add support to create a remote sftp user

2021-06-12 19:04:29 +02:00 · 2021-06-12 19:04:29 +02:00 · de9e0004f6
commit de9e0004f6
parent 90f6b0a360
3 changed files with 86 additions and 2 deletions
--- a/README.md
+++ b/README.md
@ -34,14 +34,14 @@ backends:
 	restic:
 		# url of the restic repository
 		url: '/var/backup-client/restic'
-		# repository type musst be 'local'
+		# repository type can be 'local' or 'sftp'
 		repo_type: 'local'

 # Mode in which the backup is taken. One of the following:
 #
 # vm-via-hypervisor: backup a vm via restic on the hypervisor. Saves config on the host
 # hypervisor-restic: backup its vms via restic
-# standalone-restic: use restic on the target itself to save a backup to a backup location (TODO)
+# standalone-restic: use restic on the target itself to save a backup to a backup location
 mode: vm-via-hypervisor

 # Allows backups to be skipped
@ -68,6 +68,26 @@ export:
 #	  port: 22
 #	  key: "/etc/backup-client/id_ed25519"

+# Settings to create a remote sftp user. Use this for restic sftp repos
+remote_sftp_user:
+	# enable/disable the user creation feature
+	enabled: False
+	# user name
+	name: backup
+	# user group
+	group: nogroup
+	# user auxillary groups
+	groups: []
+	# host to create the user on
+	host: ~
+	# Path used to setup an sftp chroot using ssh.
+	# Only the top most folder is created
+	chroot_basepath: "/var/chroots/{{ inventory_hostname }}"
+	# Path to bindmount in the chroot jail
+	storage_path: "/srv/backups/{{ inventory_hostname }}"
+	# Wether to create the topmost storage folder or not
+	create_storage_folder: True
+
 # keys are strings with glob patterns of files to be excluded. Value musst be true to enable the exclude, false to disable it
 # Only supportet in restic based backups
 exclude_files: {}
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -26,6 +26,15 @@ backups:
    years: 3
  export:
    destinations: []
+  remote_sftp_user:
+    name: backup
+    host: ~
+    chroot_basepath: "/var/chroots/{{ inventory_hostname }}"
+    storage_path: "/srv/backups/{{ inventory_hostname }}"
+    groups: []
+    group: nogroup
+    enabled: False
+    create_storage_folder: True
  exclude_files:
    '/tmp': true
    '/var/tmp': true
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -15,6 +15,7 @@
  when: backup_executor
  block:
  - name: generate ssh key
+    register: backup_ssh_key_task
    community.crypto.openssh_keypair:
      path: /etc/backup-client/id_ed25519
      type: ed25519
@ -98,6 +99,60 @@
      group: root
      mode: 0700

+- name: create a remote sftp user if enabled
+  when:
+    - backups.remote_sftp_user.enabled
+    - backup_executor
+  delegate_to: "{{ backups.remote_sftp_user.host }}"
+  block:
+    - name: "create user {{ backups.remote_sftp_user.name }}"
+      user:
+        name: "{{ backups.remote_sftp_user.name }}"
+        createhome: yes
+        shell: /sbin/nologin
+        system: false
+        group: "{{ backups.remote_sftp_user.group }}"
+        groups: "{{backups.remote_sftp_user.groups }}"
+    - name: add ssh key to user
+      when: not ansible_check_mode
+      ansible.posix.authorized_key:
+        user: "{{ backups.remote_sftp_user.name }}"
+        state: present
+        key: '{{ backup_ssh_key_task.public_key }}'
+    - name: create chroot folder
+      file:
+        path: "{{ backups.remote_sftp_user.chroot_basepath }}"
+        owner: root
+        group: root
+        mode: 0755
+        state: directory
+    - name: create bind mount point in chroot folder
+      file:
+        path: "{{ backups.remote_sftp_user.chroot_basepath }}/backups"
+        owner: "{{ backups.remote_sftp_user.name }}"
+        group: "{{ backups.remote_sftp_user.group }}"
+        mode: 0700
+        state: directory
+    - name: create storage folder
+      when: backups.remote_sftp_user.create_storage_folder
+      file:
+        path: "{{ backups.remote_sftp_user.storage_path }}"
+        owner: "{{ backups.remote_sftp_user.name }}"
+        group: "{{ backups.remote_sftp_user.group }}"
+        mode: 0700
+        state: directory
+    - name: "setup bindmount"
+      loop:
+        - mounted
+        - present
+      mount:
+        path: "{{ backups.remote_sftp_user.chroot_basepath }}/backups"
+        src: "{{ backups.remote_sftp_user.storage_path }}"
+        opts: "rw,bind,noauto,x-systemd.automount"
+        fstype: auto
+        passno: "0"
+        state: "{{ item }}"
+
 - name: handle common restic based setup tasks
  when: backup_backend == 'restic'
  block: