MAR-189: Added support for Debian 11 Bullseye to xmpp_server role:
- Roll-out LDAP client configuration since Bullseye does not come with
a stock one at /etc/ldap/ldap.conf that sets the trust anchor
correctly for validating LDAP server certificates.
- Drop the backports pinning in case of Bullseye (for now let's try to
keep the Buster and Bullseye at same versions for simplicity).
- Drop installation of Python apt bindings (no longer used).
- Tests for Buster and Bullseye need to be split-up a bit due to some
differences around backports etc.
- Roll-out LDAP client configuration since Bullseye does not come with
a stock one at /etc/ldap/ldap.conf that sets the trust anchor
correctly for validating LDAP server certificates.
- Drop the backports pinning in case of Bullseye (for now let's try to
keep the Buster and Bullseye at same versions for simplicity).
- Drop installation of Python apt bindings (no longer used).
- Tests for Buster and Bullseye need to be split-up a bit due to some
differences around backports etc.
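---
# Tasks for the backup_server role: installs duplicity/duply, provisions one
# system account per entry in backup_clients (home under /srv/backups/), and
# deploys a separate OpenSSH instance (configuration under /etc/ssh-backup/)
# through which those accounts connect, while denying them on the regular
# SSH daemon.
#
# Every client account and group is named "bak-" + item.server with dots
# replaced by underscores; the same expression is repeated in each task
# below because Ansible task files cannot share a role-local alias here.
#
# File modes are quoted so the YAML loader always hands Ansible a string;
# unquoted leading-zero literals rely on YAML 1.1 octal parsing.

- name: Install backup software
  apt:
    name:
      - duplicity
      - duply
    state: present

- name: Create directory for storing backups
  file:
    path: "/srv/backups"
    state: directory
    owner: root
    group: root
    mode: "0751"

- name: Create backup client groups
  group:
    name: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    # Group ID mirrors the client's uid when one is given; otherwise the
    # system picks.
    gid: "{{ item.uid | default(omit) }}"
    system: true
  with_items: "{{ backup_clients }}"

- name: Create backup client users
  user:
    name: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    group: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    # Membership in "backup" is what the DenyGroups rule below keys on.
    groups: "backup"
    uid: "{{ item.uid | default(omit) }}"
    system: true
    # Home directories are created by the dedicated task below with
    # root ownership, not by the user module.
    createhome: false
    state: present
    home: "/srv/backups/{{ item.server }}"
  with_items: "{{ backup_clients }}"

- name: Create home directories for backup client users
  file:
    path: "/srv/backups/{{ item.server }}"
    state: directory
    owner: root
    group: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    mode: "0750"
  with_items: "{{ backup_clients }}"

- name: Create duplicity directories for backup client users
  file:
    path: "/srv/backups/{{ item.server }}/duplicity"
    state: directory
    # The only path under the home that the client account itself can
    # write to.
    owner: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    group: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    mode: "0770"
  with_items: "{{ backup_clients }}"

- name: Create SSH directory for backup client users
  file:
    path: "/srv/backups/{{ item.server }}/.ssh"
    state: directory
    # Root-owned so the client account cannot replace its own key list.
    owner: root
    group: root
    mode: "0751"
  with_items: "{{ backup_clients }}"

- name: Populate authorized keys for backup client users
  authorized_key:
    user: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    key: "{{ item.public_key }}"
    # The .ssh directory is managed by the task above; let the module leave
    # its ownership and mode alone.
    manage_dir: false
    state: present
  with_items: "{{ backup_clients }}"

- name: Set-up authorized_keys file permissions for backup client users
  file:
    path: "/srv/backups/{{ item.server }}/.ssh/authorized_keys"
    state: file
    owner: root
    group: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    # Group-readable, root-writable: presumably so the client account can
    # read but not alter its own key list.
    mode: "0640"
  with_items: "{{ backup_clients }}"

- name: Deny the backup group login via regular SSH
  lineinfile:
    dest: "/etc/ssh/sshd_config"
    state: present
    line: "DenyGroups backup"
    # Refuse to write a configuration the daemon cannot parse; a broken
    # sshd_config would otherwise lock administrators out at the next restart.
    validate: "/usr/sbin/sshd -t -f %s"
  # NOTE(review): without insertafter/regexp the line is appended at EOF; if
  # the existing sshd_config ends with a Match block, DenyGroups would be
  # scoped to that block only -- confirm against the deployed file.
  notify:
    - Restart SSH

- name: Set-up directory for the backup OpenSSH server instance
  file:
    path: "/etc/ssh-backup/"
    state: directory
    owner: root
    group: root
    mode: "0700"

- name: Deploy configuration file for the backup OpenSSH server instance service
  copy:
    src: "ssh-backup.default"
    dest: "/etc/default/ssh-backup"
    owner: root
    group: root
    mode: "0644"
  notify:
    - Restart backup SSH server

- name: Deploy configuration file for the backup OpenSSH server instance
  copy:
    src: "backup-sshd_config"
    dest: "/etc/ssh-backup/sshd_config"
    owner: root
    group: root
    mode: "0600"
  notify:
    - Restart backup SSH server

- name: Deploy the private keys for backup OpenSSH server instance
  template:
    src: "ssh_host_key.j2"
    # One host key per entry in backup_host_ssh_private_keys, keyed by type.
    dest: "/etc/ssh-backup/ssh_host_{{ item.key }}_key"
    owner: root
    group: root
    mode: "0600"
  with_dict: "{{ backup_host_ssh_private_keys }}"
  notify:
    - Restart backup SSH server
  # Keeps private key material out of task output and logs.
  no_log: true

- name: Deploy backup OpenSSH server systemd service file
  copy:
    src: "ssh-backup.service"
    dest: "/etc/systemd/system/ssh-backup.service"
    owner: root
    group: root
    mode: "0644"
  notify:
    # systemd must re-read unit files before the new unit can be restarted.
    - Reload systemd
    - Restart backup SSH server

- name: Start and enable OpenSSH backup service
  service:
    name: "ssh-backup"
    state: started
    enabled: true

- name: Deploy firewall configuration for backup server
  template:
    src: "ferm_backup.conf.j2"
    dest: "/etc/ferm/conf.d/40-backup.conf"
    owner: root
    group: root
    mode: "0640"
  notify:
    - Restart ferm

# NOTE(review): `include` is deprecated in favour of include_tasks /
# import_tasks in newer Ansible releases; tag and conditional semantics
# differ between those two, so confirm behaviour before migrating.
- name: Explicitly run all handlers
  include: ../handlers/main.yml
  when: "run_handlers | default(False) | bool()"
  tags:
    - handlers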