diff --git a/roles/backup_client/defaults/main.yml b/roles/backup_client/defaults/main.yml index 350a361d734f23639f116d51064070e3d7cf0ff9..3c30b0bdb095bbc8b23f36e2a7127ed435d3f751 100644 --- a/roles/backup_client/defaults/main.yml +++ b/roles/backup_client/defaults/main.yml @@ -4,3 +4,8 @@ backup_additional_encryption_keys: [] backup_client_username: "bak-{{ ansible_fqdn | replace('.', '_') }}" backup_server_destination: /duplicity backup_server_port: 2222 + +# Internal parameters. +backup_client_pexpect_package: + buster: python-pexpect + bullseye: python3-pexpect diff --git a/roles/backup_client/molecule/default/molecule.yml b/roles/backup_client/molecule/default/molecule.yml index f8b634c7e83ae702c1aa5c4568dcec01ca948d72..111e8a9b533b85acca56f3dcc47517e80a8c18e4 100644 --- a/roles/backup_client/molecule/default/molecule.yml +++ b/roles/backup_client/molecule/default/molecule.yml @@ -18,7 +18,7 @@ lint: # stupid legacy design decisions! platforms: - name: backup-server - box: debian/contrib-buster64 + box: debian/bullseye64 memory: 512 cpus: 1 interfaces: @@ -51,6 +51,30 @@ platforms: network_name: private_network type: static + - name: param-mandatory-bullseye + groups: + - parameters-mandatory + box: debian/bullseye64 + memory: 256 + cpus: 1 + interfaces: + - auto_config: true + ip: 192.168.56.30 + network_name: private_network + type: static + + - name: param-optional-bullseye + groups: + - parameters-optional + box: debian/bullseye64 + memory: 256 + cpus: 1 + interfaces: + - auto_config: true + ip: 192.168.56.31 + network_name: private_network + type: static + provisioner: name: ansible config_options: diff --git a/roles/backup_client/molecule/default/prepare.yml b/roles/backup_client/molecule/default/prepare.yml index 8bf085c6f7df3a7fdb8133d90fa225d7a19ceb9a..c779fe1fd9523abe1f8210e29f3dfdba4a66c0fa 100644 --- a/roles/backup_client/molecule/default/prepare.yml +++ b/roles/backup_client/molecule/default/prepare.yml 
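Review bot: The new `backup_client_pexpect_package` map sits under a bare `# Internal parameters.` comment that neither says what its keys are nor that the role has no fallback when a release is missing from it; a comment such as `# Keyed by ansible_distribution_release; add an entry for every supported release, the install task in tasks/main.yml has no default.` would make the contract explicit. Only `buster` and `bullseye` are listed, so a host on any other release would, as far as I can tell, abort at the pexpect task rather than be skipped. The two package names are plain scalars, which is fine here since neither looks like a boolean, number or null.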
@@ -36,10 +36,26 @@ notify: - Restart ssh + - name: Drop the outdated public keys + file: + path: "{{ item }}" + state: absent + with_items: + - /etc/ssh/ssh_host_rsa_key.pub + - /etc/ssh/ssh_host_ed25519_key.pub + - /etc/ssh/ssh_host_ecdsa_key.pub + + - name: Force the use of internal-sftp subsystem fro SFTP + lineinfile: + path: /etc/ssh/sshd_config + regexp: "^Subsystem.*sftp" + line: "Subsystem sftp internal-sftp" + state: present + - name: Deploy custom SSH server configuration that chroots users copy: - src: "tests/data/backup_server_custom-sshd_config" - dest: "/etc/ssh/sshd_config" + src: "tests/data/backup_server-sshd-chroot_backup_users.conf" + dest: "/etc/ssh/sshd_config.d/chroot_backup_users.conf" owner: root group: root mode: 0600 @@ -86,7 +102,7 @@ with_items: - /home/backupuser - /home/bak-param-mandatory-buster - - /home/bak-param-mandatory-buster + - /home/bak-param-mandatory-bullseye - name: Set-up duplicity backup directories file: @@ -118,5 +134,7 @@ backup_users: - name: bak-param-mandatory-buster key: "{{ lookup('file', 'tests/data/ssh/parameters-mandatory.pub') }}" + - name: bak-param-mandatory-bullseye + key: "{{ lookup('file', 'tests/data/ssh/parameters-mandatory.pub') }}" - name: backupuser key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}" diff --git a/roles/backup_client/molecule/default/tests/data/backup_server-sshd-chroot_backup_users.conf b/roles/backup_client/molecule/default/tests/data/backup_server-sshd-chroot_backup_users.conf new file mode 100644 index 0000000000000000000000000000000000000000..79817466198078b94dce3607c3ea9c7491f0ff09 --- /dev/null +++ b/roles/backup_client/molecule/default/tests/data/backup_server-sshd-chroot_backup_users.conf @@ -0,0 +1,2 @@ +Match Group backup-users + ChrootDirectory %h \ No newline at end of file 
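Review bot: The new `Force the use of internal-sftp subsystem fro SFTP` task edits /etc/ssh/sshd_config but, unlike the task whose `notify: - Restart ssh` opens this hunk, carries no `notify`, so sshd only picks the change up if some later task happens to restart it (the `copy` task's notify, if any, lies outside the hunk); adding `notify: - Restart ssh` to that task keeps the restart tied to the change, and the task name has a typo, `fro` for `for`. The drop-in written to `/etc/ssh/sshd_config.d/chroot_backup_users.conf` is only read if the box's sshd_config carries an `Include /etc/ssh/sshd_config.d/*.conf` line, which the bullseye package default does but buster's does not, so this prepare step now silently depends on the box change made in molecule.yml. The `Drop the outdated public keys` task gives no reason for deleting the three host `.pub` files; a one-line comment such as `# Host keys are regenerated above, the old .pub files no longer match them` (presumably the intent — confirm against the preceding task, which is outside the hunk) would help the next reader.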
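Review bot: The new drop-in consists only of a `Match Group backup-users` block, and because a `Match` block extends to the end of the file it is parsed in, any global directive that follows the `Include` line in the main sshd_config may be rejected as not allowed within a Match block on some OpenSSH versions; running `sshd -t` from the prepare play, or naming the file so it is included last, would surface that early. The file is also committed without a trailing newline. `ChrootDirectory %h` additionally requires each backup user's home directory to be root-owned and not group- or world-writable, which nothing in this diff shows being set — confirm the home-directory task outside this hunk does so, otherwise sshd refuses the login.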
diff --git a/roles/backup_client/molecule/default/tests/data/backup_server_custom-sshd_config b/roles/backup_client/molecule/default/tests/data/backup_server_custom-sshd_config index debf91313a8d0a39237994c41e9f6d7d49b4eef2..d7a5dc5ae8cea87d160ce5db5f80f1389e4adf79 100644 --- a/roles/backup_client/molecule/default/tests/data/backup_server_custom-sshd_config +++ b/roles/backup_client/molecule/default/tests/data/backup_server_custom-sshd_config 
@@ -1,92 +1,2 @@ -# Package generated configuration file -# See the sshd_config(5) manpage for details - -# What ports, IPs and protocols we listen for -Port 22 -# Use these options to restrict which interfaces/protocols sshd will bind to -#ListenAddress :: -#ListenAddress 0.0.0.0 -Protocol 2 -# HostKeys for protocol version 2 -HostKey /etc/ssh/ssh_host_rsa_key -HostKey /etc/ssh/ssh_host_ecdsa_key -HostKey /etc/ssh/ssh_host_ed25519_key -#Privilege Separation is turned on for security -UsePrivilegeSeparation yes - -# Lifetime and size of ephemeral version 1 server key -KeyRegenerationInterval 3600 -ServerKeyBits 1024 - -# Logging -SyslogFacility AUTH -LogLevel INFO - -# Authentication: -LoginGraceTime 120 -PermitRootLogin without-password -StrictModes yes - -RSAAuthentication yes -PubkeyAuthentication yes -#AuthorizedKeysFile %h/.ssh/authorized_keys - -# Don't read the user's ~/.rhosts and ~/.shosts files -IgnoreRhosts yes -# For this to work you will also need host keys in /etc/ssh_known_hosts -RhostsRSAAuthentication no -# similar for protocol version 2 -HostbasedAuthentication no -# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication -#IgnoreUserKnownHosts yes - -# To enable empty passwords, change to yes (NOT RECOMMENDED) -PermitEmptyPasswords no - -# Change to yes to enable challenge-response passwords (beware issues with -# some PAM modules and threads) -ChallengeResponseAuthentication no - -# Change to no to disable tunnelled clear text passwords -#PasswordAuthentication yes - -# Kerberos options -#KerberosAuthentication no -#KerberosGetAFSToken no -#KerberosOrLocalPasswd yes -#KerberosTicketCleanup yes - -# GSSAPI options -#GSSAPIAuthentication no -#GSSAPICleanupCredentials yes - -X11Forwarding yes -X11DisplayOffset 10 -PrintMotd no -PrintLastLog yes -TCPKeepAlive yes -#UseLogin no - -#MaxStartups 10:30:60 -#Banner /etc/issue.net - -# Allow client to pass locale environment variables -AcceptEnv LANG LC_* - -Subsystem sftp 
internal-sftp - -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will -# be allowed through the ChallengeResponseAuthentication and -# PasswordAuthentication. Depending on your PAM configuration, -# PAM authentication via ChallengeResponseAuthentication may bypass -# the setting of "PermitRootLogin without-password". -# If you just want the PAM account and session checks to run without -# PAM authentication, then enable this but set PasswordAuthentication -# and ChallengeResponseAuthentication to 'no'. -UsePAM yes -UseDNS no -PasswordAuthentication no - Match Group backup-users - ChrootDirectory %h \ No newline at end of file + ChrootDirectory %h diff --git a/roles/backup_client/molecule/default/tests/test_default.py b/roles/backup_client/molecule/default/tests/test_default.py index 28e2e8d79c6b640ec290a54eedb0c26128f1b670..4e867af66c3d6c19e4e01c38f347f860c2f4dea3 100644 --- a/roles/backup_client/molecule/default/tests/test_default.py +++ b/roles/backup_client/molecule/default/tests/test_default.py @@ -12,7 +12,14 @@ def test_installed_packages(host): Tests if the necessary packages are installed. """ - assert host.package('python-pexpect').is_installed + distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"] + + if distribution_release == "buster": + expected_package_name = "python-pexpect" + else: + expected_package_name = "python3-pexpect" + + assert host.package(expected_package_name).is_installed assert host.package('duply').is_installed assert host.package('duplicity').is_installed diff --git a/roles/backup_client/tasks/main.yml b/roles/backup_client/tasks/main.yml index e3cf02096b2823ed70506c416b74d459924966b1..5bfe3f6fd2d383227fc975711e8eead1290c3088 100644 --- a/roles/backup_client/tasks/main.yml +++ b/roles/backup_client/tasks/main.yml 
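Review bot: After this hunk `tests/data/backup_server_custom-sshd_config` is reduced to the same two-line Match block as the newly added `backup_server-sshd-chroot_backup_users.conf`, and prepare.yml no longer references it, so it looks like an orphaned duplicate that should be deleted rather than trimmed (no remaining use is visible in this diff — confirm before removing). The removed content also carried `PasswordAuthentication no`, `PermitRootLogin without-password` and `UseDNS no`, and nothing in the diff re-applies them, so the test server now runs with the box's package defaults, which as far as I can tell permit password authentication. If the pexpect+sftp backend under test ever falls back to a password prompt, that surfaces as a hang instead of an authentication failure; restoring `PasswordAuthentication no` in the new drop-in, before the `Match` line, keeps the fixture's behaviour as it was.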
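Review bot: `test_installed_packages` now expects `python3-pexpect` for every release other than buster, whereas the role's `backup_client_pexpect_package` map only knows buster and bullseye, so on an unlisted release the role fails at the install task while the test would still assert the python3 package; making the test mirror the map (`elif distribution_release == "bullseye":` for the python3 case and `pytest.fail(f"unexpected release {distribution_release}")` in the else branch) keeps the two in step. The new `host.ansible("setup")[...]` line is also well past 79 columns; splitting the chained subscript over two lines keeps it within the project's line length if a linter is run.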
@@ -5,7 +5,7 @@ # possible to switch to Paramiko backend. - name: Install pexpect for pexpect+sftp Duplicity backend apt: - name: "python-pexpect" + name: "{{ backup_client_pexpect_package[ansible_distribution_release] }}" state: present - name: Install backup software
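Review bot: The lookup `backup_client_pexpect_package[ansible_distribution_release]` has no fallback, so a host whose release is missing from the map (anything but buster or bullseye as of this change) fails with a generic undefined-attribute error from the templating engine rather than a message naming the cause. A preceding `assert` task with `that: ansible_distribution_release in backup_client_pexpect_package` and `fail_msg: "Unsupported release {{ ansible_distribution_release }}"` makes the unsupported case explicit and readable in the play output. The Jinja expression is correctly quoted, so it is safe as a YAML scalar; the enclosing task list continues outside the hunk.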