From 6fbf9f40f88f51450cc2d2dbbc46ca5c70ffbad0 Mon Sep 17 00:00:00 2001
From: Trygve Laugstøl
Date: Thu, 17 Nov 2022 09:48:45 +0100
Subject: borg

---
 ansible/borg/README.md | 4 ++
 ansible/borg/borg-clients.yml | 19 ++++---
 ansible/borg/borg-rsyncnet.yml | 26 ++++++++++
 ansible/borg/borg-target.yml | 3 +-
 ansible/borg/group_vars/all.yml | 44 ++++++++--------
 ansible/inventory | 3 ++
 ansible/roles/borg-client/tasks/main.yml | 11 +++-
 ansible/roles/borg-job/tasks/main.yml | 7 ++-
 ansible/roles/borg-rsyncnet/defaults/main.yml | 5 ++
 ansible/roles/borg-rsyncnet/tasks/borg-init.yml | 67 +++++++++++++++++++++++++
 ansible/roles/borg-rsyncnet/tasks/main.yml | 55 ++++++++++++++++++++
 11 files changed, 213 insertions(+), 31 deletions(-)
 create mode 100644 ansible/borg/README.md
 create mode 100644 ansible/borg/borg-rsyncnet.yml
 create mode 100644 ansible/roles/borg-rsyncnet/defaults/main.yml
 create mode 100644 ansible/roles/borg-rsyncnet/tasks/borg-init.yml
 create mode 100644 ansible/roles/borg-rsyncnet/tasks/main.yml

diff --git a/ansible/borg/README.md b/ansible/borg/README.md
new file mode 100644
index 0000000..4a3ecd0
--- /dev/null
+++ b/ansible/borg/README.md
@@ -0,0 +1,4 @@
+# Generating a new key pair:
+
+ host=akili
+ ssh-keygen -t ed25519 -N "" -f borg/files/borg/$host/ssh-key
diff --git a/ansible/borg/borg-clients.yml b/ansible/borg/borg-clients.yml
index a155bb7..ad8b1e5 100644
--- a/ansible/borg/borg-clients.yml
+++ b/ansible/borg/borg-clients.yml
@@ -1,25 +1,30 @@
 - hosts:
- - conflatorio
- - birgitte
+ - akili
 - arius
+ - birgitte
+ - conflatorio
 roles:
 - role: borg-client
- tags: borg-client,never
+ tags: borg-client
 become: yes
+ vars:
+ borg_client__target: zh2569.rsync.net
 
 - hosts:
- - conflatorio
- - birgitte
+ - akili
 - arius
+ - birgitte
+ - conflatorio
 roles:
 - role: borg-job
 tags: borg-job
 become: yes
 vars:
- borg_job__target: malabaricus.vpn.trygvis.io
- borg_job__username: borg
+ borg_job__target: zh2569.rsync.net
+ borg_job__username: zh2569
 borg_job__name: home
 borg_job__on_calendar: daily
+ borg_job__borg_remote_path: /usr/local/bin/borg1/borg1
 borg_job__settings:
 patterns: |
 P sh
diff --git a/ansible/borg/borg-rsyncnet.yml b/ansible/borg/borg-rsyncnet.yml
new file mode 100644
index 0000000..b365e5e
--- /dev/null
+++ b/ansible/borg/borg-rsyncnet.yml
@@ -0,0 +1,26 @@
+- hosts:
+ - zh2569.rsync.net
+ gather_facts: no
+ roles:
+ - role: borg-rsyncnet
+ vars:
+ borg_rsyncnet___borg_remote_path: /usr/local/bin/borg1/borg1
+ borg_rsyncnet__clients:
+ conflatorio:
+ state: present
+ repos:
+ home:
+ db:
+ foo:
+ state: absent
+ repos:
+ home:
+ db:
+ birgitte:
+ state: present
+ repos:
+ home:
+# arius:
+# state: present
+# repos:
+# home:
diff --git a/ansible/borg/borg-target.yml b/ansible/borg/borg-target.yml
index ac3c5a9..d359446 100644
--- a/ansible/borg/borg-target.yml
+++ b/ansible/borg/borg-target.yml
@@ -1,5 +1,6 @@
 - hosts:
- - malabaricus
+# Not used anymore
+# - malabaricus
 roles:
 - role: borg-target
 tags: borg-target
diff --git a/ansible/borg/group_vars/all.yml b/ansible/borg/group_vars/all.yml
index e95de0e..ba95af6 100644
--- a/ansible/borg/group_vars/all.yml
+++ b/ansible/borg/group_vars/all.yml
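Review bot: `borg_rsyncnet___borg_remote_path` in the new borg-rsyncnet.yml play uses a triple underscore while every other variable of the role (`borg_rsyncnet__clients`, `borg_rsyncnet__home`) uses two, and the role's `defaults/main.yml` added in this commit declares no default for it, so a play that omits it only fails at the point where the template references it; rename it to `borg_rsyncnet__borg_remote_path` in both the play and the role and give it a default. The repo entries `home:` and `db:` are bare keys, which YAML loads as null values; that works while `repos` is only walked with `dict2items`, but `home: {}` makes the intent explicit and survives a future `repos[item.key]` access. The `foo` client with `state: absent` looks like a leftover example; confirm it is meant to stay in the production play.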
@@ -1,21 +1,25 @@ $ANSIBLE_VAULT;1.1;AES256 -39313266306464353731363233373264623362623139633634316166373635346331343030646533 -3037313262343961653434373030623635386135386632360a376133363832656466363738393730 -33386133666536383739646536393163323037313632653232343162313065613165666435623563 -3336383935663464340a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a303537653562353561316164626363 +32633765646266636234353663636632656161643938656535613861376331336665346238633262 +3436653537653331320a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diff --git a/ansible/inventory b/ansible/inventory index a903558..9078262 100644 --- a/ansible/inventory +++ b/ansible/inventory @@ -50,6 +50,9 @@ all: conflatorio-test5: ansible_host: "fd56:1ae9:097d:3ddd:5375:e67b:7878:310d" + zh2569.rsync.net: + ansible_user: zh2569 + children: workstation: children: diff --git a/ansible/roles/borg-client/tasks/main.yml b/ansible/roles/borg-client/tasks/main.yml index d5767cd..6e34850 100644 --- a/ansible/roles/borg-client/tasks/main.yml +++ b/ansible/roles/borg-client/tasks/main.yml @@ -1,4 +1,4 @@ -- tags: packages +- tags: packages,never apt: name: - borgbackup @@ -19,6 +19,15 @@ owner: root group: root +- command: ssh-keyscan zh2569.rsync.net + register: keyscan + when: borg_client__target is defined + +- copy: + dest: /etc/tergum/ssh_known_hosts + content: "{{ keyscan.stdout }}" + when: keyscan is defined + - name: "/etc/systemd/system/tergum@.service" copy: dest: "/etc/systemd/system/tergum@.service" diff --git a/ansible/roles/borg-job/tasks/main.yml b/ansible/roles/borg-job/tasks/main.yml index 10076d6..8e562bd 100644 --- a/ansible/roles/borg-job/tasks/main.yml +++ b/ansible/roles/borg-job/tasks/main.yml 
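Review bot: The new `ssh-keyscan zh2569.rsync.net` task in borg-client fetches the server's host key over the network on every run and writes it unverified into `/etc/tergum/ssh_known_hosts`, so the host-key check in the job's `BORG_RSH` only ever validates against whatever answered that scan; a network position between the client and the server at play time decides which key the backups trust. Pin the key instead: keep the rsync.net host key as a role file or variable and deploy it with the `known_hosts` module (or `copy`), and treat a changed key as something to investigate rather than silently overwrite. The scanned hostname is also hard-coded while the guard tests `borg_client__target`, so the task ignores the variable the play sets; use `command: ssh-keyscan {{ borg_client__target }}`. The following `copy` task's `when: keyscan is defined` is always true because `register` also stores a skipped result, in which case `keyscan.stdout` is undefined and the task errors; guard it with `when: borg_client__target is defined` (or `keyscan is not skipped`), and add `changed_when: false` to the scan so the play is not reported changed every run.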
@@ -14,9 +14,12 @@ copy: dest: "/etc/tergum/jobs/{{ borg_job__name }}/env" content: | - BORG_REPO={{ borg_job__username }}@{{ borg_job__target }}:{{ ansible_hostname }}/{{ borg_job__name }} - BORG_RSH=ssh -i /etc/tergum/ssh-key + BORG_REPO={{ borg_job__username }}@{{ borg_job__target }}:borg/{{ ansible_hostname }}/{{ borg_job__name }} + BORG_RSH=ssh -i /etc/tergum/ssh-key -o GlobalKnownHostsFile=/etc/tergum/ssh_known_hosts BORG_PASSPHRASE={{ borg__passphrases[ansible_hostname][borg_job__name] }} + {% if borg_job__borg_remote_path is defined %} + BORG_REMOTE_PATH={{ borg_job__borg_remote_path }} + {% endif %} # BORG_KEYS_DIR # BORG_SECURITY_DIR diff --git a/ansible/roles/borg-rsyncnet/defaults/main.yml b/ansible/roles/borg-rsyncnet/defaults/main.yml new file mode 100644 index 0000000..7c8ffd9 --- /dev/null +++ b/ansible/roles/borg-rsyncnet/defaults/main.yml @@ -0,0 +1,5 @@ +borg_rsyncnet__user: zh2569 +borg_rsyncnet__host: zh2569.rsync.net +borg_rsyncnet__home: borg + +borg_rsyncnet__repos: diff --git a/ansible/roles/borg-rsyncnet/tasks/borg-init.yml b/ansible/roles/borg-rsyncnet/tasks/borg-init.yml new file mode 100644 index 0000000..9b6980d --- /dev/null +++ b/ansible/roles/borg-rsyncnet/tasks/borg-init.yml 
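Review bot: `BORG_RSH` now points ssh at the pinned `/etc/tergum/ssh_known_hosts`, but root's own `~/.ssh/known_hosts` is still consulted and an unknown key is handled by `StrictHostKeyChecking`'s default rather than rejected outright; append `-o StrictHostKeyChecking=yes` (and `-o UserKnownHostsFile=/dev/null` if root's file should not count) so a key absent from the pinned file fails the job: `BORG_RSH=ssh -i /etc/tergum/ssh-key -o GlobalKnownHostsFile=/etc/tergum/ssh_known_hosts -o StrictHostKeyChecking=yes`. The `env` file carries `BORG_PASSPHRASE`; the `copy` task's `mode` is outside this hunk, so confirm it is set to `"0600"` with root ownership rather than left to the umask. The `{% if %}` block inside the `content: |` scalar relies on Ansible's Jinja `trim_blocks` setting to avoid leaving empty lines in the env file; a one-line comment above the task noting that would save the next reader a check. The task that owns this `copy:` starts above the hunk.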
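Review bot: `borg_rsyncnet__repos:` in the new defaults/main.yml is a bare key, which YAML loads as null, and none of the tasks added in this commit read it; they iterate `borg_rsyncnet__clients`, which has no default here, so a play that omits that variable fails inside `dict2items` on an undefined value. Replace it with `borg_rsyncnet__clients: {}` (dropping `borg_rsyncnet__repos` if it really is unused) and add a default for the remote-path variable the borg-rsyncnet.yml play sets.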
@@ -0,0 +1,67 @@
+# - debug: var=client.value
+
+- with_items: "{{ client.value.repos }}"
+ assert:
+ that:
+ - "item in borg__passphrases[client.key]"
+ fail_msg: "{{ item }} is missing from borg-secrets.yml"
+ success_msg: ""
+
+- set_fact:
+ ssh_key: "{{ client.value.ssh_key_path if client.value.ssh_key_path is defined else default_file_path }}"
+ vars:
+ default_file_path: "files/borg/{{ client.key }}/ssh-key"
+# - debug: var=ssh_key
+
+- name: mkdir client dir
+ loop: "{{ client.value.repos | dict2items }}"
+ local_action: command ssh {{ ansible_user }}@{{ inventory_hostname }} mkdir -p "{{ borg_rsyncnet__home }}/{{ client.key }}"
+
+- name: ls client dir
+ local_action: command {{ ssh }} mkdir -p "{{ borg_rsyncnet__home }}/{{ client.key }}"; ls "{{ borg_rsyncnet__home }}/{{ client.key }}"
+ register: dirs
+ changed_when: False
+# - debug: var=dirs
+
+# This doesn't work as the ssh command doesn't allow sending
+# environment variables and borg the passphrase to be sent via env
+# variables.
+# - name: borg init
+# loop: "{{ client.value.repos | dict2items }}"
+# loop_control:
+# label: "{{ item.key }}"
+# local_action: command {{ ssh }} /usr/local/bin/borg1/borg1 init --encryption repokey "{{ path }}"
+# environment:
+# BORG_PASSPHRASE: "{{ borg__passphrases[client.key][item.key] }}"
+# when: item.key not in dirs.stdout_lines
+# vars:
+# remote: "{{ ansible_user }}@{{ inventory_hostname }}"
+# path: "{{ borg_rsyncnet__home }}/{{ client.key }}/{{ item.key }}"
+
+- name: borg init
+ loop: "{{ client.value.repos | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ local_action: command borg init --encryption repokey "{{ remote }}:{{ path }}"
+ environment:
+ BORG_PASSPHRASE: "{{ borg__passphrases[client.key][item.key] }}"
+ when: item.key not in dirs.stdout_lines
+ vars:
+ remote: "{{ ansible_user }}@{{ inventory_hostname }}"
+ path: "{{ borg_rsyncnet__home }}/{{ client.key }}/{{ item.key }}"
+
+- local_action:
+ module: stat
+ path: "{{ ssh_key }}"
+ register: ssh_key_stat
+
+- local_action:
+ module: file
+ path: "{{ (playbook_dir + '/' + ssh_key) | dirname }}"
+ state: directory
+ become: no
+
+- name: Generating SSH key
+ local_action: command ssh-keygen -t ed25519 -N "" -f "{{ ssh_key }}" -C "borg@{{ client.key }}"
+ when: not ssh_key_stat.stat.exists
+ become: no
diff --git a/ansible/roles/borg-rsyncnet/tasks/main.yml b/ansible/roles/borg-rsyncnet/tasks/main.yml
new file mode 100644
index 0000000..289ed53
--- /dev/null
+++ b/ansible/roles/borg-rsyncnet/tasks/main.yml
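Review bot: `ssh_key` defaults to the relative path `files/borg/<client>/ssh-key`, yet the `stat` and `ssh-keygen` tasks use it as-is (relative to the controller's working directory) while the `file` task prefixes `playbook_dir`; run from any directory other than the playbook's, `stat` reports the key missing and `ssh-keygen` writes a fresh key somewhere the server-side `main.yml` never reads. Resolve the path once, e.g. `default_file_path: "{{ playbook_dir }}/files/borg/{{ client.key }}/ssh-key"`, and use that value in all three tasks. The generated private key is written unencrypted (`-N ""`) into the playbook tree beside the `.pub` that `main.yml` publishes; make sure the private half is excluded from version control or vault-encrypted, since it is the credential that can write to the backup account. The `mkdir client dir` task loops over `repos` but its command never uses `item`, so it repeats the same `mkdir -p` once per repo and the loop can be dropped. The `assert` task hands the `repos` mapping straight to `with_items` whereas the other tasks go through `dict2items`; use the same form so the loop yields repo names consistently.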
@@ -0,0 +1,55 @@
+- set_fact:
+ ssh: ssh -o SendEnv=BORG_PASSPHRASE {{ ansible_user }}@{{ inventory_hostname }}
+
+- name: get the authorized_keys from rsync.net
+ local_action: command {{ ssh }} cat .ssh/authorized_keys
+ register: authorized_keys
+ changed_when: false
+
+# - debug: var=authorized_keys.stdout
+
+- include_tasks: borg-init.yml
+ loop: "{{ borg_rsyncnet__clients | dict2items }}"
+ loop_control:
+ label: "{{ client.key }}"
+ loop_var: client
+ when: client.value.state | default("present") != "absent"
+
+- name: Remove all "borg:" lines from authorized keys
+ set_fact:
+ other_lines: |
+ {% for line in authorized_keys.stdout_lines %}
+ {% if line | regex_search('borg: ') is none %}
+ {{ line }}
+ {% endif %}
+ {% endfor %}
+
+# - debug: var=other_lines.stdout
+
+- name: Generate a new authorized_keys with other lines + generated list
+ set_fact:
+ authorized_keys: |
+ {% for line in other_lines | split("\n") -%}
+ {{ line.strip() }}
+ {% endfor %}
+ {% for client, config in borg_rsyncnet__clients.items() %}
+ {% set state=config.state | default('present') %}
+ {% if state == 'present' %}
+ {% set key=lookup('file', 'borg/' + client + '/ssh-key.pub') %}
+ {{ key }} # borg: {{ client }}, state={{state}}
+ {% else %}
+ # borg: {{ client }}, state={{state}}
+ {% endif %}
+ {% endfor %}
+# "
+# restrict,command="{{ borg_rsyncnet___borg_remote_path }} serve --append-only{% for r in config.repos %} --restrict-to-repository {{ borg_rsyncnet__home }}/repos{{ client }}/{{ r }}{% endfor %}" {{ key }} # borg: {{ client }}, state={{state}}
+
+# - debug: var=other_lines
+# - debug:
+# msg: "{{ authorized_keys }}"
+
+- name: Deploy authorized_keys
+ local_action:
+ module: shell
+ cmd: "{{ ssh }} dd of=.ssh/authorized_keys"
+ stdin: "{{ authorized_keys }}"
--
cgit v1.2.3
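Review bot: The authorized_keys entry rendered for each present client is the bare `{{ key }}`, so every client key becomes an unrestricted key on the `zh2569` account and a compromised client could alter or delete every other client's repositories; the commented-out `restrict,command="... serve --append-only ... --restrict-to-repository ..."` line shows the intended hardening and should be the active form, e.g. `restrict,command="{{ borg_rsyncnet___borg_remote_path }} serve --append-only{% for r in config.repos %} --restrict-to-repository {{ borg_rsyncnet__home }}/{{ client }}/{{ r }}{% endfor %}" {{ key }} # borg: {{ client }}, state={{state}}` (assuming the provider honours these options). Note the commented line's path `{{ borg_rsyncnet__home }}/repos{{ client }}` does not match the repositories `borg-init.yml` creates under `{{ borg_rsyncnet__home }}/{{ client.key }}/{{ item.key }}`; the form above uses the latter. The `ssh` fact still carries `-o SendEnv=BORG_PASSPHRASE`, which the comment in `borg-init.yml` says does not work and which is unused now that `borg init` runs locally; drop it. The final `dd of=.ssh/authorized_keys` overwrites the file non-atomically with whatever `authorized_keys` rendered, so an empty render locks out key-based access to the account; an `assert` that the rendered text contains at least one non-comment line before the deploy step is cheap insurance.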