			
		
		
		
	- Replace Bash pull-specific-host.sh with Python pull-specific-host.py (argparse, identical logic) - Update role vars and runner template to call python script - Add __init__.py files for test discovery/imports - Add unittest: tests/unit/roles/svc-bkp-rmt-2-loc/files/test_pull_specific_host.py (mocks subprocess/os/time; covers success, no types, find-fail, retry-exhaustion) - Backup provider SSH wrapper: align allowed ls path (backup-docker-to-local) - Split user role tasks: 01_core (sudoers), 02_permissions_ssh (SSH keys + wrapper), 03_permissions_folders (ownership + default ACLs + depth-limited chown/chmod) - Ensure default ACLs grant rwx to 'backup' and none to group/other; keep sudo rsync working Ref: ChatGPT discussion (2025-10-14) — https://chatgpt.com/share/68ee920a-9b98-800f-8806-ddcfe0255149
		
			
				
	
	
		
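# Ensure the backups root exists and is owned by backup.
# The root itself is 0700, so the ACLs below mainly govern what new entries
# created beneath it inherit (default ACLs apply to children, not to the root).
- name: Ensure backups root exists and owned by backup
  ansible.builtin.file:
    path: "{{ BACKUPS_FOLDER_PATH }}"
    state: directory
    owner: backup
    group: backup
    mode: "0700"

# Explicit (access) ACL so 'backup' has rwx on the root itself.
- name: Grant ACL rwx on backups root to backup user
  ansible.posix.acl:
    path: "{{ BACKUPS_FOLDER_PATH }}"
    entity: backup
    etype: user
    permissions: rwx
    state: present

# Default (inherited) ACL so new entries under the root grant rwx to 'backup'.
# This task was declared twice before; a single declaration is idempotent and
# sufficient, so the duplicate has been removed.
- name: Set default ACL (inherit) for backup user under backups root
  ansible.posix.acl:
    path: "{{ BACKUPS_FOLDER_PATH }}"
    entity: backup
    etype: user
    permissions: rwx
    default: true
    state: present

# Defensive hardening: explicitly set the default group/other entries to no
# permissions (rather than leaving them absent) so new entries inherit nothing
# for group and other.
- name: Default ACL for group -> none
  ansible.posix.acl:
    path: "{{ BACKUPS_FOLDER_PATH }}"
    etype: group
    permissions: '---'
    default: true
    state: present

- name: Default ACL for other -> none
  ansible.posix.acl:
    path: "{{ BACKUPS_FOLDER_PATH }}"
    etype: other
    permissions: '---'
    default: true
    state: present

# Fix ownership and mode of the root and the first two directory levels.
# `command` with `argv` is used instead of `shell` so BACKUPS_FOLDER_PATH is
# passed to find as one argument and is never interpreted by a shell (no word
# splitting, no quoting/metacharacter issues). -xdev keeps find from crossing
# into other mounted filesystems. These tasks always execute and are therefore
# reported as changed on every run.
- name: Fix ownership level 0..2 directories to backup:backup
  ansible.builtin.command:
    argv:
      - find
      - "{{ BACKUPS_FOLDER_PATH }}"
      - "-mindepth"
      - "0"
      - "-maxdepth"
      - "2"
      - "-xdev"
      - "-type"
      - d
      - "-exec"
      - chown
      - backup:backup
      - "{}"
      - "+"

- name: Fix perms level 0..2 directories to 0700
  ansible.builtin.command:
    argv:
      - find
      - "{{ BACKUPS_FOLDER_PATH }}"
      - "-mindepth"
      - "0"
      - "-maxdepth"
      - "2"
      - "-xdev"
      - "-type"
      - d
      - "-exec"
      - chmod
      - "700"
      - "{}"
      - "+"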