---
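### BASIC SOFTWARE

# Packages the backup server needs. They are handed to the package module as
# one list so the package manager resolves and installs them in a single
# transaction instead of one module invocation per package.
- name: "Install required software on servers"
  become: true
  ansible.builtin.package:
    name:
      - "duplicity"          # Obviously needed for backup
      - "sshfs"              # To be able to mount the remote directory
      - "python3-packaging"  # Purpose not documented by the author -- TODO confirm it is still required
      - "acl"                # To manage the access control on the backup data
    state: "present"
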
### SSH ACCESS (USER/KEYS)

# Dedicated, unprivileged account that owns the backup data, the scripts and
# the key material on the server.
- name: "Create backup user on servers"
  become: true
  ansible.builtin.user:
    name: '{{ duplicity_server_user }}'
    # The key pair is generated here so its public half can be authorised on
    # the clients later. No ssh_key_passphrase is given, so the private key is
    # stored without one -- required for unattended cron runs, which is why
    # the home directory must stay private to this user. The module does not
    # regenerate a key that already exists.
    generate_ssh_key: true
    ssh_key_type: ed25519
    ssh_key_comment: '{{ duplicity_server_user }}@{{ ansible_hostname }} (generated by ansible)'
  # Return value carries the generated public key and the home path; both are
  # read by later tasks.
  register: duplicity_server_created_user

# Expose the server's public key as a host fact so it can be consumed
# elsewhere (presumably by the client-side tasks via hostvars -- confirm).
- name: "Store server ssh key as fact for later usage"
  ansible.builtin.set_fact:
    duplicity_server_user_key: >-
      {{ duplicity_server_created_user['ssh_public_key'] }}

# Read each client's sshd public host key over the regular Ansible connection
# so the server can pin it instead of trusting it on first use.
- name: "Fetch sshd fingerprints from clients"
  ansible.builtin.slurp:
    # NOTE(review): only the ECDSA host key is collected. A client whose sshd
    # has been trimmed to ed25519-only has no such file and this task fails
    # there -- confirm every client still carries an ECDSA host key.
    src: /etc/ssh/ssh_host_ecdsa_key.pub
  delegate_to: '{{ item }}'
  loop: "{{ groups['duplicityclient'] | flatten(levels=1) }}"
  # Reading a file never modifies the client.
  changed_when: false
  # results[*].content holds the base64-encoded file, results[*].item the client name.
  register: duplicity_client_host_key

# Pin the collected host keys in the backup user's known_hosts so the backup
# scripts can connect non-interactively without a trust-on-first-use prompt.
- name: "Register client host keys in server"
  become: true
  become_user: '{{ duplicity_server_user }}'
  ansible.builtin.known_hosts:
    # item.item is the inventory hostname. The entry only protects the
    # connection if the backup script addresses the client by that same name
    # rather than by IP or an ansible_host alias -- NOTE(review): confirm
    # against backup-script.j2.
    name: '{{ item.item }}'
    # known_hosts line format is "<host> <keytype> <base64 key>"; slurp
    # returns the file base64-encoded, hence the decode.
    key: '{{ item.item }} {{ item.content | b64decode }}'
  loop: '{{ duplicity_client_host_key.results }}'

### GNUPG ENCRYPTION

# Lets gpg create ~/.gnupg itself, presumably so the directory gets the
# layout and permissions gpg expects; `creates` turns this into a no-op once
# the directory exists.
- name: "Ensure gnupg config dir"
  become: true
  become_user: '{{ duplicity_server_user }}'
  ansible.builtin.command:
    cmd: gpg --list-keys
    creates: "{{ duplicity_server_created_user['home'] }}/.gnupg"

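# Guard: the backup key is fetched from a public keyserver and selected purely
# by fingerprint, so the fingerprint is the only thing authenticating it. A
# short key id (8 or 16 hex digits) is not unique and must not be accepted in
# its place; require a full fingerprint before anything is imported and trusted.
- name: "Validate backup key fingerprint"
  ansible.builtin.assert:
    that:
      - "duplicity_server_gnupg_fingerprint is defined"
      - "duplicity_server_gnupg_fingerprint | string | regex_replace(' ', '') is match('^([0-9A-Fa-f]{40}|[0-9A-Fa-f]{64})$')"
    fail_msg: "duplicity_server_gnupg_fingerprint must be a full OpenPGP fingerprint (40 hex digits for v4 keys), not a short key id"
    quiet: true

- name: "Install encryption key for backups"
  become: true
  become_user: "{{ duplicity_server_user }}"
  de_enbewe.duplicity.gpg_key:
    fpr: "{{ duplicity_server_gnupg_fingerprint }}"
    keyserver: "hkps://keys.openpgp.org"
    # 5 is presumably the top of gpg's ownertrust scale (ultimate). The module
    # is collection-specific -- confirm duplicity actually needs this level
    # rather than a lower one for encrypt-only use.
    trust: 5
    # Same homedir the "Ensure gnupg config dir" task initialised.
    homedir: "{{ duplicity_server_created_user['home'] }}/.gnupg"
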
### BACKUP SCRIPTS

# Directory holding the per-client backup scripts, owned by the backup user.
- name: "Create backup script path"
  become: true
  ansible.builtin.file:
    path: "{{ duplicity_server_created_user['home'] }}/scripts"
    state: directory
    owner: '{{ duplicity_server_user }}'
    group: '{{ duplicity_server_user }}'
    # NOTE(review): o=rx makes the scripts readable by every local account.
    # If backup-script.j2 embeds anything sensitive (passphrases, remote
    # paths), drop o= here and on the rendered scripts.
    mode: "u=rwx,g=rx,o=rx"

# One script per client, rendered from backup-script.j2 as the backup user so
# the files are owned by that account.
- name: "Create backup scripts for clients"
  become: true
  become_user: '{{ duplicity_server_user }}'
  ansible.builtin.template:
    src: backup-script.j2
    dest: "{{ duplicity_server_created_user['home'] }}/scripts/backup-{{ item }}.sh"
    # Executable for the owner, which is what cron needs. NOTE(review): o=rx
    # exposes the script contents to all local users -- tighten if the
    # template carries anything sensitive.
    mode: "u=rwx,g=rx,o=rx"
  loop: "{{ groups['duplicityclient'] }}"

# Schedule each client's script in the backup user's crontab. Hour and minute
# can be set per client in its hostvars; otherwise the defaults apply.
# NOTE(review): with the shared defaults every client without its own values
# runs at 01:12 at once -- consider staggering the slots.
- name: "Register cronjob for clients"
  become: true
  ansible.builtin.cron:
    name: 'backup-{{ item }}'
    user: '{{ duplicity_server_user }}'
    job: "{{ duplicity_server_created_user['home'] }}/scripts/backup-{{ item }}.sh"
    minute: "{{ hostvars[item].duplicity_client_backup_minute | default(12) }}"
    hour: "{{ hostvars[item].duplicity_client_backup_hour | default(1) }}"
  loop: "{{ groups['duplicityclient'] }}"