add support to create a remote sftp user

nd 2021-06-12 19:04:29 +02:00
parent 90f6b0a360
commit de9e0004f6
No known key found for this signature in database
GPG key ID: 21B5CD4DEE3670E9
3 changed files with 86 additions and 2 deletions


@ -34,14 +34,14 @@ backends:
restic: restic:
# url of the restic repository # url of the restic repository
url: '/var/backup-client/restic' url: '/var/backup-client/restic'
# repository type musst be 'local' # repository type can be 'local' or 'sftp'
repo_type: 'local' repo_type: 'local'
# Mode in which the backup is taken. One of the following: # Mode in which the backup is taken. One of the following:
# #
# vm-via-hypervisor: backup a vm via restic on the hypervisor. Saves config on the host # vm-via-hypervisor: backup a vm via restic on the hypervisor. Saves config on the host
# hypervisor-restic: backup its vms via restic # hypervisor-restic: backup its vms via restic
# standalone-restic: use restic on the target itself to save a backup to a backup location (TODO) # standalone-restic: use restic on the target itself to save a backup to a backup location
mode: vm-via-hypervisor mode: vm-via-hypervisor
# Allows backups to be skipped # Allows backups to be skipped
@ -68,6 +68,26 @@ export:
# port: 22 # port: 22
# key: "/etc/backup-client/id_ed25519" # key: "/etc/backup-client/id_ed25519"
# Settings to create a remote sftp user. Use this for restic sftp repos
remote_sftp_user:
# enable/disable the user creation feature
enabled: False
# user name
name: backup
# user group
group: nogroup
# user auxillary groups
groups: []
# host to create the user on
host: ~
# Path used to setup an sftp chroot using ssh.
# Only the top most folder is created
chroot_basepath: "/var/chroots/{{ inventory_hostname }}"
# Path to bindmount in the chroot jail
storage_path: "/srv/backups/{{ inventory_hostname }}"
# Wether to create the topmost storage folder or not
create_storage_folder: True
# keys are strings with glob patterns of files to be excluded. Value musst be true to enable the exclude, false to disable it # keys are strings with glob patterns of files to be excluded. Value musst be true to enable the exclude, false to disable it
# Only supportet in restic based backups # Only supportet in restic based backups
exclude_files: {} exclude_files: {}
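Review bot: `enabled: False` and `create_storage_folder: True` in the new `remote_sftp_user` stanza (and the same two keys in the defaults hunk further down this page) use capitalised booleans; Ansible accepts them, but yamllint's truthy rule flags them and lowercase is the canonical form, so `enabled: false` and `create_storage_folder: true`. The comments on `groups` and `create_storage_folder` have typos: `# user auxiliary groups` and `# Whether to create the topmost storage folder or not`. `host: ~` is a null default that the tasks file later passes to `delegate_to`; writing it as `host: null` and noting in its comment that it must be set once `enabled` is true would make that dependency visible to whoever edits the defaults.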


@ -26,6 +26,15 @@ backups:
years: 3 years: 3
export: export:
destinations: [] destinations: []
remote_sftp_user:
name: backup
host: ~
chroot_basepath: "/var/chroots/{{ inventory_hostname }}"
storage_path: "/srv/backups/{{ inventory_hostname }}"
groups: []
group: nogroup
enabled: False
create_storage_folder: True
exclude_files: exclude_files:
'/tmp': true '/tmp': true
'/var/tmp': true '/var/tmp': true


@ -15,6 +15,7 @@
when: backup_executor when: backup_executor
block: block:
- name: generate ssh key - name: generate ssh key
register: backup_ssh_key_task
community.crypto.openssh_keypair: community.crypto.openssh_keypair:
path: /etc/backup-client/id_ed25519 path: /etc/backup-client/id_ed25519
type: ed25519 type: ed25519
@ -98,6 +99,60 @@
group: root group: root
mode: 0700 mode: 0700
- name: create a remote sftp user if enabled
when:
- backups.remote_sftp_user.enabled
- backup_executor
delegate_to: "{{ backups.remote_sftp_user.host }}"
block:
- name: "create user {{ backups.remote_sftp_user.name }}"
user:
name: "{{ backups.remote_sftp_user.name }}"
createhome: yes
shell: /sbin/nologin
system: false
group: "{{ backups.remote_sftp_user.group }}"
groups: "{{backups.remote_sftp_user.groups }}"
- name: add ssh key to user
when: not ansible_check_mode
ansible.posix.authorized_key:
user: "{{ backups.remote_sftp_user.name }}"
state: present
key: '{{ backup_ssh_key_task.public_key }}'
- name: create chroot folder
file:
path: "{{ backups.remote_sftp_user.chroot_basepath }}"
owner: root
group: root
mode: 0755
state: directory
- name: create bind mount point in chroot folder
file:
path: "{{ backups.remote_sftp_user.chroot_basepath }}/backups"
owner: "{{ backups.remote_sftp_user.name }}"
group: "{{ backups.remote_sftp_user.group }}"
mode: 0700
state: directory
- name: create storage folder
when: backups.remote_sftp_user.create_storage_folder
file:
path: "{{ backups.remote_sftp_user.storage_path }}"
owner: "{{ backups.remote_sftp_user.name }}"
group: "{{ backups.remote_sftp_user.group }}"
mode: 0700
state: directory
- name: "setup bindmount"
loop:
- mounted
- present
mount:
path: "{{ backups.remote_sftp_user.chroot_basepath }}/backups"
src: "{{ backups.remote_sftp_user.storage_path }}"
opts: "rw,bind,noauto,x-systemd.automount"
fstype: auto
passno: "0"
state: "{{ item }}"
- name: handle common restic based setup tasks - name: handle common restic based setup tasks
when: backup_backend == 'restic' when: backup_backend == 'restic'
block: block:
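Review bot: The `add ssh key to user` task installs the executor's public key with no `key_options`, and nothing in this commit configures sshd to chroot or restrict the new user, so the `chroot_basepath` directory created as root:root 0755 has no effect unless a `Match User` block with `ChrootDirectory` and `ForceCommand internal-sftp` is managed elsewhere; if it is, a comment on the `create a remote sftp user if enabled` block saying so would help, and if it is not, `key_options: 'restrict'` on the `authorized_key` task is a cheap way to keep the key limited to its intended use in the meantime. `delegate_to: "{{ backups.remote_sftp_user.host }}"` takes the default `host: ~` (null) unchecked, so enabling the feature without setting a host delegates to an empty string; an `ansible.builtin.assert` that `backups.remote_sftp_user.host` is defined and non-empty as the first task of the block would fail early with a clear message. As a point of style, the `mode: 0700` / `mode: 0755` values in the three `file` tasks are unquoted octals that Ansible warns about (`mode: "0700"`), `createhome: yes` is the deprecated spelling of `create_home: true`, and `"{{backups.remote_sftp_user.groups }}"` is missing the space after `{{` that every other expression in the block has.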