diff --git a/.github/linters/.jscpd.json b/.github/linters/.jscpd.json new file mode 100644 index 000000000..b12845277 --- /dev/null +++ b/.github/linters/.jscpd.json @@ -0,0 +1,3 @@ +{ + "ignore": ["**/truenas/files/scripts/**"] +} diff --git a/.github/workflows/helm-release-differ.yaml b/.github/workflows/helm-release-differ.yaml index 2e69d6f1c..a7b5cb9ba 100644 --- a/.github/workflows/helm-release-differ.yaml +++ b/.github/workflows/helm-release-differ.yaml @@ -68,7 +68,7 @@ jobs: with: issue-number: "${{ github.event.pull_request.number }}" comment-author: "${{ env.BOT_USERNAME }}" - body-includes: helm-release.yaml + body-includes: "${{ matrix.file }}" - name: Create or update comment uses: peter-evans/create-or-update-comment@v2 with: diff --git a/.github/workflows/lint.yaml b/.github/workflows/megalinter.yaml similarity index 80% rename from .github/workflows/lint.yaml rename to .github/workflows/megalinter.yaml index 0e9f7edda..7cfa3da6b 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/megalinter.yaml @@ -13,21 +13,23 @@ concurrency: jobs: build: - name: Lint + name: MegaLinter runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v3 with: fetch-depth: 0 + - name: Generate Token uses: tibdex/github-app-token@v1 id: generate-token with: app_id: "${{ secrets.BOT_APP_ID }}" private_key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" + - name: MegaLinter - uses: oxsecurity/megalinter@v6.0.3 + uses: oxsecurity/megalinter@v6.0.4 env: GITHUB_TOKEN: "${{ steps.generate-token.outputs.token }}" PRINT_ALPACA: false @@ -40,10 +42,10 @@ jobs: "ACTION_ACTIONLINT", "ANSIBLE_ANSIBLE_LINT", "COPYPASTE_JSCPD", - "CREDENTIALS_SECRETLINT", - "GIT_GIT_DIFF", "KUBERNETES_KUBEVAL", "MARKDOWN_MARKDOWNLINT", + "REPOSITORY_GIT_DIFF", + "REPOSITORY_SECRETLINT", "TERRAFORM_TERRAFORM_FMT", "YAML_PRETTIER", "YAML_YAMLLINT" @@ -53,19 +55,13 @@ jobs: ) }} ANSIBLE_DIRECTORY: ansible - ANSIBLE_ANSIBLE_LINT_CONFIG_FILE: .ansible-lint + ANSIBLE_ANSIBLE_LINT_CONFIG_FILE: .github/linters/.ansible-lint + COPYPASTE_JSCPD_CONFIG_FILE: .github/linters/.jspcd.json KUBERNETES_DIRECTORY: cluster KUBERNETES_KUBEVAL_ARGUMENTS: --ignore-missing-schemas KUBERNETES_KUBEVAL_FILTER_REGEX_INCLUDE: "(kubernetes)" MARKDOWN_MARKDOWNLINT_CONFIG_FILE: .github/linters/.markdownlint.yaml MARKDOWN_MARKDOWNLINT_RULES_PATH: .github/ YAML_YAMLLINT_CONFIG_FILE: .github/linters/.yamllint.yaml + YAML_PRETTIER_CONFIG_FILE: .github/linters/.prettierrc.yaml YAML_PRETTIER_FILTER_REGEX_EXCLUDE: "(.*\\.sops\\.ya?ml)" - - name: Archive production artifacts - if: ${{ success() }} || ${{ failure() }} - uses: actions/upload-artifact@v3 - with: - name: MegaLinter reports - path: | - report - mega-linter.log diff --git a/.github/workflows/scan-containers.yaml b/.github/workflows/scan-containers.yaml index ec01b12b3..6b9ad821a 100644 --- a/.github/workflows/scan-containers.yaml +++ b/.github/workflows/scan-containers.yaml @@ -64,8 +64,7 @@ jobs: image-ref: ${{ matrix.containers }} vuln-type: os,library severity: CRITICAL,HIGH - format: template - template: "@/contrib/sarif.tpl" + format: sarif output: trivy-results.sarif - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v2 diff --git a/.github/workflows/schedule-renovate.yaml b/.github/workflows/schedule-renovate.yaml index 32dbe1787..bfa2932dd 100644 --- a/.github/workflows/schedule-renovate.yaml +++ b/.github/workflows/schedule-renovate.yaml @@ -44,7 +44,7 @@ jobs: echo "DRY_RUN=${{ github.event.inputs.dryRun || env.DRY_RUN }}" >> "${GITHUB_ENV}" echo "LOG_LEVEL=${{ github.event.inputs.logLevel || env.LOG_LEVEL }}" >> "${GITHUB_ENV}" - name: Renovate - uses: renovatebot/github-action@v32.112.0 + uses: renovatebot/github-action@v32.111.0 with: configurationFile: .github/renovate.json5 token: "x-access-token:${{ steps.generate-token.outputs.token }}" diff --git a/ansible/roles/truenas/files/scripts/borgserver.bash b/ansible/roles/truenas/files/scripts/borgserver.bash new file mode 100644 index 000000000..c7c5f334f --- /dev/null +++ b/ansible/roles/truenas/files/scripts/borgserver.bash @@ -0,0 +1,96 @@ +#!