--- - hosts: remote_server:rpi tasks: - set_fact: RPI_NAME=kuba-rpi - set_fact: SERVER_NAME=my-server - set_fact: SERVER_FQDN=my.example.com - set_fact: OVPN_IP_PREFIX=10.8.10 - set_fact: RPI_BACKUP_DIR=/mnt/hdd/Backups - hosts: remote_server become: yes become_user: root # become_method: su vars: TO_INSTALL: - openvpn - restic - ufw tasks: # - include_vars: secrets.yml - name: install required packages apt: state=present pkg={{ TO_INSTALL }} - name: create ovpn key ansible.builtin.command: "openvpn --genkey --secret {{RPI_NAME}}.key" args: chdir: /etc/openvpn/server creates: /etc/openvpn/server/{{RPI_NAME}}.key - name: Copy /etc/openvpn/server/{{RPI_NAME}}.key to /tmp/{{RPI_NAME}}.key ansible.builtin.fetch: src: /etc/openvpn/server/{{RPI_NAME}}.key dest: /tmp/{{RPI_NAME}}.key flat: yes - name: Create ovpn config ansible.builtin.template: src: "ovpn-server.conf.j2" dest: /etc/openvpn/server/{{RPI_NAME}}.conf - name: open ovpn port (tcp) ufw: rule=allow port=1194 proto=tcp - name: open ovpn port (udp) ufw: rule=allow port=1194 proto=udp - name: start ovpn server ansible.builtin.service: name: openvpn-server@{{RPI_NAME}} state: restarted enabled: yes - name: rpi in /etc/hosts ansible.builtin.lineinfile: path: /etc/hosts regexp: "rpi$" line: "{{OVPN_IP_PREFIX}}.2 {{RPI_NAME}}" owner: root group: root mode: "0644" - name: generate ssh key ansible.builtin.command: 'ssh-keygen -t ed25519 -b 4096 -C "{{RPI_NAME}}-backup" -f /root/.ssh/{{RPI_NAME}}-backup -N ""' args: creates: "/root/.ssh/{{RPI_NAME}}-backup" - name: Create ssh config for rpi blockinfile: path: /root/.ssh/config backup: yes create: yes block: | Host {{RPI_NAME}} User {{SERVER_NAME}}-backup IdentityFile /root/.ssh/{{RPI_NAME}}-backup - name: download the public key of the server ansible.builtin.fetch: src: /root/.ssh/{{RPI_NAME}}-backup.pub dest: /tmp/{{RPI_NAME}}-backup.pub flat: yes - name: create backup password ansible.builtin.command: dd if=/dev/urandom of=/backup-pwd bs=1 count=52 args: creates: /backup-pwd - shell: base64 < /backup-pwd register: shell_result - debug: msg="{{shell_result.stdout_lines}}" - name: Remind to backup the key pause: prompt: ZAPISZ TEN KLUCZ W MANADŻERZE HASEŁ ☝ i wciśnij ENTER # - name: initiate restic reposiotory # command: restic init --password-file=/backup-pwd -r sftp:{{SERVER_NAME}}-backup@{{RPI_NAME}}:data # run_once: true - name: Create the backup script ansible.builtin.template: src: "backup.sh.j2" dest: /root/backup.sh mode: u+rwx backup: yes - name: setup CRON ansible.builtin.cron: name: "nightly backup for {{SERVER_NAME}}_{{RPI_NAME}}" minute: 15 hour: 4 job: "/root/backup.sh" - hosts: rpi become: yes become_user: root tasks: - name: Upload /tmp/{{RPI_NAME}}.key to rpi:/etc/openvpn/client/{{SERVER_NAME}}.key ansible.builtin.copy: src: /tmp/{{RPI_NAME}}.key dest: /etc/openvpn/client/{{SERVER_NAME}}.key - name: Create ovpn config ansible.builtin.template: src: "ovpn-client.conf.j2" dest: /etc/openvpn/client/{{SERVER_NAME}}.conf - name: start ovpn client ansible.builtin.service: name: openvpn-client@{{SERVER_NAME}} state: restarted enabled: yes - name: Add the backup user ansible.builtin.user: name: "{{SERVER_NAME}}-backup" - name: set permissions on backup dir file: path: "{{RPI_BACKUP_DIR}}/{{SERVER_NAME}}-backup" owner: root group: root mode: 0755 state: directory - name: set permissions on backup data dir file: path: "{{RPI_BACKUP_DIR}}/{{SERVER_NAME}}-backup/data" owner: "{{SERVER_NAME}}-backup" group: "{{SERVER_NAME}}-backup" mode: 0755 state: directory - name: auth the backup user with the public key ansible.builtin.lineinfile: path: /home/{{SERVER_NAME}}-backup/.ssh/authorized_keys line: "{{lookup('file', '/tmp/{{RPI_NAME}}-backup.pub')}}" owner: "{{SERVER_NAME}}-backup" group: "{{SERVER_NAME}}-backup" mode: "0600" create: yes - name: Create ssh config for the backup user blockinfile: path: /etc/ssh/sshd_config backup: yes create: yes block: | Match User {{SERVER_NAME}}-backup ForceCommand internal-sftp PasswordAuthentication yes ChrootDirectory {{RPI_BACKUP_DIR}}/{{SERVER_NAME}}-backup PermitTunnel no AllowAgentForwarding no AllowTcpForwarding no X11Forwarding no - name: restart sshd ansible.builtin.service: name: ssh state: restarted enabled: yes