From 3a80957fe82bcb5c2e8d064248794413cc3b32dc Mon Sep 17 00:00:00 2001
From: Frank Dornheim <524257+conloos@users.noreply.github.com>
Date: Fri, 10 Mar 2023 18:31:30 +0100
Subject: [PATCH] add example for service account

---
 README.md | 33 ++++++++-
 tasks/02_create_backup_user_and_group.yml | 37 ----------
 tasks/02_create_key.yml | 69 -------------------
 tasks/02_user_management.yml | 33 ++++++---
 tasks/03_configure.yml | 23 -------
 .../03_create_links_to_borg_and_borgmatic.yml | 33 ---------
 tasks/04_init_borg_repo.yml | 10 ---
 tasks/05_install_timer.yml | 22 ------
 ...create_links_and_install_helperscripts.yml | 33 ---------
 templates/config.yaml.j2 | 2 +-
 10 files changed, 55 insertions(+), 240 deletions(-)
 delete mode 100644 tasks/02_create_backup_user_and_group.yml
 delete mode 100644 tasks/02_create_key.yml
 delete mode 100755 tasks/03_configure.yml
 delete mode 100644 tasks/03_create_links_to_borg_and_borgmatic.yml
 delete mode 100644 tasks/04_init_borg_repo.yml
 delete mode 100644 tasks/05_install_timer.yml
 delete mode 100644 tasks/noauto_create_links_and_install_helperscripts.yml

diff --git a/README.md b/README.md
index 70167f3..5612bd5 100644
--- a/README.md
+++ b/README.md
@@ -12,7 +12,7 @@ Main features:
 - Provision new remote [BorgBase.com](https://www.borgbase.com) repo for storing backups (optional)
-## Example Playbook
+## Example Playbook with root as backup user
 ```
 - hosts: webservers
@@ -40,6 +40,37 @@ Main features:
 port: 5433
 ```
+## Example Playbook with service user
+```
+- hosts: webservers
+ roles:
+ - role: m3nu.ansible_role_borgbackup
+ borg_encryption_passphrase: CHANGEME
+ borg_repository: m5vz9gp4@m5vz9gp4.repo.borgbase.com:repo
+ borgmatic_timer: systemd
+ backup_ssh_key_file: "{{ backup_user_info.home }}/.ssh/id_rsa"
+ backup_ssh_command: "ssh -i {{ backup_ssh_key_file }} -o StrictHostKeyChecking=no"
+ borgmatic_timer: systemd
+ borgbackup_user: "srv_backup"
+ borgbackup_group: "srv_backup"
+ borg_source_directories:
+ - /srv/www
+ - /var/lib/automysqlbackup
+ borg_exclude_patterns:
+ - /srv/www/old-sites
+ borg_retention_policy:
+ keep_hourly: 3
+ keep_daily: 7
+ keep_weekly: 4
+ keep_monthly: 6
+ borgmatic_hooks:
+ before_backup:
+ - echo "`date` - Starting backup."
+ postgresql_databases:
+ - name: users
+ hostname: database1.example.org
+ port: 5433
+```
 ## Installation
diff --git a/tasks/02_create_backup_user_and_group.yml b/tasks/02_create_backup_user_and_group.yml
deleted file mode 100644
index bb3ede3..0000000
--- a/tasks/02_create_backup_user_and_group.yml
+++ /dev/null
@@ -1,37 +0,0 @@ ---- -- name: Setup backup environment - tags: - - install_backup - when: - - install_backup is not defined or install_backup - - backup_create_local_user is not defined or backup_create_local_user - block: - - name: Add local backup group - ansible.builtin.group: - name: "{{ borgbackup_group }}" - state: present - - - name: Add local backup user - ansible.builtin.user: - name: "{{ borgbackup_user }}" - shell: "/bin/bash" - groups: "{{ borgbackup_group }}" - comment: "Backup User Account" - append: true - - - name: Add sudo users - community.general.sudoers: - name: "backup" - state: present - user: "{{ borgbackup_user }}" - nopassword: true - commands: - - "/opt/borgmatic/bin/borg" - - "/usr/local/bin/borgmatic -C -p -c /etc/borgmatic/{{ borgmatic_config_name }}" - - "/usr/local/bin/borgmatic -k -c /etc/borgmatic/{{ borgmatic_config_name }}" - - "/usr/local/bin/borgmatic -c /etc/borgmatic/{{ borgmatic_config_name }}" - - - name: Install Links to borg and borgmatic - ansible.builtin.include_tasks: - file: noauto_create_links_and_install_helperscripts.yml -... diff --git a/tasks/02_create_key.yml b/tasks/02_create_key.yml deleted file mode 100644 index 0970cdf..0000000 --- a/tasks/02_create_key.yml +++ /dev/null 
@@ -1,69 +0,0 @@ ---- -- name: Create ssh-key (if neeeded) for {{ borgbackup_user }} - when: - - install_backup is not defined or install_backup - - backup_id_rsa is not defined or backup_id_rsa | length == 0 - tags: - - install_backup - block: - - name: Ensire directory exist - ansible.builtin.file: - path: "/home/{{ borgbackup_user }}/.ssh/" - state: directory - mode: "0700" - owner: "{{ borgbackup_user }}" - group: "{{ borgbackup_group }}" - - - name: Generate an OpenSSH keypair with the default values (4096 bits, rsa) - community.crypto.openssh_keypair: - path: "/home/{{ borgbackup_user }}/.ssh/id_rsa" - mode: "0600" - owner: "{{ borgbackup_user }}" - group: "{{ borgbackup_group }}" - - - name: Set key permission - ansible.builtin.file: - path: "/home/{{ borgbackup_user }}/.ssh/id_rsa.pub" - mode: "0644" - owner: "{{ borgbackup_user }}" - group: "{{ borgbackup_group }}" - - - name: Read ssh key - ansible.builtin.slurp: - src: "/home/{{ borgbackup_user }}/.ssh/id_rsa.pub" - register: backup_local_ssh_key - - - name: Set authorized key taken from file - ansible.posix.authorized_key: - user: "{{ backup_repository | regex_search('(.*)@', '\\1') | first }}" - state: present - key: "{{ backup_local_ssh_key['content'] | b64decode }}" - # This is a bit tricky, the string backup_repository consists of three parts: - # "username"@"FQDN":"path/to/store/backup". - # With the regex we use the FQDN part to store the ssh-key on the target system. 
- delegate_to: "{{ backup_repository | regex_search('@(.*):', '\\1') | first }}" - -- name: Install ssh cert and key - when: - - install_backup is not defined or install_backup - - backup_id_rsa is defined and backup_id_rsa | length > 0 - - backup_id_rsa_pub is defined and backup_id_rsa_pub | length > 0 - tags: - - install_backup - block: - - name: Copy existing id_rsa, not genereting one - ansible.builtin.copy: - content: "{{ backup_id_rsa }}" - dest: "/home/{{ borgbackup_user }}/.ssh/id_rsa" - mode: "0600" - owner: "{{ borgbackup_user }}" - group: "{{ borgbackup_group }}" - - - name: Copy existing id_rsa.pub, not genereting one - ansible.builtin.copy: - content: "{{ backup_id_rsa_pub }}" - dest: "/home/{{ borgbackup_user }}/.ssh/id_rsa.pub" - mode: "0644" - owner: "{{ borgbackup_user }}" - group: "{{ borgbackup_group }}" -... diff --git a/tasks/02_user_management.yml b/tasks/02_user_management.yml index c3679fd..d439d41 100644 --- a/tasks/02_user_management.yml +++ b/tasks/02_user_management.yml 
@@ -1,20 +1,31 @@
 ---
 # So in different positions in that role we need the user home
 # Since we cannot be sure that this FSH is compatible we will determine it.
-- name: Get home if borgbackup_user == "root"
- when: borgbackup_user == "root"
- ansible.builtin.user:
- name: "{{ borgbackup_user }}"
- state: present
- register: user_info
- changed_when: false
- check_mode: true # Important, otherwise user will be created
+- name: Get home dir
+ when:
+ - borgbackup_user == "root"
+ - install_backup is not defined or install_backup
+ tags:
+ - install_backup
+ block:
+ - name: Get home if borgbackup_user == "root"
+ ansible.builtin.user:
+ name: "{{ borgbackup_user }}"
+ state: present
+ register: user_info
+ changed_when: false
+ check_mode: true # Important, otherwise user will be created
-- name: Save the user_info, we need them for the home_dir
- ansible.builtin.set_fact:
- backup_user_info: "{{ user_info }}"
+ - name: Save the user_info, we need them for the home_dir
+ ansible.builtin.set_fact:
+ backup_user_info: "{{ user_info }}"
 - name: Create User if borgbackup_user != "root"
+ when:
+ - borgbackup_user == "root"
+ - install_backup is not defined or install_backup
+ tags:
+ - install_backup
 ansible.builtin.include_tasks:
 file: noauto_create_backup_user_and_group.yml
 ...
diff --git a/tasks/03_configure.yml b/tasks/03_configure.yml
deleted file mode 100755
index f81d0b7..0000000
--- a/tasks/03_configure.yml
+++ /dev/null
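Review bot: The new `when` on the task `Create User if borgbackup_user != "root"` tests `borgbackup_user == "root"`, the opposite of what the task name states, so a service account such as the `srv_backup` in the new README example is never created while a root run would include the user-creation file for "root"; change the condition to `- borgbackup_user != "root"`. The home-directory lookup block above is gated on the same `borgbackup_user == "root"` test, so for a non-root user `backup_user_info` stays undefined unless noauto_create_backup_user_and_group.yml (not part of this patch) sets it, yet templates/config.yaml.j2 and the README example both read `backup_user_info.home`. Running the check-mode `ansible.builtin.user` lookup after the include, without the root condition, would serve both cases from one code path. Adding a comment on the include such as `# must set backup_user_info.home for the non-root case` would make that dependency visible to the next reader.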
@@ -1,23 +0,0 @@ ---- -- name: Configure borgbackup - when: - - install_backup is not defined or install_backup - tags: - - install_backup - block: - - name: Ensure /etc/borgmatic exists - ansible.builtin.file: - path: /etc/borgmatic - state: directory - mode: "0700" - owner: "{{ borgbackup_user }}" - group: "{{ borgbackup_group }}" - - - name: Add Borgmatic configuration - ansible.builtin.template: - src: config.yaml.j2 - dest: "/etc/borgmatic/{{ borgmatic_config_name }}" - mode: "0600" - owner: "{{ borgbackup_user }}" - group: "{{ borgbackup_group }}" -... diff --git a/tasks/03_create_links_to_borg_and_borgmatic.yml b/tasks/03_create_links_to_borg_and_borgmatic.yml deleted file mode 100644 index 8710479..0000000 --- a/tasks/03_create_links_to_borg_and_borgmatic.yml +++ /dev/null @@ -1,33 +0,0 @@ ---- -- name: Create borgmatic command in /usr/local/bin - ansible.builtin.copy: - content: | - #!/bin/bash - . "{{ borg_venv_path }}"/bin/activate - borgmatic "$@" - dest: /usr/local/bin/borgmatic - mode: "0755" - owner: "{{ borgbackup_user }}" - group: "{{ borgbackup_group }}" - -- name: Create borg command in /usr/local/bin - ansible.builtin.copy: - content: | - #!/bin/bash - . "{{ borg_venv_path }}"/bin/activate - borg "$@" - dest: /usr/local/bin/borg - mode: "0755" - owner: "{{ borgbackup_user }}" - group: "{{ borgbackup_group }}" - -- name: Install helper scripts - ansible.builtin.copy: - src: "{{ item.src }}" - dest: "{{ item.dest }}" - owner: "{{ item.owner }}" - group: "{{ item.group }}" - mode: "{{ item.mode }}" - with_items: - - { src: "docker.sh", dest: "/usr/local/bin/docker.sh", owner: "{{ borgbackup_user }}", group: "{{ borgbackup_group }}", mode: "0770" } -... diff --git a/tasks/04_init_borg_repo.yml b/tasks/04_init_borg_repo.yml deleted file mode 100644 index a1b2bda..0000000 --- a/tasks/04_init_borg_repo.yml +++ /dev/null 
@@ -1,10 +0,0 @@ ---- -- name: Init repository - when: - - install_backup is not defined or install_backup - - borgmatic_initialization_repo is not defined or borgmatic_initialization_repo - tags: - - install_backup - ansible.builtin.command: - cmd: "su - {{ borgbackup_user }} -c '/usr/local/bin/borgmatic rcreate --encryption keyfile --append-only'" -... diff --git a/tasks/05_install_timer.yml b/tasks/05_install_timer.yml deleted file mode 100644 index 6a9115c..0000000 --- a/tasks/05_install_timer.yml +++ /dev/null @@ -1,22 +0,0 @@ ---- -- name: Create borgbackup timer - when: - - install_backup is not defined or install_backup - - borgmatic_timer is defined and borgmatic_timer == "systemd" - tags: - - install_backup - block: - - name: Timer Systemd - ansible.builtin.include_tasks: - file: noauto_create_timer.yml - -- name: Create borgbackup cron - when: - - install_backup is not defined or install_backup - - borgmatic_timer is defined or not borgmatic_timer == "systemd" - tags: - - install_backup - block: - - name: Install cron backup job - ansible.builtin.include_tasks: - file: noauto_create_cronjobs.yml diff --git a/tasks/noauto_create_links_and_install_helperscripts.yml b/tasks/noauto_create_links_and_install_helperscripts.yml deleted file mode 100644 index e03c398..0000000 --- a/tasks/noauto_create_links_and_install_helperscripts.yml +++ /dev/null 
@@ -1,33 +0,0 @@ ---- -- name: Create borgmatic command in /usr/local/bin - ansible.builtin.copy: - content: | - #!/bin/bash - . "{{ borg_venv_path }}"/bin/activate - borgmatic "$@" - dest: /usr/local/bin/borgmatic - mode: "0755" - owner: "{{ borgbackup_user }}" - group: "{{ borgbackup_group }}" - -- name: Create borg command in /usr/local/bin - ansible.builtin.copy: - content: | - #!/bin/bash - . "{{ borg_venv_path }}"/bin/activate - borg "$@" - dest: /usr/local/bin/borg - mode: "0755" - owner: "{{ borgbackup_user }}" - group: "{{ borgbackup_group }}" - -- name: Install helper scripts - ansible.builtin.copy: - src: "{{ item.src }}" - dest: "{{ item.dest }}" - owner: "{{ item.owner }}" - group: "{{ item.group }}" - mode: "{{ item.mode }}" - with_items: - - { src: "docker.sh", dest: "/usr/local/bin/docker.sh", owner: "{{ backup_owner }}", group: "{{ backup_group }}", mode: "0770" } -... diff --git a/templates/config.yaml.j2 b/templates/config.yaml.j2 index af17a5e..dd066e9 100644 --- a/templates/config.yaml.j2 +++ b/templates/config.yaml.j2 @@ -112,7 +112,7 @@ storage: # Path for Borg encryption key files. Defaults to # $borg_base_directory/.config/borg/keys - borg_keys_directory: /home/{{ borgbackup_user }}/.config/borg/keys + borg_keys_directory: {{ backup_user_info.home }}/.config/borg/keys # Retention policy for how many backups to keep in each category. See # https://borgbackup.readthedocs.org/en/stable/usage.html#borg-prune for details.
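Review bot: `borg_keys_directory` now renders `{{ backup_user_info.home }}`, but with the tasks/02_user_management.yml change in this same patch that fact is only set when `borgbackup_user` is "root", so for a service user the template either fails on an undefined variable or, if the included user-creation file sets it to something else, silently relocates the Borg encryption key directory. Because this path holds the repository keyfile, a wrong or empty value means the key is written to or looked up from the wrong home, so failing fast is preferable: `borg_keys_directory: {{ backup_user_info.home | mandatory }}/.config/borg/keys`. A one-line comment above the key stating that `backup_user_info` is produced by tasks/02_user_management.yml would also help whoever next touches this template.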