Home Explore Help
Sign In
fphammerle
/
ansible-role-borgbackup-sshd
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 29dd0515c2
Branches Tags
ansible-role-bo...
/
tasks
/
main.yml

main.yml 2.2 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263 
  1. - name: "create repository's root directory {{ borgbackup_sshd_repository_path }}"
    2. 

  2.   file:
    3. 

  3.     path: '{{ borgbackup_sshd_repository_path }}'
    4. 

  4.     state: directory
    5. 

  5.     mode: u=rwx,go=x
    6. 

  6.   register: _repo_dir
    7. 

  7. - docker_container:
    8. 

  8.     name: '{{ borgbackup_sshd_container_name }}'
    9. 

  9.     image: '{{ borgbackup_sshd_container_image }}'
    10. 

  10.     env:
    11. 

  11.       SSH_CLIENT_PUBLIC_KEYS: "{{ borgbackup_sshd_client_public_keys }}"
    12. 

  12.       SSH_CLIENT_PUBLIC_KEYS_APPEND_ONLY: "{{ borgbackup_sshd_client_public_keys_append_only }}"
    13. 

  13.     read_only: yes
    14. 

  14.     mounts:
    15. 

  15.     - type: volume
    16. 

  16.       source: '{{ borgbackup_sshd_container_name }}_host_keys'
    17. 

  17.       target: /etc/ssh/host_keys
    18. 

  18.       read_only: no
    19. 

  19.     - type: bind
    20. 

  20.       source: '{{ _repo_dir.path }}'
    21. 

  21.       target: /repository
    22. 

  22.       read_only: no
    23. 

  23.     - type: tmpfs
    24. 

  24.       target: /home/borg/.ssh # authorized_keys
    25. 

  25.       tmpfs_size: 16k
    26. 

  26.       tmpfs_mode: '1777'
    27. 

  27.     - type: tmpfs
    28. 

  28.       # > FileNotFoundError: [Errno 2] No usable temporary directory found [...]
    29. 

  29.       target: /tmp
    30. 

  30.       tmpfs_size: 1M
    31. 

  31.       tmpfs_mode: '1777'
    32. 

  32.     published_ports: ['0.0.0.0:{{ borgbackup_sshd_published_port }}:2200']
    33. 

  33.     cap_drop: [ALL]
    34. 

  34.     security_opts: [no-new-privileges]
    35. 

  35.     cpu_quota: 8000
    36. 

  36.     cpu_period: 10000
    37. 

  37.     # 64MiB was insufficient for two parallel operations, e.g. `borg create` & `borg list`
    38. 

  38.     memory: 128M
    39. 

  39.     restart_policy: unless-stopped
    40. 

  40.     state: started
    41. 

  41.   register:  _container
    42. 

  42. - name: determine offset of user namespace remapping
    43. 

  43.   stat:
    44. 

  44.     path: '{{ _container.container.ResolvConfPath }}'
    45. 

  45.   register: _container_resolvconf
    46. 

  46. - name: adapt ownership of repository's root directory
    47. 

  47.   file:
    48. 

  48.     path: '{{ _repo_dir.path }}'
    49. 

  49.     owner: '{{ _container_resolvconf.stat.uid + 100 }}'
    50. 

  50. - name: wait for host keys
    51. 

  51.   wait_for:
    52. 

  52.     path: "{{ (_container.container.Mounts | items2dict(key_name='Destination', value_name='Source'))['/etc/ssh/host_keys'] }}/{{ item }}.pub"
    53. 

  53.   loop: [rsa, ed25519]
    54. 

  54.   register: _host_keys_files
    55. 

  55. - name: read host keys
    56. 

  56.   slurp:
    57. 

  57.     src: '{{ item }}'
    58. 

  58.   loop: "{{ _host_keys_files.results | map(attribute='path') | list }}"
    59. 

  59.   register: _host_keys_base64
    60. 

  60. - name: decode host keys
    61. 

  61.   set_fact:
    62. 

  62.     borgbackup_sshd_host_keys: >-
    63. 

  63.       {{ _host_keys_base64.results | map(attribute='content') | map('b64decode') | map('trim') | list }}
    64.