From 3561a38398e9efeb25ce214db11cc1acc933fdf8 Mon Sep 17 00:00:00 2001
From: Evangelos Foutras <evangelos@foutrelis.com>
Date: Mon, 28 Jun 2021 20:46:54 +0300
Subject: [PATCH] Use restrict key option and relative borg command
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

No functional change; the "restrict" key option is a shorthand for:

- no-agent-forwarding
- no-port-forwarding
- no-X11-forwarding
- no-pty
- no-user-rc

It was added in OpenSSH 7.2 (2016-02-29) as a convenient way to specify
an authorized key should have "all current and future key restrictions"
applied to it.

Also switch to a relative borg command since its location is not really
standardized; on rsync.net it appears to be located under usr/local/bin
(though /usr/bin/borg works too, even if it doesn't exist!) and Hetzner
just forces its own command, ignoring ours. 🐱

The Borg documentation seems to agree with both the above alterations:

[1] https://borgbackup.readthedocs.io/en/stable/usage/serve.html
---
 roles/borg_server/tasks/main.yml                      | 2 +-
 roles/hetzner_storagebox/templates/authorized_keys.j2 | 2 +-
 roles/rsync_net/templates/authorized_keys.j2          | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/roles/borg_server/tasks/main.yml b/roles/borg_server/tasks/main.yml
index 739e77c82..40d6bc71c 100644
--- a/roles/borg_server/tasks/main.yml
+++ b/roles/borg_server/tasks/main.yml
@@ -37,5 +37,5 @@
     user: borg
     key: "{{ item.stdout }}"
     manage_dir: true
-    key_options: "command=\"/usr/bin/borg serve --restrict-to-path {{ backup_dir }}/{{ item['item'] }}\",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-user-rc"
+    key_options: "command=\"borg serve --restrict-to-path {{ backup_dir }}/{{ item['item'] }}\",restrict"
   with_items: "{{ ssh_keys.results }}"
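Review bot: On the new `key_options` line the forced command is the bare name `borg`, so which binary runs now depends on the PATH that sshd and the borg account's login shell provide rather than on a fixed location. The commit message motivates the relative name with rsync.net and Hetzner, where the install path is outside this repository's control; this role appears to manage the server itself, so the path could stay pinned here by keeping `/usr/bin/borg` in the command string alongside `restrict`. If the relative form is kept, a comment above `key_options` such as `# borg is resolved via PATH; the borg user's shell startup files and ~/.ssh/environment must not be writable by backup clients` would record the assumption. The task this line belongs to starts above the hunk.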
diff --git a/roles/hetzner_storagebox/templates/authorized_keys.j2 b/roles/hetzner_storagebox/templates/authorized_keys.j2
index d742cd4cf..038383da6 100644
--- a/roles/hetzner_storagebox/templates/authorized_keys.j2
+++ b/roles/hetzner_storagebox/templates/authorized_keys.j2
@@ -13,5 +13,5 @@
 
 # Client machines keys
 {% for client_key in client_ssh_keys.results %}
-command="/usr/bin/borg serve --restrict-to-path {{ backup_dir }}/{{ client_key['item'] }}",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-user-rc {{ client_key['stdout'] }}
+command="borg serve --restrict-to-path {{ backup_dir }}/{{ client_key['item'] }}",restrict {{ client_key['stdout'] }}
 {% endfor %}
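Review bot: The `restrict` option on the client-key line needs OpenSSH 7.2 or newer on the storage host, and that version is not under this repository's control for Hetzner or for rsync.net (the identical line is added in roles/rsync_net/templates/authorized_keys.j2). As far as I know an older sshd refuses a key line that carries an option it does not recognise, which fails closed but would stop backups until someone notices. A template comment such as `{# restrict requires OpenSSH >= 7.2 on the remote host; verify a client login after deploying #}` would document that dependency. Separately, `{{ client_key['item'] }}` is interpolated unescaped inside the double-quoted command string, so a value containing a space or `"` would change how the option is parsed; presumably these are inventory hostnames, but that is worth validating where `client_ssh_keys` is built.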
diff --git a/roles/rsync_net/templates/authorized_keys.j2 b/roles/rsync_net/templates/authorized_keys.j2
index d742cd4cf..038383da6 100644
--- a/roles/rsync_net/templates/authorized_keys.j2
+++ b/roles/rsync_net/templates/authorized_keys.j2
@@ -13,5 +13,5 @@
 
 # Client machines keys
 {% for client_key in client_ssh_keys.results %}
-command="/usr/bin/borg serve --restrict-to-path {{ backup_dir }}/{{ client_key['item'] }}",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-user-rc {{ client_key['stdout'] }}
+command="borg serve --restrict-to-path {{ backup_dir }}/{{ client_key['item'] }}",restrict {{ client_key['stdout'] }}
 {% endfor %}
-- 
GitLab