Some examples of using salt mine and publish.publish
# Salt mine setup (minion config or pillar). Each function below is run on the
# minion every mine_interval minutes and its return value is cached on the
# master, where other minions read it with mine.get.
mine_functions:
  # Alias "ssh_backup_key": root's backup public key, so a backup server can
  # authorize it. prvfile is false, so the private half is never published.
  ssh_backup_key:
    - mine_function: ssh.user_keys
    - user: root
    - prvfile: false
    - pubfile: '/root/.ssh/backup_key.pub'

  # Host keys from /etc/ssh. private is false, so only the .pub files are
  # published; consumers pin these as known_hosts entries.
  ssh.host_keys:
    - private: false
    - keydir: /etc/ssh

  # Alias "external_ip": the value of the external_ip grain.
  external_ip:
    - mine_function: grains.get
    - key: external_ip

# Minutes between mine refreshes.
mine_interval: 5
{% from "borg/map.jinja" import borg with context %}
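# Generate root's backup key once and push its public half to the mine.
# The key has no passphrase (-N "") because cron runs borgmatic unattended;
# what limits its power is the forced command the backup server attaches to
# it in authorized_keys, not the key itself.
backup ssh key:
  cmd.run:
    - name: 'ssh-keygen -q -t ed25519 -C "{{ salt.grains.get('id') }} backup key" -f {{ borg.backup_key }} -N ""'
    # creates makes this idempotent: an existing key is never regenerated,
    # so the key is never silently rotated out from under the server.
    - creates: '{{ borg.backup_key }}'
  # Send the public key to the mine immediately instead of waiting for the
  # next mine_interval. This uses the new-style module.run argument form
  # (positional args as plain items, keyword args as one-key maps); older
  # Salt releases need module.run listed under use_superseded for it --
  # confirm against the target release.
  module.wait:
    - mine.send:
      - ssh_backup_key
      # The mine function is ssh.user_keys (the original said ssh.user.keys,
      # which is not a Salt execution function and would fail at run time).
      - mine_function: ssh.user_keys
      - user: root
      - pubfile: '{{ borg.backup_key }}.pub'
      - prvfile: false
    - watch:
      - cmd: backup ssh key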
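# borg itself plus borgmatic, the config-driven wrapper that cron invokes.
borg backup programs:
  pkg.installed:
    - pkgs:
      # Templated values are quoted so an empty or odd map value cannot change
      # the YAML type of the entry.
      - '{{ borg.borg_package }}'
      - '{{ borg.borgmatic_package }}'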
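# Render borgmatic's config from the map, validate it, and schedule it.
borgmatic configuration:
  file.serialize:
    - name: /etc/borgmatic/config.yaml
    # Quoted: an unquoted 0600 is an octal literal to the YAML parser; the
    # string form does not depend on how the loader treats leading zeros.
    # Root-only, since the borgmatic config may carry the repository
    # passphrase.
    - mode: '0600'
    - formatter: yaml
    # Serialize through the json filter instead of interpolating the dict's
    # Python repr: repr turns None into the string "None" and uses Python
    # (not YAML) quoting. JSON is valid YAML and stays on one line.
    - dataset: {{ borg.borgmatic | json }}
    - require:
      - pkg: borg backup programs
  # Re-validate whenever the config or the tooling changes. A failure here
  # blocks the cron entry below through its require.
  cmd.run:
    - name: validate-borgmatic-config
    - onchanges:
      - file: borgmatic configuration
      - pkg: borg backup programs
  cron.present:
    # cmd.which runs at render time. On a fresh host that is before
    # pkg.installed has run, so it returns None and the cron command would
    # become the literal string "None". Fall back to the bare name, which
    # resolves through the PATH set by "borg cron paths".
    - name: '{{ salt['cmd.which']('borgmatic') or 'borgmatic' }}'
    - identifier: "BORGMATIC_BACKUP"
    - comment: "Borg backup"
    - hour: '*/{{ borg.every_hours }}'
    # Salt substitutes a random minute so hosts do not all start together.
    - minute: random
    - require:
      - cmd: borgmatic configuration
      - cron: borg cron paths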
# PATH for root's crontab. The borgmatic cron entry requires this so that its
# command resolves when cron runs it.
borg cron paths:
  cron.env_present:
    - name: PATH
    - value: '/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin:/usr/local/sbin:/usr/local/bin'
    - user: root
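# Initialize the repository once the config exists. Runs only when the config
# changes (onchanges). The known_hosts states in this file hook in with
# require_in so the repository host keys are pinned before the first ssh
# connection this command makes.
borg repo initialization:
  cmd.run:
    # Quoted so the templated encryption mode cannot change the YAML type.
    - name: 'borgmatic init -e {{ borg.encryption }}'
    - onchanges:
      - file: borgmatic configuration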
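# Pin BorgBase's published host keys (one per key type, from the map) so the
# first ssh connection cannot be answered by an impostor. A wildcard host
# pattern only matches an unhashed known_hosts entry, hence
# hash_known_hosts false.
{% for algo, ssh_key in borg.borgbase.ssh_key.items() %}
borgbase public {{ algo }} key:
  ssh_known_hosts.present:
    - name: '*.repo.borgbase.com'
    - key: '{{ ssh_key }}'
    - enc: '{{ algo }}'
    - hash_known_hosts: false
    # Both the repo init and the cron job must see the pinned key first.
    - require_in:
      - cmd: borg repo initialization
      - cron: borgmatic configuration
{% endfor %}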
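# Pin the host keys of each backup repository host, read from the mine that
# ssh.host_keys publishes there (public keys only). Mine data is supplied by
# the repository host's own minion, so this trusts that minion for its keys.
{% for host in ['repo_host_1', 'repo_host_2'] %}
{%- set repo_host_keys = salt['mine.get'](host, 'ssh.host_keys').get(host, {}) %}
{%- if not repo_host_keys %}
# No mine data for this host yet (fresh minion, or mine_interval has not
# elapsed). Fail explicitly instead of raising KeyError at render time, which
# would abort every state in this file; the require_in still keeps the repo
# initialization from running against an unpinned host.
{{ host }} host keys missing from mine:
  test.fail_without_changes:
    - name: 'mine.get({{ host }}, ssh.host_keys) returned nothing'
    - require_in:
      - cmd: borg repo initialization
{%- endif %}
{%- for source, ssh_key_string in repo_host_keys.items() %}
{#- The published value is "<type> <base64> [comment]"; split on any run of
    whitespace rather than a single space. -#}
{%- set ssh_key = ssh_key_string.split() %}
{{ host }} host ssh {{ ssh_key[0] }} key:
  ssh_known_hosts.present:
    - name: '{{ host }}'
    - enc: '{{ ssh_key[0] }}'
    - key: '{{ ssh_key[1] }}'
    - hash_known_hosts: false
    - require_in:
      - cmd: borg repo initialization
      - cron: borgmatic configuration
{%- endfor %}
{% endfor %}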
{% from "borg/map.jinja" import borg with context %}
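# Dedicated account that owns the repositories and that clients ssh into;
# its shell comes from the map.
borg backup user:
  user.present:
    - name: borg
    - fullname: Borg Backup User
    # Quoted so an empty map value cannot turn into a YAML null.
    - shell: '{{ borg.user_shell }}'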
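# borg is needed server-side for the forced "borg serve" command.
borg backup support:
  pkg.installed:
    # Quoted so an empty map value cannot turn into a YAML null.
    - name: '{{ borg.borg_package }}'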
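# One repository directory per client that has published a backup key to the
# mine. On hosts with the zfs_support grain each directory is its own ZFS
# filesystem mounted at that path. The key value is unused here; only the
# minion ids are needed.
{% for host, key in salt['mine.get']('*', 'ssh_backup_key') | dictsort() %}
backup repo for {{ host }}:
  {%- if salt['grains.get']('zfs_support', False) %}
  zfs.filesystem_present:
    - name: '{{ borg.zfs_base }}/{{ host }}'
    - properties:
        mountpoint: '{{ borg.repo_base }}/{{ host }}'
    - require_in:
      - file: backup repo for {{ host }}
  {%- endif %}
  file.directory:
    - name: '{{ borg.repo_base }}/{{ host }}'
    - user: borg
    # Quoted so the YAML parser does not read the leading-zero mode as an
    # octal literal. Owner writes, group may list, others have no access.
    - dir_mode: '0750'
    - makedirs: true
    - require:
      - user: borg backup user
{% endfor %}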
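# Authorize every client's backup key, confined to that client's repository
# by a forced command plus the restrict option. Both the minion id and the
# key text come from minion-supplied data (the mine), so each is checked for
# shape before it is written into authorized_keys: the id must be plain
# [A-Za-z0-9._-] because it is embedded in the forced command's shell text,
# and the key must be a bare "<type> <base64>" pair so it cannot carry extra
# options or a second line. The key's own comment is dropped and replaced by
# the minion id. manage is authoritative: keys not on this list are removed
# from the borg account.
{% set client_keys = [] %}
{% for host, key in salt['mine.get']('*', 'ssh_backup_key') | dictsort() %}
{%- set pub = key.get('root', {}).get('backup_key.pub', '').split() %}
{%- if host | regex_match('^[A-Za-z0-9._-]+$')
      and pub | length >= 2
      and pub[0] | regex_match('^[A-Za-z0-9@.-]+$')
      and pub[1] | regex_match('^[A-Za-z0-9+/=]+$') %}
{%- do client_keys.append(
      'command="cd ' ~ borg.repo_base ~ '/' ~ host
      ~ ' && borg serve --restrict-to-path ' ~ borg.repo_base ~ '/' ~ host
      ~ '",restrict ' ~ pub[0] ~ ' ' ~ pub[1] ~ ' ' ~ host) %}
{%- endif %}
{%- endfor %}
access to backup repos:
  ssh_auth.manage:
    - user: borg
    # Serialized as JSON (valid YAML, one line) so the serializer does the
    # quoting, and an empty mine yields [] rather than a null value.
    - ssh_keys: {{ client_keys | json }}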
# Address set presumably consumed by an ssh allow rule that is not part of
# this state. It is created with ipset's default family, so it holds IPv4
# addresses. timeout is the set's default entry lifetime in seconds: entries
# added without a timeout of their own expire after 5 minutes unless they are
# re-added -- confirm this state runs at least that often.
ssh hosts ipset:
  ipset.set_present:
    - name: ssh_in
    - timeout: 300
    - set_type: 'hash:ip'
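# Populate the set from every minion's external_ip grain, fetched live with
# publish.publish (which needs a peer permission for grains.get on the
# master). Grains are self-reported by each minion, so a compromised minion
# can put any value here; at least require it to be an IPv4 address (the
# set's family) before handing it to ipset. The mine_functions example in
# this gist publishes the same grain as "external_ip", which would avoid
# the live round-trip.
add hosts to ssh ipset:
  ipset.present:
    - set_name: ssh_in
    - entry:
      {%- for host, ip in salt['publish.publish']('*', 'grains.get', 'external_ip').items() | sort %}
      {%- if ip and (ip | is_ipv4) %}
      - '{{ ip }}'
      {%- endif %}
      {%- endfor %}
    - require:
      - ipset: ssh hosts ipset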