Files
@ cd0056b93cda
Branch filter:
Location: majic-ansible-roles/roles/backup_client/molecule/default/prepare.yml
cd0056b93cda
3.3 KiB
text/x-yaml
MAR-156: Drop use of DSA keys from all backup-related roles. Includes updates to tests for other roles as well.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 | ---
- name: Prepare
hosts: all
gather_facts: false
tasks:
- name: Install python for Ansible
raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal)
become: true
changed_when: false
- hosts: all
become: true
tasks:
- name: Update all caches to avoid errors due to missing remote archives
apt:
update_cache: true
changed_when: false
- hosts: backup-server
become: true
tasks:
- name: Deploy SSH server keys
copy:
content: "{{ lookup('file', item.key) + '\n' }}"
dest: "{{ item.value }}"
owner: root
group: root
mode: 0600
with_dict:
tests/data/ssh/server_rsa: /etc/ssh/ssh_host_rsa_key
tests/data/ssh/server_ed25519: /etc/ssh/ssh_host_ed25519_key
tests/data/ssh/server_ecdsa: /etc/ssh/ssh_host_ecdsa_key
notify:
- Restart ssh
- name: Deploy custom SSH server configuration that chroots users
copy:
src: "tests/data/backup_server_custom-sshd_config"
dest: "/etc/ssh/sshd_config"
owner: root
group: root
mode: 0600
notify:
- Restart ssh
- name: Set-up backup group that will contain all backup users
group:
name: "backup-users"
- name: Set-up backup user groups
group:
name: "{{ item.name }}"
with_items: "{{ backup_users }}"
- name: Set-up backup users
user:
name: "{{ item.name }}"
group: "{{ item.name }}"
groups:
- "backup-users"
with_items: "{{ backup_users }}"
- name: Set-up authorised keys
authorized_key:
user: "{{ item.name }}"
key: "{{ item.key }}"
with_items: "{{ backup_users }}"
- name: Set-up port forwarding
command: "iptables -t nat -A PREROUTING -p tcp -m tcp --dport '{{ item }}' -j REDIRECT --to-ports 22"
changed_when: false
with_items:
- 2222
- 3333
- name: Change ownership of home directories for SFTP chroot to work
file:
path: "{{ item }}"
state: directory
owner: root
group: root
mode: 0755
with_items:
- /home/backupuser
- /home/bak-parameters-mandatory-s64
- /home/bak-parameters-mandatory-j64
- name: Set-up duplicity backup directories
file:
path: "~{{ item.name }}/duplicity"
state: directory
owner: root
group: backup-users
mode: 0770
with_items: "{{ backup_users }}"
- name: Set-up directories for parameters-optional backups
file:
path: "~backupuser/duplicity/{{ item }}"
state: directory
owner: backupuser
group: backupuser
mode: 0700
with_items:
- "parameters-optional-s64"
- "parameters-optional-j64"
handlers:
- name: Restart ssh
service:
name: ssh
state: restarted
vars:
backup_users:
- name: bak-parameters-mandatory-j64
key: "{{ lookup('file', 'tests/data/ssh/parameters-mandatory.pub') }}"
- name: bak-parameters-mandatory-s64
key: "{{ lookup('file', 'tests/data/ssh/parameters-mandatory.pub') }}"
- name: backupuser
key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}"
|