Changeset - 9f0a023d7371
Branko Majic (branko) - 5 months ago 2023-11-26 23:55:53
branko@majic.rs
MAR-189: Added support for Debian 11 Bullseye to backup_client role:

- Duplicity on Buster and Bullseye uses different Python versions (2 vs
3), install the correct Python pexpect package.
- Switch the helper backup server to using Bullseye, and tweak its
SSHD configuration accordingly.
7 files changed with 63 insertions and 97 deletions:
roles/backup_client/defaults/main.yml
 
@@ -4,3 +4,8 @@ backup_additional_encryption_keys: []
 
backup_client_username: "bak-{{ ansible_fqdn | replace('.', '_') }}"
 
backup_server_destination: /duplicity
 
backup_server_port: 2222
 

	
 
# Internal parameters.
 
backup_client_pexpect_package:
 
  buster: python-pexpect
 
  bullseye: python3-pexpect
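Review bot: The new `backup_client_pexpect_package` mapping is documented only by the generic `# Internal parameters.` header, yet it is the single place that encodes why Buster and Bullseye receive different packages. A comment directly above the key such as `# Debian release codename (ansible_distribution_release) -> apt package that provides pexpect for the Python version Duplicity uses on that release (2 on buster, 3 on bullseye).` would make the intent explicit. Every release the role supports needs an entry here, because the task in roles/backup_client/tasks/main.yml indexes the mapping directly and an unlisted release leaves that lookup undefined.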
roles/backup_client/molecule/default/molecule.yml
 
@@ -18,7 +18,7 @@ lint:
 
# stupid legacy design decisions!
 
platforms:
 
  - name: backup-server
 
    box: debian/contrib-buster64
 
    box: debian/bullseye64
 
    memory: 512
 
    cpus: 1
 
    interfaces:
 
@@ -51,6 +51,30 @@ platforms:
 
        network_name: private_network
 
        type: static
 

	
 
  - name: param-mandatory-bullseye
 
    groups:
 
      - parameters-mandatory
 
    box: debian/bullseye64
 
    memory: 256
 
    cpus: 1
 
    interfaces:
 
      - auto_config: true
 
        ip: 192.168.56.30
 
        network_name: private_network
 
        type: static
 

	
 
  - name: param-optional-bullseye
 
    groups:
 
      - parameters-optional
 
    box: debian/bullseye64
 
    memory: 256
 
    cpus: 1
 
    interfaces:
 
      - auto_config: true
 
        ip: 192.168.56.31
 
        network_name: private_network
 
        type: static
 

	
 
provisioner:
 
  name: ansible
 
  config_options:
roles/backup_client/molecule/default/prepare.yml
 
@@ -36,10 +36,26 @@
 
      notify:
 
        - Restart ssh
 

	
 
    - name: Drop the outdated public keys
 
      file:
 
        path: "{{ item }}"
 
        state: absent
 
      with_items:
 
        - /etc/ssh/ssh_host_rsa_key.pub
 
        - /etc/ssh/ssh_host_ed25519_key.pub
 
        - /etc/ssh/ssh_host_ecdsa_key.pub
 

	
 
    - name: Force the use of internal-sftp subsystem fro SFTP
 
      lineinfile:
 
        path: /etc/ssh/sshd_config
 
        regexp: "^Subsystem.*sftp"
 
        line: "Subsystem sftp internal-sftp"
 
        state: present
 

	
 
    - name: Deploy custom SSH server configuration that chroots users
 
      copy:
 
        src: "tests/data/backup_server_custom-sshd_config"
 
        dest: "/etc/ssh/sshd_config"
 
        src: "tests/data/backup_server-sshd-chroot_backup_users.conf"
 
        dest: "/etc/ssh/sshd_config.d/chroot_backup_users.conf"
 
        owner: root
 
        group: root
 
        mode: 0600
 
@@ -86,7 +102,7 @@
 
      with_items:
 
        - /home/backupuser
 
        - /home/bak-param-mandatory-buster
 
        - /home/bak-param-mandatory-buster
 
        - /home/bak-param-mandatory-bullseye
 

	
 
    - name: Set-up duplicity backup directories
 
      file:
 
@@ -118,5 +134,7 @@
 
    backup_users:
 
      - name: bak-param-mandatory-buster
 
        key: "{{ lookup('file', 'tests/data/ssh/parameters-mandatory.pub') }}"
 
      - name: bak-param-mandatory-bullseye
 
        key: "{{ lookup('file', 'tests/data/ssh/parameters-mandatory.pub') }}"
 
      - name: backupuser
 
        key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}"
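Review bot: The new `lineinfile` task that rewrites the `Subsystem sftp` line in /etc/ssh/sshd_config carries no `notify: - Restart ssh`, unlike the task immediately above it in the hunk; unless a later task restarts sshd unconditionally (not visible here), the switch to `internal-sftp` only takes effect after some unrelated restart, and the in-process SFTP server is what the `ChrootDirectory` accounts depend on since the external sftp-server binary is typically absent inside the chroot. Add the same handler notification to the lineinfile task and, if it lacks one, to the copy task that installs the drop-in. The task name also has a typo: `fro SFTP` should read `for SFTP`. The `Drop the outdated public keys` task states no reason; presumably an earlier task replaces the host private keys and the stale `.pub` files would no longer correspond to them, so a comment like `# Host private keys are replaced above; stale .pub files would not match them.` would help — confirm against the preceding task, which lies outside the hunk.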
roles/backup_client/molecule/default/tests/data/backup_server-sshd-chroot_backup_users.conf
 
new file 100644
 
Match Group backup-users
 
  ChrootDirectory %h
 
\ No newline at end of file
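Review bot: The drop-in carries only the `Match Group backup-users` / `ChrootDirectory %h` pair, while the full sshd_config it replaces also set `PasswordAuthentication no`, `PermitRootLogin without-password` and `UseDNS no`; those settings now fall back to the stock Bullseye defaults, and Debian ships `PasswordAuthentication` commented out, i.e. enabled, so the backup accounts would accept password logins if a password were ever set. If key-only access remains the contract for these accounts, add `PasswordAuthentication no` and, since they only need SFTP, `ForceCommand internal-sftp` inside the Match block. `ChrootDirectory %h` also requires each home directory and all of its parents to be root-owned and not group- or world-writable, which none of the visible hunks establishes for the /home/bak-* directories. The file is also missing its trailing newline.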
roles/backup_client/molecule/default/tests/data/backup_server_custom-sshd_config
 
# Package generated configuration file
 
# See the sshd_config(5) manpage for details
 

	
 
# What ports, IPs and protocols we listen for
 
Port 22
 
# Use these options to restrict which interfaces/protocols sshd will bind to
 
#ListenAddress ::
 
#ListenAddress 0.0.0.0
 
Protocol 2
 
# HostKeys for protocol version 2
 
HostKey /etc/ssh/ssh_host_rsa_key
 
HostKey /etc/ssh/ssh_host_ecdsa_key
 
HostKey /etc/ssh/ssh_host_ed25519_key
 
#Privilege Separation is turned on for security
 
UsePrivilegeSeparation yes
 

	
 
# Lifetime and size of ephemeral version 1 server key
 
KeyRegenerationInterval 3600
 
ServerKeyBits 1024
 

	
 
# Logging
 
SyslogFacility AUTH
 
LogLevel INFO
 

	
 
# Authentication:
 
LoginGraceTime 120
 
PermitRootLogin without-password
 
StrictModes yes
 

	
 
RSAAuthentication yes
 
PubkeyAuthentication yes
 
#AuthorizedKeysFile	%h/.ssh/authorized_keys
 

	
 
# Don't read the user's ~/.rhosts and ~/.shosts files
 
IgnoreRhosts yes
 
# For this to work you will also need host keys in /etc/ssh_known_hosts
 
RhostsRSAAuthentication no
 
# similar for protocol version 2
 
HostbasedAuthentication no
 
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
 
#IgnoreUserKnownHosts yes
 

	
 
# To enable empty passwords, change to yes (NOT RECOMMENDED)
 
PermitEmptyPasswords no
 

	
 
# Change to yes to enable challenge-response passwords (beware issues with
 
# some PAM modules and threads)
 
ChallengeResponseAuthentication no
 

	
 
# Change to no to disable tunnelled clear text passwords
 
#PasswordAuthentication yes
 

	
 
# Kerberos options
 
#KerberosAuthentication no
 
#KerberosGetAFSToken no
 
#KerberosOrLocalPasswd yes
 
#KerberosTicketCleanup yes
 

	
 
# GSSAPI options
 
#GSSAPIAuthentication no
 
#GSSAPICleanupCredentials yes
 

	
 
X11Forwarding yes
 
X11DisplayOffset 10
 
PrintMotd no
 
PrintLastLog yes
 
TCPKeepAlive yes
 
#UseLogin no
 

	
 
#MaxStartups 10:30:60
 
#Banner /etc/issue.net
 

	
 
# Allow client to pass locale environment variables
 
AcceptEnv LANG LC_*
 

	
 
Subsystem sftp internal-sftp
 

	
 
# Set this to 'yes' to enable PAM authentication, account processing,
 
# and session processing. If this is enabled, PAM authentication will
 
# be allowed through the ChallengeResponseAuthentication and
 
# PasswordAuthentication.  Depending on your PAM configuration,
 
# PAM authentication via ChallengeResponseAuthentication may bypass
 
# the setting of "PermitRootLogin without-password".
 
# If you just want the PAM account and session checks to run without
 
# PAM authentication, then enable this but set PasswordAuthentication
 
# and ChallengeResponseAuthentication to 'no'.
 
UsePAM yes
 
UseDNS no
 
PasswordAuthentication no
 

	
 
Match Group backup-users
 
  ChrootDirectory %h
 
\ No newline at end of file
 
  ChrootDirectory %h
roles/backup_client/molecule/default/tests/test_default.py
 
@@ -12,7 +12,14 @@ def test_installed_packages(host):
 
    Tests if the necessary packages are installed.
 
    """
 

	
 
    assert host.package('python-pexpect').is_installed
 
    distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"]
 

	
 
    if distribution_release == "buster":
 
        expected_package_name = "python-pexpect"
 
    else:
 
        expected_package_name = "python3-pexpect"
 

	
 
    assert host.package(expected_package_name).is_installed
 
    assert host.package('duply').is_installed
 
    assert host.package('duplicity').is_installed
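Review bot: The `else` branch expects `python3-pexpect` on any release other than buster, so a platform the role does not actually support (a newer Debian codename) would still pass this assertion whenever python3-pexpect happens to be installed, instead of flagging the gap. Mirroring the role's explicit mapping keeps the test strict: `expected_package_name = {"buster": "python-pexpect", "bullseye": "python3-pexpect"}[distribution_release]`, which raises KeyError on an unknown release. `test_installed_packages` starts outside the hunk.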
 

	
roles/backup_client/tasks/main.yml
 
@@ -5,7 +5,7 @@
 
# possible to switch to Paramiko backend.
 
- name: Install pexpect for pexpect+sftp Duplicity backend
 
  apt:
 
    name: "python-pexpect"
 
    name: "{{ backup_client_pexpect_package[ansible_distribution_release] }}"
 
    state: present
 

	
 
- name: Install backup software
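Review bot: `backup_client_pexpect_package[ansible_distribution_release]` fails with a generic undefined-variable error on any release that is not listed in the defaults (a newer Debian, or a non-Debian host), which hides the fact that the role simply lacks a mapping for it. A guard task ahead of the apt task makes that explicit and names the release in the failure message. The task list continues outside the hunk.
```yaml
# … unchanged: comment block above the task …
- name: Verify that the Debian release is supported by this role
  assert:
    that:
      - ansible_distribution_release in backup_client_pexpect_package
    fail_msg: "backup_client: no pexpect package mapping for release '{{ ansible_distribution_release }}'"

- name: Install pexpect for pexpect+sftp Duplicity backend
# … unchanged: apt task …
```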