@ 17cf34f73ca6
Location: majic-ansible-roles/roles/backup_server/tasks/main.yml - annotation
3.9 KiB
text/x-yaml
MAR-28: Implemented additional tests for mail_server role:
- Deploy a number of tools on clients in order to test SMTP, IMAP, and Sieve
services.
- Added one more user to LDAP directory for testing group restrictions.
- Deploy CA certificate on all testing machines for TLS validation purposes.
- Use different custom-configured cipher for mail server ciphers.
- Fixed invalid postmaster address for parameters-optional host.
- Deploy configuration files for use with Imap-CLI on client test machines.
- Updated testing of SMTP server to include checks for users that do not belong
to mail group.
- Extended some SMTP-related tests to cover both test servers.
- Some small fixes in SMTP-related tests for expected output from commands.
- Implemented tests covering Dovecot (IMAP + Sieve) functionality.
- Implemented tests for running/enabled services.
- Implemented tests for ClamAV.
- Implemented tests for firewall and connectivity.
- Implemented tests for Postfix TLS configuration.
- TODO: Tests for Sieve TLS configuration have not been written yet due to
limitation of available tools.
---

- name: Install backup software
  apt: name="{{ item }}" state=installed
  with_items:
    - duplicity
    - duply

- name: Create directory for storing backups
  file: path="/srv/backups" state=directory
        owner="root" group="root" mode=0751

# Each backup client gets its own system user and group named bak-<server>
# (dots in the server name replaced by underscores); the group id mirrors
# the optional uid given for the client.
- name: Create backup client groups
  group: name="{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
         gid="{{ item.uid | default(omit) }}" system="yes"
  with_items: "{{ backup_clients }}"

- name: Create backup client users
  user: name="{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
        group="{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
        groups="backup"
        uid="{{ item.uid | default(omit) }}"
        system=yes createhome=no state=present home="/srv/backups/{{ item.server }}"
  with_items: "{{ backup_clients }}"

# The home directory, the .ssh directory and authorized_keys are owned by
# root, so a client that holds only its backup key cannot add further keys
# or change its own login setup; only the duplicity subdirectory is
# writable by the client.
- name: Create home directories for backup client users
  file: path="/srv/backups/{{ item.server }}" state=directory
        owner="root" group="{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}" mode=750
  with_items: "{{ backup_clients }}"

- name: Create duplicity directories for backup client users
  file: path="/srv/backups/{{ item.server }}/duplicity" state=directory
        owner="{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
        group="{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
        mode=770
  with_items: "{{ backup_clients }}"

- name: Create SSH directory for backup client users
  file: path="/srv/backups/{{ item.server }}/.ssh" state=directory
        owner="root" group="root" mode=751
  with_items: "{{ backup_clients }}"

- name: Populate authorized keys for backup client users
  authorized_key: user="{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
                  key="{{ item.public_key }}" manage_dir="no" state="present"
  with_items: "{{ backup_clients }}"

- name: Set-up authorized_keys file permissions for backup client users
  file: path="/srv/backups/{{ item.server }}/.ssh/authorized_keys" state=file
        owner="root" group="{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
        mode=640
  with_items: "{{ backup_clients }}"

# The regular sshd refuses members of the backup group; backup clients are
# meant to use the separate ssh-backup instance configured below.
- name: Deny the backup group login via regular SSH
  lineinfile: dest="/etc/ssh/sshd_config" state=present line="DenyGroups backup"
  notify:
    - Restart SSH

- name: Set-up directory for the backup OpenSSH server instance
  file: path="/etc/ssh-backup/" state=directory
        owner="root" group="root" mode="0700"

- name: Deploy configuration file for the backup OpenSSH server instance service
  copy: src="ssh-backup.default" dest="/etc/default/ssh-backup"
        owner="root" group="root" mode="0644"
  notify:
    - Restart backup SSH server

- name: Deploy configuration file for the backup OpenSSH server instance
  copy: src="backup-sshd_config" dest="/etc/ssh-backup/sshd_config"
        owner="root" group="root" mode="0600"
  notify:
    - Restart backup SSH server

# Host keys are rendered from a variable; no_log keeps the private key
# material out of the Ansible output.
- name: Deploy the private keys for backup OpenSSH server instance
  template:
    src: "ssh_host_key.j2"
    dest: "/etc/ssh-backup/ssh_host_{{ item.key }}_key"
    owner: root
    group: root
    mode: 0600
  with_dict: "{{ backup_host_ssh_private_keys }}"
  no_log: True
  notify:
    - Restart backup SSH server

- name: Deploy backup OpenSSH server systemd service file
  copy: src="ssh-backup.service" dest="/etc/systemd/system/ssh-backup.service"
        owner=root group=root mode=0644
  notify:
    - Reload systemd
    - Restart backup SSH server

- name: Start and enable OpenSSH backup service
  service: name="ssh-backup" state="started" enabled="yes"

- name: Deploy firewall configuration for backup server
  template: src="ferm_backup.conf.j2" dest="/etc/ferm/conf.d/40-backup.conf" owner=root group=root mode=0640
  notify:
    - Restart ferm

- name: Explicitly run all handlers
  include: ../handlers/main.yml
  when: "handlers | default(False) | bool() == True"
  tags:
    - handlers
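A caveat on the "Deny the backup group login via regular SSH" task: lineinfile with neither insertbefore nor insertafter appends a missing line at the end of /etc/ssh/sshd_config. sshd scopes every directive that follows a Match line to that block, and DenyGroups is one of the keywords allowed inside Match, so if the file already ends with an active Match block the appended directive only applies to connections matching that block and members of the backup group can still log in through the regular sshd. The script below is an added example, not code from majic-ansible-roles: it parses an sshd_config in the two spellings sshd accepts (keyword value and keyword=value), reports the scope of every DenyGroups directive, and produces a corrected file by placing the directive before the first Match block. The two sample configurations are constructed for the example.

```python
"""Locate the scope of DenyGroups directives in an sshd_config.

Added example (not part of majic-ansible-roles). GOOD_CONFIG and BAD_CONFIG
are constructed sample files, not configurations taken from the project.
"""
import re
from typing import List, Tuple


def deny_groups_scopes(config_text: str) -> List[Tuple[str, List[str]]]:
    """Return one (scope, groups) pair per DenyGroups directive.

    scope is "global" for directives that precede any Match line, otherwise
    the Match criteria the directive sits under (e.g. "Address 10.0.0.0/8").
    "Match all" re-opens global scope, as sshd_config(5) documents.
    """
    scope = "global"
    found: List[Tuple[str, List[str]]] = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts "Keyword value" and "Keyword=value"; keywords are
        # case-insensitive, so normalise before comparing.
        match = re.match(r"^([A-Za-z]+)\s*=?\s*(.*)$", line)
        if not match:
            continue
        keyword, value = match.group(1).lower(), match.group(2).strip()
        if keyword == "match":
            scope = "global" if value.lower() == "all" else value
        elif keyword == "denygroups":
            found.append((scope, value.split()))
    return found


def group_denied_globally(config_text: str, group: str = "backup") -> bool:
    """True when DenyGroups <group> applies to every connection."""
    return any(scope == "global" and group in groups
               for scope, groups in deny_groups_scopes(config_text))


def ensure_global_deny_groups(config_text: str, group: str = "backup") -> str:
    """Return config_text with DenyGroups <group> in global scope.

    Unchanged if the group is already denied globally. Otherwise the directive
    is inserted immediately before the first Match line (or appended when the
    file has no Match block), so it cannot land inside a Match scope.
    """
    if group_denied_globally(config_text, group):
        return config_text
    lines = config_text.splitlines()
    directive = f"DenyGroups {group}"
    for index, raw in enumerate(lines):
        if re.match(r"^\s*match\b", raw, re.IGNORECASE):
            lines.insert(index, directive)
            break
    else:
        lines.append(directive)
    return "\n".join(lines) + "\n"


# Constructed sample: the directive precedes the Match block, so it is global.
GOOD_CONFIG = """\
Port 22
PermitRootLogin no
DenyGroups backup
#Match User anoncvs
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

# Constructed sample: the directive was appended after an active Match block
# (what lineinfile does by default), so it only covers 10.0.0.0/8 clients.
BAD_CONFIG = """\
Port 22
PermitRootLogin no
Match Address 10.0.0.0/8
    PasswordAuthentication yes
DenyGroups backup
"""


if __name__ == "__main__":
    for label, text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, deny_groups_scopes(text),
              "global" if group_denied_globally(text) else "NOT global")
    print(ensure_global_deny_groups(BAD_CONFIG))
```

On the Ansible side the same placement is obtained by giving lineinfile `insertbefore: '^Match'` together with `firstmatch: yes`, which inserts before the first Match block rather than after the last match of the pattern; on the host, `sshd -T -C user=...,host=...,addr=...` (extended test mode, sshd(8)) prints the effective directives for a given connection context and is the quickest way to confirm the deny actually applies to a backup user arriving on port 22.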