---

- name: Create

  hosts: localhost

  connection: local

  gather_facts: False

  no_log: "{{ not lookup('env', 'MOLECULE_DEBUG') | bool }}"

  vars:

    molecule_file: "{{ lookup('env', 'MOLECULE_FILE') }}"

    molecule_instance_config: "{{ lookup('env', 'MOLECULE_INSTANCE_CONFIG') }}"

    molecule_yml: "{{ lookup('file', molecule_file) | molecule_from_yaml }}"

  tasks:

    - name: Create molecule instance(s)

      molecule_vagrant:

        instance_name: "{{ item.name }}"

        instance_interfaces: "{{ item.interfaces | default(omit) }}"

        instance_raw_config_args: "{{ item.instance_raw_config_args | default(omit) }}"

        platform_box: "{{ item.box }}"

        platform_box_version: "{{ item.box_version | default(omit) }}"

        platform_box_url: "{{ item.box_url | default(omit) }}"

        provider_name: "{{ molecule_yml.driver.provider.name }}"

        provider_memory: "{{ item.memory | default(omit) }}"

        provider_cpus: "{{ item.cpus | default(omit) }}"

        provider_raw_config_args: "{{ item.raw_config_args | default(omit) }}"

        state: up

      register: server

      with_items: "{{ molecule_yml.platforms }}"

    # Mandatory configuration for Molecule to function.

    - name: Populate instance config dict

      set_fact:

        instance_conf_dict: {

          'instance': "{{ item.Host }}",

          'address': "{{ item.HostName }}",

          'user': "{{ item.User }}",

          'port': "{{ item.Port }}",

          'identity_file': "{{ item.IdentityFile }}", }

      with_items: "{{ server.results }}"

      register: instance_config_dict

      when: server.changed | bool

    - name: Convert instance config dict to a list

      set_fact:

        instance_conf: "{{ instance_config_dict.results | map(attribute='ansible_facts.instance_conf_dict') | list }}"

      when: server.changed | bool

    - name: Dump instance config

      copy:

        # NOTE(retr0h): Workaround for Ansible 2.2.

        #               https://github.com/ansible/ansible/issues/20885

        content: "{{ instance_conf | to_json | from_json | molecule_to_yaml | molecule_header }}"

        dest: "{{ molecule_instance_config }}"

      when: server.changed | bool

---

- name: Destroy

  hosts: localhost

  connection: local

  gather_facts: False

  no_log: "{{ not lookup('env', 'MOLECULE_DEBUG') | bool }}"

  vars:

    molecule_file: "{{ lookup('env', 'MOLECULE_FILE') }}"

    molecule_instance_config: "{{ lookup('env',' MOLECULE_INSTANCE_CONFIG') }}"

    molecule_yml: "{{ lookup('file', molecule_file) | molecule_from_yaml }}"

  tasks:

    - name: Destroy molecule instance(s)

      molecule_vagrant:

        instance_name: "{{ item.name }}"

        platform_box: "{{ item.box }}"

        provider_name: "{{ molecule_yml.driver.provider.name }}"

        force_stop: "{{ item.force_stop | default(True) }}"

        state: destroy

      register: server

      with_items: "{{ molecule_yml.platforms }}"

    # Mandatory configuration for Molecule to function.

    - name: Populate instance config

      set_fact:

        instance_conf: {}

    - name: Dump instance config

      copy:

        # NOTE(retr0h): Workaround for Ansible 2.2.

        #               https://github.com/ansible/ansible/issues/20885

        content: "{{ instance_conf | to_json | from_json | molecule_to_yaml | molecule_header }}"

        dest: "{{ molecule_instance_config }}"

      when: server.changed | bool

---

dependency: {}

driver:

  name: vagrant

  provider:

    name: virtualbox

lint:

  name: yamllint

# NOTE: Hostnames are shortened because default values for backup

# usernames are calculated by appending hostname to the "bak-" string,

# which will easily exceed the maximum username length of 32. Yay

# stupid legacy design decisions!

platforms:

