allow access to backups through sftp in ro mode

master
HgO 2020-11-29 13:04:38 +01:00
parent a06ff04caa
commit 7f3f811afb
12 changed files with 75 additions and 43 deletions

View File

@ -19,13 +19,9 @@ storage_box_host: storage.pirateparty.be
storage_box_username: "{{ vault_storage_box_username }}" storage_box_username: "{{ vault_storage_box_username }}"
storage_box_password: "{{ vault_storage_box_password }}" storage_box_password: "{{ vault_storage_box_password }}"
borg_passphrase: "{{ vault_borg_passphrase }}"
# Add SSH keys in playbooks/files/ssh/<username>/ # Add SSH keys in playbooks/files/ssh/<username>/
users: users:
- name: hgo - name: hgo
- name: tierce - name: tierce
- name: backup
groups: []
acme_email: it@pirateparty.be acme_email: it@pirateparty.be

View File

@ -11,7 +11,8 @@ borgmatic_config:
- "{{ mastodon_home }}/elasticsearch" - "{{ mastodon_home }}/elasticsearch"
- "{{ mastodon_home }}/redis" - "{{ mastodon_home }}/redis"
storage: storage:
encryption_passphrase: "{{ borg_passphrase }}" umask: "{{ borg_umask }}"
encryption_passphrase: "{{ vault_borg_passphrase }}"
compression: zlib,7 compression: zlib,7
retention: retention:
keep_hourly: 24 keep_hourly: 24

View File

@ -6,7 +6,8 @@ borgmatic_config:
repositories: repositories:
- "{{ borg_repository }}" - "{{ borg_repository }}"
storage: storage:
encryption_passphrase: "{{ borg_passphrase }}" umask: "{{ borg_umask }}"
encryption_passphrase: "{{ vault_borg_passphrase }}"
compression: zlib,7 compression: zlib,7
retention: retention:
keep_hourly: 24 keep_hourly: 24

View File

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcLrF84oKOGw5zahiEbmugh5BYhsnFwJSEX+EAVZcwj root@batato.be

View File

@ -18,15 +18,16 @@ user_default_groups:
openssh_port: "22" openssh_port: "22"
backup_owner: backup backup_owner: backup-sync
backup_group: "{{ backup_owner }}" backup_group: "{{ backup_owner }}"
backup_chroot_dir: /mnt/backup
storage_box_enabled: no storage_box_enabled: no
storage_box_host: storage.example.com storage_box_host: storage.example.com
storage_box_port: 23 storage_box_port: 23
storage_box_path: /home/backup storage_box_path: /home/backup
storage_box_mount: storage_box_mount:
path: "/mnt/backup" path: "{{ backup_chroot_dir }}"
owner: "{{ backup_owner }}" owner: "{{ backup_owner }}"
group: "{{ backup_group }}" group: "{{ backup_group }}"
options: [rw,default_permissions] options: [rw,default_permissions]
@ -34,14 +35,14 @@ storage_box_username: u123456-sub1
storage_box_password: somesecret storage_box_password: somesecret
borg_encryption_mode: keyfile borg_encryption_mode: keyfile
borg_passphrase: "{{ vault_borg_passphrase }}"
borg_repository: |- borg_repository: |-
{%- if storage_box_enabled -%} {%- if storage_box_enabled -%}
{{ storage_box_host }}:{{ storage_box_path }}/borg {{ storage_box_host }}:{{ storage_box_path }}/borg
{%- else -%} {%- else -%}
{{ storage_box_mount.path }}/borg {{ backup_chroot_dir }}/borg
{%- endif -%} {%- endif -%}
borgmatic_config_dir: /etc/borgmatic
borgmatic_config: borgmatic_config:
location: location:
source_directories: source_directories:
@ -69,7 +70,8 @@ borgmatic_config:
- /var/snap - /var/snap
exclude_caches: true exclude_caches: true
storage: storage:
encryption_passphrase: "{{ borg_passphrase }}" umask: "{{ borg_umask }}"
encryption_passphrase: "{{ vault_borg_passphrase }}"
compression: zlib,7 compression: zlib,7
retention: retention:
keep_hourly: 24 keep_hourly: 24

View File

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM210TheGfg4/YnQxbopJ41Q2ADv3uPViWtv8+4MoAAy ppbe@vagrant

View File

@ -0,0 +1,17 @@
borgmatic_config:
location:
source_directories:
- /home
- /root
repositories:
- "{{ borg_repository }}"
exclude_caches: true
storage:
umask: "{{ borg_umask }}"
encryption_passphrase: "{{ vault_borg_passphrase }}"
compression: zlib,7
retention:
keep_hourly: 24
keep_daily: 7
keep_weekly: 4
keep_monthly: 6

