- name: Assemble Duply include patterns

  assemble:

    dest: "/etc/duply/main/include"

    src: "/etc/duply/main/patterns"

    owner: root

    group: root

    backup: true

- name: Configure backup patterns

  template:

    src: "backup_patterns.j2"

    dest: "/etc/duply/main/patterns/{{ backup_patterns_filename }}"

    owner: root

    group: root

  notify:

    - Assemble Duply include patterns

- name: Explicitly run all handlers

  include_tasks: ../handlers/main.yml

  when: "run_handlers | default(False) | bool()"

- name: Create keyring directory

  file:

    path: "/etc/duply/main/gnupg"

    state: directory

    owner: root

    group: root

- name: Import private keys  # noqa no-changed-when

  # [no-changed-when] Commands should not change things if nothing needs doing

  #   This task is invoked only if user is very specific about requiring to

  #   run the handlers manually as a way to bring the system to consistency

  #   after interrupted runs.

    - name: Deploy pre-backup script

      copy:

        src: tests/data/10-test-pre-backup.sh

        dest: /etc/duply/main/pre.d/10-test-pre-backup.sh

        owner: root

        group: root

    - name: Deploy SSH server keys

      copy:

        content: "{{ lookup('file', item.key) + '\n' }}"

        dest: "{{ item.value }}"

        owner: root

        group: root

      with_dict:

        tests/data/ssh/server_rsa: /etc/ssh/ssh_host_rsa_key

        tests/data/ssh/server_ed25519: /etc/ssh/ssh_host_ed25519_key

        tests/data/ssh/server_ecdsa: /etc/ssh/ssh_host_ecdsa_key

      notify:

        - Restart ssh

    - name: Deploy custom SSH server configuration that chroots users

      copy:

        src: "tests/data/backup_server-sshd-chroot_backup_users.conf"

        dest: "/etc/ssh/sshd_config.d/chroot_backup_users.conf"

        owner: root

        group: root

      notify:

        - Restart ssh

    - name: Set-up backup group that will contain all backup users

      group:

        name: "backup-users"

    - name: Change ownership of home directories for SFTP chroot to work

      file:

        path: "/home/{{ item.name }}"

        state: directory

        owner: root

        group: root

      with_items: "{{ backup_users }}"

    - name: Set-up duplicity backup directories

      file:

        path: "~{{ item.name }}/duplicity"

        state: directory

        owner: root

        group: backup-users

      with_items: "{{ backup_users }}"

  handlers:

    - name: Restart ssh

      service:

        name: ssh

- name: Set-up Duply directories

  file:

    path: "{{ item }}"

    state: directory

    owner: root

    group: root

  with_items:

    - "/etc/duply"

    - "/etc/duply/main"

    - "/etc/duply/main/patterns"

    - "/etc/duply/main/gnupg"

    - "/etc/duply/main/ssh"

- name: Deploy GnuPG private keys

  copy:

    content: "{{ backup_encryption_key }}"

    dest: "/etc/duply/main/private_keys.asc"

    owner: root

    group: root

  notify:

    - Remove current keyring

    - Create keyring directory

    - Import private keys

    - Import public keys

- name: Deploy GnuPG public keys

  copy:

    content: "{{ backup_additional_encryption_keys | join('\n') }}"

    dest: "/etc/duply/main/public_keys.asc"

    owner: root

    group: root

  notify:

    - Remove current keyring

    - Create keyring directory

    - Import private keys

    - Import public keys

- name: Deploy private SSH key for logging-in into backup server

  copy:

    content: "{{ backup_ssh_key }}"

    dest: "/etc/duply/main/ssh/identity"

    owner: root

    group: root

  no_log: true

- name: Deploy custom known_hosts for backup purposes

  template:

    src: "known_hosts.j2"

    dest: "/etc/duply/main/ssh/known_hosts"

    owner: root

    group: root

- name: Deploy Duply configuration file

  template:

    src: "duply_main_conf.j2"

    dest: "/etc/duply/main/conf"

    owner: root

    group: root

- name: Deploy base exclude pattern (exclude all by default)

  copy:

    content: "- **"

    dest: "/etc/duply/main/exclude"

    owner: root

    group: root

- name: Set-up directory for storing pre-backup scripts

  file:

    path: "/etc/duply/main/pre.d/"

    state: directory

    owner: root

    group: root

- name: Set-up script for running all pre-backup scripts

  copy:

    src: "duply_pre"

    dest: "/etc/duply/main/pre"

    owner: root

    group: root

- name: Deploy crontab entry for running backups

  cron:

    name: backup

    cron_file: backup

    hour: "2"

  copy:

    content: ""

    dest: /etc/duply/main/include

    force: false

    group: root

    owner: root

- name: Explicitly run all handlers

  include_tasks: ../handlers/main.yml

  when: "run_handlers | default(False) | bool()"

  tags:

