Backups: Move to backup host

2023-12-25 17:45:59 +01:00
parent e6aece0237
commit 75c04207b6
9 changed files with 574 additions and 695 deletions
--- a/ansible/plays/common.yaml
+++ b/ansible/plays/common.yaml
@ -88,34 +88,56 @@
  hosts: backup
  become: true
  become_user: root
+  vars:
+    repo_path: "/var/home/backup/storagebox/{{ inventory_hostname }}"
+    password: "{{ backup.password }}"
+    pushkey: "{{ backup.pushkey }}"
  tasks:
    - name: Install backup script
+      vars:
+        repo: "ssh://{{ common.backup.user }}@{{ common.backup.url }}{{ repo_path }}"
      ansible.builtin.template:
        src: backup.sh.j2
        dest: /root/backup.sh
        mode: '0700'
        owner: root
-    - ansible.builtin.file:
+    - name: Generate SSH directory
+      ansible.builtin.file:
        path: /root/.ssh
        owner: root
        state: directory
        mode: '0700'
-    - name: Install SSH Keys
-      ansible.builtin.template:
-        src: storagebox.j2
-        dest: /root/.ssh/storagebox
-        mode: '0600'
+    - name: Generate SSH Key
+      community.crypto.openssh_keypair:
+        path: /root/.ssh/borgbackup
+        type: ed25519
        owner: root
+        mode: '0600'
+      register: keypair
+    - name: Register SSH Key with backup server
+      become: true
+      become_user: root
+      delegate_to: backup.unruhig.eu
+      ansible.builtin.lineinfile:
+        path: /etc/ssh/authorized_keys/backup
+        state: present
+        search_string: "{{ keypair.public_key }}"
+        line: 'command="borg serve --restrict-to-repository {{ repo_path }}",restrict {{ keypair.public_key }}'
    - name: Add Known Hosts entries
      ansible.builtin.known_hosts:
        path: "/root/.ssh/known_hosts"
-        name: "{{ backup.known_hosts.name }}"
-        key: "{{ backup.known_hosts.key }}"
+        name: "backup.unruhig.eu"
+        key: "{{ item }}"
+      loop: "{{ hostvars['backup.unruhig.eu']['known_hosts'] }}"
 - name: Restore from Backup
  hosts: backup
  become: true
  become_user: root
  gather_facts: true
+  vars:
+    repo_path: "/var/home/backup/storagebox/{{ inventory_hostname }}"
+    password: "{{ backup.password }}"
+    pushkey: "{{ backup.pushkey }}"
  tasks:
    - name: Check if restore is needed
      ansible.builtin.stat:
@ -123,28 +145,20 @@
      register: setup_complete
    - block:
        - name: Install restore script
+          vars:
+            repo: "ssh://{{ common.backup.user }}@{{ common.backup.url }}{{ repo_path }}"
          ansible.builtin.template:
            src: restore.sh.j2
            dest: /root/restore.sh
            mode: '0700'
            owner: root
-        - name: Setup ssh directory
-          ansible.builtin.file:
-            path: /root/.ssh
-            owner: root
-            state: directory
-            mode: '0700'
-        - name: Install SSH Keys
-          ansible.builtin.template:
-            src: storagebox.j2
-            dest: /root/.ssh/storagebox
-            mode: '0600'
-            owner: root
-        - name: Add Known Hosts entries
-          ansible.builtin.known_hosts:
-            path: "/root/.ssh/known_hosts"
-            name: "{{ backup.known_hosts.name }}"
-            key: "{{ backup.known_hosts.key }}"
+        - name: Stop and mask backup service
+          become: true
+          become_user: root
+          ansible.builtin.systemd:
+            name: "borgbackup.service"
+            state: stopped
+            masked: true
        - name: Restore from Borg
          become: true
          become_user: root
@ -162,6 +176,13 @@
            owner: root
            group: root
            mode: 0600
+        - name: Unmask backup service
+          become: true
+          become_user: root
+          ansible.builtin.systemd:
+            name: "borgbackup.service"
+            state: stopped
+            masked: false
      when: not setup_complete.stat.exists
 - name: Setup Registry credentials
  hosts: all
--- a/ansible/plays/templates/backup.sh.j2
+++ b/ansible/plays/templates/backup.sh.j2
@ -1,11 +1,11 @@
 #!/bin/sh
 # Setting this, so the repo does not need to be given on the commandline:
-PUSH_KEY={{ backup.pushkey }}
+PUSH_KEY={{ pushkey }}

 # See the section "Passphrase notes" for more infos.
-export BORG_PASSPHRASE='{{ backup.password }}'
-export BORG_REPO=ssh://{{ backup.remote.user }}@{{ backup.remote.url }}
-export BORG_RSH='ssh -i /root/.ssh/storagebox'
+export BORG_PASSPHRASE='{{ password }}'
+export BORG_REPO='{{ repo }}'
+export BORG_RSH='ssh -i /root/.ssh/borgbackup'

 # some helpers and error handling:
 info() { printf "\n%s %s\n\n" "$( date )" "$*" >&2; }
--- a/ansible/plays/templates/restore.sh.j2
+++ b/ansible/plays/templates/restore.sh.j2
@ -3,9 +3,9 @@

 # Setting this, so the repo does not need to be given on the commandline:
 # See the section "Passphrase notes" for more infos.
-export BORG_PASSPHRASE='{{ backup.password }}'
-export BORG_REPO=ssh://{{ backup.remote.user }}@{{ backup.remote.url }}
-export BORG_RSH='ssh -i /root/.ssh/storagebox'
+export BORG_PASSPHRASE='{{ password }}'
+export BORG_REPO='{{ repo }}'
+export BORG_RSH='ssh -i /root/.ssh/borgbackup'

 {% if provision.from_backup.name is defined %}
 RESTORE_FROM={{ provision.from_backup.name }}