You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
191 lines
5.5 KiB
YAML
191 lines
5.5 KiB
YAML
---
|
|
- hosts: yuno.sealcode.org:rpi
|
|
tasks:
|
|
- set_fact: RPI_NAME=kuba-rpi
|
|
- set_fact: SERVER_NAME=sealcode-yuno
|
|
- set_fact: SERVER_FQDN=yuno.sealcode.org
|
|
- set_fact: OVPN_IP_PREFIX=10.8.11
|
|
- set_fact: RPI_BACKUP_DIR=/mnt/hdd/Backups
|
|
|
|
- hosts: yuno.sealcode.org
|
|
become: yes
|
|
become_user: root
|
|
# become_method: su
|
|
|
|
vars:
|
|
TO_INSTALL:
|
|
- openvpn
|
|
- restic
|
|
- ufw
|
|
|
|
tasks:
|
|
# - include_vars: secrets.yml
|
|
|
|
- name: install required packages
|
|
apt: state=present pkg={{ TO_INSTALL }}
|
|
|
|
- name: create ovpn key
|
|
ansible.builtin.command: "openvpn --genkey --secret {{RPI_NAME}}.key"
|
|
args:
|
|
chdir: /etc/openvpn/server
|
|
creates: /etc/openvpn/server/{{RPI_NAME}}.key
|
|
|
|
- name: Copy /etc/openvpn/server/{{RPI_NAME}}.key to /tmp/{{RPI_NAME}}.key
|
|
ansible.builtin.fetch:
|
|
src: /etc/openvpn/server/{{RPI_NAME}}.key
|
|
dest: /tmp/{{RPI_NAME}}.key
|
|
flat: yes
|
|
|
|
- name: Create ovpn config
|
|
ansible.builtin.template:
|
|
src: "ovpn-server.conf.j2"
|
|
dest: /etc/openvpn/server/{{RPI_NAME}}.conf
|
|
|
|
- name: open ovpn port (tcp)
|
|
ufw: rule=allow port=1194 proto=tcp
|
|
|
|
- name: open ovpn port (udp)
|
|
ufw: rule=allow port=1194 proto=udp
|
|
|
|
- name: start ovpn server
|
|
ansible.builtin.service:
|
|
name: openvpn-server@{{RPI_NAME}}
|
|
state: restarted
|
|
enabled: yes
|
|
|
|
- name: rpi in /etc/hosts
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/hosts
|
|
regexp: "rpi$"
|
|
line: "{{OVPN_IP_PREFIX}}.2 {{RPI_NAME}}"
|
|
owner: root
|
|
group: root
|
|
mode: "0644"
|
|
|
|
- name: generate ssh key
|
|
ansible.builtin.command: 'ssh-keygen -t ed25519 -b 4096 -C "{{RPI_NAME}}-backup" -f /root/.ssh/{{RPI_NAME}}-backup -N ""'
|
|
args:
|
|
creates: "/root/.ssh/{{RPI_NAME}}-backup"
|
|
|
|
- name: Create ssh config for rpi
|
|
blockinfile:
|
|
path: /root/.ssh/config
|
|
backup: yes
|
|
create: yes
|
|
marker: "#{{RPI_NAME}}"
|
|
block: |
|
|
Host {{RPI_NAME}}
|
|
User {{SERVER_NAME}}-backup
|
|
IdentityFile /root/.ssh/{{RPI_NAME}}-backup
|
|
|
|
- name: download the public key of the server
|
|
ansible.builtin.fetch:
|
|
src: /root/.ssh/{{RPI_NAME}}-backup.pub
|
|
dest: /tmp/{{RPI_NAME}}-backup.pub
|
|
flat: yes
|
|
- name: create backup password
|
|
ansible.builtin.command: dd if=/dev/urandom of=/backup-pwd bs=1 count=52
|
|
args:
|
|
creates: /backup-pwd
|
|
|
|
- shell: base64 < /backup-pwd
|
|
register: shell_result
|
|
|
|
- debug: msg="{{shell_result.stdout_lines}}"
|
|
|
|
- name: Remind to backup the key
|
|
pause:
|
|
