Changeset - 3686169e9565
[Not reviewed]
Branko Majic (branko) - 8 years ago 2016-01-05 15:57:23
branko@majic.rs
MAR-44: Set-up crontab to run backups at 02:00 every day in backup client role. Updated role reference documentation for backup client role. Updated test site set-up instructions. Updated testsite configuration for backup client/server to use domain parameters. Enabled backup client role for the web server.
6 files changed with 85 insertions and 19 deletions:
0 comments (0 inline, 0 general)
docs/rolereference.rst
 
@@ -1430,6 +1430,7 @@ The role implements the following:
 
  locally-available keyring, deploys them to the server, and imports them.
 
* Deploys private SSH key for logging-in into the backup server over SFTP.
 
* Deploys ``known_hosts`` file for SFTP fingerprint verification.
 
* Sets-up crontab task that runs backups every day at 02:00 in the morning.
 

	
 
Duply is configured as follows:
 

	
 
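Review bot: the new bullet should say where the job lands and what it runs, since the role reference is where an operator will look for it: per the tasks hunk in this changeset it is an `/etc/cron.d/backup` entry executed as root that invokes `/usr/bin/duply main backup`, so it only takes a backup and never purges. Suggested wording: "Sets up a root crontab entry (``/etc/cron.d/backup``) that runs ``duply main backup`` every day at 02:00." Also "Sets-up" should be "Sets up", and "at 02:00 in the morning" is redundant.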
@@ -1444,6 +1445,11 @@ Duply is configured as follows:
 
  directory ``/etc/duply/main/patterns/``. It is recommended to name such a file
 
  after the role name. Include pattern file is assembled from these snippets and
 
  stored in location ``/etc/duply/main/include``.
 
* Backups are encrypted with specified encryption keys. If signing key has been
 
  provided, it will be used for signing the backups.
 
* Maximum age for old backups is set to 6 months.
 
* Maximum age for full backups is set to 1 month.
 
* Volume size is set to 1GB.
 

	
 

	
 
Parameters
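Review bot: the two "maximum age" bullets document settings that nothing in this change acts on. duply applies the old-backup age (MAX_AGE) only when a `purge` command runs, and the crontab entry added in roles/backup_client/tasks/main.yml runs `duply main backup`, which never purges, so chains older than 6 months accumulate on the backup server indefinitely and the stated retention is not enforced. Either change the cron job to a command that purges (for example `duply main backup_verify_purge --force`) or reword the bullet to say that purging is left to the operator. It would also help to name the duply variables these bullets map to (MAX_AGE, MAX_FULLBKP_AGE, VOLSIZE) so the prose can be checked against the generated `conf`. Minor: "If signing key has been provided" should read "If a signing key has been provided".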
docs/testsite.rst
 
@@ -114,6 +114,7 @@ In order to deploy the test site, the following steps would normally be taken:
 

	
 
  .. code-block:: shell
 

	
 
    mkdir ssh
 
    ssh-keygen -f ssh/backup_server_dsa_key -N '' -t dsa
 
    ssh-keygen -f ssh/backup_server_rsa_key -N '' -t rsa
 
    ssh-keygen -f ssh/backup_server_ed25519_key -N '' -t ed25519
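Review bot: while adding the ed25519 host key, consider dropping the `backup_server_dsa_key` line above it: OpenSSH 7.0 and later clients refuse ssh-dss host keys by default, so the DSA key only adds an algorithm that no client should be offered. Also testsite/group_vars/web.yml in this changeset looks up `ssh/backup_server_ecdsa_key.pub`, which is not generated in the lines shown here; make sure the elided lines of this step create it, otherwise that `lookup('file', ...)` fails at playbook run time.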
 
@@ -124,35 +125,74 @@ In order to deploy the test site, the following steps would normally be taken:
 
    ssh-keygen -f ssh/web.example.com -N ''
 
    ssh-keygen -f ssh/backup.example.com -N ''
 

	
 
7. Generate the preseed files:
 
7. Set-up a local GnuPG keyring that will contain the necessary encryption and
 
   signing keys for the backup clients::
 

	
 
     mkdir ./backup_keyring
 
     chmod 700 ./backup_keyring
 
     cat << EOF | gpg2 --homedir ./backup_keyring --batch --gen-key
 
     # Signing keys first.
 
     Key-Type:RSA
 
     Key-Length:1024
 
     Name-Real:ldap.example.com
 
     Expire-Date:0
 
     %commit
 

	
 
     Key-Type:RSA
 
     Key-Length:1024
 
     Name-Real:mail.example.com
 
     Expire-Date:0
 
     %commit
 

	
 
     Key-Type:RSA
 
     Key-Length:1024
 
     Name-Real:web.example.com
 
     Expire-Date:0
 
     %commit
 

	
 
     Key-Type:RSA
 
     Key-Length:1024
 
     Name-Real:xmpp.example.com
 
     Expire-Date:0
 
     %commit
 

	
 
     # This is the actual encryption key that will be used.
 
     Key-Type:RSA
 
     Key-Length:1024
 
     Name-Real:backup.example.com
 
     Expire-Date:0
 
     %commit
 
     EOF
 

	
 
8. Generate the preseed files:
 

	
 
  .. code-block:: shell
 

	
 
    ansible-playbook playbooks/preseed.yml
 
     ansible-playbook playbooks/preseed.yml
 

	
 
8. Install all servers using the generated preseed files.
 
9. Install all servers using the generated preseed files.
 

	
 
9. Add the SSH host fingerprints to your ``known_hosts`` file (don't forget to
 
   remove old entries if you are redoing the process). You can easily obtain all
 
   the necessary fingerprints with command (don't forget to modify domain if you
 
   need to):
 
10. Add the SSH host fingerprints to your ``known_hosts`` file (don't forget to
 
    remove old entries if you are redoing the process). You can easily obtain all
 
    the necessary fingerprints with command (don't forget to modify domain if you
 
    need to):
 

	
 
   .. code-block:: shell
 
    .. code-block:: shell
 

	
 
      ssh-keyscan -t ed25519 mail.example.com ldap.example.com xmpp.example.com web.example.com $(resolveip -s mail.example.com) $(resolveip -s ldap.example.com) $(resolveip -s xmpp.example.com) $(resolveip -s web.example.com)
 

	
 
10. Invoke the ``bootstrap.yml`` playbook in order to set-up some basic
 
11. Invoke the ``bootstrap.yml`` playbook in order to set-up some basic
 
    environment for Ansible runs on all servers:
 

	
 
  .. code-block:: shell
 
    .. code-block:: shell
 

	
 
    ansible-playbook playbooks/bootstrap.yml
 
       ansible-playbook playbooks/bootstrap.yml
 

	
 
11. Finally, apply configuration on all servers:
 
12. Finally, apply configuration on all servers:
 

	
 
  .. code-block:: shell
 
    .. code-block:: shell
 

	
 
    ansible-playbook playbooks/site.yml
 
       ansible-playbook playbooks/site.yml
 

	
 
The playbooks and configurations for test site make a couple of assumptions:
 

	
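Review bot: `Key-Length:1024` is too small even for a test keyring: 1024-bit RSA is below the 2048-bit floor that current guidance sets, and set-up instructions like these are exactly what gets copied into a real deployment; use `Key-Length:2048` (or 4096) for all five keys. Two further points on the batch block: with GnuPG 2.1 `--batch --gen-key` without a `Passphrase:` line invokes pinentry rather than creating an unprotected key as 2.0 does, so add `%no-protection` if passphrase-less test keys are intended; and the step should state that only the public half of the `backup.example.com` encryption key belongs on the clients, so that a compromised client cannot decrypt its own or other clients' archives; the role description earlier in this patch ("deploys them to the server, and imports them") leaves that ambiguous. Minor: the `ssh-keyscan` line still lists only mail, ldap, xmpp and web, so the backup server's host key is never added to the operator's `known_hosts` even though the backup group is now part of the test site.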
roles/backup_client/tasks/main.yml
 
@@ -79,3 +79,7 @@
 
- name: Assemble Duply include patterns
 
  assemble: src="/etc/duply/main/patterns" dest="/etc/duply/main/include"
 
            owner="root" group="root" mode="600"
 

	
 
- name: Deploy crontab entry for running backups
 
  cron: name=backup cron_file=backup hour=2 minute=0 job="/usr/bin/duply main backup"
 
        state=present user=root
 
\ No newline at end of file
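Review bot: the job fires at exactly 02:00 on every client, so with several clients every duply run opens its SFTP session to the backup server at the same moment; expose `hour` and `minute` as role parameters (the Parameters section of the role reference is the natural home) with 02:00 as the default so hosts can be staggered. `cron_file=backup` writes /etc/cron.d/backup, where the `user=root` field is mandatory, and the absolute `/usr/bin/duply` path sidesteps cron's minimal PATH, so both are right; what is missing is any handling of output: cron mails whatever duply prints to root on every run, so either redirect it to a log file or make sure root's mail is read, otherwise failed backups go unnoticed. Also the file now ends without a trailing newline.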
testsite/group_vars/backup.yml
 
@@ -8,12 +8,12 @@ smtp_relay_host: mail.{{ testsite_domain }}
 
smtp_relay_truststore: /etc/ssl/certs/ca.pem
 

	
 
backup_clients:
 
  - server: web.example.com
 
  - server: web.{{ testsite_domain }}
 
    uid: 3000
 
    public_key: "{{ lookup('file', inventory_dir + '/ssh/web.example.com.pub') }}"
 
    public_key: "{{ lookup('file', inventory_dir + '/ssh/web.' + testsite_domain + '.pub') }}"
 
    ip: 10.32.64.18
 
  - server: mail.example.com
 
    public_key: "{{ lookup('file', inventory_dir + '/ssh/mail.example.com.pub') }}"
 
  - server: mail.{{ testsite_domain }}
 
    public_key: "{{ lookup('file', inventory_dir + '/ssh/mail.' + testsite_domain + '.pub') }}"
 
    ip: 10.32.64.15
 

	
 
backup_host_ssh_private_keys:
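Review bot: the `ip:` values (10.32.64.18, 10.32.64.15) stay literal while the hostnames and key paths are now templated on `testsite_domain`, so a site that changes the domain still gets these addresses; if the backup server uses them to restrict where each client may connect from, a mismatch silently locks clients out. Either template them as well or state in docs/testsite.rst that they must be edited together with the domain. Also the first entry carries `uid: 3000` and the second does not; if the omission means "use the default", say so in a comment.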
testsite/group_vars/web.yml
 
@@ -13,4 +13,19 @@ https_tls_certificate: "{{ inventory_dir }}/tls/web.{{ testsite_domain }}_https.
 
web_default_title: "Welcome to Example Inc."
 
web_default_message: "You are attempting to access the web server using a wrong name or an IP address. Please check your URL."
 

	
 
db_root_password: "root"
 
\ No newline at end of file
 
db_root_password: "root"
 

	
 
backup_encryption_keys:
 
  - "backup.{{ testsite_domain }}"
 

	
 
backup_signing_key: "web.{{ testsite_domain }}"
 

	
 
backup_server: "backup.{{ testsite_domain }}"
 

	
 
backup_server_host_ssh_public_keys:
 
  - "{{ lookup('file', inventory_dir + '/ssh/backup_server_dsa_key.pub') }}"
 
  - "{{ lookup('file', inventory_dir + '/ssh/backup_server_rsa_key.pub') }}"
 
  - "{{ lookup('file', inventory_dir + '/ssh/backup_server_ed25519_key.pub') }}"
 
  - "{{ lookup('file', inventory_dir + '/ssh/backup_server_ecdsa_key.pub') }}"
 

	
 
backup_ssh_key: "{{ lookup('file', inventory_dir + '/ssh/web.' + testsite_domain) }}"
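Review bot: `backup_ssh_key` reads the client's SSH private key into an Ansible variable via `lookup('file', ...)`, so the key material ends up in `-v` output, in fact caches and in task error messages; the same applies to the private GnuPG keys the role imports from the local keyring. Encrypt these values with Ansible Vault, or at least set `no_log: true` on the tasks that consume them. Two smaller points: `backup_server_host_ssh_public_keys` references `backup_server_ecdsa_key.pub`, which the key-generation step in docs/testsite.rst does not create in the lines shown; and `backup_encryption_keys` / `backup_signing_key` select GnuPG keys by user-ID name rather than fingerprint, which is not unique in a keyring, so consider accepting fingerprints or key IDs, which is also what duply's `GPG_KEY` settings take.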
testsite/playbooks/web.yml
 
@@ -11,3 +11,4 @@
 
    - web_server
 
    - phpinfo
 
    - wsgihello
 
    - backup_client
 
\ No newline at end of file
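Review bot: `backup_client` is appended after `web_server`, `phpinfo` and `wsgihello`, but nothing in this changeset shows what of the web server's data gets backed up: per the role reference each role contributes an include-pattern snippet under /etc/duply/main/patterns/, and no such snippet is added for `web_server` here, so the new job will back up nothing of the web server's own. If `web_server` is meant to write its snippet, check that the patterns directory exists when it runs (make `backup_client` a role dependency or list it first); otherwise add the pattern file in this change.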