Commit 39cd4cc6 authored by Jocelyn Delalande's avatar Jocelyn Delalande

Make backup script runnable by unprivilledged user

parent bad14264
......@@ -10,7 +10,14 @@
ssh_key_comment: "borg backup {{ borg_ynh_backup_user }}@{{ ansible_hostname }}"
- name: Create scripts directory
file: path={{ borg_ynh_backup_bin_path }} mode=0644 owner=root group=root state=directory
file: path={{ borg_ynh_backup_bin_path }} mode=0655 owner=root group=root state=directory
- name: Give rights on the log file
file:
path: "{{ borg_ynh_backup_log_path }}"
state: touch
owner: "{{ borg_ynh_backup_user }}"
group: "{{ borg_ynh_backup_user }}"
- name: Put scripts in place
template: src={{ item.src }} dest={{ item.dest }} mode=0755 owner=root group=root
......@@ -24,5 +31,11 @@
- src: borg-ynh-backup.j2
dest: "{{ borg_ynh_backup_backup_script }}"
- name: Setup sudoers
template:
src: sudoers.j2
dest: /etc/sudoers.d/50-borg-ynh-backup
validate: visudo -cf %s
- name: Setup cron task
template: src=borg-ynh-backup.j2 dest=/etc/cron.d/borg-ynh-backup mode=0744
\ No newline at end of file
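Review bot: The sudoers fragment written at `dest: /etc/sudoers.d/50-borg-ynh-backup` sets no `mode`, `owner` or `group`, so the file takes the template module's default permissions; sudo requires fragments to be root-owned and not writable by group or others (older releases reportedly insist on exactly 0440), so add `mode: "0440"`, `owner: root` and `group: root` beside the `validate` line. In the first hunk, `mode=0655` on the scripts directory looks like a typo for `0755` — it removes the owner's execute bit from a directory, which is unusual for a root-owned bin path. The log file task (`state: touch`) sets owner and group but no `mode`, so whether other local users can read backup output depends on the umask; `mode: "0640"` pins it, and `state: touch` also rewrites the timestamp on every run, so the play will never be idempotent there. Stylistically, the new tasks use block-form module arguments while the modified directory task and the cron task keep the `key=value` string form; converting those two to block form keeps the file consistent.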
#!/bin/sh
# This script is meant to be executed via sudo, as root.
# It must explicitly be authorized in a sudoers file
set -e
TMP_PATH={{ borg_ynh_backup_tmp_path }}
REPOSITORY={{ borg_ynh_backup_repository }}
......@@ -9,5 +10,11 @@ ARCHIVE="${REPOSITORY}::${ARCHIVE_NAME}"
export BORG_RSH="ssh -i {{ borg_ynh_backup_ssh_key }}"
export BORG_PASSPHRASE="notsosecret"
export BORG_KEYS_DIR="{{ borg_ynh_backup_home }}/.borg/keys"
export BORG_CACHE_DIR="{{ borg_ynh_backup_home }}/.borg/cache"
borg create -v --stats "${ARCHIVE}" ${TMP_PATH}
# Give back the backup cache to the dedicated user
chown -R {{ borg_ynh_backup_user }}:{{ borg_ynh_backup_user }} \
{{ borg_ynh_backup_home }}/.borg/cache
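Review bot: Running as root, this script now points `BORG_KEYS_DIR` and `BORG_CACHE_DIR` into `{{ borg_ynh_backup_home }}/.borg/`, a tree owned by the unprivileged backup user, and then runs `chown -R` over the cache as root; a privileged process creating, writing and recursively chowning paths that a less-privileged account can rearrange is a classic escalation hazard, so the cache and keys used by the root-level borg call should live in a root-owned location, or the repository operations should run as the backup user with only the data collection privileged. If the shared cache must stay, the recursive chown over a user-writable tree should at least be avoided in favour of chowning only the entries borg is known to have created. The hunk also shows a literal `export BORG_PASSPHRASE="notsosecret"` (apparently pre-existing) in a template that the tasks file installs with `mode=0755`, i.e. readable by every local user; the passphrase belongs in a root-only file or a vaulted variable, and a helper that only root executes via sudo can itself be installed `0700`. The header comment could state the contract, e.g. `# Runs as root via sudo; the archive and cache it writes must stay usable by {{ borg_ynh_backup_user }}, hence the chown below.`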
......@@ -13,6 +13,8 @@ BACKUP_DATE=`date +%Y-%m-%d`
ARCHIVE=${REPOSITORY}::$BACKUP_DATE
export BORG_RSH="ssh -i {{ borg_ynh_backup_ssh_key }}"
export BORG_PASSPHRASE="notsosecret"
export BORG_KEYS_DIR="{{ borg_ynh_backup_home }}/.borg/keys"
export BORG_CACHE_DIR="{{ borg_ynh_backup_home }}/.borg/cache"
YNH_BACKUP_CREATE={{ borg_ynh_backup_sudoed_create }}
BORG_BACKUP_PUSH={{ borg_ynh_backup_sudoed_push }}
......@@ -24,7 +26,7 @@ trap '[ "$?" -eq 0 ] || cleanup' EXIT
cleanup()
{
echo "Something bad happened during backup, check ${LOG_PATH}"
sudo $YNH_BACKUP_CLEANUP
sudo -n $YNH_BACKUP_CLEANUP
exit $1
}
......@@ -34,17 +36,17 @@ ts_log()
}
ts_log "Cleaning up."
sudo $YNH_BACKUP_CLEANUP
sudo -n $YNH_BACKUP_CLEANUP
ts_log "Performing yunohost backup."
sudo $YNH_BACKUP_CREATE $BACKUP_DATE >> ${LOG_PATH} 2>&1
sudo -n $YNH_BACKUP_CREATE $BACKUP_DATE >> ${LOG_PATH} 2>&1
ts_log "Initializing repository, if needed."
borg list ${REPOSITORY} >/dev/null 2>&1 || \
borg init --encryption=keyfile ${REPOSITORY} >> ${LOG_PATH} 2>&1
ts_log "Creating archive ${ARCHIVE}."
sudo $BORG_BACKUP_PUSH $BACKUP_DATE >> ${LOG_PATH} 2>&1
sudo -n $BORG_BACKUP_PUSH $BACKUP_DATE >> ${LOG_PATH} 2>&1
ts_log "Rotating old backups."
borg prune -v $REPOSITORY \
......@@ -54,5 +56,5 @@ borg prune -v $REPOSITORY \
>> ${LOG_PATH} 2>&1
ts_log "Cleaning up."
sudo $YNH_BACKUP_CLEANUP
sudo -n $YNH_BACKUP_CLEANUP
exit 0
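Review bot: `cleanup` is entered from the `EXIT` trap shown in the `@@ -24,7 +26,7 @@` header without an argument, so `exit $1` becomes a bare `exit`; which status that reports after the new `sudo -n $YNH_BACKUP_CLEANUP` line depends on the shell, and a successful cleanup can turn a failed backup into exit status 0, which cron and any monitoring read as success. Since the function is only reached on failure, make it explicit with `exit 1`. `-n` is the right switch for an unattended run, but the two `ts_log "Cleaning up."` calls and the trap path do not redirect the sudo output to `${LOG_PATH}` as the create and push calls do, so a refused `sudo -n` (for example a sudoers rule that no longer matches) would surface only in cron's mail; appending `>> ${LOG_PATH} 2>&1` there keeps all failure evidence in one place. The functions touched here start or end outside the visible hunks.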
{{ borg_ynh_backup_user }} {{ ansible_hostname }} = (root) NOPASSWD: {{ borg_ynh_backup_sudoed_create }}, {{ borg_ynh_backup_sudoed_push }}, {{ borg_ynh_backup_sudoed_cleanup }}
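Review bot: The rule grants the backup user three helper paths with `NOPASSWD` but nothing in the file records why, so a maintainer cannot tell that the helpers are root-owned, non-writable templates installed by the same role; add a header such as `# Non-interactive root access for the borg backup user, limited to the three helper scripts installed by this role; those scripts must remain root-owned and unwritable by that user.` Because sudoers matches on the command path only and the helpers accept a positional date argument from the main script, each helper must treat that argument as untrusted input and validate it itself rather than rely on the caller. Using `{{ ansible_hostname }}` in the host field is valid but silently stops matching if the machine is renamed; `ALL` is the conventional choice unless per-host policy is intended.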
#!/bin/sh
# This script is meant to be executed via sudo, as root.
# It must explicitly be authorized in a sudoers file
set -e
TMP_PATH={{ borg_ynh_backup_tmp_path }}
sudo umount ${TMP_PATH}/data/*/* >/dev/null 2>&1 || /bin/true
sudo umount ${TMP_PATH}/data/* >/dev/null 2>&1 || /bin/true
sudo rm -rf ${TMP_PATH}
umount ${TMP_PATH}/data/*/* >/dev/null 2>&1 || /bin/true
umount ${TMP_PATH}/data/* >/dev/null 2>&1 || /bin/true
rm -rf ${TMP_PATH}
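Review bot: The two `umount` lines deliberately swallow failure with `|| /bin/true`, yet the following `rm -rf ${TMP_PATH}` runs unconditionally and now directly as root; if any bind mount under `${TMP_PATH}/data` is still busy, the recursive delete descends into the live filesystem behind it. Keep the delete from crossing a mount boundary, e.g. `rm -rf --one-file-system "${TMP_PATH}"` (GNU coreutils, which the Debian-based target presumably has), or check that nothing below the path is still a mount point and abort before removing. Quoting the expansion and guarding against an empty templated value (`[ -n "${TMP_PATH}" ] || exit 1` ahead of the umounts) costs nothing and makes the `set -e` behaviour predictable. A comment above the removal stating the invariant, `# All bind mounts must be gone before this point; rm must never recurse into mounted data`, would document the intent for the next maintainer.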