
Location: majic-ansible-roles/roles/backup_server/tasks/main.yml

branko
Noticket: Fixed ldap_permissions module - if no olcAccess rules are defined, assume empty list (otherwise we get key lookup exception).
---

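- name: Install backup software
  # "installed" is a deprecated alias of "present" that newer apt module
  # versions reject; "present" has always been accepted and means the same.
  apt:
    name: "{{ item }}"
    state: present
  with_items:
    - duplicity
    - duply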

- name: Create directory for storing backups
  # Top-level backup tree. Mode 751: everyone may traverse it but only root may
  # list it; each client's own directory below is further restricted by group.
  # The mode is quoted so YAML does not read it as the decimal integer 751.
  file:
    path: /srv/backups
    state: directory
    owner: root
    group: root
    mode: "751"

- name: Create backup client groups
  # One system group per client, named "bak-" + server name with dots replaced
  # by underscores. The gid follows the client's configured uid when one is
  # given; otherwise the parameter is omitted and the system picks a gid.
  group:
    name: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    gid: "{{ item.uid | default(omit) }}"
    system: true
  with_items: "{{ backup_clients }}"

- name: Create backup client users
  # One system user per client, primary group = its own "bak-" group, plus the
  # shared "backup" group (which is denied regular SSH login further below).
  # The home directory is not created here; a later task creates it root-owned.
  user:
    name: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    group: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    groups: backup
    uid: "{{ item.uid | default(omit) }}"
    system: true
    createhome: false
    state: present
    home: "/srv/backups/{{ item.server }}"
  with_items: "{{ backup_clients }}"

- name: Create home directories for backup client users
  # Home directory stays root-owned; the client's group gets read/traverse only
  # (750), so the client cannot alter the directory layout or its own .ssh.
  file:
    path: "/srv/backups/{{ item.server }}"
    state: directory
    owner: root
    group: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    mode: "750"
  with_items: "{{ backup_clients }}"

- name: Create duplicity directories for backup client users
  # The only writable location for the client: owned by its user and group,
  # no access for others (770).
  file:
    path: "/srv/backups/{{ item.server }}/duplicity"
    state: directory
    owner: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    group: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    mode: "770"
  with_items: "{{ backup_clients }}"

- name: Create SSH directory for backup client users
  # Root-owned .ssh directory (751): traversable so sshd can reach the
  # authorized_keys file, but not writable by the client user.
  file:
    path: "/srv/backups/{{ item.server }}/.ssh"
    state: directory
    owner: root
    group: root
    mode: "751"
  with_items: "{{ backup_clients }}"

- name: Populate authorized keys for backup client users
  # The .ssh directory was created root-owned by the previous task, so the
  # module must not try to create or re-own it (manage_dir disabled).
  authorized_key:
    user: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    key: "{{ item.public_key }}"
    manage_dir: false
    state: present
  with_items: "{{ backup_clients }}"

- name: Set-up authorized_keys file permissions for backup client users
  # Root owns the key file; the client's group may only read it (640). The
  # client user can therefore authenticate with the key but not add new ones.
  file:
    path: "/srv/backups/{{ item.server }}/.ssh/authorized_keys"
    state: file
    owner: root
    group: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    mode: "640"
  with_items: "{{ backup_clients }}"

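- name: Deny the backup group login via regular SSH
  # Global directive, so it is inserted at the top of the file rather than
  # appended: an appended line can land inside a trailing "Match" block, where
  # it would only apply to that block's conditions. If the exact line already
  # exists anywhere in the file, nothing is changed. The candidate file is
  # checked with "sshd -t" before it replaces the live configuration, so a
  # malformed sshd_config cannot lock administrators out of the host.
  lineinfile:
    dest: /etc/ssh/sshd_config
    state: present
    line: "DenyGroups backup"
    insertbefore: BOF
    validate: "sshd -t -f %s"
  notify:
    - Restart SSH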

- name: Set-up directory for the backup OpenSSH server instance
  # Holds the second sshd's configuration and host keys; root-only (700).
  file:
    path: /etc/ssh-backup/
    state: directory
    owner: root
    group: root
    mode: "700"

- name: Deploy configuration file for the backup OpenSSH server instance service
  # Environment/defaults file for the ssh-backup service; world-readable (644)
  # as is usual for /etc/default.
  copy:
    src: ssh-backup.default
    dest: /etc/default/ssh-backup
    owner: root
    group: root
    mode: "644"
  notify:
    - Restart backup SSH server

- name: Deploy configuration file for the backup OpenSSH server instance
  # sshd_config for the dedicated backup sshd; readable by root only (600).
  copy:
    src: backup-sshd_config
    dest: /etc/ssh-backup/sshd_config
    owner: root
    group: root
    mode: "600"
  notify:
    - Restart backup SSH server

- name: Deploy the private keys for backup OpenSSH server instance
  # backup_host_ssh_private_keys maps key type -> private key material; each
  # entry is written as ssh_host_<type>_key, root-only (600). no_log keeps the
  # key material out of Ansible output and logs.
  copy:
    content: "{{ item.value }}"
    dest: "/etc/ssh-backup/ssh_host_{{ item.key }}_key"
    owner: root
    group: root
    mode: "600"
  with_dict: "{{ backup_host_ssh_private_keys }}"
  no_log: true
  notify:
    - Restart backup SSH server

- name: Deploy backup OpenSSH server systemd service file
  # systemd must re-read units after the file changes, hence the reload handler
  # is notified before the restart handler.
  copy:
    src: ssh-backup.service
    dest: /etc/systemd/system/ssh-backup.service
    owner: root
    group: root
    mode: "644"
  notify:
    - Reload systemd
    - Restart backup SSH server

- name: Start and enable OpenSSH backup service
  # Ensure the dedicated backup sshd is running now and on every boot.
  service:
    name: ssh-backup
    state: started
    enabled: true

- name: Deploy firewall configuration for backup server
  # ferm rule fragment for the backup sshd; root-owned, group-readable (640).
  template:
    src: ferm_backup.conf.j2
    dest: /etc/ferm/conf.d/40-backup.conf
    owner: root
    group: root
    mode: "640"
  notify:
    - Restart ferm

- name: Explicitly run all handlers
  # Runs the role's handlers as ordinary tasks when the "handlers" variable is
  # truthy (e.g. a run limited to --tags handlers). The filter chain already
  # yields a boolean, so no comparison against True is needed.
  include: ../handlers/main.yml
  when: handlers | default(False) | bool
  tags:
    - handlers