From 55e67e987d7b80b09c350da119d8ab76a9e3c05e Mon Sep 17 00:00:00 2001
From: camille
Date: Tue, 3 Jan 2023 16:55:38 +0100
Subject: [PATCH] add feature to use only one key for many servers and some improvements
---
 defaults/main.yml | 27 ++++++-
 tasks/duplicity.yml | 161 ++++++++++++++++++++++++++++++++++----
 tasks/main.yml | 2 +-
 templates/exclude.list.j2 | 29 ++-----
 4 files changed, 182 insertions(+), 37 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index f85c227..555b86c 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,9 +1,10 @@
 ---
 # duplicity
+duplicity_oneforall_key: False
 duplicity_archive_dir: '/duplicity'
 duplicity_gpg_real_name: 'duplicity'
-duplicity_gpg_email: 'backup@localhost'
+duplicity_gpg_email: 'team-lca@alterway.fr'
 duplicity_cron_backup_minute: '0'
 duplicity_cron_backup_hour: '3'
@@ -16,3 +17,27 @@
 duplicity_full_older_than: '6'
 duplicity_remove_older_than: '8'
 duplicity_exclude_filelist: '/etc/duplicity/exclude.list'
+duplicity_list:
+  - /var/lib/bareos
+  - /dev
+  - /media
+  - /mnt
+  - /proc
+  - /sys
+  - /tmp
+  - /var/cache
+  - /var/tmp
+  - /var/lib/mongodb
+  - /var/lib/mysql
+  - /var/lib/postgresql
+  - /var/lib/redis
+  - /var/lib/solr
+  - /var/lib/elasticsearch
+  - /var/spool/postfix
+  - /var/www
+  - /VMs
+  - /.journal
+  - /.fsck
+  - /zpve
+
+duplicity_list_custom:
diff --git a/tasks/duplicity.yml b/tasks/duplicity.yml
index 7138ebd..b47fc8b 100644
--- a/tasks/duplicity.yml
+++ b/tasks/duplicity.yml
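Review bot: The new default for `duplicity_gpg_email` is an organisation-specific address, so every consumer of this role that does not override it now generates its backup GPG identity against that mailbox; a role default should stay neutral (the previous `backup@localhost`) and the real address belongs in group_vars or inventory. `duplicity_oneforall_key: False` uses the capitalised YAML 1.1 boolean; write `duplicity_oneforall_key: false` and, in the tasks, test it with `| bool` rather than `== True` / `== False`. A one-line comment above it, e.g. `# true: generate one GPG key on the controller and distribute it to every host; false: one key per host`, would explain what "oneforall" means, since the name alone does not.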
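Review bot: `duplicity_list_custom:` with no value is null rather than an empty list, which the template then has to special-case; `duplicity_list_custom: []` is the conventional empty default and lets the template loop over it directly. A comment above `duplicity_list:` such as `# Paths kept out of the backup; overriding this replaces the whole set (including /proc, /sys, /dev) — use duplicity_list_custom to add entries` would document the contract, since this list now governs which data (database stores, web roots) never reaches the S3 target. The names `duplicity_list` / `duplicity_list_custom` do not say they are exclusions; something like `duplicity_exclude_paths` would read better next to the existing `duplicity_exclude_filelist`, if a rename is still acceptable at this stage.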
@@ -7,27 +7,48 @@
     - duplicity_s3_passphrase is defined
     - duplicity_s3_access_key is defined
     - duplicity_s3_secret_key is defined
-  tags: ['backup_duplicity']
+  tags: ['backup']
 - name: duplicity | install packages
   apt:
     name:
       - duplicity
     state: present
-  tags: ['backup_duplicity']
+  tags: ['backup']
-- name: duplicity | check for dedicated GPG key
+- name: duplicity | check for dedicated GPG key standalone
   shell: |
     gpg --list-options show-only-fpr-mbox --list-secret-keys -a "{{ duplicity_gpg_real_name }}" | awk '{print $1}'
   register: duplicity_get_key
-  tags: ['backup_duplicity']
+  when:
+    - duplicity_oneforall_key == False
+  tags: ['backup']
+
+- name: duplicity | check for dedicated GPG key infra
+  shell: |
+    gpg --list-options show-only-fpr-mbox --list-secret-keys -a "{{ duplicity_gpg_real_name }}" | awk '{print $1}'
+  register: duplicity_get_key
+  delegate_to: localhost
+  when:
+    - duplicity_oneforall_key == True
+  tags: ['backup']
 - set_fact:
     duplicity_gpg_key: "{{ duplicity_get_key.stdout }}"
-  when: duplicity_get_key.stdout != ''
-  tags: ['backup_duplicity']
+  when:
+    - duplicity_oneforall_key == False
+    - duplicity_get_key.stdout != ''
+  tags: ['backup']
-- name: duplicity | generate dedicated GPG key
+- set_fact:
+    duplicity_gpg_key: "{{ duplicity_get_key.stdout }}"
+  delegate_to: localhost
+  when:
+    - duplicity_oneforall_key == True
+    - duplicity_get_key.stdout != ''
+  tags: ['backup']
+
+- name: duplicity | generate dedicated GPG key standalone
   shell: |
     gpg --batch --gen-key < /home/ansible/{{ duplicity_gpg_real_name }}_public.key
+  delegate_to: localhost
+  when:
+    - duplicity_oneforall_key == True
+    - duplicity_gpg_key_remote is undefined
+  tags: ['backup']
+
+- name: duplicity | export private key
+  shell: |
+    gpg --export-secret-key -a "{{ duplicity_gpg_real_name }}" > /home/ansible/{{ duplicity_gpg_real_name }}_private.key
+  delegate_to: localhost
+  when:
+    - duplicity_oneforall_key == True
+    - duplicity_gpg_key_remote is undefined
+  tags: ['backup']
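Review bot: `delegate_to: localhost` on the second `set_fact` has no effect as far as I can tell — a fact set by a delegated task still lands on `inventory_hostname` unless `delegate_facts: true` is given — so the line is misleading and can be dropped; the managed host is where the later cron tasks need `duplicity_gpg_key` anyway. The two `check for dedicated GPG key` tasks run the same read-only `gpg --list-secret-keys` pipeline and neither sets `changed_when: false`, so every play reports them as changed; add `changed_when: false` to both. The `when:` lists compare a boolean with `== True` / `== False`; ansible-lint flags this, and `duplicity_oneforall_key | bool` / `not duplicity_oneforall_key | bool` also survives a string value coming from the inventory. The hunk ends inside the `generate dedicated GPG key standalone` task, and the page appears to have lost text between its gen-key heredoc and the public-key export, so the rest of that task is not reviewed here.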
+
+- name: duplicity | copy keys to the server
+  copy:
+    src: "{{ item }}"
+    dest: "{{ item }}"
+  with_items:
+    - "/home/ansible/{{ duplicity_gpg_real_name }}_public.key"
+    - "/home/ansible/{{ duplicity_gpg_real_name }}_private.key"
+  when:
+    - duplicity_oneforall_key == True
+    - duplicity_gpg_key_remote is undefined
+  tags: ['backup']
+
+- name: duplicity | import keys to the server
+  shell: |
+    gpg --import {{ item }}
+  with_items:
+    - "/home/ansible/{{ duplicity_gpg_real_name }}_public.key"
+    - "/home/ansible/{{ duplicity_gpg_real_name }}_private.key"
+  when:
+    - duplicity_oneforall_key == True
+    - duplicity_gpg_key_remote is undefined
+  tags: ['backup']
+
+- name: duplicity | import ownertrust
+  shell: "/usr/bin/echo '{{ duplicity_gpg_key }}:6:' |/usr/bin/gpg --import-ownertrust"
+  when:
+    - duplicity_oneforall_key == True
+    - duplicity_gpg_key_remote is undefined
+  tags: ['backup']
+
+- name: duplicity | delete exported keys
+  ansible.builtin.file:
+    path: '{{ item }}'
+    state: absent
+  with_items:
+    - "/home/ansible/{{ duplicity_gpg_real_name }}_public.key"
+    - "/home/ansible/{{ duplicity_gpg_real_name }}_private.key"
+  delegate_to: localhost
+  when:
+    - duplicity_oneforall_key == True
+    - duplicity_gpg_key_remote is undefined
+  tags: ['backup']
+
+- name: duplicity | delete exported keys on remote
+  ansible.builtin.file:
+    path: '{{ item }}'
+    state: absent
+  with_items:
+    - "/home/ansible/{{ duplicity_gpg_real_name }}_public.key"
+    - "/home/ansible/{{ duplicity_gpg_real_name }}_private.key"
+  when:
+    - duplicity_oneforall_key == True
+    - duplicity_gpg_key_remote is undefined
+  tags: ['backup']
 - name: duplicity | create configuration directory
   file:
     path: /etc/duplicity
     state: directory
     mode: '0755'
-  tags: ['backup_duplicity']
+  tags: ['backup']
 - name: duplicity | copy configuration file
   template:
@@ -60,7 +193,7 @@
     owner: root
     group: root
     mode: 0600
-  tags: ['backup_duplicity']
+  tags: ['backup']
 - name: duplicity | copy exclude.list
   template:
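Review bot: The `copy keys to the server` task ships the exported private key without a `mode:`, so `/home/ansible/{{ duplicity_gpg_real_name }}_private.key` is created on every host with the remote user's default umask until `delete exported keys on remote` runs, and any failure in between leaves it behind. Add `mode: '0600'` to the copy, restrict the export on the controller the same way (a `umask 077` before the `gpg --export-secret-key` redirect), wrap the copy/import/delete steps in a block whose `always:` section holds the two delete tasks so cleanup happens even when the import fails, and set `no_log: true` on the copy so the armored key is not echoed in `--diff` output. Nothing in the visible diff registers or sets `duplicity_gpg_key_remote`, so unless it is defined in the part of this hunk the page lost, the whole export/copy/import/delete chain repeats on every run. In the same path `import ownertrust` interpolates `duplicity_gpg_key`, which the earlier `set_fact` only defines when the controller already had a key; on the run that generates it the variable looks undefined unless it is re-registered in the lost portion. This hunk's header is not visible, so its starting point is unknown.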
@@ -69,7 +202,7 @@
     owner: root
     group: root
     mode: 0644
-  tags: ['backup_duplicity']
+  tags: ['backup']
 - name: duplicity | create backup cronjob
   cron:
@@ -83,7 +216,7 @@
     job: "source /etc/duplicity/duplicity.cnf && duplicity --encrypt-key {{ duplicity_gpg_key }} --s3-use-new-style -v 4 --archive-dir={{ duplicity_archive_dir }} --full-if-older-than {{ duplicity_full_older_than }}D / \"{{ duplicity_s3_path }}\" --exclude-filelist {{ duplicity_exclude_filelist }}"
   when:
     - duplicity_gpg_key is defined
-  tags: ['backup_duplicity']
+  tags: ['backup']
 - name: duplicity | create cleanup cronjob
   cron:
@@ -97,4 +230,4 @@
     job: "source /etc/duplicity/duplicity.cnf && duplicity --encrypt-key {{ duplicity_gpg_key }} --force --s3-use-new-style -v 4 remove-older-than {{ duplicity_remove_older_than }}D \"{{ duplicity_s3_path }}\""
   when:
     - duplicity_gpg_key is defined
-  tags: ['backup_duplicity']
+  tags: ['backup']
diff --git a/tasks/main.yml b/tasks/main.yml
index fa8fc50..49e394c 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -7,6 +7,6 @@
   service: "{{ item }}"
   include_tasks: "{{ item }}.yml"
   tags:
-    - backup_duplicity
+    - backup
   with_items:
     - "{{ backup_services }}"
diff --git a/templates/exclude.list.j2 b/templates/exclude.list.j2
index 53445cd..284d7f4 100644
--- a/templates/exclude.list.j2
+++ b/templates/exclude.list.j2
@@ -1,21 +1,8 @@
-/var/lib/bareos
-/dev
-/media
-/mnt
-/proc
-/sys
-/tmp
-/var/cache
-/var/tmp
-/var/lib/mongodb
-/var/lib/mysql
-/var/lib/postgresql
-/var/lib/redis
-/var/lib/solr
-/var/lib/elasticsearch
-/var/spool/postfix
-/var/www
-/VMs
-/.journal
-/.fsck
-/zpve
+{% for exclude in duplicity_list -%}
+{{ exclude }}
+{% endfor %}
+{% if duplicity_list_custom is iterable %}
+{% for exclude in duplicity_list_custom -%}
+{{ exclude }}
+{% endfor %}
+{% endif %}
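Review bot: `duplicity_list_custom is iterable` is also true for a plain string, so an inventory that sets `duplicity_list_custom: /srv/data` renders one character per line into the exclude list instead of one path; with the default leaving the variable as bare null, the guard only covers the unset case. Either reject scalars explicitly (`{% if duplicity_list_custom is iterable and duplicity_list_custom is not string %}`) or, better, default the variable to `[]` in `defaults/main.yml` and loop without the `if`: `{% for exclude in duplicity_list_custom | default([], true) -%}`. Since this template now decides which directories (database stores, `/var/www`, pseudo-filesystems) stay out of the S3 backup, a one-line Jinja comment at the top naming the two variables and stating that `duplicity_list` replaces the built-in set rather than extending it would help the next reader.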