fix storage box permissions for backup-sync user

2020-11-29 15:56:59 +01:00
parent 7f3f811afb
commit 750241cd47
7 changed files with 16 additions and 105 deletions
--- a/roles/common/defaults/main.yml
+++ b/roles/common/defaults/main.yml
@@ -23,14 +23,14 @@ backup_group: "{{ backup_owner }}"
 backup_chroot_dir: /mnt/backup

 storage_box_enabled: no
-storage_box_host: storage.example.com
+storage_box_host: "{{ storage_box_username.split('-') | first }}.your-storagebox.de"
 storage_box_port: 23
 storage_box_path: /home/backup
 storage_box_mount:
  path: "{{ backup_chroot_dir }}"
  owner: "{{ backup_owner }}"
  group: "{{ backup_group }}"
-  options: [rw,default_permissions]
+  options: "{{ storage_box_default_mount_options }}"
 storage_box_username: u123456-sub1
 storage_box_password: somesecret

--- a/roles/common/tasks/backup.yml
+++ b/roles/common/tasks/backup.yml
@@ -15,13 +15,14 @@
      name: "{{ backup_owner }}"
      groups: []

- name: Ensure backup directory is read-only for backup user
+- name: Create backup directory
  file:
    path: "{{ backup_chroot_dir }}"
    state: directory
    owner: root
    group: root
-    mode: "og=rx"
+    mode: "755"
+  when: not storage_box_enabled

 - name: Include Storage Box backup tasks
  import_tasks: backup_storage_box.yml
--- a/roles/common/tasks/backup_storage_box.yml
+++ b/roles/common/tasks/backup_storage_box.yml
@@ -85,7 +85,7 @@
    path: /etc/auto.backup.{{ storage_box_prefix }}
    regex: "^{{ storage_box_mount.path }} "
    line: |
-      {{ storage_box_mount.path }} -fstype=fuse,{{ storage_box_mount.options | join(',') }},uid={{ storage_box_mount.owner }},gid={{ storage_box_mount.group }} :sshfs\#{{ storage_box_host }}\:{{ storage_box_path }}
+      {{ storage_box_mount.path }} -fstype=fuse,{{ storage_box_mount.options | join(',') }} :sshfs\#{{ storage_box_host }}\:{{ storage_box_path }}
    state: present
    create: yes
  notify: reload autofs
--- a/roles/common/vars/main.yml
+++ b/roles/common/vars/main.yml
@@ -4,6 +4,13 @@ storage_box_packages:
  - sshpass
  - sshfs
  - autofs
+storage_box_default_mount_options:
+  - rw
+  - default_permissions
+  - allow_other
+  - uid=root
+  - gid={{ backup_group }} 
 borg_packages:
  - borgbackup
-  - borgmatic
+  - borgmatic
+borg_umask: "{{ storage_box_enabled | ternary('0027', '0022') }}"