add example for service account

2025-05-20 01:15:09 +02:00 · 2023-03-10 18:31:30 +01:00 · 2023-03-10 18:31:30 +01:00 · 3a80957fe8
commit 3a80957fe8
parent 2e8fc5e266
10 changed files with 55 additions and 240 deletions
--- a/README.md
+++ b/README.md
@ -12,7 +12,7 @@ Main features:
 - Provision new remote [BorgBase.com](https://www.borgbase.com) repo for storing backups (optional)
-## Example Playbook
+## Example Playbook with root as backup user
 ```
 - hosts: webservers
@ -40,6 +40,37 @@ Main features:
        port: 5433
 ```
 ## Example Playbook with service user
 ```
 - hosts: webservers
  roles:
  - role: m3nu.ansible_role_borgbackup
    borg_encryption_passphrase: CHANGEME
    borg_repository: m5vz9gp4@m5vz9gp4.repo.borgbase.com:repo
    borgmatic_timer: systemd
    backup_ssh_key_file: "{{ backup_user_info.home }}/.ssh/id_rsa"
    backup_ssh_command: "ssh -i {{ backup_ssh_key_file }} -o StrictHostKeyChecking=no"
    borgmatic_timer: systemd
    borgbackup_user: "srv_backup"
    borgbackup_group: "srv_backup"
    borg_source_directories:
      - /srv/www
      - /var/lib/automysqlbackup
    borg_exclude_patterns:
      - /srv/www/old-sites
    borg_retention_policy:
      keep_hourly: 3
      keep_daily: 7
      keep_weekly: 4
      keep_monthly: 6
    borgmatic_hooks:
      before_backup:
      - echo "`date` - Starting backup."
      postgresql_databases:
      - name: users
        hostname: database1.example.org
        port: 5433
 ```
 ## Installation
--- a/tasks/02_create_backup_user_and_group.yml
+++ b/tasks/02_create_backup_user_and_group.yml
@ -1,37 +0,0 @@
 ---
 - name: Setup backup environment
  tags:
    - install_backup
  when:
    - install_backup is not defined or install_backup
    - backup_create_local_user is not defined or backup_create_local_user
  block:
    - name: Add local backup group
      ansible.builtin.group:
        name: "{{ borgbackup_group }}"
        state: present
    - name: Add local backup user
      ansible.builtin.user:
        name: "{{ borgbackup_user }}"
        shell: "/bin/bash"
        groups: "{{ borgbackup_group }}"
        comment: "Backup User Account"
        append: true
    - name: Add sudo users
      community.general.sudoers:
        name: "backup"
        state: present
        user: "{{ borgbackup_user }}"
        nopassword: true
        commands: 
          - "/opt/borgmatic/bin/borg"
          - "/usr/local/bin/borgmatic -C -p -c /etc/borgmatic/{{ borgmatic_config_name }}"
          - "/usr/local/bin/borgmatic -k -c /etc/borgmatic/{{ borgmatic_config_name }}"
          - "/usr/local/bin/borgmatic -c /etc/borgmatic/{{ borgmatic_config_name }}"
    - name: Install Links to borg and borgmatic
      ansible.builtin.include_tasks:
        file: noauto_create_links_and_install_helperscripts.yml
 ...
--- a/tasks/02_create_key.yml
+++ b/tasks/02_create_key.yml
@ -1,69 +0,0 @@
 ---
 - name: Create ssh-key (if neeeded) for {{ borgbackup_user }} 
  when: 
    - install_backup is not defined or install_backup
    - backup_id_rsa is not defined or backup_id_rsa | length == 0
  tags:
    - install_backup
  block:
    - name: Ensire directory exist
      ansible.builtin.file:
        path: "/home/{{ borgbackup_user }}/.ssh/"
        state: directory
        mode: "0700"
        owner: "{{ borgbackup_user }}"
        group: "{{ borgbackup_group }}"
    - name: Generate an OpenSSH keypair with the default values (4096 bits, rsa)
      community.crypto.openssh_keypair:
        path: "/home/{{ borgbackup_user }}/.ssh/id_rsa"
        mode: "0600"
        owner: "{{ borgbackup_user }}"
        group: "{{ borgbackup_group }}"
    - name: Set key permission
      ansible.builtin.file:
        path: "/home/{{ borgbackup_user }}/.ssh/id_rsa.pub"
        mode: "0644"
        owner: "{{ borgbackup_user }}"
        group: "{{ borgbackup_group }}"
    - name: Read ssh key
      ansible.builtin.slurp:
        src: "/home/{{ borgbackup_user }}/.ssh/id_rsa.pub"
      register: backup_local_ssh_key
    - name: Set authorized key taken from file
      ansible.posix.authorized_key:
        user: "{{ backup_repository | regex_search('(.*)@', '\\1') | first }}"
        state: present
        key: "{{ backup_local_ssh_key['content'] | b64decode }}"
