Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/vdo/ansible-gpg-backup

Ansible role to backup remote files using GnuPG (PGP) encryption
https://github.com/vdo/ansible-gpg-backup

Last synced: 23 days ago
JSON representation

Ansible role to backup remote files using GnuPG (PGP) encryption

Host: GitHub
URL: https://github.com/vdo/ansible-gpg-backup
Owner: vdo
License: apache-2.0
Created: 2023-10-05T08:24:37.000Z (about 1 year ago)
Default Branch: main
Last Pushed: 2023-10-06T12:53:12.000Z (about 1 year ago)
Last Synced: 2024-04-18T12:24:15.108Z (8 months ago)
Homepage:
Size: 9.77 KB
Stars: 0
Watchers: 1
Forks: 0
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

        vdo.gpg_backup

==============

A role to backup remote files using [GnuPG](https://gnupg.org/) to encrypt tarballs, importing keys if necessary.

Requirements

------------

* [GnuPG](https://gnupg.org/) encryption tool must be installed in the host running the playbook. It's included in most distributions.

How this role works

-------------------

* Creates one or more tarballs of the paths defined in `remote_backup_paths`.

* Downloads the tarballs locally to a temporary path.

* Encrypts the tarballs with all the recipients defined. Any single recipient can decrypt the files!

* Safely deletes any unencrypted file left behind, using [shred](https://linux.die.net/man/1/shred).

The generated files follow the pattern: `{ hostname }_{ path }_{ random string }.tgz.gpg`, converting any dots, slashes and asterisks, for example: `www_example_net__var_log_dmesg@_bxhlndi5.tgz.gpg` would be the backup of `/var/log/dmesg*` from `www.example.net`.

The recipient strings can be any of the GnuPG accepted user ids, and [they can be many](https://www.gnupg.org/documentation/manuals/gnupg/Specify-a-User-ID.html). The recommended one is the **fingerprint**, to avoid ambiguities.

Note: The imported key(s) will be assumed as valid in any case.

Role Variables

--------------

|Variable|Description|Default Value

|---|---|---|

|`remote_backup_paths`| Paths on the remote host(s) to generate the backups from (required) | []

|`gpg_recipients`| User ID(s) of the public keys used to encrypt (required)| []

|`gpg_keyserver`| PGP keystore server to use, in case keys are imported | `hkps://keys.openpgp.org`

|`gpg_import_keys`| User ID(s) of the public keys to be imported from the keyserver | []

|`remote_backup_temp_path`| Path in the remote host(s) to store the temporal tarballs |`/tmp`

|`local_backup_temp_path`| Path in the localhost to store the temporal tarballs |`/tmp`

|`local_backup_destination`| Destination path of the encrypted backups |`./`

Example Playbook

----------------

```yaml

---

- hosts: all

  become: true

  vars:

    remote_backup_paths:

      - "/var/log/audit/*"

      - "/etc/ssl/certs/"

    gpg_recipients:

      - "DE4EFCA3E1AB9E41CE96CECB18C09E865EC948A1"

      - "[email protected]"

    gpg_keyserver: 'keyserver.ubuntu.com'

    gpg_import_keys: 

      - "DE4EFCA3E1AB9E41CE96CECB18C09E865EC948A1"

  roles:

    - vdo.gpg_backup

```

License

-------

Apache License 2.0