Changeset - 4b964a31bd96
Branko Majic (branko) - 7 years ago 2017-04-09 15:10:00
MAR-95: Separated configuration for backing-up the /root and /home directories in the common role. This should allow the user to have better fine-grained control over what gets backed-up in the home directory. Updated role reference documentation. Updated the testsite variable configuration so the new setting can be tested.
4 files changed with 16 insertions and 4 deletions:
@@ -259,52 +259,52 @@ The role implements the following:
* Installs ``ferm`` (for iptables management), configuring a basic firewall
  which allows ICMP echo requests (PING), incoming connection on TCP port 22
  (SSH), and also introduces rate-limitting for incoming ICMP echo request
  pacakges and (new) TCP connections. The rate-limitting is based on the source
  IP address, using the ``iptables hashlimit`` module.


Role dependencies

Depends on the following roles:

* **backup_client**



If the backup for this role has been enabled, the following paths are backed-up:

  Log files from the system.

  Home directory for regular users.
  Home directory for regular users (this can be changed via role parameters).

  Root user's home directory.
  Root user's home directory (this can be changed via role parameters).

  Operating system user passwords.

  Local user's mails.

  Local user's cronjobs.



**apt_proxy** (string, optional, ``None``)
  URI of a caching proxy that should be used when retrieving the packages via

**os_users** (list, optional, ``[]``)
  A list of operating system users that should be set-up on a server. Each item
  is a dictionary with the following options describing the user parameters:

  **name** (string, mandatory)
    Name of the operating system user that should be created. User's default
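
Review bot: The new wording on the two home directory entries, "(this can be changed via role parameters)", does not say which parameter controls them. Name it in both lines, for example "can be changed via the ``extra_backup_patterns`` parameter", so a reader checking what ends up in the backup can go straight to the setting.
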
@@ -325,48 +325,52 @@ Parameters
  **password** (string, optional, ``!`` - no password)
    Encrypted password that should be set for the user.

**os_groups** (list, optional, ``[]``)
  A list of operating system groups that should be set-up on a server. Each item
  is a dictionary with the following options describing the group parameters:

  **name** (string, mandatory)
    Name of the operating system group that should be created.

  **gid** (number, optional, ``whatever OS picks``)
    GID for the operating system group.

**common_packages** (list, optional, ``[]``)
  List of additional operating system packages that should be installed on the
  server. Each element of the list should be a simple string denoting the name
  of the package.

**ca_certificates** (list, optional, ``{}``)
  Dictionary containing the CA certificates to deploy. Keys are base filenames
  (**without extension**) to be used when placing a certificate file in
  directory ``/usr/local/share/ca-certificates/``, while values are
  corresponding content to be placed in the file.

**extra_backup_patterns** (list, optional, ``[ "/home", "/root" ]]``)
  List of additional globbing patterns defining additional files or directories
  that should be backed-up.

**incoming_connection_limit** (string, optional, ``3/second``)
  Rate at which the incoming ICMP echo-request packages and new TCP connections
  will be accepted at. The value should be specified in the same format as value
  for the ``iptables hashlimit`` option ``--hashlimit-upto``.

**incoming_connection_limit_burst** (string, optional, ``9``)
  Initial burst of packages that should be accepted when the client with
  distinct source IP address connects to the server for the first time (usually
  higher than ``incoming_connection_limit``), even if it would go above the
  specified connection limit.

**prompt_colour** (string, optional, ``none``)
  Colour for showing the Bash prompt. Supported values are:

  ``black``, ``red``, ``green``, ``brown``, ``blue``, ``purple``, ``cyan``,
  ``light_gray``, ``dark_gray``, ``light_red``, ``light_green``, ``yellow``,
  ``light_blue``, ``light_purple``, ``light_cyan``, ``white``, ``none``.

  You should probably *not* use the ``black`` colour. Setting affects Bash
  shells *only*. Setting the value to ``none`` uses default terminal colour.

**prompt_id** (string, optional, ``NONE``)
  Optional identifier appended to regular Bash prompt, useful for visually
  identifying distinct environments. For example, if set to ``test``, resulting
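
Review bot: The documented default for ``extra_backup_patterns``, ``[ "/home", "/root" ]]``, has a stray closing bracket and should read ``[ "/home", "/root" ]``. The description still calls these "additional" patterns although the default now carries the two home directories; it should say that overriding the parameter replaces the list, so ``/home`` and ``/root`` must be listed again to stay in the backup.
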

enable_backup: False
common_packages: []
os_users: []
os_groups: []
ca_certificates: {}
incoming_connection_limit: 3/second
incoming_connection_limit_burst: 9
prompt_colour: none
prompt_id: null
  - "/root"
  - "/home"

# Internal use only.
  black: "0;30"
  red: "0;31"
  green: "0;32"
  brown: "0;33"
  blue: "0;34"
  purple: "0;35"
  cyan: "0;36"
  light_gray: "0;37"
  dark_gray: "1;30"
  light_red: "1;31"
  light_green: "1;32"
  yellow: "1;33"
  light_blue: "1;34"
  light_purple: "1;35"
  light_cyan: "1;36"
  white: "1;37"
  none: "0"
\ No newline at end of file
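
Review bot: The defaults file ends at ``none: "0"`` without a trailing newline, as the "\ No newline at end of file" marker shows. Add one while this file is being touched, so a later append does not show up as a change to that line.
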

  - role: backup
    when: enable_backup
    backup_patterns_filename: common
      - "/root"
      - "/home"
      - "/var/log"
      - "/etc/shadow"
      - "/var/mail"
      - "/var/spool/cron"
  - role: backup
    when: enable_backup
    backup_patterns_filename: common_extra
    backup_patterns: "{{ extra_backup_patterns }}"
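
Review bot: ``extra_backup_patterns`` in the second ``backup`` entry is a generic name, and Ansible variables share one namespace per host, so another role or an inventory file can set it for a different purpose and change what the common role backs up. Consider a role-specific name such as ``common_extra_backup_patterns``, matching the ``common_extra`` value already used for ``backup_patterns_filename``.
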
@@ -15,24 +15,27 @@ local_mail_aliases:

imap_tls_certificate: "{{ lookup('file', inventory_dir + '/tls/mail.' + testsite_domain + '_imap.pem') }}"
imap_tls_key: "{{ lookup('file', inventory_dir + '/tls/mail.' + testsite_domain + '_imap.key') }}"
smtp_tls_certificate: "{{ lookup('file', inventory_dir + '/tls/mail.' + testsite_domain + '_smtp.pem') }}"
smtp_tls_key: "{{ lookup('file', inventory_dir + '/tls/mail.' + testsite_domain + '_smtp.key') }}"
imap_folder_separator: /

mail_postmaster: postmaster@{{ testsite_domain }}

  - ldap.{{ testsite_domain }}
  - xmpp.{{ testsite_domain }}
  - web.{{ testsite_domain }}

imap_max_user_connections_per_ip: 50

  - TLSv1.2
  - TLSv1.1


  - "/root"
\ No newline at end of file
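
Review bot: The list added at the end of this file contains only ``"/root"``, so with this override the test site no longer backs up ``/home``. If that is deliberate, to exercise the new setting as the commit message says, add a comment above the list saying so. The file also ends without a trailing newline.
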