  - name: backup-server

    box: debian/contrib-jessie64

    memory: 512

    cpus: 1

    interfaces:

      - auto_config: true

        ip: 10.31.127.10

        network_name: private_network

        type: static

  - name: parameters-mandatory-j64

    groups:

      - parameters-mandatory

    box: debian/contrib-jessie64

    memory: 256

    cpus: 1

    interfaces:

      - auto_config: true

        ip: 10.31.127.20

        network_name: private_network

        type: static

  - name: parameters-optional-j64

    groups:

      - parameters-optional

    box: debian/contrib-jessie64

    memory: 256

    cpus: 1

    interfaces:

      - auto_config: true

        ip: 10.31.127.21

        network_name: private_network

        type: static

  - name: parameters-mandatory-s64

    groups:

      - parameters-mandatory

    box: debian/contrib-stretch64

    memory: 256

    cpus: 1

    interfaces:

      - auto_config: true

        ip: 10.31.127.30

        network_name: private_network

        type: static

  - name: parameters-optional-s64

    groups:

      - parameters-optional

    box: debian/contrib-stretch64

    memory: 256

    cpus: 1

    interfaces:

      - auto_config: true

        ip: 10.31.127.31

        network_name: private_network

        type: static

provisioner:

  name: ansible

  config_options:

    ssh_connection:

      pipelining: "True"

  lint:

    name: ansible-lint

scenario:

  name: default

verifier:

  name: testinfra

  lint:

    name: flake8

---

- hosts: parameters-mandatory

  become: yes

  roles:

    - role: backup_client

      backup_encryption_key: "{{ lookup('file', 'tests/data/gnupg/parameters-mandatory.asc') }}"

      backup_server: 10.31.127.10

      backup_server_host_ssh_public_keys:

        - "{{ lookup('file', 'tests/data/ssh/server_dsa.pub') }}"

        - "{{ lookup('file', 'tests/data/ssh/server_rsa.pub') }}"

        - "{{ lookup('file', 'tests/data/ssh/server_ed25519.pub') }}"

        - "{{ lookup('file', 'tests/data/ssh/server_ecdsa.pub') }}"

      backup_ssh_key: "{{ lookup('file', 'tests/data/ssh/parameters-mandatory' ) }}"

- hosts: parameters-optional

  become: yes

  roles:

    - role: backup_client

      backup_additional_encryption_keys:

        - "{{ lookup('file', 'tests/data/gnupg/additional_encryption_key_1.asc') }}"

        - "{{ lookup('file', 'tests/data/gnupg/additional_encryption_key_2.asc') }}"

        - "{{ lookup('file', 'tests/data/gnupg/additional_encryption_key_3.asc') }}"

      backup_client_username: backupuser

      backup_encryption_key: "{{ lookup('file', 'tests/data/gnupg/parameters-optional.asc') }}"

      backup_server: 10.31.127.10

      backup_server_destination: "/duplicity/{{ inventory_hostname }}"

      backup_server_host_ssh_public_keys:

        - "{{ lookup('file', 'tests/data/ssh/server_dsa.pub') }}"

        - "{{ lookup('file', 'tests/data/ssh/server_rsa.pub') }}"

        - "{{ lookup('file', 'tests/data/ssh/server_ed25519.pub') }}"

        - "{{ lookup('file', 'tests/data/ssh/server_ecdsa.pub') }}"

      backup_server_port: 3333

      backup_ssh_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional' ) }}"

# Deploy a dummy pre-backup script for testing purposes.

- hosts: parameters-mandatory,parameters-optional

  become: yes

  tasks:

    - name: Deploy pre-backup script

      copy:

        src: tests/data/10-test-pre-backup.sh

        dest: /etc/duply/main/pre.d/10-test-pre-backup.sh

        owner: root

        group: root

        mode: 0700

---

- name: Prepare

  hosts: all

  gather_facts: False

  tasks:

