revert back to push backups

This commit is contained in:
Pim Kunis 2023-04-25 21:59:11 +02:00
parent 685db7b685
commit 063fbc56fd
14 changed files with 95 additions and 203 deletions


@ -1,10 +1,14 @@
borg_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBTag7YToG5W+H2kEUz40kOH+7cs0Lp3owFFKkmHBiWM root@max"
dataserver_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJsLVptkoOwmxs6DnenN8u7Q1Tm/Psh0QdI6vjrTgb6D root@lewis"
user_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBRBrKmIKP5BFhLSdntatIgSC0R/D9EEZlak5Yt0DfUe root@lewis"
kingston1tb_mount_point: "/mnt/kingston1TB" kingston1tb_mount_point: "/mnt/kingston1TB"
kingston1tb_uuid: "622a8d81-aa2f-460b-a563-c3cdb6285609" kingston1tb_uuid: "622a8d81-aa2f-460b-a563-c3cdb6285609"
backup_location: "{{ kingston1tb_mount_point }}/atlas_backup"
admin_public_keys: admin_public_keys:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINUZp4BCxf7uLa1QWonx/Crf8tYZ5MKIZ+EuaBa82LrV user@user-laptop" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINUZp4BCxf7uLa1QWonx/Crf8tYZ5MKIZ+EuaBa82LrV user@user-laptop"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOodpLr+FDRyKyHjucHizNLVFHZ5AQmE9GmxMnOsSoaw pimkunis@thinkpadpim" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOodpLr+FDRyKyHjucHizNLVFHZ5AQmE9GmxMnOsSoaw pimkunis@thinkpadpim"
hyp_user_ca_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHZreEhS/rMHfJB7IenEEfk38zCjmyce+X2AWxzU/N81 User Certificate Authority for *.hyp"
backup_hosts:
- atlas
apt_install_packages:
- borgbackup


@ -4,4 +4,4 @@ all:
hosts: hosts:
lewis: lewis:
ansible_user: root ansible_user: root
ansible_host: lewis.lan ansible_host: lewis.hyp


@ -1,6 +1,83 @@
- name: Setup homeserver - name: Setup homeserver
hosts: dataserver hosts: dataserver
handlers:
- name: restart sshd
systemd:
name: sshd
state: restarted
tasks:
- name: Copy backup user principals file
copy:
dest: /etc/ssh/backup_principals
content: hypervisor
- name: Copy hyp user SSH CA public key
copy:
dest: /etc/ssh/hyp_user.pub
content: "{{ hyp_user_ca_public_key }}"
- name: Copy user certificate sshd config
copy:
src: "sshd_user_certificates.conf"
dest: /etc/ssh/sshd_config.d/user_certificates.conf
notify: restart sshd
- name: Ensure backup directory exists
file:
path: "{{ kingston1tb_mount_point }}/hosts"
state: directory
- name: Create backup respositories
command:
cmd: "borg init -e none {{ kingston1tb_mount_point }}/hosts/{{ item }}"
creates: "{{ kingston1tb_mount_point }}/hosts/{{ item }}"
with_items: "{{ backup_hosts }}"
- name: Create extra disk moint point
file:
path: "{{ kingston1tb_mount_point }}"
state: directory
- name: Mount extra disk
ansible.posix.mount:
path: "{{ kingston1tb_mount_point }}"
src: "UUID={{ kingston1tb_uuid }}"
fstype: ext4
passno: 1
state: present
- name: Generate host key pair
openssh_keypair:
path: /etc/ssh/ssh_host_ed25519_key
type: ed25519
comment: "{{ ansible_host }}"
register: host_key
- name: Check whether host certificate exists
stat:
path: /etc/ssh/ssh_host_ed25519_key-cert.pub
register: cert_stat
- name: Generate SSH host certificate
command:
cmd: "ssh -o ConnectTimeout=3 -o ConnectionAttempts=1 root@atlas.hyp '/root/ssh_ca/ssh_ca.sh host hyp_host \"{{ host_key.public_key }}\" {{ ansible_host }}'"
register: host_certificate
delegate_to: localhost
when: not cert_stat.stat.exists
- name: Place host certificate
copy:
dest: /etc/ssh/ssh_host_ed25519_key-cert.pub
content: "{{ host_certificate.stdout }}"
mode: 0644
when: not cert_stat.stat.exists
- name: Enable host certificate
copy:
dest: /etc/ssh/sshd_config.d/sshd_host_certificate.conf
content: "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub"
roles: roles:
- {role: 'common', tags: 'common'} - apt
- {role: 'system', tags: 'system'}
- {role: 'borg', tags: 'borg'}
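Review bot: The "Ensure backup directory exists" and "Create backup respositories" tasks run before "Create extra disk moint point" and "Mount extra disk", so on a fresh host the `hosts/` tree and the `borg init` output land on the root filesystem underneath `{{ kingston1tb_mount_point }}`, and because the mount task uses `state: present` (fstab entry only, no mount) nothing in this play ever mounts the disk, so the repositories only get hidden by the real mount after a reboot. Move the two mount tasks ahead of "Ensure backup directory exists" and use `state: mounted` so the repositories are created on the data disk in the same run. Separately, `borg init -e none` fixes the repository mode at creation, and it is done here on the backup target rather than by the pushing client; if these repos are meant to be encrypted at rest, init has to happen from the client (where the key would live) with an encryption mode, since the mode cannot be changed afterwards. Minor style: `with_items` on the init task would be `loop` in current Ansible, and "respositories"/"moint" in the task names are typos.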

3
requirements.yml Normal file

@ -0,0 +1,3 @@
- name: apt
src: https://github.com/sunscrapers/ansible-role-apt.git
scm: git
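Review bot: The new `apt` role is pulled from a third-party GitHub repository with no `version:` key, so every `ansible-galaxy install` fetches whatever that repository's default branch currently holds and runs it as root on the managed hosts. Pin it to a reviewed release tag or, better, a full commit SHA of that repository by adding a `version:` line under `scm: git`, and bump it deliberately when you re-review the role.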


@ -1,10 +0,0 @@
[Unit]
Description=Backup data daily
[Timer]
OnCalendar=*-*-* 3:00:00
Persistent=true
RandomizedDelaySec=1h
[Install]
WantedBy=timers.target


@ -1,47 +0,0 @@
- name: Install borg
apt:
pkg:
- borgbackup
- borgmatic
- name: Copy borg backup config
template:
src: "{{ role_path }}/templates/backup.yml.j2"
dest: /root/backup.yml
- name: Copy systemd service
template:
src: "{{ role_path }}/templates/backup.service.j2"
dest: "/etc/systemd/system/backup.service"
register: service
- name: Copy systemd timer
copy:
src: "{{ role_path }}/files/backup.timer"
dest: "/etc/systemd/system/backup.timer"
register: timer
- name: Enable timer
systemd:
name: backup.timer
enabled: true
state: started
daemon_reload: "{{ 'yes' if service.changed or timer.changed else 'no' }}"
- name: Create extra disk moint point
file:
path: "{{ kingston1tb_mount_point }}"
state: directory
- name: Mount extra disk
ansible.posix.mount:
path: "{{kingston1tb_mount_point }}"
src: "UUID={{ kingston1tb_uuid }}"
fstype: ext4
passno: 1
state: present
- name: Install borg
apt:
name: borgbackup
- name: Add Borg public key
authorized_key:
key: "{{ borg_public_key }}"
user: "{{ ansible_user_id }}"
- name: Create Borg repository
command:
cmd: "borg init -e none {{ backup_location }}"
creates: "{{ backup_location }}"


@ -1,6 +0,0 @@
[Unit]
Description=Backup data using borgmatic
[Service]
ExecStart=/usr/bin/borgmatic --config /root/backup.yml
Type=oneshot


@ -1,14 +0,0 @@
location:
source_directories:
- /mnt/atlas
repositories:
- {{ backup_location }}
retention:
keep_daily: 7
keep_weekly: 4
keep_monthly: 6
hooks:
before_everything:
- echo down | ssh backup-control@atlas.lan
after_everything:
- echo up | ssh backup-control@atlas.lan


@ -1,7 +0,0 @@
- name: APT upgrade
apt:
autoremove: true
upgrade: yes
state: latest
update_cache: yes
cache_valid_time: 86400 # One day


@ -1,2 +0,0 @@
CertificateFile /etc/ssh/ssh_user_ed25519_key-cert.pub
IdentityFile /etc/ssh/ssh_user_ed25519_key


@ -1,25 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
38633038656332643033396338303864343332636434633331366266383235316235313236646361
6634313931303637616535373966316165656564366437330a393465356237626631303063363061
62323737343635316139636664663937333233323737376238656566633037613938383737306132
6237633230623962320a643433323532646261366532346234653332323336653162366433626465
31386461393535303730333865356364646137386634643630353831383039353763396536313439
30333335623364306166346232303862633636633066323062313531363234396362653232316261
36666132623030323332623334323632636639646239363032626364646334643461346662616366
39656266643937663531656137353031353130366238326535383261333539353439353566313537
38353632353039643530613766313033313063333331333733613939383731663262623766626266
64363061306166353633333634363332633461346538316661666364626639366132356434343631
61373432633863643237386435386633366161393934646562343261386335353638353033343932
62393633366163613064393966663830646237613265396462376238396639363566363865303861
36343666326632626166323430303137323236346137346131623636653236353061343633383437
61396534636166353038626162376335363137636164616631646261366332303135306237356432
61626261656332666536343039316333303431653931666233363366613166663266663130656633
39316363326532653665626136393135373863383234326638303466353930653038303433643536
30666237363230306634333162396562623034386232666465343631306433373764626634613635
63343965623163356536626162613863373033396565366361353538323933656165653932653937
34666538353139636366333765363733336134396566613134303530633666326165306131353535
33653133663166333964326330366530643730363861626261666366383334613661303762636663
34376531343732346630643466616638323537633665373333346162306361393836326533636630
61656335306337643930613662613832626530653630343566643661356666313331316438366538
37333166636639363838303665626137643731626338356662656338393335343239376635303633
35663237653238313133


@ -1,25 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
35346438336463383831313235653538373964643631303961373865643332623636383161333934
3531363564313239623935343032376535333962336336350a666439303639363735626562323530
39613366343331643331663434303531613230373934376537646665633630356462333932613537
3465383636323934300a343264636565623166646266313764643262343532376336333763363662
30623133303436373936323534366335663439626633313138366565303037323034613164646663
31366366346561623039633035373638636464626237353566376666643039626334633863626565
66356538326464363465623035396534663033646336393265326339346363376666396565346130
66313634373931323738613863653066313034373361646530666561633463626536633963613236
31616561316366633865383336363832663066343666356437616332376565326630316538663236
65383234643439633737336639306232383862366230316262353639313833393138643464393734
61313463323961623264386334666462623039663138326434643339633165393533386665393839
34643762643864316331343562366139343432313332356232386139663564323338633139363930
61346139346430643966346363393331616264396133613362393066363039303164623730356536
35313138613536626665393239663532663061636433316232393839323732393635316634376464
39313439656131643436393830356662383537353730373132346639366636613830616562613164
65623333663763653364616638663833333732356238303130626161653139646563633433353865
64346235616331363338303265396437623264353066646439643264646665343962373237376131
30326564623264336365653666616331616138356235323961323134373265646434643065666661
63616534333631323132663532623135393632333236613162623932316261316165616331396261
66383862303763313032653565323934303366313765326330303032353937386434656134336433
30616531323762343539666331336132313530316637393564643530303135366263633531393334
30346632383139333263326265356133316435636663613130626566333730623739653936366138
33663165616336363361323631643331346238333635623135623364663234366666393034663132
64616234633735636164


@ -1,59 +0,0 @@
- name: Install sshfs
apt:
name: sshfs
- name: Add admins' authorized keys
authorized_key:
key: "{{ item }}"
user: "{{ ansible_user_id }}"
loop: "{{ admin_public_keys }}"
- name: Copy host public key
copy:
dest: "/etc/ssh/ssh_host_ed25519_key.pub"
content: "{{ dataserver_public_key }}"
mode: 0644
- name: Copy host private key
copy:
src: "{{ role_path }}/files/ssh_host_ed25519_key"
dest: "/etc/ssh/ssh_host_ed25519_key"
mode: 0600
- name: Copy user public key
copy:
dest: "/etc/ssh/ssh_user_ed25519_key.pub"
content: "{{ user_public_key }}"
mode: 0644
- name: Copy user private key
copy:
src: "{{ role_path }}/files/ssh_user_ed25519_key"
dest: "/etc/ssh/ssh_user_ed25519_key"
mode: 0600
- name: Copy ssh config
copy:
src: "{{ role_path }}/files/ssh.conf"
dest: "/etc/ssh/ssh_config.d/custom.conf"
- name: Check certificate existance
stat:
path: "/etc/ssh/ssh_user_ed25519_key-cert.pub"
register: cert_stat
- name: Generate user certificate
command:
cmd: "ssh -o ConnectTimeout=3 -o ConnectionAttempts=1 root@atlas.lan '/root/ssh_ca/ssh_ca.sh user \"{{ user_public_key }}\" lewis.lan \"backup\"'"
register: cert
delegate_to: localhost
when: not cert_stat.stat.exists
- name: Place user certificate
copy:
dest: "/etc/ssh/ssh_user_ed25519_key-cert.pub"
content: "{{ cert.stdout }}"
mode: 0600
when: not cert_stat.stat.exists
- name: Create point mount for atlas data
file:
path: /mnt/atlas
state: directory
- name: Mount atlas data
mount:
src: "backup-share@atlas.lan:"
path: "/mnt/atlas"
state: mounted
fstype: fuse.sshfs
opts: "x-systemd.automount,_netdev,idmap=user,allow_other,reconnect,ro,ServerAliveInterval=15,ServerAliveCountMax=3"


@ -0,0 +1,3 @@
Match User root
TrustedUserCAKeys /etc/ssh/hyp_user.pub
AuthorizedPrincipalsFile /etc/ssh/backup_principals
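Review bot: This `Match User root` block gives any certificate from the hyp user CA that carries the `hypervisor` principal (the only entry the playbook writes to `/etc/ssh/backup_principals`) an unrestricted root login on the backup target, with nothing limiting that session to borg. Since an AuthorizedPrincipalsFile accepts the same per-line key options as authorized_keys, the principals entry written by the playbook can be narrowed to `restrict,command="borg serve --append-only --restrict-to-repository /mnt/kingston1TB/hosts/atlas" hypervisor`, which also makes the repository append-only from the client's side so a compromised atlas cannot prune or delete its own history — the main risk a push model introduces over the pull model this commit reverts from. Adding `ForceCommand` or `PermitTTY no` inside this Match block instead would apply to every root login, including the admin keys, so the per-principal options are the safer place. If `hyp_user` is also the CA that signs interactive user certificates, it is worth confirming that no user certificate can be issued with the `hypervisor` principal.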