View File

@ -1,34 +1,27 @@
# 1. Backup incrémental tous les jours vers la storage box: # 1. Backup incrémental tous les jours vers la storage box:
# 1. Dans /mnt/backups, accessible en ro pour l'user system "backup" # 1. Dans /mnt/backups, accessible en ro pour l'user "backup-sync"
# -> un seul backup host = celui de la storage box en sftp (pourrait être autre chose à terme) # -> un seul backup repository = celui de la storage box en sftp (ou via le point de montage en sshfs)
# -> via autofs + sshfs (permet de libérer la connexion en dehors de la phase de backups) # -> via autofs + sshfs (permet de libérer la connexion en dehors de la phase de backups)
# 2. Chiffrement avec clé symétrique. La clé n'est connue que par l'host. # 2. Chiffrement avec clé symétrique. La clé n'est connue que par l'host
# -> Stocker la clé dans un lieu sûr
# 2. D'autres machines se connectent pour récupérer les backups (rsync): # 2. D'autres machines se connectent pour récupérer les backups (rsync):
# 1. En sftp chrooté via l'user system "backup" # 1. En sftp chrooté via l'user "backup-sync"
# 2. Donner accès SSH pour ces machines à l'user system "backup" # 2. Donner accès SSH pour ces machines à l'user "backup-sync"
# Note: L'user "backup" est déjà utilisé par Ubuntu, donc ne pas l'utiliser pour éviter des conflits (mauvais home, etc.)
- name: Create SSH directory - include_tasks: user.yml
vars:
user:
name: "{{ backup_owner }}"
groups: []
- name: Ensure backup directory is read-only for backup user
file: file:
path: "{{ ssh_config_dir }}" path: "{{ backup_chroot_dir }}"
state: directory state: directory
mode: "700" owner: root
group: root
- name: Create SSH config file mode: "og=rx"
file:
path: "{{ ssh_config_dir }}/config"
state: touch
access_time: preserve
modification_time: preserve
mode: "600"
- name: Create backup user
user:
name: "{{ backup_owner }}"
shell: /bin/bash
# See https://unix.stackexchange.com/questions/193066/how-to-unlock-account-for-public-key-ssh-authorization-but-not-for-password-aut/193131#193131
password: '*'
state: present
update_password: always
- name: Include Storage Box backup tasks - name: Include Storage Box backup tasks
import_tasks: backup_storage_box.yml import_tasks: backup_storage_box.yml

View File

@ -7,25 +7,25 @@
loop_var: borg_package loop_var: borg_package
- name: Initialize Borg repository - name: Initialize Borg repository
command: borg init --make-parent-dirs -e "{{ borg_encryption_mode }}" "{{ borg_repository }}" command: borg init --make-parent-dirs --umask "{{ borgmatic_config.storage.umask }}" -e "{{ borg_encryption_mode }}" "{{ borg_repository }}"
environment: environment:
BORG_PASSPHRASE: "{{ borg_passphrase }}" BORG_PASSPHRASE: "{{ borgmatic_config.storage.encryption_passphrase }}"
changed_when: "'A repository already exists' not in _borg_backup_init.stderr" changed_when: "'A repository already exists' not in _borg_backup_init.stderr"
failed_when: _borg_backup_init.rc >= 2 and 'A repository already exists' not in _borg_backup_init.stderr failed_when: _borg_backup_init.rc >= 2 and 'A repository already exists' not in _borg_backup_init.stderr
register: _borg_backup_init register: _borg_backup_init
- name: Create Borgmatic config directory - name: Create Borgmatic config directory
file: file:
path: /etc/borgmatic path: "{{ borgmatic_config_dir }}"
state: directory state: directory
owner: root owner: root
group: root group: root
mode: "755" mode: "755"
- name: Copy Borgmatic config file - name: Copy Borgmatic config files
copy: copy:
content: "{{ borgmatic_config | to_nice_yaml(indent=2) }}" content: "{{ borgmatic_config | to_nice_yaml(indent=2) }}"
dest: /etc/borgmatic/config.yaml dest: "{{ borgmatic_config_dir }}/config.yaml"
owner: root owner: root
group: root group: root
mode: "600" mode: "600"

View File

@ -6,11 +6,25 @@
loop_control: loop_control:
loop_var: storage_box_package loop_var: storage_box_package
- name: Create SSH directory
file:
path: "{{ ssh_config_dir }}"
state: directory
mode: "700"
- name: Generate SSH key pair for storage box {{ storage_box_host }} - name: Generate SSH key pair for storage box {{ storage_box_host }}
openssh_keypair: openssh_keypair:
path: "{{ ssh_config_dir }}/{{ storage_box_prefix }}" path: "{{ ssh_config_dir }}/{{ storage_box_prefix }}"
type: ed25519 type: ed25519
- name: Create SSH config file
file:
path: "{{ ssh_config_dir }}/config"
state: touch
access_time: preserve
modification_time: preserve
mode: "600"
- name: Update SSH config file for storage box {{ storage_box_host }} - name: Update SSH config file for storage box {{ storage_box_host }}
blockinfile: blockinfile:
path: "{{ ssh_config_dir }}/config" path: "{{ ssh_config_dir }}/config"

View File

@ -8,7 +8,7 @@
owner: "0" owner: "0"
group: "0" group: "0"
mode: "0644" mode: "0644"
validate: '/usr/sbin/sshd -T -f %s' validate: '/usr/sbin/sshd -T -C user=root -C host=localhost -C addr=localhost -f %s'
notify: restart openssh notify: restart openssh
- name: Trigger OpenSSH handlers - name: Trigger OpenSSH handlers

View File

@ -14,4 +14,10 @@ PrintMotd no
AcceptEnv LANG LC_* AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server Subsystem sftp internal-sftp
Match Group {{ backup_owner }}
X11Forwarding no
AllowTcpForwarding no
ChrootDirectory {{ backup_chroot_dir }}
ForceCommand internal-sftp