fix(#474): auto generate keys per host, authorize those keys on backup host

Closes #474
JacobCoffee committed Aug 22, 2024
1 parent 37e194a commit 4ccf1e5
Showing 3 changed files with 63 additions and 30 deletions.
16 changes: 8 additions & 8 deletions pillar/prod/backup/server.sls
Expand Up @@ -6,39 +6,39 @@ backup-server:
directory: /backup/python-docs
user: python-docs
increment_retention: 7D
authorized_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDhlpt0GMToIVMYBg5IvxXEE+D5rQQQEQxqzd8GFjA7GivE7jmxJJFHzDB+lA9mlaWEseNhDakzOma6PxDNdJ9lrBHDb/PeA/++oMsoQ2nU5BAbESXCrkSz9I6wh01oKGF4TytQNek4mv41R97eQioLRYFXsG0CvYsccudyQVwpDkhk/pBW3pqGudtY8JM3bjJI85EwcarQdqPj6dLy8STx8lTuOcSAOhLY5EPG34ZciHf3uFlgg6TYAkh5m8nT6nKEYsswQJIGqfJnLuTQVBuUODJ/tLQzjiOAPTcIKPJArPf/lAxqhuu6kiTX4aRl/gN68GnOvrgDvWbjVBXw3hrN
downloads:
directory: /backup/python-downloads
user: downloads
increment_retention: 365D
authorized_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCezDzZ3nfM5NpU6qAGXkU5122LmZHfe2+KjAdtgZr06OC9ke1kRO6mb+49JwO22zBxhdVOFEwiQsmtaeT3qh3FEcRB94rzvmBxwKiPuySMve4X7S+M/ozXDcJcdKnZ9jPwle2rJ9wag/0/6uCZtlHJFh0DZ4UI5Ttw6Pwq+X0T5ropD7i78OAbsaUn+lXU6k+ehIsWWjYjS/k8WFXW4WgMXchXk5AZYG7ZAOyWLLbmzDXMEqMmWe83EAArSF2fWOs1LoGyYRx4S1BVOo9w9HVAcbIPiccX0AtWLKzByoZ8fUILxdLmMeDrqohZXtbU/ci6V+AEBwNLRZsmvpfMeEJd
mail-python-org:
directory: /backup/mail-python-org
user: mail-python-org
increment_retention: 15D
authorized_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN9voJiSP7mTsY8so/S8qMizKpJvLxFMWAyrYiTM41APvVpIU62JXfnU4nZxtPaDnqfyuXQzgYh7NgiqU7/OomQ5oyLzoZ6BH8kk4p1RT+tM1s9lR88jxalwSQqt7Av+p7qn4HuJkYAL0k0+AjHI559bFKtyDZYDpZz/JSP++keRqPXMtOk4Nd4z6KR18mzF5NV7rXNjHDExrpVb7kex8UVqXbNj8+dgl37PdXN4cAxlQoOALFbHxGGdxLqvJyalr1GZaxNRul6JUHaRFUkt6rVl90lp6+SO21i6hg5H3fL7eynJto6R0jDFiVNe6JfJs4XdXGYKIZlzhhqMOgbm0t
python-bugs:
directory: /backup/python-bugs
user: python-bugs
increment_retention: 30D
authorized_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsMBXD2hOm536YI0GMSratv8cM1CZ1M3J1bsvj2NqD9PEp10o3FD5ofr81kB+BTyFKMnpwxuP/dcoCfiY4dCF1COIa82nUtvuklFYTVybW8dL7DevWxoX0F6PeK8Ox+kcuASjmgx2UJ/pisKEIhFQYTF4bmevSRXbLv94461dxOO6j2MOgtJRGDmr/2OhA30VAnjMw1U+4flZd6FLodfq1udX8NVTBg05BIAwLNYLFrvLO8yMlqZzb4TbA53w29yyNIoSlXBLtG+K19mAA3ki+rqZdhdS+k6u1/u0AVUcDvmX1MrOtcvucy74SIesBDJfdyR7OFpHmAx4/aDPVdmGV
gnumailman-data:
directory: /backup/gnumailman-data
user: gnumailman
increment_retention: 90D
authorized_key: ssh-rsa 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
hg:
directory: /backup/python-hg
user: hg
increment_retention: 90D
authorized_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDS0sTCNKlCfJd/TyiKW3HRwTUouo3+PvPOK3ddyfpY17bJ4KdpaMZgc7fNg5VKzFvvuHBqjvVJsdewP3LesLOuaQCQoSu1DniLoodZGRdJ9gqgtbRZf4ekzsn7E7WZUnVI0fbofvFWjbPt3PSxVtm8hCqwmwia53Ehh9G3xRurDhNUqIjrGcTStM3kloQHjKing+EGdCqPvikuwN1eMZXyNnt4zuoU4e39JGCBqRBfXumvrYvYzuNbAN8OZtNAfByzLFJ6DIWq0ihK6WS/KRYKGKivaaK26whafutfv44bP0w3LvZZyTMGGqiS/zLNPx0tkYK3JEt4bpLlyHZHbIBh
hg-mercurial-static:
directory: /backup/hg-mercurial-static
user: hg
increment_retention: 90D
hg-svn-config:
directory: /backup/hg-svn-config
user: hg
increment_retention: 90D
buildbot:
directory: /backup/buildbot
user: buildbot
increment_retention: 90D
authorized_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6ViDGniFFi9MeshjdKfh/qw3oXsYCLryh3t/wY9V43l209khYhXAh5k14QcbTu8b6H1MGNhq2jjMKLv2C2xzXubSZfUKFEhJp9MRG0xg3mxR9kGRu5wEmNbRavFKA2d0oiQFfMTRNUGCzPL5mn98EuFUuOtM+dMiXJ5eJdcFb5i0R8o31JzeaA37ogyYbmFYd20dsMlHEV7WdTILp0GeHxyq4t9NXMBu7cBvsLr4dSUQxlehTbHy5q0ZKWML0q1GVo65bAsTmh9byrEN5iUhWRRTTj/Pp9V15cYRtMc8qMTBNnDCKXtctfj3SuEUp47TCRbkyg2dFb/mUWCbVrgT9
moin:
directory: /backup/moin
user: moin
increment_retention: 90D
authorized_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDCr9RaD7FYNH4LSiC1d7UEwLo4o78+d8VZebRqsXfHH/J6xH6iBj8bEhzv08tVIVUb//T8fBM/N9bf9FYxiQPo/TouSkolaSNNkpPveXP3CtOUaR8f+W6C5Q4UfV0JRw0VRv7qfo5jjDpL7wMlq2wvI8ZS/0lODhUQg7TFUHSbaRM4j9CjokhQZLXoMa/V7M6S1OWjt9y3VrGNlT1EBAO/aQPmCNU8jStkJXvW/L9/jRU2RzTCGeuOBveKBe3HoXTaQbgqngilqZN+xfHNHtTMlF/KfgtZgl5l3C/nzlzkvBMSWOMiBLVtapUMdB6nNBAxY6Gb2OC5OjnMIoZ3X7efzKpasCJZ1mRwvaFU8XC2166+PVdWpj+UJ1Nv18Nl7Qzf3a04LOiV3s+0hxfYxDg1rsT+XyW/r65Tupp7u4MGgw1U/AtiH/Rsjl6IcGGsguMqQO6QlFcVPTTaEZvxAV54yMRlvzmc1hBDVbzKuUeE/yShpf1b9OsZODvyEjRFtDc=
33 changes: 22 additions & 11 deletions salt/backup/client/init.sls
@@ -1,3 +1,6 @@
{% set backup_host = salt['pillar.get']('backup:target_host') %}
{% set backup_user = salt['pillar.get']('backup:user') %}
{% set backup_key_location = '/etc/backup/.ssh' %}

include:
- backup.base
Expand All @@ -8,21 +11,29 @@ include:
- group: root
- mode: "0755"

/etc/backup/.ssh:
{{ backup_key_location }}:
file.directory:
- user: root
- group: root
- mode: "0755"

{% for backup, config in salt['pillar.get']('backup:directories', {}).items() %}
{{ backup_host }}-ssh-key-create:
cmd.run:
- name: ssh-keygen -t rsa -b 4096 -f {{ backup_key_location }}/id_rsa_{{ backup_host }} -N ""
- creates: {{ backup_key_location }}/id_rsa_{{ backup_host }}

{{ backup }}-ssh-key:
file.managed:
- name: /etc/backup/.ssh/id_rsa_{{ backup }}
- contents_pillar: backup-secret:directories:{{ backup }}:ssh_key
- user: {{ config['user'] }}
- mode: "0600"
- show_diff: False
# We publish the public key to the mine so that the backup server can consume all of them
# and add them to the `authorized_keys` file
{{ backup_host }}-public-key-publish:
module.run:
- name: mine.send
- m_name: cmd.run
- kwargs:
cmd: cat {{ backup_key_location }}/id_rsa_{{ backup_host }}.pub
- onchanges:
- cmd: {{ backup_host }}-ssh-key-create

{% for backup, config in salt['pillar.get']('backup:directories', {}).items() %}

{{ backup }}-script-dir:
file.directory:
Expand All @@ -39,9 +50,9 @@ include:
- context:
pre_script: '{{ config.get('pre_script', ":") }}'
{% if grains["oscodename"] == "noble" -%}
remote_command: '/usr/bin/rdiff-backup --terminal-verbosity 1 --remote-schema "ssh -i /etc/backup/.ssh/id_rsa_{{ backup }} -C %s rdiff-backup server" backup --no-eas {%- for exclude in config.get('exclude', []) %} --exclude {{ exclude }} {%- endfor %} {{ config['source_directory'] }} {{ config['target_user'] }}@{{ config['target_host'] }}::{{ config['target_directory'] }}'
remote_command: '/usr/bin/rdiff-backup --terminal-verbosity 1 --remote-schema "ssh -i {{ backup_key_location }}/id_rsa_{{ backup_host }} -C %s rdiff-backup server" --no-eas {%- for exclude in config.get("exclude", []) %} --exclude {{ exclude }} {%- endfor %} {{ config["source_directory"] }} {{ config["target_user"] }}@{{ backup_host }}::{{ config["target_directory"] }}'
{% else %}
remote_command: '/usr/bin/rdiff-backup --terminal-verbosity 1 {%- for exclude in config.get('exclude', []) %} --exclude {{ exclude }} {%- endfor %} --no-eas --remote-schema "ssh -i /etc/backup/.ssh/id_rsa_{{ backup }} -C %s rdiff-backup server" {{ config['source_directory'] }} {{ config['target_user'] }}@{{ config['target_host'] }}::{{ config['target_directory'] }}'
remote_command: '/usr/bin/rdiff-backup --terminal-verbosity 1 {%- for exclude in config.get("exclude", []) %} --exclude {{ exclude }} {%- endfor %} --no-eas --remote-schema "ssh -i {{ backup_key_location }}/id_rsa_{{ backup_host }} -C %s rdiff-backup server" {{ config["source_directory"] }} {{ config["target_user"] }}@{{ backup_host }}::{{ config["target_directory"] }}'
{% endif %}
post_script: '{{ config.get('post_script', ":") }}'
cleanup_script: '{{ config.get('cleanup_script', ":") }}'
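Review bot: The public key is published under the generic mine function name `cmd.run` (lines 104–107), so on the consuming side it is indistinguishable from any other `cmd.run` mine data a minion might publish; alias it so the server can fetch only backup keys, e.g. `- m_name: backup_pubkey` plus `- mine_function: cmd.run` (and query `mine.get('*', 'backup_pubkey')` on the server — confirm that `module.run` passes `mine_function` through to `mine.send` in this Salt release). The key is generated by `cmd.run` as root with no `runas`, so it ends up root-owned with ssh-keygen's default 0600 inside a 0755 directory; the state this replaces set `user: {{ config['user'] }}` on the key, so if the rdiff-backup scripts still run as that user they can no longer read it — confirm which user runs them and add `runas`/an explicit `file.managed` mode accordingly. Because `onchanges` fires only when the key file is first created, a mine cache that is cleared (master rebuild, `mine.flush`) is never repopulated until the private key is deleted; a `mine_functions` entry in minion config/pillar with a regular `mine_interval` is more robust than a one-shot `mine.send`. The `{% for backup, config %}` loop opened at line 111 closes outside the hunk.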
44 changes: 33 additions & 11 deletions salt/backup/server/init.sls
@@ -1,28 +1,50 @@
{% set backup_hosts = salt['mine.get']('*', 'cmd.run') %}
{% set target_host = salt['pillar.get']('backup:target_host') %}

include:
- backup.base

/backup:
file.directory:
- user: root
- group: root
- mode: "0755"

{% for backup, config in salt['pillar.get']('backup-server:backups', {}).items() %}

{{ backup }}-user:
user.present:
- name: {{ config['user'] }}

{{ backup }}-ssh:
ssh_auth:
- present
{{ backup }}-ssh-dir:
file.directory:
- name: /home/{{ config['user'] }}/.ssh
- user: {{ config['user'] }}
- names:
- {{ config['authorized_key'] }}
- options:
- command="rdiff-backup server"
- no-pty
- no-port-forwarding
- no-agent-forwarding
- no-X11-forwarding
- group: {{ config['user'] }}
- mode: 0700
- makedirs: True
- require:
- user: {{ config['user'] }}

{{ backup }}-authorized-keys:
file.managed:
- name: /home/{{ config['user'] }}/.ssh/authorized_keys
- user: {{ config['user'] }}
- group: {{ config['user'] }}
- mode: 0600
- replace: False
- require:
- file: {{ backup }}-ssh-dir

{% for host, pubkey in backup_hosts.items() %}
{{ backup }}-{{ host }}-ssh-key:
file.append:
- name: /home/{{ config['user'] }}/.ssh/authorized_keys
- text: 'command="rdiff-backup server",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding {{ pubkey }}'
- require:
- file: {{ backup }}-authorized-keys
{% endfor %}

{{ backup }}:
file.directory:
- name: {{ config['directory'] }}
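Review bot: Every key in the mine is appended to every backup user's `authorized_keys` (lines 180–187), so a client host that previously held only its own per-backup key can now authenticate as every backup user and read or overwrite other hosts' backups through the permitted `rdiff-backup server` command; add a per-backup host allow-list in pillar (e.g. a `hosts:` list) and filter on it. `mine.get('*', 'cmd.run')` on line 131 also matches any minion publishing `cmd.run` mine data for unrelated reasons, the value is never checked to look like a key (an empty `cat` result yields a line of bare options), and `file.append` never removes an entry, so a decommissioned or rotated host stays authorized indefinitely — rendering the whole file through `file.managed` `contents` addresses all three and makes the file content a function of current mine data. As a point of style, `mode: 0700` and `0600` are unquoted while line 141 uses `"0755"`; quote them so YAML does not read them as octal integers. The `{% for backup, config %}` loop opened at line 143 closes outside the hunk.
```yaml
{{ backup }}-authorized-keys:
  file.managed:
    - name: /home/{{ config['user'] }}/.ssh/authorized_keys
    - user: {{ config['user'] }}
    - group: {{ config['user'] }}
    - mode: "0600"
    - contents: |
        {%- for host, pubkey in backup_hosts.items()
              if host in config.get('hosts', []) and pubkey.startswith('ssh-') %}
        command="rdiff-backup server",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding {{ pubkey | trim }}
        {%- endfor %}
    - require:
      - file: {{ backup }}-ssh-dir
# … removed: the per-host file.append loop …
```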
