ansible: Add restricted rsync endpoint

ansible/hosts

@@ -9,3 +9,4 @@ motis:
       ansible_host: vm-motis.spline.de
       transitous_nginx_site_include_extra: /etc/ssl/routing.spline.inf.fu-berlin.de/include.nginx
       transitous_domain: routing.spline.de
+      transitous_rsync_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL4Pxul2Bci8Vjowx4Q75wQaAXvvWvw1HsCzxBRgi/tI jbb@hyperion"

ansible/motis.yml

@@ -5,13 +5,7 @@
 - name: Set up MOTIS servers
   hosts: motis
   roles:
+    - rsync
     - motis
     - motis-proxy
     - nginx
-  tasks:
-    - name: Install rsync
-      apt:
-        name:
-          - rsync
-          - htop
-          - zstd

ansible/roles/rsync/tasks/main.yml

@@ -0,0 +1,23 @@
+- name: Install rsync
+  apt:
+    name:
+      - rsync
+      - bubblewrap
+      - dash
+
+- name: Create user for rsync upload
+  user:
+    name: rsync
+    shell: /usr/bin/dash
+
+- name: Create rsync target directory
+  file:
+    path: /srv/rsync/transitous/
+    state: directory
+    owner: rsync
+
+- name: Add restricted authorized key for rsync
+  authorized_key:
+    user: rsync
+    state: present
+    key: 'command="bwrap --new-session --die-with-parent --cap-drop ALL --unshare-all --ro-bind /usr/lib/ /usr/lib/ --ro-bind /usr/bin/env /usr/bin/env --ro-bind /usr/bin/python3 /usr/bin/python3 --ro-bind /usr/bin/rrsync /usr/bin/rrsync --ro-bind /usr/bin/rsync /usr/bin/rsync --ro-bind /lib/ /lib/ --ro-bind /lib64/ /lib64 --bind /srv/rsync/transitous/ /srv/rsync/transitous/ -- /usr/bin/rrsync -wo /srv/rsync/transitous/",restrict {{ transitous_rsync_public_key }}'