Add support for letting restic run certain commands with sudo (#50)

* Add support for letting restic run certain commands with sudo * Support limiting to users
paulfantom · Mar 27, 2019 · ce5a075 · ce5a075
1 parent 7c7c9ad
commit ce5a075
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -30,12 +30,22 @@ All variables which can be overridden are stored in [defaults/main.yml](defaults
 | `restic_cron_mailto` | restic_user | who to mail results of the restic crons to, set to "" to not mail |
 | `restic_cron_stdout_file` | null | what file to log restic output to, null means include in mailto, use /dev/null to discard |
 | `restic_cron_stderr_file` | null | what file to log restic errors to, null means include in mailto, use /dev/null to discard |
+| `restic_sudo_command_whitelist` | [] | whitelist of commands restic is allowed to run with sudo |
 | `restic_repos` | [] | restic repositories and cron jobs configuration. More in [defaults/main.yml](defaults/main.yml) |
 
 ## Security
 
 To ensure high security this role can allow restic to be run as different user than root and still allowing read-only access to files. This is implemented by following [PR#1483](https://github.com/restic/restic/pull/1483) from restic repository.
 
+If you need to run certain tools as another user, make sure to list those in `restic_sudo_command_whitelist` as follows:
+```yaml
+restic_sudo_command_whitelist:
+   - command: /usr/bin/some_backup_related_command_that_needs_sudo
+     runas: root
+```
+
+Then, in your actual backup command, add the command as `sudo -u root /usr/bin/some_backup_related_command_that_needs_sudo`.
+
 ## Helpers
 
 This role also installs helper scripts to `restic_install_path`. These scripts are named after your repository and will ensure environment variables are correct for that repository.

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -14,6 +14,11 @@ restic_cron_mailto: "{{ restic_user }}"
 restic_cron_stdout_file: null
 restic_cron_stderr_file: null
 
+restic_sudo_command_whitelist: []
+# restic_sudo_command_whitelist:
+#   - command: /usr/bin/some_backup_related_command_that_needs_sudo
+#     runas: root
+
 restic_repos: []
 # restic_repos:
 # - name: s3-example

diff --git a/tasks/configure.yml b/tasks/configure.yml
@@ -18,6 +18,16 @@
   no_log: true
   with_items: '{{ restic_repos }}'
 
+- name: Whitelist restic to run certain commands with sudo
+  template:
+    src: 'restic.sudoers.j2'
+    dest: "/etc/sudoers.d/restic-sudoers"
+    owner: root
+    group: root
+    mode: '0440'
+    validate: "visudo -cf %s"
+  when: restic_user != 'root'
+
 - name: Initialize restic repositories
   command: "{{ restic_install_path }}/restic-{{ item.name }} init"
   ignore_errors: true

diff --git a/templates/restic.sudoers.j2 b/templates/restic.sudoers.j2
@@ -0,0 +1,4 @@
+{{ ansible_managed | comment }}
+{% for item in restic_sudo_command_whitelist %}
+{{ restic_user }} ALL = ({{ item.runas | default('ALL') }}) NOPASSWD: {{ item.command }}
+{% endfor %}