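---
# Backup server tasks: install duplicity/duply, provision one locked-down
# system account per backup client under /srv/backups, serve those accounts
# through a dedicated OpenSSH instance (ssh-backup) and open the firewall for it.
#
# Variables read by this file:
#   backup_clients               - list of mappings with `server`, `public_key`
#                                  and an optional `uid` (used for both uid/gid)
#   backup_host_ssh_private_keys - mapping of key type -> private key material
#   run_handlers                 - optional; when true, all handlers are run
#                                  explicitly by the last task

- name: Install backup software
  ansible.builtin.apt:
    name:
      - duplicity
      - duply
    state: present

- name: Create directory for storing backups
  ansible.builtin.file:
    path: "/srv/backups"
    state: directory
    owner: root
    group: root
    mode: "0751"

# Every client gets a system account and group named bak-<server>, with dots in
# the server name replaced by underscores so the result is a valid account name.
# The expression is defined once per task as `backup_client_name` instead of
# being repeated inline; task-level vars are templated per loop item.
- name: Create backup client groups
  ansible.builtin.group:
    name: "{{ backup_client_name }}"
    gid: "{{ item.uid | default(omit) }}"
    system: true
  loop: "{{ backup_clients }}"
  vars:
    backup_client_name: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"

- name: Create backup client users
  ansible.builtin.user:
    name: "{{ backup_client_name }}"
    group: "{{ backup_client_name }}"
    # Supplementary group `backup` is what sshd_config denies below, so these
    # accounts can only reach the dedicated backup SSH instance.
    groups: "backup"
    uid: "{{ item.uid | default(omit) }}"
    system: true
    # The home directory is created root-owned by the next task, not by useradd.
    create_home: false
    state: present
    home: "/srv/backups/{{ item.server }}"
  loop: "{{ backup_clients }}"
  vars:
    backup_client_name: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"

- name: Create home directories for backup client users
  ansible.builtin.file:
    path: "/srv/backups/{{ item.server }}"
    state: directory
    owner: root
    group: "{{ backup_client_name }}"
    mode: "0750"
  loop: "{{ backup_clients }}"
  vars:
    backup_client_name: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"

# The duplicity subdirectory is the only part of the tree the client may write.
- name: Create duplicity directories for backup client users
  ansible.builtin.file:
    path: "/srv/backups/{{ item.server }}/duplicity"
    state: directory
    owner: "{{ backup_client_name }}"
    group: "{{ backup_client_name }}"
    mode: "0770"
  loop: "{{ backup_clients }}"
  vars:
    backup_client_name: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"

# .ssh and authorized_keys stay root-owned and read-only for the client, so the
# client cannot add its own keys.
- name: Create SSH directory for backup client users
  ansible.builtin.file:
    path: "/srv/backups/{{ item.server }}/.ssh"
    state: directory
    owner: root
    group: root
    mode: "0751"
  loop: "{{ backup_clients }}"

- name: Populate authorized keys for backup client users
  ansible.posix.authorized_key:
    user: "{{ backup_client_name }}"
    key: "{{ item.public_key }}"
    # The directory is managed root-owned by the task above.
    manage_dir: false
    state: present
  loop: "{{ backup_clients }}"
  vars:
    backup_client_name: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"

- name: Set-up authorized_keys file permissions for backup client users
  ansible.builtin.file:
    path: "/srv/backups/{{ item.server }}/.ssh/authorized_keys"
    state: file
    owner: root
    group: "{{ backup_client_name }}"
    mode: "0640"
  loop: "{{ backup_clients }}"
  vars:
    backup_client_name: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"

- name: Deny the backup group login via regular SSH
  ansible.builtin.lineinfile:
    path: "/etc/ssh/sshd_config"
    state: present
    line: "DenyGroups backup"
    # Refuse to write a configuration sshd cannot parse; without this a broken
    # sshd_config would only surface when the restart handler runs.
    validate: "/usr/sbin/sshd -t -f %s"
  notify:
    - Restart SSH

- name: Set-up directory for the backup OpenSSH server instance
  ansible.builtin.file:
    path: "/etc/ssh-backup/"
    state: directory
    owner: root
    group: root
    mode: "0700"

- name: Deploy configuration file for the backup OpenSSH server instance service
  ansible.builtin.copy:
    src: "ssh-backup.default"
    dest: "/etc/default/ssh-backup"
    owner: root
    group: root
    mode: "0644"
  notify:
    - Restart backup SSH server

- name: Deploy configuration file for the backup OpenSSH server instance
  ansible.builtin.copy:
    src: "backup-sshd_config"
    dest: "/etc/ssh-backup/sshd_config"
    owner: root
    group: root
    mode: "0600"
  notify:
    - Restart backup SSH server

- name: Deploy the private keys for backup OpenSSH server instance
  ansible.builtin.template:
    src: "ssh_host_key.j2"
    dest: "/etc/ssh-backup/ssh_host_{{ item.key }}_key"
    owner: root
    group: root
    mode: "0600"
  # dict2items yields the same item.key / item.value shape as with_dict.
  loop: "{{ backup_host_ssh_private_keys | dict2items }}"
  notify:
    - Restart backup SSH server
  # Private key material must never reach the log or the diff output.
  no_log: true

- name: Deploy backup OpenSSH server systemd service file
  ansible.builtin.copy:
    src: "ssh-backup.service"
    dest: "/etc/systemd/system/ssh-backup.service"
    owner: root
    group: root
    mode: "0644"
  notify:
    - Reload systemd
    - Restart backup SSH server

- name: Start and enable OpenSSH backup service
  ansible.builtin.systemd:
    name: "ssh-backup"
    state: started
    enabled: true
    # The "Reload systemd" handler notified above only fires at the end of the
    # play, so reload here to make sure the unit definition just written is the
    # one that gets started rather than a stale or missing one.
    daemon_reload: true

- name: Deploy firewall configuration for backup server
  ansible.builtin.template:
    src: "ferm_backup.conf.j2"
    dest: "/etc/ferm/conf.d/40-backup.conf"
    owner: root
    group: root
    mode: "0640"
  notify:
    - Restart ferm

- name: Explicitly run all handlers
  ansible.builtin.include_tasks: ../handlers/main.yml
  when: "run_handlers | default(False) | bool()"
  tags:
    - handlers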