More backup solution engineering

2025-08-20 17:32:18 -04:00 · 2025-08-20 17:32:18 -04:00 · 16e9c32e41
commit 16e9c32e41
parent 752353cc41
2 changed files with 106 additions and 2 deletions
--- a/inventories/core_infrastructure.yml
+++ b/inventories/core_infrastructure.yml
@ -25,8 +25,28 @@ all:
      ansible_host: "10.42.0.3"
    openocean:
      ansible_host: "172.16.132.2"
+      backup_url: "172.16.132.2"
+      backup_user: "backup"
+      backup_user_password: !vault |
+        $ANSIBLE_VAULT;1.1;AES256
+        31336636333061393333326263353835636431313739613462356531623532663137626466613433
+        3438616239333536643835643933333461323666343864640a386361306163623261656630643837
+        65396139333264636333656337383766393931393934373335646231336330656561303039326665
+        3331636339356236330a333330373264306163393162386330393763613332376261373433303035
+        65633034366439343232356639346665326234666630633063616437376131396463
+      backup_location: "/backup/pfsense"
    boardwalk:
      ansible_host: "10.77.7.2"
+      backup_url: "10.77.7.2"
+      backup_user: "backup"
+      backup_user_password: !vault |
+        $ANSIBLE_VAULT;1.1;AES256
+        34313763623733323133393734326533333661343239393037666462323732393839386131393165
+        6233376533623431333238373039353330616265363566320a393730343938306430313864666534
+        36363736303436643163313636303931323032366136616634366363383036303737356336343638
+        6566663062336566320a323536303233393431363263313933643839303435356266656136343438
+        35306638356564333962656433323735656136386130373233393765616265306636
+      backup_location: "/backup/pfsense"
  children:
    docker_nodes:
      hosts:
--- a/playbooks/backup_protocol.yml
+++ b/playbooks/backup_protocol.yml
@ -1,6 +1,90 @@
 ---
- name: Backup Protocol
-  hosts: all
+# Bits an pieces of this play are stolen from https://github.com/gavinwill/ansible-role-pfsense-backup/tree/main
+- name: PFSense Backups
+  hosts: pfsense_nodes
+  tasks:
+    - name: Get Cookies and CSRF Token
+      ansible.builtin.uri:
+        url: "https://{{ backup_url }}/diag_backup.php"
+        validate_certs: false
+        method: GET
+        return_content: true
+      register: pfsense_cookie_token
+      no_log: "{{ pfsense_backup_disable_logging | default(false) }}"
+      delegate_to: blacktide
+
+    - name: Set CSRF Token and Cookie Fact
+      ansible.builtin.set_fact:
+        pfsense_backup_csrf: "{{ pfsense_cookie_token.content | regex_search('var\\s+csrfMagicToken\\s+=\\s+\\\"([a-f0-9sidp:;,]+)\\\"', '\\1') }}"
+        pfsense_backup_cookie: "{{ pfsense_cookie_token.set_cookie }}"
+      no_log: "{{ pfsense_backup_disable_logging | default(false) }}"
+
+    - name: Authenticate with backup page and register backup CSRF
+      ansible.builtin.uri:
+        url: "https://{{ backup_url }}/diag_backup.php"
+        validate_certs: false
+        follow_redirects: false
+        method: POST
+        return_content: true
+        body_format: form-urlencoded
+        status_code: 302
+        body:
+          login: Login
+          usernamefld: "{{ backup_user }}"
+          passwordfld: "{{ backup_user_password }}"
+          __csrf_magic: "{{ pfsense_backup_csrf }}"
+        headers:
+          Cookie: "{{ pfsense_backup_cookie }}"
+      register: pfsense_cookie_token_2
+      delegate_to: blacktide
+      no_log: "{{ pfsense_backup_disable_logging | default(false) }}"
+
+    - name: Set Cookie Fact from Backup page
+      ansible.builtin.set_fact:
+        pfsense_backup_cookie_1: "{{ pfsense_cookie_token_2.set_cookie }}"
+      no_log: "{{ pfsense_backup_disable_logging | default(false) }}"
+
+    - name: Fetch Target page for new CSRF token
+      ansible.builtin.uri:
+        url: "https://{{ backup_url }}/diag_backup.php"
+        validate_certs: false
+        follow_redirects: false
+        method: GET
+        return_content: true
+        headers:
+          Cookie: "{{ pfsense_backup_cookie_1 }}"
+      register: pfsense_cookie_token_3
+      delegate_to: blacktide
+      no_log: "{{ pfsense_backup_disable_logging | default(false) }}"
+
+    - name: Set fact for CSRF Token and Cookie
+      ansible.builtin.set_fact:
+        pfsense_backup_csrf_1: "{{ pfsense_cookie_token3.content | regex_search('var\\s+csrfMagicToken\\s+=\\s+\\\"([a-f0-9sidp:;,]+)\\\"', '\\1') }}"
+        pfsense_backup_cookie_2: "{{ pfsense_cookie_token_3.set_cookie }}"
+      no_log: "{{ pfsense_backup_disable_logging | default(false) }}"
+
+    - name: Download Backup Configuration
+      ansible.builtin.uri:
+        url: "https://{{ backup_url }}/diag_backup.php"
+        validate_certs: false
+        follow_redirects: false
+        method: "POST"
+        return_content: true
+        body_format: form-urlencoded
+        body:
+          download: download
+          backupssh: "yes"
+          backupdata: "yes"
+          donotbackuprrd: "yes"
+          __csrf_magic: "{{ pfsense_backup_csrf_1 }}"
+        headers:
+          Cookie: "{{ pfsense_backup_cookie_2 }}"
+        dest: "{{ backup_location }}/{{ inventory_hostname }}_{{ now().strftime('%Y%m%d%H%M%S') }}.xml"
+      changed_when: false
+      no_log: "{{ pfsense_backup_disable_logging | default(false) }}"
+    
+- name: Docker Infrastructure Compose Backups
+  hosts: docker_nodes
  become: true
  become_method: sudo
  collections: