diff --git a/docs/rolereference.rst b/docs/rolereference.rst index 3f5dbc3e0b09977156642cc737eb38cfbbbeda67..35d30d8d19343334b5befe558fb2a86b345c67c2 100644 --- a/docs/rolereference.rst +++ b/docs/rolereference.rst @@ -1430,6 +1430,7 @@ The role implements the following: locally-available keyring, deploys them to the server, and imports them. * Deploys private SSH key for logging-in into the backup server over SFTP. * Deploys ``known_hosts`` file for SFTP fingerprint verification. +* Sets-up crontab task that runs backups every day at 02:00 in the morning. Duply is configured as follows: @@ -1444,6 +1445,11 @@ Duply is configured as follows: directory ``/etc/duply/main/patterns/``. It is recommended to name such a file after the role name. Include pattern file is assembled from these snippets and stored in location ``/etc/duply/main/include``. +* Backups are encrypted with specified encryption keys. If signing key has been + provided, it will be used for signing the backups. +* Maximum age for old backups is set to 6 months. +* Maximum age for full backups is set to 1 month. +* Volume size is set to 1GB. Parameters diff --git a/docs/testsite.rst b/docs/testsite.rst index 8506974b8c9bd5af6e3b053ff73e064e698666d8..d12dbc7d343dd8874d14b6b10e10f3bdda27cf5b 100644 --- a/docs/testsite.rst +++ b/docs/testsite.rst @@ -114,6 +114,7 @@ In order to deploy the test site, the following steps would normally be taken: .. code-block:: shell + mkdir ssh ssh-keygen -f ssh/backup_server_dsa_key -N '' -t dsa ssh-keygen -f ssh/backup_server_rsa_key -N '' -t rsa ssh-keygen -f ssh/backup_server_ed25519_key -N '' -t ed25519 
@@ -124,35 +125,74 @@ In order to deploy the test site, the following steps would normally be taken: ssh-keygen -f ssh/web.example.com -N '' ssh-keygen -f ssh/backup.example.com -N '' -7. Generate the preseed files: +7. Set-up a local GnuPG keyring that will contain the necessary encryption and + signing keys for the backup clients:: + + mkdir ./backup_keyring + chmod 700 ./backup_keyring + cat << EOF | gpg2 --homedir ./backup_keyring --batch --gen-key + # Signing keys first. + Key-Type:RSA + Key-Length:1024 + Name-Real:ldap.example.com + Expire-Date:0 + %commit + + Key-Type:RSA + Key-Length:1024 + Name-Real:mail.example.com + Expire-Date:0 + %commit + + Key-Type:RSA + Key-Length:1024 + Name-Real:web.example.com + Expire-Date:0 + %commit + + Key-Type:RSA + Key-Length:1024 + Name-Real:xmpp.example.com + Expire-Date:0 + %commit + + # This is the actual encryption key that will be used. + Key-Type:RSA + Key-Length:1024 + Name-Real:backup.example.com + Expire-Date:0 + %commit + EOF + +8. Generate the preseed files: .. code-block:: shell - ansible-playbook playbooks/preseed.yml + ansible-playbook playbooks/preseed.yml -8. Install all servers using the generated preseed files. +9. Install all servers using the generated preseed files. -9. Add the SSH host fingerprints to your ``known_hosts`` file (don't forget to - remove old entries if you are redoing the process). You can easily obtain all - the necessary fingerprints with command (don't forget to modify domain if you - need to): +10. Add the SSH host fingerprints to your ``known_hosts`` file (don't forget to + remove old entries if you are redoing the process). You can easily obtain all + the necessary fingerprints with command (don't forget to modify domain if you + need to): - .. code-block:: shell + .. 
code-block:: shell ssh-keyscan -t ed25519 mail.example.com ldap.example.com xmpp.example.com web.example.com $(resolveip -s mail.example.com) $(resolveip -s ldap.example.com) $(resolveip -s xmpp.example.com) $(resolveip -s web.example.com) -10. Invoke the ``bootstrap.yml`` playbook in order to set-up some basic +11. Invoke the ``bootstrap.yml`` playbook in order to set-up some basic environment for Ansible runs on all servers: - .. code-block:: shell + .. code-block:: shell - ansible-playbook playbooks/bootstrap.yml + ansible-playbook playbooks/bootstrap.yml -11. Finally, apply configuration on all servers: +12. Finally, apply configuration on all servers: - .. code-block:: shell + .. code-block:: shell - ansible-playbook playbooks/site.yml + ansible-playbook playbooks/site.yml The playbooks and configurations for test site make a couple of assumptions: diff --git a/roles/backup_client/tasks/main.yml b/roles/backup_client/tasks/main.yml index e33444e600ca497325a5fc668c11c87865de86bc..627146b37f6178b0277cf38fc9e9be173d971499 100644 --- a/roles/backup_client/tasks/main.yml +++ b/roles/backup_client/tasks/main.yml @@ -79,3 +79,7 @@ - name: Assemble Duply include patterns assemble: src="/etc/duply/main/patterns" dest="/etc/duply/main/include" owner="root" group="root" mode="600" + +- name: Deploy crontab entry for running backups + cron: name=backup cron_file=backup hour=2 minute=0 job="/usr/bin/duply main backup" + state=present user=root \ No newline at end of file diff --git a/testsite/group_vars/backup.yml b/testsite/group_vars/backup.yml index 6aed8d737ead10ff1dba14cf28194c8f9de48e9f..b5d4305b5d46ed4a1a7d9f29d8a81cf7f6712b0d 100644 --- a/testsite/group_vars/backup.yml +++ b/testsite/group_vars/backup.yml 
@@ -8,12 +8,12 @@ smtp_relay_host: mail.{{ testsite_domain }} smtp_relay_truststore: /etc/ssl/certs/ca.pem backup_clients: - - server: web.example.com + - server: web.{{ testsite_domain }} uid: 3000 - public_key: "{{ lookup('file', inventory_dir + '/ssh/web.example.com.pub') }}" + public_key: "{{ lookup('file', inventory_dir + '/ssh/web.' + testsite_domain + '.pub') }}" ip: 10.32.64.18 - - server: mail.example.com - public_key: "{{ lookup('file', inventory_dir + '/ssh/mail.example.com.pub') }}" + - server: mail.{{ testsite_domain }} + public_key: "{{ lookup('file', inventory_dir + '/ssh/mail.' + testsite_domain + '.pub') }}" ip: 10.32.64.15 backup_host_ssh_private_keys: diff --git a/testsite/group_vars/web.yml b/testsite/group_vars/web.yml index 05c38234cf7e21b6e1861152fa9405b3511cfe20..b3fbbd56ddb285a608be4ee248e046756cfb4623 100644 --- a/testsite/group_vars/web.yml +++ b/testsite/group_vars/web.yml @@ -13,4 +13,19 @@ https_tls_certificate: "{{ inventory_dir }}/tls/web.{{ testsite_domain }}_https. web_default_title: "Welcome to Example Inc." web_default_message: "You are attempting to access the web server using a wrong name or an IP address. Please check your URL." -db_root_password: "root" \ No newline at end of file +db_root_password: "root" + +backup_encryption_keys: + - "backup.{{ testsite_domain }}" + +backup_signing_key: "web.{{ testsite_domain }}" + +backup_server: "backup.{{ testsite_domain }}" + +backup_server_host_ssh_public_keys: + - "{{ lookup('file', inventory_dir + '/ssh/backup_server_dsa_key.pub') }}" + - "{{ lookup('file', inventory_dir + '/ssh/backup_server_rsa_key.pub') }}" + - "{{ lookup('file', inventory_dir + '/ssh/backup_server_ed25519_key.pub') }}" + - "{{ lookup('file', inventory_dir + '/ssh/backup_server_ecdsa_key.pub') }}" + +backup_ssh_key: "{{ lookup('file', inventory_dir + '/ssh/web.' + testsite_domain) }}" 
diff --git a/testsite/playbooks/web.yml b/testsite/playbooks/web.yml index 81707e5422051e95fee8953ea49e93baac4c1883..60f713bbc1af1e394be8731b7a49b8614e03f754 100644 --- a/testsite/playbooks/web.yml +++ b/testsite/playbooks/web.yml @@ -11,3 +11,4 @@ - web_server - phpinfo - wsgihello + - backup_client \ No newline at end of file
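Review bot: In the docs/rolereference.rst hunk at 1430, the new bullet reads "Sets-up crontab task that runs backups every day at 02:00 in the morning"; "Sets-up" should be "Sets up" and "at 02:00 in the morning" is redundant, so "Sets up a crontab task that runs backups daily at 02:00" is tighter. It would also help readers to name the job the task runs (``/usr/bin/duply main backup``), since that is what they will see in ``/etc/cron.d/backup``.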
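Review bot: In the docs/rolereference.rst hunk at 1444, the new bullets are missing articles ("with the specified encryption keys", "If a signing key has been provided") and, more importantly, do not say which parameters supply the keys; since the Parameters section follows, the bullets should point at the variable names that the test site sets (``backup_encryption_keys`` and ``backup_signing_key`` in the group_vars hunk) so the reader can connect the behaviour to the configuration.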
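Review bot: In the docs/testsite.rst hunk at 114, the added ``mkdir ssh`` will abort the step with "File exists" on a second run, and step 10 explicitly anticipates "redoing the process"; use ``mkdir -p ssh`` so the sequence is repeatable.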
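Review bot: In the docs/testsite.rst hunk at 124, nothing in the visible changes ties the ``./backup_keyring`` directory created in step 7 to the role: the web.yml group_vars hunk only names keys (``backup.{{ testsite_domain }}``, ``web.{{ testsite_domain }}``), so the step should state which variable or default path the ``backup_client`` role reads the keyring from. The batch file also has no ``Passphrase`` or ``%no-protection`` line, so depending on the GnuPG version ``gpg2 --batch --gen-key`` will either prompt through pinentry or silently produce unprotected keys; say which is intended. Finally, every key is ``Key-Length:1024`` with ``Expire-Date:0``, and this keyring holds the key that decrypts all backups; if 1024-bit RSA is chosen only to speed up test-site setup, note that in the text so it is not copied into a real deployment.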
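Review bot: In the roles/backup_client/tasks/main.yml hunk at 79, the cron entry runs only ``/usr/bin/duply main backup``, but the documentation hunk promises "Maximum age for old backups is set to 6 months"; duply applies that limit only when ``purge`` is run, so either the job should also run the purge step (for example ``/usr/bin/duply main backup && /usr/bin/duply main purge --force``) or the docs should say that purging is manual. The file is also left without a trailing newline.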
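Review bot: In the testsite/group_vars/backup.yml hunk at 8, the hostnames and key lookups are now built from ``testsite_domain`` while ``ip: 10.32.64.18`` and ``ip: 10.32.64.15`` stay hard-coded, which is fine if the test-site addressing is fixed but worth a comment. Also only the ``web`` entry carries ``uid: 3000``; if ``uid`` is optional that should be stated in the role reference, otherwise the ``mail`` entry is missing it.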
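Review bot: In the testsite/group_vars/web.yml hunk at 13, ``backup_ssh_key`` loads the private SSH key ``ssh/web.{{ testsite_domain }}`` into a plain variable via ``lookup('file', ...)``, so its contents will show up in verbose playbook output and in any fact or variable dump; make sure the task in ``backup_client`` that writes it uses ``no_log: true``, or pass the path and let ``copy`` read the file directly. The list of ``backup_server_host_ssh_public_keys`` should also match the key types generated in the docs/testsite.rst steps.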
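Review bot: In the testsite/playbooks/web.yml hunk at 11, the added ``- backup_client`` role line is correct, but the file is left without a trailing newline; add it so future diffs stay clean.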