Skip to content
Snippets Groups Projects
Verified Commit 62c78dfa authored by Evangelos Foutras's avatar Evangelos Foutras :smiley_cat:
Browse files

Use sub-accounts for backups to Hetzner Storage Box

This offers improved separation between the server backups and should
avoid bumping against the storage box 10 concurrent connection limit.

Fixes: #362
parent 29e7f1c8
No related branches found
No related tags found
1 merge request!434Use sub-accounts for backups to Hetzner Storage Box
Pipeline #9353 passed
......@@ -8,7 +8,7 @@ You'll have to get the correct username from the vault.
We use two different borg backup hosts: A primary one and an offsite one.
The URL format for the primary one is
ssh://<hetzner_storagebox_username>@u236610.your-storagebox.de:23/~/backup/<hostname>
ssh://<hetzner_storagebox_username>@u236610.your-storagebox.de:23/~/backup/<hostname>/repo
while for the offsite one it's
......@@ -22,7 +22,7 @@ placeholder with your desired full address to the backup repository. For instanc
becomes
misc/borg.sh ssh://<hetzner_storagebox_username>@u236610.your-storagebox.de:23/~/backup/homedir.archlinux.org::20191127-084357
misc/borg.sh ssh://<hetzner_storagebox_username>@u236610.your-storagebox.de:23/~/backup/homedir.archlinux.org/repo::20191127-084357
A convenience wrapper script is available at `misc/borg.sh` which makes sure you
use the correct keyfile for the given server.
......
$ANSIBLE_VAULT;1.1;AES256
30353736373466623531333732393935376435353939366632383839376531653761656631646638
3831333465373263336232653931643162656363653039320a383736393636613231386465663430
37313062303933653633626637623539363565316161666433656138393036343538623863386666
3039346264393066620a396231646534303262616162346261643639323838313635366332653861
39353239393134326130383766323832383361656431336335616138363865623865356538636139
63363234343962333166313038646633613534653963613961656336646464393338373635663832
62396633363932663931633532363732653766356136393137363366376134363135663864313935
63323635666431353165396235633066313334316161396163646633366536366361643331386461
6535
37316639623364363536666561383935376436663233323431626639316438646631643165663734
6431386565316161653535656137393634656333633863330a353364633135376461343137663938
34343133336337656237373961303530393765383338613937313332313433363838383064363061
3061376164316662350a313534656536303164626464353030356339353237313834336632393039
65333832336635633730326230323934383733653533346135656431356534303765383365323538
66323437313839653733323063343436386130343139343761363037646437653263333066316665
63373335656238336136323961356133353833313737303538313936663366303435306134326138
30396366336130386263356264336361343231313763326239643562666662346634616639663165
33653962323336613537616363323931366235373930326436643863376463656165303433643635
3632343163323137633630373561333731616334306135616234
$ANSIBLE_VAULT;1.1;AES256
39623835306534616661653830393863636639343938313031316132376662316530366330623162
3936383035626238336439363638633634623036343238300a366332303632323235303038343534
34643833623730346430623961396464353235393465313264313465653864316131636665373864
6565333732636366330a326664316638353065643838633865333036616331313637303736303865
39316434636563653237376131636266333834626331356331613039366664373561353631666336
63643439383163636239396232626131393431303637623236613433313533666562623339653239
61336566613136383537623863316533343465343237636563313633653136373734376561373164
30386533346162333662393337633133666138356139343331313662383038633561313265613534
38343833313534303839316264633436313831633631666539663062396363333334
---
backup_hosts:
- host: "ssh://{{ hetzner_storagebox_username }}@u236610.your-storagebox.de:23"
dir: "~/backup/{{ inventory_hostname }}"
- host: "ssh://u236610.your-storagebox.de:23"
dir: "~/repo"
suffix: ""
- host: "ssh://{{ rsync_net_username }}@prio.ch-s012.rsync.net:22"
dir: "~/backup/{{ inventory_hostname }}"
......
......@@ -9,8 +9,17 @@
(?i)password: "{{ hetzner_storagebox_password }}"
delegate_to: localhost
- name: create a home directory for each sub-account
