diff --git a/roles/backup_client/playbook.yml b/roles/backup_client/playbook.yml
index f6d7d10a65e9f0e4fca5b834ed10ac1a83769af1..4ce25411af62e405d940ce0136fe0377e541249d 100644
--- a/roles/backup_client/playbook.yml
+++ b/roles/backup_client/playbook.yml
@@ -7,67 +7,79 @@ apt: update_cache: yes -- hosts: backup-server - roles: - - role: backup_server - backup_host_ssh_private_keys: - dsa: "{{ lookup('file', 'tests/data/ssh/server_dsa') }}" - rsa: "{{ lookup('file', 'tests/data/ssh/server_rsa') }}" - ed25519: "{{ lookup('file', 'tests/data/ssh/server_ed25519') }}" - ecdsa: "{{ lookup('file', 'tests/data/ssh/server_ecdsa') }}" - backup_clients: - - server: parameters-mandatory - ip: 10.31.127.20 - public_key: "{{ lookup('file', 'tests/data/ssh/parameters-mandatory.pub') }}" - - server: parameters-mandatory - uid: 5001 - ip: 10.31.127.21 - public_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}" - -# Set-up custom user and port for testing optional parameters. - hosts: backup-server tasks: - - name: Set-up backup group - group: - name: backupuser - - name: Set-up backup user - user: - name: backupuser - group: backupuser - - name: Set-up firewall configuration for port forwarding - copy: - content: "domain (ip ip6) table nat chain PREROUTING { proto tcp dport 3333 REDIRECT to-ports 2222; }" - dest: /etc/ferm/conf.d/50-redirect_3333.conf - owner: root - group: root - mode: 0640 - notify: - - Reload firewall - - name: Set-up firewall configuration to accept incoming connections to port 3333 + + - name: Deploy SSH server keys copy: - content: "domain (ip ip6) table filter chain INPUT { proto tcp dport 3333 ACCEPT; }" - dest: /etc/ferm/conf.d/55-accept_3333.conf + content: "{{ lookup('file', item.key) + '\n' }}" + dest: "{{ item.value }}" owner: root group: root - mode: 0640 + mode: 0600 + with_dict: + tests/data/ssh/server_dsa: /etc/ssh/ssh_host_dsa_key + tests/data/ssh/server_rsa: /etc/ssh/ssh_host_rsa_key + tests/data/ssh/server_ed25519: /etc/ssh/ssh_host_ed25519_key + tests/data/ssh/server_ecdsa: /etc/ssh/ssh_host_ecdsa_key notify: - - Reload firewall + - Restart ssh + + - name: Set-up backup user groups + group: + name: "{{ item.name }}" + with_items: "{{ backup_users }}" + + - name: Set-up backup 
users + user: + name: "{{ item.name }}" + group: "{{ item.name }}" + with_items: "{{ backup_users }}" + + - name: Set-up authorised keys + authorized_key: + user: "{{ item.name }}" + key: "{{ item.key }}" + with_items: "{{ backup_users }}" + + - name: Set-up port forwarding + command: "iptables -t nat -A PREROUTING -p tcp -m tcp --dport '{{ item }}' -j REDIRECT --to-ports 22" + changed_when: False + with_items: + - 2222 + - 3333 + + - name: Set-up directory for parameters-mandatory backups + file: + path: /duplicity + state: directory + owner: bak-parameters-mandatory + group: bak-parameters-mandatory + mode: 0700 + handlers: - - name: Reload firewall + - name: Restart ssh service: - name: ferm + name: ssh state: restarted + vars: + backup_users: + - name: bak-parameters-mandatory + key: "{{ lookup('file', 'tests/data/ssh/parameters-mandatory.pub') }}" + - name: backupuser + key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}" + - hosts: parameters-mandatory roles: - role: backup_client backup_encryption_key: "{{ lookup('file', 'tests/data/gnupg/parameters-mandatory.asc') }}" - backup_server: backup-server + backup_server: 10.31.127.10 backup_server_host_ssh_public_keys: - - "{{ lookup('file', 'tests/data/ssh/server_dsa') }}" - - "{{ lookup('file', 'tests/data/ssh/server_rsa') }}" - - "{{ lookup('file', 'tests/data/ssh/server_ed25519') }}" - - "{{ lookup('file', 'tests/data/ssh/server_ecdsa') }}" + - "{{ lookup('file', 'tests/data/ssh/server_dsa.pub') }}" + - "{{ lookup('file', 'tests/data/ssh/server_rsa.pub') }}" + - "{{ lookup('file', 'tests/data/ssh/server_ed25519.pub') }}" + - "{{ lookup('file', 'tests/data/ssh/server_ecdsa.pub') }}" backup_ssh_key: "{{ lookup('file', 'tests/data/ssh/parameters-mandatory' ) }}" - hosts: parameters-optional 
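Review bot: The new "Set-up port forwarding" task is not idempotent: `iptables -t nat -A PREROUTING ... -j REDIRECT --to-ports 22` appends a fresh rule on every play run, and `changed_when: False` hides that, so repeated runs stack duplicate NAT rules and nothing ever reports drift. The `iptables` module checks for an existing equivalent rule before inserting and reports change honestly, so the task can be rewritten as below. Separately, the "Deploy SSH server keys" task feeds private key material through `content:`, which Ansible prints in `--diff`/verbose output; `no_log: true` on that task keeps the keys out of run logs (these are test fixtures under tests/data, but the playbook shape tends to get copied). Also note the removed ferm config explicitly accepted inbound 3333 in the filter table, while the new task only adds the NAT redirect; whether the test host's INPUT policy still permits 2222/3333 is not visible here and is worth confirming.
```yaml
    - name: Set-up port forwarding
      iptables:
        table: nat
        chain: PREROUTING
        protocol: tcp
        destination_port: "{{ item }}"
        jump: REDIRECT
        to_ports: "22"
      with_items:
        - 2222
        - 3333
# … unchanged: remaining tasks, handlers and vars …
```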
@@ -79,12 +91,12 @@
 - "{{ lookup('file', 'tests/data/gnupg/additional_encryption_key_3.asc') }}"
 backup_client_username: backupuser
 backup_encryption_key: "{{ lookup('file', 'tests/data/gnupg/parameters-optional.asc') }}"
- backup_server: backup-server
+ backup_server: 10.31.127.10
 backup_server_destination: "/home/backupuser"
 backup_server_host_ssh_public_keys:
- - "{{ lookup('file', 'tests/data/ssh/server_dsa') }}"
- - "{{ lookup('file', 'tests/data/ssh/server_rsa') }}"
- - "{{ lookup('file', 'tests/data/ssh/server_ed25519') }}"
- - "{{ lookup('file', 'tests/data/ssh/server_ecdsa') }}"
+ - "{{ lookup('file', 'tests/data/ssh/server_dsa.pub') }}"
+ - "{{ lookup('file', 'tests/data/ssh/server_rsa.pub') }}"
+ - "{{ lookup('file', 'tests/data/ssh/server_ed25519.pub') }}"
+ - "{{ lookup('file', 'tests/data/ssh/server_ecdsa.pub') }}"
 backup_server_port: 3333
 backup_ssh_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional' ) }}"