    - handlers

- name: Create directory for storing backups

  file:

    path: "/srv/backups"

    state: directory

    owner: root

    group: root

- name: Create backup client groups

  group:

    name: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"

    gid: "{{ item.uid | default(omit) }}"

    system: true

- name: Create home directories for backup client users

  file:

    path: "/srv/backups/{{ item.server }}"

    state: directory

    owner: root

    group: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"

  with_items: "{{ backup_clients }}"

- name: Create duplicity directories for backup client users

  file:

    path: "/srv/backups/{{ item.server }}/duplicity"

    state: directory

    owner: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"

    group: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"

  with_items: "{{ backup_clients }}"

- name: Create SSH directory for backup client users

  file:

    path: "/srv/backups/{{ item.server }}/.ssh"

    state: directory

    owner: root

    group: root

  with_items: "{{ backup_clients }}"

- name: Populate authorized keys for backup client users

  authorized_key:

    user: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"

    key: "{{ item.public_key }}"

- name: Set-up authorized_keys file permissions for backup client users

  file:

    path: "/srv/backups/{{ item.server }}/.ssh/authorized_keys"

    state: file

    owner: root

    group: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"

  with_items: "{{ backup_clients }}"

- name: Deny the backup group login via regular SSH

  lineinfile:

    dest: "/etc/ssh/sshd_config"

    state: present

- name: Set-up directory for the backup OpenSSH server instance

  file:

    path: "/etc/ssh-backup/"

    state: directory

    owner: root

    group: root

- name: Deploy configuration file for the backup OpenSSH server instance service

  copy:

    src: "ssh-backup.default"

    dest: "/etc/default/ssh-backup"

    owner: root

    group: root

  notify:

    - Restart backup SSH server

- name: Deploy configuration file for the backup OpenSSH server instance

  copy:

    src: "backup-sshd_config"

    dest: "/etc/ssh-backup/sshd_config"

    owner: root

    group: root

  notify:

    - Restart backup SSH server

- name: Deploy the private keys for backup OpenSSH server instance

  template:

    src: "ssh_host_key.j2"

    dest: "/etc/ssh-backup/ssh_host_{{ item.key }}_key"

    owner: root

    group: root

  with_dict: "{{ backup_host_ssh_private_keys }}"

  notify:

    - Restart backup SSH server

  no_log: true

- name: Deploy backup OpenSSH server systemd service file

  copy:

    src: "ssh-backup.service"

    dest: "/etc/systemd/system/ssh-backup.service"

    owner: root

    group: root

  notify:

    - Reload systemd

    - Restart backup SSH server

- name: Start and enable OpenSSH backup service

  service:

- name: Deploy firewall configuration for backup server

  template:

    src: "ferm_backup.conf.j2"

    dest: "/etc/ferm/conf.d/40-backup.conf"

    owner: root

    group: root

  notify:

    - Restart ferm

- name: Explicitly run all handlers

  include_tasks: ../handlers/main.yml

  when: "run_handlers | default(False) | bool()"

    key: "{{ ansible_key }}"

- name: Set-up password-less sudo for the ansible user

  copy:

    src: "ansible_sudo"

    dest: "/etc/sudoers.d/ansible"

    owner: root

    group: root

- name: Revoke rights for Ansible user to log-in as root to server via ssh

  authorized_key:

    user: root

    - name: Set-up directories for testing pip requirements upgrade checks script

      file:

        path: "{{ item }}"

        state: directory

        owner: root

        group: pipreqcheck

      with_items:

        - "/tmp/pip_check_requirements_upgrades"

        - "/tmp/pip_check_requirements_upgrades/with_updates"

        - "/tmp/pip_check_requirements_upgrades/without_updates"

    - name: Deploy files for testing pip requirements upgrade checks script

      copy:

        src: "{{ item }}"

        dest: "/tmp/{{ item }}"

        owner: root

        group: pipreqcheck

      with_items:

        - "pip_check_requirements_upgrades/with_updates/requirements.in"

        - "pip_check_requirements_upgrades/with_updates/requirements.txt"

        - "pip_check_requirements_upgrades/without_updates/requirements.in"

        - "pip_check_requirements_upgrades/without_updates/requirements.txt"

    - name: Deploy firewall configuration file for the web server

      copy:

        src: ferm_http.conf

        dest: /etc/ferm/conf.d/99-http.conf

        owner: root

        group: root

      notify:

        - Restart ferm

  handlers:

    - name: Restart ferm

      lineinfile:

        path: /etc/hosts

        regexp: "^{{ item.key }}"

        line: "{{ item.key }} {{ item.value }}"

        owner: root

        group: root

        state: present

      with_dict:

        192.168.56.21: parameters-mandatory-bookworm

        192.168.56.22: parameters-optional-bookworm

        fd00::192:168:56:21: parameters-mandatory-bookworm

        fd00::192:168:56:22: parameters-optional-bookworm

      lineinfile:

        path: /etc/hosts

        regexp: "^{{ item.key }}"

        line: "{{ item.key }} {{ item.value }}"

        owner: root

        group: root

        state: present

      with_dict:

        192.168.56.3: client1

        192.168.56.4: client2

    - name: Load legacy iptables to test their removal

    - name: Create deprecated directory for storing requirements files created using Python 3 (pip requirements upgrade checks)

      file:

        path: "/etc/pip_check_requirements_upgrades-py3"

        state: directory

        owner: root

        group: root

    - name: Create deprecated directory for Python 3 virtual environment (pip requirements upgrade checks)

      file:

        path: "/var/lib/pipreqcheck/virtualenv-py3/"

        state: directory

        owner: root

        group: root

    - name: Create deprecated cronjob file for Python 3 (pip requirements upgrade checks)

      file:

        path: "/etc/cron.d/check_pip_requirements-py3"

        state: touch

        owner: root

        group: root

    - name: Install the deprecated/obsolete NTP-related packages

      apt:

        name:

          - ntp

          - ntpdate

- name: Enable use of proxy for retrieving system packages via apt

  template:

    src: "apt_proxy.j2"

    dest: "/etc/apt/apt.conf.d/00proxy"

    owner: root

    group: root

  when: apt_proxy is defined

- name: Disable use of proxy for retrieving system packages via apt

  file:

    path: "/etc/apt/apt.conf.d/00proxy"

    state: absent

- name: Deploy pam-auth-update configuration file for enabling pam_umask

  copy:

    src: "pam_umask"

    dest: "/usr/share/pam-configs/umask"

    owner: root

    group: root

  register: pam_umask

  notify:

    - Update PAM configuration

- name: Update PAM configuration  # noqa no-handler

  # [no-handler] Tasks that run when changed should likely be handlers

- name: Deploy bash profile configuration for fancier prompts

  template:

    src: "bash_prompt.sh.j2"

    dest: "/etc/profile.d/bash_prompt.sh"

    owner: root

    group: root

- name: Deploy profile configuration that allows for user-specific profile.d files

  copy:

    src: "user_profile_d.sh"

    dest: "/etc/profile.d/z99-user_profile_d.sh"

    owner: root

    group: root

- name: Replace default and skeleton bashrc

  copy:

    src: "{{ item.key }}"

    dest: "{{ item.value }}"

    owner: root

    group: root

  with_dict:

    bashrc: "/etc/bash.bashrc"

    skel_bashrc: "/etc/skel/.bashrc"

- name: Calculate stock checksum for bashrc root account

  stat:

- name: Replace stock bashrc for root account with skeleton one

  copy:

    src: "skel_bashrc"

    dest: "/root/.bashrc"

    owner: root

    group: root

  # Checksums: bookworm

  when: |

    root_bashrc_stat.stat.checksum == "1a422a148ad225aa5ba33f8dafd2b7cfcdbd701f"

- name: Install sudo

  apt:

- name: Disable electric-indent-mode for Emacs by default for all users

  copy:

    src: "01disable-electric-indent-mode.el"

    dest: "/etc/emacs/site-start.d/01disable-electric-indent-mode.el"

    owner: root

    group: root

  when: "['emacs24', 'emacs24-nox', 'emacs25', 'emacs25-nox', 'emacs', 'emacs-nox'] | intersect(common_packages) | length > 0"

- name: Set-up operating system groups

  group:

    name: "{{ item.name }}"

    gid: "{{ item.gid | default(omit) }}"

- name: Deploy CA certificates

  copy:

    content: "{{ item.value }}"

    dest: "/usr/local/share/ca-certificates/{{ item.key }}.crt"

    owner: root

    group: root

  with_dict: "{{ ca_certificates }}"

  register: deploy_ca_certificates_result

- name: Update CA certificate cache  # noqa no-handler

  # [no-handler] Tasks that run when changed should likely be handlers

  #   CA certificate cache must be updated immediatelly in order for

- name: Deploy the patched ferm binary that disables use of legacy iptables

  copy:

    src: ferm_binary

    dest: /usr/sbin/ferm

    owner: root

    group: root

  notify:

    - Restart ferm

- name: Install ferm (for firewall management)

  apt:

    name: ferm

- name: Configure ferm init script coniguration file

  copy:

    src: "ferm_default"

    dest: "/etc/default/ferm"

    owner: root

    group: root

  notify:

