Backups: move secrets to config file

Allow run backup script with sudo
2025-12-07 15:14:55 +03:00
parent c74683cfe7
commit a95da35389
4 changed files with 209 additions and 168 deletions
--- a/playbook-backups.yml
+++ b/playbook-backups.yml
@@ -4,13 +4,39 @@

  vars_files:
    - vars/secrets.yml
-    - vars/secrets.yml

  vars:
+    backup_config_dir: "/etc/backup"
+    backup_config_file: "{{ (backup_config_dir, 'config.ini') | path_join }}"
+
    restic_shell_script: "{{ (bin_prefix, 'restic-shell.sh') | path_join }}"
    backup_all_script: "{{ (bin_prefix, 'backup-all.py') | path_join }}"

  tasks:
+    - name: "Create backup config directory"
+      ansible.builtin.file:
+        path: "{{ backup_config_dir }}"
+        state: "directory"
+        owner: root
+        group: root
+        mode: "0755"
+
+    - name: "Create backup config file"
+      ansible.builtin.template:
+        src: "files/backups/config.template.ini"
+        dest: "{{ backup_config_file }}"
+        owner: root
+        group: root
+        mode: "0640"
+
+    - name: "Allow user to run the backup script without a password"
+      ansible.builtin.lineinfile:
+        path: /etc/sudoers
+        state: present
+        line: "{{ primary_user }} ALL=(ALL) NOPASSWD: {{ backup_all_script }}"
+        validate: /usr/sbin/visudo -cf %s # ВАЖНО: проверка синтаксиса перед сохранением
+        create: no # Файл уже должен существовать
+
    - name: "Copy restic shell script"
      ansible.builtin.template:
        src: "files/backups/restic-shell.sh.j2"
@@ -20,8 +46,8 @@
        mode: "0700"

    - name: "Copy backup all script"
-      ansible.builtin.template:
-        src: "files/backups/backup-all.template.py"
+      ansible.builtin.copy:
+        src: "files/backups/backup-all.py"
        dest: "{{ backup_all_script }}"
        owner: root
        group: root