From 874ec197fea3b9c27c4a13816c37fe83a4307ecf Mon Sep 17 00:00:00 2001
From: counterweight
Date: Thu, 21 Aug 2025 22:45:47 +0200
Subject: [PATCH] more stuff

---
 ansible/example.inventory.ini | 2 +-
 .../lnbits/deploy_lnbits_playbook.yml | 35 --------
 .../lnbits/setup_backup_lnbits_to_lapy.yml | 86 +++++++++++++++++++
 3 files changed, 87 insertions(+), 36 deletions(-)
 create mode 100644 ansible/services/lnbits/setup_backup_lnbits_to_lapy.yml

diff --git a/ansible/example.inventory.ini b/ansible/example.inventory.ini
index cb24bbf..e6aaec0 100644
--- a/ansible/example.inventory.ini
+++ b/ansible/example.inventory.ini
@@ -7,4 +7,4 @@ your.vps.ip.here ansible_user=counterweight ansible_port=22 ansible_ssh_private_
 # Local connection to laptop: this assumes you're running ansible commands from your personal laptop
 # Make sure to adjust the username
 [lapy]
-localhost ansible_connection=local ansible_user=your laptop user
\ No newline at end of file
+localhost ansible_connection=local ansible_user=your laptop user gpg_recipient=your_email@example.com gpg_key_id=your_gpg_key_id_here
\ No newline at end of file
diff --git a/ansible/services/lnbits/deploy_lnbits_playbook.yml b/ansible/services/lnbits/deploy_lnbits_playbook.yml
index ea92a82..75b24f7 100644
--- a/ansible/services/lnbits/deploy_lnbits_playbook.yml
+++ b/ansible/services/lnbits/deploy_lnbits_playbook.yml
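Review bot: `gpg_key_id` is added to the `[lapy]` host line but the playbook that reads it only echoes it in a debug task; the generated backup script encrypts with `--recipient "{{ gpg_recipient }}"` alone, so either drop `gpg_key_id` from the example inventory or make the script use it (`--recipient` accepts a key id, which is less ambiguous than an e-mail address when more than one key carries that uid). The new line still ends without a newline, as the old one did, so every later edit to this file will keep producing the `\ No newline at end of file` marker. The `ansible_user=your laptop user` placeholder predates this change, but as written it appears to split into three whitespace-separated tokens, so the line will not parse until the placeholder is replaced with a single token or quoted.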
@@ -128,41 +128,6 @@
 enabled: yes
 state: started
 
- - name: Create Fail2Ban filter for LNBits
- copy:
- dest: /etc/fail2ban/filter.d/lnbits.local
- owner: root
- group: root
- mode: '0644'
- content: |
- [INCLUDES]
- before = common.conf
-
- [Definition]
- failregex = ^.*?Invalid credentials.*?IP: .*$
- ignoreregex =
-
- - name: Create Fail2Ban jail for LNBits
- copy:
- dest: /etc/fail2ban/jail.d/lnbits.local
- owner: root
- group: root
- mode: '0644'
- content: |
- [lnbits]
- enabled = true
- port = http,https
- filter = lnbits
- logpath = /var/log/lnbits/lnbits.log
- maxretry = 10
- findtime = 10m
- bantime = 1h
-
- - name: Restart fail2ban to apply changes
- systemd:
- name: fail2ban
- state: restarted
-
 - name: Ensure Caddy sites-enabled directory exists
 file:
 path: "{{ caddy_sites_dir }}"
diff --git a/ansible/services/lnbits/setup_backup_lnbits_to_lapy.yml b/ansible/services/lnbits/setup_backup_lnbits_to_lapy.yml
new file mode 100644
index 0000000..376b394
--- /dev/null
+++ b/ansible/services/lnbits/setup_backup_lnbits_to_lapy.yml
@@ -0,0 +1,86 @@
+ - name: Configure local backup for LNBits from remote
+ hosts: lapy
+ gather_facts: no
+ vars_files:
+ - ../../infra_vars.yml
+ - ./lnbits_vars.yml
+ vars:
+ remote_data_path: "{{ lnbits_data_dir }}"
+ remote_lnbits_dir: "{{ lnbits_dir }}/lnbits"
+ gpg_recipient: "{{ hostvars['localhost']['gpg_recipient'] | default('') }}"
+ gpg_key_id: "{{ hostvars['localhost']['gpg_key_id'] | default('') }}"
+
+ tasks:
+ - name: Debug remote backup vars
+ debug:
+ msg:
+ - "remote_host={{ remote_host }}"
+ - "remote_user={{ remote_user }}"
+ - "remote_data_path='{{ remote_data_path }}'"
+ - "local_backup_dir={{ local_backup_dir }}"
+ - "gpg_recipient={{ gpg_recipient }}"
+ - "gpg_key_id={{ gpg_key_id }}"
+
+ - name: Ensure local backup directory exists
+ file:
+ path: "{{ local_backup_dir }}"
+ state: directory
+ mode: '0755'
+
+ - name: Ensure ~/.local/bin exists
+ file:
+ path: "{{ lookup('env', 'HOME') }}/.local/bin"
+ state: directory
+ mode: '0755'
+
+ - name: Create backup script
+ copy:
+ dest: "{{ backup_script_path }}"
+ mode: '0750'
+ content: |
+ #!/bin/bash
+ set -euo pipefail
+
+ TIMESTAMP=$(date +'%Y-%m-%d')
+ ENCRYPTED_BACKUP="{{ local_backup_dir }}/lnbits-backup-$TIMESTAMP.tar.gz.gpg"
+
+ {% if remote_key_file %}
+ SSH_CMD="ssh -i {{ remote_key_file }} -p {{ hostvars[remote_host]['ansible_port'] | default(22) }}"
+ {% else %}
+ SSH_CMD="ssh -p {{ hostvars[remote_host]['ansible_port'] | default(22) }}"
+ {% endif %}
+
+ # Stop LNBits service before backup
+ echo "Stopping LNBits service..."
+ $SSH_CMD {{ remote_user }}@{{ remote_host }} "sudo systemctl stop lnbits.service"
+
+ # Create encrypted backup on the fly
+ # First, create a tar archive of the data directory and pipe it through gpg
+ echo "Creating backup..."
+ $SSH_CMD {{ remote_user }}@{{ remote_host }} "cd {{ remote_data_path }} && tar -czf - ." | \
+ gpg --encrypt --recipient "{{ gpg_recipient }}" --output "$ENCRYPTED_BACKUP"
+
+ # Also backup the .env file separately (smaller, might need quick access)
+ $SSH_CMD {{ remote_user }}@{{ remote_host }} "cat {{ remote_lnbits_dir }}/.env" | \
+ gpg --encrypt --recipient "{{ gpg_recipient }}" --output "{{ local_backup_dir }}/lnbits-env-$TIMESTAMP.gpg"
+
+ # Start LNBits service after backup
+ echo "Starting LNBits service..."
+ $SSH_CMD {{ remote_user }}@{{ remote_host }} "sudo systemctl start lnbits.service"
+
+ # Rotate old encrypted backups (keep 14 days)
+ find "{{ local_backup_dir }}" -name "lnbits-backup-*.tar.gz.gpg" -mtime +13 -delete
+ find "{{ local_backup_dir }}" -name "lnbits-env-*.gpg" -mtime +13 -delete
+
+ echo "Backup completed successfully"
+
+ - name: Ensure cronjob for backup exists
+ cron:
+ name: "LNBits backup"
+ user: "{{ lookup('env', 'USER') }}"
+ job: "{{ backup_script_path }}"
+ minute: 5
+ hour: "9,12,15,18"
+
+ - name: Run the backup script to make the first backup
+ command: "{{ backup_script_path }}"
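Review bot: With `set -euo pipefail` at the top of the generated script, any failure between the `sudo systemctl stop lnbits.service` line and the later `sudo systemctl start lnbits.service` line (a dropped ssh session, a tar error, gpg rejecting the recipient) exits the script with LNBits left stopped until a later cron run happens to succeed; adding `trap '$SSH_CMD {{ remote_user }}@{{ remote_host }} "sudo systemctl start lnbits.service"' EXIT` directly after the stop command brings the service back on every exit path. Both gpg invocations run without `--batch`, and because the cron entry fires four times a day while `TIMESTAMP` has only day resolution, from the second run onward `--output "$ENCRYPTED_BACKUP"` already exists and gpg will not overwrite it non-interactively (an unverified recipient key triggers a similar interactive prompt); `gpg --batch --yes --encrypt ...`, or a timestamp with `%H%M`, turns both cases into a hard error or a non-issue. `gpg_recipient` defaults to `''` in `vars` and is only printed by the debug task, so a missing inventory value silently writes a script whose `--recipient ""` fails under cron; an `assert` task checking `gpg_recipient | length > 0` before the copy task would fail the play at deploy time instead. `remote_host`, `remote_user`, `remote_key_file`, `local_backup_dir` and `backup_script_path` are not defined in this file and presumably come from the vars_files, and `{% if remote_key_file %}` raises on an undefined name rather than an empty one, so `{% if remote_key_file | default('') %}` would be more forgiving.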