bastian/deploy_home
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: move cloud backup keys and scripts out of container volume paths

Browse Source 
SSH keys moved to /etc/ssh/backup_keys/ (ssh_home_t) and backup scripts
to /usr/local/bin/ (bin_t) to fix SELinux denials - container_file_t
context blocked rsync from exec'ing ssh. Also fixes skudak key path
mismatch (was truenas_skudak, key deployed as truenas_skudak-cloud).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Bastian de Byl
2026-03-05 14:45:03 -05:00
parent d4b01468ba
commit f23fc62ada
3 changed files with 16 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
ansible/roles/podman/tasks/containers/cloud-backup.yml
View File

@@ -1,12 +1,22 @@
--- ---
- name: create backup SSH key directory
become: true
ansible.builtin.file:
path: /etc/ssh/backup_keys
state: directory
owner: root
group: root
mode: 0700
- name: deploy {{ backup_name }} backup SSH key - name: deploy {{ backup_name }} backup SSH key
become: true become: true
ansible.builtin.copy: ansible.builtin.copy:
content: "{{ ssh_key_content }}" content: "{{ ssh_key_content }}"
dest: "/root/.ssh/truenas_{{ backup_name }}" dest: "{{ ssh_key_path }}"
owner: root owner: root
group: root group: root
mode: 0600 mode: 0600
setype: ssh_home_t
- name: template {{ backup_name }} backup script - name: template {{ backup_name }} backup script
become: true become: true
@@ -16,6 +26,7 @@
owner: root owner: root
group: root group: root
mode: 0755 mode: 0755
setype: bin_t
- name: template {{ backup_name }} backup systemd service - name: template {{ backup_name }} backup systemd service
become: true become: true

4
ansible/roles/podman/tasks/containers/home/cloud.yml
View File

@@ -88,8 +88,8 @@
vars: vars:
backup_name: cloud backup_name: cloud
data_path: "{{ cloud_path }}/data" data_path: "{{ cloud_path }}/data"
ssh_key_path: /root/.ssh/truenas_cloud ssh_key_path: /etc/ssh/backup_keys/cloud
ssh_key_content: "{{ cloud_backup_ssh_key }}" ssh_key_content: "{{ cloud_backup_ssh_key }}"
ssh_user: cloud ssh_user: cloud
remote_path: /mnt/glacier/nextcloud remote_path: /mnt/glacier/nextcloud
script_path: "{{ cloud_path }}/backup.sh" script_path: /usr/local/bin/cloud-backup.sh

4
ansible/roles/podman/tasks/containers/skudak/cloud.yml
View File

@@ -135,8 +135,8 @@
vars: vars:
backup_name: skudak-cloud backup_name: skudak-cloud
data_path: "{{ cloud_skudak_path }}/data" data_path: "{{ cloud_skudak_path }}/data"
ssh_key_path: /root/.ssh/truenas_skudak ssh_key_path: /etc/ssh/backup_keys/skudak-cloud
ssh_key_content: "{{ cloud_skudak_backup_ssh_key }}" ssh_key_content: "{{ cloud_skudak_backup_ssh_key }}"
ssh_user: skucloud ssh_user: skucloud
remote_path: /mnt/glacier/skudakcloud remote_path: /mnt/glacier/skudakcloud
script_path: "{{ cloud_skudak_path }}/backup.sh" script_path: /usr/local/bin/skudak-cloud-backup.sh