Changeset - d61d01c00362
Branko Majic (branko) - 8 years ago 2016-01-10 00:06:59
branko@majic.rs
MAR-44: Redesigned usage of GnuPG keys used by the backup_client role. Now one must provide an encryption key and a signing key (both have to be private, and will be transferred to the host), and can optionally provide additional public keys to use for encryption. Updated example.
6 files changed with 54 insertions and 45 deletions:
docs/rolereference.rst
 
@@ -1525,13 +1525,22 @@ Duply is configured as follows:
 
Parameters
 
~~~~~~~~~~
 

	
 
**backup_additional_encryption_keys** (list, optional, ``[]``)
 
  List of additional identifiers of encryption keys used for backup
 
  operation. Listed encryption keys must be present in the backup keyring - only
 
  the public key is used. These additional keys are useful in cases where the
 
  backups should be decryptable with some master key in addition to
 
  server-specific key.
 

	
 
**backup_client_username** (string, optional, ``bak-{{ ansible_fqdn | replace('.', '_') }}``)
 
  Username for connecting to the backup server via SFTP.
 

	
 
**backup_encryption_keys** (list, mandatory)
 
  List of key identifiers for encryption keys used for backup operation. Listed
 
  encryption keys must be part of the backup keyring. It is sufficient (and
 
  recommended) to include only the public keys.
 
**backup_encryption_key** (string, optional, ``{{ ansible_fqdn }}``)
 
  Identifier of encryption key used for the backup operations. Specified key
 
  must be present in the backup keyring, both private and public
 
  counterpart. This is normally host-specified encryption key that is
 
  distributed to destination server and that can be also used for the restore
 
  operations (for data decryption).
 

	
 
**backup_gnupg_keyring** (string, optional, ``{{ inventory_dir }}/backup_keyring``)
 
  Path to the directory on *controller* machine (where Ansible is executed)
 
@@ -1572,12 +1581,17 @@ plugin is quite useful here for fetching key values from some local directory):
 
.. code-block:: yaml
 

	
 
  - role: backup_client
 
    backup_encryption_keys:
 
      - "my_secret_key"
 
    backup_additional_encryption_keys: "my_key"
 
    backup_client_username: "user"
 
    backup_encryption_key: "host_enc_key"
 
    backup_gnupg_keyring: "/home/admin/.gnupg"
 
    backup_server: "backup.example.com"
 
    backup_server_destination: "//example/host"
 
    backup_server_host_ssh_public_keys:
 
      - "{{ lookup('file', inventory_dir + '/ssh/backup_server_dsa_key.pub') }}"
 
      - "{{ lookup('file', inventory_dir + '/ssh/backup_server_rsa_key.pub') }}"
 
      - "{{ lookup('file', inventory_dir + '/ssh/backup_server_ed25519_key.pub') }}"
 
      - "{{ lookup('file', inventory_dir + '/ssh/backup_server_ecdsa_key.pub') }}"
 
      - "{{ lookup('file', inventory_dir + '/ssh/backup_server_ed25519_key.pub') }}"
 
      - "{{ lookup('file', inventory_dir + '/ssh/backup_server_rsa_key.pub') }}"
 
    backup_server_port: 22
 
    backup_signing_key: "host_enc_key"
 
    backup_ssh_key: "{{ lookup('file', inventory_dir + '/ssh/web.example.com') }}"
roles/backup_client/defaults/main.yml
 
---
 

	
 
backup_additional_encryption_keys: []
 
backup_client_username: "bak-{{ ansible_fqdn | replace('.', '_') }}"
 
backup_encryption_keys:
 
  - "{{ ansible_fqdn }}"
 
backup_encryption_key: "{{ ansible_fqdn }}"
 
backup_gnupg_keyring: "{{ inventory_dir }}/backup_keyring"
 
backup_server_destination: //duplicity
 
backup_server_port: 2222
 
\ No newline at end of file
 
backup_server_port: 2222
 
backup_signing_key: ""
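Review bot: The new default `backup_signing_key: ""` makes the variable always defined, so the `is defined` guards elsewhere in the role (visible in the template's `{% if backup_signing_key is defined -%}` and in the handler conditions) will no longer exclude the unset case; the commit message says the signing key is now mandatory, so an empty default silently passes those checks and hands an empty identifier to `gpg2 --export-secret-keys`. If the key is mandatory, drop the default from this file so Ansible fails on the undefined variable at first use, or add an explicit assertion in tasks; if a default is kept, change the consumers to test `backup_signing_key` for non-emptiness rather than definedness. Either way, a comment such as `# Mandatory: identifier of the private signing key in backup_gnupg_keyring; no default on purpose` above the key would document the intent.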
roles/backup_client/handlers/main.yml
 
@@ -4,9 +4,12 @@
 
  assemble: dest="/etc/duply/main/include" src="/etc/duply/main/patterns"
 
            owner=root group=root mode=600 backup=yes
 

	
 
- name: Import encryption public keys
 
  command: gpg2 --homedir /etc/duply/main/gnupg --import /etc/duply/main/public_encryption_keys.asc
 
- name: Clean-up GnuPG keyring for import of new keys
 
  shell: rm -f /etc/duply/main/gnupg/*
 

	
 
- name: Import signing private keys
 
  command: gpg2 --homedir /etc/duply/main/gnupg --import /etc/duply/main/private_signing_key.asc
 
  when: backup_signing_key is defined
 
- name: Import private keys
 
  command: gpg2 --homedir /etc/duply/main/gnupg --import /etc/duply/main/private_keys.asc
 

	
 
- name: Import public keys
 
  command: gpg2 --homedir /etc/duply/main/gnupg --import /etc/duply/main/public_keys.asc
 
  when: backup_additional_encryption_keys
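Review bot: The correctness of this hunk depends on handler definition order — `Clean-up GnuPG keyring for import of new keys` must run before the two `--import` handlers, and Ansible runs notified handlers in the order they are listed in the handlers file, not in the order they were notified — yet nothing in the file says so, and a later reorder would make the import run into a keyring that is then wiped. I would add a comment above the clean-up handler: `# NOTE: handlers run in file order; this must stay above the import handlers so the wipe happens before --import`. Note also that `rm -f /etc/duply/main/gnupg/*` removes `trustdb.gpg` as well, so the re-imported keys start with no ownertrust; whether duplicity's encrypt step tolerates that depends on settings outside this hunk and is worth confirming.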
roles/backup_client/tasks/main.yml
 
@@ -17,20 +17,18 @@
 
    - "/var/cache/duply"
 
    - "/var/cache/duply/main"
 

	
 
- name: Extract encryption keys
 
  local_action: "command gpg2 --homedir '{{ backup_gnupg_keyring }}' --armor --export {{ backup_encryption_keys | join(' ') }}"
 
- name: Extract private keys used for encryption and signing
 
  local_action: "command gpg2 --homedir '{{ backup_gnupg_keyring }}' --armor --export-secret-keys {{ backup_encryption_key }} {{ backup_signing_key }}"
 
  become: no
 
  register: encryption_keys
 
  tags:
 
    - debug
 
  register: private_keys
 
  changed_when: False
 

	
 
- name: Extract signing key
 
  local_action: command gpg2 --homedir "{{ backup_gnupg_keyring }}" --armor --export-secret-key "{{ backup_signing_key }}"
 
- name: Extract public keys used for encryption only
 
  local_action: "command gpg2 --homedir '{{ backup_gnupg_keyring }}' --armor --export {{ backup_additional_encryption_keys | join(' ') }}"
 
  become: no
 
  when: backup_signing_key is defined
 
  register: signing_key
 
  register: public_keys
 
  changed_when: False
 
  when: backup_additional_encryption_keys
 

	
 
- name: Extract signing key ID (duplicity accepts 8-char hex code only)
 
  local_action: shell gpg2 --homedir "{{ backup_gnupg_keyring }}" --with-colons --list-secret-keys "{{ backup_signing_key }}" | grep '^sec' | sort -n -k 6 -t ":"  | cut -f 5 -d ':' | grep -o '[A-F0-9]\{8\}$'
 
@@ -39,27 +37,21 @@
 
  register: signing_key_id
 
  changed_when: False
 

	
 
- name: Deploy GnuPG public keys for encryption
 
  copy: content="{{ encryption_keys.stdout }}" dest="/etc/duply/main/public_encryption_keys.asc"
 
- name: Deploy GnuPG private keys
 
  copy: content="{{ private_keys.stdout }}" dest="/etc/duply/main/private_keys.asc"
 
        owner=root group=root mode=600
 
  register: new_enc_key
 
  notify:
 
    - Import signing private keys
 
    - Import encryption public keys
 
    - Clean-up GnuPG keyring for import of new keys
 
    - Import private keys
 
    - Import public keys
 

	
 
- name: Deploy GnuPG private keys for signing
 
  copy: content="{{ signing_key.stdout }}" dest="/etc/duply/main/private_signing_key.asc"
 
- name: Deploy GnuPG public keys
 
  copy: content="{{ public_keys.stdout | default("") }}" dest="/etc/duply/main/public_keys.asc"
 
        owner=root group=root mode=600
 
  no_log: True
 
  when: backup_signing_key is defined
 
  register: new_sign_key
 
  notify:
 
    - Import signing private keys
 
    - Import encryption public keys
 

	
 
- name: Clean-up GnuPG keyring for import of new keys
 
  shell: rm -f /etc/duply/main/gnupg/*
 
  when: new_enc_key.changed or new_sign_key.changed
 
    - Clean-up GnuPG keyring for import of new keys
 
    - Import private keys
 
    - Import public keys
 

	
 
- name: Deploy private SSH key for logging-in into backup server
 
  copy: content="{{ backup_ssh_key }}" dest="/etc/duply/main/ssh/identity"
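Review bot: The new `Extract private keys used for encryption and signing` task runs `gpg2 --export-secret-keys` and registers the armored secret keys in `private_keys`, and the `Deploy GnuPG private keys` task then copies `{{ private_keys.stdout }}` to the host, but neither task visibly carries `no_log`; with `-v` or a logging callback the unencrypted secret key material will be printed and persisted in the controller's log, and the `tags: - debug` on the extract task makes that even more likely. Add `no_log: true` to both the extract and the deploy task (the removed signing-key deploy task had it, so this looks like a regression). Separately, the export command passes `{{ backup_encryption_key }} {{ backup_signing_key }}` unquoted into `command`, so an identifier containing a space would be split into two arguments; quoting each as `'{{ backup_encryption_key }}' '{{ backup_signing_key }}'` is cheap. The final `Deploy private SSH key` task continues past the end of the hunk.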
roles/backup_client/templates/duply_main_conf.j2
 
# GnuPG keys that should be used for encryption. Normally the encryption key is
 
# not available locally.
 
GPG_KEYS_ENC='{{ backup_encryption_keys | join(',') }}'
 
GPG_KEYS_ENC='{{ backup_encryption_key}}{% if backup_additional_encryption_keys %},{{ backup_additional_encryption_keys | join(',') }}{% endif %}'
 

	
 
{% if backup_signing_key is defined -%}
 
# GnuPG keys that should be used for signing. Normally the signing key should be
 
@@ -43,8 +43,7 @@ TEMP_DIR="/tmp"
 
ARCH_DIR="/var/cache/duply/main/"
 

	
 
# Use the GnuPG agent for passwords prompts. Since we deploy the signing key
 
# without any encryption, this effectively means no prompts (and encryption key
 
# should not be available on backup client machines).
 
# without any encryption, this effectively means no prompts.
 
DUPL_PARAMS="$DUPL_PARAMS --use-agent"
 

	
 
# Use the pexepct backend for Duplicity so we can pass in all the
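Review bot: The context comment above `GPG_KEYS_ENC` still says "Normally the encryption key is not available locally", which contradicts the commit message and the new tasks that export `backup_encryption_key` with `--export-secret-keys` and deploy it to the client; the later comment in this same hunk was updated but this one was missed. I would rewrite it as `# GnuPG keys used for encryption. The host's own key (including its private part) is deployed locally; additional keys are public-only.` Worth stating in that comment, because it is a threat-model change, is that a compromised client can now decrypt its own backup history — previously only the signing key was on the host — which is why `backup_additional_encryption_keys` (a separately held master key) matters. Also a minor typo in the context line: "pexepct" should be "pexpect".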
testsite/group_vars/all.yml
 
@@ -65,7 +65,7 @@ ldap_client_config:
 
# Enable and configure backups
 
enable_backup: yes
 

	
 
backup_encryption_keys:
 
backup_additional_encryption_keys:
 
  - "backup.{{ testsite_domain }}"
 

	
 
backup_signing_key: "{{ ansible_fqdn }}"