branko
MAR-218: Disable Ansible lints for prefixed role variable names:

- At this point in time, it does not make much sense to introduce
prefixing and breaking every single role invocation.
- Might be worth revisiting down the line, although it would require
understanding a bit more clearly if prefixing has any kind of
special logic handling or it's pure guidelines.
---

# Molecule "prepare" stage: brings freshly created instances to a state in
# which the role under test can be applied to them.
- name: Prepare
  hosts: all
  # Facts are not gathered here because the target may not have a Python
  # interpreter yet; the first task below installs one.
  gather_facts: false
  become: true
  tasks:

    # The raw module is used deliberately: it is the only module that works
    # without a Python interpreter on the target.
    - name: Install python for Ansible
      raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal)
      changed_when: false

    # Reported as unchanged so that a cache refresh never shows up as a
    # change in the prepare stage.
    - name: Update all caches to avoid errors due to missing remote archives
      apt:
        update_cache: true
      changed_when: false

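# Sets up the helper "backup-server" host that the backup_client role is
# tested against: fixed SSH host keys, an SFTP chroot for backup users, and
# port redirections to the SSH daemon.
#
# File modes are quoted throughout: an unquoted 0600 is parsed by YAML 1.1
# loaders as an octal integer, which ansible-lint flags (risky-octal) and
# which silently breaks if a leading zero is ever dropped.
- name: Prepare, helpers
  hosts: backup-server
  become: true
  tasks:

    # Host keys are test fixtures from tests/data/ssh so the client side of
    # the test suite can pin a known server fingerprint. They are only ever
    # deployed to the throwaway molecule instance.
    - name: Deploy SSH server keys
      copy:
        content: "{{ lookup('file', item.key) + '\n' }}"
        dest: "{{ item.value }}"
        owner: root
        group: root
        mode: "0600"
      with_dict:
        tests/data/ssh/server_rsa: /etc/ssh/ssh_host_rsa_key
        tests/data/ssh/server_ed25519: /etc/ssh/ssh_host_ed25519_key
        tests/data/ssh/server_ecdsa: /etc/ssh/ssh_host_ecdsa_key
      notify:
        - Restart ssh

    # The image's original .pub files no longer match the private keys
    # deployed above; sshd derives the public half from the private key, so
    # they are simply removed.
    - name: Drop the outdated public keys
      file:
        path: "{{ item }}"
        state: absent
      with_items:
        - /etc/ssh/ssh_host_rsa_key.pub
        - /etc/ssh/ssh_host_ed25519_key.pub
        - /etc/ssh/ssh_host_ecdsa_key.pub

    # internal-sftp is required for the chroot configuration deployed next;
    # the external sftp-server binary is not available inside the chroot.
    - name: Force the use of internal-sftp subsystem for SFTP
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^Subsystem.*sftp"
        line: "Subsystem sftp internal-sftp"
        state: present

    - name: Deploy custom SSH server configuration that chroots users
      copy:
        src: "tests/data/backup_server-sshd-chroot_backup_users.conf"
        dest: "/etc/ssh/sshd_config.d/chroot_backup_users.conf"
        owner: root
        group: root
        mode: "0600"
      notify:
        - Restart ssh

    - name: Set-up backup group that will contain all backup users
      group:
        name: "backup-users"

    # One private group per backup user, used as that user's primary group.
    - name: Set-up backup user groups
      group:
        name: "{{ item.name }}"
      with_items: "{{ backup_users }}"

    - name: Set-up backup users
      user:
        name: "{{ item.name }}"
        group: "{{ item.name }}"
        groups:
          - "backup-users"
      with_items: "{{ backup_users }}"

    # Public keys come from the backup_users vars below (tests/data/ssh
    # fixtures); the matching private keys are used by the client tests.
    - name: Set-up authorised keys
      authorized_key:
        user: "{{ item.name }}"
        key: "{{ item.key }}"
      with_items: "{{ backup_users }}"

    # Redirects the listed ports to sshd on 22, presumably so the client
    # tests can exercise a non-default backup server port. Not idempotent
    # (each run appends another identical rule); acceptable because the
    # prepare stage runs once per instance creation.
    - name: Set-up port forwarding
      command: "iptables -t nat -A PREROUTING -p tcp -m tcp --dport '{{ item }}' -j REDIRECT --to-ports 22"
      changed_when: false
      with_items:
        - 2222
        - 3333

    # sshd's ChrootDirectory must be root-owned and not writable by others,
    # hence the home directories are taken away from the users themselves.
    - name: Change ownership of home directories for SFTP chroot to work
      file:
        path: "/home/{{ item.name }}"
        state: directory
        owner: root
        group: root
        mode: "0755"
      with_items: "{{ backup_users }}"

    # The only writable location inside the chroot: group-writable for
    # backup-users, no access for anyone else.
    - name: Set-up duplicity backup directories
      file:
        path: "~{{ item.name }}/duplicity"
        state: directory
        owner: root
        group: backup-users
        mode: "0770"
      with_items: "{{ backup_users }}"

  handlers:
    - name: Restart ssh
      service:
        name: ssh
        state: restarted

  vars:
    # Test accounts; names match the client-side scenarios that connect to
    # this server, keys are fixtures under tests/data/ssh.
    backup_users:
      - name: bak-param-mandatory-bookworm
        key: "{{ lookup('file', 'tests/data/ssh/parameters-mandatory.pub') }}"
      - name: backupuser
        key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}"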