/usr/bin/env bash + +PUID=${PUID:-1000} +PGID=${PGID:-1000} + +usermod -o -u "$PUID" borg &>/dev/null +groupmod -o -g "$PGID" borg &>/dev/null + +BORG_DATA_DIR=/backups +SSH_KEY_DIR=/keys +BORG_CMD='cd ${BORG_DATA_DIR}/${client_name}; borg serve --restrict-to-path ${BORG_DATA_DIR}/${client_name} ${BORG_SERVE_ARGS}' +AUTHORIZED_KEYS_PATH=/home/borg/.ssh/authorized_keys + +# Append only mode? +BORG_APPEND_ONLY=${BORG_APPEND_ONLY:=no} + +source /etc/os-release +echo "########################################################" +echo -n " * BorgServer powered by " +borg -V +echo " * Based on k8s-at-home" +echo "########################################################" +echo " * User id: $(id -u borg)" +echo " * Group id: $(id -g borg)" +echo "########################################################" + + +# Precheck if BORG_ADMIN is set +if [ "${BORG_APPEND_ONLY}" == "yes" ] && [ -z "${BORG_ADMIN}" ] ; then + echo "WARNING: BORG_APPEND_ONLY is active, but no BORG_ADMIN was specified!" +fi + +# Precheck directories & client ssh-keys +for dir in BORG_DATA_DIR SSH_KEY_DIR ; do + dirpath=$(eval echo '$'${dir}) + echo " * Testing Volume ${dir}: ${dirpath}" + if [ ! -d "${dirpath}" ] ; then + echo "ERROR: ${dirpath} is no directory!" + exit 1 + fi + + if [ "$(find ${SSH_KEY_DIR}/clients ! -regex '.*/\..*' -a -type f | wc -l)" == "0" ] ; then + echo "ERROR: No SSH-Pubkey file found in ${SSH_KEY_DIR}" + exit 1 + fi +done + +# Create SSH-Host-Keys on persistent storage, if not exist +mkdir -p ${SSH_KEY_DIR}/host 2>/dev/null +echo " * Checking / Preparing SSH Host-Keys..." +for keytype in ed25519 rsa ; do + if [ ! -f "${SSH_KEY_DIR}/host/ssh_host_${keytype}_key" ] ; then + echo " ** Creating SSH Hostkey [${keytype}]..." + ssh-keygen -q -f "${SSH_KEY_DIR}/host/ssh_host_${keytype}_key" -N '' -t ${keytype} + fi +done + +echo "########################################################" +echo " * Starting SSH-Key import..." + +# Add every key to borg-users authorized_keys +rm ${AUTHORIZED_KEYS_PATH} &>/dev/null +for keyfile in $(find "${SSH_KEY_DIR}/clients" ! -regex '.*/\..*' -a -type f); do + client_name=$(basename ${keyfile}) + mkdir ${BORG_DATA_DIR}/${client_name} 2>/dev/null + echo " ** Adding client ${client_name} with repo path ${BORG_DATA_DIR}/${client_name}" + + # If client is $BORG_ADMIN unset $client_name, so path restriction equals $BORG_DATA_DIR + # Otherwise add --append-only, if enabled + borg_cmd=${BORG_CMD} + if [ "${client_name}" == "${BORG_ADMIN}" ] ; then + echo " ** Client '${client_name}' is BORG_ADMIN! **" + unset client_name + elif [ "${BORG_APPEND_ONLY}" == "yes" ] ; then + borg_cmd="${BORG_CMD} --append-only" + fi + + echo -n "restrict,command=\"$(eval echo -n \"${borg_cmd}\")\" " >> ${AUTHORIZED_KEYS_PATH} + cat ${keyfile} >> ${AUTHORIZED_KEYS_PATH} + echo >> ${AUTHORIZED_KEYS_PATH} +done +chmod 0600 "${AUTHORIZED_KEYS_PATH}" + +echo " * Validating structure of generated ${AUTHORIZED_KEYS_PATH}..." +ERROR=$(ssh-keygen -lf ${AUTHORIZED_KEYS_PATH} 2>&1 >/dev/null) +if [ $? -ne 0 ]; then + echo "ERROR: ${ERROR}" + exit 1 +fi + +chown -R borg:borg ${BORG_DATA_DIR} +chown borg:borg ${AUTHORIZED_KEYS_PATH} +chmod 600 ${AUTHORIZED_KEYS_PATH} + +echo "########################################################" +echo " * Init done!"