Location: majic-ansible-roles/roles/backup_server/tasks/main.yml - annotation
ea69b2719d8e
3.9 KiB
text/x-yaml
MAR-22: Implemented tests for the common role:
- Added missing documentation for pipreqcheck_uid and pipreqcheck_gid
parameters.
- Use static-hashed passwords for reproducibility during testing in test
playbook.
- Install Emacs and libmariadb-client-lgpl-dev-compat via test playbook on one
of the testing instances in order to test related tasks.
- Fixed parameter for connection limiting in test playbook.
- Added explicit parameters to test playbook for pipreqcheck_gid and
pipreqcheck_uid.
- Fixed deployment of ferm configuration file to include setting user/group and
mode.
- Added tests covering common deployment, deployment when only mandatory
parameters are provided, and deployment when optional parameters are set as
well.
---
# Tasks for the backup_server role.

# duplicity and duply come from whatever apt sources the host has configured;
# no version is pinned here.
- name: Install backup software
  apt:
    name: "{{ item }}"
    state: installed
  with_items:
    - duplicity
    - duply
# Root of all per-client backup storage. The mode is kept as a quoted string so
# it is interpreted as octal. With 751, "other" accounts can traverse the
# directory to reach their own subdirectory but cannot list its entries.
- name: Create directory for storing backups
  file:
    path: "/srv/backups"
    state: directory
    owner: "root"
    group: "root"
    mode: "751"
# One system group per client, named "bak-" followed by the server name with
# dots replaced by underscores. The gid reuses the client's uid entry when one
# is given; otherwise the parameter is omitted and the system assigns one.
- name: Create backup client groups
  group:
    name: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    gid: "{{ item.uid | default(omit) }}"
    system: true
  with_items: "{{ backup_clients }}"
# One system account per client, with the per-client group as primary group and
# "backup" as supplementary group. The "backup" membership is what the
# DenyGroups task further down matches on. No home directory is created here;
# a later task creates it with root ownership.
# NOTE(review): item.server is interpolated into the home path unchanged.
# Presumably backup_clients comes from trusted inventory, but a value holding
# "/" or ".." would resolve outside /srv/backups - consider asserting on it.
- name: Create backup client users
  user:
    name: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    group: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    groups: "backup"
    uid: "{{ item.uid | default(omit) }}"
    system: true
    createhome: false
    state: present
    home: "/srv/backups/{{ item.server }}"
  with_items: "{{ backup_clients }}"
# The home directory belongs to root, with the client's own group given
# read/traverse access (750). The client can enter and list it but cannot
# create or delete entries directly inside it.
# NOTE(review): root ownership presumably also serves a chroot in the backup
# sshd configuration, which is not visible in this file - confirm.
- name: Create home directories for backup client users
  file:
    path: "/srv/backups/{{ item.server }}"
    state: directory
    owner: "root"
    group: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    mode: "750"
  with_items: "{{ backup_clients }}"
# Of the paths this file creates under a client's home, this is the only one
# owned by the client account itself, so it is where the client can write.
# Mode 770 gives "other" accounts no access at all.
- name: Create duplicity directories for backup client users
  file:
    path: "/srv/backups/{{ item.server }}/duplicity"
    state: directory
    owner: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    group: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    mode: "770"
  with_items: "{{ backup_clients }}"
# .ssh is owned by root:root with mode 751. The client account falls under
# "other": it can traverse the directory to read authorized_keys but cannot
# list it or add, replace or remove files in it.
- name: Create SSH directory for backup client users
  file:
    path: "/srv/backups/{{ item.server }}/.ssh"
    state: directory
    owner: "root"
    group: "root"
    mode: "751"
  with_items: "{{ backup_clients }}"
# Adds each client's public key to its account. manage_dir is off so the module
# does not touch the ownership or mode of the .ssh directory created above.
# NOTE(review): "exclusive" is not set, so a key that is later rotated or
# removed in backup_clients stays in authorized_keys until cleaned up by hand.
# NOTE(review): no key_options are applied. Any restriction on what a client
# key may do has to come from the backup sshd configuration, which is not
# visible in this file - confirm.
- name: Populate authorized keys for backup client users
  authorized_key:
    user: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    key: "{{ item.public_key }}"
    manage_dir: false
    state: "present"
  with_items: "{{ backup_clients }}"
# Hands authorized_keys to root, with the client's group allowed to read it
# (640). The client account can be authenticated against the file but cannot
# edit its own list of accepted keys.
- name: Set-up authorized_keys file permissions for backup client users
  file:
    path: "/srv/backups/{{ item.server }}/.ssh/authorized_keys"
    state: file
    owner: "root"
    group: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    mode: "640"
  with_items: "{{ backup_clients }}"
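# Keeps members of the "backup" group (every backup client account created
# above) off the regular SSH daemon, leaving the dedicated backup sshd instance
# as their way in.
# The candidate file is checked with "sshd -t" before it replaces the live
# configuration, so a malformed sshd_config cannot be installed and lock out
# administrators on the next restart.
# NOTE(review): lineinfile appends the line at end of file when it is missing.
# If sshd_config ends with a Match block, the directive would apply only inside
# that block - verify on target hosts or anchor it with insertbefore.
- name: Deny the backup group login via regular SSH
  lineinfile:
    dest: "/etc/ssh/sshd_config"
    state: present
    line: "DenyGroups backup"
    validate: "/usr/sbin/sshd -t -f %s"
  notify:
    - Restart SSH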
# Configuration directory of the separate backup sshd instance. It will hold
# the host private keys, so only root gets access (700).
- name: Set-up directory for the backup OpenSSH server instance
  file:
    path: "/etc/ssh-backup/"
    state: directory
    owner: "root"
    group: "root"
    mode: "700"
# Defaults file for the backup sshd service, copied from the role's files.
# A change triggers a restart of the backup SSH server.
- name: Deploy configuration file for the backup OpenSSH server instance service
  copy:
    src: "ssh-backup.default"
    dest: "/etc/default/ssh-backup"
    owner: "root"
    group: "root"
    mode: "644"
  notify:
    - Restart backup SSH server
# sshd_config for the backup instance, readable by root only (600). The file's
# content (backup-sshd_config) is not part of this listing. Whatever limits
# apply to client sessions are defined there, not in these tasks.
- name: Deploy configuration file for the backup OpenSSH server instance
  copy:
    src: "backup-sshd_config"
    dest: "/etc/ssh-backup/sshd_config"
    owner: "root"
    group: "root"
    mode: "600"
  notify:
    - Restart backup SSH server
# Writes one host private key per entry of backup_host_ssh_private_keys
# (key type -> key material) as ssh_host_<type>_key, root-only (600).
# no_log keeps the key material out of task output and logs.
# NOTE(review): the variable holds private keys in plain form at play time.
# Presumably it is stored encrypted at rest (e.g. Ansible Vault) - confirm.
- name: Deploy the private keys for backup OpenSSH server instance
  copy:
    content: "{{ item.value }}"
    dest: "/etc/ssh-backup/ssh_host_{{ item.key }}_key"
    owner: "root"
    group: "root"
    mode: "600"
  with_dict: "{{ backup_host_ssh_private_keys }}"
  no_log: true
  notify:
    - Restart backup SSH server
# systemd unit for the backup sshd instance. A change notifies both the systemd
# reload handler and the backup SSH server restart handler.
- name: Deploy backup OpenSSH server systemd service file
  copy:
    src: "ssh-backup.service"
    dest: "/etc/systemd/system/ssh-backup.service"
    owner: root
    group: root
    mode: "644"
  notify:
    - Reload systemd
    - Restart backup SSH server
# Makes sure the backup sshd instance is running now and enabled for boot.
- name: Start and enable OpenSSH backup service
  service:
    name: "ssh-backup"
    state: "started"
    enabled: true
# Renders the ferm rules for the backup server into conf.d with explicit owner,
# group and mode (640), then restarts ferm so the rules take effect.
- name: Deploy firewall configuration for backup server
  template:
    src: "ferm_backup.conf.j2"
    dest: "/etc/ferm/conf.d/40-backup.conf"
    owner: root
    group: root
    mode: "640"
  notify:
    - Restart ferm
# Pulls the role's handlers file in as ordinary tasks when the "handlers"
# variable is set to a true value. The task is tagged "handlers" so it can be
# selected on its own. With the variable unset, the default(False) makes the
# condition false and nothing is included.
# NOTE(review): newer Ansible releases replace "include" with include_tasks /
# import_tasks. Check against the Ansible version this role targets.
- name: Explicitly run all handlers
  include: ../handlers/main.yml
  when: "handlers | default(False) | bool() == True"
  tags:
    - handlers