Files @ c8d4251a6ea5
Branch filter:

Location: majic-ansible-roles/roles/backup_server/tasks/main.yml - annotation

branko
MAR-131: Added support for specifying Python version in wsgi_website role:

- Introduced additional role parameter for specifying the Python
version.
- Updated tests to verify new functionality.
- Fixed existing tests to account for differences between Python 2 and
Python 3 - including changes to WSGI test applications.
- Updated documentation, documenting new parameter and fixing one
minor typo.
- Updated release notes.
- Bumped default version of Gunicorn/futures used.
500658358454
500658358454
500658358454
3dca599dbdc9
3dca599dbdc9
57b1e111d650
500658358454
500658358454
500658358454
500658358454
500658358454
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
500658358454
500658358454
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
55d6b2e2f4f3
922cda0a1834
500658358454
500658358454
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
55d6b2e2f4f3
55d6b2e2f4f3
3dca599dbdc9
3dca599dbdc9
922cda0a1834
500658358454
500658358454
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
922cda0a1834
500658358454
500658358454
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
922cda0a1834
500658358454
500658358454
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
922cda0a1834
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
500658358454
500658358454
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
55d6b2e2f4f3
3dca599dbdc9
922cda0a1834
500658358454
500658358454
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
922cda0a1834
500658358454
500658358454
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
500658358454
500658358454
500658358454
500658358454
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
500658358454
500658358454
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
500658358454
500658358454
500658358454
500658358454
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
500658358454
500658358454
500658358454
500658358454
989f5c583406
989f5c583406
989f5c583406
989f5c583406
989f5c583406
989f5c583406
922cda0a1834
500658358454
500658358454
55d6b2e2f4f3
500658358454
500658358454
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
500658358454
500658358454
500658358454
500658358454
500658358454
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
55d6b2e2f4f3
500658358454
500658358454
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
3dca599dbdc9
500658358454
500658358454
7387caca37f3
7387caca37f3
7387caca37f3
7387caca37f3
7387caca37f3
989f5c583406
---

- name: Install backup software
  apt:
    name: "{{ item }}"
    state: present
  with_items:
    - duplicity
    - duply

- name: Create directory for storing backups
  file:
    path: "/srv/backups"
    state: directory
    owner: root
    group: root
    mode: 0751
  tags:
    # [ANSIBLE0009] Octal file permissions must contain leading zero
    #   Misleading message, linting is complaining here actually because of the
    #   executable bit without read/write for others (e.g. the "1" in "0751").
    - skip_ansible_lint

- name: Create backup client groups
  group:
    name: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    gid: "{{ item.uid | default(omit) }}"
    system: true
  with_items: "{{ backup_clients }}"

- name: Create backup client users
  user:
    name: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    group: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    groups: "backup"
    uid: "{{ item.uid | default(omit) }}"
    system: true
    createhome: false
    state: present
    home: "/srv/backups/{{ item.server }}"
  with_items: "{{ backup_clients }}"

- name: Create home directories for backup client users
  file:
    path: "/srv/backups/{{ item.server }}"
    state: directory
    owner: root
    group: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    mode: 0750
  with_items: "{{ backup_clients }}"

- name: Create duplicity directories for backup client users
  file:
    path: "/srv/backups/{{ item.server }}/duplicity"
    state: directory
    owner: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    group: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    mode: 0770
  with_items: "{{ backup_clients }}"

- name: Create SSH directory for backup client users
  file:
    path: "/srv/backups/{{ item.server }}/.ssh"
    state: directory
    owner: root
    group: root
    mode: 0751
  with_items: "{{ backup_clients }}"
  tags:
    # [ANSIBLE0009] Octal file permissions must contain leading zero
    #   Misleading message, linting is complaining here actually because of the
    #   executable bit without read/write for others (e.g. the "1" in "0751").
    - skip_ansible_lint

- name: Populate authorized keys for backup client users
  authorized_key:
    user: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    key: "{{ item.public_key }}"
    manage_dir: false
    state: present
  with_items: "{{ backup_clients }}"

- name: Set-up authorized_keys file permissions for backup client users
  file:
    path: "/srv/backups/{{ item.server }}/.ssh/authorized_keys"
    state: file
    owner: root
    group: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    mode: 0640
  with_items: "{{ backup_clients }}"

- name: Deny the backup group login via regular SSH
  lineinfile:
    dest: "/etc/ssh/sshd_config"
    state: present
    line: "DenyGroups backup"
  notify:
    - Restart SSH

- name: Set-up directory for the backup OpenSSH server instance
  file:
    path: "/etc/ssh-backup/"
    state: directory
    owner: root
    group: root
    mode: 0700

- name: Deploy configuration file for the backup OpenSSH server instance service
  copy:
    src: "ssh-backup.default"
    dest: "/etc/default/ssh-backup"
    owner: root
    group: root
    mode: 0644
  notify:
    - Restart backup SSH server

- name: Deploy configuration file for the backup OpenSSH server instance
  copy:
    src: "backup-sshd_config"
    dest: "/etc/ssh-backup/sshd_config"
    owner: root
    group: root
    mode: 0600
  notify:
    - Restart backup SSH server

- name: Deploy the private keys for backup OpenSSH server instance
  template:
    src: "ssh_host_key.j2"
    dest: "/etc/ssh-backup/ssh_host_{{ item.key }}_key"
    owner: root
    group: root
    mode: 0600
  with_dict: "{{ backup_host_ssh_private_keys }}"
  notify:
    - Restart backup SSH server
  no_log: true

- name: Deploy backup OpenSSH server systemd service file
  copy:
    src: "ssh-backup.service"
    dest: "/etc/systemd/system/ssh-backup.service"
    owner: root
    group: root
    mode: 0644
  notify:
    - Reload systemd
    - Restart backup SSH server

- name: Start and enable OpenSSH backup service
  service:
    name: "ssh-backup"
    state: started
    enabled: true

- name: Deploy firewall configuration for backup server
  template:
    src: "ferm_backup.conf.j2"
    dest: "/etc/ferm/conf.d/40-backup.conf"
    owner: root
    group: root
    mode: 0640
  notify:
    - Restart ferm

- name: Explicitly run all handlers
  include: ../handlers/main.yml
  when: "handlers | default(False) | bool() == True"
  tags:
    - handlers