From 750241cd47dbfb51aa40ecfe66401a3ee99cf6af Mon Sep 17 00:00:00 2001
From: HgO
Date: Sun, 29 Nov 2020 15:56:59 +0100
Subject: [PATCH] fix storage box permissions for backup-sync user
---
 .gitattributes | 1 +
 ansible.cfg | 3 +-
 roles/common/defaults/main.yml | 4 +-
 roles/common/tasks/backup.yml | 5 +-
 roles/common/tasks/backup_storage_box.yml | 2 +-
 roles/common/vars/main.yml | 9 ++-
 scripts/gopass-client.py | 97 -----------------------
 7 files changed, 16 insertions(+), 105 deletions(-)
 create mode 100644 .gitattributes
 delete mode 100755 scripts/gopass-client.py
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..d426ecb
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1 @@
+.vault.secret filter=git-crypt diff=git-crypt
diff --git a/ansible.cfg b/ansible.cfg
index 9b2cedb..fc700c8 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -1,6 +1,5 @@
 [defaults]
-vault_identity=62a40f49-7deb-45e3-8c17-639277033357
-vault_password_file=scripts/gopass-client.py
+vault_password_file=.vault.secret
 host_key_checking = False
 inventory = inventories/hosts.ini
 roles_path = ~/.ansible/roles:./roles:/usr/share/ansible/roles:/etc/ansible/roles
diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml
index 8675b3f..bad5f44 100644
--- a/roles/common/defaults/main.yml
+++ b/roles/common/defaults/main.yml
@@ -23,14 +23,14 @@ backup_group: "{{ backup_owner }}"
 backup_chroot_dir: /mnt/backup
 storage_box_enabled: no
-storage_box_host: storage.example.com
+storage_box_host: "{{ storage_box_username.split('-') | first }}.your-storagebox.de"
 storage_box_port: 23
 storage_box_path: /home/backup
 storage_box_mount:
 path: "{{ backup_chroot_dir }}"
 owner: "{{ backup_owner }}"
 group: "{{ backup_group }}"
- options: [rw,default_permissions]
+ options: "{{ storage_box_default_mount_options }}"
 storage_box_username: u123456-sub1
 storage_box_password: somesecret
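Review bot: The git-crypt attribute on `.vault.secret` protects only commits made after this line exists and the repository has been initialised with git-crypt; if the password file was ever committed before that, or from a clone where the filter was not configured, the vault password sits in plain text in history. Nothing here says what `.vault.secret` holds or that the tree must be unlocked before Ansible can read it, so a comment above the line such as `# ansible-vault password (see ansible.cfg); encrypted at rest, run git-crypt unlock before ansible-playbook` would help. Running `git-crypt status` after this commit confirms the blob is actually stored encrypted.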
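Review bot: `vault_password_file=.vault.secret` now points at a plain-text password on disk once the repository is unlocked, and Ansible executes a vault password file that carries the executable bit instead of reading it, so the file has to stay mode 0600 and non-executable, which this config cannot enforce on its own. A comment on the new line, e.g. `# git-crypt encrypted; run git-crypt unlock before use and keep it 0600`, would record both the dependency on the filter added in .gitattributes and the permission expectation; the path is presumably resolved relative to this ansible.cfg, as the dropped `scripts/gopass-client.py` was. Unrelated to this change, the surviving `host_key_checking = False` disables SSH host-key verification for every play and deserves its own follow-up.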
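Review bot: The new `storage_box_host` default derives the host name from `storage_box_username` with `split('-') | first`, and nothing explains the convention; a comment such as `# sub-accounts are named <main-account>-subN and the box answers at <main-account>.your-storagebox.de, so derive the host from the username` above the line would spare the next reader the guesswork (a username without `-` simply yields itself). `options` now points at `storage_box_default_mount_options`, which lives in `vars/main.yml` and carries the uid/gid mapping and `default_permissions` that the autofs line in `backup_storage_box.yml` no longer adds itself, so an inventory that overrides `storage_box_mount` as a whole must re-state those options or the mount loses its ownership mapping. The `owner`/`group` keys of `storage_box_mount` are still defined here but, as far as the hunks show, no longer feed the mount line, so they can now disagree with `uid=root`/`gid={{ backup_group }}` without anyone noticing.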
diff --git a/roles/common/tasks/backup.yml b/roles/common/tasks/backup.yml
index 4d7f4f0..608c6fd 100644
--- a/roles/common/tasks/backup.yml
+++ b/roles/common/tasks/backup.yml
@@ -15,13 +15,14 @@
 name: "{{ backup_owner }}"
 groups: []
-- name: Ensure backup directory is read-only for backup user
+- name: Create backup directory
 file:
 path: "{{ backup_chroot_dir }}"
 state: directory
 owner: root
 group: root
- mode: "og=rx"
+ mode: "755"
+ when: not storage_box_enabled
 - name: Include Storage Box backup tasks
 import_tasks: backup_storage_box.yml
diff --git a/roles/common/tasks/backup_storage_box.yml b/roles/common/tasks/backup_storage_box.yml
index 2101f6b..82d542e 100644
--- a/roles/common/tasks/backup_storage_box.yml
+++ b/roles/common/tasks/backup_storage_box.yml
@@ -85,7 +85,7 @@
 path: /etc/auto.backup.{{ storage_box_prefix }}
 regex: "^{{ storage_box_mount.path }} "
 line: |
- {{ storage_box_mount.path }} -fstype=fuse,{{ storage_box_mount.options | join(',') }},uid={{ storage_box_mount.owner }},gid={{ storage_box_mount.group }} :sshfs\#{{ storage_box_host }}\:{{ storage_box_path }}
+ {{ storage_box_mount.path }} -fstype=fuse,{{ storage_box_mount.options | join(',') }} :sshfs\#{{ storage_box_host }}\:{{ storage_box_path }}
 state: present
 create: yes
 notify: reload autofs
diff --git a/roles/common/vars/main.yml b/roles/common/vars/main.yml
index 76f7479..a3ce5b1 100644
--- a/roles/common/vars/main.yml
+++ b/roles/common/vars/main.yml
@@ -4,6 +4,13 @@ storage_box_packages:
 - sshpass
 - sshfs
 - autofs
+storage_box_default_mount_options:
+ - rw
+ - default_permissions
+ - allow_other
+ - uid=root
+ - gid={{ backup_group }}
 borg_packages:
 - borgbackup
- - borgmatic
\ No newline at end of file
+ - borgmatic
+borg_umask: "{{ storage_box_enabled | ternary('0027', '0022') }}"
\ No newline at end of file
diff --git a/scripts/gopass-client.py b/scripts/gopass-client.py
deleted file mode 100755
index 73878ba..0000000
--- a/scripts/gopass-client.py
+++ /dev/null
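Review bot: The `when: not storage_box_enabled` guard means `{{ backup_chroot_dir }}` is no longer created by this role when the storage box is in use, so its existence and mode then depend on autofs creating the mount point, and nothing in the task says so. The old task name recorded why the directory is root-owned and not writable by `backup_owner`, and the rename to `Create backup directory` drops that intent, so keep it as a comment, e.g. `# root:root 0755: backup_owner must not be able to write here when no storage box is mounted` plus `# with storage_box_enabled the mount point is left to autofs`. Minor: Ansible's file module documentation prefers the leading-zero form `mode: "0755"` so the octal intent is unambiguous.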
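Review bot: The autofs map line now relies on `storage_box_mount.options` to carry the `uid=`/`gid=` mapping that this line used to add from `storage_box_mount.owner`/`.group`, so a deployment that sets those two keys, or overrides the options list without them, silently gets a mount owned by whatever sshfs defaults to; a comment on the `line:` key such as `# uid=/gid= are expected inside storage_box_mount.options (see vars/main.yml)` would make the contract visible. The enclosing lineinfile task starts above the hunk. Separately, the unchanged `regex: "^{{ storage_box_mount.path }} "` interpolates the path into a regular expression unescaped; `{{ storage_box_mount.path | regex_escape }}` would keep a path containing `.` or `+` from matching more lines than intended.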
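Review bot: `allow_other` makes the sshfs mount visible to every local account, and what keeps those accounts out of the backups is the combination of `default_permissions`, the synthetic `uid=root,gid={{ backup_group }}` ownership and the new `borg_umask` of `0027` (owner rw, group r, world nothing, presumably handed to borg outside this diff); that dependency spans three settings and is not written down anywhere. A comment above `storage_box_default_mount_options` such as `# allow_other exposes the mount to all users; default_permissions + uid/gid + borg_umask 0027 restrict it to root and backup_group` would tie them together. Whether sshfs/fuse accept the names `root` and `{{ backup_group }}` rather than numeric ids is worth confirming on a host, since the previous map line used the same name form via `storage_box_mount.owner` and may have relied on it. Also, `vars/main.yml` has higher precedence than inventory, so `borg_umask` cannot be overridden per host; if it is meant to be tunable it belongs in `defaults/main.yml`.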
@@ -1,97 +0,0 @@ -#!/usr/bin/env python3 -# -*- coding: utf-8 -*- - -import argparse -import configparser -import logging -import os -import subprocess -import sys - -ANSIBLE_ENV_DIR = os.getenv("ANSIBLE_CONFIG") -ANSIBLE_DIR = "/etc/ansible" -CURRENT_DIR = os.getcwd() -HOME_DIR = os.getenv("HOME") - -ANSIBLE_CONFIG_SECTION = "gopass" -ANSIBLE_CONFIG_KEY = "key_path" - -class ShutdownHandler(logging.Handler): - def emit(self, record): - logging.shutdown() - sys.exit(1) - -def find_ansible_config_value(section, key): - config = configparser.ConfigParser() - - ansible_config_dirs = [CURRENT_DIR, HOME_DIR, ANSIBLE_DIR] - if ANSIBLE_ENV_DIR: - ansible_config_dirs.insert(0, ANSIBLE_ENV_DIR) - - for ansible_config_dir in ansible_config_dirs: - ansible_config_path = os.path.join(ansible_config_dir, "ansible.cfg") - config.read(ansible_config_path) - - try: - return config[section][key] - except KeyError: - logging.debug(f"Cannot find '{key}' key in '{ansible_config_path}' config file") - - ansible_config_paths = ':'.join(ansible_config_dirs) - raise RuntimeError(f"Cannot find key '{ANSIBLE_CONFIG_KEY}' in {ansible_config_paths}") - -def build_arg_parser(): - parser = argparse.ArgumentParser(description='Get a vault password from user keyring') - - parser.add_argument('--vault-id', action='store', default='', - dest='vault_id', - help='Name of the vault secret to get from keyring') - return parser - -def main(): - logger = logging.getLogger() - logger.setLevel(logging.NOTSET) - - formatter = logging.Formatter("%(levelname)s: %(message)s") - - stdout_handler = logging.StreamHandler(sys.stdout) - stdout_handler.setLevel(logging.INFO) - stdout_handler.addFilter(lambda record: record.levelno <= logging.INFO) - stdout_handler.setFormatter(formatter) - logger.addHandler(stdout_handler) - - stderr_handler = logging.StreamHandler(sys.stderr) - stderr_handler.setLevel(logging.WARNING) - stderr_handler.setFormatter(formatter) - logger.addHandler(stderr_handler) - - 
logger.addHandler(ShutdownHandler(level=logging.ERROR)) - - try: - ansible_config_value = find_ansible_config_value(ANSIBLE_CONFIG_SECTION, ANSIBLE_CONFIG_KEY) - except RuntimeError as e: - logging.error(e) - - arg_parser = build_arg_parser() - args = arg_parser.parse_args() - - ansible_vault_id = args.vault_id - gopass_key_path = os.path.join(ansible_config_value, ansible_vault_id) - - gopass_keys_cmd = subprocess.run(["gopass", "ls", "--flat"], stdout=subprocess.PIPE, stderr=subprocess.PIPE) - if gopass_keys_cmd.returncode != 0: - logging.error(gopass_keys_cmd.stderr.decode()) - gopass_keys = map(bytes.decode, gopass_keys_cmd.stdout.splitlines()) - - try: - gopass_keyname = next(key for key in gopass_keys if key.endswith(gopass_key_path)) - except StopIteration: - logging.error(f"Cannot find '{gopass_key_path}' entry in gopass") - - ansible_vault_pass_cmd = subprocess.run(["gopass", "show", "-o", gopass_keyname], stdout=subprocess.PIPE, stderr=subprocess.PIPE) - if ansible_vault_pass_cmd.returncode != 0: - logging.error(ansible_vault_pass_cmd.stderr.decode()) - print(ansible_vault_pass_cmd.stdout.decode()) - -if __name__ == '__main__': - main()