From ce5a075f23f758a0d1c83dfe29b8289c4d90877c Mon Sep 17 00:00:00 2001
From: Sylvia van Os
Date: Wed, 27 Mar 2019 14:18:32 +0100
Subject: [PATCH] Add support for letting restic run certain commands with sudo (#50)

* Add support for letting restic run certain commands with sudo
* Support limiting to users
---
 README.md                   | 10 ++++++++++
 defaults/main.yml           |  5 +++++
 tasks/configure.yml         | 10 ++++++++++
 templates/restic.sudoers.j2 |  4 ++++
 4 files changed, 29 insertions(+)
 create mode 100644 templates/restic.sudoers.j2

diff --git a/README.md b/README.md
index d4ddc1c..09059ab 100644
--- a/README.md
+++ b/README.md
@@ -30,12 +30,22 @@ All variables which can be overridden are stored in [defaults/main.yml](defaults
 | `restic_cron_mailto` | restic_user | who to mail results of the restic crons to, set to "" to not mail |
 | `restic_cron_stdout_file` | null | what file to log restic output to, null means include in mailto, use /dev/null to discard |
 | `restic_cron_stderr_file` | null | what file to log restic errors to, null means include in mailto, use /dev/null to discard |
+| `restic_sudo_command_whitelist` | [] | whitelist of commands restic is allowed to run with sudo |
 | `restic_repos` | [] | restic repositories and cron jobs configuration. More in [defaults/main.yml](defaults/main.yml) |
 
 ## Security
 
 To ensure high security this role can allow restic to be run as different user than root and still allowing read-only access to files. This is implemented by following [PR#1483](https://github.com/restic/restic/pull/1483) from restic repository.
 
+If you need to run certain tools as another user, make sure to list those in `restic_sudo_command_whitelist` as follows:
+```yaml
+restic_sudo_command_whitelist:
+  - command: /usr/bin/some_backup_related_command_that_needs_sudo
+    runas: root
+```
+
+Then, in your actual backup command, add the command as `sudo -u root /usr/bin/some_backup_related_command_that_needs_sudo`.
+
 ## Helpers
 
 This role also installs helper scripts to `restic_install_path`. These scripts are named after your repository and will ensure environment variables are correct for that repository.
diff --git a/defaults/main.yml b/defaults/main.yml
index 33fa273..9749f2e 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -14,6 +14,11 @@ restic_cron_mailto: "{{ restic_user }}"
 restic_cron_stdout_file: null
 restic_cron_stderr_file: null
 
+restic_sudo_command_whitelist: []
+# restic_sudo_command_whitelist:
+#   - command: /usr/bin/some_backup_related_command_that_needs_sudo
+#     runas: root
+
 restic_repos: []
 # restic_repos:
 #   - name: s3-example
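Review bot: The commented example under `restic_sudo_command_whitelist: []` does not say that `runas` is optional or what is used when it is left out; the sudoers template added in this same commit substitutes `ALL` in that case, which in a sudoers runas list means any account, root included. Operators tend to copy this block, so a comment stating the fallback avoids an unintentionally broad grant, e.g. `#     runas: root  # optional; when omitted the sudoers entry uses (ALL), i.e. any user including root`.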
diff --git a/tasks/configure.yml b/tasks/configure.yml
index a15c79a..9653f40 100644
--- a/tasks/configure.yml
+++ b/tasks/configure.yml
@@ -18,6 +18,16 @@
   no_log: true
   with_items: '{{ restic_repos }}'
 
+- name: Whitelist restic to run certain commands with sudo
+  template:
+    src: 'restic.sudoers.j2'
+    dest: "/etc/sudoers.d/restic-sudoers"
+    owner: root
+    group: root
+    mode: '0440'
+    validate: "visudo -cf %s"
+  when: restic_user != 'root'
+
 - name: Initialize restic repositories
   command: "{{ restic_install_path }}/restic-{{ item.name }} init"
   ignore_errors: true
diff --git a/templates/restic.sudoers.j2 b/templates/restic.sudoers.j2
new file mode 100644
index 0000000..d1135a2
--- /dev/null
+++ b/templates/restic.sudoers.j2
@@ -0,0 +1,4 @@
+{{ ansible_managed | comment }}
+{% for item in restic_sudo_command_whitelist %}
+{{ restic_user }} ALL = ({{ item.runas | default('ALL') }}) NOPASSWD: {{ item.command }}
+{% endfor %}
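Review bot: The new task only ever creates `/etc/sudoers.d/restic-sudoers` and is skipped when `restic_user` is `'root'`, so an entry templated for an earlier non-root `restic_user` stays in place after that variable is later set to root, and the old account keeps its `NOPASSWD` rights (changing to a different non-root user is fine, since the file is re-templated). A companion task that removes the file in the skipped case keeps the host's sudo policy tied to the role's current variables; the addition is below. Minor style point in the same task: `src` uses single quotes while `dest` and `validate` use double quotes — pick one style across the task.
```yaml
# … unchanged: "Whitelist restic to run certain commands with sudo" task …

- name: Remove restic sudoers file when restic runs as root
  file:
    path: "/etc/sudoers.d/restic-sudoers"
    state: absent
  when: restic_user == 'root'
```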
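Review bot: Each rendered line grants `NOPASSWD` for `{{ item.command }}` with no argument specification, which in sudoers means the listed binary may be run with any arguments, and `item.runas` falls back to `ALL`, so an entry whose `runas` is omitted may be run as any account including root. The template should at least document this so operators pin arguments in `command` and set `runas` deliberately; a Jinja comment such as `{# a command listed without arguments is matched by sudo with any arguments; runas defaults to ALL (any user) #}` placed before the loop does not reach the rendered file. Note also that `visudo -cf` in the accompanying task checks syntax only, so a `command` value containing `,` may render as additional valid sudoers entries rather than be rejected; if the list is ever fed from anything other than the operator's own vars, that is worth a stricter check.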