feat: full untested ansible setup

roles/backupagent/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Restart ssh after backupagent change
+  ansible.builtin.service:
+    name: ssh
+    state: restarted

roles/backupagent/tasks/main.yml

@@ -0,0 +1,44 @@
+---
+- name: Ensure backupagent user exists
+  ansible.builtin.user:
+    name: "{{ backupagent.name }}"
+    shell: "{{ backupagent.shell }}"
+    create_home: true
+    state: present
+
+- name: Ensure backupagent SSH directory exists
+  ansible.builtin.file:
+    path: "/home/{{ backupagent.name }}/.ssh"
+    state: directory
+    owner: "{{ backupagent.name }}"
+    group: "{{ backupagent.name }}"
+    mode: "0700"
+
+- name: Install backupagent authorized keys
+  ansible.builtin.copy:
+    dest: "/home/{{ backupagent.name }}/.ssh/authorized_keys"
+    content: |
+      {% for key in backupagent.authorized_keys %}
+      {{ key }}
+      {% endfor %}
+    owner: "{{ backupagent.name }}"
+    group: "{{ backupagent.name }}"
+    mode: "0600"
+
+- name: Allow passwordless sudo for backup rsync
+  ansible.builtin.template:
+    src: backupagent-sudoers.j2
+    dest: /etc/sudoers.d/backupagent-rsync
+    owner: root
+    group: root
+    mode: "0440"
+    validate: /usr/sbin/visudo -cf %s
+
+- name: Restrict SSH settings for backupagent
+  ansible.builtin.template:
+    src: backupagent-sshd-match.conf.j2
+    dest: /etc/ssh/sshd_config.d/60-backupagent.conf
+    owner: root
+    group: root
+    mode: "0644"
+  notify: Restart ssh after backupagent change

roles/backupagent/templates/backupagent-sshd-match.conf.j2

@@ -0,0 +1,15 @@
+Match User {{ backupagent.name }}
+    AuthenticationMethods publickey
+    PasswordAuthentication no
+    KbdInteractiveAuthentication no
+    PubkeyAuthentication yes
+    PermitTTY no
+    X11Forwarding no
+    AllowAgentForwarding no
+    AllowTcpForwarding no
+    AllowStreamLocalForwarding no
+    PermitTunnel no
+    GatewayPorts no
+    PermitUserEnvironment no
+    PermitUserRC no
+    PermitOpen none

roles/backupagent/templates/backupagent-sudoers.j2

@@ -0,0 +1 @@
+{{ backupagent.name }} ALL=(root) NOPASSWD: {{ backupagent.sudo_commands | join(', ') }}