Commit 7aeff42e authored by Jocelyn Delalande

borg-ynh-backup: Handle passphrase properly

parent b45d3414
......@@ -12,6 +12,10 @@ Backup Yunohost, via borg, to a remote repository over SSH.
- borg_ynh_backup_weekly: 4
- borg_ynh_backup_daily: 7
You can either :
- Choose your own passphrase and set it via `borg_ynh_backup_passphrase_path` var
- Let the playbook generate a strong one for you (be sure to back it up then)
Set up client & server
----------------------
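Review bot: the variable named in the new README line ("set it via `borg_ynh_backup_passphrase_path` var") is not the one the new passphrase.yml keys on: the tasks test `borg_ynh_backup_passphrase is undefined` and write `{{ borg_ynh_backup_passphrase }}` to the file at `borg_ynh_backup_passphrase_path`. A user who follows the README sets the path variable, still gets a generated passphrase, and may not notice. Suggest: `- Choose your own passphrase and set it via the `borg_ynh_backup_passphrase` var (it is stored at `borg_ynh_backup_passphrase_path`)`.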
......@@ -22,12 +26,13 @@ If you set up both borg client and server, the easiest way is :
- setup the server, configuring the given public_key
- perform a test run by hand running `/etc/cron.d/borg-ynh-backup` if nothing
appears, then it worked :-)
- **backup your client private keys** (ssh & repo encryption), by hand, somewhere offline :
- /root/.borg/
- /root/.ssh/id_rsa_borg
- **backup your client private keys** (ssh, repo key and repo key passphrase),
by hand, somewhere offline :
- *~borg/.borg/pass* folder
- *~borg/.ssh/id_rsa* file
TODO
----
- Use compression
- handle properly the passphrase
- switch to repokey security
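Review bot: the TODO entry `- handle properly the passphrase` is left in place although that is exactly what this commit does; drop it so the list reflects the current state. The updated backup instructions (`~borg/.borg/pass` folder, `~borg/.ssh/id_rsa` file) agree with `borg_ynh_backup_passphrase_path` and `borg_ynh_backup_ssh_key` in defaults, which the previous text (`/root/.ssh/id_rsa_borg`) did not.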
......@@ -4,6 +4,7 @@ borg_ynh_backup_ssh_key: "{{ borg_ynh_backup_home }}/.ssh/id_rsa"
borg_ynh_backup_log_path: /var/log/borg-ynh-backup.log
borg_ynh_backup_tmp_path: /home/yunohost.backup/borg-tmp/
borg_ynh_backup_borg_path: /usr/local/bin/borg
borg_ynh_backup_passphrase_path: "{{ borg_ynh_backup_home }}/.borg/pass/borg-ynh-passphrase"
borg_ynh_backup_bin_path: "{{ borg_ynh_backup_home }}/bin"
borg_ynh_backup_sudoed_create: "{{ borg_ynh_backup_bin_path }}/ynh-backup-create"
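Review bot: `borg_ynh_backup_passphrase`, the variable passphrase.yml checks with `is undefined`, is not mentioned in this defaults file at all, so nobody reading it can tell the option exists. Add it as a commented-out line rather than a real default (for example `# borg_ynh_backup_passphrase: ""   # leave unset to have one generated`), because defining it with any value would disable the generation path.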
......
- name: Check that borg is installed (see borg-common role)
file: path={{ borg_ynh_borg_path }} state=file follow=yes
file: path={{ borg_ynh_backup_borg_path }} state=file follow=yes
- include: passphrase.yml
tags: [borg.passphrase]
- name: Create dedicated user
user:
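Review bot: `- include: passphrase.yml` sits before "Create dedicated user", yet the included tasks set `owner: "{{ borg_ynh_backup_user }}"` on both the passphrase directory and the passphrase file; on a fresh host the account does not exist yet, so the `file` and `copy` modules fail with an unknown-owner error on the first run. Move the include below the user-creation task. The `borg_ynh_borg_path` to `borg_ynh_backup_borg_path` rename in the install check is a correct fix of a previously undefined variable.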
......
# The passphrase is stored on borg client
# It is either defined in vars or generated randomly.
- name: Ensure borg passphrase dir exists
file:
path: "{{ borg_ynh_backup_passphrase_path|dirname }}"
mode: 0700
owner: "{{ borg_ynh_backup_user }}"
state: directory
recurse: yes
- name: Checks if a passphrase is already stored
stat: path={{ borg_ynh_backup_passphrase_path }}
register: passphrase_file
- name: Generate a random passphrase (if none provided)
when: borg_ynh_backup_passphrase is undefined and passphrase_file.stat.islnk is undefined
command: openssl rand -base64 200
register: generated_passphrase
- name: Record generated passphrase
set_fact: borg_ynh_backup_passphrase={{ generated_passphrase.stdout }}
when: generated_passphrase.changed
- name: Store passphrase
when: borg_ynh_backup_passphrase is defined
copy:
content: "{{ borg_ynh_backup_passphrase }}"
dest: "{{ borg_ynh_backup_passphrase_path }}"
backup: yes
owner: "{{ borg_ynh_backup_user }}"
mode: 0700
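Review bot: none of the tasks that handle the secret set `no_log: true`, so the `openssl rand` stdout (the whole passphrase), the `set_fact` value and the `copy` content all land in the Ansible output and log; add `no_log: true` to the "Generate", "Record" and "Store" tasks. Three smaller points: (1) `passphrase_file.stat.islnk is undefined` is an indirect existence test, `not passphrase_file.stat.exists` says what is meant; (2) `openssl rand -base64 200` emits line-wrapped output, so the stored passphrase contains embedded newlines, harmless for scripts that `cat` it but a trap for anyone restoring by hand, and `openssl rand -hex 32` or a trailing `| tr -d '\n'` avoids it; (3) the passphrase file is a regular file, `mode: 0600` is sufficient, and `recurse: yes` on the directory task additionally forces 0700 onto everything below it on every run.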
......@@ -9,7 +9,7 @@ ARCHIVE_NAME=$1
ARCHIVE="${REPOSITORY}::${ARCHIVE_NAME}"
export BORG_RSH="ssh -i {{ borg_ynh_backup_ssh_key }}"
export BORG_PASSPHRASE="notsosecret"
export BORG_PASSPHRASE="`cat {{ borg_ynh_backup_passphrase_path }}`"
export BORG_KEYS_DIR="{{ borg_ynh_backup_home }}/.borg/keys"
export BORG_CACHE_DIR="{{ borg_ynh_backup_home }}/.borg/cache"
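Review bot: `"`cat {{ borg_ynh_backup_passphrase_path }}`"` silently yields an empty `BORG_PASSPHRASE` when the file is missing or not readable by the user the script runs as (it is created 0700 and owned by `borg_ynh_backup_user`), after which borg prompts on a tty or fails under cron with no hint why; add a guard such as `[ -r "{{ borg_ynh_backup_passphrase_path }}" ] || { echo "passphrase file unreadable" >&2; exit 1; }` and prefer `$(...)` over backticks. Separately, any repository initialised while the removed hard-coded `notsosecret` was in effect will no longer open once the generated passphrase is used; the README should tell existing users to rekey with borg's change-passphrase subcommand before deploying this.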
......
......@@ -12,7 +12,7 @@ REPOSITORY={{ borg_ynh_backup_repository }}
BACKUP_DATE=`date +%Y-%m-%d`
ARCHIVE=${REPOSITORY}::$BACKUP_DATE
export BORG_RSH="ssh -i {{ borg_ynh_backup_ssh_key }}"
export BORG_PASSPHRASE="notsosecret"
export BORG_PASSPHRASE="`cat {{ borg_ynh_backup_passphrase_path }}`"
export BORG_KEYS_DIR="{{ borg_ynh_backup_home }}/.borg/keys"
export BORG_CACHE_DIR="{{ borg_ynh_backup_home }}/.borg/cache"
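Review bot: this is the same environment block as in the create script, and this commit already had to patch the `BORG_PASSPHRASE` line in both places; moving the `BORG_RSH`, `BORG_PASSPHRASE`, `BORG_KEYS_DIR` and `BORG_CACHE_DIR` exports into one templated file that both scripts source would keep them in step. The same caveat applies here: an unreadable passphrase file makes the backtick `cat` expand to an empty string, so check `-r` on the path and exit non-zero before calling borg.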
......