From f084bd976cf942a43df7bbc77c63e21bf1045970 Mon Sep 17 00:00:00 2001
From: Julien Dessaux
Date: Tue, 5 Jul 2022 21:15:26 +0200
Subject: Fixed authorized_keys configuration drift, and change repo directory from hostname to fqdn

---
 README.md | 4 ++++
 action_plugins/borg_init.py | 2 +-
 tasks/client.yml | 25 +++----------------------
 tasks/client_init.yml | 12 ++++++++++++
 tasks/main.yml | 3 +++
 tasks/server.yml | 7 +++++++
 templates/authorized_keys | 3 +++
 templates/backup.sh.j2 | 6 +++---
 8 files changed, 36 insertions(+), 26 deletions(-)
 create mode 100644 tasks/client_init.yml
 create mode 100644 templates/authorized_keys

diff --git a/README.md b/README.md
index a7cf149..69730c7 100644
--- a/README.md
+++ b/README.md
@@ -39,6 +39,10 @@ julien@yen:~/git/adyxax/ansible$ cat setup.yml
 ...
 ```
+## Upgrade notes from version 1.x to 2.x
+
+Version 2.x changes the repository path: `/srv/borg/repos/`. You should move org rename the folders manually on your servers, the role will not do it for you. If you don't, running your usual playbook will create new borg repositories with the fqdn and leave the previous ones alone.
+
 ## Configuration
 First of all you only need to configure hosts that are backup clients. There are several `host_vars` you can define to this effect :
diff --git a/action_plugins/borg_init.py b/action_plugins/borg_init.py
index ea07f20..ea62145 100644
--- a/action_plugins/borg_init.py
+++ b/action_plugins/borg_init.py
@@ -29,7 +29,7 @@ class ActionModule(ActionBase):
 }
 for hostname, hostvars in task_vars['hostvars'].items() :
 if 'borg_server' in hostvars.keys() and hostvars['borg_server'] == task_vars['ansible_host']:
- server['clients'].append(hostname)
+ server['clients'].append({'hostname': hostname, 'pubkey': hostvars['ansible_local']['borg']['pubkey']})
 ### Borg client variables ############################################
 client = {
diff --git a/tasks/client.yml b/tasks/client.yml
index ef28c53..073cea0 100644
--- a/tasks/client.yml
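Review bot: The new `server['clients'].append({... hostvars['ansible_local']['borg']['pubkey']})` indexes three levels into another host's hostvars with no guard, so the plugin raises KeyError for any client whose `ansible_local.borg` fact is not present in this run — a client excluded by `--limit`, one that was unreachable, or a brand-new one that has not generated its key yet. Because this list is what `templates/authorized_keys` renders, and that template replaces the server's whole authorized_keys file, quietly skipping such a host with `.get()` would be worse than the crash: it would drop that client's key and break its backups on the next run. Keep the failure, but make it explicit: `pubkey = hostvars.get('ansible_local', {}).get('borg', {}).get('pubkey')`, then fail the task with a message naming `hostname` when it is `None`, and append `{'hostname': hostname, 'pubkey': pubkey}` otherwise. The enclosing method starts and ends outside the hunk.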
+++ b/tasks/client.yml
@@ -1,23 +1,4 @@
 ---
-- name: generate borg ssh key on client
- openssh_keypair:
- owner: root
- mode: 0400
- path: /root/.ssh/borg
- type: ed25519
- register: borg_ssh_key
-
-- name: reload ansible_local
- setup: filter=ansible_local
- when: borg_ssh_key.changed
-
-- name: Enforce borg authorized key on server
- authorized_key:
- user: borg
- key: "{{ ansible_local.borg.pubkey }}"
- key_options: 'command="borg serve --restrict-to-path /srv/borg/repos/{{ ansible_hostname }}",restrict'
- delegate_to: "{{ borg_server }}"
-
 - name: make the server known to the client
 lineinfile:
 line: "{{ borg_server }} ecdsa-sha2-nistp256 {{ hostvars[borg_server]['ansible_ssh_host_key_ecdsa_public'] }}"
@@ -25,14 +6,14 @@
 create: yes
 - name: create borg client repo on server
- shell: "borg init --rsh \"ssh -i /root/.ssh/borg\" --encryption=none borg@{{ borg_server }}:/srv/borg/repos/{{ ansible_hostname }}"
- when: hostvars[borg_server]['ansible_local']['borg']['repos'][ansible_hostname] is not defined
+ shell: "borg init --rsh \"ssh -i /root/.ssh/borg\" --encryption=none borg@{{ borg_server }}:/srv/borg/repos/{{ inventory_hostname }}"
+ when: hostvars[borg_server]['ansible_local']['borg']['repos'][inventory_hostname] is not defined
 - name: reload ansible_local
 setup: filter=ansible_local
 delegate_to: "{{ borg_server }}"
 delegate_facts: True
- when: hostvars[borg_server]['ansible_local']['borg']['repos'][ansible_hostname] is not defined
+ when: hostvars[borg_server]['ansible_local']['borg']['repos'][inventory_hostname] is not defined
 - name: deploy borg backup script
 template:
diff --git a/tasks/client_init.yml b/tasks/client_init.yml
new file mode 100644
index 0000000..251bee4
--- /dev/null
+++ b/tasks/client_init.yml
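Review bot: `inventory_hostname` in the new `shell:` line and the two `when:` conditions of the second hunk is the name the host carries in the inventory, not the machine's fqdn, so the repository directory only becomes "the fqdn" (as the commit subject and the README note say) when hosts are inventoried by fqdn; `ansible_fqdn` is the fact that would actually give that. Either key is workable, but it must be the same key the action plugin uses for `client.hostname` in the server's authorized_keys, and it decides which directories operators have to rename on upgrade, so the choice deserves a comment, e.g. `# repositories are keyed by inventory_hostname; it must match client.hostname in the server's authorized_keys template`. The `deploy borg backup script` task at the end of the second hunk continues past the hunk.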
@@ -0,0 +1,12 @@
+---
+- name: generate borg ssh key on client
+ openssh_keypair:
+ owner: root
+ mode: 0400
+ path: /root/.ssh/borg
+ type: ed25519
+ register: borg_ssh_key
+
+- name: reload ansible_local
+ setup: filter=ansible_local
+ #when: borg_ssh_key.changed
diff --git a/tasks/main.yml b/tasks/main.yml
index 8832443..2606ecf 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,4 +1,7 @@
 ---
+- import_tasks: client_init.yml
+ when: borg_server is defined
+
 - action: borg_validate
 - action: borg_init
diff --git a/tasks/server.yml b/tasks/server.yml
index 78754a2..ce731f6 100644
--- a/tasks/server.yml
+++ b/tasks/server.yml
@@ -24,4 +24,11 @@
 - /srv/borg
 - /srv/borg/.ssh
 - /srv/borg/repos
+
+- name: deploy borg authorized_keys
+ template:
+ dest: /srv/borg/.ssh/authorized_keys
+ src: authorized_keys
+ owner: borg
+ mode: 0400
 ...
diff --git a/templates/authorized_keys b/templates/authorized_keys
new file mode 100644
index 0000000..49c8820
--- /dev/null
+++ b/templates/authorized_keys
@@ -0,0 +1,3 @@
+{% for client in borg.server.clients %}
+command="borg serve --restrict-to-path /srv/borg/repos/{{ client.hostname }}",restrict {{ client.pubkey }}
+{% endfor %}
diff --git a/templates/backup.sh.j2 b/templates/backup.sh.j2
index 3937dfc..57d1854 100644
--- a/templates/backup.sh.j2
+++ b/templates/backup.sh.j2
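Review bot: `#when: borg_ssh_key.changed` on the last line of `client_init.yml` turns the `reload ansible_local` task into an unconditional one while leaving the old condition as dead text, so a later reader cannot tell whether this was deliberate or a debugging leftover. If the fact has to be refreshed on every run — presumably so that `ansible_local.borg.pubkey` is present in every client's hostvars when the server renders its authorized_keys, even for clients whose key already existed — replace the commented line with that reason, e.g. `# always refresh: the server's authorized_keys template reads ansible_local.borg.pubkey from each client's hostvars`; otherwise restore the `when:`. Either way the commented-out line should not stay.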
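Review bot: The new `import_tasks: client_init.yml` placed before `- action: borg_init` in `main.yml` makes the server's key list correct only if every client has finished `client_init.yml` before the server's `borg_init` action reads `hostvars[...]['ansible_local']['borg']['pubkey']`; with the default linear strategy that holds, but under `strategy: free` a newly added client may still lack the fact when the server reaches `borg_init`. Since the plugin fails rather than renders a partial file in that case, the consequence is a failed run, not a lockout, but the dependency is invisible here. A comment on the import, e.g. `# must complete on all clients before borg_init runs on the server (relies on the linear strategy)`, would make the ordering requirement explicit.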
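Review bot: The new `deploy borg authorized_keys` task in `server.yml` replaces the whole file on every run, which is the point of the change, but it also means a run in which `borg.server.clients` renders empty writes an empty authorized_keys and revokes every client's access at once. Whether an empty list is ever legitimate (a server with no clients yet) is for the role author to decide; if it is not, a guard such as `when: borg.server.clients | length > 0` on this task keeps the previous file in place instead of locking everyone out, at the cost of leaving stale keys until the next full run. Adding `validate: ssh-keygen -lf %s` would additionally reject a render sshd cannot parse before it lands, if the server's ssh-keygen accepts authorized_keys-format input. The file-creation task above the hunk is not fully visible, so I cannot confirm the `/srv/borg/.ssh` directory mode sshd's StrictModes requires.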
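Review bot: In `templates/authorized_keys` the `command=` value embeds `{{ client.hostname }}` unquoted inside a double-quoted option, so an inventory name containing `"`, `/` or whitespace would produce a malformed line or a different path than intended; the action plugin that builds `borg.server.clients` is the right place to reject such names, and a one-line comment here stating that the hostname must be a plain path component would document the contract. Keeping `restrict` on every entry is the right choice. `--restrict-to-path` grants access to the directory and everything beneath it; if the servers run a borg release that supports `--restrict-to-repository`, pinning the key to `/srv/borg/repos/{{ client.hostname }}` with that option is the tighter equivalent for this one-repository-per-client layout.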
@@ -15,13 +15,13 @@ export BORG_RSH="ssh -i /root/.ssh/borg"
 {{ job.pre_command }}
 {% endif %}
 {% if job.command_to_pipe is defined %}
-{{ job.command_to_pipe }} | borg create borg@{{ borg_server }}:/srv/borg/repos/{{ ansible_hostname }}::{{ job.name }}-{now} -
+{{ job.command_to_pipe }} | borg create borg@{{ borg_server }}:/srv/borg/repos/{{ inventory_hostname }}::{{ job.name }}-{now} -
 {% else %}
-borg create {% for exclude in job.exclude|default([]) %} --exclude {{ exclude }}{% endfor %} borg@{{ borg_server }}:/srv/borg/repos/{{ ansible_hostname }}::{{ job.name }}-{now} {{ job.path }}
+borg create {% for exclude in job.exclude|default([]) %} --exclude {{ exclude }}{% endfor %} borg@{{ borg_server }}:/srv/borg/repos/{{ inventory_hostname }}::{{ job.name }}-{now} {{ job.path }}
 {% endif %}
 {% if job.post_command is defined %}
 {{ job.post_command }}
 {% endif %}
 {% endfor %}
-borg prune borg@{{ borg_server }}:/srv/borg/repos/{{ ansible_hostname }} {{ borg_prune_arguments }}
+borg prune borg@{{ borg_server }}:/srv/borg/repos/{{ inventory_hostname }} {{ borg_prune_arguments }}
--
cgit v1.2.3