Installation

Installation with Ansible

Two roles are used to install the project:

• vbotka.rcb

• vbotka.rsnapshot

Important

• rsync must be installed both on rcb-clients and rcb- server (see Inventory hosts below).

• The roles vbotka.rcb and vbotka.rsnapshot configure rcb-clients only

• On rcb-clients, rsync will be installed by vbotka.rsnapshot as a requirement of rsnapshot

• On the rcb-server, it’s up to you to install rsync

1) Required collections

The roles vbotka.rcb and vbotka.rsnapshot require collection community.general. In addition to this, vbotka.rcb requires also community.crypto. These collections should be included in standard Ansible packages. If they are not or if you want to use the latest versions install them

shell> ansible-galaxy collections install community.crypto
shell> ansible-galaxy collections install community.general

2) Install rsnapshot

Use Ansible role vbotka.rsnapshot to install and configure rsnapshot on the clients.

shell> ansible-galaxy install vbotka.rsnapshot

Create playbook

shell> cat rsnapshot.yml
- hosts: rcb_clients
  become: true
  become_user: root
  become_method: sudo
  roles:
    - vbotka.rsnapshot

Configure rsnapshot

rsnapshot_test: true
rsnapshot_no_create_root: '0'
rsnapshot_backup_points:
  - {dir: /etc/, host: localhost/}
  - {dir: /usr/local/etc/, host: localhost/}
  - {dir: /var/backups/, host: localhost/}
rsnapshot_backup_points_test:
  - {dir: /scratch/rcb-test/, host: localhost/}
rsnapshot_exclude:
  - regex: '.git/'
  - regex: '.#*'

Run the playbook

shell> ansible-playbook rsnapshot.yml

3) Install rcb

Use Ansible roles vbotka.rcb and vbotka.ansible_lib

shell> ansible-galaxy install vbotka.rcb
shell> ansible-galaxy install vbotka.ansible_lib

Download the example of an Ansible project

Download the examples of the Ansible playbooks, inventory and configuration

shell> tree .
├── ansible.cfg
├── hosts
├── rcb-backup-server.yml
├── rcb-devel.yml
├── rcb_privatekey_passphrase.yml
└── rcb.yml

The playbooks rcb.yml and rcb-backup-server.yml configure the rcb-clients and rcb-server respectively (see Inventory hosts below). The playbook rcb-devel.yml is used in the development. The file rcb_privatekey_passphrase.yml keeps the passphrase. It’s plain-text for the purpose of testing. In production, you might want to encrypt it by Ansible vault or any other password management.

4) Configure rcb

Configuration ansible.cfg

In the configuration file ansible.cfg change roles_path to where you installed the role vbotka.rcb

[defaults]
inventory = $PWD/hosts
roles_path = $HOME/.ansible/roles
stdout_callback = yaml

Inventory hosts

In the inventory hosts, there are two groups. To test the project, there is only one host in each group. Later you might want add more clients and, optionally, more servers. Fit the hosts and the variables to your needs

[rcb_clients]
10.1.0.12

[rcb_clients:vars]
ansible_connection=ssh
ansible_user=admin
ansible_python_interpreter=/usr/bin/python3.10

[rcb_server]
10.1.0.10

[rcb_server:vars]
ansible_connection=ssh
ansible_user=admin
ansible_python_interpreter=/usr/local/bin/python3.8

Common variables in rcb.yml and rcb-backup-server.yml

Change the below variables in both playbooks:

• rcb_root_public_keys_dir: The directory on the Ansible controller to store the public keys of the clients.

• rcb_bck_dst: The directory on the backup server to store the backups.

• rcb_bck_user: The owner of the directory rcb_bck_dst

• rcb_bck_group: The group of the directory rcb_bck_dst

Playbook rcb.yml

In the playbook rcb.yml which will configure the client(s) in the inventory group rcb_clients, change at least following variables:

• rcb_bck_host: The backup server.

• rcb_rcb_bck_root: The directory on the client which will be synchronized to backup server {{ rcb_bck_dst }}/{{ ansible_hostname }}

• rcb_rcb_rst_root: The directory on the client where the backup from the server will be eventually restored.

• rcb_rcb_crt_root: The directory for the client certificate, keys, and passphrase.

• rcb_cert_cn: CN of the client certificate.

