branko
MAR-218: Upgrade test site for Ansible 10.x and fix linting errors:

- Disable name checks when importing playbooks into top-level playbook
to avoid naming duplication.
---

# Bootstrap play: runs against every instance before facts are gathered,
# because the Python interpreter Ansible needs may not exist yet.
- name: Prepare
  hosts: all
  gather_facts: false
  become: true
  tasks:
    # `raw` bypasses the Python-based module system entirely, so it works on
    # an image that has no interpreter; the test guards against reinstalling.
    - name: Install python for Ansible
      ansible.builtin.raw: >-
        test -e /usr/bin/python3 ||
        (apt -y update && apt install -y python3-minimal)
      changed_when: false

    # Refresh the package index up front so later apt tasks do not fail on
    # stale archive metadata.
    - name: Update all caches to avoid errors due to missing remote archives
      ansible.builtin.apt:
        update_cache: true
      changed_when: false

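# Helper play: turns the backup-server instance into an SFTP-only backup
# target (chrooted backup users, fixture host keys, port redirection).
- name: Prepare, helpers
  hosts: backup-server
  become: true
  tasks:

    # The fixture host keys (private halves included) are checked into the
    # test tree, so they are not secret; they only give the test server a
    # stable identity. Mode 0600 keeps the files shaped like real host keys.
    - name: Deploy SSH server keys
      ansible.builtin.copy:
        content: "{{ lookup('file', item.key) + '\n' }}"
        dest: "{{ item.value }}"
        owner: root
        group: root
        mode: "0600"
      with_dict:
        tests/data/ssh/server_rsa: /etc/ssh/ssh_host_rsa_key
        tests/data/ssh/server_ed25519: /etc/ssh/ssh_host_ed25519_key
        tests/data/ssh/server_ecdsa: /etc/ssh/ssh_host_ecdsa_key
      notify:
        - Restart ssh

    # The .pub files left over from the image's own key generation no longer
    # match the private keys deployed above, so drop them.
    - name: Drop the outdated public keys
      ansible.builtin.file:
        path: "{{ item }}"
        state: absent
      with_items:
        - /etc/ssh/ssh_host_rsa_key.pub
        - /etc/ssh/ssh_host_ed25519_key.pub
        - /etc/ssh/ssh_host_ecdsa_key.pub

    # internal-sftp needs no binaries inside the chroot, unlike the external
    # sftp-server helper.
    - name: Force the use of internal-sftp subsystem for SFTP
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^Subsystem.*sftp"
        line: "Subsystem sftp internal-sftp"
        state: present

    - name: Deploy custom SSH server configuration that chroots users
      ansible.builtin.copy:
        src: "tests/data/backup_server-sshd-chroot_backup_users.conf"
        dest: "/etc/ssh/sshd_config.d/chroot_backup_users.conf"
        owner: root
        group: root
        mode: "0600"
      notify:
        - Restart ssh

    - name: Set-up backup group that will contain all backup users
      ansible.builtin.group:
        name: "backup-users"

    # One primary group per backup user, created before the user so the
    # user task can reference it.
    - name: Set-up backup user groups
      ansible.builtin.group:
        name: "{{ item.name }}"
      with_items: "{{ backup_users }}"

    - name: Set-up backup users
      ansible.builtin.user:
        name: "{{ item.name }}"
        group: "{{ item.name }}"
        groups:
          - "backup-users"
      with_items: "{{ backup_users }}"

    # Public keys come from the fixture files referenced in `backup_users`.
    - name: Set-up authorised keys
      ansible.posix.authorized_key:
        user: "{{ item.name }}"
        key: "{{ item.key }}"
      with_items: "{{ backup_users }}"

    # Redirect the alternative ports to sshd. The iptables module checks for
    # an existing identical rule before appending, so re-running prepare does
    # not stack duplicate PREROUTING rules the way an unconditional
    # `iptables -A` did, and the task reports changed status honestly.
    - name: Set-up port forwarding
      ansible.builtin.iptables:
        table: nat
        chain: PREROUTING
        protocol: tcp
        destination_port: "{{ item }}"
        jump: REDIRECT
        to_ports: "22"
      with_items:
        - 2222
        - 3333

    # sshd's ChrootDirectory refuses a chroot path that is not root-owned and
    # free of group/world write permission, hence root:root 0755 on the home.
    - name: Change ownership of home directories for SFTP chroot to work
      ansible.builtin.file:
        path: "/home/{{ item.name }}"
        state: directory
        owner: root
        group: root
        mode: "0755"
      with_items: "{{ backup_users }}"

    # `~name` is expanded by the module's path handling to the account's
    # home directory. Group write for backup-users is what lets the chrooted
    # user upload into an otherwise root-owned tree.
    - name: Set-up duplicity backup directories
      ansible.builtin.file:
        path: "~{{ item.name }}/duplicity"
        state: directory
        owner: root
        group: backup-users
        mode: "0770"
      with_items: "{{ backup_users }}"

  handlers:
    - name: Restart ssh
      ansible.builtin.service:
        name: ssh
        state: restarted

  vars:
    # Test accounts; the public keys are read from fixture files so the
    # matching private keys used by the client side stay in the test tree.
    backup_users:
      - name: bak-param-mandatory-bookworm
        key: "{{ lookup('file', 'tests/data/ssh/parameters-mandatory.pub') }}"
      - name: backupuser
        key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}"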