      # This is a bit tricky, the string backup_repository consists of three parts: 
      # "username"@"FQDN":"path/to/store/backup".
      # With the regex we use the FQDN part to store the ssh-key on the target system.
      delegate_to: "{{ backup_repository | regex_search('@(.*):', '\\1') | first }}"
 - name: Install ssh cert and key
  when:
    - install_backup is not defined or install_backup
    - backup_id_rsa is defined and backup_id_rsa | length > 0
    - backup_id_rsa_pub is defined and backup_id_rsa_pub | length > 0
  tags:
    - install_backup
  block:
    - name: Copy existing id_rsa, not genereting one
      ansible.builtin.copy:
        content: "{{ backup_id_rsa }}"
        dest: "/home/{{ borgbackup_user }}/.ssh/id_rsa"
        mode: "0600"
        owner: "{{ borgbackup_user }}"
        group: "{{ borgbackup_group }}"
    - name: Copy existing id_rsa.pub, not genereting one
      ansible.builtin.copy:
        content: "{{ backup_id_rsa_pub }}"
        dest: "/home/{{ borgbackup_user }}/.ssh/id_rsa.pub"
        mode: "0644"
        owner: "{{ borgbackup_user }}"
        group: "{{ borgbackup_group }}"
 ...
--- a/tasks/02_user_management.yml
+++ b/tasks/02_user_management.yml
@ -1,20 +1,31 @@
 ---
 # So in different positions in that role we need the user home
 # Since we cannot be sure that this FSH is compatible we will determine it.
- name: Get home if borgbackup_user == "root"
+- name: Get home dir
-  when: borgbackup_user == "root"
+  when: 
-  ansible.builtin.user:
+    - borgbackup_user == "root"
-    name: "{{ borgbackup_user }}"
+    - install_backup is not defined or install_backup
-    state: present
+  tags:
-  register: user_info
+    - install_backup
-  changed_when: false
+  block:
-  check_mode: true  # Important, otherwise user will be created
+    - name: Get home if borgbackup_user == "root"
      ansible.builtin.user:
        name: "{{ borgbackup_user }}"
        state: present
      register: user_info
      changed_when: false
      check_mode: true  # Important, otherwise user will be created
- name: Save the user_info, we need them for the home_dir
+    - name: Save the user_info, we need them for the home_dir
-  ansible.builtin.set_fact:
+      ansible.builtin.set_fact:
-    backup_user_info: "{{ user_info }}"
+      backup_user_info: "{{ user_info }}"
 - name: Create User if borgbackup_user != "root"
  when: 
    - borgbackup_user == "root"
    - install_backup is not defined or install_backup
  tags:
    - install_backup
  ansible.builtin.include_tasks:
    file: noauto_create_backup_user_and_group.yml
 ...
--- a/tasks/03_configure.yml
+++ b/tasks/03_configure.yml
@ -1,23 +0,0 @@
 ---
 - name: Configure borgbackup
  when:
    - install_backup is not defined or install_backup
  tags:
    - install_backup
  block:
    - name: Ensure /etc/borgmatic exists
      ansible.builtin.file:
        path: /etc/borgmatic
        state: directory
        mode: "0700"
        owner: "{{ borgbackup_user }}"
        group: "{{ borgbackup_group }}"
    - name: Add Borgmatic configuration
      ansible.builtin.template:
        src: config.yaml.j2
        dest: "/etc/borgmatic/{{ borgmatic_config_name }}"
        mode: "0600"
        owner: "{{ borgbackup_user }}"
        group: "{{ borgbackup_group }}"
 ...