---

- hosts: rcb_clients
  become: true
  become_user: root
  become_method: sudo

  vars_files:
    - rcb_privatekey_passphrase.yml

  vars:

    rcb_bck_host: 10.1.0.10
    rcb_bck_dst: /export/rcbackup
    rcb_bck_dst_test: /export/rcbackup-test
    rcb_root_public_keys_dir: copy/rcb-root-ssh-pub-keys
    rcb_rcb_bck_root: /export/backup
    rcb_rcb_rst_root: /export/restore
    rcb_rcb_crt_root: /root/rcb/cert
    rcb_cert_cn: rcb_client_01.example.org

  roles:
    - vbotka.rcb

# EOF
...

Playbook rcb-backup-server.yml

In the playbook rcb-backup-server.yml which will configure the server(s) in the inventory group rcb_server, change at least the variable:

• rcb_bck_shell: The login shell of rcb_bck_user

---

- hosts: rcb_server
  become: true
  become_user: root
  become_method: sudo

  vars:

    rcb_root_public_keys_dir: copy/rcb-root-ssh-pub-keys
    rcb_bck_dst: /export/rcbackup
    rcb_bck_dst_test: /export/rcbackup-test
    rcb_bck_user: rcbackup
    rcb_bck_group: rcbackup
    rcb_bck_shell: /usr/local/bin/bash

  tasks:

    - name: "Create user {{ rcb_bck_user }}"
      ansible.builtin.user:
        name: "{{ rcb_bck_user }}"
        shell: "{{ rcb_bck_shell }}"
      register: rcbuser

    - name: "Create directories"
      ansible.builtin.file:
        state: directory
        path: "{{ item }}"
        owner: "{{ rcb_bck_user }}"
        group: "{{ rcb_bck_group }}"
        mode: '0700'
      loop:
        - "{{ rcb_bck_dst }}"
        - "{{ rcb_bck_dst_test }}"

    - name: "Debug Public keys"
      ansible.builtin.debug:
        msg: "Public key {{ item }}"
      with_fileglob: "{{ rcb_root_public_keys_dir }}/{{ inventory_hostname }}/*.id_rsa.pub"
      loop_control:
        label: "{{ item|basename }}"
      when: debug|d(false)|bool

    - name: "Set up authorized_keys for {{ rcb_bck_user }}
             to {{ rcb_root_public_keys_dir }}/{{ inventory_hostname }}"
      ansible.posix.authorized_key:
        user: "{{ rcb_bck_user }}"
        key: "{{ lookup('file', '{{ item }}')}}"
      with_fileglob: "{{ rcb_root_public_keys_dir }}/{{ inventory_hostname }}/*.id_rsa.pub"
      loop_control:
        label: "{{ item|basename }}"

# EOF
...

Note

You can customize this playbook and depending on the OS install the required rsync.

File rcb_privatekey_passphrase.yml

Create a file with passphrase to the private key of the client certificate

rcb_privatekey_passphrase: my secret passphrase

Include the file rcb_privatekey_passphrase.yml in the playbook rcb.yml. The passphrase will be used to generate OpenSSL:

• Private key {{ rcb_rcb_crt_root }}/backup.key

• Certificate Signing Request {{ rcb_rcb_crt_root }}/backup.csr

• Self Signed Certificate {{ rcb_rcb_crt_root }}/backup.crt

For later use, the passphrase will be stored in the file {{ rcb_privatekey_passphrase_file }} (default={{ rcb_rcb_crt_root }}/pem-pass-phrase).

See also

• Protecting sensitive data with Ansible vault

Important

• Enable DEFAULT_GATHERING. The variables ansible_os_family and ansible_distribution_* are needed to customize variables.

• The variable ansible_hostname is needed to configure rcb_clients.

Review the configuration

Enable both rcb_debug and rcb_debug_classified

shell> ansible-playbook -t rcb_debug -e rcb_debug=true -e rcb_debug_classified=true rcb.yml

PLAY [10.1.0.12] *********************************************************************************

TASK [Gathering Facts] ***********************************************************************
ok: [10.1.0.12]

TASK [vbotka.rcb : vars: Set variables for al_include_os_vars_path] **************************
ok: [10.1.0.12]

TASK [vars: Include OS vars] *****************************************************************

TASK [vbotka.ansible_lib : al_include_os_vars_path: Debug] ***********************************
skipping: [10.1.0.12]

TASK [vbotka.ansible_lib : al_include_os_vars_path: End of play when al_os_vars_path not defined] ***
skipping: [10.1.0.12]

TASK [vbotka.ansible_lib : al_include_os_vars_path: Vars from /home/admin/.ansible/roles/vbotka.rcb/vars/defaults] ***
ok: [10.1.0.12]

