Fixed authorized_keys configuration drift, and change repo directory from hostname to fqdn

2022-07-05 21:15:26 +02:00 · 2022-07-05 21:15:26 +02:00 · f084bd976c
commit f084bd976c
parent 42790f21cd
8 changed files with 36 additions and 26 deletions
--- a/README.md
+++ b/README.md
@ -39,6 +39,10 @@ julien@yen:~/git/adyxax/ansible$ cat setup.yml
 ...
 ```
 ## Upgrade notes from version 1.x to 2.x
 Version 2.x changes the repository path: `/srv/borg/repos/<hostname` becomes `/srv/borg/repos/<fqdn>`. You should move org rename the folders manually on your servers, the role will not do it for you. If you don't, running your usual playbook will create new borg repositories with the fqdn and leave the previous ones alone.
 ## Configuration
 First of all you only need to configure hosts that are backup clients. There are several `host_vars` you can define to this effect :
--- a/action_plugins/borg_init.py
+++ b/action_plugins/borg_init.py
@ -29,7 +29,7 @@ class ActionModule(ActionBase):
        }
        for hostname, hostvars in task_vars['hostvars'].items() :
            if 'borg_server' in hostvars.keys() and hostvars['borg_server'] == task_vars['ansible_host']:
-                server['clients'].append(hostname)
+                server['clients'].append({'hostname': hostname, 'pubkey': hostvars['ansible_local']['borg']['pubkey']})
        ### Borg client variables ############################################
        client = {
--- a/tasks/client.yml
+++ b/tasks/client.yml
@ -1,23 +1,4 @@
 ---
 - name: generate borg ssh key on client
  openssh_keypair:
    owner: root
    mode: 0400
    path: /root/.ssh/borg
    type: ed25519
  register: borg_ssh_key
 - name: reload ansible_local
  setup: filter=ansible_local
  when: borg_ssh_key.changed
 - name: Enforce borg authorized key on server
  authorized_key:
    user: borg
    key: "{{ ansible_local.borg.pubkey }}"
    key_options: 'command="borg serve --restrict-to-path /srv/borg/repos/{{ ansible_hostname }}",restrict'
  delegate_to: "{{ borg_server }}"
 - name: make the server known to the client
  lineinfile:
    line: "{{ borg_server }} ecdsa-sha2-nistp256 {{ hostvars[borg_server]['ansible_ssh_host_key_ecdsa_public'] }}"
@ -25,14 +6,14 @@
    create: yes
 - name: create borg client repo on server
-  shell: "borg init --rsh \"ssh -i /root/.ssh/borg\" --encryption=none borg@{{ borg_server }}:/srv/borg/repos/{{ ansible_hostname }}"
+  shell: "borg init --rsh \"ssh -i /root/.ssh/borg\" --encryption=none borg@{{ borg_server }}:/srv/borg/repos/{{ inventory_hostname }}"
-  when: hostvars[borg_server]['ansible_local']['borg']['repos'][ansible_hostname] is not defined
+  when: hostvars[borg_server]['ansible_local']['borg']['repos'][inventory_hostname] is not defined
 - name: reload ansible_local
  setup: filter=ansible_local
  delegate_to: "{{ borg_server }}"
  delegate_facts: True
-  when: hostvars[borg_server]['ansible_local']['borg']['repos'][ansible_hostname] is not defined
+  when: hostvars[borg_server]['ansible_local']['borg']['repos'][inventory_hostname] is not defined
 - name: deploy borg backup script
  template:
--- a/tasks/client_init.yml
+++ b/tasks/client_init.yml
@ -0,0 +1,12 @@
 ---
 - name: generate borg ssh key on client
  openssh_keypair:
    owner: root
    mode: 0400
    path: /root/.ssh/borg
    type: ed25519
  register: borg_ssh_key
 - name: reload ansible_local
  setup: filter=ansible_local
  #when: borg_ssh_key.changed
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -1,4 +1,7 @@
 ---
 - import_tasks: client_init.yml
  when: borg_server is defined
 - action: borg_validate
 - action: borg_init
--- a/tasks/server.yml
+++ b/tasks/server.yml
@ -24,4 +24,11 @@
    - /srv/borg
    - /srv/borg/.ssh
    - /srv/borg/repos
 - name: deploy borg authorized_keys
  template:
    dest: /srv/borg/.ssh/authorized_keys
    src: authorized_keys
    owner: borg
    mode: 0400
 ...
--- a/templates/authorized_keys
+++ b/templates/authorized_keys
@ -0,0 +1,3 @@
 {% for client in borg.server.clients %}
 command="borg serve --restrict-to-path /srv/borg/repos/{{ client.hostname }}",restrict {{ client.pubkey }}
 {% endfor %}
--- a/templates/backup.sh.j2
+++ b/templates/backup.sh.j2
@ -15,13 +15,13 @@ export BORG_RSH="ssh -i /root/.ssh/borg"
 {{ job.pre_command }}
 {% endif %}
 {% if job.command_to_pipe is defined %}
-{{ job.command_to_pipe }} | borg create borg@{{ borg_server }}:/srv/borg/repos/{{ ansible_hostname }}::{{ job.name }}-{now} -
+{{ job.command_to_pipe }} | borg create borg@{{ borg_server }}:/srv/borg/repos/{{ inventory_hostname }}::{{ job.name }}-{now} -
 {% else %}
-borg create {% for exclude in job.exclude|default([]) %} --exclude {{ exclude }}{% endfor %} borg@{{ borg_server }}:/srv/borg/repos/{{ ansible_hostname }}::{{ job.name }}-{now} {{ job.path }}
+borg create {% for exclude in job.exclude|default([]) %} --exclude {{ exclude }}{% endfor %} borg@{{ borg_server }}:/srv/borg/repos/{{ inventory_hostname }}::{{ job.name }}-{now} {{ job.path }}
 {% endif %}
 {% if job.post_command is defined %}
 {{ job.post_command }}
 {% endif %}
 {% endfor %}
-borg prune borg@{{ borg_server }}:/srv/borg/repos/{{ ansible_hostname }} {{ borg_prune_arguments }}
+borg prune borg@{{ borg_server }}:/srv/borg/repos/{{ inventory_hostname }} {{ borg_prune_arguments }}