
Location: majic-ansible-roles/roles/backup_server/tasks/main.yml

branko
MAR-145: Switch to using Bash process substitution instead of managing a bunch of temporary files.
---

- name: Install backup software
  # Backup tooling comes from the distribution repositories; nothing is
  # pinned, so the packages follow whatever the release ships.
  apt:
    state: present
    name:
      - duplicity
      - duply

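- name: Create directory for storing backups
  # Top-level directory that holds one subdirectory per backup client. Others
  # only get the execute (traverse) bit, so a client account can reach its own
  # subdirectory without being able to list the rest.
  file:
    path: "/srv/backups"
    state: directory
    owner: root
    group: root
    # Quoted: Ansible converts a string mode as octal, whereas an unquoted
    # leading-zero literal depends on YAML 1.1 octal parsing and would become
    # decimal 751 under a YAML 1.2 parser.
    mode: "0751"
  tags:
    # [ANSIBLE0009] Octal file permissions must contain leading zero
    #   Misleading message, linting is complaining here actually because of the
    #   executable bit without read/write for others (e.g. the "1" in "0751").
    - skip_ansible_lint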

- name: Create backup client groups
  # One system group per client. The group name is derived from the client's
  # server name (dots replaced by underscores, prefixed with "bak-"). When a
  # client entry carries a uid, the same number is used as the gid so the
  # user and group ids line up; otherwise the system picks one.
  group:
    system: true
    gid: "{{ item.uid | default(omit) }}"
    name: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
  with_items: '{{ backup_clients }}'

- name: Create backup client users
  # One system account per client, named like its primary group. Membership in
  # the shared "backup" group is what the sshd DenyGroups rule below keys on.
  # Without append: true the supplementary groups are set to exactly this list
  # on every run. The home directory is not created here; a later task creates
  # it root-owned with the client's group.
  # createhome is the pre-2.5 spelling of create_home, kept for compatibility.
  user:
    state: present
    system: true
    createhome: false
    name: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    uid: "{{ item.uid | default(omit) }}"
    group: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    groups: 'backup'
    home: '/srv/backups/{{ item.server }}'
  with_items: '{{ backup_clients }}'

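- name: Create home directories for backup client users
  # Root-owned so the client cannot change permissions or the .ssh directory
  # under it; the client's group gets read/traverse so the account can still
  # use the directory.
  file:
    path: "/srv/backups/{{ item.server }}"
    state: directory
    owner: root
    group: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    # Quoted: a string mode is converted as octal by Ansible regardless of
    # whether the YAML parser follows 1.1 (octal literal) or 1.2 (decimal).
    mode: "0750"
  with_items: "{{ backup_clients }}"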

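- name: Create duplicity directories for backup client users
  # The only directory the client account itself owns and can write to; it is
  # not world-accessible.
  file:
    path: "/srv/backups/{{ item.server }}/duplicity"
    state: directory
    owner: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    group: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    # Quoted: a string mode is converted as octal by Ansible regardless of
    # whether the YAML parser follows 1.1 (octal literal) or 1.2 (decimal).
    mode: "0770"
  with_items: "{{ backup_clients }}"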

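- name: Create SSH directory for backup client users
  # Root-owned .ssh directory so the client account cannot replace or add to
  # its own authorized_keys; others get traverse only so the key file inside
  # remains reachable.
  file:
    path: "/srv/backups/{{ item.server }}/.ssh"
    state: directory
    owner: root
    group: root
    # Quoted: a string mode is converted as octal by Ansible regardless of
    # whether the YAML parser follows 1.1 (octal literal) or 1.2 (decimal).
    mode: "0751"
  with_items: "{{ backup_clients }}"
  tags:
    # [ANSIBLE0009] Octal file permissions must contain leading zero
    #   Misleading message, linting is complaining here actually because of the
    #   executable bit without read/write for others (e.g. the "1" in "0751").
    - skip_ansible_lint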

- name: Populate authorized keys for backup client users
  # manage_dir is off so the module leaves the root-owned .ssh directory
  # created in the previous task untouched (it would otherwise reset its
  # owner and permissions to the client account).
  # NOTE(review): without exclusive: true, a key removed from backup_clients
  # stays in authorized_keys until it is deleted by hand.
  authorized_key:
    state: present
    manage_dir: false
    user: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    key: '{{ item.public_key }}'
  with_items: '{{ backup_clients }}'

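- name: Set-up authorized_keys file permissions for backup client users
  # Root-owned and only group-readable: the client account can be authenticated
  # against the file but cannot add keys of its own. state: file fails if the
  # file does not exist, so this must stay after the task that populates it.
  file:
    path: "/srv/backups/{{ item.server }}/.ssh/authorized_keys"
    state: file
    owner: root
    group: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    # Quoted: a string mode is converted as octal by Ansible regardless of
    # whether the YAML parser follows 1.1 (octal literal) or 1.2 (decimal).
    mode: "0640"
  with_items: "{{ backup_clients }}"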

- name: Deny the backup group login via regular SSH
  # Backup client accounts may only use the dedicated backup sshd instance
  # configured below, never the regular one. With no regexp, the line is
  # appended at the end of the file when it is absent.
  # NOTE(review): if sshd_config ends with a Match block, an appended
  # DenyGroups line lands inside that block and only applies there; worth
  # verifying on hosts with a customised sshd_config.
  lineinfile:
    state: present
    dest: '/etc/ssh/sshd_config'
    line: 'DenyGroups backup'
  notify:
    - Restart SSH

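- name: Set-up directory for the backup OpenSSH server instance
  # Holds the second sshd instance's configuration and host keys; root only.
  file:
    path: "/etc/ssh-backup/"
    state: directory
    owner: root
    group: root
    # Quoted: a string mode is converted as octal by Ansible regardless of
    # whether the YAML parser follows 1.1 (octal literal) or 1.2 (decimal).
    mode: "0700"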

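- name: Deploy configuration file for the backup OpenSSH server instance service
  # /etc/default file read by the ssh-backup service; contains no secrets, so
  # it is world-readable like the other files in /etc/default.
  copy:
    src: "ssh-backup.default"
    dest: "/etc/default/ssh-backup"
    owner: root
    group: root
    # Quoted: a string mode is converted as octal by Ansible regardless of
    # whether the YAML parser follows 1.1 (octal literal) or 1.2 (decimal).
    mode: "0644"
  notify:
    - Restart backup SSH server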

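- name: Deploy configuration file for the backup OpenSSH server instance
  # A per-release sshd_config is shipped, selected by ansible_distribution_release,
  # so the role fails with a missing-file error rather than deploying a config
  # written for a different OpenSSH version.
  copy:
    src: "backup-sshd_config-{{ ansible_distribution_release }}"
    dest: "/etc/ssh-backup/sshd_config"
    owner: root
    group: root
    # Quoted: a string mode is converted as octal by Ansible regardless of
    # whether the YAML parser follows 1.1 (octal literal) or 1.2 (decimal).
    mode: "0600"
  notify:
    - Restart backup SSH server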

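- name: Deploy the private keys for backup OpenSSH server instance
  # One host key file per entry in backup_host_ssh_private_keys, named after
  # the dict key. no_log keeps the key material out of task output and logs;
  # the file itself is readable by root only.
  template:
    src: "ssh_host_key.j2"
    dest: "/etc/ssh-backup/ssh_host_{{ item.key }}_key"
    owner: root
    group: root
    # Quoted: a string mode is converted as octal by Ansible regardless of
    # whether the YAML parser follows 1.1 (octal literal) or 1.2 (decimal).
    mode: "0600"
  with_dict: "{{ backup_host_ssh_private_keys }}"
  notify:
    - Restart backup SSH server
  no_log: true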

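- name: Deploy backup OpenSSH server systemd service file
  # Unit file for the second sshd instance. systemd must be reloaded before
  # the (re)start so a changed unit definition is picked up.
  copy:
    src: "ssh-backup.service"
    dest: "/etc/systemd/system/ssh-backup.service"
    owner: root
    group: root
    # Quoted: a string mode is converted as octal by Ansible regardless of
    # whether the YAML parser follows 1.1 (octal literal) or 1.2 (decimal).
    mode: "0644"
  notify:
    - Reload systemd
    - Restart backup SSH server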

- name: Start and enable OpenSSH backup service
  # Ensures the instance is running now and comes back after a reboot;
  # configuration changes are picked up by the notified restart handler.
  service:
    enabled: true
    state: started
    name: 'ssh-backup'

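- name: Deploy firewall configuration for backup server
  # ferm rules fragment for the backup sshd instance, rendered from a template
  # and loaded by the ferm restart handler.
  template:
    src: "ferm_backup.conf.j2"
    dest: "/etc/ferm/conf.d/40-backup.conf"
    owner: root
    group: root
    # Quoted: a string mode is converted as octal by Ansible regardless of
    # whether the YAML parser follows 1.1 (octal literal) or 1.2 (decimal).
    mode: "0640"
  notify:
    - Restart ferm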

- name: Explicitly run all handlers
  # Lets a run with run_handlers set (e.g. -e run_handlers=true) fire every
  # handler of the role even when no task reported a change.
  # NOTE(review): the static `include` is deprecated in newer Ansible in
  # favour of import_tasks/include_tasks; left as-is because switching changes
  # how tags and when propagate to the included tasks.
  include: ../handlers/main.yml
  when: run_handlers | default(false) | bool
  tags:
    - handlers