TASK [vbotka.ansible_lib : al_include_os_vars_path: Debug result] ****************************
skipping: [10.1.0.12]

TASK [vbotka.ansible_lib : al_include_os_vars_path: Vars from /home/admin/.ansible/roles/vbotka.rcb/vars] ***
ok: [10.1.0.12]

TASK [vbotka.rcb : debug: RCB] ***************************************************************
ok: [10.1.0.12] => 
  msg: |-
    ansible_architecture: x86_64
    ansible_os_family: Debian
    ansible_distribution: Ubuntu
    ansible_distribution_major_version: 22
    ansible_distribution_version: 22.04
    ansible_distribution_release: jammy
    ansible_python_version: 3.10.12
    ansible_hostname: rcb_client_01.example.org
  
    rcb_apt_update_cache: False
    ubuntu_cache_valid_time: 14400
    rcb_install: True
    rcb_packages:
      - bash
      - git
      - hashdeep
      - rsnapshot
      - rsyncrypto
      - mtree-netbsd
      - bsd-mailx
  
    rcb_source_version: 1.1.2
    rcb_source_ignore_current_lock: False
    rcb_source_file: 1.1.2.tar.gz
    rcb_source_dir: rcb-1.1.2
    rcb_source_dest: /usr/local/src
    rcb_source_url: https://github.com/vbotka/rcb/archive
  
    rcb_root_public_keys_dir: copy/rcb-root-ssh-pub-keys
    rcb_bin_dir: /root/bin
    rcb_etc_dir: /usr/local/etc
  
    rcb_conf: rcb.conf
    rcb_rsnapshot_conf: rsnapshot.conf
    rcb_backup_conf: False
    rcb_rcb_email: root
    rcb_rcb_bck_root: /export/backup
    rcb_rcb_bck_prefix: snapshots/hourly.0
    rcb_rsyncrypto_trim_e: 4
    rcb_rsyncrypto_trim_d: 3
    rcb_rcb_rst_root: /export/restore
    rcb_rcb_crt_root: /root/rcb/cert
  
    rcb_test: False
    rcb_conf_test: rcb-test.conf
    rcb_rsnapshot_conf_test: rsnapshot-test.conf
    rcb_bck_dst_test: /export/rcbackup-test
    rcb_rcb_bck_prefix_test: snapshots-test/hourly.0

    rcb_cert_cn: rcb_client_01.example.org
    rcb_privatekey_cipher: auto
    rcb_privatekey_passphrase_file: /root/rcb/cert/pem-pass-phrase
    rcb_privatekey_passphrase_owner: root
    rcb_privatekey_passphrase_group: admin
    rcb_privatekey_passphrase_mode: 0640
    rcb_bck_host: 10.1.0.10
    rcb_bck_user: rcbackup
    rcb_bck_group: rcbackup
    rcb_bck_dst: /export/rcbackup
    rcb_link_restore: True
  
    rcb_rsnapshot_cron: True
    rcb_rsnapshot_cron_user: root
    rcb_rsnapshot_cron_path: /root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    rcb_rsnapshot_cron_mailto : root
  
    rcb_privatekey_passphrase: my secret passphrase

PLAY RECAP ***********************************************************************************
10.1.0.12: ok=5    changed=0    unreachable=0    failed=0    skipped=3    rescued=0    ignored=0

5) Run Ansible playbooks

Following workflow was tested with Ubuntu rcb_clients and FreeBSD rcb_server.

phase1. Create root’s SSH keys on rcb-clients

Create root’s SSH keys on the hosts from the inventory group rcb_clients and store the public keys on the localhost in the directory {{ rcb_root_public_keys_dir }}/{{ rcb_bck_host }}/root-{{ ansible_hostname }}.id_rsa.pub. root on the hosts from the inventory group rcb_clients will be authorized to ssh to {{ rcb_bck_user }}@{{ rcb_bck_host }}

shell> ansible-playbook -t phase1 rcb.yml

Configure rcb-server

Create user {{ rcb_bck_user }}. Create directories for encrypted backups {{ rcb_bck_dst }} and to test the encrypted backups {{ rcb_bck_dst_test }}. Configure the ssh access of rcb_clients to rcb_server. Put the root’s public keys of rcb_clients, created in phase1, into the ~/.ssh/authorized_keys of {{ rcb_bck_user }} on the host(s) from the inventory group rcb_server.

shell> ansible-playbook rcb-backup-server.yml

phase2. Configure rcb-clients

shell> ansible-playbook -t phase2 rcb.yml