Files
@ 3722152897ec
Branch filter:
Location: majic-ansible-roles/roles/backup_client/molecule/default/prepare.yml - annotation
3722152897ec
3.2 KiB
text/x-yaml
MAR-218: Disable Ansible lints for prefixed role variable names:
- At this point in time, it does not make much sense to introduce
prefixing and breaking every single role invocation.
- Might be worth revisting down the line, although it would require
understanding a bit more clearly if prefixing has any kind of
special logic handling or it's pure guidelines.
- At this point in time, it does not make much sense to introduce
prefixing and breaking every single role invocation.
- Might be worth revisting down the line, although it would require
understanding a bit more clearly if prefixing has any kind of
special logic handling or it's pure guidelines.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 | 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 694893c0259a 9882e078677e 88290d45ad87 694893c0259a 88290d45ad87 e75d5d4fba3b 9882e078677e 88290d45ad87 88290d45ad87 88290d45ad87 9882e078677e 9882e078677e 88290d45ad87 694893c0259a 694893c0259a 9882e078677e 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 9f0a023d7371 9f0a023d7371 9f0a023d7371 9f0a023d7371 9f0a023d7371 9f0a023d7371 9f0a023d7371 9f0a023d7371 9f0a023d7371 8d2978c32f31 9f0a023d7371 9f0a023d7371 9f0a023d7371 9f0a023d7371 9f0a023d7371 9f0a023d7371 88290d45ad87 88290d45ad87 9f0a023d7371 9f0a023d7371 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 9882e078677e 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 8d2978c32f31 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 8d2978c32f31 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 88290d45ad87 12e2e1882f77 12e2e1882f77 88290d45ad87 88290d45ad87 | ---
- name: Prepare
hosts: all
become: true
gather_facts: false
tasks:
- name: Install python for Ansible
raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal)
changed_when: false
- name: Update all caches to avoid errors due to missing remote archives
apt:
update_cache: true
changed_when: false
- name: Prepare, helpers
hosts: backup-server
become: true
tasks:
- name: Deploy SSH server keys
copy:
content: "{{ lookup('file', item.key) + '\n' }}"
dest: "{{ item.value }}"
owner: root
group: root
mode: 0600
with_dict:
tests/data/ssh/server_rsa: /etc/ssh/ssh_host_rsa_key
tests/data/ssh/server_ed25519: /etc/ssh/ssh_host_ed25519_key
tests/data/ssh/server_ecdsa: /etc/ssh/ssh_host_ecdsa_key
notify:
- Restart ssh
- name: Drop the outdated public keys
file:
path: "{{ item }}"
state: absent
with_items:
- /etc/ssh/ssh_host_rsa_key.pub
- /etc/ssh/ssh_host_ed25519_key.pub
- /etc/ssh/ssh_host_ecdsa_key.pub
- name: Force the use of internal-sftp subsystem for SFTP
lineinfile:
path: /etc/ssh/sshd_config
regexp: "^Subsystem.*sftp"
line: "Subsystem sftp internal-sftp"
state: present
- name: Deploy custom SSH server configuration that chroots users
copy:
src: "tests/data/backup_server-sshd-chroot_backup_users.conf"
dest: "/etc/ssh/sshd_config.d/chroot_backup_users.conf"
owner: root
group: root
mode: 0600
notify:
- Restart ssh
- name: Set-up backup group that will contain all backup users
group:
name: "backup-users"
- name: Set-up backup user groups
group:
name: "{{ item.name }}"
with_items: "{{ backup_users }}"
- name: Set-up backup users
user:
name: "{{ item.name }}"
group: "{{ item.name }}"
groups:
- "backup-users"
with_items: "{{ backup_users }}"
- name: Set-up authorised keys
authorized_key:
user: "{{ item.name }}"
key: "{{ item.key }}"
with_items: "{{ backup_users }}"
- name: Set-up port forwarding
command: "iptables -t nat -A PREROUTING -p tcp -m tcp --dport '{{ item }}' -j REDIRECT --to-ports 22"
changed_when: false
with_items:
- 2222
- 3333
- name: Change ownership of home directories for SFTP chroot to work
file:
path: "/home/{{ item.name }}"
state: directory
owner: root
group: root
mode: 0755
with_items: "{{ backup_users }}"
- name: Set-up duplicity backup directories
file:
path: "~{{ item.name }}/duplicity"
state: directory
owner: root
group: backup-users
mode: 0770
with_items: "{{ backup_users }}"
handlers:
- name: Restart ssh
service:
name: ssh
state: restarted
vars:
backup_users:
- name: bak-param-mandatory-bookworm
key: "{{ lookup('file', 'tests/data/ssh/parameters-mandatory.pub') }}"
- name: backupuser
key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}"
|