Changeset - 6b87dd13b24c
Branko Majic (branko) - 7 years ago 2017-04-09 17:54:20
branko@majic.rs
MAR-96: Synchronised introduction in index.rst and about.rst. Added information about distribution compatibility, along with mention in introductory text. Switched to classic theme for documentation to get rid of documentation build warnings. Updated backup_client role so it can work with both Debian 8 and Debian 9. Changes between distro versions include: calling correct GnuPG binary, using correct GnuPG key ID format, installing additional dependencies, using correct Duply settings. Fixed _major_ bug related to additional backup keys (essentially, this never worked correctly due to wrong registered value being used when populating the Duply keyring).
7 files changed with 185 insertions and 7 deletions:
0 comments (0 inline, 0 general)
docs/about.rst
 
@@ -11,6 +11,10 @@ Roles cover different aspects of infrastructure, such as mail servers, web
 
servers, web applications etc. The roles are mainly well-suited for smaller
 
installations.
 

	
 
Roles are mainly written for use with *Debian 8 Jessie*, although some support
 
*Debian 9 Stretch* as well. You can find out more about distribution
 
compatibility in :ref:`rolereference`.
 

	
 
At the moment, the roles have been written for and tested against **Ansible
 
1.9.x**.
 

	
 
@@ -25,6 +29,10 @@ are:
 
* Referencing non-existing handlers does not produce error.
 
* Referencing non-existing tags does not produce error.
 

	
 
The role also utilises the ``dig`` lookup plugin which requires ``dnspython``
 
package to be installed. Make sure you have the package available on controller
 
machine.
 

	
 

	
 
Why were these roles created?
 
-----------------------------
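Review bot: The added sentence "The role also utilises the ``dig`` lookup plugin" does not say which role needs ``dnspython``, and it lands directly after the list about non-existing handlers and tags in a document that describes the whole collection. Name the role (or say "some roles") so a reader knows when the controller dependency applies, and write "on the controller machine".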
docs/conf.py
 
@@ -101,7 +101,7 @@ pygments_style = 'sphinx'
 

	
 
# The theme to use for HTML and HTML Help pages.  See the documentation for
 
# a list of builtin themes.
 
html_theme = 'default'
 
html_theme = 'classic'
 

	
 
# Theme options are theme-specific and customize the look and feel of a theme
 
# further.  For a list of options available for each theme, see the
docs/index.rst
 
@@ -4,6 +4,17 @@ Majic Ansible Roles documentation
 
Majic Ansible Roles is a collection of Ansible roles that are used on regular
 
basis for deployment and maintenance of Majic infrastructure.
 

	
 
The roles are kept as a separate project in hope of making them potentially
 
useful to wider audience, and for reference purposes.
 

	
 
Roles cover different aspects of infrastructure, such as mail servers, web
 
servers, web applications etc. The roles are mainly well-suited for smaller
 
installations.
 

	
 
Roles are mainly written for use with *Debian 8 Jessie*, although some support
 
*Debian 9 Stretch* as well. You can find out more about distribution
 
compatibility in :ref:`rolereference`.
 

	
 
At the moment, the roles have been written for and tested against **Ansible
 
1.9.x**.
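Review bot: The introduction paragraphs in this hunk, from "The roles are kept as a separate project" through the Ansible 1.9.x sentence, are the same text that docs/about.rst carries, so the two copies have to be kept in step by hand. Keeping the text in one file and pulling it into the other with an ``.. include::`` directive would avoid the next synchronisation commit.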
 

	
docs/rolereference.rst
 
@@ -140,6 +140,15 @@ Parameters
 
  the local hardware clock is set to UTC.
 

	
 

	
 
Distribution compatibility
 
~~~~~~~~~~~~~~~~~~~~~~~~~~
 

	
 
Role is compatible with the following distributions:
 

	
 
- Debian 8 (Jessie)
 
- Debian 9 (Stretch)
 

	
 

	
 
Examples
 
~~~~~~~~
 

	
 
@@ -203,6 +212,15 @@ Parameters
 
  operating system user ``ansible``.
 

	
 

	
 
Distribution compatibility
 
~~~~~~~~~~~~~~~~~~~~~~~~~~
 

	
 
Role is compatible with the following distributions:
 

	
 
- Debian 8 (Jessie)
 
- Debian 9 (Stretch)
 

	
 

	
 
Examples
 
~~~~~~~~
 

	
 
@@ -378,6 +396,15 @@ Parameters
 
  *only*.
 

	
 

	
 
Distribution compatibility
 
~~~~~~~~~~~~~~~~~~~~~~~~~~
 

	
 
Role is compatible with the following distributions:
 

	
 
- Debian 8 (Jessie)
 
- Debian 9 (Stretch)
 

	
 

	
 
Examples
 
~~~~~~~~
 

	
 
@@ -452,6 +479,14 @@ Parameters
 
    Value for configuration option.
 

	
 

	
 
Distribution compatibility
 
~~~~~~~~~~~~~~~~~~~~~~~~~~
 

	
 
Role is compatible with the following distributions:
 

	
 
- Debian 8 (Jessie)
 

	
 

	
 
Examples
 
~~~~~~~~
 

	
 
@@ -655,6 +690,14 @@ Parameters
 
  ciphers.
 

	
 

	
 
Distribution compatibility
 
~~~~~~~~~~~~~~~~~~~~~~~~~~
 

	
 
Role is compatible with the following distributions:
 

	
 
- Debian 8 (Jessie)
 

	
 

	
 
Examples
 
~~~~~~~~
 

	
 
@@ -818,6 +861,14 @@ Parameters
 
  directory ``/etc/ssl/private/`` under name ``{{ ansible_fqdn }}_xmpp.key``.
 

	
 

	
 
Distribution compatibility
 
~~~~~~~~~~~~~~~~~~~~~~~~~~
 

	
 
Role is compatible with the following distributions:
 

	
 
- Debian 8 (Jessie)
 

	
 

	
 
Examples
 
~~~~~~~~
 

	
 
@@ -1041,6 +1092,14 @@ Parameters
 
  ``192.168.1.0/24``, ``myhost.example.com`` etc).
 

	
 

	
 
Distribution compatibility
 
~~~~~~~~~~~~~~~~~~~~~~~~~~
 

	
 
Role is compatible with the following distributions:
 

	
 
- Debian 8 (Jessie)
 

	
 

	
 
Examples
 
~~~~~~~~
 

	
 
@@ -1138,6 +1197,15 @@ Parameters
 
  ``/etc/ssl/certs/smtp_relay_truststore.pem``
 

	
 

	
 
Distribution compatibility
 
~~~~~~~~~~~~~~~~~~~~~~~~~~
 

	
 
Role is compatible with the following distributions:
 

	
 
- Debian 8 (Jessie)
 
- Debian 9 (Stretch)
 

	
 

	
 
Examples
 
~~~~~~~~
 

	
 
@@ -1221,6 +1289,14 @@ Parameters
 
  ciphers.
 

	
 

	
 
Distribution compatibility
 
~~~~~~~~~~~~~~~~~~~~~~~~~~
 

	
 
Role is compatible with the following distributions:
 

	
 
- Debian 8 (Jessie)
 

	
 

	
 
Examples
 
~~~~~~~~
 

	
 
@@ -1409,6 +1485,14 @@ Parameters
 
  is configured via ``~/.forward`` configuration file.
 

	
 

	
 
Distribution compatibility
 
~~~~~~~~~~~~~~~~~~~~~~~~~~
 

	
 
Role is compatible with the following distributions:
 

	
 
- Debian 8 (Jessie)
 

	
 

	
 
Examples
 
~~~~~~~~
 

	
 
@@ -1664,6 +1748,14 @@ Parameters
 
  ``code`` sub-directory. I.e. don't use full paths.
 

	
 

	
 
Distribution compatibility
 
~~~~~~~~~~~~~~~~~~~~~~~~~~
 

	
 
Role is compatible with the following distributions:
 

	
 
- Debian 8 (Jessie)
 

	
 

	
 
Examples
 
~~~~~~~~
 

	
 
@@ -1731,6 +1823,14 @@ Parameters
 
  Password for the *root* database user.
 

	
 

	
 
Distribution compatibility
 
~~~~~~~~~~~~~~~~~~~~~~~~~~
 

	
 
Role is compatible with the following distributions:
 

	
 
- Debian 8 (Jessie)
 

	
 

	
 
Examples
 
~~~~~~~~
 

	
 
@@ -1787,6 +1887,14 @@ Parameters
 
  Password for the database user.
 

	
 

	
 
Distribution compatibility
 
~~~~~~~~~~~~~~~~~~~~~~~~~~
 

	
 
Role is compatible with the following distributions:
 

	
 
- Debian 8 (Jessie)
 

	
 

	
 
Examples
 
~~~~~~~~
 

	
 
@@ -1890,6 +1998,14 @@ Parameters
 
    ssh-keygen -f backup_server_ecdsa_key -N '' -t ecdsa
 

	
 

	
 
Distribution compatibility
 
~~~~~~~~~~~~~~~~~~~~~~~~~~
 

	
 
Role is compatible with the following distributions:
 

	
 
- Debian 8 (Jessie)
 

	
 

	
 
Examples
 
~~~~~~~~
 

	
 
@@ -2011,6 +2127,15 @@ Parameters
 
  SSH private key for logging-in into the backup server.
 

	
 

	
 
Distribution compatibility
 
~~~~~~~~~~~~~~~~~~~~~~~~~~
 

	
 
Role is compatible with the following distributions:
 

	
 
- Debian 8 (Jessie)
 
- Debian 9 (Stretch)
 

	
 

	
 
Examples
 
~~~~~~~~
 

	
 
@@ -2074,6 +2199,15 @@ Parameters
 
  backed-up.
 

	
 

	
 
Distribution compatibility
 
~~~~~~~~~~~~~~~~~~~~~~~~~~
 

	
 
Role is compatible with the following distributions:
 

	
 
- Debian 8 (Jessie)
 
- Debian 9 (Stretch)
 

	
 

	
 
Examples
 
~~~~~~~~
 

	
roles/backup_client/handlers/main.yml
 
@@ -4,8 +4,8 @@
 
  shell: rm -f /etc/duply/main/gnupg/*
 

	
 
- name: Import private keys
 
  command: gpg2 --homedir /etc/duply/main/gnupg --import /etc/duply/main/private_keys.asc
 
  command: "{{ gnupg_binary }} --homedir /etc/duply/main/gnupg --import /etc/duply/main/private_keys.asc"
 

	
 
- name: Import public keys
 
  command: gpg2 --homedir /etc/duply/main/gnupg --import /etc/duply/main/public_keys.asc
 
  command: "{{ gnupg_binary }} --homedir /etc/duply/main/gnupg --import /etc/duply/main/public_keys.asc"
 
  when: backup_additional_encryption_keys
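Review bot: Both import handlers now fail on an undefined `gnupg_binary` whenever the fact was not set, and if that happens after the `rm -f /etc/duply/main/gnupg/*` handler shown at the top of this hunk has run, the Duply keyring is left empty. Either give the variable a fallback here, for example `{{ gnupg_binary | default('gpg') }}`, or make the role stop before any handler is notified when the release is not one it knows.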
roles/backup_client/tasks/main.yml
 
---
 

	
 
# Determine how to invoke the GnuPG binary based on Debian version.
 
- set_fact: gnupg_binary="gpg2"
 
  when: "ansible_distribution == 'Debian' and ansible_distribution_release == 'jessie'"
 
- set_fact: gnupg_binary="gpg"
 
  when: "ansible_distribution == 'Debian' and ansible_distribution_release == 'stretch'"
 

	
 
# Determine cut-off for the GnuPG key ID (long vs short) based on Debian
 
# version.
 
- set_fact: gnupg_key_cutoff="{8}"
 
  when: "ansible_distribution == 'Debian' and ansible_distribution_release == 'jessie'"
 
- set_fact: gnupg_key_cutoff="{0}"
 
  when: "ansible_distribution == 'Debian' and ansible_distribution_release == 'stretch'"
 

	
 
- name: Install pexpect for pexpect+sftp Duplicity backend (only on Stretch)
 
  apt: name="python-pexpect" state=installed
 
  when: "ansible_distribution == 'Debian' and ansible_distribution_release == 'stretch'"
 

	
 
- name: Install backup software
 
  apt: name="{{ item }}" state=installed
 
  with_items:
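Review bot: The `set_fact` tasks at the top define `gnupg_binary` and `gnupg_key_cutoff` only for jessie and stretch, so on any other release both stay undefined and the role breaks later in a shell task or handler with an error that does not mention the distribution. Add an explicit `fail` or `assert` task for unsupported releases, or move the per-release values into a vars mapping with a default. The comment for `gnupg_key_cutoff` should also say that the value is spliced into a sed pattern as a repetition count, since `"{8}"` and `"{0}"` are not readable without the consuming task, and the four `set_fact` tasks would benefit from a `name:`.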
 
@@ -34,13 +51,13 @@
 
    - Import public keys
 

	
 
- name: Extract encryption key identifier (Duplicty requires key ID in hexadecimal format)
 
  shell: "gpg2 --list-packets /etc/duply/main/private_keys.asc | grep keyid: | head -n1 | sed -e 's/.*: //' | sed -re 's/^.{8}//'"
 
  shell: "{{ gnupg_binary }} --list-packets /etc/duply/main/private_keys.asc | grep keyid: | head -n1 | sed -e 's/.*: //' | sed -re 's/^.{{gnupg_key_cutoff}}//'"
 
  register: backup_encryption_key_id
 
  changed_when: False
 
  failed_when: backup_encryption_key_id.stdout == ""
 

	
 
- name: Extract additional encryption keys identifiers (Duplicty requires key ID in hexadecimal format)
 
  shell: "gpg2 --list-packets /etc/duply/main/private_keys.asc | grep keyid: | head -n1 | sed -e 's/.*: //' | sort -u | sed -re 's/^.{8}//' | tr '\n' ',' | sed -e 's/,$//'"
 
  shell: "{{ gnupg_binary }} --list-packets /etc/duply/main/public_keys.asc | grep keyid: | head -n1 | sed -e 's/.*: //' | sort -u | sed -re 's/^.{{gnupg_key_cutoff}}//' | tr '\n' ',' | sed -e 's/,$//'"
 
  register: backup_additional_encryption_keys_ids
 
  when: backup_additional_encryption_keys
 
  changed_when: False
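Review bot: In the additional-keys task `head -n1` still runs before `sort -u`, so at most one key ID ever reaches `tr '\n' ','` and any further keys in public_keys.asc are left out of the value registered as `backup_additional_encryption_keys_ids`; drop `head -n1` from that pipeline if every additional key is meant to become a recipient. Because the exit status of the pipeline is that of the final `sed`, a failing `{{ gnupg_binary }}` call yields an empty string rather than a task failure, so it is worth confirming this task carries the same `failed_when: ... .stdout == ""` guard as the first one. The task names also spell "Duplicty" where "Duplicity" is meant.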
roles/backup_client/templates/duply_main_conf.j2
 
@@ -3,13 +3,17 @@
 
GPG_KEYS_ENC='{{ backup_encryption_key_id.stdout }}{% if backup_additional_encryption_keys %},{{ backup_additional_encryption_keys_ids.stdout }}{% endif %}'
 

	
 
# GnuPG key used for signing.
 
GPG_KEY_SIGN='{{backup_encryption_key_id.stdout }}'
 
GPG_KEY_SIGN='{{ backup_encryption_key_id.stdout }}'
 

	
 
# Trust all keys available in the GnuPG keyring.
 
GPG_OPTS="--homedir /etc/duply/main/gnupg/ --trust-model always"
 

	
 
# Destination where the backups are stored at.
 
{% if ansible_distribution == 'Debian' and ansible_distribution_release == 'stretch' %}
 
TARGET='pexpect+sftp://{{ backup_client_username }}@{{ backup_server }}:{{ backup_server_port }}//{{ backup_server_destination }}'
 
{% else %}
 
TARGET='sftp://{{ backup_client_username }}@{{ backup_server }}:{{ backup_server_port }}//{{ backup_server_destination }}'
 
{% endif %}
 

	
 
# Base directory to backup (root). File selection is done via include/exclude
 
# patterns.
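Review bot: The new `{% else %}` branch around `TARGET` applies to every release that is not stretch, while tasks/main.yml sets its facts only for jessie and stretch, so the template and the tasks disagree about which hosts are handled. The two branches also repeat the whole URL to change only the scheme; setting the scheme once (for example in the same place `gnupg_binary` is decided) and writing a single `TARGET=` line would keep the user, host, port and destination in one place.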
 
@@ -47,7 +51,11 @@ DUPL_PARAMS="$DUPL_PARAMS --use-agent"
 
# ssh-options. Use dedicated known hosts and identity file when connecting over
 
# SFTP. Using -oLogLevel=ERROR makes output a bit less verbose. This is mainly
 
# to avoid output from sftp telling us it added IP address to known_hosts.
 
{% if ansible_distribution == 'Debian' and ansible_distribution_release == 'stretch' %}
 
DUPL_PARAMS="$DUPL_PARAMS --ssh-options='-oLogLevel=ERROR -oUserKnownHostsFile=/dev/null -oGlobalKnownHostsFile=/etc/duply/main/ssh/known_hosts -oIdentityFile=/etc/duply/main/ssh/identity'"
 
{% else %}
 
DUPL_PARAMS="$DUPL_PARAMS --ssh-backend pexpect --ssh-options='-oLogLevel=ERROR -oUserKnownHostsFile=/dev/null -oGlobalKnownHostsFile=/etc/duply/main/ssh/known_hosts -oIdentityFile=/etc/duply/main/ssh/identity'"
 
{% endif %}
 

	
 
# By default we exclude everything, and then include only specific patterns.
 
DUPL_PARAMS="$DUPL_PARAMS --include-globbing-filelist /etc/duply/main/include"
 
\ No newline at end of file
 
DUPL_PARAMS="$DUPL_PARAMS --include-globbing-filelist /etc/duply/main/include"
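Review bot: The two `DUPL_PARAMS` branches duplicate the full `--ssh-options` string and differ only in `--ssh-backend pexpect`, which means the host key settings (`-oUserKnownHostsFile=/dev/null -oGlobalKnownHostsFile=/etc/duply/main/ssh/known_hosts`) and the identity file now have to be edited twice and can drift apart between releases without anyone noticing. Make only the `--ssh-backend pexpect` fragment conditional and keep one copy of the options line.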