feat: full untested ansible setup

2026-04-22 12:22:58 +02:00
parent b1d9b2a857
commit 0d967909e7
37 changed files with 1362 additions and 1 deletions
--- a/roles/backupagent/tasks/main.yml
+++ b/roles/backupagent/tasks/main.yml
@@ -0,0 +1,44 @@
+---
+- name: Ensure backupagent user exists
+  ansible.builtin.user:
+    name: "{{ backupagent.name }}"
+    shell: "{{ backupagent.shell }}"
+    create_home: true
+    state: present
+
+- name: Ensure backupagent SSH directory exists
+  ansible.builtin.file:
+    path: "/home/{{ backupagent.name }}/.ssh"
+    state: directory
+    owner: "{{ backupagent.name }}"
+    group: "{{ backupagent.name }}"
+    mode: "0700"
+
+- name: Install backupagent authorized keys
+  ansible.builtin.copy:
+    dest: "/home/{{ backupagent.name }}/.ssh/authorized_keys"
+    content: |
+      {% for key in backupagent.authorized_keys %}
+      {{ key }}
+      {% endfor %}
+    owner: "{{ backupagent.name }}"
+    group: "{{ backupagent.name }}"
+    mode: "0600"
+
+- name: Allow passwordless sudo for backup rsync
+  ansible.builtin.template:
+    src: backupagent-sudoers.j2
+    dest: /etc/sudoers.d/backupagent-rsync
+    owner: root
+    group: root
+    mode: "0440"
+    validate: /usr/sbin/visudo -cf %s
+
+- name: Restrict SSH settings for backupagent
+  ansible.builtin.template:
+    src: backupagent-sshd-match.conf.j2
+    dest: /etc/ssh/sshd_config.d/60-backupagent.conf
+    owner: root
+    group: root
+    mode: "0644"
+  notify: Restart ssh after backupagent change