authorJulien Dessaux2022-07-05 21:15:26 +0200
committerJulien Dessaux2022-07-05 21:54:40 +0200
commitf084bd976cf942a43df7bbc77c63e21bf1045970 (patch)
tree097b2d2a82b60489c2d22c32e4e7802342d1e82e
parentAllow hyphens in borg job name (diff)
Fixed authorized_keys configuration drift, and change repo directory from hostname to fqdn
-rw-r--r--README.md4
-rw-r--r--action_plugins/borg_init.py2
-rw-r--r--tasks/client.yml25
-rw-r--r--tasks/client_init.yml12
-rw-r--r--tasks/main.yml3
-rw-r--r--tasks/server.yml7
-rw-r--r--templates/authorized_keys3
-rw-r--r--templates/backup.sh.j26
8 files changed, 36 insertions, 26 deletions
diff --git a/README.md b/README.md
index a7cf149..69730c7 100644
--- a/README.md
+++ b/README.md
@@ -39,6 +39,10 @@ julien@yen:~/git/adyxax/ansible$ cat setup.yml
...
```
+## Upgrade notes from version 1.x to 2.x
+
+Version 2.x changes the repository path: `/srv/borg/repos/<hostname` becomes `/srv/borg/repos/<fqdn>`. You should move org rename the folders manually on your servers, the role will not do it for you. If you don't, running your usual playbook will create new borg repositories with the fqdn and leave the previous ones alone.
+
## Configuration
First of all you only need to configure hosts that are backup clients. There are several `host_vars` you can define to this effect :
diff --git a/action_plugins/borg_init.py b/action_plugins/borg_init.py
index ea07f20..ea62145 100644
--- a/action_plugins/borg_init.py
+++ b/action_plugins/borg_init.py
@@ -29,7 +29,7 @@ class ActionModule(ActionBase):
}
for hostname, hostvars in task_vars['hostvars'].items() :
if 'borg_server' in hostvars.keys() and hostvars['borg_server'] == task_vars['ansible_host']:
- server['clients'].append(hostname)
+ server['clients'].append({'hostname': hostname, 'pubkey': hostvars['ansible_local']['borg']['pubkey']})
### Borg client variables ############################################
client = {
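Review bot: The new `hostvars['ansible_local']['borg']['pubkey']` lookup on the append line raises a bare KeyError for any client whose local facts are not loaded in this run, for example an unreachable host, a limited run without fact caching, or a first run before the borg fact exists. The server's authorized_keys is now rendered from this list, so I would read the key with `pubkey = hostvars.get('ansible_local', {}).get('borg', {}).get('pubkey')` and fail the action with a message naming the host when it is missing. Skipping the client silently would be worse, because its key would then be dropped from the server. The enclosing method starts and ends outside the hunk, so how it reports errors is not visible here.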
diff --git a/tasks/client.yml b/tasks/client.yml
index ef28c53..073cea0 100644
--- a/tasks/client.yml
+++ b/tasks/client.yml
@@ -1,23 +1,4 @@
---
-- name: generate borg ssh key on client
- openssh_keypair:
- owner: root
- mode: 0400
- path: /root/.ssh/borg
- type: ed25519
- register: borg_ssh_key
-
-- name: reload ansible_local
- setup: filter=ansible_local
- when: borg_ssh_key.changed
-
-- name: Enforce borg authorized key on server
- authorized_key:
- user: borg
- key: "{{ ansible_local.borg.pubkey }}"
- key_options: 'command="borg serve --restrict-to-path /srv/borg/repos/{{ ansible_hostname }}",restrict'
- delegate_to: "{{ borg_server }}"
-
- name: make the server known to the client
lineinfile:
line: "{{ borg_server }} ecdsa-sha2-nistp256 {{ hostvars[borg_server]['ansible_ssh_host_key_ecdsa_public'] }}"
@@ -25,14 +6,14 @@
create: yes
- name: create borg client repo on server
- shell: "borg init --rsh \"ssh -i /root/.ssh/borg\" --encryption=none borg@{{ borg_server }}:/srv/borg/repos/{{ ansible_hostname }}"
- when: hostvars[borg_server]['ansible_local']['borg']['repos'][ansible_hostname] is not defined
+ shell: "borg init --rsh \"ssh -i /root/.ssh/borg\" --encryption=none borg@{{ borg_server }}:/srv/borg/repos/{{ inventory_hostname }}"
+ when: hostvars[borg_server]['ansible_local']['borg']['repos'][inventory_hostname] is not defined
- name: reload ansible_local
setup: filter=ansible_local
delegate_to: "{{ borg_server }}"
delegate_facts: True
- when: hostvars[borg_server]['ansible_local']['borg']['repos'][ansible_hostname] is not defined
+ when: hostvars[borg_server]['ansible_local']['borg']['repos'][inventory_hostname] is not defined
- name: deploy borg backup script
template:
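Review bot: `inventory_hostname` in the `borg init` path and in both `when:` conditions is the name the host has in the inventory, not the `ansible_fqdn` fact, so the repository directory is an FQDN only when the inventory lists hosts by FQDN, while the commit title and the README promise `<fqdn>`. The choice does agree with borg_init.py, which keys the `--restrict-to-path` entry on the `hostvars` key, so I would keep the variable and fix the wording, e.g. `# repo directory is the inventory name; it must match the restrict-to-path entry on the server`. The same substitution is made in templates/backup.sh.j2. The value is also interpolated unquoted into a `shell:` string, so it is worth confirming that borg_validate limits it to hostname characters.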
diff --git a/tasks/client_init.yml b/tasks/client_init.yml
new file mode 100644
index 0000000..251bee4
--- /dev/null
+++ b/tasks/client_init.yml
@@ -0,0 +1,12 @@
+---
+- name: generate borg ssh key on client
+ openssh_keypair:
+ owner: root
+ mode: 0400
+ path: /root/.ssh/borg
+ type: ed25519
+ register: borg_ssh_key
+
+- name: reload ansible_local
+ setup: filter=ansible_local
+ #when: borg_ssh_key.changed
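Review bot: The commented-out `#when: borg_ssh_key.changed` on the last line leaves the fact reload unconditional without saying why, and `register: borg_ssh_key` is then unused in this file. If the reload has to run on every play so that `ansible_local.borg.pubkey` is available to borg_init for each client, drop the dead line and state the reason: `# always reload: borg_init reads ansible_local.borg.pubkey for every client`. Otherwise restore the condition so the extra fact gathering only happens when the key was just created.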
diff --git a/tasks/main.yml b/tasks/main.yml
index 8832443..2606ecf 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,4 +1,7 @@
---
+- import_tasks: client_init.yml
+ when: borg_server is defined
+
- action: borg_validate
- action: borg_init
diff --git a/tasks/server.yml b/tasks/server.yml
index 78754a2..ce731f6 100644
--- a/tasks/server.yml
+++ b/tasks/server.yml
@@ -24,4 +24,11 @@
- /srv/borg
- /srv/borg/.ssh
- /srv/borg/repos
+
+- name: deploy borg authorized_keys
+ template:
+ dest: /srv/borg/.ssh/authorized_keys
+ src: authorized_keys
+ owner: borg
+ mode: 0400
...
diff --git a/templates/authorized_keys b/templates/authorized_keys
new file mode 100644
index 0000000..49c8820
--- /dev/null
+++ b/templates/authorized_keys
@@ -0,0 +1,3 @@
+{% for client in borg.server.clients %}
+command="borg serve --restrict-to-path /srv/borg/repos/{{ client.hostname }}",restrict {{ client.pubkey }}
+{% endfor %}
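Review bot: `{{ client.pubkey }}` is written into the server's authorized_keys exactly as each client reported it in its local fact, whereas the `authorized_key` module this template replaces checked the key format before writing. A value that contains a line break or extra leading tokens would yield an entry not bound by the `command="borg serve --restrict-to-path ...",restrict` prefix, so a single client's fact could widen access on the backup server. I would have borg_validate or borg_init reject any pubkey that is not a single line of the form `ssh-ed25519 <base64> [comment]` and fail the run in that case. A header comment such as `{# managed by ansible: one restricted entry per client, manual edits are overwritten #}` would also make the new ownership of the file explicit.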
diff --git a/templates/backup.sh.j2 b/templates/backup.sh.j2
index 3937dfc..57d1854 100644
--- a/templates/backup.sh.j2
+++ b/templates/backup.sh.j2
@@ -15,13 +15,13 @@ export BORG_RSH="ssh -i /root/.ssh/borg"
{{ job.pre_command }}
{% endif %}
{% if job.command_to_pipe is defined %}
-{{ job.command_to_pipe }} | borg create borg@{{ borg_server }}:/srv/borg/repos/{{ ansible_hostname }}::{{ job.name }}-{now} -
+{{ job.command_to_pipe }} | borg create borg@{{ borg_server }}:/srv/borg/repos/{{ inventory_hostname }}::{{ job.name }}-{now} -
{% else %}
-borg create {% for exclude in job.exclude|default([]) %} --exclude {{ exclude }}{% endfor %} borg@{{ borg_server }}:/srv/borg/repos/{{ ansible_hostname }}::{{ job.name }}-{now} {{ job.path }}
+borg create {% for exclude in job.exclude|default([]) %} --exclude {{ exclude }}{% endfor %} borg@{{ borg_server }}:/srv/borg/repos/{{ inventory_hostname }}::{{ job.name }}-{now} {{ job.path }}
{% endif %}
{% if job.post_command is defined %}
{{ job.post_command }}
{% endif %}
{% endfor %}
-borg prune borg@{{ borg_server }}:/srv/borg/repos/{{ ansible_hostname }} {{ borg_prune_arguments }}
+borg prune borg@{{ borg_server }}:/srv/borg/repos/{{ inventory_hostname }} {{ borg_prune_arguments }}