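---
# Backup server tasks: every backup client gets its own system account under
# /srv/backups/<server>, reachable only through a dedicated OpenSSH instance
# (/etc/ssh-backup) while the regular sshd denies the whole "backup" group.
#
# Variables read here (inferred from usage — confirm against the role defaults):
#   backup_clients                 list of {server, public_key, uid (optional)}
#   backup_host_ssh_private_keys   dict keyed by host key type, values are the keys
#   run_handlers                   bool, forces the handlers to run at the end
#
# File modes are quoted so the YAML loader never reinterprets a leading-zero
# octal as an integer (ansible-lint "risky-octal").

- name: Install backup software
  apt:
    name:
      - duplicity
      - duply
    state: present

- name: Create directory for storing backups
  file:
    path: "/srv/backups"
    state: directory
    owner: root
    group: root
    mode: "0751"

# Per-client group/user name is bak-<server> with dots replaced by underscores.
# The same expression is repeated in every looped task because the loop
# variable is only available per item.
- name: Create backup client groups
  group:
    name: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    gid: "{{ item.uid | default(omit) }}"
    system: true
  with_items: "{{ backup_clients }}"

# Home directories are created separately below with root-owned parents, so the
# user module must not create them itself.
- name: Create backup client users
  user:
    name: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    group: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    groups: "backup"
    uid: "{{ item.uid | default(omit) }}"
    system: true
    createhome: false
    state: present
    home: "/srv/backups/{{ item.server }}"
  with_items: "{{ backup_clients }}"

- name: Create home directories for backup client users
  file:
    path: "/srv/backups/{{ item.server }}"
    state: directory
    owner: root
    group: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    mode: "0750"
  with_items: "{{ backup_clients }}"

# The duplicity subdirectory is the only path the client account can write to.
- name: Create duplicity directories for backup client users
  file:
    path: "/srv/backups/{{ item.server }}/duplicity"
    state: directory
    owner: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    group: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    mode: "0770"
  with_items: "{{ backup_clients }}"

# .ssh and authorized_keys stay root-owned (the client group gets read access
# only), so a client account cannot add keys for itself; manage_dir is off to
# keep the authorized_key module from changing that ownership.
- name: Create SSH directory for backup client users
  file:
    path: "/srv/backups/{{ item.server }}/.ssh"
    state: directory
    owner: root
    group: root
    mode: "0751"
  with_items: "{{ backup_clients }}"

- name: Populate authorized keys for backup client users
  authorized_key:
    user: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    key: "{{ item.public_key }}"
    manage_dir: false
    state: present
  with_items: "{{ backup_clients }}"

- name: Set-up authorized_keys file permissions for backup client users
  file:
    path: "/srv/backups/{{ item.server }}/.ssh/authorized_keys"
    state: file
    owner: root
    group: "{{ item.server | replace('.', '_') | regex_replace('^', 'bak-') }}"
    mode: "0640"
  with_items: "{{ backup_clients }}"

# Client accounts are in the supplementary "backup" group, so this keeps them
# off the regular daemon; only the dedicated instance below accepts them.
# validate runs sshd's config test on the candidate file so a malformed
# sshd_config is never installed (which could lock out regular SSH access).
- name: Deny the backup group login via regular SSH
  lineinfile:
    dest: "/etc/ssh/sshd_config"
    state: present
    line: "DenyGroups backup"
    validate: "/usr/sbin/sshd -t -f %s"
  notify:
    - Restart SSH

- name: Set-up directory for the backup OpenSSH server instance
  file:
    path: "/etc/ssh-backup/"
    state: directory
    owner: root
    group: root
    mode: "0700"

- name: Deploy configuration file for the backup OpenSSH server instance service
  copy:
    src: "ssh-backup.default"
    dest: "/etc/default/ssh-backup"
    owner: root
    group: root
    mode: "0644"
  notify:
    - Restart backup SSH server

- name: Deploy configuration file for the backup OpenSSH server instance
  copy:
    src: "backup-sshd_config"
    dest: "/etc/ssh-backup/sshd_config"
    owner: root
    group: root
    mode: "0600"
  notify:
    - Restart backup SSH server

# no_log keeps the private key material out of the play output and logs.
- name: Deploy the private keys for backup OpenSSH server instance
  template:
    src: "ssh_host_key.j2"
    dest: "/etc/ssh-backup/ssh_host_{{ item.key }}_key"
    owner: root
    group: root
    mode: "0600"
  with_dict: "{{ backup_host_ssh_private_keys }}"
  notify:
    - Restart backup SSH server
  no_log: true

- name: Deploy backup OpenSSH server systemd service file
  copy:
    src: "ssh-backup.service"
    dest: "/etc/systemd/system/ssh-backup.service"
    owner: root
    group: root
    mode: "0644"
  notify:
    - Reload systemd
    - Restart backup SSH server

- name: Start and enable OpenSSH backup service
  service:
    name: "ssh-backup"
    state: started
    enabled: true

- name: Deploy firewall configuration for backup server
  template:
    src: "ferm_backup.conf.j2"
    dest: "/etc/ferm/conf.d/40-backup.conf"
    owner: root
    group: root
    mode: "0640"
  notify:
    - Restart ferm

# Kept as the legacy "include" on purpose: its tags propagate into the included
# handler tasks, which include_tasks would not do without an explicit apply.
- name: Explicitly run all handlers
  include: ../handlers/main.yml
  when: "run_handlers | default(False) | bool()"
  tags:
    - handlers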