From 0a724359dcf946202e7c97a12e83f4f5b171a3ed Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sun, 7 Apr 2024 17:21:41 +0000
Subject: [PATCH] rclone: Add ssh key generation and run as backup
---
 roles/rclone/tasks/main.yml | 49 +++++++++++++++++++++------
 roles/rclone/templates/rclone.conf.j2 | 2 +-
 2 files changed, 39 insertions(+), 12 deletions(-)
diff --git a/roles/rclone/tasks/main.yml b/roles/rclone/tasks/main.yml
index 9700039..1019fb7 100644
--- a/roles/rclone/tasks/main.yml
+++ b/roles/rclone/tasks/main.yml
@@ -8,25 +8,55 @@
   ansible.builtin.file:
     path: /etc/rclone
     state: directory
-    mode: "0755"
+    mode: "0750"
     owner: root
-    group: "{{ ansible_wheel }}"
+    group: backup
 
 - name: Create host config
   ansible.builtin.template:
     dest: /etc/rclone/rclone.conf
     src: rclone.conf.j2
-    mode: "0644"
+    mode: "0640"
     owner: root
-    group: "{{ ansible_wheel }}"
+    group: backup
+
+- name: Create ssh keys
+  ansible.builtin.command:
+    argv:
+      - ssh-keygen
+      - -t
+      - ed25519
+      - -C
+      - "backup@{{ inventory_hostname }}"
+      - -N
+      - ""
+      - -f
+      - /etc/rclone/id_ed25519
+    creates: /etc/rclone/id_ed25519
+
+- name: Fix ssh key permissions
+  ansible.builtin.file:
+    path: "{{ item }}"
+    owner: root
+    group: backup
+    mode: "0640"
+  with_items:
+    - /etc/rclone/id_ed25519
+    - /etc/rclone/id_ed25519.pub
+
+- name: Fetch ssh public key
+  ansible.builtin.fetch:
+    src: /etc/rclone/id_ed25519.pub
+    dest: ../files/ssh/backup.pub
+    flat: true
 
 - name: Create log directory
   ansible.builtin.file:
     path: /var/log/rclone
     state: directory
     mode: "0750"
-    owner: "{{ local_user | default('root') }}"
-    group: "{{ local_user | default(ansible_wheel) }}"
+    owner: backup
+    group: backup
 
 - name: Copy rclone sync script
   ansible.builtin.copy:
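Review bot: `dest: ../files/ssh/backup.pub` in the Fetch ssh public key task is a fixed path combined with `flat: true`, so when the role runs against more than one host each host's public key overwrites the same file and only the last host's key survives; use a per-host name such as `dest: "../files/ssh/backup-{{ inventory_hostname }}.pub"`, or drop `flat: true` to get the default host-prefixed layout. The new tasks also assume a `backup` group and user already exist: `group: backup` on the file tasks in this hunk and `user: backup` on the cron tasks in the second hunk fail on a host that lacks the account, and nothing in this diff creates it — if it is not created earlier in the role, add an `ansible.builtin.group`/`ansible.builtin.user` task ahead of these. The generated key has no passphrase (`-N ""`) and is deliberately made group-readable (`mode: "0640"`, `group: backup`) so the unattended cron run can use it, which is worth stating on the Fix ssh key permissions task, e.g. `# private key must be readable by the backup user that runs rclone-sync`. `with_items` on that task could be `loop:` to match current Ansible style.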
@@ -40,16 +70,13 @@
   ansible.builtin.cron:
     name: MAILTO
     env: true
-    user: "{{ local_user }}"
+    user: backup
     value: root
-  when:
-    - local_user is defined
-    - local_user != "root"
 
 - name: Add rclone sync cron job
   ansible.builtin.cron:
     name: rclone-sync
-    user: "{{ local_user | default('root') }}"
+    user: backup
     hour: "3"
     minute: "{{ 60 | random(seed=inventory_hostname) }}"
     job: /usr/local/bin/rclone-sync
diff --git a/roles/rclone/templates/rclone.conf.j2 b/roles/rclone/templates/rclone.conf.j2
index 9389314..440fcc6 100644
--- a/roles/rclone/templates/rclone.conf.j2
+++ b/roles/rclone/templates/rclone.conf.j2
@@ -5,6 +5,6 @@
 type = sftp
 host = {{ host }}
 user = {{ remote_user }}
-key_file = {{ private_key | default('~/.ssh/id_ed25519') }}
+key_file = /etc/rclone/id_ed25519
 known_hosts_file = /etc/ssh/ssh_known_hosts
 {% endfor %}
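Review bot: The new `key_file` line drops the `private_key` variable entirely, so any inventory or host_vars entry that still sets `private_key` is silently ignored rather than honored or rejected; keeping the override with the new default, `key_file = {{ private_key | default('/etc/rclone/id_ed25519') }}`, preserves the old interface while matching the key the first hunk now generates. If the variable is meant to go away, a line in the role's defaults or README saying so would make the change visible instead of silent. The enclosing `{% for %}` loop starts outside the hunk.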