands
+get_hashed_machine_id="sha256sum /etc/machine-id";
+get_backup_types="find /Backups/{{hashed_machine_id.stdout}}/ -maxdepth 1 -type d -execdir basename {} ;";
+
+# @todo This configuration is not scalable yet. If other backup services then docker-volume-backup are integrated, this logic needs to be optimized
+get_static_last_version_dir="readlink -f /Backups/{{hashed_machine_id.stdout}}/docker-volume-backup/latest"
+rsync_command="sudo rsync --server --sender -blogDtpre.iLsfxCIvu . $($get_static_last_version_dir)/"
+
+# filter commands
+case "$SSH_ORIGINAL_COMMAND" in
+	"$get_hashed_machine_id")
+		$get_hashed_machine_id
+		;;
+	"$get_static_last_version_dir")
+		$get_static_last_version_dir
+		;;
+	"$get_backup_types")
+		$get_backup_types
+		;;
+	"$rsync_command")
+		$rsync_command
+		;;
+	*)
+		echo "This command is not supported."
+		exit 1
+		;;
+esac

roles/server_native-user-backup/vars/main.yml

@@ -0,0 +1,2 @@
+authorized_keys_path: "{{ inventory_dir }}/files/{{ inventory_hostname }}/home/backup/.ssh/authorized_keys"
+authorized_keys_list: "{{ lookup('file', authorized_keys_path).splitlines() }}"