Files
@ 17cf34f73ca6
Branch filter:
Location: majic-ansible-roles/roles/backup_client/playbook.yml
17cf34f73ca6
3.7 KiB
text/x-yaml
MAR-28: Implemented additional tests for mail_server role:
- Deploy a number of tools on clients in order to test SMTP, IMAP, and Sieve
services.
- Added one more user to LDAP directory for testing group restrictions.
- Deploy CA certificate on all testing machines for TLS validation purposes.
- Use different custom-configured cipher for mail server ciphers.
- Fixed invalid postmaster address for parameters-optional host.
- Deploy configuration files for use with Imap-CLI on client test machines.
- Updated testing of SMTP server to include checks for users that do not belong
to mail group.
- Extended some SMTP-related tests to cover both test servers.
- Some small fixes in SMTP-related tests for expected output from commands.
- Implemented tests covering Dovecot (IMAP + Sieve) functionality.
- Implemented tests for running/enabled services.
- Implemented tests for ClamAV.
- Implemented tests for firewall and connectivity.
- Implemented tests for Postfix TLS configuration.
- TODO: Tests for Sieve TLS configuration have not been written yet due to
limitation of available tools.
- Deploy a number of tools on clients in order to test SMTP, IMAP, and Sieve
services.
- Added one more user to LDAP directory for testing group restrictions.
- Deploy CA certificate on all testing machines for TLS validation purposes.
- Use different custom-configured cipher for mail server ciphers.
- Fixed invalid postmaster address for parameters-optional host.
- Deploy configuration files for use with Imap-CLI on client test machines.
- Updated testing of SMTP server to include checks for users that do not belong
to mail group.
- Extended some SMTP-related tests to cover both test servers.
- Some small fixes in SMTP-related tests for expected output from commands.
- Implemented tests covering Dovecot (IMAP + Sieve) functionality.
- Implemented tests for running/enabled services.
- Implemented tests for ClamAV.
- Implemented tests for firewall and connectivity.
- Implemented tests for Postfix TLS configuration.
- TODO: Tests for Sieve TLS configuration have not been written yet due to
limitation of available tools.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 | ---
- hosts: all
tasks:
- name: Update all caches to avoid errors due to missing remote archives
apt:
update_cache: yes
- hosts: backup-server
tasks:
- name: Deploy SSH server keys
copy:
content: "{{ lookup('file', item.key) + '\n' }}"
dest: "{{ item.value }}"
owner: root
group: root
mode: 0600
with_dict:
tests/data/ssh/server_dsa: /etc/ssh/ssh_host_dsa_key
tests/data/ssh/server_rsa: /etc/ssh/ssh_host_rsa_key
tests/data/ssh/server_ed25519: /etc/ssh/ssh_host_ed25519_key
tests/data/ssh/server_ecdsa: /etc/ssh/ssh_host_ecdsa_key
notify:
- Restart ssh
- name: Set-up backup user groups
group:
name: "{{ item.name }}"
with_items: "{{ backup_users }}"
- name: Set-up backup users
user:
name: "{{ item.name }}"
group: "{{ item.name }}"
with_items: "{{ backup_users }}"
- name: Set-up authorised keys
authorized_key:
user: "{{ item.name }}"
key: "{{ item.key }}"
with_items: "{{ backup_users }}"
- name: Set-up port forwarding
command: "iptables -t nat -A PREROUTING -p tcp -m tcp --dport '{{ item }}' -j REDIRECT --to-ports 22"
changed_when: False
with_items:
- 2222
- 3333
- name: Set-up directory for parameters-mandatory backups
file:
path: /duplicity
state: directory
owner: bak-parameters-mandatory
group: bak-parameters-mandatory
mode: 0700
handlers:
- name: Restart ssh
service:
name: ssh
state: restarted
vars:
backup_users:
- name: bak-parameters-mandatory
key: "{{ lookup('file', 'tests/data/ssh/parameters-mandatory.pub') }}"
- name: backupuser
key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}"
- hosts: parameters-mandatory
roles:
- role: backup_client
backup_encryption_key: "{{ lookup('file', 'tests/data/gnupg/parameters-mandatory.asc') }}"
backup_server: 10.31.127.10
backup_server_host_ssh_public_keys:
- "{{ lookup('file', 'tests/data/ssh/server_dsa.pub') }}"
- "{{ lookup('file', 'tests/data/ssh/server_rsa.pub') }}"
- "{{ lookup('file', 'tests/data/ssh/server_ed25519.pub') }}"
- "{{ lookup('file', 'tests/data/ssh/server_ecdsa.pub') }}"
backup_ssh_key: "{{ lookup('file', 'tests/data/ssh/parameters-mandatory' ) }}"
- hosts: parameters-optional
roles:
- role: backup_client
backup_additional_encryption_keys:
- "{{ lookup('file', 'tests/data/gnupg/additional_encryption_key_1.asc') }}"
- "{{ lookup('file', 'tests/data/gnupg/additional_encryption_key_2.asc') }}"
- "{{ lookup('file', 'tests/data/gnupg/additional_encryption_key_3.asc') }}"
backup_client_username: backupuser
backup_encryption_key: "{{ lookup('file', 'tests/data/gnupg/parameters-optional.asc') }}"
backup_server: 10.31.127.10
backup_server_destination: "/home/backupuser"
backup_server_host_ssh_public_keys:
- "{{ lookup('file', 'tests/data/ssh/server_dsa.pub') }}"
- "{{ lookup('file', 'tests/data/ssh/server_rsa.pub') }}"
- "{{ lookup('file', 'tests/data/ssh/server_ed25519.pub') }}"
- "{{ lookup('file', 'tests/data/ssh/server_ecdsa.pub') }}"
backup_server_port: 3333
backup_ssh_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional' ) }}"
# Deploy a dummy pre-backup script for testing purposes.
- hosts: parameters-mandatory,parameters-optional
tasks:
- name: Deploy pre-backup script
copy:
src: tests/data/10-test-pre-backup.sh
dest: /etc/duply/main/pre.d/10-test-pre-backup.sh
owner: root
group: root
mode: 0700
|