diff --git a/ansible/roles/truenas/files/scripts/borgserver.bash b/ansible/roles/truenas/files/borgserver/rc.d
similarity index 100%
rename from ansible/roles/truenas/files/scripts/borgserver.bash
rename to ansible/roles/truenas/files/borgserver/rc.d
diff --git a/ansible/roles/truenas/files/borgserver/sshd_config b/ansible/roles/truenas/files/borgserver/sshd_config
new file mode 100644
index 000000000..09fc06381
--- /dev/null
+++ b/ansible/roles/truenas/files/borgserver/sshd_config
@@ -0,0 +1,5 @@
+HostKey /keys/host/ssh_host_rsa_key
+HostKey /keys/host/ssh_host_ed25519_key
+AuthorizedKeysFile .ssh/authorized_keys
+Subsystem sftp /usr/libexec/sftp-server
+PermitRootLogin yes
diff --git a/ansible/roles/truenas/tasks/jails/borgserver-init.yml b/ansible/roles/truenas/tasks/jails/borgserver-init.yml
new file mode 100644
index 000000000..81d7ac2e0
--- /dev/null
+++ b/ansible/roles/truenas/tasks/jails/borgserver-init.yml
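Review bot: `PermitRootLogin yes` on the last line allows root to log in with whatever authentication methods sshd permits, and because this five-line file replaces the whole sshd_config, every option not listed here falls back to the sshd build's defaults — in stock OpenSSH that leaves password and keyboard-interactive authentication enabled, so root password guessing becomes possible on a host the same commit considers exposed enough to need sshguard. The Ansible tasks in this commit reach the jail as root over SSH, so key-based root login is what is actually needed; `PermitRootLogin prohibit-password` keeps that, and `PasswordAuthentication no` plus `KbdInteractiveAuthentication no` close the password path explicitly rather than relying on defaults. For a borg target it is also worth checking (not visible here) that the borg user's authorized_keys entries carry a forced command such as `command="borg serve --restrict-to-repository /backups/<client>",restrict` so a leaked client key cannot get a shell or read other clients' repositories.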
@@ -0,0 +1,112 @@
+---
+- name: jail-borgserver | get jail ip
+ ansible.builtin.shell:
+ cmd: iocage exec borgserver ifconfig epair0b | grep 'inet' | awk -F ' ' '{ print $2 }'
+ changed_when: false
+ register: borgserver_jail_ip
+ become: true
+
+- block:
+ - name: jail-borgserver | create zfs pools
+ community.general.zfs:
+ name: "{{ item }}"
+ state: present
+ loop:
+ - "{{ pool_name }}/jail-mounts"
+ - "{{ pool_name }}/jail-mounts/borgserver"
+ - "{{ pool_name }}/jail-mounts/borgserver/backups"
+ - "{{ pool_name }}/jail-mounts/borgserver/keys"
+
+ - name: jail-borgserver | create empty dirs
+ ansible.builtin.shell:
+ cmd: iocage exec borgserver mkdir -p /{{ item }}
+ loop:
+ - backups
+ - keys
+
+ - name: jail-borgserver | mount dirs
+ ansible.builtin.shell:
+ cmd: iocage fstab -a borgserver /mnt/{{ pool_name }}/jail-mounts/borgserver/{{ item }} /{{ item }} nullfs rw 0 0
+ loop:
+ - backups
+ - keys
+ become: true
+
+- block:
+ - name: jail-borgserver | packages
+ community.general.pkgng:
+ name:
+ #- py39-borgbackup
+ - sshguard
+ state: present
+
+ - name: jail-borgserver | download borg cli
+ ansible.builtin.get_url:
+ url: https://github.com/borgbackup/borg/releases/download/1.2.1/borg-freebsd64
+ dest: /usr/local/bin/borg
+ mode: 0755
+
+ - name: jail-borgserver | user borg
+ ansible.builtin.user:
+ name: borg
+ uid: 1000
+ state: present
+
+ - name: jail-borgserver | create directories
+ ansible.builtin.file:
+ path: /home/borg/.ssh
+ owner: 1000
+ group: 1000
+ state: directory
+
+ - name: jail-borgserver | authorized_keys
+ ansible.builtin.file:
+ path: /home/borg/.ssh/authorized_keys
+ owner: 1000
+ group: 1000
+ state: touch
+
+ - name: jail-borgserver | change folders mod
+ ansible.builtin.file:
+ path: "{{ item }}"
+ owner: 1000
+ group: 1000
+ loop:
+ - /backups
+ - /keys
+
+ - name: jail-borgserver | copy sshd_config
+ ansible.builtin.copy:
+ src: borgserver/sshd_config
+ dest: /etc/ssh/sshd_config'
+ mode: 0644
+
+ - name: jail-borgserver | copy 
borgserver rc.d
+ ansible.builtin.copy:
+ src: borgserver/rc.d
+ dest: /etc/rc.d/borgserver
+ mode: 0755
+
+ - name: jail-borgserver | configure sshguard
+ community.general.sysrc:
+ name: "{{ item.name }}"
+ value: "{{ item.value }}"
+ state: present
+ loop:
+ - { name: "sshguard_enable", value: "YES" }
+ - { name: "sshguard_danger_thresh", value: "30" }
+ - { name: "sshguard_release_interval", value: "600" }
+ - { name: "sshguard_reset_interval", value: "7200" }
+
+ - name: jail-borgserver | start sshguard service
+ ansible.builtin.service:
+ name: sshguard
+ state: started
+
+ - name: jail-borgserver | restart sshd service
+ ansible.builtin.service:
+ name: sshd
+ state: restarted
+
+ delegate_to: "{{ borgserver_jail_ip.stdout }}"
+ remote_user: root
diff --git a/ansible/roles/truenas/tasks/jails/init.yml b/ansible/roles/truenas/tasks/jails/init.yml
index 17bcee127..32ed7dced 100644
--- a/ansible/roles/truenas/tasks/jails/init.yml
+++ b/ansible/roles/truenas/tasks/jails/init.yml
@@ -1,9 +1,4 @@
 ---
-- name: jail-prepare | {{ outside_item.item }} | start jail
- ansible.builtin.shell:
- cmd: iocage start {{ outside_item.item }}
- become: true
-
 - name: jail-prepare | {{ outside_item.item }} | create .ssh directory
 ansible.builtin.shell:
 cmd: iocage exec {{ outside_item.item }} 'mkdir -p /root/.ssh; echo "" > /root/.ssh/authorized_keys; chmod 700 /root/.ssh; chmod 600 /root/.ssh/authorized_keys'
diff --git a/ansible/roles/truenas/tasks/jails/postgres-conf.yml b/ansible/roles/truenas/tasks/jails/postgres-conf.yml
index 5aed5ceb6..3f9c06a6f 100644
--- a/ansible/roles/truenas/tasks/jails/postgres-conf.yml
+++ b/ansible/roles/truenas/tasks/jails/postgres-conf.yml
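Review bot: The "copy sshd_config" task writes to `dest: /etc/ssh/sshd_config'` — the trailing apostrophe is part of the plain scalar, so the file lands as a literal `sshd_config'` next to the real one and the "restart sshd service" task at the end of the hunk restarts sshd on the stock config, meaning none of the HostKey paths under /keys/host take effect; the fix is `dest: /etc/ssh/sshd_config`, and adding `validate: /usr/sbin/sshd -t -f %s` to that copy would make a broken config fail the play instead of locking you out of the jail. The "download borg cli" get_url fetches an executable from GitHub and installs it 0755 with no `checksum:`, so a compromised release asset or MITM of the download becomes root-installed code on the backup target; pin the 1.2.1 binary with `checksum: sha256:<digest from the release's SHA256SUMS>`. The .ssh directory and authorized_keys are created with owner/group only — no `mode: "0700"` / `mode: "0600"` — and `state: touch` reports changed on every run; `state: file` (or `copy` with `content`) with explicit modes is both idempotent and what sshd's StrictModes expects. The mkdir and `iocage fstab -a` shell tasks have no `changed_when`/`creates` guard, so every rerun appends duplicate fstab entries; a `grep -q` precheck or `iocage fstab -l` comparison would keep them idempotent.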
@@ -8,7 +8,7 @@ - name: jail-postgres | copy letsencrypt certificate ansible.builtin.copy: - src: /mnt/storage/home/homelab/letsencrypt/xpander.ovh/{{ item.src }} + src: /mnt/storage/home/homelab/letsencrypt/{{ secret_domain }}/{{ item.src }} remote_src: true dest: /mnt/storage/jail-mounts/postgres/data{{ postgres_version }}/{{ item.dest }} owner: 770 diff --git a/ansible/roles/truenas/tasks/jails/postgres-init.yml b/ansible/roles/truenas/tasks/jails/postgres-init.yml index 6d5557b2a..c089fb2e7 100644 --- a/ansible/roles/truenas/tasks/jails/postgres-init.yml +++ b/ansible/roles/truenas/tasks/jails/postgres-init.yml @@ -52,7 +52,7 @@ state: present - name: jail-postgres | pip packages - ansible.builtint.pip: + ansible.builtin.pip: name: psycopg2 state: present diff --git a/ansible/roles/truenas/tasks/main.yml b/ansible/roles/truenas/tasks/main.yml index b1c4246e4..0c1bbac83 100644 --- a/ansible/roles/truenas/tasks/main.yml +++ b/ansible/roles/truenas/tasks/main.yml @@ -23,4 +23,14 @@ - ansible.builtin.include_tasks: jails/postgres-conf.yml + - ansible.builtin.shell: + cmd: test -f /mnt/storage/jail-mounts/borgserver/keys/host/ssh_host_ed25519_key + register: borgserver_data_exists + become: true + changed_when: false + failed_when: borgserver_data_exists.rc != 0 and borgserver_data_exists.rc != 1 + + - ansible.builtin.include_tasks: jails/borgserver-init.yml + when: borgserver_data_exists.rc == 1 + when: "main_nas"
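Review bot: The sentinel in the new shell task is hard-coded as `/mnt/storage/jail-mounts/borgserver/keys/host/ssh_host_ed25519_key`, while borgserver-init.yml in this same commit creates and mounts the dataset under `/mnt/{{ pool_name }}/jail-mounts/borgserver/keys`; if `pool_name` is ever anything other than `storage`, the test never sees the key and borgserver-init.yml (with its `iocage fstab -a` and sshd restart) runs on every play. Use the same variable, `cmd: test -f /mnt/{{ pool_name }}/jail-mounts/borgserver/keys/host/ssh_host_ed25519_key`, or replace the shell+rc parsing with `ansible.builtin.stat` and `when: not borgserver_host_key.stat.exists`, which removes the need for the `failed_when` arithmetic. Nothing in the visible changeset writes that host key — presumably the renamed rc.d script generates it on first jail start — so a one-line comment above the task stating what creates the sentinel and why its absence means "not yet initialised" would save the next reader from guessing.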