From 6b87dd13b24c55ea0a85256f60144b8e5efde3a5 2017-04-09 17:54:20 From: Branko Majic Date: 2017-04-09 17:54:20 Subject: [PATCH] MAR-96: Synchronised introduction in index.rst and about.rst. Added information about distribution compatibility, along with mention in introductory text.Switched to classic theme for documentation to get rid of documentation build warnings. Updated backup_client role so it can work with both Debian 8 and Debian 9. Changes between distro versions include: calling correct GnuPG binary, using correct GnuPG key ID format, installation additional dependencies, using correct Duply settings. Fixed _major_ bug related to additional backup keys (essentially, this never worked correctly due to wrong registered value being used when populating the Duply keyring). --- diff --git a/docs/about.rst b/docs/about.rst index 04987c383b974bd1023297523bf45c9f7bc719c8..81976f0d1aeebe8cae7cb6718b02a9b9ce66409c 100644 --- a/docs/about.rst +++ b/docs/about.rst @@ -11,6 +11,10 @@ Roles cover different aspects of infrastructure, such as mail servers, web servers, web applications etc. The roles are mainly well-suited for smaller installations. +Roles are mainly written for use with *Debian 8 Jessie*, although some support +*Debian 9 Stretch* as well. You can find out more about distribution +compatibility in :ref:`rolereference`. + At the moment, the roles have been written for and tested against **Ansible 1.9.x**. @@ -25,6 +29,10 @@ are: * Referencing non-existing handlers does not produce error. * Referencing non-existing tags does not produce error. +The role also utilises the ``dig`` lookup plugin which requires ``dnspython`` +package to be installed. Make sure you have the package available on controller +machine. + Why were these roles created? ----------------------------- diff --git a/docs/conf.py b/docs/conf.py index f80942dcc33dd4b36c94a4fde11a674a861af702..f2df7095ee74b2390af0f8a5ed763d814e9ce01f 100644 --- a/docs/conf.py +++ b/docs/conf.py 
@@ -101,7 +101,7 @@ pygments_style = 'sphinx' # The theme to use for HTML and HTML Help pages. See the documentation for # a list of builtin themes. -html_theme = 'default' +html_theme = 'classic' # Theme options are theme-specific and customize the look and feel of a theme # further. For a list of options available for each theme, see the diff --git a/docs/index.rst b/docs/index.rst index 4b7085525f75b8ea5ea5c1312b50794761ce1ce1..63f4974d493063877f66734e703e15023dc227af 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -4,6 +4,17 @@ Majic Ansible Roles documentation Majic Ansible Roles is a collection of Ansible roles that are used on regular basis for deployment and maintenance of Majic infrastructure. +The roles are kept as a separate project in hope of making them potentially +useful to wider audience, and for reference purposes. + +Roles cover different aspects of infrastructure, such as mail servers, web +servers, web applications etc. The roles are mainly well-suited for smaller +installations. + +Roles are mainly written for use with *Debian 8 Jessie*, although some support +*Debian 9 Stretch* as well. You can find out more about distribution +compatibility in :ref:`rolereference`. + At the moment, the roles have been written for and tested against **Ansible 1.9.x**. diff --git a/docs/rolereference.rst b/docs/rolereference.rst index db7c13e9b04f9727fb5325fab65820aef8718b75..7322c43e6afe42f68feb17a71130961359e0be39 100644 --- a/docs/rolereference.rst +++ b/docs/rolereference.rst @@ -140,6 +140,15 @@ Parameters the local hardware clock is set to UTC. +Distribution compatibility +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Role is compatible with the following distributions: + +- Debian 8 (Jessie) +- Debian 9 (Stretch) + + Examples ~~~~~~~~ 
@@ -203,6 +212,15 @@ Parameters operating system user ``ansible``. +Distribution compatibility +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Role is compatible with the following distributions: + +- Debian 8 (Jessie) +- Debian 9 (Stretch) + + Examples ~~~~~~~~ @@ -378,6 +396,15 @@ Parameters *only*. +Distribution compatibility +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Role is compatible with the following distributions: + +- Debian 8 (Jessie) +- Debian 9 (Stretch) + + Examples ~~~~~~~~ @@ -452,6 +479,14 @@ Parameters Value for configuration option. +Distribution compatibility +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Role is compatible with the following distributions: + +- Debian 8 (Jessie) + + Examples ~~~~~~~~ @@ -655,6 +690,14 @@ Parameters ciphers. +Distribution compatibility +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Role is compatible with the following distributions: + +- Debian 8 (Jessie) + + Examples ~~~~~~~~ @@ -818,6 +861,14 @@ Parameters directory ``/etc/ssl/private/`` under name ``{{ ansible_fqdn }}_xmpp.key``. +Distribution compatibility +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Role is compatible with the following distributions: + +- Debian 8 (Jessie) + + Examples ~~~~~~~~ @@ -1041,6 +1092,14 @@ Parameters ``192.168.1.0/24``, ``myhost.example.com`` etc). +Distribution compatibility +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Role is compatible with the following distributions: + +- Debian 8 (Jessie) + + Examples ~~~~~~~~ @@ -1138,6 +1197,15 @@ Parameters ``/etc/ssl/certs/smtp_relay_truststore.pem`` +Distribution compatibility +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Role is compatible with the following distributions: + +- Debian 8 (Jessie) +- Debian 9 (Stretch) + + Examples ~~~~~~~~ @@ -1221,6 +1289,14 @@ Parameters ciphers. +Distribution compatibility +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Role is compatible with the following distributions: + +- Debian 8 (Jessie) + + Examples ~~~~~~~~ 
@@ -1409,6 +1485,14 @@ Parameters is configured via ``~/.forward`` configuration file. +Distribution compatibility +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Role is compatible with the following distributions: + +- Debian 8 (Jessie) + + Examples ~~~~~~~~ @@ -1664,6 +1748,14 @@ Parameters ``code`` sub-directory. I.e. don't use full paths. +Distribution compatibility +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Role is compatible with the following distributions: + +- Debian 8 (Jessie) + + Examples ~~~~~~~~ @@ -1731,6 +1823,14 @@ Parameters Password for the *root* database user. +Distribution compatibility +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Role is compatible with the following distributions: + +- Debian 8 (Jessie) + + Examples ~~~~~~~~ @@ -1787,6 +1887,14 @@ Parameters Password for the database user. +Distribution compatibility +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Role is compatible with the following distributions: + +- Debian 8 (Jessie) + + Examples ~~~~~~~~ @@ -1890,6 +1998,14 @@ Parameters ssh-keygen -f backup_server_ecdsa_key -N '' -t ecdsa +Distribution compatibility +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Role is compatible with the following distributions: + +- Debian 8 (Jessie) + + Examples ~~~~~~~~ @@ -2011,6 +2127,15 @@ Parameters SSH private key for logging-in into the backup server. +Distribution compatibility +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Role is compatible with the following distributions: + +- Debian 8 (Jessie) +- Debian 9 (Stretch) + + Examples ~~~~~~~~ @@ -2074,6 +2199,15 @@ Parameters backed-up. +Distribution compatibility +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Role is compatible with the following distributions: + +- Debian 8 (Jessie) +- Debian 9 (Stretch) + + Examples ~~~~~~~~ diff --git a/roles/backup_client/handlers/main.yml b/roles/backup_client/handlers/main.yml index e102db6af3fe4987ee203f13b5173aefd3be996b..4bf7fc718b688e9b1cbb0d7db4d30efdf586c2f4 100644 --- a/roles/backup_client/handlers/main.yml +++ b/roles/backup_client/handlers/main.yml 
@@ -4,8 +4,8 @@ shell: rm -f /etc/duply/main/gnupg/* - name: Import private keys - command: gpg2 --homedir /etc/duply/main/gnupg --import /etc/duply/main/private_keys.asc + command: "{{ gnupg_binary }} --homedir /etc/duply/main/gnupg --import /etc/duply/main/private_keys.asc" - name: Import public keys - command: gpg2 --homedir /etc/duply/main/gnupg --import /etc/duply/main/public_keys.asc + command: "{{ gnupg_binary }} --homedir /etc/duply/main/gnupg --import /etc/duply/main/public_keys.asc" when: backup_additional_encryption_keys diff --git a/roles/backup_client/tasks/main.yml b/roles/backup_client/tasks/main.yml index 6720bf4e2ac3343d5611749f9d717e470875f6bd..ae6873aaade016e0610bf99eee131c05a6444b5f 100644 --- a/roles/backup_client/tasks/main.yml +++ b/roles/backup_client/tasks/main.yml @@ -1,5 +1,22 @@ --- +# Determine how to invoke the GnuPG binary based on Debian version. +- set_fact: gnupg_binary="gpg2" + when: "ansible_distribution == 'Debian' and ansible_distribution_release == 'jessie'" +- set_fact: gnupg_binary="gpg" + when: "ansible_distribution == 'Debian' and ansible_distribution_release == 'stretch'" + +# Determine cut-off for the GnuPG key ID (long vs short) based on Debian +# version. +- set_fact: gnupg_key_cutoff="{8}" + when: "ansible_distribution == 'Debian' and ansible_distribution_release == 'jessie'" +- set_fact: gnupg_key_cutoff="{0}" + when: "ansible_distribution == 'Debian' and ansible_distribution_release == 'stretch'" + +- name: Install pexpect for pexpect+sftp Duplicity backend (only on Stretch) + apt: name="python-pexpect" state=installed + when: "ansible_distribution == 'Debian' and ansible_distribution_release == 'stretch'" + - name: Install backup software apt: name="{{ item }}" state=installed with_items: 
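Review bot: `{{ gnupg_binary }}` in both handler commands is defined only by the two `set_fact` tasks in the tasks/main.yml hunk on this same line, and those are gated on `jessie` or `stretch`; on any other release the handlers (and the key-extraction shell tasks) fail with an undefined-variable error instead of a clear message. The same applies to `gnupg_key_cutoff`. An explicit guard right after the `set_fact` tasks makes the supported set visible and fails early, e.g. `- fail: msg="backup_client role supports only Debian 8 (jessie) and Debian 9 (stretch)"` with `when: gnupg_binary is not defined`, which also backs the compatibility statement this patch adds to docs/rolereference.rst.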
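Review bot: `gnupg_key_cutoff="{8}"` makes the Jessie branch strip the first 8 hex digits of the 16-digit key ID, so Duply is configured with a 32-bit short key ID, while Stretch (`{0}`) keeps the long form. Short IDs are cheap to collide, and the generated config (duply_main_conf.j2 in this patch) passes `--trust-model always`, so GnuPG would use any key in the keyring whose short ID matches; the exposure is limited because `/etc/duply/main/gnupg` is populated only from the role's own private_keys.asc and public_keys.asc, but the reason for keeping the short form is not recorded anywhere in the hunk. A comment above the two cutoff facts such as `# Jessie: strip to the 8-digit short key ID (presumably what Duplicity/GnuPG on Jessie accept - confirm); Stretch keeps the full long ID` would capture the constraint for whoever next touches this.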
@@ -34,13 +51,13 @@ - Import public keys - name: Extract encryption key identifier (Duplicty requires key ID in hexadecimal format) - shell: "gpg2 --list-packets /etc/duply/main/private_keys.asc | grep keyid: | head -n1 | sed -e 's/.*: //' | sed -re 's/^.{8}//'" + shell: "{{ gnupg_binary }} --list-packets /etc/duply/main/private_keys.asc | grep keyid: | head -n1 | sed -e 's/.*: //' | sed -re 's/^.{{gnupg_key_cutoff}}//'" register: backup_encryption_key_id changed_when: False failed_when: backup_encryption_key_id.stdout == "" - name: Extract additional encryption keys identifiers (Duplicty requires key ID in hexadecimal format) - shell: "gpg2 --list-packets /etc/duply/main/private_keys.asc | grep keyid: | head -n1 | sed -e 's/.*: //' | sort -u | sed -re 's/^.{8}//' | tr '\n' ',' | sed -e 's/,$//'" + shell: "{{ gnupg_binary }} --list-packets /etc/duply/main/public_keys.asc | grep keyid: | head -n1 | sed -e 's/.*: //' | sort -u | sed -re 's/^.{{gnupg_key_cutoff}}//' | tr '\n' ',' | sed -e 's/,$//'" register: backup_additional_encryption_keys_ids when: backup_additional_encryption_keys changed_when: False diff --git a/roles/backup_client/templates/duply_main_conf.j2 b/roles/backup_client/templates/duply_main_conf.j2 index f7169b7f4d79ff164dd15d5ababb12fa5c8c37c8..4df0b4eb23eaa282bdf4e03cc79fc03b22997dfe 100644 --- a/roles/backup_client/templates/duply_main_conf.j2 +++ b/roles/backup_client/templates/duply_main_conf.j2 
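Review bot: In the additional-keys task, `head -n1` runs before `sort -u`, so at most one key ID ever reaches `backup_additional_encryption_keys_ids` and the `sort -u`, `tr '\n' ','` and trailing `sed -e 's/,$//'` stages are dead code. If public_keys.asc is meant to hold several recipient keys (the plural task name and the comma-joining suggest so), drop `head -n1` from that pipeline; if exactly one key is expected, drop the sort/tr/sed stages instead so the intent is clear. Within the hunk this task also lacks the `failed_when: ... stdout == ""` check the primary-key task has; if the rest of the task (which may continue outside the hunk) does not add one, an empty result would render `GPG_KEYS_ENC` with a dangling trailing comma.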
@@ -3,13 +3,17 @@ GPG_KEYS_ENC='{{ backup_encryption_key_id.stdout }}{% if backup_additional_encryption_keys %},{{ backup_additional_encryption_keys_ids.stdout }}{% endif %}' # GnuPG key used for signing. -GPG_KEY_SIGN='{{backup_encryption_key_id.stdout }}' +GPG_KEY_SIGN='{{ backup_encryption_key_id.stdout }}' # Trust all keys available in the GnuPG keyring. GPG_OPTS="--homedir /etc/duply/main/gnupg/ --trust-model always" # Destination where the backups are stored at. +{% if ansible_distribution == 'Debian' and ansible_distribution_release == 'stretch' %} +TARGET='pexpect+sftp://{{ backup_client_username }}@{{ backup_server }}:{{ backup_server_port }}//{{ backup_server_destination }}' +{% else %} TARGET='sftp://{{ backup_client_username }}@{{ backup_server }}:{{ backup_server_port }}//{{ backup_server_destination }}' +{% endif %} # Base directory to backup (root). File selection is done via include/exclude # patterns. 
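Review bot: The `ansible_distribution == 'Debian' and ansible_distribution_release == 'stretch'` test is written out in the template here and again in the `DUPL_PARAMS` hunk below, on top of the same condition in tasks/main.yml; a template that branches on distribution facts is the piece most likely to drift when the next Debian release is added. Since tasks/main.yml already derives per-release facts (`gnupg_binary`, `gnupg_key_cutoff`), the SFTP scheme and backend flag could be derived the same way and the template would only interpolate them, e.g. `TARGET='{{ duplicity_sftp_scheme }}://{{ backup_client_username }}@{{ backup_server }}:{{ backup_server_port }}//{{ backup_server_destination }}'` where `duplicity_sftp_scheme` (constructed name) is set to `pexpect+sftp` or `sftp` next to the other `set_fact` tasks. The same applies to the `--ssh-backend pexpect` branch in the second hunk of this file.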
@@ -47,7 +51,11 @@ DUPL_PARAMS="$DUPL_PARAMS --use-agent" # ssh-options. Use dedicated known hosts and identity file when connecting over # SFTP. Using -oLogLevel=ERROR makes output a bit less verbose. This is mainly # to avoid output from sftp telling us it added IP address to known_hosts. +{% if ansible_distribution == 'Debian' and ansible_distribution_release == 'stretch' %} +DUPL_PARAMS="$DUPL_PARAMS --ssh-options='-oLogLevel=ERROR -oUserKnownHostsFile=/dev/null -oGlobalKnownHostsFile=/etc/duply/main/ssh/known_hosts -oIdentityFile=/etc/duply/main/ssh/identity'" +{% else %} DUPL_PARAMS="$DUPL_PARAMS --ssh-backend pexpect --ssh-options='-oLogLevel=ERROR -oUserKnownHostsFile=/dev/null -oGlobalKnownHostsFile=/etc/duply/main/ssh/known_hosts -oIdentityFile=/etc/duply/main/ssh/identity'" +{% endif %} # By default we exclude everything, and then include only specific patterns. -DUPL_PARAMS="$DUPL_PARAMS --include-globbing-filelist /etc/duply/main/include" \ No newline at end of file +DUPL_PARAMS="$DUPL_PARAMS --include-globbing-filelist /etc/duply/main/include"
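Review bot: Both branches point ssh at `-oUserKnownHostsFile=/dev/null` and the role-managed `/etc/duply/main/ssh/known_hosts`, but neither sets `StrictHostKeyChecking`, so ssh is left at its default `ask` behaviour when the backup server's key is missing from that file; with the pexpect-driven backend on both releases that prompt is answered by Duplicity rather than a human, and the failure mode should be explicit instead. Adding `-oStrictHostKeyChecking=yes` to the `--ssh-options` string in both branches turns an unknown or changed host key into a hard error that the backup run reports, which is the behaviour a dedicated known_hosts file implies. Whether the pexpect backend would otherwise accept the prompt is not visible here; either way the option is a no-op when known_hosts is correctly provisioned by the role.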