
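---
# Shared facts for both machines: the server (yuno) that is backed up and the
# Raspberry Pi that receives the backups over the OpenVPN tunnel. They are set
# once here so every later play sees the same values.
- hosts: yuno.sealcode.org:rpi
  tasks:
    - name: set shared naming and network facts
      ansible.builtin.set_fact:
        RPI_NAME: kuba-rpi
        SERVER_NAME: sealcode-yuno
        SERVER_FQDN: yuno.sealcode.org
        # quoted so no YAML parser can ever read the prefix as a number
        OVPN_IP_PREFIX: "10.8.11"
        RPI_BACKUP_DIR: /mnt/hdd/Backups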
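# Server side: OpenVPN static-key server, ssh identity used for the backups,
# and the restic repository password.
- hosts: yuno.sealcode.org
  become: true
  become_user: root
  # become_method: su
  vars:
    TO_INSTALL:
      - openvpn
      - restic
      - ufw
  tasks:
    # - include_vars: secrets.yml
    - name: install required packages
      ansible.builtin.apt:
        state: present
        name: "{{ TO_INSTALL }}"

    # `creates` keeps the task idempotent: a re-run must never rotate the
    # static key, because the client copy on the rpi would stop matching.
    # NOTE(review): confirm the generated .key ends up owner-only (0600) on
    # disk; nothing here sets its mode explicitly.
    - name: create ovpn key
      ansible.builtin.command: "openvpn --genkey --secret {{ RPI_NAME }}.key"
      args:
        chdir: /etc/openvpn/server
        creates: "/etc/openvpn/server/{{ RPI_NAME }}.key"

    # The key is staged on the control node only so the rpi play can copy it.
    # NOTE(review): fetch writes it under the control node's /tmp with the
    # controller's umask and does not remove it afterwards; the rpi play
    # should delete it once it has been copied.
    - name: Copy /etc/openvpn/server/{{ RPI_NAME }}.key to /tmp/{{ RPI_NAME }}.key
      ansible.builtin.fetch:
        src: "/etc/openvpn/server/{{ RPI_NAME }}.key"
        dest: "/tmp/{{ RPI_NAME }}.key"
        flat: true

    - name: Create ovpn config
      ansible.builtin.template:
        src: ovpn-server.conf.j2
        dest: "/etc/openvpn/server/{{ RPI_NAME }}.conf"

    # NOTE(review): nothing in this playbook enables ufw (state: enabled).
    # If the firewall is not already active these rules have no effect, and
    # enabling it without an allow rule for ssh would lock out this session.
    - name: open ovpn port (tcp)
      community.general.ufw:
        rule: allow
        port: "1194"
        proto: tcp

    - name: open ovpn port (udp)
      community.general.ufw:
        rule: allow
        port: "1194"
        proto: udp

    - name: start ovpn server
      ansible.builtin.service:
        name: "openvpn-server@{{ RPI_NAME }}"
        state: restarted
        enabled: true

    # Maps the rpi's tunnel address to its short name, which the ssh config
    # below and the restic URL rely on.
    - name: rpi in /etc/hosts
      ansible.builtin.lineinfile:
        path: /etc/hosts
        # anchor on the full hostname: the previous "rpi$" also matched any
        # other entry that happened to end in "rpi"
        regexp: "\\s{{ RPI_NAME }}$"
        line: "{{ OVPN_IP_PREFIX }}.2 {{ RPI_NAME }}"
        owner: root
        group: root
        mode: "0644"

    # ssh-keygen refuses to write into a missing directory
    - name: ensure /root/.ssh exists
      ansible.builtin.file:
        path: /root/.ssh
        owner: root
        group: root
        mode: "0700"
        state: directory

    # ed25519 keys have a fixed length, so ssh-keygen ignores -b; dropped.
    # -N "" yields an unencrypted private key, which the unattended cron
    # backup needs.
    - name: generate ssh key
      ansible.builtin.command: >-
        ssh-keygen -t ed25519 -C "{{ RPI_NAME }}-backup"
        -f /root/.ssh/{{ RPI_NAME }}-backup -N ""
      args:
        creates: "/root/.ssh/{{ RPI_NAME }}-backup"

    # blockinfile needs {mark} in the marker so its begin and end markers
    # differ; with an identical pair re-runs cannot locate the block reliably.
    - name: Create ssh config for rpi
      ansible.builtin.blockinfile:
        path: /root/.ssh/config
        backup: true
        create: true
        mode: "0600"
        marker: "# {mark} {{ RPI_NAME }}"
        block: |
          Host {{ RPI_NAME }}
            User {{ SERVER_NAME }}-backup
            IdentityFile /root/.ssh/{{ RPI_NAME }}-backup

    - name: download the public key of the server
      ansible.builtin.fetch:
        src: "/root/.ssh/{{ RPI_NAME }}-backup.pub"
        dest: "/tmp/{{ RPI_NAME }}-backup.pub"
        flat: true

    # The restic repository password. It is written as base64 text rather than
    # raw random bytes so that the value shown to the operator below is exactly
    # what restic reads from the file (restic trims surrounding whitespace from
    # a password file, so raw bytes could differ from what was recorded), and
    # it is created under umask 077 so it is never world-readable. An existing
    # /backup-pwd is left untouched because of `creates`.
    - name: create backup password
      ansible.builtin.shell: umask 077 && head -c 52 /dev/urandom | base64 -w0 > /backup-pwd
      args:
        creates: /backup-pwd

    - name: ensure backup password file is root-only
      ansible.builtin.file:
        path: /backup-pwd
        owner: root
        group: root
        mode: "0600"

    - name: read backup password
      ansible.builtin.command: cat /backup-pwd
      register: shell_result
      changed_when: false

    # Shown on purpose: the operator must store it outside this host, since
    # losing it makes the backups unreadable.
    - name: show backup password
      ansible.builtin.debug:
        msg: "{{ shell_result.stdout }}"

    - name: Remind to backup the key
      ansible.builtin.pause:
        prompt: ZAPISZ TEN KLUCZ W MANADŻERZE HASEŁ ☝ i wciśnij ENTER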
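# Pi side: OpenVPN static-key client, a chrooted sftp-only backup user and the
# directory the restic repository lives in.
- hosts: rpi
  become: true
  become_user: root
  tasks:
    # The static key is a shared secret: keep it root-only on disk. Without an
    # explicit mode copy would use the default umask and may leave it readable
    # by every local user.
    - name: "Upload /tmp/{{ RPI_NAME }}.key to rpi:/etc/openvpn/client/{{ SERVER_NAME }}.key"
      ansible.builtin.copy:
        src: "/tmp/{{ RPI_NAME }}.key"
        dest: "/etc/openvpn/client/{{ SERVER_NAME }}.key"
        owner: root
        group: root
        mode: "0600"

    # The staged copy on the control node is no longer needed; the server play
    # re-fetches it on every run, so removing it here is safe. become is
    # switched off because the play-level become would otherwise try to
    # escalate on localhost.
    - name: remove the staged ovpn key from the control node
      ansible.builtin.file:
        path: "/tmp/{{ RPI_NAME }}.key"
        state: absent
      delegate_to: localhost
      become: false
      run_once: true

    - name: Create ovpn config
      ansible.builtin.template:
        src: ovpn-client.conf.j2
        dest: "/etc/openvpn/client/{{ SERVER_NAME }}.conf"

    - name: start ovpn client
      ansible.builtin.service:
        name: "openvpn-client@{{ SERVER_NAME }}"
        state: restarted
        enabled: true

    # The password is random and never recorded: the backup user is meant to
    # authenticate with the public key installed below. no_log keeps the value
    # out of the Ansible output, and update_password: on_create stops every
    # run from rotating it (and from reporting the user task as changed).
    - name: generate disposable user password
      ansible.builtin.shell: dd if=/dev/urandom count=100 | md5sum
      register: user_password
      changed_when: false
      no_log: true

    - name: Add the backup user
      ansible.builtin.user:
        name: "{{ SERVER_NAME }}-backup"
        password: "{{ user_password.stdout | password_hash('sha512') }}"
        update_password: on_create
      no_log: true

    # sshd's ChrootDirectory must be owned by root and not writable by group
    # or others, which is what root:root 0755 gives.
    - name: set permissions on backup dir
      ansible.builtin.file:
        path: "{{ RPI_BACKUP_DIR }}/{{ SERVER_NAME }}-backup"
        owner: root
        group: root
        mode: "0755"
        state: directory

    # The writable part inside the chroot; restic's "data" path below
    # resolves to this directory.
    - name: set permissions on backup data dir
      ansible.builtin.file:
        path: "{{ RPI_BACKUP_DIR }}/{{ SERVER_NAME }}-backup/data"
        owner: "{{ SERVER_NAME }}-backup"
        group: "{{ SERVER_NAME }}-backup"
        mode: "0755"
        state: directory

    # lineinfile's create makes the file but not its parent directory, so
    # authorized_keys failed on a fresh account whose ~/.ssh did not exist.
    - name: create .ssh dir for the backup user
      ansible.builtin.file:
        path: "/home/{{ SERVER_NAME }}-backup/.ssh"
        owner: "{{ SERVER_NAME }}-backup"
        group: "{{ SERVER_NAME }}-backup"
        mode: "0700"
        state: directory

    # The lookup runs on the control node, where the server play fetched the
    # public key to.
    - name: auth the backup user with the public key
      ansible.builtin.lineinfile:
        path: "/home/{{ SERVER_NAME }}-backup/.ssh/authorized_keys"
        # build the path with ~ instead of nesting {{ }} inside the expression
        line: "{{ lookup('file', '/tmp/' ~ RPI_NAME ~ '-backup.pub') }}"
        owner: "{{ SERVER_NAME }}-backup"
        group: "{{ SERVER_NAME }}-backup"
        mode: "0600"
        create: true

    # Match blocks must follow the global options; blockinfile appends at EOF
    # by default, which satisfies that. validate checks the candidate config
    # before it replaces the real one, so a broken block cannot lock us out
    # at the restart below. The marker includes {mark} so begin and end differ.
    # NOTE(review): PasswordAuthentication yes re-enables password login for
    # this user even though its password is random and never recorded; once
    # key-based backups are confirmed, "no" would remove that exposure.
    - name: Create ssh config for the backup user
      ansible.builtin.blockinfile:
        path: /etc/ssh/sshd_config
        backup: true
        create: true
        marker: "# {mark} {{ SERVER_NAME }}"
        validate: "/usr/sbin/sshd -t -f %s"
        block: |
          Match User {{ SERVER_NAME }}-backup
            ForceCommand internal-sftp
            PasswordAuthentication yes
            ChrootDirectory {{ RPI_BACKUP_DIR }}/{{ SERVER_NAME }}-backup
            PermitTunnel no
            AllowAgentForwarding no
            AllowTcpForwarding no
            X11Forwarding no

    - name: restart sshd
      ansible.builtin.service:
        name: ssh
        state: restarted
        enabled: true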
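# Server side again: initialise the restic repository over sftp and schedule
# the nightly backup.
- hosts: yuno.sealcode.org
  become: true
  become_user: root
  tasks:
    # restic init fails when the repository already exists, so probe it first
    # and only initialise when the probe fails. Both commands reach the rpi
    # through the "Host" alias in /root/.ssh/config over the VPN.
    # NOTE(review): the first sftp connection needs the rpi's host key in
    # root's known_hosts; no task here provides it, so confirm how an
    # unattended first run gets past host-key verification.
    - name: check whether the restic repository exists
      ansible.builtin.command: >-
        restic cat config --password-file=/backup-pwd
        -r sftp:{{ SERVER_NAME }}-backup@{{ RPI_NAME }}:data
      register: restic_config
      changed_when: false
      failed_when: false
      run_once: true

    - name: initiate restic repository
      ansible.builtin.command: >-
        restic init --password-file=/backup-pwd
        -r sftp:{{ SERVER_NAME }}-backup@{{ RPI_NAME }}:data
      when: restic_config.rc != 0
      run_once: true

    # 0700 instead of u+rwx: the script is only ever run by root's cron, so
    # there is no reason for it to be readable by other local users.
    - name: Create the backup script
      ansible.builtin.template:
        src: backup.sh.j2
        dest: /root/backup.sh
        owner: root
        group: root
        mode: "0700"
        backup: true

    # The name is the cron module's idempotency key; it must not change
    # between runs or a second entry is added.
    - name: setup CRON
      ansible.builtin.cron:
        name: "nightly backup for {{ SERVER_NAME }}_{{ RPI_NAME }}"
        minute: "15"
        hour: "4"
        job: /root/backup.sh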