
branko
MAR-218: Switch to using fully-qualified collection names for all tasks:

- Ensures there is no ambiguity when invoking a module.
---

# Server-side tooling the backup clients rely on (duplicity and duply).
- name: Install backup software
  ansible.builtin.apt:
    state: present
    name:
      - duplicity
      - duply

# Top-level directory that holds one sub-directory per backup client.
# Kept root-owned; the world-execute bit lets the client accounts traverse
# into their own home below it, while the missing read bit stops them from
# listing the other clients' directories (each of those is 0750 anyway).
- name: Create directory for storing backups
  ansible.builtin.file:
    path: /srv/backups
    state: directory
    mode: "0751"
    owner: root
    group: root

# One private system group per client, named bak-<server> with the dots of
# the server name turned into underscores. When a client pins a uid, the
# same number is used as gid so the account created next has matching ids.
- name: Create backup client groups
  ansible.builtin.group:
    system: true
    name: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    gid: "{{ item.uid | default(omit) }}"
  loop: "{{ backup_clients }}"

# One system account per client. Its primary group is the private bak-*
# group created above; its only secondary group is "backup" (append is not
# set, so any other secondary group is dropped), which the regular sshd
# denies in a later task. The home directory is deliberately not created
# here: the next task creates it root-owned so the client cannot tamper
# with its own .ssh directory.
# NOTE(review): no shell is set, so the distribution default applies;
# confirm that backup-sshd_config restricts what these accounts can run.
- name: Create backup client users
  ansible.builtin.user:
    state: present
    system: true
    name: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    uid: "{{ item.uid | default(omit) }}"
    group: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    groups: backup
    home: "/srv/backups/{{ item.server }}"
    create_home: false
  loop: "{{ backup_clients }}"

# Per-client home directory, root-owned and only group-accessible: the
# client account can read and traverse it but cannot create or rename
# entries in it (its writable area is the duplicity sub-directory created
# next). A home that is not group/world-writable also keeps sshd's
# StrictModes check happy.
- name: Create home directories for backup client users
  ansible.builtin.file:
    path: "/srv/backups/{{ item.server }}"
    state: directory
    mode: "0750"
    owner: root
    group: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
  loop: "{{ backup_clients }}"

# The one location a client is meant to write to: owned by the client
# account and writable by its private group.
# NOTE(review): 0770 also grants write access to every member of the bak-*
# group; if that group never holds anything but the client account itself,
# 0750 would be equivalent -- confirm before tightening.
- name: Create duplicity directories for backup client users
  ansible.builtin.file:
    path: "/srv/backups/{{ item.server }}/duplicity"
    state: directory
    mode: "0770"
    owner: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    group: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
  loop: "{{ backup_clients }}"

# Root-owned .ssh directory so the client cannot add or replace keys on
# its own; the execute bits keep it traversable so the client account can
# still reach its authorized_keys file. Reachability from other users is
# already cut off by the 0750 home directory above it.
- name: Create SSH directory for backup client users
  ansible.builtin.file:
    path: "/srv/backups/{{ item.server }}/.ssh"
    state: directory
    mode: "0751"
    owner: root
    group: root
  loop: "{{ backup_clients }}"

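# Authorised key(s) for each client account. The .ssh directory is created
# root-owned by the previous task, so the module must not try to create or
# re-permission it (manage_dir: false). exclusive: true makes the configured
# key(s) the only content of authorized_keys, so a key that is rotated or
# removed in backup_clients stops working instead of lingering on the
# server; exclusivity applies per loop iteration, which is exactly right
# here because every iteration targets a different user. Several keys for
# one client can still be passed newline-separated in public_key.
# NOTE(review): no key_options (restrict, no-pty, ...) are applied here;
# confirm that backup-sshd_config itself disables forwarding and pty
# allocation for these accounts, or add them via key_options.
- name: Populate authorized keys for backup client users
  ansible.posix.authorized_key:
    user: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    key: "{{ item.public_key }}"
    exclusive: true
    manage_dir: false
    state: present
  loop: "{{ backup_clients }}"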

# authorized_keys stays root-owned and merely group-readable: the client
# account can present it to sshd but cannot append keys of its own, and a
# file that is not group-writable passes sshd's StrictModes check. Runs
# after the authorized_key module so whatever mode that module left behind
# is overridden.
- name: Set-up authorized_keys file permissions for backup client users
  ansible.builtin.file:
    path: "/srv/backups/{{ item.server }}/.ssh/authorized_keys"
    state: file
    mode: "0640"
    owner: root
    group: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
  loop: "{{ backup_clients }}"

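# Lock the "backup" group (every client account is a member) out of the
# regular sshd, so clients cannot open ordinary SSH sessions on this host.
# The directive is inserted before the first Match block if there is one:
# DenyGroups is a valid keyword inside Match, so a line appended at the end
# of a file that ends in a Match block would apply to that block only
# instead of globally. Without a Match block the line is appended at the
# end as before. The candidate file is syntax-checked with `sshd -t` before
# it replaces the live config, because a broken sshd_config followed by
# the notified restart would lock administrators out of the host.
- name: Deny the backup group login via regular SSH
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    state: present
    line: "DenyGroups backup"
    insertbefore: '(?i)^\s*Match\b'
    firstmatch: true
    validate: "/usr/sbin/sshd -t -f %s"
  notify:
    - Restart SSH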

# Configuration directory of the dedicated backup sshd instance. It will
# hold that instance's host private keys, so nothing but root may even
# list it.
- name: Set-up directory for the backup OpenSSH server instance
  ansible.builtin.file:
    path: /etc/ssh-backup/
    state: directory
    mode: "0700"
    owner: root
    group: root

# Service-level defaults for the backup sshd instance (presumably consumed
# by the ssh-backup.service unit deployed further down; the unit file
# itself is not part of this task list). World-readable like any
# /etc/default file, so nothing secret belongs in it.
- name: Deploy configuration file for the backup OpenSSH server instance service
  ansible.builtin.copy:
    dest: /etc/default/ssh-backup
    src: ssh-backup.default
    mode: "0644"
    owner: root
    group: root
  notify:
    - Restart backup SSH server

# sshd_config of the backup instance, readable by root only.
# NOTE(review): this copy is not validated with `sshd -t`; adding a
# validate step here would require the instance's host keys (deployed by
# the next task) to already exist on a first run, so reorder the two tasks
# before introducing one.
- name: Deploy configuration file for the backup OpenSSH server instance
  ansible.builtin.copy:
    dest: /etc/ssh-backup/sshd_config
    src: backup-sshd_config
    mode: "0600"
    owner: root
    group: root
  notify:
    - Restart backup SSH server

# Host private keys of the backup instance, one file per key type taken
# from the backup_host_ssh_private_keys mapping (the key type is the dict
# key, the material comes from the template). Root-only files, and no_log
# keeps the key material out of task output and logs.
- name: Deploy the private keys for backup OpenSSH server instance
  ansible.builtin.template:
    dest: "/etc/ssh-backup/ssh_host_{{ item.key }}_key"
    src: ssh_host_key.j2
    mode: "0600"
    owner: root
    group: root
  loop: "{{ backup_host_ssh_private_keys | dict2items }}"
  no_log: true
  notify:
    - Restart backup SSH server

# systemd unit for the backup sshd instance. systemd has to be reloaded
# before the (re)start so a changed unit definition is actually picked up.
- name: Deploy backup OpenSSH server systemd service file
  ansible.builtin.copy:
    dest: /etc/systemd/system/ssh-backup.service
    src: ssh-backup.service
    mode: "0644"
    owner: root
    group: root
  notify:
    - Reload systemd
    - Restart backup SSH server

# Make sure the backup sshd instance is running now and comes back on boot.
- name: Start and enable OpenSSH backup service
  ansible.builtin.service:
    name: ssh-backup
    enabled: true
    state: started

# ferm rules for the backup server, dropped into the conf.d directory so
# they are loaded alongside the base rule set; ferm is restarted so they
# take effect.
- name: Deploy firewall configuration for backup server
  ansible.builtin.template:
    dest: /etc/ferm/conf.d/40-backup.conf
    src: ferm_backup.conf.j2
    mode: "0640"
    owner: root
    group: root
  notify:
    - Restart ferm

# Optional escape hatch: when run_handlers is set (e.g. to force a service
# restart), include the handler file as ordinary tasks so every handler
# runs unconditionally.
- name: Explicitly run all handlers
  ansible.builtin.include_tasks: ../handlers/main.yml
  tags:
    - handlers
  when: "run_handlers | default(False) | bool"