MAR-239: Dropped support for Debian 11 Bullseye from the backup_client role:
- Switch to the Paramiko backend instead of pexpect (thereby avoiding the
  external SSH client binary).
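---
# Molecule "prepare" playbook for the backup_client role.
#
# First makes every instance reachable by Ansible (Python bootstrap, fresh
# apt cache), then turns the "backup-server" instance into an SFTP-only
# backup target: fixed SSH host keys taken from the test fixtures, chrooted
# backup users with their authorised keys, and port redirects so the client
# side can be exercised against non-default SSH ports.

- name: Prepare
  hosts: all
  gather_facts: false
  tasks:
    - name: Install python for Ansible
      # No facts and possibly no Python yet, so only "raw" is usable here.
      raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal)
      become: true
      changed_when: false

- name: Refresh package caches
  hosts: all
  become: true
  tasks:
    - name: Update all caches to avoid errors due to missing remote archives
      apt:
        update_cache: true
      changed_when: false

- name: Set-up the backup server
  hosts: backup-server
  become: true

  vars:
    # Users the backup client tests connect as. The public keys are test
    # fixtures kept next to the tests; each user also gets its own group.
    backup_users:
      - name: bak-param-mandatory-bookworm
        key: "{{ lookup('file', 'tests/data/ssh/parameters-mandatory.pub') }}"
      - name: backupuser
        key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}"

  tasks:
    - name: Deploy SSH server keys
      # Fixed host keys from the test fixtures, so the host key the clients
      # expect does not change between instance rebuilds. The trailing
      # newline is appended because the lookup strips it.
      # NOTE(review): the content is a private key; verbose/diff output of
      # this task would reveal it, so consider no_log: true if run logs are
      # retained anywhere.
      copy:
        content: "{{ lookup('file', item.key) + '\n' }}"
        dest: "{{ item.value }}"
        owner: root
        group: root
        # Quoted: an unquoted 0600 is a YAML 1.1 octal integer.
        mode: "0600"
      with_dict:
        tests/data/ssh/server_rsa: /etc/ssh/ssh_host_rsa_key
        tests/data/ssh/server_ed25519: /etc/ssh/ssh_host_ed25519_key
        tests/data/ssh/server_ecdsa: /etc/ssh/ssh_host_ecdsa_key
      notify:
        - Restart ssh

    - name: Drop the outdated public keys
      # The .pub files created at package install time no longer match the
      # private keys deployed above.
      file:
        path: "{{ item }}"
        state: absent
      with_items:
        - /etc/ssh/ssh_host_rsa_key.pub
        - /etc/ssh/ssh_host_ed25519_key.pub
        - /etc/ssh/ssh_host_ecdsa_key.pub

    - name: Force the use of internal-sftp subsystem for SFTP
      # The in-process SFTP server needs no sftp-server binary inside the
      # users' chroot.
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^Subsystem.*sftp"
        line: "Subsystem sftp internal-sftp"
        state: present

    - name: Deploy custom SSH server configuration that chroots users
      copy:
        src: "tests/data/backup_server-sshd-chroot_backup_users.conf"
        dest: "/etc/ssh/sshd_config.d/chroot_backup_users.conf"
        owner: root
        group: root
        mode: "0600"
      notify:
        - Restart ssh

    - name: Set-up backup group that will contain all backup users
      group:
        name: "backup-users"

    - name: Set-up backup user groups
      group:
        name: "{{ item.name }}"
      with_items: "{{ backup_users }}"

    - name: Set-up backup users
      user:
        name: "{{ item.name }}"
        group: "{{ item.name }}"
        groups:
          - "backup-users"
      with_items: "{{ backup_users }}"

    - name: Set-up authorised keys
      authorized_key:
        user: "{{ item.name }}"
        key: "{{ item.key }}"
      with_items: "{{ backup_users }}"

    - name: Set-up port forwarding
      # Redirect the alternative ports to sshd so the client can be tested
      # against a non-default port. The iptables module checks whether the
      # rule already exists before appending it, so re-running this play
      # does not accumulate duplicate rules (a plain "iptables -A" command
      # did).
      iptables:
        table: nat
        chain: PREROUTING
        protocol: tcp
        match: tcp
        destination_port: "{{ item }}"
        jump: REDIRECT
        to_ports: "22"
      with_items:
        - "2222"
        - "3333"

    - name: Change ownership of home directories for SFTP chroot to work
      # sshd refuses a ChrootDirectory that is not root-owned or that is
      # writable by anyone else.
      file:
        path: "/home/{{ item.name }}"
        state: directory
        owner: root
        group: root
        mode: "0755"
      with_items: "{{ backup_users }}"

    - name: Set-up duplicity backup directories
      # The only location below the chroot the backup users can write to.
      file:
        path: "~{{ item.name }}/duplicity"
        state: directory
        owner: root
        group: backup-users
        mode: "0770"
      with_items: "{{ backup_users }}"

  handlers:
    - name: Restart ssh
      service:
        name: ssh
        state: restarted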