mirror of https://gitlab.archlinux.org/archlinux/infrastructure.git synced 2024-05-26 15:26:03 +02:00

Use restrict key option and relative borg command

No functional change; the "restrict" key option is a shorthand for:

- no-agent-forwarding
- no-port-forwarding
- no-X11-forwarding
- no-pty
- no-user-rc

It was added in OpenSSH 7.2 (2016-02-29) as a convenient way to specify
an authorized key should have "all current and future key restrictions"
applied to it.

Also switch to a relative borg command since its location is not really
standardized; on rsync.net it appears to be located under usr/local/bin
(though /usr/bin/borg works too, even if it doesn't exist!) and Hetzner
just forces its own command, ignoring ours. 🐱

The Borg documentation seems to agree with both the above alterations:

[1] https://borgbackup.readthedocs.io/en/stable/usage/serve.html
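The message above describes the option string every client key receives in the backup hosts' authorized_keys files. Below is an added example (not code from the Arch Linux infrastructure repository or from Borg) that parses such lines, coping with the commas and backslash-escaped quotes that may sit inside a `command="..."` value, and flags keys that lack a forced `borg serve` command with a path restriction, or that carry neither `restrict` nor the full pre-7.2 `no-*` set. The sample key file and the audit policy are constructed for the example.

```python
"""Audit a Borg authorized_keys file for forced-command hygiene.

Added example, not the repository's own code. Policy (an assumption):
every key must force 'borg serve' with --restrict-to-path or
--restrict-to-repository, and must carry 'restrict' or else the full
explicit no-* set that 'restrict' replaced.
"""

# Options that 'restrict' subsumes today (it may grow in future releases).
LEGACY_NO_OPTS = {
    "no-agent-forwarding",
    "no-port-forwarding",
    "no-x11-forwarding",
    "no-pty",
    "no-user-rc",
}

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")


def split_options(line):
    """Split one authorized_keys line into (options, key material).

    Options are comma separated, but a quoted value such as
    command="a,b" may itself contain commas and \\"-escaped quotes, so
    the line is walked character by character instead of str.split.
    Returns (None, None) for blank and comment lines.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None, None
    if line.startswith(KEY_TYPES):
        return [], line  # no options at all
    opts, cur, quoted, i = [], [], False, 0
    while i < len(line):
        ch = line[i]
        if quoted:
            if ch == "\\" and i + 1 < len(line):
                cur.append(line[i + 1])  # keep the escaped character
                i += 2
                continue
            if ch == '"':
                quoted = False
            else:
                cur.append(ch)
        elif ch == '"':
            quoted = True
        elif ch == ",":
            opts.append("".join(cur))
            cur = []
        elif ch.isspace():
            opts.append("".join(cur))
            return opts, line[i:].strip()
        else:
            cur.append(ch)
        i += 1
    return opts, ""  # options but no key material after them


def audit_line(line):
    """Return the list of problems for one line ([] when it is fine)."""
    opts, key = split_options(line)
    if opts is None:
        return []
    if not key:
        return ["no key material after options"]
    problems = []
    # sshd matches option names case-insensitively, so normalise them.
    names = {o.split("=", 1)[0].lower() for o in opts}
    cmd = next((o.split("=", 1)[1] for o in opts
                if o.lower().startswith("command=")), None)
    if cmd is None:
        problems.append("no forced command")
    else:
        argv = cmd.split()
        prog = argv[0].rsplit("/", 1)[-1] if argv else ""
        if prog != "borg" or argv[1:2] != ["serve"]:
            problems.append("forced command is not 'borg serve'")
        if not any(a.startswith(("--restrict-to-path",
                                 "--restrict-to-repository")) for a in argv):
            problems.append("borg serve has no --restrict-to-* option")
    if "restrict" not in names and not LEGACY_NO_OPTS <= names:
        missing = sorted(LEGACY_NO_OPTS - names)
        problems.append("missing 'restrict' (no-* options absent: "
                        + ", ".join(missing) + ")")
    return problems


def audit(text):
    """Map 1-based line numbers to their problems, for lines that have any."""
    findings = {}
    for n, line in enumerate(text.splitlines(), 1):
        probs = audit_line(line)
        if probs:
            findings[n] = probs
    return findings


# Constructed sample; the key blobs are placeholders, not real keys.
SAMPLE = """\
# constructed sample authorized_keys for the borg user
command="borg serve --restrict-to-path /backup/hostA",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERA hostA
command="/usr/bin/borg serve --restrict-to-path /backup/hostB",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-user-rc ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERB hostB
command="borg serve --restrict-to-path /backup/hostC" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERC hostC
restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERD hostD
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERE hostE
"""

if __name__ == "__main__":
    for n, probs in sorted(audit(SAMPLE).items()):
        print(f"line {n}: " + "; ".join(probs))
```

On the sample, lines 2 and 3 pass (the old explicit list and the new `restrict` form are treated as equivalent), line 4 lacks `restrict`, line 5 has no forced command, and line 6 has neither. Run it against a rendered template before pushing it to a storage box.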
Evangelos Foutras 2021-06-28 20:46:54 +03:00
parent 3fa8851afb
commit 3561a38398
GPG Key ID: 51E8B148A9999C34
3 changed files with 3 additions and 3 deletions


@ -37,5 +37,5 @@
user: borg
key: "{{ item.stdout }}"
manage_dir: true
key_options: "command=\"/usr/bin/borg serve --restrict-to-path {{ backup_dir }}/{{ item['item'] }}\",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-user-rc"
key_options: "command=\"borg serve --restrict-to-path {{ backup_dir }}/{{ item['item'] }}\",restrict"
with_items: "{{ ssh_keys.results }}"
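Review bot: with the forced command reduced to a bare `borg`, which binary runs now depends on the PATH that sshd hands the forced command (sshd executes it through the account's shell with `-c`, using its own default path rather than an interactive login PATH, unless `PermitUserEnvironment` is enabled), so this task deserves a follow-up check that `borg` resolves for the `borg` user on each managed host, for instance one `ssh -i <client key> borg@<host> borg --version` after the play (a suggested check, not part of the commit). Note also that sshd older than 7.2 treats `restrict` as an unknown option and rejects the whole key rather than falling back to fewer restrictions, so the new line is only equivalent to the old explicit list on 7.2 and later; on those versions it is strictly tighter, since it also picks up anything later releases add to `restrict`.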


@ -13,5 +13,5 @@
# Client machines keys
{% for client_key in client_ssh_keys.results %}
command="/usr/bin/borg serve --restrict-to-path {{ backup_dir }}/{{ client_key['item'] }}",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-user-rc {{ client_key['stdout'] }}
command="borg serve --restrict-to-path {{ backup_dir }}/{{ client_key['item'] }}",restrict {{ client_key['stdout'] }}
{% endfor %}
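Review bot: `--restrict-to-path {{ backup_dir }}/{{ client_key['item'] }}` lets the client open, and create, any repository below that directory; if each client is meant to reach exactly one repository, `--restrict-to-repository` (documented on the same `borg serve` page the commit message cites) is the narrower choice. Separately, `client_key['item']` is expanded unquoted inside the `command="..."` value, so a value containing whitespace, a comma or a double quote would alter the forced command's argv or break the option string; that is fine if it is always an inventory hostname, otherwise it is worth validating or quoting in the template.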


@ -13,5 +13,5 @@
# Client machines keys
{% for client_key in client_ssh_keys.results %}
command="/usr/bin/borg serve --restrict-to-path {{ backup_dir }}/{{ client_key['item'] }}",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-user-rc {{ client_key['stdout'] }}
command="borg serve --restrict-to-path {{ backup_dir }}/{{ client_key['item'] }}",restrict {{ client_key['stdout'] }}
{% endfor %}
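Review bot: this template body is identical to the previous file's (same loop, same forced-command line), so every change to the key options, this one included, has to be made in two places; generating both from one shared template, or including one from the other, would stop them drifting apart. The same caveat applies here: `--restrict-to-path` admits every repository under the directory, so `--restrict-to-repository` is tighter when a client should see only one, and the unquoted `client_key['item']` inside `command="..."` assumes the value is a plain hostname.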