From f23fc62adaa12fb22de2880d5367e3c2893661cf Mon Sep 17 00:00:00 2001
From: Bastian de Byl
Date: Thu, 5 Mar 2026 14:45:03 -0500
Subject: [PATCH] fix: move cloud backup keys and scripts out of container volume paths

SSH keys moved to /etc/ssh/backup_keys/ (ssh_home_t) and backup scripts to /usr/local/bin/ (bin_t) to fix SELinux denials - container_file_t context blocked rsync from exec'ing ssh. Also fixes skudak key path mismatch (was truenas_skudak, key deployed as truenas_skudak-cloud).

Co-Authored-By: Claude Opus 4.6
---
 .../roles/podman/tasks/containers/cloud-backup.yml | 13 ++++++++++++-
 .../roles/podman/tasks/containers/home/cloud.yml   |  4 ++--
 .../roles/podman/tasks/containers/skudak/cloud.yml |  4 ++--
 3 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/ansible/roles/podman/tasks/containers/cloud-backup.yml b/ansible/roles/podman/tasks/containers/cloud-backup.yml
index b4db6c1..00bd37d 100644
--- a/ansible/roles/podman/tasks/containers/cloud-backup.yml
+++ b/ansible/roles/podman/tasks/containers/cloud-backup.yml
@@ -1,12 +1,22 @@
 ---
+- name: create backup SSH key directory
+  become: true
+  ansible.builtin.file:
+    path: /etc/ssh/backup_keys
+    state: directory
+    owner: root
+    group: root
+    mode: 0700
+
 - name: deploy {{ backup_name }} backup SSH key
   become: true
   ansible.builtin.copy:
     content: "{{ ssh_key_content }}"
-    dest: "/root/.ssh/truenas_{{ backup_name }}"
+    dest: "{{ ssh_key_path }}"
     owner: root
     group: root
     mode: 0600
+    setype: ssh_home_t
 
 - name: template {{ backup_name }} backup script
   become: true
@@ -16,6 +26,7 @@
     owner: root
     group: root
     mode: 0755
+    setype: bin_t
 
 - name: template {{ backup_name }} backup systemd service
   become: true
diff --git a/ansible/roles/podman/tasks/containers/home/cloud.yml b/ansible/roles/podman/tasks/containers/home/cloud.yml
index 215da89..0dddc81 100644
--- a/ansible/roles/podman/tasks/containers/home/cloud.yml
+++ b/ansible/roles/podman/tasks/containers/home/cloud.yml
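Review bot: Changing `dest` from `/root/.ssh/truenas_{{ backup_name }}` to `{{ ssh_key_path }}` leaves the previously deployed private key in place under /root/.ssh on any host that already ran this role, and nothing in the patch removes it. An unmanaged copy of a backup key is the kind of file that gets missed at the next rotation, so a cleanup task belongs right after the new copy task. The directory task at the top of the hunk also creates /etc/ssh/backup_keys without a `setype`, so only the key file carries ssh_home_t while the directory keeps whatever label the policy assigns under /etc/ssh; I would add `setype: ssh_home_t` to the `ansible.builtin.file` task as well so both are labelled consistently.

```yaml
# … unchanged: create directory / deploy key tasks …
- name: remove legacy {{ backup_name }} backup SSH key from /root/.ssh
  become: true
  ansible.builtin.file:
    path: "/root/.ssh/truenas_{{ backup_name }}"
    state: absent
```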
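Review bot: `setype: bin_t` here, like `setype: ssh_home_t` in the first hunk, labels the file only at the moment the task writes it; a `restorecon` or a full relabel resets both paths to the policy's file-context defaults, and for /etc/ssh/backup_keys that default is unlikely to be ssh_home_t, so the rsync-to-ssh denial this commit fixes would reappear after the next relabel. The label should be pinned with a persistent fcontext rule followed by a restorecon, for example via `community.general.sefcontext` if that collection is available to this role. /usr/local/bin is normally bin_t by default policy, so the script label probably survives a relabel and this `setype` is mostly documentary; the key directory is the one that needs the rule. The template task this hunk extends starts outside the hunk.

```yaml
- name: persist SELinux label for backup SSH keys
  become: true
  community.general.sefcontext:
    target: '/etc/ssh/backup_keys(/.*)?'
    setype: ssh_home_t
    state: present

- name: apply SELinux label to backup SSH key directory
  become: true
  ansible.builtin.command: restorecon -Rv /etc/ssh/backup_keys
  register: backup_keys_restorecon
  changed_when: backup_keys_restorecon.stdout | length > 0
# … unchanged: template backup script / systemd service tasks …
```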
@@ -88,8 +88,8 @@
   vars:
     backup_name: cloud
     data_path: "{{ cloud_path }}/data"
-    ssh_key_path: /root/.ssh/truenas_cloud
+    ssh_key_path: /etc/ssh/backup_keys/cloud
     ssh_key_content: "{{ cloud_backup_ssh_key }}"
     ssh_user: cloud
     remote_path: /mnt/glacier/nextcloud
-    script_path: "{{ cloud_path }}/backup.sh"
+    script_path: /usr/local/bin/cloud-backup.sh
diff --git a/ansible/roles/podman/tasks/containers/skudak/cloud.yml b/ansible/roles/podman/tasks/containers/skudak/cloud.yml
index 6b6ca36..ab2df47 100644
--- a/ansible/roles/podman/tasks/containers/skudak/cloud.yml
+++ b/ansible/roles/podman/tasks/containers/skudak/cloud.yml
@@ -135,8 +135,8 @@
   vars:
     backup_name: skudak-cloud
     data_path: "{{ cloud_skudak_path }}/data"
-    ssh_key_path: /root/.ssh/truenas_skudak
+    ssh_key_path: /etc/ssh/backup_keys/skudak-cloud
     ssh_key_content: "{{ cloud_skudak_backup_ssh_key }}"
     ssh_user: skucloud
     remote_path: /mnt/glacier/skudakcloud
-    script_path: "{{ cloud_skudak_path }}/backup.sh"
+    script_path: /usr/local/bin/skudak-cloud-backup.sh
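Review bot: The old `script_path` value `{{ cloud_path }}/backup.sh` (and `{{ cloud_skudak_path }}/backup.sh` in the skudak/cloud.yml hunk) pointed into the container's data tree, and the commit only repoints the variable, so the previously templated root-owned 0755 script stays behind inside a path the container mounts, now unmanaged by the role. Since the whole point of the move is to get these files out of container-visible paths, each host file should drop the legacy script alongside the new vars; a task in the same file can do it because `cloud_path` is in scope there. Whether the old systemd unit still references the old script after this change cannot be seen from the hunk; worth confirming on a host that was provisioned before this commit. The include task that owns this `vars:` block starts outside the hunk.

```yaml
- name: remove legacy cloud backup script from container data path
  become: true
  ansible.builtin.file:
    path: "{{ cloud_path }}/backup.sh"
    state: absent
```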