SSH keys moved to /etc/ssh/backup_keys/ (ssh_home_t) and backup scripts to /usr/local/bin/ (bin_t) to fix SELinux denials - container_file_t context blocked rsync from exec'ing ssh. Also fixes skudak key path mismatch (was truenas_skudak, key deployed as truenas_skudak-cloud). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
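# Private-key directory for the backup jobs. Root-only (0700) so the key
# deployed into it is not readable by other local users.
- name: create backup SSH key directory
  become: true
  ansible.builtin.file:
    path: /etc/ssh/backup_keys
    state: directory
    owner: root
    group: root
    # Quoted: an unquoted 0700 is parsed by YAML as an octal int and only works
    # by accident; quoting removes the decimal/octal ambiguity ansible-lint
    # (risky-octal) flags.
    mode: "0700"
    # Label the directory the same way as the key copied into it, so the two
    # stay consistent and files placed here by hand normally inherit a type the
    # ssh client can read. setype only relabels this path once — it is not
    # recorded in the SELinux file-context database, so a restorecon/relabel
    # would revert it; add a community.general.sefcontext rule if the label
    # must survive that.
    setype: ssh_home_t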
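# Deploy the private key the backup script authenticates with. The key material
# arrives in a variable, so it must be kept out of task output.
- name: deploy {{ backup_name }} backup SSH key
  become: true
  # Without no_log the task result, and the --diff view when the file changes,
  # would print the private key.
  no_log: true
  ansible.builtin.copy:
    # Normalize to exactly one trailing newline: OpenSSH refuses a private key
    # whose last line is not newline-terminated ("invalid format"), and that
    # newline is easily lost when the key is stored in a vault variable.
    content: "{{ ssh_key_content | trim }}\n"
    # Expected to live under /etc/ssh/backup_keys (created by the directory
    # task); nothing here enforces that, so keep ssh_key_path consistent.
    dest: "{{ ssh_key_path }}"
    owner: root
    group: root
    mode: "0600"
    # One-off relabel so the ssh client may read the key; not persisted in the
    # file-context database, so a restorecon would revert it to the /etc/ssh
    # default (use community.general.sefcontext for a persistent rule).
    setype: ssh_home_t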
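# Install the backup script under a bin_t label. Per the commit message, a copy
# living on a container_file_t path was denied when rsync tried to exec ssh;
# an executable label lets the service domain run it.
- name: template {{ backup_name }} backup script
  become: true
  ansible.builtin.template:
    src: nextcloud/cloud-backup.sh.j2
    dest: "{{ script_path }}"
    owner: root
    group: root
    # Quoted so the octal mode is not subject to YAML int parsing.
    mode: "0755"
    # /usr/local/bin is already bin_t under the default policy; the explicit
    # label mainly covers a script_path elsewhere. Like any setype, it is a
    # one-off relabel and does not survive restorecon.
    setype: bin_t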
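# systemd service unit that runs the backup script; one unit per backup_name.
- name: template {{ backup_name }} backup systemd service
  become: true
  ansible.builtin.template:
    src: nextcloud/cloud-backup.service.j2
    dest: "/etc/systemd/system/{{ backup_name }}-backup.service"
    owner: root
    group: root
    # Quoted so the octal mode is not subject to YAML int parsing.
    mode: "0644"
  # Template-local name of the instance this unit belongs to.
  vars:
    instance_name: "{{ backup_name }}"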
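# systemd timer that schedules the matching <backup_name>-backup.service.
- name: template {{ backup_name }} backup systemd timer
  become: true
  ansible.builtin.template:
    src: nextcloud/cloud-backup.timer.j2
    dest: "/etc/systemd/system/{{ backup_name }}-backup.timer"
    owner: root
    group: root
    # Quoted so the octal mode is not subject to YAML int parsing.
    mode: "0644"
  # Template-local name of the instance this unit belongs to.
  vars:
    instance_name: "{{ backup_name }}"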
# Activate the timer. The daemon-reload is unconditional, so unit files
# templated earlier in the play are picked up before the timer is started.
- name: enable and start {{ backup_name }} backup timer
  become: true
  ansible.builtin.systemd:
    daemon_reload: true
    name: '{{ backup_name }}-backup.timer'
    state: started
    enabled: true