    - Restart ferm

- name: Create directory for storing ferm configuration files

  file:

    dest: "/etc/ferm/conf.d/"

    state: directory

    owner: root

    group: root

- name: Deploy main ferm configuration file

  copy:

    src: "ferm.conf"

    dest: "/etc/ferm/ferm.conf"

    owner: root

    group: root

  notify:

    - Restart ferm

- name: Verify maintenance_allowed_sources parameter

  fail:

    msg: "Items in maintenance_allowed_sources must IPv4/IPv6 addresses or subnets: {{ item }}"

- name: Deploy ferm base rules

  template:

    src: "00-base.conf.j2"

    dest: "/etc/ferm/conf.d/00-base.conf"

    owner: root

    group: root

  notify:

    - Restart ferm

- name: Enable and start ferm

  service:

    name: ferm

- name: Deploy script for flushing legacy iptables rules

  copy:

    src: "legacy_iptables_rules.sh"

    dest: "/usr/local/sbin/drop_legacy_iptables_rules.sh"

    owner: root

    group: root

- name: Drop legacy iptables rules

  command: "/usr/local/sbin/drop_legacy_iptables_rules.sh remove"

  register: legacy_iptables_rules

  changed_when: "'Removed legacy iptables for families' in legacy_iptables_rules.stdout"

  notify:

- name: Deploy script for validating server certificates

  copy:

    src: "check_certificate.sh"

    dest: "/usr/local/bin/check_certificate.sh"

    owner: root

    group: root

- name: Set-up directory for holding configuration for certificate validation script

  file:

    path: "/etc/check_certificate"

    state: "directory"

    owner: root

    group: root

- name: Deploy crontab entry for checking certificates

  cron:

    name: "check_certificate"

    cron_file: "check_certificate"

    hour: "0"

- name: Create directory for Python virtual environment used for installing/running pip-tools

  file:

    path: "{{ item }}"

    state: directory

    owner: pipreqcheck

    group: pipreqcheck

  with_items:

    - "/var/lib/pipreqcheck"

    - "/var/lib/pipreqcheck/virtualenv"

- name: Create Python virtual environment used for installing/running pip-tools

  command: "/usr/bin/virtualenv --python '{{ item.python_path }}' --prompt '{{ item.virtualenv_prompt }}' '{{ item.virtualenv_path }}'"

- name: Create directory for storing pip requirements files

  file:

    path: "{{ item }}"

    state: "directory"

    owner: root

    group: pipreqcheck

  with_items:

    - "/etc/pip_check_requirements_upgrades"

- name: Set-up directory for storing pip requirements file for pip-tools virtual environment itself

  file:

    path: "{{ item }}"

    state: "directory"

    owner: root

    group: pipreqcheck

  with_items:

    - "/etc/pip_check_requirements_upgrades/pipreqcheck"

- name: Deploy .in file for pip requirements in pip-tools virtual environment

  template:

    src: "pipreqcheck_requirements.in.j2"

    dest: "{{ item.path }}"

    owner: root

    group: pipreqcheck

  with_items:

    - path: "/etc/pip_check_requirements_upgrades/pipreqcheck/requirements.in"

      requirements: "{{ pip_check_requirements_in }}"

- name: Deploy requirements file for pipreqcheck virtual environment

  template:

    src: "pipreqcheck_requirements.txt.j2"

    dest: "{{ item.file }}"

    owner: root

    group: pipreqcheck

  with_items:

    - file: "/etc/pip_check_requirements_upgrades/pipreqcheck/requirements.txt"

      requirements: "{{ pip_check_requirements }}"

- name: Install requirements in the pipreqcheck virtual environment

  pip:

- name: Deploy script for checking available upgrades

  copy:

    src: "pip_check_requirements_upgrades.sh"

    dest: "/usr/local/bin/pip_check_requirements_upgrades.sh"

    owner: root

    group: root

- name: Deploy crontab entry for checking pip requirements

  copy:

    src: "cron_check_pip_requirements"

    dest: "/etc/cron.d/check_pip_requirements"

    owner: root

    group: root

- name: Install NTP packages

  apt:

    name:

      - ntpsec

      - ntpsec-ntpdate

- name: Deploy NTP configuration

  template:

    src: "ntp.conf.j2"

    dest: "/etc/ntpsec/ntp.conf"

    owner: root

    group: root

  when: ntp_pools | length > 0

  notify:

    - Restart NTP server

- name: Explicitly run all handlers

  include_tasks: ../handlers/main.yml

- name: Create directory for storing MariaDB database dumps

  file:

    path: "{{ item }}"

    state: directory

    owner: root

    group: root

  with_items:

    - "/srv/backup"

    - "/srv/backup/mariadb"

- name: Deploy script for creating database backup dumps

  template:

    src: "dump_db.sh.j2"