diff --git a/docs/rolereference.rst b/docs/rolereference.rst index 0e952823ddf11617a44788b85b8c0704bf380039..683562168d954fc79629e590c35b0f9a9ae1a604 100644 --- a/docs/rolereference.rst +++ b/docs/rolereference.rst @@ -2299,7 +2299,6 @@ Distribution compatibility Role is compatible with the following distributions: -- Debian 8 (Jessie) - Debian 9 (Stretch) diff --git a/roles/backup_client/defaults/main.yml b/roles/backup_client/defaults/main.yml index 0c480990eab5f7ca2d1fe2b60f88fbc49817d747..350a361d734f23639f116d51064070e3d7cf0ff9 100644 --- a/roles/backup_client/defaults/main.yml +++ b/roles/backup_client/defaults/main.yml @@ -4,20 +4,3 @@ backup_additional_encryption_keys: [] backup_client_username: "bak-{{ ansible_fqdn | replace('.', '_') }}" backup_server_destination: /duplicity backup_server_port: 2222 - -# Internal parameters. - -# GnuPG 2 binary in Debian Jessie and Debian Stretch is different. Additionally, -# Debian Jessie duply configuration expects short keys, while Debian Stretch -# expects long keys. We set-up parameters for this here in a bit of a workaround -# way instead of setting facts within the playbook. -backup_client_gnupg_details: - jessie: - binary: gpg2 - cutoff: '8' - stretch: - binary: gpg - cutoff: '0' - -gnupg_binary: "{{ backup_client_gnupg_details[ansible_distribution_release]['binary'] }}" -gnupg_key_cutoff: "{{ backup_client_gnupg_details[ansible_distribution_release]['cutoff'] }}" diff --git a/roles/backup_client/handlers/main.yml b/roles/backup_client/handlers/main.yml index c9ed4bfd30385d53c5b2f82826970dcf7694a9ec..94b2a14452c82e26591dae129aaaeec9c1255582 100644 --- a/roles/backup_client/handlers/main.yml +++ b/roles/backup_client/handlers/main.yml 
@@ -23,7 +23,7 @@ mode: 0700 - name: Import private keys - command: "{{ gnupg_binary }} --no-tty --homedir /etc/duply/main/gnupg --import /etc/duply/main/private_keys.asc" + command: "gpg --no-tty --homedir /etc/duply/main/gnupg --import /etc/duply/main/private_keys.asc" tags: # [ANSIBLE0012] Commands should not change things if nothing needs doing # This task is invoked only if user is very specific about requiring to @@ -32,5 +32,5 @@ - skip_ansible_lint - name: Import public keys - command: "{{ gnupg_binary }} --no-tty --homedir /etc/duply/main/gnupg --import /etc/duply/main/public_keys.asc" + command: "gpg --no-tty --homedir /etc/duply/main/gnupg --import /etc/duply/main/public_keys.asc" when: backup_additional_encryption_keys | length > 0 diff --git a/roles/backup_client/molecule/default/molecule.yml b/roles/backup_client/molecule/default/molecule.yml index 8d8fba9e573f887732f4ab44cc6822060b36378f..8a2fbc34ba3f8c7963b662dd5f859ce5de90eb72 100644 --- a/roles/backup_client/molecule/default/molecule.yml +++ b/roles/backup_client/molecule/default/molecule.yml @@ -18,7 +18,7 @@ lint: # stupid legacy design decisions! platforms: - name: backup-server - box: debian/contrib-jessie64 + box: debian/contrib-stretch64 memory: 512 cpus: 1 interfaces: @@ -27,30 +27,6 @@ platforms: network_name: private_network type: static - - name: parameters-mandatory-j64 - groups: - - parameters-mandatory - box: debian/contrib-jessie64 - memory: 256 - cpus: 1 - interfaces: - - auto_config: true - ip: 10.31.127.20 - network_name: private_network - type: static - - - name: parameters-optional-j64 - groups: - - parameters-optional - box: debian/contrib-jessie64 - memory: 256 - cpus: 1 - interfaces: - - auto_config: true - ip: 10.31.127.21 - network_name: private_network - type: static - - name: parameters-mandatory-s64 groups: - parameters-mandatory 
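Review bot: In roles/backup_client/handlers/main.yml the `Import private keys` handler now calls a bare `gpg` with `--no-tty` but without `--batch`. On GnuPG 2.1 an import of a passphrase-protected secret key may try to reach a pinentry through the agent, which would stall or fail an unattended run. Adding `--batch` makes the non-interactive intent explicit: `command: "gpg --batch --no-tty --homedir /etc/duply/main/gnupg --import /etc/duply/main/private_keys.asc"`. The `Import public keys` handler in the following hunk would take the same flag for consistency. Both task definitions extend beyond the visible hunk lines.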
diff --git a/roles/backup_client/molecule/default/tests/test_parameters_mandatory.py b/roles/backup_client/molecule/default/tests/test_parameters_mandatory.py index 805a5800f5d855b6b4a0c2ed5946088f671934e7..5f0c0d804629d65f74ea594703df034c816763bd 100644 --- a/roles/backup_client/molecule/default/tests/test_parameters_mandatory.py +++ b/roles/backup_client/molecule/default/tests/test_parameters_mandatory.py 
@@ -64,25 +64,13 @@ def test_duply_configuration_content(host): with host.sudo(): - ansible_facts = host.ansible("setup")["ansible_facts"] - duply_configuration = host.file('/etc/duply/main/conf') - if ansible_facts['ansible_distribution_release'] == 'jessie': - assert "GPG_KEYS_ENC='1A129C54'" in duply_configuration.content - assert "GPG_KEY_SIGN='1A129C54'" in duply_configuration.content - assert "TARGET='sftp://bak-parameters-mandatory-j64@10.31.127.10:2222//duplicity'" in duply_configuration.content - assert "DUPL_PARAMS=\"$DUPL_PARAMS --ssh-backend pexpect --ssh-options='-oLogLevel=ERROR -oUserKnownHostsFile=/dev/null " \ - "-oGlobalKnownHostsFile=/etc/duply/main/ssh/known_hosts -oIdentityFile=/etc/duply/main/ssh/identity'\"" in duply_configuration.content - - elif ansible_facts['ansible_distribution_release'] == 'stretch': - assert "GPG_KEYS_ENC='59C26F031A129C54'" in duply_configuration.content - assert "GPG_KEY_SIGN='59C26F031A129C54'" in duply_configuration.content - assert "TARGET='pexpect+sftp://bak-parameters-mandatory-s64@10.31.127.10:2222//duplicity'" in duply_configuration.content - assert "DUPL_PARAMS=\"$DUPL_PARAMS --ssh-options='-oLogLevel=ERROR -oUserKnownHostsFile=/dev/null " \ - "-oGlobalKnownHostsFile=/etc/duply/main/ssh/known_hosts -oIdentityFile=/etc/duply/main/ssh/identity'\"" in duply_configuration.content - else: - raise Exception("Failed to execute content check for: %s" % ansible_facts['ansible_distribution_release']) + assert "GPG_KEYS_ENC='59C26F031A129C54'" in duply_configuration.content + assert "GPG_KEY_SIGN='59C26F031A129C54'" in duply_configuration.content + assert "TARGET='pexpect+sftp://bak-parameters-mandatory-s64@10.31.127.10:2222//duplicity'" in duply_configuration.content + assert "DUPL_PARAMS=\"$DUPL_PARAMS --ssh-options='-oLogLevel=ERROR -oUserKnownHostsFile=/dev/null " \ + "-oGlobalKnownHostsFile=/etc/duply/main/ssh/known_hosts -oIdentityFile=/etc/duply/main/ssh/identity'\"" in duply_configuration.content def 
test_duply_gnupg_keyring_private_keys(host): @@ -92,18 +80,7 @@ def test_duply_gnupg_keyring_private_keys(host): """ with host.sudo(): - ansible_facts = host.ansible("setup")["ansible_facts"] - - if ansible_facts['ansible_distribution_release'] == 'jessie': - gpg_binary = 'gpg2' - key_offset = 8 - elif ansible_facts['ansible_distribution_release'] == 'stretch': - gpg_binary = 'gpg' - key_offset = 8 - else: - raise Exception("Failed to execute check for distribution release: %s" % ansible_facts['ansible_distribution_release']) - - private_key_listing = host.run('%s --homedir /etc/duply/main/gnupg --list-public-keys' % gpg_binary) + private_key_listing = host.run('gpg --homedir /etc/duply/main/gnupg --list-public-keys') assert private_key_listing.rc == 0 - assert '59C26F031A129C54'[key_offset:] in private_key_listing.stdout + assert '59C26F031A129C54' in private_key_listing.stdout diff --git a/roles/backup_client/molecule/default/tests/test_parameters_optional.py b/roles/backup_client/molecule/default/tests/test_parameters_optional.py index b9ec176e5e78bff814796eabaaccdb68983c6203..ff1f54f7418d5faa66a02eb48894ff5a0c59965e 100644 --- a/roles/backup_client/molecule/default/tests/test_parameters_optional.py +++ b/roles/backup_client/molecule/default/tests/test_parameters_optional.py 
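Review bot: `test_duply_gnupg_keyring_private_keys` in test_parameters_mandatory.py still inspects the public keyring, because the new line runs `gpg --homedir /etc/duply/main/gnupg --list-public-keys`. The assertion on `59C26F031A129C54` therefore passes as soon as the public half is present and never shows that the secret key needed for signing and restore was imported. The check presumably should be `private_key_listing = host.run('gpg --homedir /etc/duply/main/gnupg --list-secret-keys')`. The test of the same name in test_parameters_optional.py (key `C4B2AE9F7A4F400A`) has the same issue. The function's docstring and signature sit outside this hunk.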
@@ -63,24 +63,13 @@ def test_duply_configuration_content(host): with host.sudo(): - ansible_facts = host.ansible("setup")["ansible_facts"] - duply_configuration = host.file('/etc/duply/main/conf') - if ansible_facts['ansible_distribution_release'] == 'jessie': - assert "TARGET='sftp://backupuser@10.31.127.10:3333//duplicity/parameters-optional-j64'" in duply_configuration.content - assert "DUPL_PARAMS=\"$DUPL_PARAMS --ssh-backend pexpect --ssh-options='-oLogLevel=ERROR -oUserKnownHostsFile=/dev/null " \ - "-oGlobalKnownHostsFile=/etc/duply/main/ssh/known_hosts -oIdentityFile=/etc/duply/main/ssh/identity'\"" in duply_configuration.content - assert "GPG_KEYS_ENC='7A4F400A,C3A9444B,28063B3F,71223B72'" in duply_configuration.content - assert "GPG_KEY_SIGN='7A4F400A'" in duply_configuration.content - elif ansible_facts['ansible_distribution_release'] == 'stretch': - assert "GPG_KEYS_ENC='C4B2AE9F7A4F400A,3093C91BC3A9444B,86816FD928063B3F,8A14CD6C71223B72'" in duply_configuration.content - assert "GPG_KEY_SIGN='C4B2AE9F7A4F400A'" in duply_configuration.content - assert "TARGET='pexpect+sftp://backupuser@10.31.127.10:3333//duplicity/parameters-optional-s64'" in duply_configuration.content - assert "DUPL_PARAMS=\"$DUPL_PARAMS --ssh-options='-oLogLevel=ERROR -oUserKnownHostsFile=/dev/null " \ - "-oGlobalKnownHostsFile=/etc/duply/main/ssh/known_hosts -oIdentityFile=/etc/duply/main/ssh/identity'\"" in duply_configuration.content - else: - raise Exception("Failed to execute check for distribution release: %s" % ansible_facts['ansible_distribution_release']) + assert "GPG_KEYS_ENC='C4B2AE9F7A4F400A,3093C91BC3A9444B,86816FD928063B3F,8A14CD6C71223B72'" in duply_configuration.content + assert "GPG_KEY_SIGN='C4B2AE9F7A4F400A'" in duply_configuration.content + assert "TARGET='pexpect+sftp://backupuser@10.31.127.10:3333//duplicity/parameters-optional-s64'" in duply_configuration.content + assert "DUPL_PARAMS=\"$DUPL_PARAMS --ssh-options='-oLogLevel=ERROR 
-oUserKnownHostsFile=/dev/null " \ + "-oGlobalKnownHostsFile=/etc/duply/main/ssh/known_hosts -oIdentityFile=/etc/duply/main/ssh/identity'\"" in duply_configuration.content def test_duply_gnupg_keyring_private_keys(host): @@ -90,21 +79,11 @@ def test_duply_gnupg_keyring_private_keys(host): """ with host.sudo(): - ansible_facts = host.ansible("setup")["ansible_facts"] - - if ansible_facts['ansible_distribution_release'] == 'jessie': - gpg_binary = 'gpg2' - key_offset = 8 - elif ansible_facts['ansible_distribution_release'] == 'stretch': - gpg_binary = 'gpg' - key_offset = 8 - else: - raise Exception("Failed to execute check for distribution release: %s" % ansible_facts['ansible_distribution_release']) - private_key_listing = host.run('%s --homedir /etc/duply/main/gnupg --list-public-keys' % gpg_binary) + private_key_listing = host.run('gpg --homedir /etc/duply/main/gnupg --list-public-keys') assert private_key_listing.rc == 0 - assert 'C4B2AE9F7A4F400A'[key_offset:] in private_key_listing.stdout + assert 'C4B2AE9F7A4F400A' in private_key_listing.stdout def test_duply_gnupg_keyring_public_keys(host): 
@@ -114,22 +93,11 @@ def test_duply_gnupg_keyring_public_keys(host): """ with host.sudo(): - ansible_facts = host.ansible("setup")["ansible_facts"] - - if ansible_facts['ansible_distribution_release'] == 'jessie': - gpg_binary = 'gpg2' - key_offset = 8 - elif ansible_facts['ansible_distribution_release'] == 'stretch': - gpg_binary = 'gpg' - key_offset = 8 - else: - raise Exception("Failed to execute check for distribution release: %s" % ansible_facts['ansible_distribution_release']) - - public_key_listing = host.run('%s --homedir /etc/duply/main/gnupg --list-public-keys' % gpg_binary) + public_key_listing = host.run('gpg --homedir /etc/duply/main/gnupg --list-public-keys') keys = ['3093C91BC3A9444B', '86816FD928063B3F', '8A14CD6C71223B72'] assert public_key_listing.rc == 0 for key in keys: - assert key[key_offset:] in public_key_listing.stdout + assert key in public_key_listing.stdout diff --git a/roles/backup_client/tasks/main.yml b/roles/backup_client/tasks/main.yml index d9162e178a50a8fceaf05f3d828e71304c7625f4..65ac161dfefcd6d0d8870fc9ca6e65961ce691e3 100644 --- a/roles/backup_client/tasks/main.yml +++ b/roles/backup_client/tasks/main.yml @@ -55,8 +55,8 @@ - Import public keys - name: Extract encryption key identifier (Duplicty requires key ID in hexadecimal format) - shell: "set -o pipefail && {{ gnupg_binary }} --no-tty --list-packets /etc/duply/main/private_keys.asc | grep keyid: | - head -n1 | sed -e 's/.*: //' | sed -re 's/^.{{ '{' + gnupg_key_cutoff + '}' }}//'" + shell: "set -o pipefail && gpg --no-tty --list-packets /etc/duply/main/private_keys.asc | grep keyid: | + head -n1 | sed -e 's/.*: //'" args: executable: /bin/bash register: backup_encryption_key_id 
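Review bot: In roles/backup_client/tasks/main.yml the key ID is scraped from `gpg --list-packets`, which the GnuPG manual describes as debugging output whose format may change between releases. With the `sed -re` cutoff removed, whatever follows `keyid: ` is now used verbatim, and the template shows it going into `GPG_KEY_SIGN='{{ backup_encryption_key_id.stdout }}'`. The only guard visible is `failed_when: not backup_encryption_key_id.stdout` (context of the next hunk), which accepts any non-empty string. Consider checking the shape instead, e.g. `failed_when: backup_encryption_key_id.stdout is not match('^[0-9A-Fa-f]{16}$')`, with an equivalent check on the comma-separated list built by the additional-keys task in the second hunk. Reading the IDs from `--with-colons` output would be a more stable source than `--list-packets`.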
@@ -64,8 +64,8 @@ failed_when: not backup_encryption_key_id.stdout - name: Extract additional encryption keys identifiers (Duplicty requires key ID in hexadecimal format) - shell: "set -o pipefail && {{ gnupg_binary }} --no-tty --list-packets /etc/duply/main/public_keys.asc | grep keyid: | - sed -e 's/.*: //' | sort -u | sed -re 's/^.{{ '{' + gnupg_key_cutoff + '}' }}//' | tr '\n' ',' | sed -e 's/,$//'" + shell: "set -o pipefail && gpg --no-tty --list-packets /etc/duply/main/public_keys.asc | grep keyid: | + sed -e 's/.*: //' | sort -u | tr '\n' ',' | sed -e 's/,$//'" args: executable: /bin/bash when: backup_additional_encryption_keys | length > 0 diff --git a/roles/backup_client/templates/duply_main_conf.j2 b/roles/backup_client/templates/duply_main_conf.j2 index ccd7f5d79829c425fff9b32d4735d851263511c5..b2ff4393f658c7a3f8965c28eb4c80a4c3cfd2ab 100644 --- a/roles/backup_client/templates/duply_main_conf.j2 +++ b/roles/backup_client/templates/duply_main_conf.j2 @@ -9,11 +9,7 @@ GPG_KEY_SIGN='{{ backup_encryption_key_id.stdout }}' GPG_OPTS="--homedir /etc/duply/main/gnupg/ --trust-model always" # Destination where the backups are stored at. -{% if ansible_distribution == 'Debian' and ansible_distribution_release == 'stretch' %} TARGET='pexpect+sftp://{{ backup_client_username }}@{{ backup_server }}:{{ backup_server_port }}/{{ backup_server_destination }}' -{% else %} -TARGET='sftp://{{ backup_client_username }}@{{ backup_server }}:{{ backup_server_port }}/{{ backup_server_destination }}' -{% endif %} # Base directory to backup (root). File selection is done via include/exclude # patterns. 
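Review bot: With the `{% if ansible_distribution == 'Debian' and ansible_distribution_release == 'stretch' %}` guards removed from roles/backup_client/templates/duply_main_conf.j2, every host now gets `TARGET='pexpect+sftp://…'` and, in the second hunk, `DUPL_PARAMS` without `--ssh-backend pexpect`. Nothing visible in this diff makes the role fail early on a release other than Stretch. The removed `backup_client_gnupg_details[ansible_distribution_release]` lookup used to error out for unknown releases as a side effect, and that is gone too. If no such check exists elsewhere in the role, an `assert` task at the start of tasks/main.yml with `that: ansible_distribution == 'Debian' and ansible_distribution_release == 'stretch'` would fail closed. Otherwise a host can be left with a backup configuration its duplicity version may not accept.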
@@ -51,11 +47,7 @@ DUPL_PARAMS="$DUPL_PARAMS --use-agent" # ssh-options. Use dedicated known hosts and identity file when connecting over # SFTP. Using -oLogLevel=ERROR makes output a bit less verbose. This is mainly # to avoid output from sftp telling us it added IP address to known_hosts. -{% if ansible_distribution == 'Debian' and ansible_distribution_release == 'stretch' %} DUPL_PARAMS="$DUPL_PARAMS --ssh-options='-oLogLevel=ERROR -oUserKnownHostsFile=/dev/null -oGlobalKnownHostsFile=/etc/duply/main/ssh/known_hosts -oIdentityFile=/etc/duply/main/ssh/identity'" -{% else %} -DUPL_PARAMS="$DUPL_PARAMS --ssh-backend pexpect --ssh-options='-oLogLevel=ERROR -oUserKnownHostsFile=/dev/null -oGlobalKnownHostsFile=/etc/duply/main/ssh/known_hosts -oIdentityFile=/etc/duply/main/ssh/identity'" -{% endif %} # By default we exclude everything, and then include only specific patterns. DUPL_PARAMS="$DUPL_PARAMS --include-globbing-filelist /etc/duply/main/include"