feat(backup_server): add backup_path_clean option (#2)

roles/borg_server/README.md

@@ -35,11 +35,17 @@ The server uses these keys to restrict hosts into a single directory where they
 - Whether to set owner/group/mode for the backup directories
 - Should be left on unless you know what you're doing.
   Disabling this option can be useful, e.g. if you are using an NFS mount as your storage
-- Default: `yes`
+- Default: `true`
+
+##### `borg_server_backups_path_clean`
+- Remove any directories in the backups path that are not hosts in authorized_hosts
+- **WARNING:** This will cause data loss if other applications are writing into `borg_server_backups_path`
+- Default: `false`
 
 ##### `borg_server_authorized_hosts`
 - List of hosts that will have access to the backup server
 - Each entry is a dict containing the host name and its ssh public key
+- Required: yes
 - Example:
   ```yaml
   borg_server_authorized_hosts:
@@ -49,7 +55,6 @@ The server uses these keys to restrict hosts into a single directory where they
       key: ssh-rsa key-goes-here
     ...
   ```
-- Default: `false`
 
 ## Example Playbooks
 

roles/borg_server/defaults/main.yml

@@ -6,6 +6,7 @@ borg_server_config_path: /etc/borg-server
 
 borg_server_backups_path: /var/borg-server
 borg_server_backups_set_permissions: yes
+borg_server_backups_path_clean: no
 
 #borg_server_authorized_hosts:
 #  - name: myhost1.my.domain

roles/borg_server/molecule/default/converge.yml

@@ -6,6 +6,8 @@
       include_role:
         name: "borg_server"
       vars:
+        borg_server_backups_path_clean: yes
+        borg_server_backups_path: /var/borg-server-molecule
         borg_server_authorized_hosts:
           - name: "test-host.localdomain"
             key: "{{ lookup('file', 'files/id_rsa.pub') }}"

roles/borg_server/molecule/default/molecule.yml

@@ -11,8 +11,8 @@ platforms:
   #   use systemd functionality. This *should* be possible with unpriliged
   #   containers as well, but is quite the headache.
   # - they are connected to a shared network to allow simulating a remote CA
-  - name: borgmatic-ubuntu-20
-    hostname: borgmatic-ubuntu-20.localdomain
+  - name: borg-server-ubuntu-20
+    hostname: borg-server-ubuntu-20.localdomain
     groups:
       - ubuntu
     image: "geerlingguy/docker-ubuntu2004-ansible"
@@ -22,8 +22,8 @@ platforms:
     override_command: false
     pre_build_image: true
 
-  - name: borgmatic-ubuntu-18
-    hostname: borgmatic-ubuntu-18.localdomain
+  - name: borg-server-ubuntu-18
+    hostname: borg-server-ubuntu-18.localdomain
     groups:
       - ubuntu
     image: "geerlingguy/docker-ubuntu1804-ansible"
@@ -33,8 +33,8 @@ platforms:
     override_command: false
     pre_build_image: true
 
-  - name: borgmatic-debian-10
-    hostname: borgmatic-debian10.localdomain
+  - name: borg-server-debian-10
+    hostname: borg-server-debian10.localdomain
     groups:
       - ubuntu
     image: "geerlingguy/docker-debian10-ansible"

roles/borg_server/molecule/default/prepare.yml

@@ -5,3 +5,16 @@
         name:
           - openssh-server
         update_cache: yes
+
+- hosts: all
+  vars:
+    borg_server_backups_path:
+  tasks:
+    - name: Create backups path # noqa risky-file-permissions
+      file:
+        path: /var/borg-server-molecule
+        state: directory
+    - name: Add a dirty file to the backup directory # noqa risky-file-permissions
+      copy:
+        content: ""
+        dest: "/var/borg-server-molecule/molecule-dirty-file"

roles/borg_server/molecule/default/verify.yml

@@ -5,7 +5,7 @@
   tasks:
     - name: Look for backup host dir
       stat:
-        path: "/var/borg-server/test-host.localdomain"
+        path: "/var/borg-server-molecule/test-host.localdomain"
       register: borg_server_backup_dir
     - name: Verify that backup dir got created
       assert:
@@ -19,5 +19,13 @@
     - name: Verify that key is present
       assert:
         that:
-          - "'cd /var/borg-server/test-host.localdomain; borg serve --restrict-to-path /var/borg-server/test-host.localdomain' in borg_server_authorized_keys.stdout"
+          - "'cd /var/borg-server-molecule/test-host.localdomain; borg serve --restrict-to-path /var/borg-server-molecule/test-host.localdomain' in borg_server_authorized_keys.stdout"
           - "'restrict ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDDyaA8lzdTJ7BCfINstM1IycLC7ghbVEz0reGj8v+s0+/+ltryuUNqrfVqud2vWhWWRsdW5l9c0RKESPEkReqe5qmzfArS1DicDjbS4O8ekhd4p2SgzFSRRm31W0C5KDnusc9f4xGenO4lKZW+AQ5qbQAoFr1l+6HyQU/7GRg0hcSN6obQwURIFj2SjsEav0Vv8BL9KkPG4p85YGiWxaNwsgmrNSx2qQjPFgKYUftF0oV4kCGIF8WdL5rwofGtHuCD7C7+8uKn4x7t6XetP8cti325y7LTlXcxe+OHJen0GhLAu4+u3q+z0uQipbiUMx3KhDDKMdM/kNrEtBkkCp0GQ+9yOT4Th9xK5ICX8LFIPWooCciF1vfNgF7y/UWdxtfX6d1aGqUchlSC1sh2NqvZujc04/3EzNtkZiulFBWLWAxwDMNgprL0OiPpwyGLqJILqizBt4MW7cTd73hZR6kSkmpkTupszWfbfa+g/qS35sMjcxJqzUbpOFE4V9cKeE0= molecule' in borg_server_authorized_keys.stdout"
+
+    - name: Look for dirty file
+      stat:
+        path: /var/borg-server-molecule-molecule/molecule-dirty-file
+      register: borg_server_dirty_file
+    - name: Verify that dirty file got removed
+      assert:
+        that: not borg_server_dirty_file.stat.exists

roles/borg_server/tasks/main.yml

@@ -56,6 +56,21 @@
     loop: "{{ borg_server_authorized_hosts }}"
   when: not borg_server_backups_set_permissions
 
+- block:
+  - name: Get currently present directories and files
+    command: "python3 -c \"import os; import json; print(json.dumps(os.listdir('{{ borg_server_backups_path }}')));\""
+    changed_when: no
+    register: borg_server_backups_current_files
+  - name: Get files and directories to remove
+    set_fact:
+      borg_server_backups_to_remove: "{{ (borg_server_backups_current_files.stdout|from_json) | difference(borg_server_authorized_hosts|map(attribute='name')) }}"
+  - name: Clean directory of external files
+    file:
+      path: "{{ borg_server_backups_path }}/{{ item }}"
+      state: absent
+    loop: "{{ borg_server_backups_to_remove }}"
+  when: borg_server_backups_path_clean
+
 - name: authorized_keys is installed
   template:
     src: authorized_keys.j2