
branko
MAR-218: Enable case-sensitive column name handling for database privileges:

- This will become a new default in the next major release of the
community.mysql collection.
- Gets rid of the Ansible mysql_user module warning.
---

- name: Install backup software
  # duplicity does the actual backups; duply is the profile-based
  # front-end the clients and this server drive it with.
  ansible.builtin.apt:
    state: present
    name:
      - duplicity
      - duply

- name: Create directory for storing backups
  # Root-owned top-level directory. The o+x bit in 0751 is deliberate:
  # the per-client system users created below are not members of group
  # root, yet they must traverse this directory to reach their own
  # homes under /srv/backups/<server>.
  ansible.builtin.file:
    path: /srv/backups
    state: directory
    mode: "0751"
    owner: root
    group: root

- name: Create backup client groups
  # One primary group per client, named bak-<server> with dots turned
  # into underscores. The gid mirrors the uid given to the matching
  # user below and is left to the system when the client defines none.
  ansible.builtin.group:
    name: "bak-{{ item.server | replace('.', '_') }}"
    system: true
    gid: "{{ item.uid | default(omit) }}"
  with_items: "{{ backup_clients }}"

- name: Create backup client users
  # One system account per client. The home directory is intentionally
  # not created here: the tasks below deploy it root-owned so the client
  # cannot alter its own .ssh contents. `groups` is set without
  # `append`, so "backup" is the account's only supplementary group;
  # the DenyGroups rule for the regular sshd relies on that membership.
  ansible.builtin.user:
    name: "bak-{{ item.server | replace('.', '_') }}"
    state: present
    system: true
    uid: "{{ item.uid | default(omit) }}"
    group: "bak-{{ item.server | replace('.', '_') }}"
    groups: backup
    home: "/srv/backups/{{ item.server }}"
    create_home: false
  with_items: "{{ backup_clients }}"

- name: Create home directories for backup client users
  # Home is owned by root and only group-readable/traversable (0750):
  # the client can enter it but cannot create or rename entries, which
  # keeps the .ssh directory and authorized_keys out of its control.
  ansible.builtin.file:
    path: "/srv/backups/{{ item.server }}"
    state: directory
    mode: "0750"
    owner: root
    group: "bak-{{ item.server | replace('.', '_') }}"
  with_items: "{{ backup_clients }}"

- name: Create duplicity directories for backup client users
  # The only location under the client's home that the client account
  # may write to; it is owned by the client and has no access for others.
  ansible.builtin.file:
    path: "/srv/backups/{{ item.server }}/duplicity"
    state: directory
    mode: "0770"
    owner: "bak-{{ item.server | replace('.', '_') }}"
    group: "bak-{{ item.server | replace('.', '_') }}"
  with_items: "{{ backup_clients }}"

- name: Create SSH directory for backup client users
  # root:root so the client account cannot add or replace keys; o+x lets
  # the key file inside be reached while the file's own mode (set below)
  # decides who may read it.
  ansible.builtin.file:
    path: "/srv/backups/{{ item.server }}/.ssh"
    state: directory
    mode: "0751"
    owner: root
    group: root
  with_items: "{{ backup_clients }}"

- name: Populate authorized keys for backup client users
  # manage_dir is off because the .ssh directory is created root-owned
  # by the task above; letting this module manage it would hand it back
  # to the client user.
  # NOTE(review): the key is installed without key_options; confirm that
  # backup-sshd_config already limits forwarding/pty for these accounts
  # before relying on the file layout alone.
  ansible.posix.authorized_key:
    user: "bak-{{ item.server | replace('.', '_') }}"
    state: present
    manage_dir: false
    key: "{{ item.public_key }}"
  with_items: "{{ backup_clients }}"

- name: Set-up authorized_keys file permissions for backup client users
  # Written by the authorized_key task above, then re-owned here: root
  # keeps write access, the client's group may only read (0640), so the
  # client can authenticate but cannot change which keys are trusted.
  ansible.builtin.file:
    path: "/srv/backups/{{ item.server }}/.ssh/authorized_keys"
    state: file
    mode: "0640"
    owner: root
    group: "bak-{{ item.server | replace('.', '_') }}"
  with_items: "{{ backup_clients }}"

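- name: Deny the backup group login via regular SSH
  # Keep the directive in the global section of sshd_config. lineinfile
  # appends at EOF by default, and a line that lands after a "Match"
  # block only applies inside that block instead of to every connection;
  # inserting at BOF avoids that. An already-present line is left where
  # it is, so existing hosts stay idempotent.
  ansible.builtin.lineinfile:
    path: "/etc/ssh/sshd_config"
    state: present
    line: "DenyGroups backup"
    insertbefore: BOF
    # Refuse to write a config the daemon cannot parse, so the restart
    # handler never leaves the host without a working sshd.
    validate: "/usr/sbin/sshd -t -f %s"
  notify:
    - Restart SSH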

- name: Set-up directory for the backup OpenSSH server instance
  # Holds the second sshd's configuration and host keys; root-only (0700)
  # because the private host keys deployed below live here.
  ansible.builtin.file:
    path: /etc/ssh-backup/
    state: directory
    mode: "0700"
    owner: root
    group: root

- name: Deploy configuration file for the backup OpenSSH server instance service
  # Environment/defaults file read by the ssh-backup service unit;
  # contains no secrets, hence world-readable.
  ansible.builtin.copy:
    src: ssh-backup.default
    dest: /etc/default/ssh-backup
    mode: "0644"
    owner: root
    group: root
  notify:
    - Restart backup SSH server

- name: Deploy configuration file for the backup OpenSSH server instance
  # sshd_config for the dedicated backup listener, readable by root only.
  ansible.builtin.copy:
    src: backup-sshd_config
    dest: /etc/ssh-backup/sshd_config
    mode: "0600"
    owner: root
    group: root
  notify:
    - Restart backup SSH server

- name: Deploy the private keys for backup OpenSSH server instance
  # One host key per entry in backup_host_ssh_private_keys, keyed by key
  # type. no_log keeps the key material out of task output and logs;
  # the variable itself is presumably vault-encrypted — verify.
  ansible.builtin.template:
    src: ssh_host_key.j2
    dest: "/etc/ssh-backup/ssh_host_{{ item.key }}_key"
    mode: "0600"
    owner: root
    group: root
  no_log: true
  with_dict: "{{ backup_host_ssh_private_keys }}"
  notify:
    - Restart backup SSH server

- name: Deploy backup OpenSSH server systemd service file
  # A changed unit needs a daemon-reload before the restart picks it up,
  # hence both handlers.
  ansible.builtin.copy:
    src: ssh-backup.service
    dest: /etc/systemd/system/ssh-backup.service
    mode: "0644"
    owner: root
    group: root
  notify:
    - Reload systemd
    - Restart backup SSH server

- name: Start and enable OpenSSH backup service
  # Dedicated sshd instance the backup clients connect to.
  ansible.builtin.service:
    name: ssh-backup
    enabled: true
    state: started

- name: Deploy firewall configuration for backup server
  # ferm rules for the backup listener; root:root 0640 like the rest of
  # the ferm configuration.
  ansible.builtin.template:
    src: ferm_backup.conf.j2
    dest: /etc/ferm/conf.d/40-backup.conf
    mode: "0640"
    owner: root
    group: root
  notify:
    - Restart ferm

- name: Explicitly run all handlers
  # Opt-in via run_handlers=true: lets a caller flush the notified
  # handlers now instead of waiting for the end of the play.
  ansible.builtin.include_tasks: ../handlers/main.yml
  tags:
    - handlers
  when: run_handlers | default(false) | bool