Changeset - 3498d77cad32
Branko Majic (branko) - 8 years ago 2015-12-22 13:08:19
branko@majic.rs
MAR-44: Use a number of convenient default values for certain parameters for backup_client role. Make sure signing key is not configured/deployed if not defined. Make the target for backup storage a bit more flexible/configurable. Extract the 8-character hex key ID for configuring the duplicity signing key in backup client role. Updated handling of key deployment/import to make it a bit more robust.
4 files changed with 33 insertions and 10 deletions:
roles/backup_client/defaults/main.yml
 
---
 

	
 
backup_client_username: "bak-{{ ansible_fqdn | replace('.', '_') }}"
 
\ No newline at end of file
 
backup_client_username: "bak-{{ ansible_fqdn | replace('.', '_') }}"
 
backup_encryption_keys:
 
  - "{{ ansible_fqdn }}"
 
backup_gnupg_keyring: "{{ inventory_dir }}/backup_keyring"
 
backup_server_destination: //duplicity
 
backup_server_port: 2222
 
\ No newline at end of file
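Review bot: The new default `backup_server_destination: //duplicity` already carries the leading `//` that duplicity uses to mark an absolute remote path, yet the conf template in this same commit prepends another literal `//` in front of the variable, so the rendered TARGET ends in `:2222////duplicity` instead of the previous `:2222//duplicity`; whether duplicity's sftp backend tolerates the repeated slashes is not established by anything on this page. Keep exactly one side responsible for the marker, e.g. `backup_server_destination: 'duplicity'` here with the template owning the `//` prefix, and quote the value so a user-supplied path is never retyped by the YAML parser. `backup_gnupg_keyring` now defaults to a GnuPG home under `inventory_dir`, and the tasks in this commit export the secret signing key from it with `--export-secret-key`, so that directory holds private key material; a comment saying so, `# Holds the private signing key: keep it out of version control and mode 0700.`, would stop someone committing it alongside the inventory. The file also still lacks a trailing newline.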
roles/backup_client/handlers/main.yml
 
@@ -9,3 +9,4 @@
 

	
 
- name: Import signing private keys
 
  command: gpg2 --homedir /etc/duply/main/gnupg --import /etc/duply/main/private_signing_key.asc
 
  when: backup_signing_key is defined
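Review bot: The added `when: backup_signing_key is defined` guard correctly keeps the handler from importing a file the tasks never deployed, but the `gpg2 --import` itself still runs without `--batch`, so if GnuPG ever reaches for the agent or pinentry for this key (a passphrase-protected secret key on a 2.1+ agent, for example) the handler blocks on a missing tty rather than failing with an error. Use `command: gpg2 --batch --no-tty --homedir /etc/duply/main/gnupg --import /etc/duply/main/private_signing_key.asc`. This handler is also notified by the public-key deploy task, so a change to the encryption keys alone re-imports the private key; that looks intended because the task list wipes the keyring before handlers run, and a one-line comment saying so, `# Also notified on encryption-key changes: the keyring is emptied before handlers run.`, would keep a later reader from "fixing" it.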
roles/backup_client/tasks/main.yml
 
@@ -17,10 +17,6 @@
 
    - "/var/cache/duply"
 
    - "/var/cache/duply/main"
 

	
 
- name: Deploy Duply configuration file
 
  template: src="duply_main_conf.j2" dest="/etc/duply/main/conf"
 
            owner=root group=root mode=600
 

	
 
- name: Extract encryption keys
 
  local_action: command gpg2 --homedir "{{ backup_gnupg_keyring }}" --armor --export "{{ backup_encryption_keys | join(',') }}"
 
  become: no
 
@@ -30,23 +26,38 @@
 
- name: Extract signing key
 
  local_action: command gpg2 --homedir "{{ backup_gnupg_keyring }}" --armor --export-secret-key "{{ backup_signing_key }}"
 
  become: no
 
  when: backup_signing_key != "disabled"
 
  when: backup_signing_key is defined
 
  register: signing_key
 
  changed_when: False
 

	
 
- name: Extract signing key ID (duplicity accepts 8-char hex code only)
 
  local_action: shell gpg2 --homedir "{{ backup_gnupg_keyring }}" --with-colons --list-secret-keys "{{ backup_signing_key }}" | grep '^sec' | sort -n -k 6 -t ":"  | cut -f 5 -d ':' | grep -o '[A-F0-9]\{8\}$'
 
  become: no
 
  when: backup_signing_key is defined
 
  register: signing_key_id
 
  changed_when: False
 

	
 
- name: Deploy GnuPG public keys for encryption
 
  copy: content="{{ encryption_keys.stdout }}" dest="/etc/duply/main/public_encryption_keys.asc"
 
        owner=root group=root mode=600
 
  register: new_enc_key
 
  notify:
 
    - Import signing private keys
 
    - Import encryption public keys
 

	
 
- name: Deploy GnuPG private keys for signing
 
  copy: content="{{ signing_key.stdout }}" dest="/etc/duply/main/private_signing_key.asc"
 
        owner=root group=root mode=600
 
  no_log: True
 
  when: backup_signing_key != "disabled"
 
  when: backup_signing_key is defined
 
  register: new_sign_key
 
  notify:
 
    - Import signing private keys
 
    - Import encryption public keys
 

	
 
- name: Clean-up GnuPG keyring for import of new keys
 
  shell: rm -f /etc/duply/main/gnupg/*
 
  when: new_enc_key.changed or new_sign_key.changed
 

	
 
- name: Deploy private SSH key for logging-in into backup server
 
  copy: content="{{ backup_ssh_key }}" dest="/etc/duply/main/ssh/identity"
 
@@ -57,6 +68,10 @@
 
  template: src="known_hosts.j2" dest="/etc/duply/main/ssh/known_hosts"
 
            owner="root" group="root" mode="600"
 

	
 
- name: Deploy Duply configuration file
 
  template: src="duply_main_conf.j2" dest="/etc/duply/main/conf"
 
            owner=root group=root mode=600
 

	
 
- name: Deploy base exclude pattern (exclude all by default)
 
  copy: content="- **" dest="/etc/duply/main/exclude"
 
        owner="root" group="root" mode="600"
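Review bot: In the second hunk, `Extract signing key` registers the armored private key in `signing_key.stdout` but carries no `no_log`, so running the play with `-v` or higher prints the secret signing key to the console and any configured log; the copy task that writes it out is protected with `no_log: True`, and the task that produces it needs the same line. The new `Extract signing key ID` pipeline emits one line per matching `sec` record, so when `backup_signing_key` matches more than one secret key the registered value is multi-line and lands as such in `GPG_KEY_SIGN`; since the `sort -n -k 6` orders by creation time, appending `| tail -n 1` picks the newest key deterministically, or fail the play when `signing_key_id.stdout_lines | length != 1`. An 8-character short key ID is not collision-resistant; here it is only resolved inside a keyring the role itself wipes and repopulates under `--trust-model always`, which limits the exposure, but that reliance deserves a comment on the task, e.g. `# Short IDs are ambiguous in general; safe here only because the keyring contains only keys this role deployed.`. Both extract tasks run `gpg2` locally without `--batch`, so a passphrase-protected key could hang them the same way as the import handler.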
roles/backup_client/templates/duply_main_conf.j2
 
@@ -2,15 +2,17 @@
 
# not available locally.
 
GPG_KEYS_ENC='{{ backup_encryption_keys | join(',') }}'
 

	
 
{% if backup_signing_key is defined -%}
 
# GnuPG keys that should be used for signing. Normally the signing key should be
 
#available locally.
 
GPG_KEY_SIGN='{{ backup_signing_key }}'
 
# available locally.
 
GPG_KEY_SIGN='{{ signing_key_id.stdout }}'
 
{% endif -%}
 

	
 
# Trust all keys available in the GnuPG keyring.
 
GPG_OPTS="--homedir /etc/duply/main/gnupg/ --trust-model always"
 

	
 
# Destination where the backups are stored at.
 
TARGET='sftp://{{ backup_client_username }}@{{ backup_server }}:2222//duplicity'
 
TARGET='sftp://{{ backup_client_username }}@{{ backup_server }}:{{ backup_server_port }}//{{ backup_server_destination }}'
 

	
 
# Base directory to backup (root). File selection is done via include/exclude
 
# patterns.
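Review bot: The rewritten `TARGET` line keeps a literal `//` between the port and `{{ backup_server_destination }}`, while the role's new default for that variable is `//duplicity`, so the rendered URL becomes `sftp://...:2222////duplicity` rather than the previous `:2222//duplicity`; whether duplicity collapses the extra slashes is not shown here, and a non-default value without a leading slash would silently become a home-relative path. Let the variable own the absolute-path marker and drop the prefix from the template: `TARGET='sftp://{{ backup_client_username }}@{{ backup_server }}:{{ backup_server_port }}{{ backup_server_destination }}'`, with the comment above it extended to `# Destination where the backups are stored at; backup_server_destination must start with // for an absolute remote directory.`. `GPG_KEY_SIGN='{{ signing_key_id.stdout }}'` also renders the ID pipeline's output verbatim, so an empty or multi-line result produces an unusable conf without the play noticing; `{{ signing_key_id.stdout_lines | last }}` at least fails the render when nothing was found.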