diff --git a/docs/about.rst b/docs/about.rst index 04987c383b974bd1023297523bf45c9f7bc719c8..81976f0d1aeebe8cae7cb6718b02a9b9ce66409c 100644 --- a/docs/about.rst +++ b/docs/about.rst @@ -11,6 +11,10 @@ Roles cover different aspects of infrastructure, such as mail servers, web servers, web applications etc. The roles are mainly well-suited for smaller installations. +Roles are mainly written for use with *Debian 8 Jessie*, although some support +*Debian 9 Stretch* as well. You can find out more about distribution +compatibility in :ref:`rolereference`. + At the moment, the roles have been written for and tested against **Ansible 1.9.x**. @@ -25,6 +29,10 @@ are: * Referencing non-existing handlers does not produce error. * Referencing non-existing tags does not produce error. +The role also utilises the ``dig`` lookup plugin which requires ``dnspython`` +package to be installed. Make sure you have the package available on controller +machine. + Why were these roles created? ----------------------------- diff --git a/docs/conf.py b/docs/conf.py index f80942dcc33dd4b36c94a4fde11a674a861af702..f2df7095ee74b2390af0f8a5ed763d814e9ce01f 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -101,7 +101,7 @@ pygments_style = 'sphinx' # The theme to use for HTML and HTML Help pages. See the documentation for # a list of builtin themes. -html_theme = 'default' +html_theme = 'classic' # Theme options are theme-specific and customize the look and feel of a theme # further. For a list of options available for each theme, see the diff --git a/docs/index.rst b/docs/index.rst index 4b7085525f75b8ea5ea5c1312b50794761ce1ce1..63f4974d493063877f66734e703e15023dc227af 100644 --- a/docs/index.rst +++ b/docs/index.rst 
@@ -4,6 +4,17 @@ Majic Ansible Roles documentation Majic Ansible Roles is a collection of Ansible roles that are used on regular basis for deployment and maintenance of Majic infrastructure. +The roles are kept as a separate project in hope of making them potentially +useful to wider audience, and for reference purposes. + +Roles cover different aspects of infrastructure, such as mail servers, web +servers, web applications etc. The roles are mainly well-suited for smaller +installations. + +Roles are mainly written for use with *Debian 8 Jessie*, although some support +*Debian 9 Stretch* as well. You can find out more about distribution +compatibility in :ref:`rolereference`. + At the moment, the roles have been written for and tested against **Ansible 1.9.x**. diff --git a/docs/rolereference.rst b/docs/rolereference.rst index db7c13e9b04f9727fb5325fab65820aef8718b75..7322c43e6afe42f68feb17a71130961359e0be39 100644 --- a/docs/rolereference.rst +++ b/docs/rolereference.rst @@ -140,6 +140,15 @@ Parameters the local hardware clock is set to UTC. +Distribution compatibility +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Role is compatible with the following distributions: + +- Debian 8 (Jessie) +- Debian 9 (Stretch) + + Examples ~~~~~~~~ @@ -203,6 +212,15 @@ Parameters operating system user ``ansible``. +Distribution compatibility +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Role is compatible with the following distributions: + +- Debian 8 (Jessie) +- Debian 9 (Stretch) + + Examples ~~~~~~~~ @@ -378,6 +396,15 @@ Parameters *only*. +Distribution compatibility +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Role is compatible with the following distributions: + +- Debian 8 (Jessie) +- Debian 9 (Stretch) + + Examples ~~~~~~~~ @@ -452,6 +479,14 @@ Parameters Value for configuration option. +Distribution compatibility +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Role is compatible with the following distributions: + +- Debian 8 (Jessie) + + Examples ~~~~~~~~ 
@@ -655,6 +690,14 @@ Parameters ciphers. +Distribution compatibility +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Role is compatible with the following distributions: + +- Debian 8 (Jessie) + + Examples ~~~~~~~~ @@ -818,6 +861,14 @@ Parameters directory ``/etc/ssl/private/`` under name ``{{ ansible_fqdn }}_xmpp.key``. +Distribution compatibility +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Role is compatible with the following distributions: + +- Debian 8 (Jessie) + + Examples ~~~~~~~~ @@ -1041,6 +1092,14 @@ Parameters ``192.168.1.0/24``, ``myhost.example.com`` etc). +Distribution compatibility +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Role is compatible with the following distributions: + +- Debian 8 (Jessie) + + Examples ~~~~~~~~ @@ -1138,6 +1197,15 @@ Parameters ``/etc/ssl/certs/smtp_relay_truststore.pem`` +Distribution compatibility +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Role is compatible with the following distributions: + +- Debian 8 (Jessie) +- Debian 9 (Stretch) + + Examples ~~~~~~~~ @@ -1221,6 +1289,14 @@ Parameters ciphers. +Distribution compatibility +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Role is compatible with the following distributions: + +- Debian 8 (Jessie) + + Examples ~~~~~~~~ @@ -1409,6 +1485,14 @@ Parameters is configured via ``~/.forward`` configuration file. +Distribution compatibility +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Role is compatible with the following distributions: + +- Debian 8 (Jessie) + + Examples ~~~~~~~~ @@ -1664,6 +1748,14 @@ Parameters ``code`` sub-directory. I.e. don't use full paths. +Distribution compatibility +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Role is compatible with the following distributions: + +- Debian 8 (Jessie) + + Examples ~~~~~~~~ @@ -1731,6 +1823,14 @@ Parameters Password for the *root* database user. +Distribution compatibility +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Role is compatible with the following distributions: + +- Debian 8 (Jessie) + + Examples ~~~~~~~~ 
@@ -1787,6 +1887,14 @@ Parameters Password for the database user. +Distribution compatibility +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Role is compatible with the following distributions: + +- Debian 8 (Jessie) + + Examples ~~~~~~~~ @@ -1890,6 +1998,14 @@ Parameters ssh-keygen -f backup_server_ecdsa_key -N '' -t ecdsa +Distribution compatibility +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Role is compatible with the following distributions: + +- Debian 8 (Jessie) + + Examples ~~~~~~~~ @@ -2011,6 +2127,15 @@ Parameters SSH private key for logging-in into the backup server. +Distribution compatibility +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Role is compatible with the following distributions: + +- Debian 8 (Jessie) +- Debian 9 (Stretch) + + Examples ~~~~~~~~ @@ -2074,6 +2199,15 @@ Parameters backed-up. +Distribution compatibility +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Role is compatible with the following distributions: + +- Debian 8 (Jessie) +- Debian 9 (Stretch) + + Examples ~~~~~~~~ diff --git a/roles/backup_client/handlers/main.yml b/roles/backup_client/handlers/main.yml index e102db6af3fe4987ee203f13b5173aefd3be996b..4bf7fc718b688e9b1cbb0d7db4d30efdf586c2f4 100644 --- a/roles/backup_client/handlers/main.yml +++ b/roles/backup_client/handlers/main.yml @@ -4,8 +4,8 @@ shell: rm -f /etc/duply/main/gnupg/* - name: Import private keys - command: gpg2 --homedir /etc/duply/main/gnupg --import /etc/duply/main/private_keys.asc + command: "{{ gnupg_binary }} --homedir /etc/duply/main/gnupg --import /etc/duply/main/private_keys.asc" - name: Import public keys - command: gpg2 --homedir /etc/duply/main/gnupg --import /etc/duply/main/public_keys.asc + command: "{{ gnupg_binary }} --homedir /etc/duply/main/gnupg --import /etc/duply/main/public_keys.asc" when: backup_additional_encryption_keys diff --git a/roles/backup_client/tasks/main.yml b/roles/backup_client/tasks/main.yml index 6720bf4e2ac3343d5611749f9d717e470875f6bd..ae6873aaade016e0610bf99eee131c05a6444b5f 100644 --- a/roles/backup_client/tasks/main.yml 
+++ b/roles/backup_client/tasks/main.yml @@ -1,5 +1,22 @@ --- +# Determine how to invoke the GnuPG binary based on Debian version. +- set_fact: gnupg_binary="gpg2" + when: "ansible_distribution == 'Debian' and ansible_distribution_release == 'jessie'" +- set_fact: gnupg_binary="gpg" + when: "ansible_distribution == 'Debian' and ansible_distribution_release == 'stretch'" + +# Determine cut-off for the GnuPG key ID (long vs short) based on Debian +# version. +- set_fact: gnupg_key_cutoff="{8}" + when: "ansible_distribution == 'Debian' and ansible_distribution_release == 'jessie'" +- set_fact: gnupg_key_cutoff="{0}" + when: "ansible_distribution == 'Debian' and ansible_distribution_release == 'stretch'" + +- name: Install pexpect for pexpect+sftp Duplicity backend (only on Stretch) + apt: name="python-pexpect" state=installed + when: "ansible_distribution == 'Debian' and ansible_distribution_release == 'stretch'" + - name: Install backup software apt: name="{{ item }}" state=installed with_items: 
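Review bot: `gnupg_binary` and `gnupg_key_cutoff` are set only for Debian jessie and stretch, so on any other distribution or release both stay undefined. The first task or handler that templates them then fails with an undefined-variable error, both in the two "Extract … key" shell tasks later in this file and in the "Import private keys" / "Import public keys" handlers in roles/backup_client/handlers/main.yml. An explicit guard right after the `set_fact` tasks would stop the run early with a clear message, for example `- fail: msg="backup_client supports only Debian jessie and stretch"` with `when: gnupg_binary is not defined`. The `{8}` / `{0}` values are sed interval expressions spliced into the regex, and `{8}` keeps the collision-prone 32-bit short key ID on Jessie. I would say so in the comment, along the lines of `# {8} strips the first 8 hex digits (short ID, presumably required by Jessie's duplicity); {0} keeps the long ID`.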
@@ -34,13 +51,13 @@ - Import public keys - name: Extract encryption key identifier (Duplicty requires key ID in hexadecimal format) - shell: "gpg2 --list-packets /etc/duply/main/private_keys.asc | grep keyid: | head -n1 | sed -e 's/.*: //' | sed -re 's/^.{8}//'" + shell: "{{ gnupg_binary }} --list-packets /etc/duply/main/private_keys.asc | grep keyid: | head -n1 | sed -e 's/.*: //' | sed -re 's/^.{{gnupg_key_cutoff}}//'" register: backup_encryption_key_id changed_when: False failed_when: backup_encryption_key_id.stdout == "" - name: Extract additional encryption keys identifiers (Duplicty requires key ID in hexadecimal format) - shell: "gpg2 --list-packets /etc/duply/main/private_keys.asc | grep keyid: | head -n1 | sed -e 's/.*: //' | sort -u | sed -re 's/^.{8}//' | tr '\n' ',' | sed -e 's/,$//'" + shell: "{{ gnupg_binary }} --list-packets /etc/duply/main/public_keys.asc | grep keyid: | head -n1 | sed -e 's/.*: //' | sort -u | sed -re 's/^.{{gnupg_key_cutoff}}//' | tr '\n' ',' | sed -e 's/,$//'" register: backup_additional_encryption_keys_ids when: backup_additional_encryption_keys changed_when: False diff --git a/roles/backup_client/templates/duply_main_conf.j2 b/roles/backup_client/templates/duply_main_conf.j2 index f7169b7f4d79ff164dd15d5ababb12fa5c8c37c8..4df0b4eb23eaa282bdf4e03cc79fc03b22997dfe 100644 --- a/roles/backup_client/templates/duply_main_conf.j2 +++ b/roles/backup_client/templates/duply_main_conf.j2 
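Review bot: In the "Extract additional encryption keys identifiers" task, `head -n1` runs before `sort -u`, so at most one key ID ever reaches `tr` and the final `sed`. `backup_additional_encryption_keys_ids` can therefore never hold more than the first key found in `public_keys.asc`, and any further recipients would silently be left out of `GPG_KEYS_ENC`. Dropping `head -n1` alone would, I expect, also pick up subkey and signature `keyid:` lines, so selecting one ID per key from machine-readable `--with-colons` output (the `pub` records) looks like the more robust route. From what is visible, this task also lacks the `failed_when: … .stdout == ""` guard that the preceding task has, and because the pipeline's exit status comes from the last `sed`, a failing GnuPG call would go unnoticed. The task definition continues past the end of the hunk, so that guard may exist further down.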
@@ -3,13 +3,17 @@ GPG_KEYS_ENC='{{ backup_encryption_key_id.stdout }}{% if backup_additional_encryption_keys %},{{ backup_additional_encryption_keys_ids.stdout }}{% endif %}' # GnuPG key used for signing. -GPG_KEY_SIGN='{{backup_encryption_key_id.stdout }}' +GPG_KEY_SIGN='{{ backup_encryption_key_id.stdout }}' # Trust all keys available in the GnuPG keyring. GPG_OPTS="--homedir /etc/duply/main/gnupg/ --trust-model always" # Destination where the backups are stored at. +{% if ansible_distribution == 'Debian' and ansible_distribution_release == 'stretch' %} +TARGET='pexpect+sftp://{{ backup_client_username }}@{{ backup_server }}:{{ backup_server_port }}//{{ backup_server_destination }}' +{% else %} TARGET='sftp://{{ backup_client_username }}@{{ backup_server }}:{{ backup_server_port }}//{{ backup_server_destination }}' +{% endif %} # Base directory to backup (root). File selection is done via include/exclude # patterns. 
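Review bot: The stretch/else branch around `TARGET` repeats the whole URL although only the scheme differs, and the same release test is repeated around `--ssh-options` in the next hunk of this template (`@@ -47,7 +51,11 @@`). The two conditions have to stay in agreement: the `--ssh-options` that pin host keys to `/etc/duply/main/ssh/known_hosts` are, as far as I know, only fully honoured by the pexpect backend, so a plain `sftp://` target without `--ssh-backend pexpect` could fall back to a backend that ignores that pinning. I would decide once at the top of the template, for example `{% set on_stretch = ansible_distribution == 'Debian' and ansible_distribution_release == 'stretch' %}`, then write `TARGET='{{ 'pexpect+sftp' if on_stretch else 'sftp' }}://…'` and reuse `on_stretch` for the `DUPL_PARAMS` line. A short comment stating that both settings select the pexpect backend, and why, would help whoever adds the next release.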
@@ -47,7 +51,11 @@ DUPL_PARAMS="$DUPL_PARAMS --use-agent" # ssh-options. Use dedicated known hosts and identity file when connecting over # SFTP. Using -oLogLevel=ERROR makes output a bit less verbose. This is mainly # to avoid output from sftp telling us it added IP address to known_hosts. +{% if ansible_distribution == 'Debian' and ansible_distribution_release == 'stretch' %} +DUPL_PARAMS="$DUPL_PARAMS --ssh-options='-oLogLevel=ERROR -oUserKnownHostsFile=/dev/null -oGlobalKnownHostsFile=/etc/duply/main/ssh/known_hosts -oIdentityFile=/etc/duply/main/ssh/identity'" +{% else %} DUPL_PARAMS="$DUPL_PARAMS --ssh-backend pexpect --ssh-options='-oLogLevel=ERROR -oUserKnownHostsFile=/dev/null -oGlobalKnownHostsFile=/etc/duply/main/ssh/known_hosts -oIdentityFile=/etc/duply/main/ssh/identity'" +{% endif %} # By default we exclude everything, and then include only specific patterns. -DUPL_PARAMS="$DUPL_PARAMS --include-globbing-filelist /etc/duply/main/include" \ No newline at end of file +DUPL_PARAMS="$DUPL_PARAMS --include-globbing-filelist /etc/duply/main/include"