allow access to backups through sftp in ro mode

roles/common/tasks/backup.yml

@@ -1,34 +1,27 @@
 # 1. Backup incrémental tous les jours vers la storage box:
-#   1. Dans /mnt/backups, accessible en ro pour l'user system "backup"
-#      -> un seul backup host = celui de la storage box en sftp (pourrait être autre chose à terme)
+#   1. Dans /mnt/backups, accessible en ro pour l'user "backup-sync"
+#      -> un seul backup repository = celui de la storage box en sftp (ou via le point de montage en sshfs)
 #      -> via autofs + sshfs (permet de libérer la connexion en dehors de la phase de backups)
-#   2. Chiffrement avec clé symétrique. La clé n'est connue que par l'host.
+#   2. Chiffrement avec clé symétrique. La clé n'est connue que par l'host
+#      -> Stocker la clé dans un lieu sûr
 # 2. D'autres machines se connectent pour récupérer les backups (rsync):
-#   1. En sftp chrooté via l'user system "backup"
-#   2. Donner accès SSH pour ces machines à l'user system "backup"
+#   1. En sftp chrooté via l'user "backup-sync"
+#   2. Donner accès SSH pour ces machines à l'user "backup-sync"
+# Note: L'user "backup" est déjà utilisé par Ubuntu, donc ne pas l'utiliser pour éviter des conflits (mauvais home, etc.)
 
-- name: Create SSH directory
+- include_tasks: user.yml
+  vars:
+    user:
+      name: "{{ backup_owner }}"
+      groups: []
+
+- name: Ensure backup directory is read-only for backup user
   file:
-    path: "{{ ssh_config_dir }}"
+    path: "{{ backup_chroot_dir }}"
     state: directory
-    mode: "700"
-
-- name: Create SSH config file
-  file:
-    path: "{{ ssh_config_dir }}/config"
-    state: touch
-    access_time: preserve
-    modification_time: preserve
-    mode: "600"
-
-- name: Create backup user
-  user:
-    name: "{{ backup_owner }}"
-    shell: /bin/bash
-    # See https://unix.stackexchange.com/questions/193066/how-to-unlock-account-for-public-key-ssh-authorization-but-not-for-password-aut/193131#193131
-    password: '*'
-    state: present
-    update_password: always
+    owner: root
+    group: root
+    mode: "og=rx"
 
 - name: Include Storage Box backup tasks
   import_tasks: backup_storage_box.yml

roles/common/tasks/backup_borg.yml

@@ -7,25 +7,25 @@
     loop_var: borg_package
 
 - name: Initialize Borg repository
-  command: borg init --make-parent-dirs -e "{{ borg_encryption_mode }}" "{{ borg_repository }}"
+  command: borg init --make-parent-dirs --umask "{{ borgmatic_config.storage.umask }}" -e "{{ borg_encryption_mode }}" "{{ borg_repository }}"
   environment:
-    BORG_PASSPHRASE: "{{ borg_passphrase }}"
+    BORG_PASSPHRASE: "{{ borgmatic_config.storage.encryption_passphrase }}"
   changed_when: "'A repository already exists' not in _borg_backup_init.stderr"
   failed_when: _borg_backup_init.rc >= 2 and 'A repository already exists' not in _borg_backup_init.stderr
   register: _borg_backup_init
 
 - name: Create Borgmatic config directory
   file:
-    path: /etc/borgmatic
+    path: "{{ borgmatic_config_dir }}"
     state: directory
     owner: root
     group: root
     mode: "755"
 
-- name: Copy Borgmatic config file
+- name: Copy Borgmatic config files
   copy:
     content: "{{ borgmatic_config | to_nice_yaml(indent=2) }}"
-    dest: /etc/borgmatic/config.yaml
+    dest: "{{ borgmatic_config_dir }}/config.yaml"
     owner: root
     group: root
     mode: "600"

roles/common/tasks/backup_storage_box.yml

@@ -6,11 +6,25 @@
   loop_control:
     loop_var: storage_box_package
 
+- name: Create SSH directory
+  file:
+    path: "{{ ssh_config_dir }}"
+    state: directory
+    mode: "700"
+
 - name: Generate SSH key pair for storage box {{ storage_box_host }}
   openssh_keypair:
     path: "{{ ssh_config_dir }}/{{ storage_box_prefix }}"
     type: ed25519
 
+- name: Create SSH config file
+  file:
+    path: "{{ ssh_config_dir }}/config"
+    state: touch
+    access_time: preserve
+    modification_time: preserve
+    mode: "600"
+
 - name: Update SSH config file for storage box {{ storage_box_host }}
   blockinfile:
     path: "{{ ssh_config_dir }}/config"

roles/common/tasks/openssh.yml

@@ -8,7 +8,7 @@
     owner: "0"
     group: "0"
     mode: "0644"
-    validate: '/usr/sbin/sshd -T -f %s'
+    validate: '/usr/sbin/sshd -T -C user=root -C host=localhost -C addr=localhost -f %s'
   notify: restart openssh
 
 - name: Trigger OpenSSH handlers