From 00e6a694de7c5d95cd899cea87a5e26110831aef Mon Sep 17 00:00:00 2001 From: Sheppy Date: Sun, 15 Jan 2023 17:26:54 +0100 Subject: [PATCH] feat: slapd via slapcat backup --- group_vars/all.yaml | 3 ++ group_vars/usermanagement.yaml | 3 ++ roles/backup-vm/files/backup_priv_key | 38 +++++++++++++++++ roles/backup-vm/files/config | 3 ++ roles/backup-vm/tasks/main.yaml | 42 +++++++++++++++++++ roles/backup-vm/templates/slapd_backup.sh | 14 +++++++ roles/base/tasks/main.yaml | 16 +++++++ .../base/templates/authorized_keys_sheppy.j2 | 3 ++ .../files/services_async.conf | 9 ++++ roles/sshd-config/tasks/main.yaml | 5 +++ roles/usermanagement/files/slapd_backup.sh | 8 ++++ roles/usermanagement/tasks/ldap.yaml | 13 ++++++ 12 files changed, 157 insertions(+) create mode 100644 roles/backup-vm/files/backup_priv_key create mode 100644 roles/backup-vm/files/config create mode 100644 roles/backup-vm/templates/slapd_backup.sh create mode 100644 roles/base/templates/authorized_keys_sheppy.j2 create mode 100644 roles/usermanagement/files/slapd_backup.sh diff --git a/group_vars/all.yaml b/group_vars/all.yaml index 5f752bf..119aefa 100644 --- a/group_vars/all.yaml +++ b/group_vars/all.yaml @@ -1,6 +1,8 @@ --- checks: +extra_sheppy_pubkeys: nsca_server: 192.168.122.107 +ldap_server: 192.168.122.112 nsca_password: HISTORY_PURGED_SECRET RSYSLOG_SERVER: internal.monitoring.atlantishq.de influxdb_telegraf_password: HISTORY_PURGED_SECRET @@ -20,6 +22,7 @@ async_icinga_static_services: - { "name" : "backup_kathi_laptop", "timeout" : "30d", "token" : "HISTORY_PURGED_SECRET" } - { "name" : "mail_atlantishq", "timeout" : "1h", "token" : "HISTORY_PURGED_SECRET" } - { "name" : "ths_caldav_backup", "timeout" : "2d", "token" : "HISTORY_PURGED_SECRET" } + - { "name" : "slapd_backup", "timeout" : "2d", "token" : "HISTORY_PURGED_SECRET" } keycloak_admin_password: HISTORY_PURGED_SECRET keycloak_postgres_password: HISTORY_PURGED_SECRET 
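Review bot: The new `slapd_backup` entry in `async_icinga_static_services` (second hunk of `group_vars/all.yaml`) carries its token as a literal, so the credential sits in plaintext in the repository. The same token is repeated as a literal in `roles/backup-vm/templates/slapd_backup.sh`, next to the storage-box password. Keep the value in an Ansible Vault encrypted vars file and reference it from both places, e.g. `"token": "{{ vault_slapd_backup_token }}"` (the variable name is a placeholder). The surrounding entries follow the same pattern, so the whole list may deserve a follow-up.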
diff --git a/group_vars/usermanagement.yaml b/group_vars/usermanagement.yaml
index 7b4765d..34aa0a4 100644
--- a/group_vars/usermanagement.yaml
+++ b/group_vars/usermanagement.yaml
@@ -6,3 +6,6 @@ ldap_suffix: "dc=atlantishq,dc=de"
 ldap_bind_dn: "cn=Manager,dc=atlantishq,dc=de"
 ldap_user_dn: "ou=People,dc=atlantishq,dc=de"
 ldap_connection_url: ldap://192.168.122.112
+
+extra_sheppy_pubkeys: |
+ ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDaABPy9h009vUQj+gewvhIO9kDpUBkkW5dGz6HsDxp6FLeZ0KOMTPZyRkwPHkC3Jee8vkTl2fFi7wjXhkWSpPe7H/RFdn6nHf5RSvM4aEwhkjD7E1lvf9lLRUXnISeFXFOdD3hpRXqT5yVP9O1S3Rk3b+i9HPlcw1vDmFHS5mZ+rXmxQSyHD8uuyCEL1Ri5IOz9XxycaJ/MHX2XaHWU+xgrQ2uvWrvhnibB3bhtf94GrHJQXRfjUc4nF3SG3937Fkdit5LozuDE3/mLoNN6PwXz13Z2acClpjiyOZQxpa2+TpwE5i2rWoZwsXv//yzohHbA30+qYSxJYQrYZ1XRyOSPFWSp3wwcuj8yMMqMJT2e75ZyWaHuoYuindOFW4VMR7pFppssnnbdLHvJGe5PZMSDxlyhUtkAK4p1nf2nEng3VjCBcn6UWK1po5DQmcLwkd0cQbWTLxHjH4sAtfyp7A8jsGLXrhWraMOOoU0JVkamZrq2BuSyaC5S7+KdvGCg3U= backupvm
diff --git a/roles/backup-vm/files/backup_priv_key b/roles/backup-vm/files/backup_priv_key
new file mode 100644
index 0000000..dfa714e
--- /dev/null
+++ b/roles/backup-vm/files/backup_priv_key
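Review bot: The `backupvm` key added through `extra_sheppy_pubkeys` is installed without any key options, so whoever holds the matching private key gets an interactive shell as `sheppy` on the LDAP host, although the backup job only needs to pull one directory with rsync. Prefix the entry with options that pin it to that job, for example `from="<backup-vm address>",restrict,command="<rsync-only wrapper>" ssh-rsa …` (both values are placeholders). This matters more here because the private half is committed in `roles/backup-vm/files/backup_priv_key`.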
@@ -0,0 +1,38 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn +NhAAAAAwEAAQAAAYEA2gAT8vYdNPb1EI/oHsL4SDvZA6VAZJFuXRs+h7A8aehS3mdCjjEz +2ckZMDx5AtyXnvL5E5dnxYu8I14ZFkqT3ux/0RXZ+px3+UUrzOGhMIZIw+xNZb3/ZS0VF5 +yEnhVxTnQ94aUV6k+clT/TtUt0ZN2/ovRz5XMNbw5hR0uZmfq15sUEshw/LrsghC9UYuSD +s/V8cnGifzB19l2h1lPsYK0Nrr1q74Z4mwd24bX/eBqxyUF0X41HOJxd0ht/d+xZHYreS6 +M7gxN/5i6DTej8F89d2dmnApaY4sjmUMaWtvk6cBOYtq1qGcLF7//8s6IR2wN9PqmEsSWE +K2GdV0cjkjxVkqd8MHLo/MjDKjCU9nu+Wclmh7qGLop3ThVuFTEe6RaabLJ523Sx7yRnuT +2TEg8ZcoVLZACuKdZ39pxJ4N1YwgXJ+lFitaaOQ0JnC8JHdHEG1ky8R4x+LALX8qewPI7B +i164Vq2jDjqFNCVZGpma6tgbksmguUu/inbxgoN1AAAFiNBNJKrQTSSqAAAAB3NzaC1yc2 +EAAAGBANoAE/L2HTT29RCP6B7C+Eg72QOlQGSRbl0bPoewPGnoUt5nQo4xM9nJGTA8eQLc +l57y+ROXZ8WLvCNeGRZKk97sf9EV2fqcd/lFK8zhoTCGSMPsTWW9/2UtFRechJ4VcU50Pe +GlFepPnJU/07VLdGTdv6L0c+VzDW8OYUdLmZn6tebFBLIcPy67IIQvVGLkg7P1fHJxon8w +dfZdodZT7GCtDa69au+GeJsHduG1/3gasclBdF+NRzicXdIbf3fsWR2K3kujO4MTf+Yug0 +3o/BfPXdnZpwKWmOLI5lDGlrb5OnATmLatahnCxe///LOiEdsDfT6phLElhCthnVdHI5I8 +VZKnfDBy6PzIwyowlPZ7vlnJZoe6hi6Kd04VbhUxHukWmmyyedt0se8kZ7k9kxIPGXKFS2 +HISTORY_PURGED_SECRET +HISTORY_PURGED_SECRET +Mc8ZOELh69lmbawt4NE1+EI5eiZr5oRrlqpdtr5PO224iF5FZ5zgQ8esD9kx2BRDtoNHsK +fbTekaD7TyPFOY+4SD9rXCjwlQwPVC8SPCW+rks7BXqbmjFBH4P/iZOUHIrrJR4YgNbsyP +ru60JE3oWOclTCX/4iYzHB8XFDkGRYS3NpVjkKluYoMfJCOVmOI6MHxhj7f7LRMVRI+OG0 +iXbg5gEeQPtavjB1aR3JuajYIRaxbJUzKCgE4+yeljvObSdG9THUiuFOTEkXcdtYnPu3uy +d2LcBQzLJ0BY6YvIoI4OFV6lqRRBXMleUSKzHFgkHUuRAKyPtVrE38HV/X5qQeBlg89/7/ +XuwZDq+A7fSm95uj85bmrUXBKBog/F31UW+1P3lZ7j/ZxmcPwcJTJvPTFOSweynimeSZB/ +lwFJpiDhxJjlfpWF0GxgIHdsjD4CZgSpSKCh/kI954f4HnhWEXbs8quoGwgrjIElTFAAAA +wEbaLe1mPdp8LsvOTbWNiF9eT5pKO2pwkJPINJ20ylxwYaap0Xda79shdskkxKTCwIFvoA +xjdE6B1HKqzsWHu7fiQ29/btdAZav+930tMSxemIwhNe9aHyOgoujNS8UaxaR/sSTnj19V +7DyetxFPGW1H1A/KKnPm+muqgO7KARHoQ+0x3I6pJzM+XHN5DT5FNSdtVm+xWCNsXwL4bk +HISTORY_PURGED_SECRET +yRrPXB1cRhrLYOJNX+ykl/xPPx4YeZmrDmNfzcC8DULC/5HkXEygpsxuzK1SbGM0eeQyMu 
+LboVYxgslC0QjIfDS3x7CYUMsrK1r1nleGxYFpXRBTqKty6nNR53Unum2QAsGW90xfoD1N +NEeb2d/wgG/QHmTh6BzJ6JYqjc/ATsqfR5aKoNnh1stRHu6TzrIK4Y/6e/HEoXElwOyeYX +DadG5VfnD4jglgQR78sHtaSSIpvCADAAAAwQDbdcgfXQ93mIDnk97aXbrR/tP76+0QmsM2 +IImV3/mhnjwsYXHnYTBoci6t+L+zClpW2FIj532XKSBF+fxIOTpnMW4grKICivbWmcrCj+ +aA+w+mshv4K1A+TDlzfW4c+UHpp26UopkaFMrG9hvNoDcREyYqERf1YnxZCLTGgNQLpDUa +rveYj+PzCjTzUzH2wgtNttIDWeekFxTJP/7a7sdaRe4DzMMn0B0UDVKGgKY7s5q1xL0IJq +8oXFJvSt894ScAAAASc2hlcHB5QGF0bGFudGlzcGFkAQ== +-----END OPENSSH PRIVATE KEY-----
diff --git a/roles/backup-vm/files/config b/roles/backup-vm/files/config
new file mode 100644
index 0000000..5490bae
--- /dev/null
+++ b/roles/backup-vm/files/config
@@ -0,0 +1,3 @@
+Host *
+ User sheppy
+ IdentityFile ~/.ssh/backup_priv_key
diff --git a/roles/backup-vm/tasks/main.yaml b/roles/backup-vm/tasks/main.yaml
index fb84150..28841d9 100644
--- a/roles/backup-vm/tasks/main.yaml
+++ b/roles/backup-vm/tasks/main.yaml
@@ -30,3 +30,45 @@
 repo: https://github.com/FAUSheppy/backup-tools
 dest: /home/sheppy/backups/backup-tools/
 version: master
+
+- name: Create SSH Dir
+ file:
+ path: /home/sheppy/.ssh/
+ state: directory
+ owner: sheppy
+ group: sheppy
+
+- name: Copy SSH config and backup priv key
+ copy:
+ src: "{{ item }}"
+ dest: "/home/sheppy/.ssh/{{ item }}"
+ owner: sheppy
+ group: sheppy
+ mode: 0600
+ with_items:
+ - backup_priv_key
+ - config
+
+- name: template SLAPD backup script
+ template:
+ src: slapd_backup.sh
+ dest: /home/sheppy/
+ owner: sheppy
+ group: sheppy
+ mode: 0700
+
+- name: Add slapd script to cron
+ cron:
+ minute: "10"
+ hour: "1"
+ name: SLAPD via rsync backup
+ job: /home/sheppy/slapd_backup.sh
+ user: sheppy
+
+- name: Add ths nextcloud backup script to cron
+ cron:
+ minute: "0"
+ hour: "1"
+ name: THS Caldav Backup
+ job: /home/sheppy/ths_cal_backup.sh
+ user: sheppy
diff --git a/roles/backup-vm/templates/slapd_backup.sh b/roles/backup-vm/templates/slapd_backup.sh
new file mode 100644
index 0000000..dc47f6d
--- /dev/null
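Review bot: `roles/backup-vm/files/backup_priv_key` adds the OpenSSH private key to the repository as a plain file, and its header decodes to cipher `none`, i.e. the key has no passphrase. Everyone with read access to the repository or its history can authenticate as `sheppy` wherever the `backupvm` public key is authorized, so the key pair should be treated as exposed and replaced. Generate the replacement on the backup VM (or keep it in an Ansible Vault encrypted file) and commit only the public half.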
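Review bot: `Host *` in `roles/backup-vm/files/config` makes the backup key and the `sheppy` user the default for every SSH connection this account opens, including the storage-box upload, so the key is offered to hosts that never need to see it. Scope the stanza to the one source host and stop the client from trying other identities: `Host 192.168.122.112` and `IdentitiesOnly yes`.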
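Review bot: The `Create SSH Dir` task in `roles/backup-vm/tasks/main.yaml` sets owner and group but no `mode`, so on a fresh host `/home/sheppy/.ssh/` gets whatever the umask yields, while the base role creates the same directory with `0700`; add `mode: "0700"` here too. The modes in this hunk are bare numbers that only work because of the leading zero; quoting them, `mode: "0600"` and `mode: "0700"`, removes the dependence on how the YAML loader types them. The copy task also ships `backup_priv_key` from the role's `files/` directory, so it depends on the plaintext key staying in the repository.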
+++ b/roles/backup-vm/templates/slapd_backup.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+set -e
+
+DIR=/home/sheppy/slapd_backup
+
+rsync -r --remove-source-files sheppy@192.168.122.112:$DIR /home/sheppy
+
+~/backups/backup-tools/backup_manager.py --extensions ldif -- $DIR
+
+rsync --delete --rsh="/usr/bin/sshpass -p HISTORY_PURGED_SECRET ssh -p23" -r slapd_backup/${BACKUP_NAME} u244665-sub2@u244665.your-storagebox.de:./
+
+curl -H "Content-Type: application/json" \
+ -X POST https://async-icinga.atlantishq.de/ \
+ -d '{ "service" : "slapd_backup", "token" : "HISTORY_PURGED_SECRET", "status" : "OK", "info" : "" }'
diff --git a/roles/base/tasks/main.yaml b/roles/base/tasks/main.yaml
index 02b3bbb..0908d14 100644
--- a/roles/base/tasks/main.yaml
+++ b/roles/base/tasks/main.yaml
@@ -24,3 +24,19 @@
 src: check_dir_size_for_backup.py
 dest: /opt/check_dir_size_for_backup.py
 mode: 0755
+
+- name: Create sheppy .ssh dir
+ file:
+ path: /home/sheppy/.ssh/
+ state: directory
+ owner: sheppy
+ group: sheppy
+ mode: 0700
+
+- name: Template Sheppy authorized keys
+ template:
+ src: authorized_keys_sheppy.j2
+ dest: /home/sheppy/.ssh/authorized_keys
+ owner: sheppy
+ group: sheppy
+ mode: 0600
diff --git a/roles/base/templates/authorized_keys_sheppy.j2 b/roles/base/templates/authorized_keys_sheppy.j2
new file mode 100644
index 0000000..6adbd4f
--- /dev/null
+++ b/roles/base/templates/authorized_keys_sheppy.j2
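Review bot: `${BACKUP_NAME}` is never assigned in `roles/backup-vm/templates/slapd_backup.sh`, so the upload source expands to `slapd_backup/` and `rsync --delete` mirrors the whole local directory onto the remote `./`, which may remove files on the storage box that this job does not own. Start with `set -euo pipefail` so an unset variable aborts the run, and assign the name the script means to upload before that rsync. `sshpass -p …` puts the storage-box password on the command line, where other local users can read it from the process list; `sshpass -e` or `-f`, or key authentication, avoids that. `curl` exits 0 on an HTTP error unless `--fail` is given, so a rejected status report goes unnoticed despite `set -e`.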
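Review bot: `/home/sheppy/.ssh/authorized_keys` is now managed twice: this hunk in `roles/base/tasks/main.yaml` templates it from `authorized_keys_sheppy.j2`, and the `roles/sshd-config/tasks/main.yaml` hunk in the same commit copies a static `authorized_keys_sheppy` to the same path without owner, group or mode. Whichever role runs last wins, and if that is the copy task the `extra_sheppy_pubkeys` entry for the backup VM is dropped. Keep one of the two tasks. The modes here would also be safer quoted, `mode: "0700"` and `mode: "0600"`.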
@@ -0,0 +1,3 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDoUijFwmZaYHbueDsa3T2BV5UfMxKpztbuJwSBZ5s0WbZlg/9E9SHeGztaN/SCyQZdtOA7bR6tQMWhx4fadvrjg5BrN1bjpNUb2/rAxuWw0yU0Yp2CWwE02m+3bMj4pXeaI2Mk/Ywubfl88W2/OrUpbhHoYeedAIblyzuOwDTS9MpjD/ita89d4CM9AdhGBw3qaggtIxD8A5hULbJWe0D5KdtBFG8RFOmBaEb/tmBvdpwja3i17/AejUdjfjQv8G3BSTbKvOvMRwmnmoE5YCstwHIFqrlmqorSGQIVo5knfcSqgFxs2wDv4OOrPJTWcmr3LmN5lVjHkjtzRQ8zE9sB sheppy-master
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDU2aDU+TOiOXzWpGDhqbpzFkhENPc0QYbsqfImaBIMlbSDs6gxuQRtO9QtqyThrDuPNWVQqooVRj5MgdR9i2uNd8eDr+HWhzuiymy+KAJm9e+E4VTvgTiD+EB0IKJ6Vqm86/M0nwLPu3KNY9k/jjG2DjKDNEqX5b6U9Psfq/HqB5NDNL/BvCTNknehSDCp8gyFYjrRijGz6vnVF8jfNGOaliJvwQI7GciV8/Q986J4RruF/KbIf2DhVjQogHOV1ZVtFpBffxA6+PkDR4kgLYnZM4L4WCHqOqS9Cen4lqJg+ZJMMDx/T0cWkJIdTq6+GUvNjNfrle6Ck72vT1aRAxpjNCo+w5FeV6PtSrE2yF6cLoca1ia7n9fBANI7Pb9WdPytLeBMvzGU3C8b2RilDS89Ri6UZr63YzDI1hmTVUCe73ct2aV5DnDw668Y3+9hT+vi2mC+zHcgfPfJ7erySDmxG1pi2yDlaJP9fLz4MMOtknTdq73nnQPF7MRbiHk1Ots= hypervisor
+{{ extra_sheppy_pubkeys }}
diff --git a/roles/monitoring-master/files/services_async.conf b/roles/monitoring-master/files/services_async.conf
index 6fa6576..6bacc01 100644
--- a/roles/monitoring-master/files/services_async.conf
+++ b/roles/monitoring-master/files/services_async.conf
@@ -180,3 +180,12 @@ apply Service "ths_caldav_backup" {
 vars.service_name = "ths_caldav_backup"
 assign where host.name == "async_icinga"
 }
+
+apply Service "slapd_backup" {
+ import "generic-service"
+ check_command = "gateway"
+ vars.protocol = "https"
+ vars.host = "async-icinga.atlantishq.de"
+ vars.service_name = "slapd_backup"
+ assign where host.name == "async_icinga"
+}
diff --git a/roles/sshd-config/tasks/main.yaml b/roles/sshd-config/tasks/main.yaml
index 3e749dd..c35f360 100644
--- a/roles/sshd-config/tasks/main.yaml
+++ b/roles/sshd-config/tasks/main.yaml
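Review bot: `{{ extra_sheppy_pubkeys }}` in `authorized_keys_sheppy.j2` is rendered unguarded, while `group_vars/all.yaml` defines the variable as a bare key, i.e. null; depending on the Ansible version that may come out as an empty line or as the literal text `None` in `authorized_keys`. Make the empty case explicit with `{{ extra_sheppy_pubkeys | default('', true) }}` and set the default to `extra_sheppy_pubkeys: ""`. Because the base role puts this file on every host, a `#` comment per key stating its purpose would also make later revocation easier.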
@@ -17,3 +17,8 @@
 copy:
 src: authorized_keys
 dest: /root/.ssh/authorized_keys
+
+- name: Authorized Keys
+ copy:
+ src: authorized_keys_sheppy
+ dest: /home/sheppy/.ssh/authorized_keys
diff --git a/roles/usermanagement/files/slapd_backup.sh b/roles/usermanagement/files/slapd_backup.sh
new file mode 100644
index 0000000..2309ab4
--- /dev/null
+++ b/roles/usermanagement/files/slapd_backup.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+DIR=/home/sheppy/slapd_backup/
+BACKUP_NAME=backup_$(date +%Y%m%d).ldif
+mkdir -p $DIR
+
+slapcat > ${DIR}${BACKUP_NAME}
+chown -R sheppy:sheppy $DIR
diff --git a/roles/usermanagement/tasks/ldap.yaml b/roles/usermanagement/tasks/ldap.yaml
index 7ad4c28..e2e7cd0 100644
--- a/roles/usermanagement/tasks/ldap.yaml
+++ b/roles/usermanagement/tasks/ldap.yaml
@@ -118,3 +118,16 @@
 - mail
 - soundlib
 - monitoring
+
+- name: Deploy Backup Script
+ copy:
+ src: slapd_backup.sh
+ dest: /opt/
+ mode: 0700
+
+- name: Create cronjob Slapd backup
+ cron:
+ hour: "0"
+ minute: "30"
+ name: SLAPD Backup (slapcat)
+ job: "/opt/slapd_backup.sh"
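Review bot: `roles/usermanagement/files/slapd_backup.sh` has no error handling, so when `slapcat` fails the redirect still leaves an empty or partial `.ldif` that the backup VM collects and reports as OK; add `set -euo pipefail` after the shebang. A `slapcat` dump normally includes the directory's password hashes, and it is written under the default umask before being handed to `sheppy`, so put `umask 077` before `mkdir -p` to keep it unreadable for other local accounts. Quote the expansions as well: `"$DIR"` and `"${DIR}${BACKUP_NAME}"`.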
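Review bot: The cron task in `roles/usermanagement/tasks/ldap.yaml` gives no `user:`, so the job lands in the crontab of whatever account the play runs as; `slapcat` and the `chown` in the script presumably need root, so state it with `user: root`. `mode: 0700` on the copy task is an unquoted number; write `mode: "0700"`. The script is also deployed without `owner`/`group`, which is probably fine when the play runs as root but is worth making explicit.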