support append_only mode

tasks/borg-client.yml

@@ -25,7 +25,7 @@
   authorized_key:
     user: "{{ item.user }}"
     key: "{{ sshkey.stdout }}"
-    key_options: 'command="cd {{ item.home }}{{ item.pool }}/{{ inventory_hostname }};borg serve --restrict-to-path {{ item.home }}/{{ item.pool }}/{{ inventory_hostname }}",no-port-forwarding,no-X11-forwarding,no-pty,no-agent-forwarding,no-user-rc'
+    key_options: 'command="cd {{ item.home }}{{ item.pool }}/{{ inventory_hostname }};borg serve {% if borgbackup_appendonly %}--append-only {% endif %}--restrict-to-path {{ item.home }}/{{ item.pool }}/{{ inventory_hostname }}",no-port-forwarding,no-X11-forwarding,no-pty,no-agent-forwarding,no-user-rc'
   delegate_to: "{{ item.fqdn }}"
   when: item.type == 'normal'
   with_items: "{{ backupservers }}"
@@ -43,7 +43,7 @@
   authorized_key:
     user: "{{ ansible_user_id }}"
     key: "{{ sshkey.stdout }}"
-    key_options: 'command="cd {{ item.home }}{{ item.pool }}/{{ inventory_hostname }};borg serve --restrict-to-path {{ item.home }}/{{ item.pool }}/{{ inventory_hostname }}",no-port-forwarding,no-X11-forwarding,no-pty,no-agent-forwarding,no-user-rc'
+    key_options: 'command="cd {{ item.home }}{{ item.pool }}/{{ inventory_hostname }};borg serve {% if borgbackup_appendonly %}--append-only {% endif %}--restrict-to-path {{ item.home }}/{{ item.pool }}/{{ inventory_hostname }}",no-port-forwarding,no-X11-forwarding,no-pty,no-agent-forwarding,no-user-rc'
     path: "/tmp/rsync.net-{{ item.fqdn }}-authkeys"
     manage_dir: no
   delegate_to: localhost

tasks/main.yml

@@ -1,5 +1,4 @@
 ---
-
 - include: install.yml
   when: >
     borgbackup_required == True or
@@ -12,3 +11,8 @@
   when: >
     borgbackup_required == True and
     inventory_hostname not in groups.backupservers
+
+- include: management.yml
+  when: >
+    inventory_hostname in groups.borgbackup_management and
+    inventory_hostname not in groups.backupservers

tasks/management.yml

@@ -0,0 +1,55 @@
+---
+- name: management | put management station prune script
+  template:
+    src: prune.sh.j2
+    dest: "~{{ borgbackup_management_user }}/prune.sh"
+    owner: "{{ borgbackup_management_user }}"
+    group: "{{ borgbackup_management_user }}"
+    mode: 0700
+
+- name: management | put management sshpubkey on the normal backupserver
+  authorized_key:
+    user: "{{ item.user }}"
+    key: "{{ borgbackup_management_sshkey }}"
+  delegate_to: "{{ item.fqdn }}"
+  when: item.type == 'normal'
+  with_items: "{{ backupservers }}"
+
+
+# rsync.net has no python, so we can only use raw to manage ssh keys - workaround with local tmp file
+- name: management | get rsync.net authorized_keys file
+  raw: scp {{ item.user }}@{{ item.fqdn }}:.ssh/authorized_keys /tmp/rsync.net-{{ item.fqdn }}-authkeys
+  delegate_to: localhost
+  become: no
+  when: item.type == 'rsync.net'
+  with_items: "{{ backupservers }}"
+  changed_when: false
+
+- name: management | modify local rsync.net authorized_keys
+  authorized_key:
+    user: "{{ ansible_user_id }}"
+    key: "{{ borgbackup_management_sshkey }}"
+    path: "/tmp/rsync.net-{{ item.fqdn }}-authkeys"
+    manage_dir: no
+  delegate_to: localhost
+  become: no
+  when: item.type == 'rsync.net'
+  with_items: "{{ backupservers }}"
+  register: authkeys
+
+- name: management | upload local authorized_keys to rsync.net
+  raw: scp /tmp/rsync.net-{{ item.fqdn }}-authkeys {{ item.user }}@{{ item.fqdn }}:.ssh/authorized_keys
+  delegate_to: localhost
+  become: no
+  when: item.type == 'rsync.net' and authkeys.changed
+  with_items: "{{ backupservers }}"
+
+- name: management | remove tmp authorized_keys files
+  file:
+    path: /tmp/rsync.net-{{ item.fqdn }}-authkeys
+    state: absent
+  delegate_to: localhost
+  become: no
+  with_items: "{{ backupservers }}"
+  when: authkeys.changed
+  changed_when: false