--- a/tasks/03_create_links_to_borg_and_borgmatic.yml
+++ b/tasks/03_create_links_to_borg_and_borgmatic.yml
@ -1,33 +0,0 @@
 ---
 - name: Create borgmatic command in /usr/local/bin
  ansible.builtin.copy:
    content: |
      #!/bin/bash
      . "{{ borg_venv_path }}"/bin/activate
      borgmatic "$@"
    dest: /usr/local/bin/borgmatic
    mode: "0755"
    owner: "{{ borgbackup_user }}"
    group: "{{ borgbackup_group }}"
 - name: Create borg command in /usr/local/bin
  ansible.builtin.copy:
    content: |
      #!/bin/bash
      . "{{ borg_venv_path }}"/bin/activate
      borg "$@"
    dest: /usr/local/bin/borg
    mode: "0755"
    owner: "{{ borgbackup_user }}"
    group: "{{ borgbackup_group }}"
 - name: Install helper scripts
  ansible.builtin.copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    owner: "{{ item.owner }}"
    group: "{{ item.group }}"
    mode: "{{ item.mode }}"
  with_items:
    - { src: "docker.sh", dest: "/usr/local/bin/docker.sh", owner: "{{ borgbackup_user }}", group: "{{ borgbackup_group }}", mode: "0770" }
 ...
--- a/tasks/04_init_borg_repo.yml
+++ b/tasks/04_init_borg_repo.yml
@ -1,10 +0,0 @@
 ---
 - name: Init repository
  when:
    - install_backup is not defined or install_backup
    - borgmatic_initialization_repo is not defined or borgmatic_initialization_repo
  tags:
    - install_backup
  ansible.builtin.command:
    cmd: "su - {{ borgbackup_user }} -c '/usr/local/bin/borgmatic rcreate --encryption keyfile --append-only'"
 ...
--- a/tasks/05_install_timer.yml
+++ b/tasks/05_install_timer.yml
@ -1,22 +0,0 @@
 ---
 - name: Create borgbackup timer
  when:
    - install_backup is not defined or install_backup
    - borgmatic_timer is defined and borgmatic_timer == "systemd"
  tags:
    - install_backup
  block:
    - name: Timer Systemd
      ansible.builtin.include_tasks:
        file: noauto_create_timer.yml
 - name: Create borgbackup cron
  when:
    - install_backup is not defined or install_backup
    - borgmatic_timer is defined or not borgmatic_timer == "systemd"
  tags:
    - install_backup
  block:
    - name: Install cron backup job
      ansible.builtin.include_tasks:
        file: noauto_create_cronjobs.yml
--- a/tasks/noauto_create_links_and_install_helperscripts.yml
+++ b/tasks/noauto_create_links_and_install_helperscripts.yml
@ -1,33 +0,0 @@
 ---
 - name: Create borgmatic command in /usr/local/bin
  ansible.builtin.copy:
    content: |
      #!/bin/bash
      . "{{ borg_venv_path }}"/bin/activate
      borgmatic "$@"
    dest: /usr/local/bin/borgmatic
    mode: "0755"
    owner: "{{ borgbackup_user }}"
    group: "{{ borgbackup_group }}"
 - name: Create borg command in /usr/local/bin
  ansible.builtin.copy:
    content: |
      #!/bin/bash
      . "{{ borg_venv_path }}"/bin/activate
      borg "$@"
    dest: /usr/local/bin/borg
    mode: "0755"
    owner: "{{ borgbackup_user }}"
    group: "{{ borgbackup_group }}"
 - name: Install helper scripts
  ansible.builtin.copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    owner: "{{ item.owner }}"
    group: "{{ item.group }}"
    mode: "{{ item.mode }}"
  with_items:
    - { src: "docker.sh", dest: "/usr/local/bin/docker.sh", owner: "{{ backup_owner }}", group: "{{ backup_group }}", mode: "0770" }
 ...
--- a/templates/config.yaml.j2
+++ b/templates/config.yaml.j2
@ -112,7 +112,7 @@ storage:
    # Path for Borg encryption key files. Defaults to
    # $borg_base_directory/.config/borg/keys
-    borg_keys_directory: /home/{{ borgbackup_user }}/.config/borg/keys
+    borg_keys_directory: {{ backup_user_info.home }}/.config/borg/keys
 # Retention policy for how many backups to keep in each category. See
 # https://borgbackup.readthedocs.org/en/stable/usage.html#borg-prune for details.