Changeset - 3dca599dbdc9
0 6 0
Branko Majic (branko) - 7 years ago 2017-08-08 15:20:18
branko@majic.rs
MAR-114: Updated task syntax for backup roles:

- Updated backup, backup_client, and backup_server.
- Added and removed quoting where it makes sense.
- Switched to using expanded syntax (instead of one-liners).
- Updated ordering of arguments in task definitions.
6 files changed with 192 insertions and 63 deletions:
roles/backup/handlers/main.yml
 
---
 

	
 
- name: Assemble Duply include patterns
 
  assemble: dest="/etc/duply/main/include" src="/etc/duply/main/patterns"
 
            owner=root group=root mode=0600 backup=yes
 
  assemble:
 
    dest: "/etc/duply/main/include"
 
    src: "/etc/duply/main/patterns"
 
    owner: root
 
    group: root
 
    mode: 0600
 
    backup: yes
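Review bot: The expanded `mode: 0600` on line 38 is an unquoted plain scalar, so the value Ansible receives now depends on the YAML loader: a YAML 1.1 loader reads it as octal (384, which Ansible accepts as-is), while a YAML 1.2 loader reads it as decimal 600 and silently applies different permissions. The one-liner it replaces passed the literal string `0600`, so the expansion changes the value's type rather than just its layout. Quoting keeps the old string semantics, `mode: "0600"`, and the same applies to every expanded `mode:` line in the other five files of this changeset (the `0700`, `0751`, `0640` and `0644` values in roles/backup_server/tasks/main.yml and roles/backup_client/tasks/main.yml included). `backup: yes` would likewise be clearer and loader-independent as `backup: true`.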
roles/backup/tasks/main.yml
 
---
 

	
 
- name: Configure backup patterns
 
  template: src="backup_patterns.j2" dest="/etc/duply/main/patterns/{{ backup_patterns_filename }}"
 
            owner="root" group="root" mode=0600
 
  template:
 
    src: "backup_patterns.j2"
 
    dest: "/etc/duply/main/patterns/{{ backup_patterns_filename }}"
 
    owner: root
 
    group: root
 
    mode: 0600
 
  notify:
 
    - Assemble Duply include patterns
 

	
 
- name: Explicitly run all handlers
 
  include: ../handlers/main.yml
 
  when: "handlers | default(False) | bool() == True"
 
  tags:
 
    - handlers
roles/backup_client/handlers/main.yml
 
---
 

	
 
- name: Clean-up GnuPG keyring for import of new keys
 
  shell: rm -f /etc/duply/main/gnupg/*
 
  shell: "rm -f /etc/duply/main/gnupg/*"
 
  tags:
 
    # [ANSIBLE0007] rm used in place of argument state=absent to file module
 
    #   This task is invoked only if user is very specific about requiring to
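Review bot: The re-quoted `rm -f /etc/duply/main/gnupg/*` on line 95 only deletes non-dot entries directly under the keyring directory; without `-r` any subdirectory survives (GnuPG 2.1+ keeps private keys under a `private-keys-v1.d/` directory, if that layout is in use on the targets), so a clean-up run before re-importing rotated keys can leave stale private key material behind. Since the task is already exempted from `[ANSIBLE0007]`, a single line that empties the directory regardless of name or type is `shell: "find /etc/duply/main/gnupg -mindepth 1 -delete"`, which also preserves the directory and its mode. The lint comment under `tags:` continues outside the hunk.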
roles/backup_client/tasks/main.yml
 
---
 

	
 
- name: Install pexpect for pexpect+sftp Duplicity backend (mainly needed on Stretch)
 
  apt: name="python-pexpect" state=installed
 
  apt:
 
    name: "python-pexpect"
 
    state: installed
 

	
 
- name: Install backup software
 
  apt: name="{{ item }}" state=installed
 
  apt:
 
    name: "{{ item }}"
 
    state: installed
 
  with_items:
 
    - duplicity
 
    - duply
 

	
 
- name: Set-up Duply directories
 
  file: path="{{ item }}" state=directory owner=root group=root mode=0700
 
  file:
 
    path: "{{ item }}"
 
    state: directory
 
    owner: root
 
    group: root
 
    mode: 0700
 
  with_items:
 
    - "/etc/duply"
 
    - "/etc/duply/main"
 
@@ -21,16 +30,24 @@
 
    - "/var/cache/duply/main"
 

	
 
- name: Deploy GnuPG private keys
 
  copy: content="{{ backup_encryption_key }}" dest="/etc/duply/main/private_keys.asc"
 
        owner=root group=root mode=0600
 
  copy:
 
    content: "{{ backup_encryption_key }}"
 
    dest: "/etc/duply/main/private_keys.asc"
 
    owner: root
 
    group: root
 
    mode: 0600
 
  notify:
 
    - Clean-up GnuPG keyring for import of new keys
 
    - Import private keys
 
    - Import public keys
 

	
 
- name: Deploy GnuPG public keys
 
  copy: content="{{ backup_additional_encryption_keys | join('\n') }}" dest="/etc/duply/main/public_keys.asc"
 
        owner=root group=root mode=0600
 
  copy:
 
    content: "{{ backup_additional_encryption_keys | join('\n') }}"
 
    dest: "/etc/duply/main/public_keys.asc"
 
    owner: root
 
    group: root
 
    mode: 0600
 
  notify:
 
    - Clean-up GnuPG keyring for import of new keys
 
    - Import private keys
 
@@ -44,39 +61,69 @@
 

	
 
- name: Extract additional encryption keys identifiers (Duplicty requires key ID in hexadecimal format)
 
  shell: "{{ gnupg_binary }} --list-packets /etc/duply/main/public_keys.asc | grep keyid: | sed -e 's/.*: //' | sort -u | sed -re 's/^.{{gnupg_key_cutoff}}//' | tr '\n' ',' | sed -e 's/,$//'"
 
  register: backup_additional_encryption_keys_ids
 
  when: backup_additional_encryption_keys
 
  register: backup_additional_encryption_keys_ids
 
  changed_when: False
 
  failed_when: backup_additional_encryption_keys_ids.stdout == ""
 

	
 
- name: Deploy private SSH key for logging-in into backup server
 
  copy: content="{{ backup_ssh_key }}" dest="/etc/duply/main/ssh/identity"
 
        owner="root" group="root" mode="0600"
 
  copy:
 
    content: "{{ backup_ssh_key }}"
 
    dest: "/etc/duply/main/ssh/identity"
 
    owner: root
 
    group: root
 
    mode: 0600
 
  no_log: True
 

	
 
- name: Deploy custom known_hosts for backup purposes
 
  template: src="known_hosts.j2" dest="/etc/duply/main/ssh/known_hosts"
 
            owner="root" group="root" mode="0600"
 
  template:
 
    src: "known_hosts.j2"
 
    dest: "/etc/duply/main/ssh/known_hosts"
 
    owner: root
 
    group: root
 
    mode: 0600
 

	
 
- name: Deploy Duply configuration file
 
  template: src="duply_main_conf.j2" dest="/etc/duply/main/conf"
 
            owner=root group=root mode=0600
 
  template:
 
    src: "duply_main_conf.j2"
 
    dest: "/etc/duply/main/conf"
 
    owner: root
 
    group: root
 
    mode: 0600
 

	
 
- name: Deploy base exclude pattern (exclude all by default)
 
  copy: content="- **" dest="/etc/duply/main/exclude"
 
        owner="root" group="root" mode="0600"
 
  copy:
 
    content: "- **"
 
    dest: "/etc/duply/main/exclude"
 
    owner: root
 
    group: root
 
    mode: 0600
 

	
 
- name: Set-up directory for storing pre-backup scripts
 
  file: path="/etc/duply/main/pre.d/" state=directory
 
        owner="root" group="root" mode="0700"
 
  file:
 
    path: "/etc/duply/main/pre.d/"
 
    state: directory
 
    owner: root
 
    group: root
 
    mode: 0700
 

	
 
- name: Set-up script for running all pre-backup scripts
 
  copy: src="duply_pre" dest="/etc/duply/main/pre"
 
        owner="root" group="root" mode="0700"
 
  copy:
 
    src: "duply_pre"
 
    dest: "/etc/duply/main/pre"
 
    owner: root
 
    group: root
 
    mode: 0700
 

	
 
- name: Deploy crontab entry for running backups
 
  cron: name=backup cron_file=backup hour=2 minute=0 job="/usr/bin/duply main backup"
 
        state=present user=root
 
  cron:
 
    name: backup
 
    cron_file: backup
 
    hour: 2
 
    minute: 0
 
    job: "/usr/bin/duply main backup"
 
    state: present
 
    user: root
 

	
 
- name: Ensure the file with include patterns exists (but do not overwrite)
 
  copy:
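Review bot: In the second hunk, `Deploy GnuPG private keys` (new lines 177–187) writes `{{ backup_encryption_key }}` through `copy: content:` without `no_log: True`, whereas the sibling `Deploy private SSH key for logging-in into backup server` task later in this file does set `no_log: True`; run with `-v` or `--diff`, the private key block is printed to the controller output and to whatever captures it (CI logs, terminal scrollback). Add `no_log: True` after that task's `notify:` list, matching the SSH-key task. The task starting at the third hunk's last line (`Ensure the file with include patterns exists`) continues outside the hunk.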
roles/backup_server/handlers/main.yml
 
---
 

	
 
- name: Restart backup SSH server
 
  service: name=ssh-backup state=restarted
 
  service:
 
    name: ssh-backup
 
    state: restarted
roles/backup_server/tasks/main.yml
 
---
 

	
 
- name: Install backup software
 
  apt: name="{{ item }}" state=installed
 
  apt:
 
    name: "{{ item }}"
 
    state: installed
 
  with_items:
 
    - duplicity
 
    - duply
 

	
 
- name: Create directory for storing backups
 
  file: path="/srv/backups" state=directory
 
        owner="root" group="root" mode=0751
 
  file:
 
    path: "/srv/backups"
 
    state: directory
 
    owner: root
 
    group: root
 
    mode: 0751
 
  tags:
 
    # [ANSIBLE0009] Octal file permissions must contain leading zero
 
    #   Misleading message, linting is complaining here actually because of the
 
    #   executable bit without read/write for others (e.g. the "1" in "0751").
 
    - skip_ansible_lint
 

	
 
- name: Create backup client groups
 
  group: name="{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
 
         gid="{{ item.uid | default(omit) }}" system="yes"
 
  group:
 
    name: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
 
    gid: "{{ item.uid | default(omit) }}"
 
    system: yes
 
  with_items: "{{ backup_clients }}"
 

	
 
- name: Create backup client users
 
  user: name="{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
 
        group="{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
 
        groups="backup"
 
        uid="{{ item.uid | default(omit) }}"
 
        system=yes createhome=no state=present home="/srv/backups/{{ item.server }}"
 
  user:
 
    name: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
 
    group: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
 
    groups: "backup"
 
    uid: "{{ item.uid | default(omit) }}"
 
    system: yes
 
    createhome: no
 
    state: present
 
    home: "/srv/backups/{{ item.server }}"
 
  with_items: "{{ backup_clients }}"
 

	
 
- name: Create home directories for backup client users
 
  file: path="/srv/backups/{{ item.server }}" state=directory
 
        owner="root" group="{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}" mode=0750
 
  file:
 
    path: "/srv/backups/{{ item.server }}"
 
    state: directory
 
    owner: root
 
    group: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
 
    mode: 0750
 
  with_items: "{{ backup_clients }}"
 

	
 
- name: Create duplicity directories for backup client users
 
  file: path="/srv/backups/{{ item.server }}/duplicity" state=directory
 
        owner="{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
 
        group="{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
 
        mode=0770
 
  file:
 
    path: "/srv/backups/{{ item.server }}/duplicity"
 
    state: directory
 
    owner: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
 
    group: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
 
    mode: 0770
 
  with_items: "{{ backup_clients }}"
 

	
 
- name: Create SSH directory for backup client users
 
  file: path="/srv/backups/{{ item.server }}/.ssh" state=directory
 
        owner="root" group="root" mode=0751
 
  file:
 
    path: "/srv/backups/{{ item.server }}/.ssh"
 
    state: directory
 
    owner: root
 
    group: root
 
    mode: 0751
 
  with_items: "{{ backup_clients }}"
 
  tags:
 
    # [ANSIBLE0009] Octal file permissions must contain leading zero
 
    #   Misleading message, linting is complaining here actually because of the
 
    #   executable bit without read/write for others (e.g. the "1" in "0751").
 
    - skip_ansible_lint
 

	
 
- name: Populate authorized keys for backup client users
 
  authorized_key: user="{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
 
                  key="{{ item.public_key }}" manage_dir="no" state="present"
 
  authorized_key:
 
    user: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
 
    key: "{{ item.public_key }}"
 
    manage_dir: no
 
    state: present
 
  with_items: "{{ backup_clients }}"
 

	
 
- name: Set-up authorized_keys file permissions for backup client users
 
  file: path="/srv/backups/{{ item.server }}/.ssh/authorized_keys" state=file
 
        owner="root" group="{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
 
        mode=0640
 
  file:
 
    path: "/srv/backups/{{ item.server }}/.ssh/authorized_keys"
 
    state: file
 
    owner: root
 
    group: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
 
    mode: 0640
 
  with_items: "{{ backup_clients }}"
 

	
 
- name: Deny the backup group login via regular SSH
 
  lineinfile: dest="/etc/ssh/sshd_config" state=present line="DenyGroups backup"
 
  lineinfile:
 
    dest: "/etc/ssh/sshd_config"
 
    state: present
 
    line: "DenyGroups backup"
 
  notify:
 
    - Restart SSH
 

	
 
- name: Set-up directory for the backup OpenSSH server instance
 
  file: path="/etc/ssh-backup/" state=directory
 
        owner="root" group="root" mode="0700"
 
  file:
 
    path: "/etc/ssh-backup/"
 
    state: directory
 
    owner: root
 
    group: root
 
    mode: 0700
 

	
 
- name: Deploy configuration file for the backup OpenSSH server instance service
 
  copy: src="ssh-backup.default" dest="/etc/default/ssh-backup"
 
        owner="root" group="root" mode="0644"
 
  copy:
 
    src: "ssh-backup.default"
 
    dest: "/etc/default/ssh-backup"
 
    owner: root
 
    group: root
 
    mode: 0644
 
  notify:
 
    - Restart backup SSH server
 

	
 
- name: Deploy configuration file for the backup OpenSSH server instance
 
  copy: src="backup-sshd_config" dest="/etc/ssh-backup/sshd_config"
 
        owner="root" group="root" mode="0600"
 
  copy:
 
    src: "backup-sshd_config"
 
    dest: "/etc/ssh-backup/sshd_config"
 
    owner: root
 
    group: root
 
    mode: 0600
 
  notify:
 
    - Restart backup SSH server
 

	
 
@@ -80,22 +133,34 @@
 
    group: root
 
    mode: 0600
 
  with_dict: "{{ backup_host_ssh_private_keys }}"
 
  no_log: True
 
  notify:
 
    - Restart backup SSH server
 
  no_log: True
 

	
 
- name: Deploy backup OpenSSH server systemd service file
 
  copy: src="ssh-backup.service" dest="/etc/systemd/system/ssh-backup.service"
 
        owner=root group=root mode=0644
 
  copy:
 
    src: "ssh-backup.service"
 
    dest: "/etc/systemd/system/ssh-backup.service"
 
    owner: root
 
    group: root
 
    mode: 0644
 
  notify:
 
    - Reload systemd
 
    - Restart backup SSH server
 

	
 
- name: Start and enable OpenSSH backup service
 
  service: name="ssh-backup" state="started" enabled="yes"
 
  service:
 
    name: "ssh-backup"
 
    state: started
 
    enabled: yes
 

	
 
- name: Deploy firewall configuration for backup server
 
  template: src="ferm_backup.conf.j2" dest="/etc/ferm/conf.d/40-backup.conf" owner=root group=root mode=0640
 
  template:
 
    src: "ferm_backup.conf.j2"
 
    dest: "/etc/ferm/conf.d/40-backup.conf"
 
    owner: root
 
    group: root
 
    mode: 0640
 
  notify:
 
    - Restart ferm
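Review bot: `Deny the backup group login via regular SSH` (new lines 664–670) appends `DenyGroups backup` with `lineinfile` and no `insertbefore`/`insertafter`, so on a host whose `sshd_config` already ends with a `Match` block the line is appended inside that block and applies only to its scope, leaving the intended lockout of the `backup`-group accounts on the regular daemon ineffective. Consider `insertbefore: '^Match'` (falls back to end-of-file when no `Match` block exists) together with `validate: '/usr/sbin/sshd -t -f %s'`, so a placement sshd rejects is caught before the `Restart SSH` handler runs. The remaining hunks in this section only expand one-liners and raise nothing beyond the `mode:` quoting already noted on roles/backup/handlers/main.yml.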
 

	