aboutsummaryrefslogtreecommitdiff
path: root/ansible/roles/borg-rsyncnet/tasks
diff options
context:
space:
mode:
authorTrygve Laugstøl <trygvis@inamo.no>2022-11-17 09:48:45 +0100
committerTrygve Laugstøl <trygvis@inamo.no>2022-11-17 09:49:06 +0100
commit6fbf9f40f88f51450cc2d2dbbc46ca5c70ffbad0 (patch)
tree2846954ec3725f33cdbc1c33722f8ef7c4d8ad13 /ansible/roles/borg-rsyncnet/tasks
parent70f235f0ec9937fa41b80fe2d8c5355649c24ea9 (diff)
downloadinfra-6fbf9f40f88f51450cc2d2dbbc46ca5c70ffbad0.tar.gz
infra-6fbf9f40f88f51450cc2d2dbbc46ca5c70ffbad0.tar.bz2
infra-6fbf9f40f88f51450cc2d2dbbc46ca5c70ffbad0.tar.xz
infra-6fbf9f40f88f51450cc2d2dbbc46ca5c70ffbad0.zip
borg
Diffstat (limited to 'ansible/roles/borg-rsyncnet/tasks')
-rw-r--r--ansible/roles/borg-rsyncnet/tasks/borg-init.yml67
-rw-r--r--ansible/roles/borg-rsyncnet/tasks/main.yml55
2 files changed, 122 insertions, 0 deletions
diff --git a/ansible/roles/borg-rsyncnet/tasks/borg-init.yml b/ansible/roles/borg-rsyncnet/tasks/borg-init.yml
new file mode 100644
index 0000000..9b6980d
--- /dev/null
+++ b/ansible/roles/borg-rsyncnet/tasks/borg-init.yml
@@ -0,0 +1,67 @@
+# - debug: var=client.value
+
+- with_items: "{{ client.value.repos }}"
+ assert:
+ that:
+ - "item in borg__passphrases[client.key]"
+ fail_msg: "{{ item }} is missing from borg-secrets.yml"
+ success_msg: ""
+
+- set_fact:
+ ssh_key: "{{ client.value.ssh_key_path if client.value.ssh_key_path is defined else default_file_path }}"
+ vars:
+ default_file_path: "files/borg/{{ client.key }}/ssh-key"
+# - debug: var=ssh_key
+
+- name: mkdir client dir
+ loop: "{{ client.value.repos | dict2items }}"
+ local_action: command ssh {{ ansible_user }}@{{ inventory_hostname }} mkdir -p "{{ borg_rsyncnet__home }}/{{ client.key }}"
+
+- name: ls client dir
+ local_action: command {{ ssh }} mkdir -p "{{ borg_rsyncnet__home }}/{{ client.key }}"; ls "{{ borg_rsyncnet__home }}/{{ client.key }}"
+ register: dirs
+ changed_when: False
+# - debug: var=dirs
+
+# This doesn't work as the ssh command doesn't allow sending
+# environment variables and borg the passphrase to be sent via env
+# variables.
+# - name: borg init
+# loop: "{{ client.value.repos | dict2items }}"
+# loop_control:
+# label: "{{ item.key }}"
+# local_action: command {{ ssh }} /usr/local/bin/borg1/borg1 init --encryption repokey "{{ path }}"
+# environment:
+# BORG_PASSPHRASE: "{{ borg__passphrases[client.key][item.key] }}"
+# when: item.key not in dirs.stdout_lines
+# vars:
+# remote: "{{ ansible_user }}@{{ inventory_hostname }}"
+# path: "{{ borg_rsyncnet__home }}/{{ client.key }}/{{ item.key }}"
+
+- name: borg init
+ loop: "{{ client.value.repos | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ local_action: command borg init --encryption repokey "{{ remote }}:{{ path }}"
+ environment:
+ BORG_PASSPHRASE: "{{ borg__passphrases[client.key][item.key] }}"
+ when: item.key not in dirs.stdout_lines
+ vars:
+ remote: "{{ ansible_user }}@{{ inventory_hostname }}"
+ path: "{{ borg_rsyncnet__home }}/{{ client.key }}/{{ item.key }}"
+
+- local_action:
+ module: stat
+ path: "{{ ssh_key }}"
+ register: ssh_key_stat
+
+- local_action:
+ module: file
+ path: "{{ (playbook_dir + '/' + ssh_key) | dirname }}"
+ state: directory
+ become: no
+
+- name: Generating SSH key
+ local_action: command ssh-keygen -t ed25519 -N "" -f "{{ ssh_key }}" -C "borg@{{ client.key }}"
+ when: not ssh_key_stat.stat.exists
+ become: no
diff --git a/ansible/roles/borg-rsyncnet/tasks/main.yml b/ansible/roles/borg-rsyncnet/tasks/main.yml
new file mode 100644
index 0000000..289ed53
--- /dev/null
+++ b/ansible/roles/borg-rsyncnet/tasks/main.yml
@@ -0,0 +1,55 @@
+- set_fact:
+ ssh: ssh -o SendEnv=BORG_PASSPHRASE {{ ansible_user }}@{{ inventory_hostname }}
+
+- name: get the authorized_keys from rsync.net
+ local_action: command {{ ssh }} cat .ssh/authorized_keys
+ register: authorized_keys
+ changed_when: false
+
+# - debug: var=authorized_keys.stdout
+
+- include_tasks: borg-init.yml
+ loop: "{{ borg_rsyncnet__clients | dict2items }}"
+ loop_control:
+ label: "{{ client.key }}"
+ loop_var: client
+ when: client.value.state | default("present") != "absent"
+
+- name: Remove all "borg:" lines from authorized keys
+ set_fact:
+ other_lines: |
+ {% for line in authorized_keys.stdout_lines %}
+ {% if line | regex_search('borg: ') is none %}
+ {{ line }}
+ {% endif %}
+ {% endfor %}
+
+# - debug: var=other_lines.stdout
+
+- name: Generate a new authorized_keys with other lines + generated list
+ set_fact:
+ authorized_keys: |
+ {% for line in other_lines | split("\n") -%}
+ {{ line.strip() }}
+ {% endfor %}
+ {% for client, config in borg_rsyncnet__clients.items() %}
+ {% set state=config.state | default('present') %}
+ {% if state == 'present' %}
+ {% set key=lookup('file', 'borg/' + client + '/ssh-key.pub') %}
+ {{ key }} # borg: {{ client }}, state={{state}}
+ {% else %}
+ # borg: {{ client }}, state={{state}}
+ {% endif %}
+ {% endfor %}
+# "
+# restrict,command="{{ borg_rsyncnet___borg_remote_path }} serve --append-only{% for r in config.repos %} --restrict-to-repository {{ borg_rsyncnet__home }}/repos{{ client }}/{{ r }}{% endfor %}" {{ key }} # borg: {{ client }}, state={{state}}
+
+# - debug: var=other_lines
+# - debug:
+# msg: "{{ authorized_keys }}"
+
+- name: Deploy authorized_keys
+ local_action:
+ module: shell
+ cmd: "{{ ssh }} dd of=.ssh/authorized_keys"
+ stdin: "{{ authorized_keys }}"