allow access to backups through sftp in ro mode
parent
a06ff04caa
commit
7f3f811afb
|
@ -19,13 +19,9 @@ storage_box_host: storage.pirateparty.be
|
||||||
storage_box_username: "{{ vault_storage_box_username }}"
|
storage_box_username: "{{ vault_storage_box_username }}"
|
||||||
storage_box_password: "{{ vault_storage_box_password }}"
|
storage_box_password: "{{ vault_storage_box_password }}"
|
||||||
|
|
||||||
borg_passphrase: "{{ vault_borg_passphrase }}"
|
|
||||||
|
|
||||||
# Add SSH keys in playbooks/files/ssh/<username>/
|
# Add SSH keys in playbooks/files/ssh/<username>/
|
||||||
users:
|
users:
|
||||||
- name: hgo
|
- name: hgo
|
||||||
- name: tierce
|
- name: tierce
|
||||||
- name: backup
|
|
||||||
groups: []
|
|
||||||
|
|
||||||
acme_email: it@pirateparty.be
|
acme_email: it@pirateparty.be
|
|
@ -11,7 +11,8 @@ borgmatic_config:
|
||||||
- "{{ mastodon_home }}/elasticsearch"
|
- "{{ mastodon_home }}/elasticsearch"
|
||||||
- "{{ mastodon_home }}/redis"
|
- "{{ mastodon_home }}/redis"
|
||||||
storage:
|
storage:
|
||||||
encryption_passphrase: "{{ borg_passphrase }}"
|
umask: "{{ borg_umask }}"
|
||||||
|
encryption_passphrase: "{{ vault_borg_passphrase }}"
|
||||||
compression: zlib,7
|
compression: zlib,7
|
||||||
retention:
|
retention:
|
||||||
keep_hourly: 24
|
keep_hourly: 24
|
||||||
|
|
|
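Review bot: The `umask: "{{ borg_umask }}"` key has to be repeated in every host's `borgmatic_config` because with Ansible's default `hash_behaviour=replace` this host_vars mapping replaces the role default wholesale instead of merging with it (assuming the project has not switched to `merge`); a host file that forgets the key silently falls back to borg's built-in umask 0077 and, if borg runs as root, the repository files end up unreadable for the read-only backup user this commit introduces. A comment above `storage:` such as `# full override of the role default — keep umask/encryption_passphrase in sync with defaults/main.yml` would make the coupling visible, or `umask` could become a plain variable the role applies outside the per-host dict. `borg_umask` itself is not assigned in any host_vars or defaults hunk visible in this commit.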
@ -6,7 +6,8 @@ borgmatic_config:
|
||||||
repositories:
|
repositories:
|
||||||
- "{{ borg_repository }}"
|
- "{{ borg_repository }}"
|
||||||
storage:
|
storage:
|
||||||
encryption_passphrase: "{{ borg_passphrase }}"
|
umask: "{{ borg_umask }}"
|
||||||
|
encryption_passphrase: "{{ vault_borg_passphrase }}"
|
||||||
compression: zlib,7
|
compression: zlib,7
|
||||||
retention:
|
retention:
|
||||||
keep_hourly: 24
|
keep_hourly: 24
|
||||||
|
|
|
@ -0,0 +1 @@
|
||||||
|
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcLrF84oKOGw5zahiEbmugh5BYhsnFwJSEX+EAVZcwj root@batato.be
|
|
@ -18,15 +18,16 @@ user_default_groups:
|
||||||
|
|
||||||
openssh_port: "22"
|
openssh_port: "22"
|
||||||
|
|
||||||
backup_owner: backup
|
backup_owner: backup-sync
|
||||||
backup_group: "{{ backup_owner }}"
|
backup_group: "{{ backup_owner }}"
|
||||||
|
backup_chroot_dir: /mnt/backup
|
||||||
|
|
||||||
storage_box_enabled: no
|
storage_box_enabled: no
|
||||||
storage_box_host: storage.example.com
|
storage_box_host: storage.example.com
|
||||||
storage_box_port: 23
|
storage_box_port: 23
|
||||||
storage_box_path: /home/backup
|
storage_box_path: /home/backup
|
||||||
storage_box_mount:
|
storage_box_mount:
|
||||||
path: "/mnt/backup"
|
path: "{{ backup_chroot_dir }}"
|
||||||
owner: "{{ backup_owner }}"
|
owner: "{{ backup_owner }}"
|
||||||
group: "{{ backup_group }}"
|
group: "{{ backup_group }}"
|
||||||
options: [rw,default_permissions]
|
options: [rw,default_permissions]
|
||||||
|
@ -34,14 +35,14 @@ storage_box_username: u123456-sub1
|
||||||
storage_box_password: somesecret
|
storage_box_password: somesecret
|
||||||
|
|
||||||
borg_encryption_mode: keyfile
|
borg_encryption_mode: keyfile
|
||||||
borg_passphrase: "{{ vault_borg_passphrase }}"
|
|
||||||
borg_repository: |-
|
borg_repository: |-
|
||||||
{%- if storage_box_enabled -%}
|
{%- if storage_box_enabled -%}
|
||||||
{{ storage_box_host }}:{{ storage_box_path }}/borg
|
{{ storage_box_host }}:{{ storage_box_path }}/borg
|
||||||
{%- else -%}
|
{%- else -%}
|
||||||
{{ storage_box_mount.path }}/borg
|
{{ backup_chroot_dir }}/borg
|
||||||
{%- endif -%}
|
{%- endif -%}
|
||||||
|
|
||||||
|
borgmatic_config_dir: /etc/borgmatic
|
||||||
borgmatic_config:
|
borgmatic_config:
|
||||||
location:
|
location:
|
||||||
source_directories:
|
source_directories:
|
||||||
|
@ -69,7 +70,8 @@ borgmatic_config:
|
||||||
- /var/snap
|
- /var/snap
|
||||||
exclude_caches: true
|
exclude_caches: true
|
||||||
storage:
|
storage:
|
||||||
encryption_passphrase: "{{ borg_passphrase }}"
|
umask: "{{ borg_umask }}"
|
||||||
|
encryption_passphrase: "{{ vault_borg_passphrase }}"
|
||||||
compression: zlib,7
|
compression: zlib,7
|
||||||
retention:
|
retention:
|
||||||
keep_hourly: 24
|
keep_hourly: 24
|
||||||
|
|
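Review bot: `borg_umask` is consumed by the `storage.umask` entry of the `borgmatic_config` default and by the `borg init --umask` call, yet no default for it appears in this file's hunks; unless it is set in the first 17 lines not shown here, every run without a host override fails on an undefined variable. Add it next to `borg_encryption_mode`, quoted: `borg_umask: "0027"` — an unquoted `0027` is read as the octal integer 23 by YAML 1.1 loaders and would reach borg as `--umask 23`. A one-line comment such as `# group-readable so the chrooted backup_group user can pull the repo; never world-readable` records why the value departs from borg's default 0077. Note also that `backup_chroot_dir` doubles as the sshfs mount point whose `owner` is `{{ backup_owner }}`, while sshd requires a root-owned ChrootDirectory — worth a comment on `backup_chroot_dir`.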
|
@ -0,0 +1 @@
|
||||||
|
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM210TheGfg4/YnQxbopJ41Q2ADv3uPViWtv8+4MoAAy ppbe@vagrant
|
|
@ -0,0 +1,17 @@
|
||||||
|
borgmatic_config:
|
||||||
|
location:
|
||||||
|
source_directories:
|
||||||
|
- /home
|
||||||
|
- /root
|
||||||
|
repositories:
|
||||||
|
- "{{ borg_repository }}"
|
||||||
|
exclude_caches: true
|
||||||
|
storage:
|
||||||
|
umask: "{{ borg_umask }}"
|
||||||
|
encryption_passphrase: "{{ vault_borg_passphrase }}"
|
||||||
|
compression: zlib,7
|
||||||
|
retention:
|
||||||
|
keep_hourly: 24
|
||||||
|
keep_daily: 7
|
||||||
|
keep_weekly: 4
|
||||||
|
keep_monthly: 6
|
|
@ -1,34 +1,27 @@
|
||||||
# 1. Backup incrémental tous les jours vers la storage box:
|
# 1. Backup incrémental tous les jours vers la storage box:
|
||||||
# 1. Dans /mnt/backups, accessible en ro pour l'user system "backup"
|
# 1. Dans /mnt/backups, accessible en ro pour l'user "backup-sync"
|
||||||
# -> un seul backup host = celui de la storage box en sftp (pourrait être autre chose à terme)
|
# -> un seul backup repository = celui de la storage box en sftp (ou via le point de montage en sshfs)
|
||||||
# -> via autofs + sshfs (permet de libérer la connexion en dehors de la phase de backups)
|
# -> via autofs + sshfs (permet de libérer la connexion en dehors de la phase de backups)
|
||||||
# 2. Chiffrement avec clé symétrique. La clé n'est connue que par l'host.
|
# 2. Chiffrement avec clé symétrique. La clé n'est connue que par l'host
|
||||||
|
# -> Stocker la clé dans un lieu sûr
|
||||||
# 2. D'autres machines se connectent pour récupérer les backups (rsync):
|
# 2. D'autres machines se connectent pour récupérer les backups (rsync):
|
||||||
# 1. En sftp chrooté via l'user system "backup"
|
# 1. En sftp chrooté via l'user "backup-sync"
|
||||||
# 2. Donner accès SSH pour ces machines à l'user system "backup"
|
# 2. Donner accès SSH pour ces machines à l'user "backup-sync"
|
||||||
|
# Note: L'user "backup" est déjà utilisé par Ubuntu, donc ne pas l'utiliser pour éviter des conflits (mauvais home, etc.)
|
||||||
|
|
||||||
- name: Create SSH directory
|
- include_tasks: user.yml
|
||||||
|
vars:
|
||||||
|
user:
|
||||||
|
name: "{{ backup_owner }}"
|
||||||
|
groups: []
|
||||||
|
|
||||||
|
- name: Ensure backup directory is read-only for backup user
|
||||||
file:
|
file:
|
||||||
path: "{{ ssh_config_dir }}"
|
path: "{{ backup_chroot_dir }}"
|
||||||
state: directory
|
state: directory
|
||||||
mode: "700"
|
owner: root
|
||||||
|
group: root
|
||||||
- name: Create SSH config file
|
mode: "og=rx"
|
||||||
file:
|
|
||||||
path: "{{ ssh_config_dir }}/config"
|
|
||||||
state: touch
|
|
||||||
access_time: preserve
|
|
||||||
modification_time: preserve
|
|
||||||
mode: "600"
|
|
||||||
|
|
||||||
- name: Create backup user
|
|
||||||
user:
|
|
||||||
name: "{{ backup_owner }}"
|
|
||||||
shell: /bin/bash
|
|
||||||
# See https://unix.stackexchange.com/questions/193066/how-to-unlock-account-for-public-key-ssh-authorization-but-not-for-password-aut/193131#193131
|
|
||||||
password: '*'
|
|
||||||
state: present
|
|
||||||
update_password: always
|
|
||||||
|
|
||||||
- name: Include Storage Box backup tasks
|
- name: Include Storage Box backup tasks
|
||||||
import_tasks: backup_storage_box.yml
|
import_tasks: backup_storage_box.yml
|
||||||
|
|
|
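Review bot: `mode: "og=rx"` on `{{ backup_chroot_dir }}` makes the directory world-readable and only sets the directory bits, so "read-only for backup user" really depends on the umask borg uses for the files underneath; with `group: root` the backup-sync user gets no group access at all and is served by the `o=rx` bit, as is every other local account. For the stated goal prefer `owner: root`, `group: "{{ backup_group }}"`, `mode: "0750"`, which still satisfies sshd's ChrootDirectory requirement (root-owned, not group- or world-writable) while excluding unrelated users. Be aware that the same path is the sshfs mount point declared in defaults with `owner: "{{ backup_owner }}"`; while the autofs mount is active sshd validates the ownership of the mounted root, so the chroot may be refused if the remote side is not presented as root — a comment on this task, e.g. `# must stay root-owned and non-writable by others: sshd checks this path (mounted or not) before chrooting`, would save the next maintainer a debugging session.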
@ -7,25 +7,25 @@
|
||||||
loop_var: borg_package
|
loop_var: borg_package
|
||||||
|
|
||||||
- name: Initialize Borg repository
|
- name: Initialize Borg repository
|
||||||
command: borg init --make-parent-dirs -e "{{ borg_encryption_mode }}" "{{ borg_repository }}"
|
command: borg init --make-parent-dirs --umask "{{ borgmatic_config.storage.umask }}" -e "{{ borg_encryption_mode }}" "{{ borg_repository }}"
|
||||||
environment:
|
environment:
|
||||||
BORG_PASSPHRASE: "{{ borg_passphrase }}"
|
BORG_PASSPHRASE: "{{ borgmatic_config.storage.encryption_passphrase }}"
|
||||||
changed_when: "'A repository already exists' not in _borg_backup_init.stderr"
|
changed_when: "'A repository already exists' not in _borg_backup_init.stderr"
|
||||||
failed_when: _borg_backup_init.rc >= 2 and 'A repository already exists' not in _borg_backup_init.stderr
|
failed_when: _borg_backup_init.rc >= 2 and 'A repository already exists' not in _borg_backup_init.stderr
|
||||||
register: _borg_backup_init
|
register: _borg_backup_init
|
||||||
|
|
||||||
- name: Create Borgmatic config directory
|
- name: Create Borgmatic config directory
|
||||||
file:
|
file:
|
||||||
path: /etc/borgmatic
|
path: "{{ borgmatic_config_dir }}"
|
||||||
state: directory
|
state: directory
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: "755"
|
mode: "755"
|
||||||
|
|
||||||
- name: Copy Borgmatic config file
|
- name: Copy Borgmatic config files
|
||||||
copy:
|
copy:
|
||||||
content: "{{ borgmatic_config | to_nice_yaml(indent=2) }}"
|
content: "{{ borgmatic_config | to_nice_yaml(indent=2) }}"
|
||||||
dest: /etc/borgmatic/config.yaml
|
dest: "{{ borgmatic_config_dir }}/config.yaml"
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: "600"
|
mode: "600"
|
||||||
|
|
|
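Review bot: Reading the passphrase from the rendered config is fine, but with the default `borg_encryption_mode: keyfile` the repository key is stored in root's `~/.config/borg/keys` on this host and not inside the repository, so the copies other machines pull through the read-only sftp chroot cannot be decrypted unless the key is exported and kept off-host together with the passphrase. A comment above the task, `# keyfile mode: the key lives in ~/.config/borg/keys on this host, NOT in the repo — run 'borg key export' and store it safely or pulled copies cannot be restored`, would make that explicit, and a follow-up task running `borg key export` to a protected location would enforce it. The design notes in tasks/main.yml already say to store the key somewhere safe; this is where that requirement becomes concrete.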
@ -6,11 +6,25 @@
|
||||||
loop_control:
|
loop_control:
|
||||||
loop_var: storage_box_package
|
loop_var: storage_box_package
|
||||||
|
|
||||||
|
- name: Create SSH directory
|
||||||
|
file:
|
||||||
|
path: "{{ ssh_config_dir }}"
|
||||||
|
state: directory
|
||||||
|
mode: "700"
|
||||||
|
|
||||||
- name: Generate SSH key pair for storage box {{ storage_box_host }}
|
- name: Generate SSH key pair for storage box {{ storage_box_host }}
|
||||||
openssh_keypair:
|
openssh_keypair:
|
||||||
path: "{{ ssh_config_dir }}/{{ storage_box_prefix }}"
|
path: "{{ ssh_config_dir }}/{{ storage_box_prefix }}"
|
||||||
type: ed25519
|
type: ed25519
|
||||||
|
|
||||||
|
- name: Create SSH config file
|
||||||
|
file:
|
||||||
|
path: "{{ ssh_config_dir }}/config"
|
||||||
|
state: touch
|
||||||
|
access_time: preserve
|
||||||
|
modification_time: preserve
|
||||||
|
mode: "600"
|
||||||
|
|
||||||
- name: Update SSH config file for storage box {{ storage_box_host }}
|
- name: Update SSH config file for storage box {{ storage_box_host }}
|
||||||
blockinfile:
|
blockinfile:
|
||||||
path: "{{ ssh_config_dir }}/config"
|
path: "{{ ssh_config_dir }}/config"
|
||||||
|
|
|
@ -8,7 +8,7 @@
|
||||||
owner: "0"
|
owner: "0"
|
||||||
group: "0"
|
group: "0"
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
validate: '/usr/sbin/sshd -T -f %s'
|
validate: '/usr/sbin/sshd -T -C user=root -C host=localhost -C addr=localhost -f %s'
|
||||||
notify: restart openssh
|
notify: restart openssh
|
||||||
|
|
||||||
- name: Trigger OpenSSH handlers
|
- name: Trigger OpenSSH handlers
|
||||||
|
|
|
@ -14,4 +14,10 @@ PrintMotd no
|
||||||
|
|
||||||
AcceptEnv LANG LC_*
|
AcceptEnv LANG LC_*
|
||||||
|
|
||||||
Subsystem sftp /usr/lib/openssh/sftp-server
|
Subsystem sftp internal-sftp
|
||||||
|
|
||||||
|
Match Group {{ backup_owner }}
|
||||||
|
X11Forwarding no
|
||||||
|
AllowTcpForwarding no
|
||||||
|
ChrootDirectory {{ backup_chroot_dir }}
|
||||||
|
ForceCommand internal-sftp
|
||||||
|
|
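Review bot: The Match block chroots the backup group and forces sftp, but nothing in it makes the session read-only — the commit title promises ro mode, and at present only filesystem permissions stand between a pull host and deleting or corrupting the repository. `internal-sftp` has a read-only flag for exactly this: `ForceCommand internal-sftp -R` refuses every write operation regardless of directory modes and is a one-line change. While touching the block, `AllowAgentForwarding no` and `PermitTunnel no` close the forwarding paths that `AllowTcpForwarding no`/`X11Forwarding no` leave open, and matching on `{{ backup_group }}` rather than `{{ backup_owner }}` follows the intent of the `Match Group` directive (the two defaults are equal today, so behaviour is unchanged).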