prompt: ZAPISZ TEN KLUCZ W MANADŻERZE HASEŁ ☝ i wciśnij ENTER
|
|
|
|
- hosts: rpi
|
|
become: yes
|
|
become_user: root
|
|
|
|
tasks:
|
|
- name: Upload /tmp/{{RPI_NAME}}.key to rpi:/etc/openvpn/client/{{SERVER_NAME}}.key
|
|
ansible.builtin.copy:
|
|
src: /tmp/{{RPI_NAME}}.key
|
|
dest: /etc/openvpn/client/{{SERVER_NAME}}.key
|
|
- name: Create ovpn config
|
|
ansible.builtin.template:
|
|
src: "ovpn-client.conf.j2"
|
|
dest: /etc/openvpn/client/{{SERVER_NAME}}.conf
|
|
- name: start ovpn client
|
|
ansible.builtin.service:
|
|
name: openvpn-client@{{SERVER_NAME}}
|
|
state: restarted
|
|
enabled: yes
|
|
|
|
- name: generate disposable user password
|
|
shell: dd if=/dev/urandom count=100 | md5sum
|
|
register: user_password
|
|
|
|
- name: Add the backup user
|
|
ansible.builtin.user:
|
|
name: "{{SERVER_NAME}}-backup"
|
|
password: "{{user_password.stdout | password_hash('sha512')}}"
|
|
|
|
- name: set permissions on backup dir
|
|
file:
|
|
path: "{{RPI_BACKUP_DIR}}/{{SERVER_NAME}}-backup"
|
|
owner: root
|
|
group: root
|
|
mode: 0755
|
|
state: directory
|
|
- name: set permissions on backup data dir
|
|
file:
|
|
path: "{{RPI_BACKUP_DIR}}/{{SERVER_NAME}}-backup/data"
|
|
owner: "{{SERVER_NAME}}-backup"
|
|
group: "{{SERVER_NAME}}-backup"
|
|
mode: 0755
|
|
state: directory
|
|
- name: auth the backup user with the public key
|
|
ansible.builtin.lineinfile:
|
|
path: /home/{{SERVER_NAME}}-backup/.ssh/authorized_keys
|
|
line: "{{lookup('file', '/tmp/{{RPI_NAME}}-backup.pub')}}"
|
|
owner: "{{SERVER_NAME}}-backup"
|
|
group: "{{SERVER_NAME}}-backup"
|
|
mode: "0600"
|
|
create: yes
|
|
- name: Create ssh config for the backup user
|
|
blockinfile:
|
|
path: /etc/ssh/sshd_config
|
|
backup: yes
|
|
create: yes
|
|
marker: "#{{SERVER_NAME}}"
|
|
block: |
|
|
Match User {{SERVER_NAME}}-backup
|
|
ForceCommand internal-sftp
|
|
PasswordAuthentication yes
|
|
ChrootDirectory {{RPI_BACKUP_DIR}}/{{SERVER_NAME}}-backup
|
|
PermitTunnel no
|
|
AllowAgentForwarding no
|
|
AllowTcpForwarding no
|
|
X11Forwarding no
|
|
- name: restart sshd
|
|
ansible.builtin.service:
|
|
name: ssh
|
|
state: restarted
|
|
enabled: yes
|
|
|
|
- hosts: yuno.sealcode.org
|
|
become: yes
|
|
become_user: root
|
|
tasks:
|
|
- name: initiate restic reposiotory
|
|
command: restic init --password-file=/backup-pwd -r sftp:{{SERVER_NAME}}-backup@{{RPI_NAME}}:data
|
|
run_once: true
|
|
- name: Create the backup script
|
|
ansible.builtin.template:
|
|
src: "backup.sh.j2"
|
|
dest: /root/backup.sh
|
|
mode: u+rwx
|
|
backup: yes
|
|
|
|
- name: setup CRON
|
|
ansible.builtin.cron:
|
|
name: "nightly backup for {{SERVER_NAME}}_{{RPI_NAME}}"
|
|
minute: 15
|
|
hour: 4
|
|
job: "/root/backup.sh"
|