diff --git a/roles/backup_server/tasks/main.yml b/roles/backup_server/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..610b56c9f789ff440d8ab594f2064f0f631f5abc
--- /dev/null
+++ b/roles/backup_server/tasks/main.yml
@@ -0,0 +1,96 @@
+---
+
+- name: Install backup software
+ apt: name="{{ item }}" state=installed
+ with_items:
+ - duplicity
+ - duply
+
+- name: Create directory for storing backups
+ file: path="/srv/backups" state=directory
+ owner="root" group="root" mode=751
+
+- name: Create backup client groups
+ group: name="{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
+ gid="{{ item.uid | default(omit) }}" system="yes"
+ with_items: backup_clients
+
+- name: Create backup client users
+ user: name="{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
+ group="{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
+ groups="backup"
+ uid="{{ item.uid | default(omit) }}"
+ system=yes createhome=no state=present home="/srv/backups/{{ item.server }}"
+ with_items: backup_clients
+
+- name: Create home directories for backup client users
+ file: path="/srv/backups/{{ item.server }}" state=directory
+ owner="root" group="{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}" mode=750
+ with_items: backup_clients
+
+- name: Create duplicity directories for backup client users
+ file: path="/srv/backups/{{ item.server }}/duplicity" state=directory
+ owner="{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
+ group="{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
+ mode=770
+ with_items: backup_clients
+
+- name: Create SSH directory for backup client users
+ file: path="/srv/backups/{{ item.server }}/.ssh" state=directory
+ owner="root" group="root" mode=751
+ with_items: backup_clients
+
+- name: Populate authorized keys for backup client users
+ authorized_key: user="{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
+ key="{{ item.public_key }}" manage_dir="no" state="present"
+ with_items: backup_clients
+
+- name: Set-up authorized_keys file permissions for backup client users
+ file: path="/srv/backups/{{ item.server }}/.ssh/authorized_keys" state=file
+ owner="root" group="{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
+ mode=640
+ with_items: backup_clients
+
+- name: Deny the backup group login via regular SSH
+ lineinfile: dest="/etc/ssh/sshd_config" state=present line="DenyGroups backup"
+ notify:
+ - Restart SSH
+
+- name: Set-up directory for the backup OpenSSH server instance
+ file: path="/etc/ssh-backup/" state=directory
+ owner="root" group="root" mode="700"
+
+- name: Deploy configuration file for the backup OpenSSH server instance service
+ copy: src="ssh-backup.default" dest="/etc/default/ssh-backup"
+ owner="root" group="root" mode="644"
+ notify:
+ - Restart backup SSH server
+
+- name: Deploy configuration file for the backup OpenSSH server instance
+ copy: src="backup-sshd_config" dest="/etc/ssh-backup/sshd_config"
+ owner="root" group="root" mode="600"
+ notify:
+ - Restart backup SSH server
+
+- name: Deploy the private keys for backup OpenSSH server instance
+ copy: content="{{ item.value }}" dest="/etc/ssh-backup/ssh_host_{{ item.key }}_key"
+ owner="root" group="root" mode="600"
+ with_dict: backup_host_ssh_private_keys
+ no_log: True
+ notify:
+ - Restart backup SSH server
+
+- name: Deploy backup OpenSSH server systemd service file
+ copy: src="ssh-backup.service" dest="/etc/systemd/system/ssh-backup.service"
+ owner=root group=root mode=644
+ notify:
+ - Reload systemd
+ - Restart backup SSH server
+
+- name: Start and enable OpenSSH backup service
+ service: name="ssh-backup" state="started" enabled="yes"
+
+- name: Deploy firewall configuration for backup server
+ template: src="ferm_backup.conf.j2" dest="/etc/ferm/conf.d/40-backup.conf" owner=root group=root mode=640
+ notify:
+ - Restart ferm
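Review bot: The `Deny the backup group login via regular SSH` task appends `DenyGroups backup` to the end of `/etc/ssh/sshd_config` with no `regexp`, `insertbefore` or `validate`, so if that file ends with an active `Match` block the directive lands inside it and only applies under that block's criteria instead of denying the group globally, and a malformed edit is only discovered when the `Restart SSH` handler fires. Anchoring and validating the edit makes the intended lockout explicit: `lineinfile: dest="/etc/ssh/sshd_config" regexp="^DenyGroups" line="DenyGroups backup" insertbefore="^Match" validate="/usr/sbin/sshd -t -f %s"`. Separately, `Start and enable OpenSSH backup service` runs before the `Reload systemd` handler notified two tasks earlier has fired, so a first run can fail because systemd does not yet know the freshly copied `ssh-backup` unit; a `- meta: flush_handlers` task placed before it closes that gap. The bare-variable loops (`with_items: backup_clients`, `with_dict: backup_host_ssh_private_keys`) and `state=installed` are deprecated spellings that newer Ansible warns on; `with_items: "{{ backup_clients }}"` and `state=present` are the current forms.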