expect:
command: bash -c "echo 'mkdir {{ backup_dir }}/{{ item }}' | sftp -P 23 {{ hetzner_storagebox_username }}@{{ inventory_hostname }}"
responses:
(?i)password: "{{ hetzner_storagebox_password }}"
delegate_to: localhost
loop: "{{ backup_clients }}"
- name: fetch ssh keys from each borg client machine
command: cat /root/.ssh/id_rsa.pub
check_mode: false
register: client_ssh_keys
delegate_to: "{{ item }}"
with_items: "{{ backup_clients }}"
......@@ -19,16 +28,81 @@
- name: create tempfile
tempfile: state=file
check_mode: false
register: tempfile
delegate_to: localhost
- name: fill tempfile
copy: content="{{ lookup('template', 'authorized_keys.j2') }}" dest="{{ tempfile.path }}" mode=preserve
delegate_to: localhost
no_log: true
- name: upload authorized_keys file
- name: upload authorized_keys for Arch DevOps
expect:
command: bash -c "echo -e 'mkdir .ssh \n chmod 700 .ssh \n put {{ tempfile.path }} .ssh/authorized_keys \n chmod 600 .ssh/authorized_keys' | sftp -P 23 {{ hetzner_storagebox_username }}@{{ inventory_hostname }}"
responses:
(?i)password: "{{ hetzner_storagebox_password }}"
delegate_to: localhost
- name: upload authorized_keys for each backup client
include_tasks: upload_client_authorized_keys.yml
loop: "{{ client_ssh_keys.results }}"
loop_control:
label: "{{ item.item }}"
- name: retrieve sub-account information
uri:
url: https://robot-ws.your-server.de/storagebox/{{ hetzner_storagebox_id }}/subaccount
user: "{{ hetzner_webservice_username }}"
password: "{{ hetzner_webservice_password }}"
delegate_to: localhost
check_mode: false
register: subaccounts_raw
no_log: true
- name: get list of sub-accounts
set_fact:
subaccounts: "{{ subaccounts_raw.json | json_query('[].subaccount') }}"
- name: create missing sub-accounts
uri:
timeout: 60
url: https://robot-ws.your-server.de/storagebox/{{ hetzner_storagebox_id }}/subaccount
user: "{{ hetzner_webservice_username }}"
password: "{{ hetzner_webservice_password }}"
method: POST
body_format: form-urlencoded
body:
homedirectory: "{{ backup_dir }}/{{ item }}"
comment: "{{ item }}"
ssh: "true"
delegate_to: localhost
loop: "{{ backup_clients | difference(subaccounts | json_query('[].comment')) }}"
register: new_subaccounts_raw
no_log: true
- name: update list of sub-accounts
set_fact:
subaccounts: "{{ subaccounts + [item.json.subaccount | combine({'comment': item.invocation.module_args.body.comment})] }}"
loop: "{{ new_subaccounts_raw.results }}"
loop_control:
label: "{{ item.invocation.module_args.body.comment }}"
- name: match usernames to backup clients
set_fact:
backup_client_usernames: "{{ backup_client_usernames|default({}) | combine({item.comment: item.username}) }}"
loop: "{{ subaccounts }}"
loop_control:
label: "{{ {item.comment: item.username} }}"
- name: configure ssh on backup clients
blockinfile:
path: /root/.ssh/config
create: true
mode: 0600
block: |
Host {{ inventory_hostname }}
User {{ backup_client_usernames[item] }}
marker: '# {mark} HETZNER STORAGE BOX BACKUP CLIENT CONFIG'
delegate_to: "{{ item }}"
loop: "{{ backup_clients }}"
---
- name: fill tempfile
copy: content="{{ lookup('template', 'authorized_keys_client.j2') }}" dest="{{ tempfile.path }}" mode=preserve
delegate_to: localhost
no_log: true
- name: upload authorized_keys file to {{ backup_dir }}/{{ item.item }}
expect:
command: bash -c "echo -e 'mkdir {{ backup_dir }}/{{ item.item }}/.ssh \n chmod 700 {{ backup_dir }}/{{ item.item }}/.ssh \n put {{ tempfile.path }} {{ backup_dir }}/{{ item.item }}/.ssh/authorized_keys \n chmod 600 {{ backup_dir }}/{{ item.item }}/.ssh/authorized_keys' | sftp -P 23 {{ hetzner_storagebox_username }}@{{ inventory_hostname }}"
responses:
(?i)password: "{{ hetzner_storagebox_password }}"
delegate_to: localhost
......@@ -10,8 +10,3 @@
{% endif %}
{% endif %}
{% endfor %}
# Client machines keys
{% for client_key in client_ssh_keys.results %}
command="borg serve --restrict-to-path {{ backup_dir }}/{{ client_key['item'] }}",restrict {{ client_key['stdout'] }}
{% endfor %}
restrict {{ item['stdout'] }}
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment