Files @ 17cf34f73ca6

Location: majic-ansible-roles/roles/backup_client/playbook.yml

branko
MAR-28: Implemented additional tests for mail_server role:

- Deploy a number of tools on clients in order to test SMTP, IMAP, and Sieve
services.
- Added one more user to LDAP directory for testing group restrictions.
- Deploy CA certificate on all testing machines for TLS validation purposes.
- Use different custom-configured cipher for mail server ciphers.
- Fixed invalid postmaster address for parameters-optional host.
- Deploy configuration files for use with Imap-CLI on client test machines.
- Updated testing of SMTP server to include checks for users that do not belong
to mail group.
- Extended some SMTP-related tests to cover both test servers.
- Some small fixes in SMTP-related tests for expected output from commands.
- Implemented tests covering Dovecot (IMAP + Sieve) functionality.
- Implemented tests for running/enabled services.
- Implemented tests for ClamAV.
- Implemented tests for firewall and connectivity.
- Implemented tests for Postfix TLS configuration.
- TODO: Tests for Sieve TLS configuration have not been written yet due to
limitation of available tools.
---

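# Preparation play: refresh the APT package index on every host in the test
# inventory (see the task name for the rationale).
- hosts: all
  tasks:

    - name: Update all caches to avoid errors due to missing remote archives
      apt:
        # Canonical boolean; "yes" is only read as a boolean under YAML 1.1
        # implicit typing.
        update_cache: true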

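# Test fixture play: prepare the backup-server host as an SSH-reachable backup
# target with fixed host keys and one account per entry in backup_users.
- hosts: backup-server
  tasks:

    # The private host keys are test fixtures read from tests/data/ssh on the
    # control machine. Fixed host keys let the client plays pin the matching
    # .pub files through backup_server_host_ssh_public_keys. These keys must
    # never be reused outside the test environment; a non-test playbook that
    # handles real host keys would also set "no_log: true" on this task so key
    # material cannot surface in task output.
    # NOTE(review): the DSA key is presumably kept for legacy coverage; OpenSSH
    # has disabled ssh-dss by default since 7.0 - confirm it is still needed.
    - name: Deploy SSH server keys
      copy:
        # lookup('file', ...) drops the trailing newline, so it is added back.
        content: "{{ lookup('file', item.key) + '\n' }}"
        dest: "{{ item.value }}"
        owner: root
        group: root
        # Quoted so the mode does not depend on YAML 1.1 octal parsing;
        # private host keys stay readable by root only.
        mode: "0600"
      with_dict:
        tests/data/ssh/server_dsa: /etc/ssh/ssh_host_dsa_key
        tests/data/ssh/server_rsa: /etc/ssh/ssh_host_rsa_key
        tests/data/ssh/server_ed25519: /etc/ssh/ssh_host_ed25519_key
        tests/data/ssh/server_ecdsa: /etc/ssh/ssh_host_ecdsa_key
      notify:
        - Restart ssh

    # Each backup user gets a primary group of the same name.
    - name: Set-up backup user groups
      group:
        name: "{{ item.name }}"
      with_items: "{{ backup_users }}"

    - name: Set-up backup users
      user:
        name: "{{ item.name }}"
        group: "{{ item.name }}"
      with_items: "{{ backup_users }}"

    # Authorises exactly one public key per backup user (see backup_users).
    - name: Set-up authorised keys
      authorized_key:
        user: "{{ item.name }}"
        key: "{{ item.key }}"
      with_items: "{{ backup_users }}"

    # Redirects TCP ports 2222 and 3333 to the SSH daemon on port 22.
    # "-A" appends a new rule on every run and changed_when hides that, so
    # repeated runs accumulate duplicate NAT rules; tolerable only on
    # throw-away test machines.
    # NOTE(review): 3333 matches backup_server_port of parameters-optional;
    # 2222 is presumably the backup_client role default - confirm.
    - name: Set-up port forwarding
      command: "iptables -t nat -A PREROUTING -p tcp -m tcp --dport '{{ item }}' -j REDIRECT --to-ports 22"
      changed_when: false
      with_items:
        - 2222
        - 3333

    # NOTE(review): /duplicity is presumably the default remote destination
    # used by the parameters-mandatory client - confirm against the role.
    - name: Set-up directory for parameters-mandatory backups
      file:
        path: /duplicity
        state: directory
        owner: bak-parameters-mandatory
        group: bak-parameters-mandatory
        # Quoted for the same reason as above; only the owning backup user
        # may enter the directory.
        mode: "0700"

  handlers:
    # Triggered by "Deploy SSH server keys" when a host key file changes.
    - name: Restart ssh
      service:
        name: ssh
        state: restarted

  vars:
    # One entry per test client: account name on the backup server and the
    # public key (test fixture) authorised for it.
    backup_users:
      - name: bak-parameters-mandatory
        key: "{{ lookup('file', 'tests/data/ssh/parameters-mandatory.pub') }}"
      - name: backupuser
        key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}"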

# Client under test that, judging by the host name, sets only the mandatory
# backup_client parameters and leaves the rest to the role.
- hosts: 'parameters-mandatory'
  roles:
    - role: 'backup_client'
      # GnuPG key material read from a tests/data/gnupg fixture on the control
      # machine; test-only, never to be reused elsewhere.
      backup_encryption_key: "{{ lookup('file', 'tests/data/gnupg/parameters-mandatory.asc') }}"
      backup_server: '10.31.127.10'
      # Public halves of the server_* host keys deployed on backup-server, so
      # the client has known host keys for the backup server.
      backup_server_host_ssh_public_keys:
        - "{{ lookup('file', 'tests/data/ssh/server_dsa.pub') }}"
        - "{{ lookup('file', 'tests/data/ssh/server_rsa.pub') }}"
        - "{{ lookup('file', 'tests/data/ssh/server_ed25519.pub') }}"
        - "{{ lookup('file', 'tests/data/ssh/server_ecdsa.pub') }}"
      # Key file without the .pub suffix; its .pub counterpart is authorised
      # for bak-parameters-mandatory on backup-server.
      backup_ssh_key: "{{ lookup('file', 'tests/data/ssh/parameters-mandatory' ) }}"

# Client under test that, judging by the host name, also exercises the
# optional backup_client parameters (extra keys, user, destination, port).
- hosts: 'parameters-optional'
  roles:
    - role: 'backup_client'
      # Further GnuPG keys from tests/data/gnupg fixtures.
      # NOTE(review): presumably extra recipients for backup encryption -
      # confirm against the role documentation.
      backup_additional_encryption_keys:
        - "{{ lookup('file', 'tests/data/gnupg/additional_encryption_key_1.asc') }}"
        - "{{ lookup('file', 'tests/data/gnupg/additional_encryption_key_2.asc') }}"
        - "{{ lookup('file', 'tests/data/gnupg/additional_encryption_key_3.asc') }}"
      # Matches the "backupuser" account created on backup-server.
      backup_client_username: 'backupuser'
      # GnuPG key material read from a test fixture; test-only.
      backup_encryption_key: "{{ lookup('file', 'tests/data/gnupg/parameters-optional.asc') }}"
      backup_server: '10.31.127.10'
      backup_server_destination: '/home/backupuser'
      # Public halves of the server_* host keys deployed on backup-server, so
      # the client has known host keys for the backup server.
      backup_server_host_ssh_public_keys:
        - "{{ lookup('file', 'tests/data/ssh/server_dsa.pub') }}"
        - "{{ lookup('file', 'tests/data/ssh/server_rsa.pub') }}"
        - "{{ lookup('file', 'tests/data/ssh/server_ed25519.pub') }}"
        - "{{ lookup('file', 'tests/data/ssh/server_ecdsa.pub') }}"
      # One of the ports that backup-server redirects to its SSH daemon.
      backup_server_port: 3333
      # Key file without the .pub suffix; its .pub counterpart is authorised
      # for backupuser on backup-server.
      backup_ssh_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional' ) }}"


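# Deploy a dummy pre-backup script for testing purposes.
- hosts: parameters-mandatory,parameters-optional
  tasks:

    # Copies the fixture script into the pre.d directory of the "main" duply
    # profile on both client hosts.
    - name: Deploy pre-backup script
      copy:
        src: tests/data/10-test-pre-backup.sh
        dest: /etc/duply/main/pre.d/10-test-pre-backup.sh
        owner: root
        group: root
        # Quoted so the mode does not depend on YAML 1.1 octal parsing; the
        # script stays readable and executable by root only.
        mode: "0700"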