Changeset - bfafd526bfc3
Branko Majic (branko) - 7 years ago 2017-06-11 15:03:43
branko@majic.rs
MAR-108: Updated tests for backup_server role:

- Refactored how the internal parameters for GnuPG binary name and length of
key ID used in Duply configuration are set up (use defaults/main.yml instead of
the set_fact module).
- Added Debian Stretch as supported platform to molecule tests.
- Replaced use of backup_server role for deployment with regular server with SSH
properly set-up.
- Use IP address for backup server instead of hostname for backup_client
configuration.
- Fixed key lookup for known hosts to use public keys (and not private keys).
- Added public keys of server for deployment in client known_hosts file.
9 files changed with 87 insertions and 70 deletions:
roles/backup_client/defaults/main.yml
 
@@ -4,3 +4,20 @@ backup_additional_encryption_keys: []
 
backup_client_username: "bak-{{ ansible_fqdn | replace('.', '_') }}"
 
backup_server_destination: /duplicity
 
backup_server_port: 2222
 

	
 
# Internal parameters.
 

	
 
# GnuPG 2 binary in Debian Jessie and Debian Stretch is different. Additionally,
 
# Debian Jessie duply configuration expects short keys, while Debian Stretch
 
# expects long keys. We set-up parameters for this here in a bit of a workaround
 
# way instead of setting facts within the playbook.
 
backup_client_gnupg_details:
 
  jessie:
 
    binary: gpg2
 
    cutoff: '{8}'
 
  stretch:
 
    binary: gpg
 
    cutoff: '{0}'
 

	
 
gnupg_binary: "{{ backup_client_gnupg_details[ansible_distribution_release]['binary'] }}"
 
gnupg_key_cutoff: "{{ backup_client_gnupg_details[ansible_distribution_release]['cutoff'] }}"
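Review bot: The two lookups at the end, `backup_client_gnupg_details[ansible_distribution_release][...]`, raise an undefined-variable error on any release other than jessie or stretch at whatever task first evaluates `gnupg_binary`, instead of a message naming the unsupported platform. An explicit assert early in tasks/main.yml (below) makes that failure clear, and since these are role defaults with the lowest precedence, renaming `gnupg_binary`/`gnupg_key_cutoff` with the `backup_client_` prefix used by the other defaults in this file would avoid silent overrides from an unrelated inventory variable of the same generic name. The quoting of `'{8}'` and `'{0}'` is required (an unquoted `{8}` parses as a flow mapping), but the comment block should say what the value is applied to; assuming it is a regex quantifier selecting the trailing 8 hex digits of the fingerprint, which this hunk does not show, adding `# NOTE: 8-hex-digit short key IDs are not collision-resistant; kept only because Jessie's duply requires them` would stop the jessie path being read as equivalent to the long-ID stretch one.
```yaml
- name: Check that the distribution release is supported by the backup_client role
  assert:
    that:
      - "ansible_distribution_release in backup_client_gnupg_details"
    msg: "Unsupported release '{{ ansible_distribution_release }}' (supported: jessie, stretch)"
```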
roles/backup_client/molecule.yml
 
@@ -10,6 +10,8 @@ vagrant:
 
  platforms:
 
    - name: debian-jessie64
 
      box: debian/contrib-jessie64
 
    - name: debian-stretch64
 
      box: debian/stretch64
 

	
 
  providers:
 
    - name: virtualbox
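Review bot: `box: debian/stretch64` is added without a version pin, so each `molecule create` fetches whichever build the Vagrant Cloud currently serves under that name and the test platform can change underneath the suite without any change in this repository. Pinning it (and the existing jessie box) with `box_version:` keeps converge results reproducible and turns box updates into reviewable dependency bumps; I believe the molecule 1.x vagrant provisioner accepts `box_version`, but that is worth confirming against the version the tests run on. If pinning is deferred, a comment such as `# TODO: pin box_version; unpinned boxes change underneath the tests` records the gap.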
roles/backup_client/playbook.yml
 
@@ -7,67 +7,79 @@
 
      apt:
 
        update_cache: yes
 

	
 
- hosts: backup-server
 
  roles:
 
    - role: backup_server
 
      backup_host_ssh_private_keys:
 
        dsa: "{{ lookup('file', 'tests/data/ssh/server_dsa') }}"
 
        rsa: "{{ lookup('file', 'tests/data/ssh/server_rsa') }}"
 
        ed25519: "{{ lookup('file', 'tests/data/ssh/server_ed25519') }}"
 
        ecdsa: "{{ lookup('file', 'tests/data/ssh/server_ecdsa') }}"
 
      backup_clients:
 
        - server: parameters-mandatory
 
          ip: 10.31.127.20
 
          public_key: "{{ lookup('file', 'tests/data/ssh/parameters-mandatory.pub') }}"
 
        - server: parameters-mandatory
 
          uid: 5001
 
          ip: 10.31.127.21
 
          public_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}"
 

	
 
# Set-up custom user and port for testing optional parameters.
 
- hosts: backup-server
 
  tasks:
 
    - name: Set-up backup group
 
      group:
 
        name: backupuser
 
    - name: Set-up backup user
 
      user:
 
        name: backupuser
 
        group: backupuser
 
    - name: Set-up firewall configuration for port forwarding
 
      copy:
 
        content: "domain (ip ip6) table nat chain PREROUTING { proto tcp dport 3333 REDIRECT to-ports 2222; }"
 
        dest: /etc/ferm/conf.d/50-redirect_3333.conf
 
        owner: root
 
        group: root
 
        mode: 0640
 
      notify:
 
        - Reload firewall
 
    - name: Set-up firewall configuration to accept incoming connections to port 3333
 

	
 
    - name: Deploy SSH server keys
 
      copy:
 
        content: "domain (ip ip6) table filter chain INPUT { proto tcp dport 3333 ACCEPT; }"
 
        dest: /etc/ferm/conf.d/55-accept_3333.conf
 
        content: "{{ lookup('file', item.key) + '\n' }}"
 
        dest: "{{ item.value }}"
 
        owner: root
 
        group: root
 
        mode: 0640
 
        mode: 0600
 
      with_dict:
 
        tests/data/ssh/server_dsa: /etc/ssh/ssh_host_dsa_key
 
        tests/data/ssh/server_rsa: /etc/ssh/ssh_host_rsa_key
 
        tests/data/ssh/server_ed25519: /etc/ssh/ssh_host_ed25519_key
 
        tests/data/ssh/server_ecdsa: /etc/ssh/ssh_host_ecdsa_key
 
      notify:
 
        - Reload firewall
 
        - Restart ssh
 

	
 
    - name: Set-up backup user groups
 
      group:
 
        name: "{{ item.name }}"
 
      with_items: "{{ backup_users }}"
 

	
 
    - name: Set-up backup users
 
      user:
 
        name: "{{ item.name }}"
 
        group: "{{ item.name }}"
 
      with_items: "{{ backup_users }}"
 

	
 
    - name: Set-up authorised keys
 
      authorized_key:
 
        user: "{{ item.name }}"
 
        key: "{{ item.key }}"
 
      with_items: "{{ backup_users }}"
 

	
 
    - name: Set-up port forwarding
 
      command: "iptables -t nat -A PREROUTING -p tcp -m tcp --dport '{{ item }}' -j REDIRECT --to-ports 22"
 
      changed_when: False
 
      with_items:
 
        - 2222
 
        - 3333
 

	
 
    - name: Set-up directory for parameters-mandatory backups
 
      file:
 
        path: /duplicity
 
        state: directory
 
        owner: bak-parameters-mandatory
 
        group: bak-parameters-mandatory
 
        mode: 0700
 

	
 
  handlers:
 
    - name: Reload firewall
 
    - name: Restart ssh
 
      service:
 
        name: ferm
 
        name: ssh
 
        state: restarted
 

	
 
  vars:
 
    backup_users:
 
      - name: bak-parameters-mandatory
 
        key: "{{ lookup('file', 'tests/data/ssh/parameters-mandatory.pub') }}"
 
      - name: backupuser
 
        key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}"
 

	
 
- hosts: parameters-mandatory
 
  roles:
 
    - role: backup_client
 
      backup_encryption_key: "{{ lookup('file', 'tests/data/gnupg/parameters-mandatory.asc') }}"
 
      backup_server: backup-server
 
      backup_server: 10.31.127.10
 
      backup_server_host_ssh_public_keys:
 
        - "{{ lookup('file', 'tests/data/ssh/server_dsa') }}"
 
        - "{{ lookup('file', 'tests/data/ssh/server_rsa') }}"
 
        - "{{ lookup('file', 'tests/data/ssh/server_ed25519') }}"
 
        - "{{ lookup('file', 'tests/data/ssh/server_ecdsa') }}"
 
        - "{{ lookup('file', 'tests/data/ssh/server_dsa.pub') }}"
 
        - "{{ lookup('file', 'tests/data/ssh/server_rsa.pub') }}"
 
        - "{{ lookup('file', 'tests/data/ssh/server_ed25519.pub') }}"
 
        - "{{ lookup('file', 'tests/data/ssh/server_ecdsa.pub') }}"
 
      backup_ssh_key: "{{ lookup('file', 'tests/data/ssh/parameters-mandatory' ) }}"
 

	
 
- hosts: parameters-optional
 
@@ -79,12 +91,12 @@
 
        - "{{ lookup('file', 'tests/data/gnupg/additional_encryption_key_3.asc') }}"
 
      backup_client_username: backupuser
 
      backup_encryption_key: "{{ lookup('file', 'tests/data/gnupg/parameters-optional.asc') }}"
 
      backup_server: backup-server
 
      backup_server: 10.31.127.10
 
      backup_server_destination: "/home/backupuser"
 
      backup_server_host_ssh_public_keys:
 
        - "{{ lookup('file', 'tests/data/ssh/server_dsa') }}"
 
        - "{{ lookup('file', 'tests/data/ssh/server_rsa') }}"
 
        - "{{ lookup('file', 'tests/data/ssh/server_ed25519') }}"
 
        - "{{ lookup('file', 'tests/data/ssh/server_ecdsa') }}"
 
        - "{{ lookup('file', 'tests/data/ssh/server_dsa.pub') }}"
 
        - "{{ lookup('file', 'tests/data/ssh/server_rsa.pub') }}"
 
        - "{{ lookup('file', 'tests/data/ssh/server_ed25519.pub') }}"
 
        - "{{ lookup('file', 'tests/data/ssh/server_ecdsa.pub') }}"
 
      backup_server_port: 3333
 
      backup_ssh_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional' ) }}"
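Review bot: The new `Set-up port forwarding` task runs `iptables -t nat -A PREROUTING ...` unconditionally with `changed_when: False`, so every converge appends another copy of both REDIRECT rules and the duplication is hidden from Ansible's change reporting; a `-C` check before the `-A`, or the `iptables` module with its present/absent semantics (in Ansible since 2.0, if that is what the tests run on), keeps it idempotent. The rules are IPv4-only, which is fine while both clients point at `backup_server: 10.31.127.10`, but a comment saying so would stop anyone expecting the IPv6 path to work. Separately, the stand-in server's `authorized_key` entries carry no `key_options`, so both test client keys get an unrestricted shell on the server; that is acceptable for a fixture replacing the backup_server role, but a one-line comment noting that the real role is expected to restrict these keys would prevent this playbook being copied as a reference deployment (I cannot see what the removed role did, so this is an assumption). The `- hosts: parameters-optional` play continues into the second hunk.
```yaml
    - name: Set-up port forwarding
      iptables:
        table: nat
        chain: PREROUTING
        protocol: tcp
        destination_port: "{{ item }}"
        jump: REDIRECT
        to_ports: "22"
      with_items:
        - 2222
        - 3333
```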
roles/backup_client/tasks/facts.yml
 
deleted file
roles/backup_client/tasks/main.yml
 
---
 

	
 
- include: facts.yml
 
  tags:
 
    - handlers
 

	
 
- name: Install pexpect for pexpect+sftp Duplicity backend (only on Stretch)
 
  apt: name="python-pexpect" state=installed
 
  when: "ansible_distribution == 'Debian' and ansible_distribution_release == 'stretch'"
 
@@ -87,4 +83,4 @@
 
  include: ../handlers/main.yml
 
  when: "handlers | default(False) | bool() == True"
 
  tags:
 
    - handlers
 
\ No newline at end of file
 
    - handlers
roles/backup_client/tests/data/ssh/server_dsa.pub
 
new file 100644
 
ssh-dss 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
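Review bot: This ssh-dss public key is added to the clients' known_hosts, but OpenSSH 7.0 and later do not offer or accept ssh-dss host keys by default, which I believe covers the OpenSSH shipped in Stretch, so on that platform the entry is never matched and the corresponding `/etc/ssh/ssh_host_dsa_key` deployed by the playbook is never presented. Keeping it is harmless for the tests, but a comment in the playbook's key list such as `# DSA is kept only for Jessie; ssh-dss is disabled by default on OpenSSH >= 7.0` would stop the fixture being read as DSA host keys being a supported configuration.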
roles/backup_client/tests/data/ssh/server_ecdsa.pub
 
new file 100644
 
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLaZb8xcw5PbzQ8Jo8xygcUaI6ziGLs+ZqsAqJSOIou9iN0zSKO9a4ujbeMgIbfZZPB5UWcv1CxNekTZ4tkrAaM=
roles/backup_client/tests/data/ssh/server_ed25519.pub
 
new file 100644
 
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQzNj16lZ3ucIJvwnFYzR/vZT3SuWiIVPNOhK5JGlq6
roles/backup_client/tests/data/ssh/server_rsa.pub
 
new file 100644
 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2SqbwZNanhTMM8wL1iGtNOR7nYbXcCQNbU65crXN43W1tz4GXoyluHEEXs0we7jmZZyow19X89Ve5w8ODL42KRDtNXoN8wjoLwZ1l7iGsrN1oUXJP7i6i9lH/0F+fudFB3Tm53ieBr0MEMdxAQBpk+MCi64G0iuvZeE0sKG5JfSky82ZZ26m5EchORJuiiKObB17EsUGl091S8eiLXIIiQQvg4d9933oAqNCLe0uxbNfJcbMJAdr+m9rYxyVoPXweUm1beb/6/vZQzAf0HL5+Ic/mbLu3z4httCh0dIlCqjRe/8llqF21psIlN8D8hZkzY6WEo7/v9wHAGFTFFFlJ