revert back to push backups
This commit is contained in:
parent
685db7b685
commit
063fbc56fd
14 changed files with 95 additions and 203 deletions
|
@ -1,10 +1,14 @@
|
|||
borg_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBTag7YToG5W+H2kEUz40kOH+7cs0Lp3owFFKkmHBiWM root@max"
|
||||
dataserver_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJsLVptkoOwmxs6DnenN8u7Q1Tm/Psh0QdI6vjrTgb6D root@lewis"
|
||||
user_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBRBrKmIKP5BFhLSdntatIgSC0R/D9EEZlak5Yt0DfUe root@lewis"
|
||||
kingston1tb_mount_point: "/mnt/kingston1TB"
|
||||
kingston1tb_uuid: "622a8d81-aa2f-460b-a563-c3cdb6285609"
|
||||
backup_location: "{{ kingston1tb_mount_point }}/atlas_backup"
|
||||
|
||||
admin_public_keys:
|
||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINUZp4BCxf7uLa1QWonx/Crf8tYZ5MKIZ+EuaBa82LrV user@user-laptop"
|
||||
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOodpLr+FDRyKyHjucHizNLVFHZ5AQmE9GmxMnOsSoaw pimkunis@thinkpadpim"
|
||||
|
||||
hyp_user_ca_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHZreEhS/rMHfJB7IenEEfk38zCjmyce+X2AWxzU/N81 User Certificate Authority for *.hyp"
|
||||
|
||||
backup_hosts:
|
||||
- atlas
|
||||
|
||||
apt_install_packages:
|
||||
- borgbackup
|
||||
|
|
|
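Review bot: The only consumers of `borg_public_key`, `dataserver_public_key`, `user_public_key` and `backup_location` visible in this commit are tasks in files it deletes (the `authorized_key` and `copy` tasks of the old dataserver and borg roles, and `borg init -e none {{ backup_location }}`), so unless a file outside this diff still reads them these variables are now dead and should be removed rather than left as stale configuration. The rendered page does not preserve which lines of this hunk are added versus kept, so this applies only to the values that survive on the new side. If `backup_hosts` is the new source of truth for repositories, a one-line comment above it, `# one borg repository per entry under {{ kingston1tb_mount_point }}/hosts/`, would tie it to the task in lewis.yml that consumes it.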
@ -4,4 +4,4 @@ all:
|
|||
hosts:
|
||||
lewis:
|
||||
ansible_user: root
|
||||
ansible_host: lewis.lan
|
||||
ansible_host: lewis.hyp
|
||||
|
|
83
lewis.yml
83
lewis.yml
|
@ -1,6 +1,83 @@
|
|||
- name: Setup homeserver
|
||||
hosts: dataserver
|
||||
|
||||
handlers:
|
||||
- name: restart sshd
|
||||
systemd:
|
||||
name: sshd
|
||||
state: restarted
|
||||
|
||||
tasks:
|
||||
- name: Copy backup user principals file
|
||||
copy:
|
||||
dest: /etc/ssh/backup_principals
|
||||
content: hypervisor
|
||||
|
||||
- name: Copy hyp user SSH CA public key
|
||||
copy:
|
||||
dest: /etc/ssh/hyp_user.pub
|
||||
content: "{{ hyp_user_ca_public_key }}"
|
||||
|
||||
- name: Copy user certificate sshd config
|
||||
copy:
|
||||
src: "sshd_user_certificates.conf"
|
||||
dest: /etc/ssh/sshd_config.d/user_certificates.conf
|
||||
notify: restart sshd
|
||||
|
||||
- name: Ensure backup directory exists
|
||||
file:
|
||||
path: "{{ kingston1tb_mount_point }}/hosts"
|
||||
state: directory
|
||||
|
||||
- name: Create backup respositories
|
||||
command:
|
||||
cmd: "borg init -e none {{ kingston1tb_mount_point }}/hosts/{{ item }}"
|
||||
creates: "{{ kingston1tb_mount_point }}/hosts/{{ item }}"
|
||||
with_items: "{{ backup_hosts }}"
|
||||
|
||||
- name: Create extra disk moint point
|
||||
file:
|
||||
path: "{{ kingston1tb_mount_point }}"
|
||||
state: directory
|
||||
|
||||
- name: Mount extra disk
|
||||
ansible.posix.mount:
|
||||
path: "{{ kingston1tb_mount_point }}"
|
||||
src: "UUID={{ kingston1tb_uuid }}"
|
||||
fstype: ext4
|
||||
passno: 1
|
||||
state: present
|
||||
|
||||
- name: Generate host key pair
|
||||
openssh_keypair:
|
||||
path: /etc/ssh/ssh_host_ed25519_key
|
||||
type: ed25519
|
||||
comment: "{{ ansible_host }}"
|
||||
register: host_key
|
||||
|
||||
- name: Check whether host certificate exists
|
||||
stat:
|
||||
path: /etc/ssh/ssh_host_ed25519_key-cert.pub
|
||||
register: cert_stat
|
||||
|
||||
- name: Generate SSH host certificate
|
||||
command:
|
||||
cmd: "ssh -o ConnectTimeout=3 -o ConnectionAttempts=1 root@atlas.hyp '/root/ssh_ca/ssh_ca.sh host hyp_host \"{{ host_key.public_key }}\" {{ ansible_host }}'"
|
||||
register: host_certificate
|
||||
delegate_to: localhost
|
||||
when: not cert_stat.stat.exists
|
||||
|
||||
- name: Place host certificate
|
||||
copy:
|
||||
dest: /etc/ssh/ssh_host_ed25519_key-cert.pub
|
||||
content: "{{ host_certificate.stdout }}"
|
||||
mode: 0644
|
||||
when: not cert_stat.stat.exists
|
||||
|
||||
- name: Enable host certificate
|
||||
copy:
|
||||
dest: /etc/ssh/sshd_config.d/sshd_host_certificate.conf
|
||||
content: "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub"
|
||||
|
||||
roles:
|
||||
- {role: 'common', tags: 'common'}
|
||||
- {role: 'system', tags: 'system'}
|
||||
- {role: 'borg', tags: 'borg'}
|
||||
- apt
|
||||
|
|
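Review bot: "Place host certificate" and "Enable host certificate" write `/etc/ssh/ssh_host_ed25519_key-cert.pub` and the `HostCertificate` drop-in, which sshd reads only when it starts, yet neither task has `notify: restart sshd` — only "Copy user certificate sshd config" does — so on a fresh host the certificate is not presented until something else restarts sshd; add `notify: restart sshd` to both `copy` tasks. The same file also leaves `mode: 0644` unquoted, which ansible-lint flags as risky-octal; `mode: "0644"` is the safe spelling. Note that `hosts: dataserver` is kept while the inventory name in this commit appears to be `lewis`; confirm the group still resolves.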
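--- /dev/null
+++ b/requirements.yml
@@ -0,0 +1,3 @@
+- name: apt
+  src: https://github.com/sunscrapers/ansible-role-apt.git
+  scm: git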
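Review bot: The `apt` role is pulled from a third-party git repository with no `version:` pin, so `ansible-galaxy install` takes whatever the default branch points to at install time and the role runs as root on the managed host; pin it to a tag or commit, `version: "<tag-or-commit-sha>"` (placeholder — pick the reviewed revision), so installs are reproducible and a change upstream cannot alter the playbook without a commit here. A one-line comment naming the role's purpose, `# provides the apt upgrade task formerly in roles/system`, would also help, since the hand-written APT upgrade task is deleted in this same commit.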
|
@ -1,10 +0,0 @@
|
|||
[Unit]
|
||||
Description=Backup data daily
|
||||
|
||||
[Timer]
|
||||
OnCalendar=*-*-* 3:00:00
|
||||
Persistent=true
|
||||
RandomizedDelaySec=1h
|
||||
|
||||
[Install]
|
||||
WantedBy=timers.target
|
|
@ -1,47 +0,0 @@
|
|||
- name: Install borg
|
||||
apt:
|
||||
pkg:
|
||||
- borgbackup
|
||||
- borgmatic
|
||||
- name: Copy borg backup config
|
||||
template:
|
||||
src: "{{ role_path }}/templates/backup.yml.j2"
|
||||
dest: /root/backup.yml
|
||||
- name: Copy systemd service
|
||||
template:
|
||||
src: "{{ role_path }}/templates/backup.service.j2"
|
||||
dest: "/etc/systemd/system/backup.service"
|
||||
register: service
|
||||
- name: Copy systemd timer
|
||||
copy:
|
||||
src: "{{ role_path }}/files/backup.timer"
|
||||
dest: "/etc/systemd/system/backup.timer"
|
||||
register: timer
|
||||
- name: Enable timer
|
||||
systemd:
|
||||
name: backup.timer
|
||||
enabled: true
|
||||
state: started
|
||||
daemon_reload: "{{ 'yes' if service.changed or timer.changed else 'no' }}"
|
||||
- name: Create extra disk moint point
|
||||
file:
|
||||
path: "{{ kingston1tb_mount_point }}"
|
||||
state: directory
|
||||
- name: Mount extra disk
|
||||
ansible.posix.mount:
|
||||
path: "{{kingston1tb_mount_point }}"
|
||||
src: "UUID={{ kingston1tb_uuid }}"
|
||||
fstype: ext4
|
||||
passno: 1
|
||||
state: present
|
||||
- name: Install borg
|
||||
apt:
|
||||
name: borgbackup
|
||||
- name: Add Borg public key
|
||||
authorized_key:
|
||||
key: "{{ borg_public_key }}"
|
||||
user: "{{ ansible_user_id }}"
|
||||
- name: Create Borg repository
|
||||
command:
|
||||
cmd: "borg init -e none {{ backup_location }}"
|
||||
creates: "{{ backup_location }}"
|
|
@ -1,6 +0,0 @@
|
|||
[Unit]
|
||||
Description=Backup data using borgmatic
|
||||
|
||||
[Service]
|
||||
ExecStart=/usr/bin/borgmatic --config /root/backup.yml
|
||||
Type=oneshot
|
|
@ -1,14 +0,0 @@
|
|||
location:
|
||||
source_directories:
|
||||
- /mnt/atlas
|
||||
repositories:
|
||||
- {{ backup_location }}
|
||||
retention:
|
||||
keep_daily: 7
|
||||
keep_weekly: 4
|
||||
keep_monthly: 6
|
||||
hooks:
|
||||
before_everything:
|
||||
- echo down | ssh backup-control@atlas.lan
|
||||
after_everything:
|
||||
- echo up | ssh backup-control@atlas.lan
|
|
@ -1,7 +0,0 @@
|
|||
- name: APT upgrade
|
||||
apt:
|
||||
autoremove: true
|
||||
upgrade: yes
|
||||
state: latest
|
||||
update_cache: yes
|
||||
cache_valid_time: 86400 # One day
|
|
@ -1,2 +0,0 @@
|
|||
CertificateFile /etc/ssh/ssh_user_ed25519_key-cert.pub
|
||||
IdentityFile /etc/ssh/ssh_user_ed25519_key
|
|
@ -1,25 +0,0 @@
|
|||
$ANSIBLE_VAULT;1.1;AES256
|
||||
38633038656332643033396338303864343332636434633331366266383235316235313236646361
|
||||
6634313931303637616535373966316165656564366437330a393465356237626631303063363061
|
||||
62323737343635316139636664663937333233323737376238656566633037613938383737306132
|
||||
6237633230623962320a643433323532646261366532346234653332323336653162366433626465
|
||||
31386461393535303730333865356364646137386634643630353831383039353763396536313439
|
||||
30333335623364306166346232303862633636633066323062313531363234396362653232316261
|
||||
36666132623030323332623334323632636639646239363032626364646334643461346662616366
|
||||
39656266643937663531656137353031353130366238326535383261333539353439353566313537
|
||||
38353632353039643530613766313033313063333331333733613939383731663262623766626266
|
||||
64363061306166353633333634363332633461346538316661666364626639366132356434343631
|
||||
61373432633863643237386435386633366161393934646562343261386335353638353033343932
|
||||
62393633366163613064393966663830646237613265396462376238396639363566363865303861
|
||||
36343666326632626166323430303137323236346137346131623636653236353061343633383437
|
||||
61396534636166353038626162376335363137636164616631646261366332303135306237356432
|
||||
61626261656332666536343039316333303431653931666233363366613166663266663130656633
|
||||
39316363326532653665626136393135373863383234326638303466353930653038303433643536
|
||||
30666237363230306634333162396562623034386232666465343631306433373764626634613635
|
||||
63343965623163356536626162613863373033396565366361353538323933656165653932653937
|
||||
34666538353139636366333765363733336134396566613134303530633666326165306131353535
|
||||
33653133663166333964326330366530643730363861626261666366383334613661303762636663
|
||||
34376531343732346630643466616638323537633665373333346162306361393836326533636630
|
||||
61656335306337643930613662613832626530653630343566643661356666313331316438366538
|
||||
37333166636639363838303665626137643731626338356662656338393335343239376635303633
|
||||
35663237653238313133
|
|
@ -1,25 +0,0 @@
|
|||
$ANSIBLE_VAULT;1.1;AES256
|
||||
35346438336463383831313235653538373964643631303961373865643332623636383161333934
|
||||
3531363564313239623935343032376535333962336336350a666439303639363735626562323530
|
||||
39613366343331643331663434303531613230373934376537646665633630356462333932613537
|
||||
3465383636323934300a343264636565623166646266313764643262343532376336333763363662
|
||||
30623133303436373936323534366335663439626633313138366565303037323034613164646663
|
||||
31366366346561623039633035373638636464626237353566376666643039626334633863626565
|
||||
66356538326464363465623035396534663033646336393265326339346363376666396565346130
|
||||
66313634373931323738613863653066313034373361646530666561633463626536633963613236
|
||||
31616561316366633865383336363832663066343666356437616332376565326630316538663236
|
||||
65383234643439633737336639306232383862366230316262353639313833393138643464393734
|
||||
61313463323961623264386334666462623039663138326434643339633165393533386665393839
|
||||
34643762643864316331343562366139343432313332356232386139663564323338633139363930
|
||||
61346139346430643966346363393331616264396133613362393066363039303164623730356536
|
||||
35313138613536626665393239663532663061636433316232393839323732393635316634376464
|
||||
39313439656131643436393830356662383537353730373132346639366636613830616562613164
|
||||
65623333663763653364616638663833333732356238303130626161653139646563633433353865
|
||||
64346235616331363338303265396437623264353066646439643264646665343962373237376131
|
||||
30326564623264336365653666616331616138356235323961323134373265646434643065666661
|
||||
63616534333631323132663532623135393632333236613162623932316261316165616331396261
|
||||
66383862303763313032653565323934303366313765326330303032353937386434656134336433
|
||||
30616531323762343539666331336132313530316637393564643530303135366263633531393334
|
||||
30346632383139333263326265356133316435636663613130626566333730623739653936366138
|
||||
33663165616336363361323631643331346238333635623135623364663234366666393034663132
|
||||
64616234633735636164
|
|
@ -1,59 +0,0 @@
|
|||
- name: Install sshfs
|
||||
apt:
|
||||
name: sshfs
|
||||
- name: Add admins' authorized keys
|
||||
authorized_key:
|
||||
key: "{{ item }}"
|
||||
user: "{{ ansible_user_id }}"
|
||||
loop: "{{ admin_public_keys }}"
|
||||
- name: Copy host public key
|
||||
copy:
|
||||
dest: "/etc/ssh/ssh_host_ed25519_key.pub"
|
||||
content: "{{ dataserver_public_key }}"
|
||||
mode: 0644
|
||||
- name: Copy host private key
|
||||
copy:
|
||||
src: "{{ role_path }}/files/ssh_host_ed25519_key"
|
||||
dest: "/etc/ssh/ssh_host_ed25519_key"
|
||||
mode: 0600
|
||||
- name: Copy user public key
|
||||
copy:
|
||||
dest: "/etc/ssh/ssh_user_ed25519_key.pub"
|
||||
content: "{{ user_public_key }}"
|
||||
mode: 0644
|
||||
- name: Copy user private key
|
||||
copy:
|
||||
src: "{{ role_path }}/files/ssh_user_ed25519_key"
|
||||
dest: "/etc/ssh/ssh_user_ed25519_key"
|
||||
mode: 0600
|
||||
- name: Copy ssh config
|
||||
copy:
|
||||
src: "{{ role_path }}/files/ssh.conf"
|
||||
dest: "/etc/ssh/ssh_config.d/custom.conf"
|
||||
- name: Check certificate existance
|
||||
stat:
|
||||
path: "/etc/ssh/ssh_user_ed25519_key-cert.pub"
|
||||
register: cert_stat
|
||||
- name: Generate user certificate
|
||||
command:
|
||||
cmd: "ssh -o ConnectTimeout=3 -o ConnectionAttempts=1 root@atlas.lan '/root/ssh_ca/ssh_ca.sh user \"{{ user_public_key }}\" lewis.lan \"backup\"'"
|
||||
register: cert
|
||||
delegate_to: localhost
|
||||
when: not cert_stat.stat.exists
|
||||
- name: Place user certificate
|
||||
copy:
|
||||
dest: "/etc/ssh/ssh_user_ed25519_key-cert.pub"
|
||||
content: "{{ cert.stdout }}"
|
||||
mode: 0600
|
||||
when: not cert_stat.stat.exists
|
||||
- name: Create point mount for atlas data
|
||||
file:
|
||||
path: /mnt/atlas
|
||||
state: directory
|
||||
- name: Mount atlas data
|
||||
mount:
|
||||
src: "backup-share@atlas.lan:"
|
||||
path: "/mnt/atlas"
|
||||
state: mounted
|
||||
fstype: fuse.sshfs
|
||||
opts: "x-systemd.automount,_netdev,idmap=user,allow_other,reconnect,ro,ServerAliveInterval=15,ServerAliveCountMax=3"
|
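--- /dev/null
+++ b/sshd_user_certificates.conf
@@ -0,0 +1,3 @@
+Match User root
+TrustedUserCAKeys /etc/ssh/hyp_user.pub
+AuthorizedPrincipalsFile /etc/ssh/backup_principals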
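Review bot: This `Match User root` block accepts, for root, any certificate signed by the hyp user CA whose principal list contains the single name written to `/etc/ssh/backup_principals` by lewis.yml (`hypervisor`), and nothing limits what such a session may run, so a backup identity gets an unrestricted root shell. Since the stated purpose is pushing borg backups into `{{ kingston1tb_mount_point }}/hosts/<host>`, the principals file (it takes the same options as authorized_keys) is the place to confine it, e.g. `restrict,command="borg serve --restrict-to-repository /mnt/kingston1TB/hosts/<host>" hypervisor` — the path is constructed from the vars in this commit, adjust to the real layout. A comment in this file, `# root access only via hyp-CA certificates listed in backup_principals`, would document the intent for the next reader.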