A role to back up remote files as age-encrypted tarballs, using the users' SSH keys published on GitHub.
- The age encryption tool must be installed on the host running the playbook.
- Creates one or more tarballs of the paths defined in remote_backup_paths.
- Downloads the tarballs locally to a temporary path.
- Encrypts the tarballs to the combined SSH keys of all the GitHub users, fetched from the URI https://github.com/{user}.keys
- Safely deletes any unencrypted file left behind, using shred.
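
A pre-flight check for the encryption step above, as an added example that is not part of this role's code: it assumes the `.keys` responses have already been fetched, keeps only the key types age documents as SSH recipients (`ssh-ed25519` and `ssh-rsa`), and reports users who would be unable to decrypt the backup. The function name, usernames and key strings are constructed for illustration.

```python
# Added example, not part of the role: vet age recipients built from GitHub keys.

# SSH key types that age documents as usable recipients.
AGE_SSH_TYPES = {"ssh-ed25519", "ssh-rsa"}

# Constructed sample: text as served by https://github.com/{user}.keys,
# keyed by hypothetical username. Key bodies are placeholders, not real keys.
SAMPLE = {
    "alice": "ssh-ed25519 AAAAC3placeholderAlice\n"
             "ecdsa-sha2-nistp256 AAAAE2placeholderAlice\n",
    "bob": "sk-ssh-ed25519@openssh.com AAAAGnplaceholderBob\n",
    "carol": "",
    "dave": "ssh-rsa AAAAB3placeholderDave\n"
            "ssh-ed25519 AAAAC3placeholderAlice\n",
}


def build_recipients(keys_by_user):
    """Return (recipient_lines, users_without_usable_key).

    keys_by_user maps a GitHub username to the body of that user's .keys
    page, which lists one public key per line as "<type> <base64>".
    """
    recipients, locked_out, seen = [], [], set()
    for user, body in keys_by_user.items():
        usable = 0
        for line in body.splitlines():
            fields = line.split()
            if len(fields) < 2 or fields[0] not in AGE_SSH_TYPES:
                continue  # blank line, or a key type outside AGE_SSH_TYPES
            usable += 1
            key = (fields[0], fields[1])
            if key not in seen:  # the same key listed twice is written once
                seen.add(key)
                recipients.append(f"{fields[0]} {fields[1]} {user}")
        if usable == 0:
            # This user could never decrypt the backup: surface it now,
            # not on the day the backup is needed.
            locked_out.append(user)
    return recipients, locked_out


if __name__ == "__main__":
    lines, locked_out = build_recipients(SAMPLE)
    print("\n".join(lines))
    if locked_out:
        raise SystemExit(f"no age-compatible key for: {', '.join(locked_out)}")
```

The returned lines can be written to a file and passed to age with `-R`; a non-empty second value means at least one listed user has no key that can open the backup.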
The generated files follow the pattern `{ hostname }_{ path }_{ random string }.tgz.age`, converting any dots, slashes and asterisks. For example, `www_example_net__var_log_dmesg@_bxhlndi5.tgz.age` would be the backup of `/var/log/dmesg*` from `www.example.net`.
To decrypt the backup files, use the age tool with your SSH key published on GitHub, as in this example:

```
cat www_example_net__var_log_dmesg@_bxhlndi5.tgz.age | age -d -i ~/.ssh/id_ed25519 > www_example_net__var_log_dmesg@_bxhlndi5.tgz
tar xvzf www_example_net__var_log_dmesg@_bxhlndi5.tgz
```

| Variable | Description | Default Value |
|---|---|---|
| remote_backup_paths | Paths on the remote host(s) to generate the backups from (required) | [] |
| github_users | GitHub usernames whose SSH keys are fetched and used to encrypt (required) | [] |
| remote_backup_temp_path | Path on the remote host(s) to store the temporary tarballs | /tmp |
| local_backup_temp_path | Path on the localhost to store the temporary tarballs | /tmp |
| local_backup_destination | Destination path of the encrypted backups | ./ |

```
---
- hosts: all
  become: true
  vars:
    remote_backup_paths:
      - "/var/log/auth*"
      - "/etc/ssl/certs/"
    github_users:
      - "vdo"
      - "ahasna"
  roles:
    - vdo.age_backup
```

Apache License 2.0