Add support for append-only keys (#197)

* Add support for append-only keys * add documentation and simplify template --------- Co-authored-by: Max Hösel <git@maxhoesel.de>
maxhoesel-ansible · Jul 19, 2024 · 83c238d · 83c238d
1 parent 9b3b1b3
commit 83c238d
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 2 deletions.
diff --git a/roles/borg_server/README.md b/roles/borg_server/README.md
@@ -45,6 +45,7 @@ The server uses these keys to restrict hosts into a single directory where they
 ##### `borg_server_authorized_hosts`
 - List of hosts that will have access to the backup server
 - Each entry is a dict containing the host name and its ssh public key
+    - You can optionally specify `append_only` to run in [Append-only mode](https://borgbackup.readthedocs.io/en/stable/usage/notes.html#append-only-mode-forbid-compaction)
 - Required: yes
 - Example:
   ```yaml
@@ -53,6 +54,7 @@ The server uses these keys to restrict hosts into a single directory where they
       key: ssh-rsa key-goes-here
     - name: host2.my.domain
       key: ssh-rsa key-goes-here
+      append_only: true
     ...
   ```
 
@@ -69,4 +71,5 @@ The server uses these keys to restrict hosts into a single directory where they
             key: ssh-rsa key-goes-here
           - name: host2.my.domain
             key: ssh-rsa key-goes-here
+            append_only: true
 ```
diff --git a/roles/borg_server/molecule/default/converge.yml b/roles/borg_server/molecule/default/converge.yml
@@ -11,3 +11,6 @@
         borg_server_authorized_hosts:
           - name: "test-host.localdomain"
             key: "{{ lookup('file', 'files/id_rsa.pub') }}"
+          - name: "test-append.localdomain"
+            key: "{{ lookup('file', 'files/id_rsa.pub') }}"
+            append_only: yes
diff --git a/roles/borg_server/molecule/default/verify.yml b/roles/borg_server/molecule/default/verify.yml
@@ -19,7 +19,8 @@
     - name: Verify that key is present
       assert:
         that:
-          - "'cd /var/borg-server-molecule/test-host.localdomain; borg serve --restrict-to-path /var/borg-server-molecule/test-host.localdomain' in borg_server_authorized_keys.stdout"
+          - "'cd /var/borg-server-molecule/test-host.localdomain; borg serve --restrict-to-path /var/borg-server-molecule/test-host.localdomain\"' in borg_server_authorized_keys.stdout"
+          - "'cd /var/borg-server-molecule/test-append.localdomain; borg serve --restrict-to-path /var/borg-server-molecule/test-append.localdomain --append-only\"' in borg_server_authorized_keys.stdout"
           - "'restrict ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDDyaA8lzdTJ7BCfINstM1IycLC7ghbVEz0reGj8v+s0+/+ltryuUNqrfVqud2vWhWWRsdW5l9c0RKESPEkReqe5qmzfArS1DicDjbS4O8ekhd4p2SgzFSRRm31W0C5KDnusc9f4xGenO4lKZW+AQ5qbQAoFr1l+6HyQU/7GRg0hcSN6obQwURIFj2SjsEav0Vv8BL9KkPG4p85YGiWxaNwsgmrNSx2qQjPFgKYUftF0oV4kCGIF8WdL5rwofGtHuCD7C7+8uKn4x7t6XetP8cti325y7LTlXcxe+OHJen0GhLAu4+u3q+z0uQipbiUMx3KhDDKMdM/kNrEtBkkCp0GQ+9yOT4Th9xK5ICX8LFIPWooCciF1vfNgF7y/UWdxtfX6d1aGqUchlSC1sh2NqvZujc04/3EzNtkZiulFBWLWAxwDMNgprL0OiPpwyGLqJILqizBt4MW7cTd73hZR6kSkmpkTupszWfbfa+g/qS35sMjcxJqzUbpOFE4V9cKeE0= molecule' in borg_server_authorized_keys.stdout"
 
     - name: Look for dirty file

diff --git a/roles/borg_server/templates/authorized_keys.j2 b/roles/borg_server/templates/authorized_keys.j2
@@ -1,3 +1,4 @@
 {% for host in borg_server_authorized_hosts %}
-command="cd {{ borg_server_backups_path }}/{{ host.name }}; borg serve --restrict-to-path {{ borg_server_backups_path }}/{{ host.name }}",restrict {{ host.key }}
+{% set append_only = " --append-only" if (host.append_only | d(false)) else '' %}
+command="cd {{ borg_server_backups_path }}/{{ host.name }}; borg serve --restrict-to-path {{ borg_server_backups_path }}/{{ host.name }}{{ append_only }}",restrict {{ host.key }}
 {% endfor %}