authorTrygve Laugstøl <trygvis@inamo.no>2022-11-17 09:48:45 +0100
committerTrygve Laugstøl <trygvis@inamo.no>2022-11-17 09:49:06 +0100
commit6fbf9f40f88f51450cc2d2dbbc46ca5c70ffbad0 (patch)
tree2846954ec3725f33cdbc1c33722f8ef7c4d8ad13
parent70f235f0ec9937fa41b80fe2d8c5355649c24ea9 (diff)
borg
-rw-r--r--ansible/borg/README.md4
-rw-r--r--ansible/borg/borg-clients.yml19
-rw-r--r--ansible/borg/borg-rsyncnet.yml26
-rw-r--r--ansible/borg/borg-target.yml3
-rw-r--r--ansible/borg/group_vars/all.yml44
-rw-r--r--ansible/inventory3
-rw-r--r--ansible/roles/borg-client/tasks/main.yml11
-rw-r--r--ansible/roles/borg-job/tasks/main.yml7
-rw-r--r--ansible/roles/borg-rsyncnet/defaults/main.yml5
-rw-r--r--ansible/roles/borg-rsyncnet/tasks/borg-init.yml67
-rw-r--r--ansible/roles/borg-rsyncnet/tasks/main.yml55
11 files changed, 213 insertions, 31 deletions
diff --git a/ansible/borg/README.md b/ansible/borg/README.md
new file mode 100644
index 0000000..4a3ecd0
--- /dev/null
+++ b/ansible/borg/README.md
@@ -0,0 +1,4 @@
+# Generating a new key pair:
+
+ host=akili
+ ssh-keygen -t ed25519 -N "" -f borg/files/borg/$host/ssh-key
diff --git a/ansible/borg/borg-clients.yml b/ansible/borg/borg-clients.yml
index a155bb7..ad8b1e5 100644
--- a/ansible/borg/borg-clients.yml
+++ b/ansible/borg/borg-clients.yml
@@ -1,25 +1,30 @@
- hosts:
- - conflatorio
- - birgitte
+ - akili
- arius
+ - birgitte
+ - conflatorio
roles:
- role: borg-client
- tags: borg-client,never
+ tags: borg-client
become: yes
+ vars:
+ borg_client__target: zh2569.rsync.net
- hosts:
- - conflatorio
- - birgitte
+ - akili
- arius
+ - birgitte
+ - conflatorio
roles:
- role: borg-job
tags: borg-job
become: yes
vars:
- borg_job__target: malabaricus.vpn.trygvis.io
- borg_job__username: borg
+ borg_job__target: zh2569.rsync.net
+ borg_job__username: zh2569
borg_job__name: home
borg_job__on_calendar: daily
+ borg_job__borg_remote_path: /usr/local/bin/borg1/borg1
borg_job__settings:
patterns: |
P sh
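Review bot: The same rsync.net account is now spelled out three times in this play file — `borg_client__target` (L56) and `borg_job__target`/`borg_job__username` (L71–L72) — and again in the inventory and the borg-rsyncnet defaults, so a future account move can leave one client quietly pointed at the old target; deriving the job values from one place, e.g. `borg_job__target: "{{ borg_client__target }}"`, avoids that. Dropping `never` from the borg-client tags also means that role, including its rewrite of `/etc/tergum/ssh_known_hosts`, now runs on every ordinary invocation; if that is intended, a one-line comment above the role saying so would help the next reader.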
diff --git a/ansible/borg/borg-rsyncnet.yml b/ansible/borg/borg-rsyncnet.yml
new file mode 100644
index 0000000..b365e5e
--- /dev/null
+++ b/ansible/borg/borg-rsyncnet.yml
@@ -0,0 +1,26 @@
+- hosts:
+ - zh2569.rsync.net
+ gather_facts: no
+ roles:
+ - role: borg-rsyncnet
+ vars:
+ borg_rsyncnet___borg_remote_path: /usr/local/bin/borg1/borg1
+ borg_rsyncnet__clients:
+ conflatorio:
+ state: present
+ repos:
+ home:
+ db:
+ foo:
+ state: absent
+ repos:
+ home:
+ db:
+ birgitte:
+ state: present
+ repos:
+ home:
+# arius:
+# state: present
+# repos:
+# home:
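Review bot: `borg_rsyncnet___borg_remote_path` (three underscores) breaks the role's `borg_rsyncnet__*` naming and is only consumed by the commented-out restricted-command line in the role's tasks, so as committed it is unused; rename it to match the role and give it a default there. The `foo` client with `state: absent` looks like a test fixture left in the production playbook — the absent branch exists to retire a real host's key, and `foo` will only emit a permanent `# borg: foo, state=absent` line into authorized_keys. Note also that `arius` is commented out here while `borg-clients.yml` in this commit deploys a daily job on arius against this account; unless its key is already authorized by hand, those backups will presumably fail with a permission error.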
diff --git a/ansible/borg/borg-target.yml b/ansible/borg/borg-target.yml
index ac3c5a9..d359446 100644
--- a/ansible/borg/borg-target.yml
+++ b/ansible/borg/borg-target.yml
@@ -1,5 +1,6 @@
- hosts:
- - malabaricus
+# Not used anymore
+# - malabaricus
roles:
- role: borg-target
tags: borg-target
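Review bot: With both entries commented out, `hosts:` is now null, and Ansible rejects a play whose hosts list is empty ("Hosts list cannot be empty", if I recall the play validation correctly), so this playbook would fail at parse time rather than be a harmless no-op. Since the comment says the target is not used anymore, delete the play (or the file) instead of leaving an unrunnable one.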
diff --git a/ansible/borg/group_vars/all.yml b/ansible/borg/group_vars/all.yml
index e95de0e..ba95af6 100644
--- a/ansible/borg/group_vars/all.yml
+++ b/ansible/borg/group_vars/all.yml
@@ -1,21 +1,25 @@
$ANSIBLE_VAULT;1.1;AES256
-39313266306464353731363233373264623362623139633634316166373635346331343030646533
-3037313262343961653434373030623635386135386632360a376133363832656466363738393730
-33386133666536383739646536393163323037313632653232343162313065613165666435623563
-3336383935663464340a303066313338663739373937633665363033386636633239336663396566
-61626562663461626531613137316165626166343462626264626437333935643633306431636531
-34613238623732323165616531343134623334653231383665303432323365643664326331393432
-38363435376438663230343362343032333465616238393264636664666133323164623132643137
-34303736373366386237326163626363306638613737383533633762343236313435653034366137
-34393466353638393664633238636134636236373338636436633861646330313237636164623361
-63346463336131373461643633323238663065626537346565326666643732396635373935326364
-61636664356663353961643961356566373235326365623533393663666331333231643565353538
-35326664363438643837643330316264353433356362643435336466316564653538633165633633
-31316139353566626335303934616631613663633361333835396633666462373536646537346335
-62383338326661343831326237343430313061623661373561343839323463623234393736303834
-38336533383233333164363033663263633931616161386332343062343263633765343561363363
-61623437363861306136383837306161643834666430303161623237666434316361643136646333
-34323430653736636433373735646530396233616434623661663961363538613430613863373962
-34656662626264353464633530636264306238383861653963653065663331376435323333623834
-62643563313861383136313231373164633339656335343161393230346165336265623130663366
-61623661643664656563
+61376265656230393066336630633231383930333663653230323261653932373561376166653064
+3032316332386463616132323131356131383533613438360a303537653562353561316164626363
+32633765646266636234353663636632656161643938656535613861376331336665346238633262
+3436653537653331320a613065643861336661613135666632383035666465613933393434383336
+39663538646135306138316436356431323065663633323362303035363331643634303139376331
+66346230646131643465383461626266613563363965396631613031653332303935613061396337
+33313438643264326239666134336266333332346234383063616665336530396533363330633539
+36396561616335653462353762363632613832653566333833313135653030653261323431313333
+34303830613438643335323136626265626161353735303165373562343037623061663465646232
+37646130356263666132653035626665653636366339646661353030323565333933326363353139
+61653236396338316539633339373534663465616533616431666330303139626539653562333238
+38336236356535373437633838636534383730313064303938663434643632653439616337653738
+66393133373864323066373432353131646163363033646634303361313935353463613962383237
+38616239613132366137333537353161646361623566653932376263343631353530343439373734
+35393236343332356661636131346466663463396665303134356539313562306263356135363764
+31316462656135393961626330643865623364653162303335656530656265316263393163343134
+32343766386138343139663563616462303031663332343963323131386661376537626338656265
+65393762626433636661623234626435313531363866393736643566646230663830333536336638
+30623437383237363664633764323139353065666331353263373935396436646237623761666662
+65633336353935353834613131336134383762373762653634353530666336666665333262326161
+39353239396236303332316333633935643630613432353239653837353038363164643561303637
+34333233623863653464333065396536666332656530376466343736393834633634656332343833
+33663666633061393831663664386564363338386166333339353135636265633363366433643032
+31363361613639636435
diff --git a/ansible/inventory b/ansible/inventory
index a903558..9078262 100644
--- a/ansible/inventory
+++ b/ansible/inventory
@@ -50,6 +50,9 @@ all:
conflatorio-test5:
ansible_host: "fd56:1ae9:097d:3ddd:5375:e67b:7878:310d"
+ zh2569.rsync.net:
+ ansible_user: zh2569
+
children:
workstation:
children:
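Review bot: The new `zh2569.rsync.net` entry carries only `ansible_user`; every task in the borg-rsyncnet role reaches the account through the controller's own `ssh` via `local_action`, so this entry is effectively just a source for `inventory_hostname`/`ansible_user`, and host-key trust for the controller rests on whatever the operator's `~/.ssh/known_hosts` contains. A comment would keep that from surprising the next person, e.g. `# reached only via local_action ssh from the controller; pin its host key in the operator's known_hosts`.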
diff --git a/ansible/roles/borg-client/tasks/main.yml b/ansible/roles/borg-client/tasks/main.yml
index d5767cd..6e34850 100644
--- a/ansible/roles/borg-client/tasks/main.yml
+++ b/ansible/roles/borg-client/tasks/main.yml
@@ -1,4 +1,4 @@
-- tags: packages
+- tags: packages,never
apt:
name:
- borgbackup
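Review bot: Tagging the package install `never` means a fresh client such as akili (added to borg-clients.yml in this commit) will not get borgbackup unless the play is run with `--tags packages`, which is easy to forget on first deploy. If that is the intent, say so, e.g. `# only installed with --tags packages; a new client needs one explicit run`.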
@@ -19,6 +19,15 @@
owner: root
group: root
+- command: ssh-keyscan zh2569.rsync.net
+ register: keyscan
+ when: borg_client__target is defined
+
+- copy:
+ dest: /etc/tergum/ssh_known_hosts
+ content: "{{ keyscan.stdout }}"
+ when: keyscan is defined
+
- name: "/etc/systemd/system/tergum@.service"
copy:
dest: "/etc/systemd/system/tergum@.service"
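Review bot: The `copy` task's guard `when: keyscan is defined` is always true — Ansible registers `keyscan` even when the scan task is skipped, as a result with `skipped: true` and no `stdout` — so on a host without `borg_client__target` the copy runs and fails on the undefined `keyscan.stdout`; use `when: keyscan is not skipped`. The scan also hardcodes `zh2569.rsync.net` instead of `{{ borg_client__target }}`, so the variable set in the play does not actually choose which host gets pinned. More fundamentally, `ssh-keyscan` at deploy time trusts whatever answers on the wire and rewrites `/etc/tergum/ssh_known_hosts` on every run, so a MITM during any playbook run gets its key pinned; a known_hosts file checked into the role (verified once out of band) and deployed with `copy: src=` would be a real pin. The scan is also reported as changed every run; `changed_when: false` keeps the play idempotent. The role's task list continues past the end of this hunk.
```yaml
- command: "ssh-keyscan {{ borg_client__target }}"
  register: keyscan
  changed_when: false
  when: borg_client__target is defined

- copy:
    dest: /etc/tergum/ssh_known_hosts
    content: "{{ keyscan.stdout }}\n"
    owner: root
    group: root
    mode: "0644"
  when: keyscan is not skipped
# … unchanged: tergum@.service task …
```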
diff --git a/ansible/roles/borg-job/tasks/main.yml b/ansible/roles/borg-job/tasks/main.yml
index 10076d6..8e562bd 100644
--- a/ansible/roles/borg-job/tasks/main.yml
+++ b/ansible/roles/borg-job/tasks/main.yml
@@ -14,9 +14,12 @@
copy:
dest: "/etc/tergum/jobs/{{ borg_job__name }}/env"
content: |
- BORG_REPO={{ borg_job__username }}@{{ borg_job__target }}:{{ ansible_hostname }}/{{ borg_job__name }}
- BORG_RSH=ssh -i /etc/tergum/ssh-key
+ BORG_REPO={{ borg_job__username }}@{{ borg_job__target }}:borg/{{ ansible_hostname }}/{{ borg_job__name }}
+ BORG_RSH=ssh -i /etc/tergum/ssh-key -o GlobalKnownHostsFile=/etc/tergum/ssh_known_hosts
BORG_PASSPHRASE={{ borg__passphrases[ansible_hostname][borg_job__name] }}
+ {% if borg_job__borg_remote_path is defined %}
+ BORG_REMOTE_PATH={{ borg_job__borg_remote_path }}
+ {% endif %}
# BORG_KEYS_DIR
# BORG_SECURITY_DIR
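Review bot: `-o GlobalKnownHostsFile=/etc/tergum/ssh_known_hosts` adds the pinned file but does not make it authoritative: ssh still consults root's `~/.ssh/known_hosts` and falls back to the default `StrictHostKeyChecking` policy for anything not in the pinned file. Make the pin exclusive with `BORG_RSH=ssh -i /etc/tergum/ssh-key -o GlobalKnownHostsFile=/etc/tergum/ssh_known_hosts -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=yes`. This env file also holds `BORG_PASSPHRASE`; the enclosing `copy` task starts before the hunk, so its owner/mode are not visible here — it should be root-owned with `mode: "0600"`. The new `borg/` prefix in `BORG_REPO` duplicates `borg_rsyncnet__home` from the server-side role; a shared variable would stop the two from drifting apart.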
diff --git a/ansible/roles/borg-rsyncnet/defaults/main.yml b/ansible/roles/borg-rsyncnet/defaults/main.yml
new file mode 100644
index 0000000..7c8ffd9
--- /dev/null
+++ b/ansible/roles/borg-rsyncnet/defaults/main.yml
@@ -0,0 +1,5 @@
+borg_rsyncnet__user: zh2569
+borg_rsyncnet__host: zh2569.rsync.net
+borg_rsyncnet__home: borg
+
+borg_rsyncnet__repos:
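Review bot: `borg_rsyncnet__repos:` is a bare key, which parses as `null` rather than an empty mapping, and none of `borg_rsyncnet__user`, `borg_rsyncnet__host` or `borg_rsyncnet__repos` is referenced by the role's tasks in this commit — they use `ansible_user`, `inventory_hostname` and `borg_rsyncnet__clients` instead. Either drop the unused defaults or write `borg_rsyncnet__repos: {}` so a consumer can iterate it safely; the variable the playbook does set, `borg_rsyncnet___borg_remote_path`, has no default here.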
diff --git a/ansible/roles/borg-rsyncnet/tasks/borg-init.yml b/ansible/roles/borg-rsyncnet/tasks/borg-init.yml
new file mode 100644
index 0000000..9b6980d
--- /dev/null
+++ b/ansible/roles/borg-rsyncnet/tasks/borg-init.yml
@@ -0,0 +1,67 @@
+# - debug: var=client.value
+
+- with_items: "{{ client.value.repos }}"
+ assert:
+ that:
+ - "item in borg__passphrases[client.key]"
+ fail_msg: "{{ item }} is missing from borg-secrets.yml"
+ success_msg: ""
+
+- set_fact:
+ ssh_key: "{{ client.value.ssh_key_path if client.value.ssh_key_path is defined else default_file_path }}"
+ vars:
+ default_file_path: "files/borg/{{ client.key }}/ssh-key"
+# - debug: var=ssh_key
+
+- name: mkdir client dir
+ loop: "{{ client.value.repos | dict2items }}"
+ local_action: command ssh {{ ansible_user }}@{{ inventory_hostname }} mkdir -p "{{ borg_rsyncnet__home }}/{{ client.key }}"
+
+- name: ls client dir
+ local_action: command {{ ssh }} mkdir -p "{{ borg_rsyncnet__home }}/{{ client.key }}"; ls "{{ borg_rsyncnet__home }}/{{ client.key }}"
+ register: dirs
+ changed_when: False
+# - debug: var=dirs
+
+# This doesn't work as the ssh command doesn't allow sending
+# environment variables and borg the passphrase to be sent via env
+# variables.
+# - name: borg init
+# loop: "{{ client.value.repos | dict2items }}"
+# loop_control:
+# label: "{{ item.key }}"
+# local_action: command {{ ssh }} /usr/local/bin/borg1/borg1 init --encryption repokey "{{ path }}"
+# environment:
+# BORG_PASSPHRASE: "{{ borg__passphrases[client.key][item.key] }}"
+# when: item.key not in dirs.stdout_lines
+# vars:
+# remote: "{{ ansible_user }}@{{ inventory_hostname }}"
+# path: "{{ borg_rsyncnet__home }}/{{ client.key }}/{{ item.key }}"
+
+- name: borg init
+ loop: "{{ client.value.repos | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ local_action: command borg init --encryption repokey "{{ remote }}:{{ path }}"
+ environment:
+ BORG_PASSPHRASE: "{{ borg__passphrases[client.key][item.key] }}"
+ when: item.key not in dirs.stdout_lines
+ vars:
+ remote: "{{ ansible_user }}@{{ inventory_hostname }}"
+ path: "{{ borg_rsyncnet__home }}/{{ client.key }}/{{ item.key }}"
+
+- local_action:
+ module: stat
+ path: "{{ ssh_key }}"
+ register: ssh_key_stat
+
+- local_action:
+ module: file
+ path: "{{ (playbook_dir + '/' + ssh_key) | dirname }}"
+ state: directory
+ become: no
+
+- name: Generating SSH key
+ local_action: command ssh-keygen -t ed25519 -N "" -f "{{ ssh_key }}" -C "borg@{{ client.key }}"
+ when: not ssh_key_stat.stat.exists
+ become: no
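Review bot: The key path is resolved inconsistently: `stat` and `ssh-keygen` use `ssh_key` relative to the controller's current directory, while the `file` task prefixes `playbook_dir`, so running the playbook from another directory creates the directory in one place and writes (or fails to write) the key in another. Resolving once in the `set_fact`, `ssh_key: "{{ playbook_dir }}/{{ client.value.ssh_key_path | default('files/borg/' ~ client.key ~ '/ssh-key') }}"`, fixes all three. That key is generated with `-N ""` inside the playbook tree, so make sure `files/borg/*/ssh-key` (the private half) is git-ignored or vaulted — nothing in this diff shows that. The `borg init` task passes the repository passphrase via `environment`; add `no_log: true` so verbose or failing runs do not print it. Also, `--encryption repokey` stores the (passphrase-protected) key inside the repository on rsync.net, so the passphrase from `borg__passphrases` is the only secret guarding that copy; `keyfile` mode would keep the key material off the remote, which is worth a comment either way.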
diff --git a/ansible/roles/borg-rsyncnet/tasks/main.yml b/ansible/roles/borg-rsyncnet/tasks/main.yml
new file mode 100644
index 0000000..289ed53
--- /dev/null
+++ b/ansible/roles/borg-rsyncnet/tasks/main.yml
@@ -0,0 +1,55 @@
+- set_fact:
+ ssh: ssh -o SendEnv=BORG_PASSPHRASE {{ ansible_user }}@{{ inventory_hostname }}
+
+- name: get the authorized_keys from rsync.net
+ local_action: command {{ ssh }} cat .ssh/authorized_keys
+ register: authorized_keys
+ changed_when: false
+
+# - debug: var=authorized_keys.stdout
+
+- include_tasks: borg-init.yml
+ loop: "{{ borg_rsyncnet__clients | dict2items }}"
+ loop_control:
+ label: "{{ client.key }}"
+ loop_var: client
+ when: client.value.state | default("present") != "absent"
+
+- name: Remove all "borg:" lines from authorized keys
+ set_fact:
+ other_lines: |
+ {% for line in authorized_keys.stdout_lines %}
+ {% if line | regex_search('borg: ') is none %}
+ {{ line }}
+ {% endif %}
+ {% endfor %}
+
+# - debug: var=other_lines.stdout
+
+- name: Generate a new authorized_keys with other lines + generated list
+ set_fact:
+ authorized_keys: |
+ {% for line in other_lines | split("\n") -%}
+ {{ line.strip() }}
+ {% endfor %}
+ {% for client, config in borg_rsyncnet__clients.items() %}
+ {% set state=config.state | default('present') %}
+ {% if state == 'present' %}
+ {% set key=lookup('file', 'borg/' + client + '/ssh-key.pub') %}
+ {{ key }} # borg: {{ client }}, state={{state}}
+ {% else %}
+ # borg: {{ client }}, state={{state}}
+ {% endif %}
+ {% endfor %}
+# "
+# restrict,command="{{ borg_rsyncnet___borg_remote_path }} serve --append-only{% for r in config.repos %} --restrict-to-repository {{ borg_rsyncnet__home }}/repos{{ client }}/{{ r }}{% endfor %}" {{ key }} # borg: {{ client }}, state={{state}}
+
+# - debug: var=other_lines
+# - debug:
+# msg: "{{ authorized_keys }}"
+
+- name: Deploy authorized_keys
+ local_action:
+ module: shell
+ cmd: "{{ ssh }} dd of=.ssh/authorized_keys"
+ stdin: "{{ authorized_keys }}"
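Review bot: Every present client's key lands in rsync.net's authorized_keys with no options — the `restrict,command="… borg serve --append-only --restrict-to-repository …"` form exists only as the commented-out line below the template — so a compromised client (its private key sits in `/etc/tergum/ssh-key`) has full account access and can delete or rewrite every other client's repositories, which is exactly what per-repository, append-only serving is meant to prevent. When enabling it, fix the path it builds: `{{ borg_rsyncnet__home }}/repos{{ client }}/{{ r }}` has a literal `repos` and a missing slash, while borg-init creates repositories at `{{ borg_rsyncnet__home }}/{{ client }}/<repo>`; the emitted line should be `restrict,command="{{ borg_rsyncnet___borg_remote_path }} serve --append-only{% for r in config.repos %} --restrict-to-repository {{ borg_rsyncnet__home }}/{{ client }}/{{ r }}{% endfor %}" {{ key }} # borg: {{ client }}, state={{ state }}`. Note that `--append-only` makes client-side `prune`/`delete` only log the deletion, so retention then has to be driven from a trusted side. The deploy step is also non-atomic: `dd of=.ssh/authorized_keys` truncates the file before writing, so a dropped connection can leave an empty authorized_keys and lock the controller out; writing to `.ssh/authorized_keys.new` and `mv`-ing it into place avoids that, assuming rsync.net's shell permits it. Finally, the template reads `borg/<client>/ssh-key.pub` unconditionally, ignoring the `ssh_key_path` override borg-init honours, and `set_fact: authorized_keys` shadows the registered command result of the same name — it works, but a distinct name such as `new_authorized_keys` reads less confusingly.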