MAR-218: Fix incorrect logic for switching directory:
- No piping can be used (since that would be a subshell and would not
affect the working directory for the remainder of the script run).
# Tasks for the backup_server role: installs duplicity/duply, provisions one
# system account per backup client under /srv/backups, and runs a dedicated
# OpenSSH instance (ssh-backup) for those clients alongside the regular sshd.
---
# Backup tooling (duply is a front-end wrapping duplicity).
- name: Install backup software
  ansible.builtin.apt:
    state: present
    name:
      - duplicity
      - duply
# Top-level backup store. Mode 0751 lets the per-client accounts traverse into
# their own subdirectory without being able to list other clients' entries.
- name: Create directory for storing backups
  ansible.builtin.file:
    state: directory
    path: "/srv/backups"
    mode: "0751"
    owner: root
    group: root
# One primary group per backup client, named after the client host with dots
# replaced by underscores and a "bak-" prefix. The gid mirrors the optional
# uid so uid and gid stay aligned for each client account.
- name: Create backup client groups
  ansible.builtin.group:
    system: true
    name: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    gid: "{{ item.uid | default(omit) }}"
  with_items: "{{ backup_clients }}"
# One system account per backup client. Membership in the "backup" group is
# what the DenyGroups rule for the regular sshd keys on further below.
- name: Create backup client users
  ansible.builtin.user:
    state: present
    system: true
    name: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    uid: "{{ item.uid | default(omit) }}"
    group: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    groups: "backup"
    home: "/srv/backups/{{ item.server }}"
    # The home directory is provisioned explicitly (root-owned) by a later task.
    create_home: false
  with_items: "{{ backup_clients }}"
# Home directories are root-owned and readable only via the client's group:
# the account can read its own home (authorized_keys lives under it) but
# cannot write to it.
- name: Create home directories for backup client users
  ansible.builtin.file:
    state: directory
    path: "/srv/backups/{{ item.server }}"
    mode: "0750"
    owner: root
    group: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
  with_items: "{{ backup_clients }}"
# The only client-writable location in this layout; presumably where the
# client's duplicity runs store their volumes (see the duply/duplicity config).
- name: Create duplicity directories for backup client users
  ansible.builtin.file:
    state: directory
    path: "/srv/backups/{{ item.server }}/duplicity"
    mode: "0770"
    owner: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    group: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
  with_items: "{{ backup_clients }}"
# .ssh is root-owned so the client account cannot add keys for itself;
# 0751 still lets the account traverse into it.
- name: Create SSH directory for backup client users
  ansible.builtin.file:
    state: directory
    path: "/srv/backups/{{ item.server }}/.ssh"
    mode: "0751"
    owner: root
    group: root
  with_items: "{{ backup_clients }}"
# Installs item.public_key into the client's authorized_keys. manage_dir is
# off because the .ssh directory is created root-owned by the task above and
# must not be chowned to the client account.
# NOTE(review): the key is installed without key_options (restrict, command=,
# ...); confirm an unrestricted key is what the backup clients need.
- name: Populate authorized keys for backup client users
  ansible.posix.authorized_key:
    state: present
    manage_dir: false
    user: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    key: "{{ item.public_key }}"
  with_items: "{{ backup_clients }}"
# authorized_keys stays root-owned and group-readable, so the client account
# cannot add or replace its own keys.
- name: Set-up authorized_keys file permissions for backup client users
  ansible.builtin.file:
    state: file
    path: "/srv/backups/{{ item.server }}/.ssh/authorized_keys"
    mode: "0640"
    owner: root
    group: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
  with_items: "{{ backup_clients }}"
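# Backup accounts are meant to reach the host only through the dedicated
# ssh-backup instance, so the regular sshd rejects the whole "backup" group.
- name: Deny the backup group login via regular SSH
  ansible.builtin.lineinfile:
    path: "/etc/ssh/sshd_config"
    state: present
    line: "DenyGroups backup"
    # Keep the directive in the global section: a line appended after a
    # trailing "Match" block would only apply inside that block. When no
    # Match block exists the line is appended at end of file, as before.
    insertbefore: '^Match\b'
    firstmatch: true
    # Refuse to write a config the daemon cannot parse (avoids locking
    # ourselves out of the host on the handler restart).
    validate: "/usr/sbin/sshd -t -f %s"
  notify:
    - Restart SSH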
# Configuration root for the dedicated instance. Root-only (0700) because the
# instance's host private keys are deployed into it.
- name: Set-up directory for the backup OpenSSH server instance
  ansible.builtin.file:
    state: directory
    path: "/etc/ssh-backup/"
    mode: "0700"
    owner: root
    group: root
# Defaults file for the ssh-backup service (presumably sourced by the unit;
# see ssh-backup.service). World-readable, so it must not carry secrets.
- name: Deploy configuration file for the backup OpenSSH server instance service
  ansible.builtin.copy:
    src: "ssh-backup.default"
    dest: "/etc/default/ssh-backup"
    mode: "0644"
    owner: root
    group: root
  notify:
    - Restart backup SSH server
# sshd_config for the dedicated instance, kept root-only like its directory.
- name: Deploy configuration file for the backup OpenSSH server instance
  ansible.builtin.copy:
    src: "backup-sshd_config"
    dest: "/etc/ssh-backup/sshd_config"
    mode: "0600"
    owner: root
    group: root
  notify:
    - Restart backup SSH server
# Host private keys for the dedicated instance, one file per entry of the
# backup_host_ssh_private_keys dict (keyed by key type; the value is rendered
# through ssh_host_key.j2). no_log keeps the key material out of play output
# and logs.
- name: Deploy the private keys for backup OpenSSH server instance
  ansible.builtin.template:
    src: "ssh_host_key.j2"
    dest: "/etc/ssh-backup/ssh_host_{{ item.key }}_key"
    mode: "0600"
    owner: root
    group: root
  with_dict: "{{ backup_host_ssh_private_keys }}"
  no_log: true
  notify:
    - Restart backup SSH server
# systemd unit for the dedicated instance; systemd must be reloaded before the
# (re)start so the new unit definition is picked up.
- name: Deploy backup OpenSSH server systemd service file
  ansible.builtin.copy:
    src: "ssh-backup.service"
    dest: "/etc/systemd/system/ssh-backup.service"
    mode: "0644"
    owner: root
    group: root
  notify:
    - Reload systemd
    - Restart backup SSH server
# Bring the dedicated instance up now and at boot.
- name: Start and enable OpenSSH backup service
  ansible.builtin.service:
    enabled: true
    state: started
    name: "ssh-backup"
# ferm fragment for the backup server (content in ferm_backup.conf.j2).
- name: Deploy firewall configuration for backup server
  ansible.builtin.template:
    src: "ferm_backup.conf.j2"
    dest: "/etc/ferm/conf.d/40-backup.conf"
    mode: "0640"
    owner: root
    group: root
  notify:
    - Restart ferm
# Opt-in: when run_handlers is truthy, the handler file is imported as plain
# tasks so every handler of this role runs regardless of notifications.
- name: Explicitly run all handlers
  ansible.builtin.import_tasks: ../handlers/main.yml
  tags:
    - handlers
  when: "run_handlers | default(False) | bool()"