From e43c3aaae306dcc50e1080444a9bfd83d5ecb61e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jakub=20=C5=BD=C3=A1=C4=8Dek?= Date: Fri, 15 May 2026 18:38:11 +0200 Subject: [PATCH] Add backup role and manage_ssh_keys role - Borgmatic backup role driven by per-host config in group_vars/all/backup.yml - manage_ssh_keys role with add/remove paths; remove_ssh_key_playbook.yml uses it Co-Authored-By: Claude Opus 4.7 (1M context) --- backup.yml | 8 +++++ group_vars/all/backup.yml | 15 ++++++++++ remove_ssh_key_playbook.yml | 6 ++++ roles/backup/tasks/main.yml | 30 +++++++++++++++++++ roles/backup/templates/borgmatic.yaml.j2 | 3 ++ roles/manage_ssh_keys/tasks/add_ssh_key.yml | 4 +++ roles/manage_ssh_keys/tasks/main.yml | 5 ++++ .../manage_ssh_keys/tasks/remove_ssh_key.yml | 10 +++++++ 8 files changed, 81 insertions(+) create mode 100644 backup.yml create mode 100644 group_vars/all/backup.yml create mode 100644 remove_ssh_key_playbook.yml create mode 100644 roles/backup/tasks/main.yml create mode 100644 roles/backup/templates/borgmatic.yaml.j2 create mode 100644 roles/manage_ssh_keys/tasks/add_ssh_key.yml create mode 100644 roles/manage_ssh_keys/tasks/main.yml create mode 100644 roles/manage_ssh_keys/tasks/remove_ssh_key.yml
diff --git a/backup.yml b/backup.yml
new file mode 100644
index 0000000..6407df7
--- /dev/null
+++ b/backup.yml
@@ -0,0 +1,8 @@
+---
+- name: Install borgmatic and deploy per-host config
+ hosts: all
+ become: true
+ tags: never,backup
+
+ roles:
+ - role: backup
diff --git a/group_vars/all/backup.yml b/group_vars/all/backup.yml
new file mode 100644
index 0000000..b14726a
--- /dev/null
+++ b/group_vars/all/backup.yml
@@ -0,0 +1,15 @@
+---
+# Per-host borgmatic config. Keys must match inventory_hostname.
+# Hosts not listed here are skipped by the `backup` role.
+# The value under each host is rendered verbatim as the borgmatic
+# config file (see https://torsion.org/borgmatic/docs/reference/configuration/).
+backup_hosts: {}
+ # jim:
+ # source_directories:
+ # - /home
+ # - /etc
+ # repositories:
+ # - path: ssh://user@backup.example.com/./backups/jim
+ # keep_daily: 7
+ # keep_weekly: 4
+ # keep_monthly: 6
diff --git a/remove_ssh_key_playbook.yml b/remove_ssh_key_playbook.yml
new file mode 100644
index 0000000..20ebde9
--- /dev/null
+++ b/remove_ssh_key_playbook.yml
@@ -0,0 +1,6 @@
+- name: Remove SSH key
+ hosts: all
+ become: yes
+ roles:
+ - role: manage_ssh_keys
+ remove_user: true
diff --git a/roles/backup/tasks/main.yml b/roles/backup/tasks/main.yml
new file mode 100644
index 0000000..d2020c6
--- /dev/null
+++ b/roles/backup/tasks/main.yml
@@ -0,0 +1,30 @@
+---
+- name: Skip hosts without backup config
+ ansible.builtin.debug:
+ msg: "No entry in backup_hosts for {{ inventory_hostname }}; skipping backup role."
+ when: inventory_hostname not in (backup_hosts | default({}))
+
+- name: Configure borgmatic
+ when: inventory_hostname in (backup_hosts | default({}))
+ block:
+
+ - name: Install borgmatic
+ ansible.builtin.package:
+ name: borgmatic
+ state: present
+
+ - name: Ensure /etc/borgmatic exists
+ ansible.builtin.file:
+ path: /etc/borgmatic
+ state: directory
+ owner: root
+ group: root
+ mode: '0750'
+
+ - name: Deploy borgmatic config
+ ansible.builtin.template:
+ src: borgmatic.yaml.j2
+ dest: /etc/borgmatic/config.yaml
+ owner: root
+ group: root
+ mode: '0640'
diff --git a/roles/backup/templates/borgmatic.yaml.j2 b/roles/backup/templates/borgmatic.yaml.j2
new file mode 100644
index 0000000..be8f742
--- /dev/null
+++ b/roles/backup/templates/borgmatic.yaml.j2
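Review bot: The header comment tells the reader that each host's value is rendered verbatim into the borgmatic config file, but says nothing about secrets, and a real repository entry usually needs an `encryption_passphrase` — anything written here ends up in plaintext in a file committed under `group_vars/all/`. I would add after the "rendered verbatim" sentence: `# Do not put encryption_passphrase or other secrets here in clear text; keep them in an ansible-vault-encrypted vars file, or point borgmatic at a command with encryption_passcommand.` The example's `ssh://user@backup.example.com/...` repository also implies an SSH key on the client host that nothing in this patch provisions; one line saying where that key is expected to come from would help the next maintainer.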
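Review bot: `hosts: all` combined with `remove_user: true` means a single `ansible-playbook remove_ssh_key_playbook.yml` run deletes the account named by `user` on every inventory host, and neither `user` nor `key` is defined anywhere in this patch, so the play depends entirely on extra-vars passed at invocation. I would scope the play with `hosts: "{{ target_hosts | mandatory }}"` so a forgotten `--limit` cannot turn a one-host offboarding into a fleet-wide one, and document the required `user`/`key`/`target_hosts` variables in a header comment. `become: yes` should be `become: true`, the form backup.yml already uses, and this file lacks the `---` document start the other new playbook has.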
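Review bot: The "Deploy borgmatic config" task overwrites `/etc/borgmatic/config.yaml` without checking that the rendered YAML is a valid borgmatic config, so a typo in `backup_hosts`, or a non-mapping value under a host key, silently breaks the next backup run. Since borgmatic is installed two tasks earlier, add `validate: borgmatic config validate --config %s` to the template task (older borgmatic releases ship the equivalent `validate-borgmatic-config -c %s`; use whichever the target package provides). Nothing in the role enables a systemd timer or cron entry, so unless scheduling is handled elsewhere the config is deployed but never executed — either add a `borgmatic.timer` task or state in a role header comment that scheduling is out of scope. The "Skip hosts without backup config" debug task and the block `when` are negations of the same expression written twice; computing it once into a `backup_host_configured` fact with `set_fact` would keep them from drifting apart.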
@@ -0,0 +1,3 @@
+#jinja2: trim_blocks: True, lstrip_blocks: True
+# Managed by Ansible — do not edit by hand.
+{{ backup_hosts[inventory_hostname] | to_nice_yaml(indent=2, width=1000) }}
diff --git a/roles/manage_ssh_keys/tasks/add_ssh_key.yml b/roles/manage_ssh_keys/tasks/add_ssh_key.yml
new file mode 100644
index 0000000..8c0f6b5
--- /dev/null
+++ b/roles/manage_ssh_keys/tasks/add_ssh_key.yml
@@ -0,0 +1,4 @@
+- name: Add user and authorized key
+ authorized_keys:
+ user: "{{ user }}"
+ key: "{{ key }}"
diff --git a/roles/manage_ssh_keys/tasks/main.yml b/roles/manage_ssh_keys/tasks/main.yml
new file mode 100644
index 0000000..c2395e6
--- /dev/null
+++ b/roles/manage_ssh_keys/tasks/main.yml
@@ -0,0 +1,5 @@
+- include_tasks: add_ssh_key.yml
+ when: add_user | default(false)
+
+- include_tasks: remove_ssh_key.yml
+ when: remove_user | default(false)
diff --git a/roles/manage_ssh_keys/tasks/remove_ssh_key.yml b/roles/manage_ssh_keys/tasks/remove_ssh_key.yml
new file mode 100644
index 0000000..bc0fc7c
--- /dev/null
+++ b/roles/manage_ssh_keys/tasks/remove_ssh_key.yml
@@ -0,0 +1,10 @@
+- name: Remove authorized key
+ authorized_keys:
+ user: "{{ user }}"
+ key: "{{ key }}"
+ state: absent
+
+- name: Ensure user is absent
+ user:
+ name: "{{ user }}"
+ state: absent
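Review bot: The `#jinja2: trim_blocks: True, lstrip_blocks: True` override on the first line has no effect here: the template contains a single `{{ }}` expression and no `{% %}` block tags, so it is dead configuration a reader will stop to reason about. Drop it, or if it is a project-wide convention, say so in the second-line comment. Note also that `to_nice_yaml` emits whatever type Ansible parsed from group_vars, so an unquoted version- or mode-looking value in `backup_hosts` reaches borgmatic retyped; validating one rendered file with `borgmatic config validate` before relying on this template is worth doing.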
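Review bot: `authorized_keys:` is not the name of the Ansible module — the module is `authorized_key` (FQCN `ansible.posix.authorized_key`), so unless this repository ships its own `authorized_keys` module the task will fail to resolve; remove_ssh_key.yml uses the same name. The task is also named "Add user and authorized key" but never creates the user, and `authorized_key` errors when the account does not exist, so the add path needs a preceding `ansible.builtin.user:` / `name: "{{ user }}"` task to mirror the remove path, which does delete the account. I would switch to the FQCN and add the `---` document start.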
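Review bot: Nothing here checks that `user` and `key` are defined or that `add_user` and `remove_user` are not both true; with both set the role adds the key and then deletes the account in the same run, and with neither set it is a silent no-op, which is an easy way to believe a key was revoked when it was not. I would open the file with an `ansible.builtin.assert` whose `that:` list covers `user is defined`, `key is defined` and `not (add_user | default(false) and remove_user | default(false))`, with a `fail_msg` naming what is missing. Use the FQCN `ansible.builtin.include_tasks` for consistency with the backup role.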
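Review bot: The "Ensure user is absent" task deletes the account with `state: absent` alone, which leaves the home directory — including the `.ssh/authorized_keys` the first task just edited — on disk owned by the old UID, so a later account that reuses that UID inherits those files. For an offboarding path add `remove: true` (and `force: true` where sessions may still be open) so the home directory goes with the account, or document explicitly that the home directory is retained on purpose. The first task also uses `authorized_keys:`, which is not the module's name (`ansible.posix.authorized_key`).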