From cb3ec07121f683f65ba5dc1a10487139a0b935aa Mon Sep 17 00:00:00 2001
From: Jeltz
Date: Mon, 15 Mar 2021 07:25:09 +0100
Subject: [PATCH] Use 'inventory_hostname' instead of 'ansible_fqdn'

While 'ansible_fdqn' can be changed by a compromised host, 'inventory_hostname' can't (hopefully). It should therefore no longer be possible for the said host to access the backups of another host.
---
 roles/borgbackup_client/tasks/main.yml | 29 ++------------------------
 1 file changed, 2 insertions(+), 27 deletions(-)

diff --git a/roles/borgbackup_client/tasks/main.yml b/roles/borgbackup_client/tasks/main.yml
index defe34f..f96b9a0 100644
--- a/roles/borgbackup_client/tasks/main.yml
+++ b/roles/borgbackup_client/tasks/main.yml
@@ -51,7 +51,7 @@
 group: root
 mode: u=rw,g=r,o=
 vars:
- borg_host_dir: "/borg/{{ ansible_fqdn }}"
+ borg_host_dir: "/borg/{{ inventory_hostname }}"

 - name: Create SSH key
 openssh_keypair:
@@ -63,36 +63,11 @@
 mode: u=rw,g=,o=
 register: ssh_key

-#- name: Gather server facts
-# delegate_to: "{{ borg_server_host }}"
-# delegate_facts: true
-# setup:
-# gather_subset:
-# - all
-# register: server_facts
-#
-#- name: Add server key to known hosts
-# known_hosts:
-# hash_host: true
-# host: "{{ hostname }}"
-# key: "{{ hostname }} {{ facts['ansible_ssh_host_key_' + item + '_public_keytype'] }} {{ facts['ansible_ssh_host_key_' + item + '_public'] }}"
-# loop:
-# - ecdsa
-# - ed25519
-# - rsa
-# vars:
-# hostname: {{ borg_server_host }}
-# facts: {{ server_facts['ansible_facts'] }}
-
 - name: Gather SSH host keys
 delegate_to: "{{ borg_server_host }}"
 command: "ssh-keyscan {{ borg_server_host }}"
 register: keys

-- name: DEBUG
- debug:
- var: keys.stdout_lines
-
 - name: Add server key to known hosts
 known_hosts:
 hash_host: true
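Review bot: `borg_host_dir` is set as a task-local `vars:` entry in the first hunk and again, with the same template, in the authorized_key task at the end of the patch, so the client-side directory and the server-side restriction can silently drift apart, which is exactly what this change is trying to prevent. Defining it once in the role's `defaults/main.yml` as `borg_host_dir: "/borg/{{ inventory_hostname }}"` and dropping the per-task `vars:` blocks keeps both sides in lockstep. The "(hopefully)" in the commit message can be stated more firmly: `inventory_hostname` is a magic variable the controller takes from the inventory, so unlike the fact it replaces it is not something the managed host can report or override. The task whose `vars:` block is edited here starts above the hunk.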
@@ -109,7 +84,7 @@
 key: "{{ ssh_key.public_key }}"
 key_options: "{{ options | join(',') }}"
 vars:
- borg_host_dir: "/borg/{{ ansible_fqdn }}"
+ borg_host_dir: "/borg/{{ inventory_hostname }}"
 options:
 - 'command="borg serve --restrict-to-path {{ borg_host_dir }}"'
 - no-agent-forwarding
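Review bot: The forced command on the last lines of the hunk confines a compromised client to its own directory, but it still lets that client delete or prune its own history, because `borg serve` runs without `--append-only`. Adding it, `'command="borg serve --append-only --restrict-to-path {{ borg_host_dir }}"'`, makes the repository write-once from the client's point of view, with pruning done through a separate trusted key or locally on the server. If each host gets a single repository, `--restrict-to-repository` is tighter than `--restrict-to-path`, and in either case it is worth testing two inventory names where one is a prefix of the other (`db`, `db2`), since I am not certain every borg version matches the restriction on path components rather than on a string prefix. The authorized_key task this `key_options` belongs to starts above the hunk.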