From d0682b2f4eb34e92481e8597d9e6957aaf16277c Mon Sep 17 00:00:00 2001
From: Frank Dornheim <524257+conloos@users.noreply.github.com>
Date: Sun, 19 Mar 2023 11:30:48 +0100
Subject: [PATCH] - add hint to using a service user - renamed: borg_ssh_key_file to borg_ssh_key_file_path - removed advanced example

---
 README.md | 122 ++++-------------------------------------------------
 1 file changed, 8 insertions(+), 114 deletions(-)

diff --git a/README.md b/README.md
index a156ad3..1cb92c9 100644
--- a/README.md
+++ b/README.md
@@ -41,6 +41,9 @@ Main features:
 ```
 ## Example Playbook with service user
 
+`` Attention: `` The following implementation leads to problems.
+If you already use this role and use the user: "root" or the SSH key id_ed25519!
+
 ```
 - hosts: webservers
   roles:
@@ -48,8 +51,8 @@ Main features:
     borg_encryption_passphrase: CHANGEME
     borg_repository: m5vz9gp4@m5vz9gp4.repo.borgbase.com:repo
     borgmatic_timer: systemd
-    borg_ssh_key_file: "{{ backup_user_info.home }}/.ssh/backup"
-    borg_ssh_command: "ssh -i {{ borg_ssh_key_file }} -o StrictHostKeyChecking=no"
+    borg_ssh_key_file_path: "{{ backup_user_info.home }}/.ssh/backup"
+    borg_ssh_command: "ssh -i {{ borg_ssh_key_file_path }} -o StrictHostKeyChecking=no"
     borgbackup_user: "srv_backup"
     borgbackup_group: "srv_backup"
     borg_source_directories:
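Review bot: The renamed example on the `+    borg_ssh_command:` line still tells readers to run with `-o StrictHostKeyChecking=no`, which accepts any host key for the backup target and leaves the repository connection open to a man-in-the-middle on the first connect and on every later key change. Since this block is the copy-paste example for the service-user setup, it should pin the host instead, e.g. `borg_ssh_command: "ssh -i {{ borg_ssh_key_file_path }} -o StrictHostKeyChecking=yes -o UserKnownHostsFile={{ backup_user_info.home }}/.ssh/known_hosts"`, with a sentence telling the reader to seed the service user's `known_hosts` (for example with `ansible.builtin.known_hosts`) before the first run. The new `Attention` lines above are also hard to act on because they do not say what the problem is; from the `id_ed25519` default documented further down in this patch it looks like the role may now pick up or overwrite an existing `~/.ssh/id_ed25519` of the `root` user, so the note should state that explicitly and tell existing users to set `borg_ssh_key_name` to their previous key name — to be confirmed against the role's tasks.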
@@ -71,116 +74,6 @@ Main features:
     port: 5433
 ```
-## Fullautomated Playbook with service user
-> this has sudo power
-```
-- name: Configure backup
-  hosts: test.lab
-  pre_tasks:
-    - name: Get home of {{ borgbackup_user }}
-      ansible.builtin.user:
-        name: "{{ borgbackup_user }}"
-        state: present
-      register: user_info
-      changed_when: false
-      check_mode: true # Important, otherwise user will be created
-
-    - name: Save the user_info, we need them for the home_dir
-      ansible.builtin.set_fact:
-        backup_user_info: "{{ user_info }}"
-  vars_files: []
-  vars:
-    borg_encryption_passphrase: "CHANGEME"
-    borg_repository: "USER@TARGET_SERVER:/PATH/TO/BACKUP"
-    borgbackup_user: "srv_backup"
-    borgbackup_group: "srv_backup"
-    borg_repository: "{{ vault_borg.backup_user }}@{{ backup_server }}:{{ backup_path }}/{{ ansible_host }}"
-    borg_ssh_key_file: "{{ backup_user_info.home }}/.ssh/backup"
-    borg_ssh_command: "ssh -i {{ borg_ssh_key_file }} -o StrictHostKeyChecking=no"
-    borgmatic_timer: systemd
-    borg_source_directories:
-      - /srv/www
-      - /var/lib/automysqlbackup
-    borg_exclude_patterns:
-      - /srv/www/old-sites
-    borg_retention_policy:
-      keep_hourly: 3
-      keep_daily: 7
-      keep_weekly: 4
-      keep_monthly: 6
-    borgmatic_hooks:
-      before_backup:
-        - echo "`date` - Starting backup."
-  tasks:
-    - name: Configure Borg Backup and Backupmatic
-      tags:
-        - always
-        - install_backup
-      ansible.builtin.include_role:
-        name: ansible_role_borgbackup
-        apply:
-          tags:
-            - always
-
-
-    - name: Copy SSH-Key to Target {{ borg_repository }} and Init Repo
-      tags:
-        - never
-        - backup_init_repo
-      block:
-        - name: Read ssh key
-          ansible.builtin.slurp:
-            src: "{{ backup_user_info.home }}/.ssh/backup.pub"
-          register: backup_local_ssh_key
-
-        - name: Set authorized key taken from file
-          ansible.posix.authorized_key:
-            # example:
-            # borg_repository: m5vz9gp4@m5vz9gp4.repo.borgbase.com:repo
-            # have three parts: "username"@"FQDN":"path/to/store/backup", specific:
-            # a) user: m5vz9gp4
-            # b) fqdn: m5vz9gp4.repo.borgbase.co
-            # c) dir: repo
-            user: "{{ borg_repository | regex_search('(.*)@', '\\1') | first }}" # part a)
-            state: present
-            key: "{{ backup_local_ssh_key['content'] | b64decode }}"
-          delegate_to: "{{ borg_repository | regex_search('@(.*):', '\\1') | first }}" # part b)
-
-        - name: Init repository
-          ansible.builtin.command:
-            cmd: "su - {{ borgbackup_user }} -c '/usr/local/bin/borgmatic rcreate --encryption keyfile --append-only'"
-
-    - name: Activate systemd service and timer
-      when:
-        - borgmatic_timer is defined and borgmatic_timer == "systemd"
-      tags:
-        - never
-        - backup_init_repo
-      block:
-        - name: Populate service facts
-          ansible.builtin.service_facts:
-
-        - name: Start borgmatic services
-          ansible.builtin.systemd:
-            name: "{{ item }}"
-            state: started
-            enabled: true
-            masked: false
-            daemon_reload: true
-          when: "item in services"
-          with_items:
-            - borgmatic.service
-
-        # bug: Need own section without masked else the timer are skipped
-        - name: Start borgmatic timers
-          ansible.builtin.systemd:
-            name: "{{ item }}"
-            state: started
-            enabled: true
-            daemon_reload: true
-          with_items:
-            - "borgmatic.timer"
-```
-
 ## Installation
@@ -230,9 +123,10 @@ $ ANSIBLE_STDOUT_CALLBACK=yaml ansible-playbook test.example.com -t backup_insta
 - `borg_remote_rate_limit`: Remote network upload rate limit in kiBytes/second.
 - `borg_retention_policy`: Retention policy for how many backups to keep in each category (daily, weekly, monthly, etc).
 - `borg_source_directories`: List of local folders to back up. Default is `/etc/hostname` to prevent an empty backup.
-- `borg_ssh_key_file`: SSH-key to be used. Default `~/.ssh/backup`
+- `borg_ssh_key_name`: Name of the SSH public and pivate key. Default `id_ed25519`
+- `borg_ssh_key_file_path`: SSH-key to be used. Default `~/.ssh/{{ borg_ssh_key_name }}`
+- `borg_ssh_key_type`: The algorithm used to generate the SSH private key. Choose: `rsa`, `dsa`, `rsa1`, `ecdsa`, `ed25519`. Default: `ed25519`
 - `borg_ssh_command`: Command to use instead of just "ssh". This can be used to specify ssh options.
-- `borg_ssh_key_type`: The algorithm used to generate the SSH private key. Choose: `rsa`, `dsa`, `rsa1`, `ecdsa`, `ed25519`. Default: `rsa`
 - `borg_version`: Force a specific borg version to be installed
 - `borg_venv_path`: Path to store the venv for `borg(backup)` and `borgmatic`