    - name: Install python for Ansible

      raw: test -e /usr/bin/python || (apt -y update && apt install -y python-minimal)

      become: True

      changed_when: False

- hosts: all

  become: yes

  tasks:

    - name: Update all caches to avoid errors due to missing remote archives

      apt:

        update_cache: yes

      changed_when: False

- hosts: backup-server

  become: yes

  tasks:

    - name: Deploy SSH server keys

      copy:

        content: "{{ lookup('file', item.key) + '\n' }}"

        dest: "{{ item.value }}"

        owner: root

        group: root

        mode: 0600

      with_dict:

        tests/data/ssh/server_dsa: /etc/ssh/ssh_host_dsa_key

        tests/data/ssh/server_rsa: /etc/ssh/ssh_host_rsa_key

        tests/data/ssh/server_ed25519: /etc/ssh/ssh_host_ed25519_key

        tests/data/ssh/server_ecdsa: /etc/ssh/ssh_host_ecdsa_key

      notify:

        - Restart ssh

    - name: Deploy custom SSH server configuration that chroots users

      copy:

        src: "tests/data/backup_server_custom-sshd_config"

        dest: "/etc/ssh/sshd_config"

        owner: root

        group: root

        mode: 0600

      notify:

        - Restart ssh

    - name: Set-up backup group that will contain all backup users

      group:

        name: "backup-users"

    - name: Set-up backup user groups

      group:

        name: "{{ item.name }}"

      with_items: "{{ backup_users }}"

    - name: Set-up backup users

      user:

        name: "{{ item.name }}"

        group: "{{ item.name }}"

        groups:

          - "backup-users"

      with_items: "{{ backup_users }}"

    - name: Set-up authorised keys

      authorized_key:

        user: "{{ item.name }}"

        key: "{{ item.key }}"

      with_items: "{{ backup_users }}"

    - name: Set-up port forwarding

      command: "iptables -t nat -A PREROUTING -p tcp -m tcp --dport '{{ item }}' -j REDIRECT --to-ports 22"

      changed_when: False

      with_items:

        - 2222

        - 3333

    - name: Change ownership of home directories for SFTP chroot to work

      file:

        path: "{{ item }}"

        state: directory

        owner: root

        group: root

        mode: 0755

      with_items:

        - /home/backupuser

        - /home/bak-parameters-mandatory-s64

        - /home/bak-parameters-mandatory-j64

    - name: Set-up duplicity backup directories

      file:

        path: "~{{ item.name }}/duplicity"

        state: directory

        owner: root

        group: backup-users

        mode: 0770

      with_items: "{{ backup_users }}"

    - name: Set-up directories for parameters-optional backups

      file:

        path: "~backupuser/duplicity/{{ item }}"

        state: directory

        owner: backupuser

        group: backupuser

        mode: 0700

      with_items:

        - "parameters-optional-s64"

        - "parameters-optional-j64"

  handlers:

    - name: Restart ssh

      service:

        name: ssh

        state: restarted

  vars:

    backup_users:

      - name: bak-parameters-mandatory-j64

        key: "{{ lookup('file', 'tests/data/ssh/parameters-mandatory.pub') }}"

      - name: bak-parameters-mandatory-s64

        key: "{{ lookup('file', 'tests/data/ssh/parameters-mandatory.pub') }}"

      - name: backupuser

        key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}"

# Package generated configuration file

# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for

Port 22

# Use these options to restrict which interfaces/protocols sshd will bind to

#ListenAddress ::

#ListenAddress 0.0.0.0

Protocol 2

# HostKeys for protocol version 2

HostKey /etc/ssh/ssh_host_rsa_key

HostKey /etc/ssh/ssh_host_dsa_key

HostKey /etc/ssh/ssh_host_ecdsa_key

HostKey /etc/ssh/ssh_host_ed25519_key

#Privilege Separation is turned on for security

UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key

KeyRegenerationInterval 3600

ServerKeyBits 1024

# Logging

SyslogFacility AUTH

LogLevel INFO

# Authentication:

LoginGraceTime 120

PermitRootLogin without-password

StrictModes yes

RSAAuthentication yes

PubkeyAuthentication yes

#AuthorizedKeysFile	%h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files

IgnoreRhosts yes

# For this to work you will also need host keys in /etc/ssh_known_hosts

RhostsRSAAuthentication no

# similar for protocol version 2

HostbasedAuthentication no

# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication

#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)

PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with

# some PAM modules and threads)

ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords

#PasswordAuthentication yes

# Kerberos options

#KerberosAuthentication no

#KerberosGetAFSToken no

#KerberosOrLocalPasswd yes

#KerberosTicketCleanup yes

# GSSAPI options

#GSSAPIAuthentication no

#GSSAPICleanupCredentials yes

X11Forwarding yes

X11DisplayOffset 10

PrintMotd no

PrintLastLog yes

TCPKeepAlive yes

#UseLogin no

#MaxStartups 10:30:60

#Banner /etc/issue.net

# Allow client to pass locale environment variables

AcceptEnv LANG LC_*

Subsystem sftp internal-sftp

# Set this to 'yes' to enable PAM authentication, account processing,

# and session processing. If this is enabled, PAM authentication will

# be allowed through the ChallengeResponseAuthentication and

# PasswordAuthentication.  Depending on your PAM configuration,

# PAM authentication via ChallengeResponseAuthentication may bypass

# the setting of "PermitRootLogin without-password".

# If you just want the PAM account and session checks to run without

# PAM authentication, then enable this but set PasswordAuthentication

# and ChallengeResponseAuthentication to 'no'.

UsePAM yes

UseDNS no

PasswordAuthentication no

Match Group backup-users

  ChrootDirectory %h

    '.molecule/ansible_inventory.yml').get_hosts('all')

def test_installed_packages(host):

    assert host.package('python-pexpect').is_installed

    assert host.package('duply').is_installed

    assert host.package('duplicity').is_installed

def test_duply_directories(host):

    with host.sudo():

            directory = host.file(directory_path)

def test_gnupg_private_keys_file(host):

    with host.sudo():

        gnupg_private_keys = host.file('/etc/duply/main/private_keys.asc')

def test_gnupg_public_keys_file(host):

    with host.sudo():

        gnupg_public_keys = host.file('/etc/duply/main/public_keys.asc')

def test_private_ssh_key_file(host):

    with host.sudo():

        ssh_key = host.file('/etc/duply/main/ssh/identity')

def test_known_hosts(host):

    with host.sudo():

        known_hosts = host.file('/etc/duply/main/ssh/known_hosts')

def test_duply_configuration(host):

    with host.sudo():

        duply_configuration = host.file('/etc/duply/main/conf')

def test_exclude_file(host):

    with host.sudo():

        exclude = host.file('/etc/duply/main/exclude')

def test_pre_backup_script_directory(host):

    with host.sudo():

        pre_backup_dir = host.file('/etc/duply/main/pre.d')

def test_pre_backup_script(host):

    with host.sudo():

        pre_backup_script = host.file('/etc/duply/main/pre')

def test_cron_entry(host):

    cron = host.file('/etc/cron.d/backup')

def test_duply_include_file(host):

    with host.sudo():

        include = host.file('/etc/duply/main/include')

def test_backup_and_restore(host):

    with host.sudo():

        host.ansible("file", "path=/var/lib/pre-backup-test state=absent")

        backup_run = host.run('duply main backup')

        assert host.file('/var/lib/pre-backup-test').is_file

        host.ansible("file", "path=/root/restore state=absent")

        restore_run = host.run('duply main restore /root/restore')

        assert host.file('/root/restore').is_directory

    '.molecule/ansible_inventory.yml').get_hosts('parameters-mandatory')

def test_gnupg_private_keys_file_content(host):

    with host.sudo():

        gnupg_private_keys = host.file('/etc/duply/main/private_keys.asc')