kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-12-02 15:39:57 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
e09f561f0bc8206608c5fd4e06610148669e214a
computer-playbook/roles/sys-bkp-provider-user
History
Kevin Veen-Birkenbach e09f561f0b Refactor run-once orchestration and bootstrap Mailu/Mastodon in a single deploy 
- Replace legacy utils/run_once.yml with the new helpers utils/once_flag.yml and utils/once_finalize.yml
- Introduce utils/compose_up.yml to ensure docker-compose stacks are up and to flush handlers safely without coupling to run-once flags
- Migrate all affected roles (desk-*, dev-*, sys-ctl-*, sys-svc-*, web-app-*, web-svc-*, util-*) to the new run-once helpers
- Rework sys-svc-msmtp to auto-load Mailu once per deploy, check reachability, and reuse the running stack instead of requiring multiple playbook passes
- Adjust web-app-mailu to integrate cert deployment, handler flushing, and run-once handling so Mailu is fully initialized in a single deploy
- Improve Matomo, CDN, logout and CSP/health-check related roles to cooperate with the new compose_up / once_* pattern
- Simplify alarm/backup/timer/service orchestration (sys-ctl-alm-*, sys-bkp-provider, sys-timer-cln-bkps, etc.) by moving run-once logic into dedicated 01_core.yml files
- Update integration tests so utils/once_flag.yml and utils/once_finalize.yml are recognised as valid run-once providers, keeping the global run_once_* guarantees consistent
- Align frontend injection and service dependencies so Mastodon- and Mailu-related services can be brought up coherently within a single deployment cycle rather than several iterations
2025-12-01 13:30:50 +01:00
..
files
svc-bkp-rmt-2-loc: migrate pull script to Python + add unit tests; lock down backup-provider ACLs
2025-10-14 20:10:49 +02:00
meta
Replaced .infinito.service and .infinito.timer by SOFTWARE_NAME suffix, optimized LICENSE link and update OIDC Realm and ID conf
2025-08-14 14:39:18 +02:00
tasks
Refactor run-once orchestration and bootstrap Mailu/Mastodon in a single deploy
2025-12-01 13:30:50 +01:00
templates
vars
README.md

README.md

User for Backup Provider

Description

This role sets up a dedicated backup user (backup) for performing secure backup operations. It creates the user, configures a restricted SSH environment with a custom authorized_keys template and an SSH wrapper script, and grants necessary sudo rights for executing rsync. This configuration helps ensure controlled and secure access specifically for backup processes.

Overview

The role is a critical component in a secure backup scheme. By isolating backup operations to a dedicated user, it minimizes the risk of unauthorized actions. The role configures the SSH environment so that only specific, allowed commands can be executed, and it sets up passwordless sudo rights for rsync, ensuring smooth and secure backup operations.

Purpose

The purpose of this role is to enhance the security of your backup system by providing a dedicated user with strict command restrictions. This controlled environment limits the potential damage from a compromised backup account while still allowing efficient backup operations.

Features

  • User Creation: Creates a dedicated backup user with a home directory.
  • SSH Environment Setup: Establishes a secure .ssh directory and deploys a restricted authorized_keys file via a Jinja2 template.
  • SSH Wrapper Script: Implements a custom SSH wrapper that logs and filters incoming SSH commands, enforcing security policies.
  • Sudo Configuration: Grants passwordless sudo rights for rsync, enabling secure and automated backup transfers.
  • Integration: Supports seamless integration with your backup infrastructure by limiting the backup user's permissions to only the required commands.

Other Resources

For more details on how the role works and advanced configuration options, please see the related references below:

Reference in New Issue View Git Blame Copy Permalink