
create & set permissions/ownership of repository root folder; create & start docker container running docker.io/fphammerle/borgbackup-sshd:0.1.0-borgbackup1.1.15r0-openssh8.4p1r3-arm64; fetch ssh host keys

Fabian Peter Hammerle 3 年 前
コミット
29dd0515c2
3 ファイル変更99 行追加0 行削除
  1. 29 0
      README.md
  2. 7 0
      defaults/main.yml
  3. 63 0
      tasks/main.yml

+ 29 - 0
README.md

@@ -0,0 +1,29 @@
+# Ansible Role: borgbackup-sshd 💾 🐳
+
+Single-user [OpenSSH server](https://www.openssh.com/) restricted to [BorgBackup](https://www.borgbackup.org/) backend
+
+## Required Variables
+
+```yaml
+borgbackup_sshd_container_name: borgbackup_sshd
+borgbackup_sshd_published_port: 2200
+borgbackup_sshd_repository_path: /var/backups/borgbackup/
+```
+
+## Optional Variables
+
+```yaml
+borgbackup_sshd_container_image: fphammerle/borgbackup-sshd@sha256:2ac782a8e35742a0f90ea71423567df92d0772ebc04845fdc5d141987d8fe078
+borgbackup_sshd_client_public_keys: |-
+    ssh-rsa ...
+    ssh-rsa ...
+borgbackup_sshd_client_public_keys_append_only: |-
+    ssh-rsa ...
+    ssh-rsa ...
+```
+
+## Returned Variables
+
+```yaml
+borgbackup_sshd_host_keys
+```

+ 7 - 0
defaults/main.yml

@@ -0,0 +1,7 @@
+# https://github.com/fphammerle/docker-borgbackup-sshd/tags
+# object a890c27fad132f3e1f91e3df2a880754a9c1f8f7
+# tag docker/0.1.0-borgbackup1.1.15r0-openssh8.4p1r3-arm64
+borgbackup_sshd_container_image: fphammerle/borgbackup-sshd@sha256:2ac782a8e35742a0f90ea71423567df92d0772ebc04845fdc5d141987d8fe078
+
+borgbackup_sshd_client_public_keys: ''
+borgbackup_sshd_client_public_keys_append_only: ''

+ 63 - 0
tasks/main.yml

@@ -0,0 +1,63 @@
+- name: "create repository's root directory {{ borgbackup_sshd_repository_path }}"
+  file:
+    path: '{{ borgbackup_sshd_repository_path }}'
+    state: directory
+    mode: u=rwx,go=x
+  register: _repo_dir
+- docker_container:
+    name: '{{ borgbackup_sshd_container_name }}'
+    image: '{{ borgbackup_sshd_container_image }}'
+    env:
+      SSH_CLIENT_PUBLIC_KEYS: "{{ borgbackup_sshd_client_public_keys }}"
+      SSH_CLIENT_PUBLIC_KEYS_APPEND_ONLY: "{{ borgbackup_sshd_client_public_keys_append_only }}"
+    read_only: yes
+    mounts:
+    - type: volume
+      source: '{{ borgbackup_sshd_container_name }}_host_keys'
+      target: /etc/ssh/host_keys
+      read_only: no
+    - type: bind
+      source: '{{ _repo_dir.path }}'
+      target: /repository
+      read_only: no
+    - type: tmpfs
+      target: /home/borg/.ssh # authorized_keys
+      tmpfs_size: 16k
+      tmpfs_mode: '1777'
+    - type: tmpfs
+      # > FileNotFoundError: [Errno 2] No usable temporary directory found [...]
+      target: /tmp
+      tmpfs_size: 1M
+      tmpfs_mode: '1777'
+    published_ports: ['0.0.0.0:{{ borgbackup_sshd_published_port }}:2200']
+    cap_drop: [ALL]
+    security_opts: [no-new-privileges]
+    cpu_quota: 8000
+    cpu_period: 10000
+    # 64MiB was insufficient for two parallel operations, e.g. `borg create` & `borg list`
+    memory: 128M
+    restart_policy: unless-stopped
+    state: started
+  register:  _container
+- name: determine offset of user namespace remapping
+  stat:
+    path: '{{ _container.container.ResolvConfPath }}'
+  register: _container_resolvconf
+- name: adapt ownership of repository's root directory
+  file:
+    path: '{{ _repo_dir.path }}'
+    owner: '{{ _container_resolvconf.stat.uid + 100 }}'
+- name: wait for host keys
+  wait_for:
+    path: "{{ (_container.container.Mounts | items2dict(key_name='Destination', value_name='Source'))['/etc/ssh/host_keys'] }}/{{ item }}.pub"
+  loop: [rsa, ed25519]
+  register: _host_keys_files
+- name: read host keys
+  slurp:
+    src: '{{ item }}'
+  loop: "{{ _host_keys_files.results | map(attribute='path') | list }}"
+  register: _host_keys_base64
+- name: decode host keys
+  set_fact:
+    borgbackup_sshd_host_keys: >-
+      {{ _host_keys_base64.results | map(attribute='content') | map('b64decode') | map('trim') | list }}
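Review bot: The `+ 100` in `owner: '{{ _container_resolvconf.stat.uid + 100 }}'` (the "adapt ownership" task) is an undocumented magic offset; the preceding task's name explains that the uid of ResolvConfPath is used to find the user-namespace remapping base, but nothing says what 100 stands for. Add a comment above the `owner:` line such as `# stat uid of resolv.conf = host uid of the remapped container root; 100 is presumably the uid of the in-container borg user — confirm against the image`. The same file writes `read_only: yes` / `read_only: no` on the container and mount entries; Ansible accepts them, but `true` / `false` avoid the YAML 1.1 truthy ambiguity that yamllint flags, and `register:  _container` carries a stray double space. The tmpfs for `/home/borg/.ssh` is mounted with `tmpfs_mode: '1777'` (world-writable with sticky bit); if the image runs sshd with StrictModes enabled it will refuse an `authorized_keys` file under a world-writable directory, so a one-line comment stating why this mode is required (or confirming the image disables StrictModes) would help the next reader.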