From 79b4b43e57d033ba6900b42e51d64aeb87679d45 Mon Sep 17 00:00:00 2001 
From: Nemo
Date: Sat, 25 Jul 2020 15:06:58 +0200
Subject: [PATCH] Add backup configuration (client and server) and some other updates
---
 .../group_vars/backup_server.yml | 3 +
 playbook_backup_deploy.yml | 8 +++
 playbook_backup_server_deploy.yml | 4 --
 playbook_general_deploy.yml | 2 -
 ...ver_deploy.yml => playbook_ldap_deploy.yml | 0
 ...er_deploy.yml => playbook_munin_deploy.yml | 5 ++
 roles/backup_client/README.md | 70 +++++++++++++++++++
 roles/backup_client/defaults/main.yml | 33 +++++++++
 roles/backup_client/handlers/main.yml | 11 +++
 roles/backup_client/meta/main.yml | 26 +++++++
 roles/backup_client/tasks/aliases.yml | 8 +++
 roles/backup_client/tasks/crontask.yml | 12 ++++
 roles/backup_client/tasks/main.yml | 18 +++++
 roles/backup_client/tasks/package.yml | 13 ++++
 roles/backup_client/tasks/script.yml | 10 +++
 roles/backup_client/tasks/server.yml | 30 ++++++++
 roles/backup_client/tasks/user_backup.yml | 6 ++
 roles/backup_client/templates/backup.sh.j2 | 21 ++++++
 roles/backup_client/vars/Debian.yml | 4 ++
 roles/backup_client/vars/Gentoo.yml | 4 ++
 roles/backup_client/vars/RedHat.yml | 4 ++
 roles/backup_server/tasks/aliases.yml | 1 +
 roles/postfix/tasks/main.yml | 1 +
 23 files changed, 288 insertions(+), 6 deletions(-)
 create mode 100644 playbook_backup_deploy.yml
 delete mode 100644 playbook_backup_server_deploy.yml
 rename playbook_ldap_server_deploy.yml => playbook_ldap_deploy.yml (100%)
 rename playbook_munin_server_deploy.yml => playbook_munin_deploy.yml (68%)
 create mode 100644 roles/backup_client/README.md
 create mode 100644 roles/backup_client/defaults/main.yml
 create mode 100644 roles/backup_client/handlers/main.yml
 create mode 100644 roles/backup_client/meta/main.yml
 create mode 100644 roles/backup_client/tasks/aliases.yml
 create mode 100644 roles/backup_client/tasks/crontask.yml
 create mode 100644 roles/backup_client/tasks/main.yml
 create mode 100644 roles/backup_client/tasks/package.yml
 create mode 100644 roles/backup_client/tasks/script.yml
 create mode 
100644 roles/backup_client/tasks/server.yml
 create mode 100644 roles/backup_client/tasks/user_backup.yml
 create mode 100644 roles/backup_client/templates/backup.sh.j2
 create mode 100644 roles/backup_client/vars/Debian.yml
 create mode 100644 roles/backup_client/vars/Gentoo.yml
 create mode 100644 roles/backup_client/vars/RedHat.yml
diff --git a/inventory_template/group_vars/backup_server.yml b/inventory_template/group_vars/backup_server.yml
index f565f02..4732d4a 100644
--- a/inventory_template/group_vars/backup_server.yml
+++ b/inventory_template/group_vars/backup_server.yml
@@ -6,3 +6,6 @@ public_key_backup_user_host: "{{ vault_public_key_backup_user_host }}"
 git_repositories:
 - https://git.example.org/user/template-repository.git
 - git@git.example.org:user/template-repository.git
+
+# Destination backup folder
+backup_folder: "/data"
diff --git a/playbook_backup_deploy.yml b/playbook_backup_deploy.yml
new file mode 100644
index 0000000..329a2ea
--- /dev/null
+++ b/playbook_backup_deploy.yml
@@ -0,0 +1,8 @@
+---
+- hosts: all,!backup_server
+ roles:
+ - backup_client
+
+- hosts: backup_server
+ roles:
+ - backup_server
diff --git a/playbook_backup_server_deploy.yml b/playbook_backup_server_deploy.yml
deleted file mode 100644
index e8f0095..0000000
--- a/playbook_backup_server_deploy.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-- hosts: backup_server
- roles:
- - backup_server
diff --git a/playbook_general_deploy.yml b/playbook_general_deploy.yml
index 39a7aae..6f71dff 100644
--- a/playbook_general_deploy.yml
+++ b/playbook_general_deploy.yml
@@ -9,6 +9,4 @@
 - client_tools
 - users_sudo
 - client_iptables
- - munin-node
- - munin-async
 - postfix
diff --git a/playbook_ldap_server_deploy.yml b/playbook_ldap_deploy.yml
similarity index 100%
rename from playbook_ldap_server_deploy.yml
rename to playbook_ldap_deploy.yml
diff --git a/playbook_munin_server_deploy.yml b/playbook_munin_deploy.yml
similarity index 68%
rename from playbook_munin_server_deploy.yml
rename to playbook_munin_deploy.yml
index bf4b456..d7627bc 100644
--- a/playbook_munin_server_deploy.yml
+++ b/playbook_munin_deploy.yml
@@ -1,4 +1,9 @@
 ---
+- hosts: all
+ roles:
+ - munin-node
+ - munin-async
+
 - hosts: munin_server
 roles:
 - geerlingguy.munin
diff --git a/roles/backup_client/README.md b/roles/backup_client/README.md
new file mode 100644
index 0000000..9bcc650
--- /dev/null
+++ b/roles/backup_client/README.md
@@ -0,0 +1,70 @@
+Ansible Role: backup_client
+=========
+
+This role set up a GNU/Linux backup client.
+
+Requirements
+------------
+
+You need a valid postfix configuration on your host (to send email reports).
+
+Role Variables
+--------------
+
+All variables and default values are defined in `defaults/main.yml` :
+
+ # Name of the cron service and cron package (depends on your OS, can be cron, cronie, crond...)
+ cron_client_service_name: cron
+ cron_client_package: cron
+
+ # Name of the Borkbackup package
+ borgbackup_package: borgbackup
+
+ # Backup client folders to backup (separated with a space)
+ backup_client_folders_to_backup: ""
+
+ # Folder to deploy backup client scripts
+ backup_scripts_folder: "/usr/local/sbin"
+
+ # Backup client user and home directory
+ backup_client_user: "root"
+ backup_client_user_home: "/root"
+
+ # Crontask backup client scheduling
+ backup_client_cron_weekday: "*"
+ backup_client_cron_hour: "1"
+ backup_client_cron_minute: "30"
+
+ # Alias config file
+ aliases_config_file: "/etc/aliases"
+
+ # User or email to send client backup scripts report
+ backup_client_mail_target: "root"
+
+ # Compression parameters
+ backup_client_compression_param: "lzma,9"
+
+**NOTE :** this role will only configure backup client on host if `backup_client_folders_to_backup` is not empty.
+
+Dependencies
+------------
+
+None.
+
+Example Playbook
+----------------
+
+ - hosts: all
+ roles:
+ - backup_client
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+This role was created in 2020 by Nemo.
+
diff --git a/roles/backup_client/defaults/main.yml b/roles/backup_client/defaults/main.yml
new file mode 100644
index 0000000..758effb
--- /dev/null
+++ b/roles/backup_client/defaults/main.yml
@@ -0,0 +1,33 @@
+---
+# defaults file for backup_client
+
+# Name of the Cron service and cron package (depends on your OS, can be cron, cronie, crond...)
+cron_client_service_name: cron
+cron_client_package: cron
+
+# Name of the Borkbackup package
+borgbackup_package: borgbackup
+
+# Backup client folders to backup (separated with a space)
+backup_client_folders_to_backup: ""
+
+# Folder to deploy backup client scripts
+backup_client_scripts_folder: "/usr/local/sbin"
+
+# Backup client user and home directory
+backup_client_user: "root"
+backup_client_user_home: "/root"
+
+# Crontask backup client scheduling
+backup_client_cron_weekday: "*"
+backup_client_cron_hour: "1"
+backup_client_cron_minute: "30"
+
+# Alias config file
+aliases_config_file: "/etc/aliases"
+
+# User or email to send client backup scripts report
+backup_client_mail_target: "root"
+
+# Compression parameters
+backup_client_compression_param: "lzma,9"
diff --git a/roles/backup_client/handlers/main.yml b/roles/backup_client/handlers/main.yml
new file mode 100644
index 0000000..7edb02e
--- /dev/null
+++ b/roles/backup_client/handlers/main.yml
@@ -0,0 +1,11 @@
+---
+# handlers file for backup_client
+
+- name: "restart cron"
+ service:
+ name: "{{ cron_service_name }}"
+ enabled: yes
+ state: restarted
+
+- name: update aliases
+ command: postalias {{ aliases_config_file }}
diff --git a/roles/backup_client/meta/main.yml b/roles/backup_client/meta/main.yml
new file mode 100644
index 0000000..eaea248
--- /dev/null
+++ b/roles/backup_client/meta/main.yml
@@ -0,0 +1,26 @@
+galaxy_info:
+ author: nemo
+ description: Set up backup client for GNU/Linux.
+ company: Wirebrass
+
+ license: license (BSD)
+
+ min_ansible_version: 2.4
+
+ platforms:
+ - name: Debian
+ versions:
+ - stretch
+ - buster
+ - name: Gentoo
+ versions:
+ - all
+
+ galaxy_tags:
+ - backup
+ - borgbackup
+ - system
+ - server
+ - auto
+
+dependencies: [] 
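Review bot: `cron_client_service_name` and `cron_client_package` in this defaults file are never read: the package task and the `restart cron` handler added in this commit use `cron_package` and `cron_service_name`, which come from `vars/<os_family>.yml`, and that same vars file also defines `aliases_config_file`, which takes precedence over the default here. So none of these three settings can actually be overridden from an inventory, contrary to what the README lists. Either drop the two `cron_client_*` lines, or keep them as the real defaults and have the tasks and handler read `cron_client_service_name` / `cron_client_package` with the vars files only filling in OS-specific values. The README also documents `backup_scripts_folder` while this file and the tasks use `backup_client_scripts_folder`; one of the two names should go.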
diff --git a/roles/backup_client/tasks/aliases.yml b/roles/backup_client/tasks/aliases.yml
new file mode 100644
index 0000000..e1c1e37
--- /dev/null
+++ b/roles/backup_client/tasks/aliases.yml
@@ -0,0 +1,8 @@
+---
+- name: Update mail aliases.
+ lineinfile:
+ dest: "{{ aliases_config_file }}"
+ line: "{{ backup_client_user }}: {{ backup_client_mail_target }}"
+ regexp: "^{{ backup_client_user }}:"
+ when: backup_client_mail_target != backup_client_user and backup_client_folders_to_backup != ""
+ notify: update aliases
diff --git a/roles/backup_client/tasks/crontask.yml b/roles/backup_client/tasks/crontask.yml
new file mode 100644
index 0000000..6cbae74
--- /dev/null
+++ b/roles/backup_client/tasks/crontask.yml
@@ -0,0 +1,12 @@
+---
+- name: Backup client crontask configured
+ cron:
+ name: "Backup client"
+ user: "{{ backup_client_user }}"
+ weekday: "{{ backup_client_cron_weekday }}"
+ hour: "{{ backup_client_cron_hour }}"
+ minute: "{{ backup_client_cron_minute }}"
+ job: "{{ backup_client_scripts_folder }}/backup.sh"
+ when: backup_client_folders_to_backup != ""
+ notify: restart cron
+
diff --git a/roles/backup_client/tasks/main.yml b/roles/backup_client/tasks/main.yml
new file mode 100644
index 0000000..756be3c
--- /dev/null
+++ b/roles/backup_client/tasks/main.yml
@@ -0,0 +1,18 @@
+---
+# Main tasks file for backup_server
+
+- name: Include OS-specific variables.
+ include_vars: "{{ ansible_os_family }}.yml"
+
+- import_tasks: user_backup.yml
+ when: backup_client_folders_to_backup != ""
+- import_tasks: package.yml
+ when: backup_client_folders_to_backup != ""
+- import_tasks: script.yml
+ when: backup_client_folders_to_backup != ""
+- import_tasks: crontask.yml
+ when: backup_client_folders_to_backup != ""
+- import_tasks: aliases.yml
+ when: backup_client_folders_to_backup != ""
+- import_tasks: server.yml
+ when: "'backup_server' not in group_names and backup_client_folders_to_backup != \"\""
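Review bot: The header comment in the main.yml hunk, `# Main tasks file for backup_server`, names the wrong role; this file belongs to backup_client and should read `# Main tasks file for backup_client`. On style, a `when:` placed on an `import_tasks` line is applied to every task of the imported file, so the identical `when: backup_client_folders_to_backup != ""` repeated inside package.yml, script.yml, crontask.yml and aliases.yml is redundant; keeping the guard only here leaves one place to maintain it.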
diff --git a/roles/backup_client/tasks/package.yml b/roles/backup_client/tasks/package.yml
new file mode 100644
index 0000000..1cf5aa4
--- /dev/null
+++ b/roles/backup_client/tasks/package.yml
@@ -0,0 +1,13 @@
+---
+- name: Cron installed
+ package:
+ name: "{{ cron_package }}"
+ state: present
+ when: backup_client_folders_to_backup != ""
+ notify: restart cron
+
+- name: BorgBackup installed
+ package:
+ name: "{{ borgbackup_package }}"
+ state: present
+ when: backup_client_folders_to_backup != ""
diff --git a/roles/backup_client/tasks/script.yml b/roles/backup_client/tasks/script.yml
new file mode 100644
index 0000000..150d259
--- /dev/null
+++ b/roles/backup_client/tasks/script.yml
@@ -0,0 +1,10 @@
+---
+- name: Deploy client backup script
+ template:
+ src: backup.sh.j2
+ dest: "{{ backup_client_scripts_folder }}/backup.sh"
+ owner: "{{ backup_client_user }}"
+ group: "{{ backup_client_user }}"
+ mode: '0740'
+ when: backup_client_folders_to_backup != ""
+
diff --git a/roles/backup_client/tasks/server.yml b/roles/backup_client/tasks/server.yml
new file mode 100644
index 0000000..804c004
--- /dev/null
+++ b/roles/backup_client/tasks/server.yml
@@ -0,0 +1,30 @@
+---
+- name: "Read backup SSH pubkey and register"
+ slurp:
+ src: "{{ backup_client_user_home }}/.ssh/id_rsa.pub"
+ register: ssh_backup_pubkey
+
+- name: "Backup user created on backup server"
+ user:
+ name: "backup-{{ inventory_hostname_short }}"
+ create_home: yes
+ delegate_to: "{{ item }}"
+ loop: "{{ groups['backup_server'] }}"
+
+- name: "Backup directory created on backup server"
+ file:
+ path: "{{ hostvars[item]['backup_folder'] }}/{{ inventory_hostname_short }}"
+ owner: "backup-{{ inventory_hostname_short }}"
+ group: "backup-{{ inventory_hostname_short }}"
+ mode: "0700"
+ state: directory
+ delegate_to: "{{ item }}"
+ loop: "{{ groups['backup_server'] }}"
+
+- name: "Authorized key defined for backup user on backup server"
+ authorized_key:
+ user: "backup-{{ inventory_hostname_short }}"
+ state: present
+ key: "{{ ssh_backup_pubkey['content'] | b64decode }}"
+ delegate_to: "{{ item }}"
+ loop: "{{ groups['backup_server'] }}"
diff --git a/roles/backup_client/tasks/user_backup.yml b/roles/backup_client/tasks/user_backup.yml
new file mode 100644
index 0000000..0114a5c
--- /dev/null
+++ b/roles/backup_client/tasks/user_backup.yml
@@ -0,0 +1,6 @@
+---
+- name: "Client backup user created"
+ user:
+ name: "{{ backup_client_user }}"
+ generate_ssh_key: yes
+ when: backup_client_folders_to_backup != ""
diff --git a/roles/backup_client/templates/backup.sh.j2 b/roles/backup_client/templates/backup.sh.j2
new file mode 100644
index 0000000..f94f5aa
--- /dev/null
+++ b/roles/backup_client/templates/backup.sh.j2
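Review bot: The `authorized_key` task at the end of the server.yml hunk installs the client's key without any `key_options`, so the client's `backup_client_user` (root by default) obtains an unrestricted shell as `backup-<host>` on every backup server; a compromised client can then run arbitrary commands there and wipe or overwrite its own backup history. Restrict the key to borg and to the client's own directory: `key_options: 'restrict,command="borg serve --restrict-to-path {{ hostvars[item]["backup_folder"] }}/{{ inventory_hostname_short }}"'`. The `ssh … mkdir -p` call in the client script would stop working under that restriction, but the directory is already created with mode 0700 by the `file` task in this same hunk, so that call can simply be dropped. Adding `--append-only` to the `borg serve` command is worth considering as well, since it keeps a compromised client from purging old archives through `borg prune`; as far as I understand borg's append-only mode, prunes are then only recorded and not reclaimed until the server side compacts, so retention would have to be handled on the server.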
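Review bot: `generate_ssh_key: yes` in the user_backup.yml hunk relies on the `user` module's default key type and file name, and the `slurp` of `{{ backup_client_user_home }}/.ssh/id_rsa.pub` in server.yml is silently coupled to that default; with `backup_client_user: "root"`, an `id_rsa` that root already uses for something else would be reused and authorized on the backup servers. Pin a dedicated key explicitly, e.g. `ssh_key_type: ed25519` and `ssh_key_file: .ssh/id_backup_ed25519`, and read the matching `.pub` in server.yml, so the backup identity is distinct from any interactive key. This key necessarily has no passphrase because cron runs the script unattended, which is one more reason to restrict what it may do on the server side.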
@@ -0,0 +1,21 @@
+#!/bin/bash
+{% for backup_serv in groups['backup_server'] %}
+
+# Check if {{ backup_serv }} is a known host
+grep {{ backup_serv }} ~/.ssh/known_hosts &> /dev/null
+if [ ! $? -eq 0 ]; then
+ ssh-keygen -F {{ backup_serv }} || ssh-keyscan {{ backup_serv }} >>~/.ssh/known_hosts
+fi
+
+borg list backup-$(hostname -s)@{{ backup_serv }}:{{ hostvars[backup_serv]['backup_folder'] }}/$(hostname -s) &>/dev/null
+
+if [ $? -ne 0 ]
+then
+ ssh backup-$(hostname -s)@{{ backup_serv }} mkdir -p {{ hostvars[backup_serv]['backup_folder'] }}/$(hostname -s) -m 0700
+ export BORG_PASSPHRASE=""
+ borg init --encryption=repokey backup-$(hostname -s)@{{ backup_serv }}:{{ hostvars[backup_serv]['backup_folder'] }}/$(hostname -s)
+fi
+
+borg prune -v backup-$(hostname -s)@{{ backup_serv }}:{{ hostvars[backup_serv]['backup_folder'] }}/$(hostname -s) --keep-daily=7 --keep-weekly=4 --keep-monthly=1
+borg create --info --stats --compression {{ backup_client_compression_param }} backup-$(hostname -s)@{{ backup_serv }}:{{ hostvars[backup_serv]['backup_folder'] }}/$(hostname -s)::$(date +%F) $(find {{ backup_client_folders_to_backup }} -maxdepth 1 -type d | grep -Ev '^/$|^/tmp|^/lost\+found|^/run|^/proc|^/dev|^/sys' | tr '\n' ' ')
+{% endfor %}
diff --git a/roles/backup_client/vars/Debian.yml b/roles/backup_client/vars/Debian.yml
new file mode 100644
index 0000000..0a7e0cf
--- /dev/null
+++ b/roles/backup_client/vars/Debian.yml
@@ -0,0 +1,4 @@
+---
+cron_service_name: cron
+cron_package: cron
+aliases_config_file: /etc/aliases
diff --git a/roles/backup_client/vars/Gentoo.yml b/roles/backup_client/vars/Gentoo.yml
new file mode 100644
index 0000000..dffe71e
--- /dev/null
+++ b/roles/backup_client/vars/Gentoo.yml
@@ -0,0 +1,4 @@
+---
+cron_service_name: cronie
+cron_package: cronie
+aliases_config_file: /etc/mail/aliases
diff --git a/roles/backup_client/vars/RedHat.yml b/roles/backup_client/vars/RedHat.yml
new file mode 100644
index 0000000..0c6e1bc
--- /dev/null
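Review bot: `export BORG_PASSPHRASE=""` next to `borg init --encryption=repokey` in the backup.sh.j2 hunk stores the repository key inside the repo on the backup server protected by an empty passphrase, so anyone who can read the repo (the backup server itself, its administrators, or whoever obtains its disk) can decrypt every archive; the encryption gives no confidentiality against the server. Generate a per-host passphrase, keep it only on the client (e.g. deployed by the role as `{{ backup_client_user_home }}/.borg_passphrase` with mode 0600), and set it once at the top of the loop rather than inside the init branch, `export BORG_PASSPHRASE="$(cat {{ backup_client_user_home }}/.borg_passphrase)"`, because with a real passphrase the `borg list` probe on the existing-repo path needs it too. Losing the client then means losing the key, so the README should instruct operators to run `borg key export` once and keep the result off-host. Separately, the `ssh-keyscan … >>~/.ssh/known_hosts` fallback trusts whichever host key answers on the first run, and the preceding `grep {{ backup_serv }} ~/.ssh/known_hosts` never matches when known_hosts entries are hashed; the backup server's host key should be installed by Ansible with the `known_hosts` module instead of learned over the network.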
+++ b/roles/backup_client/vars/RedHat.yml
@@ -0,0 +1,4 @@
+---
+cron_service_name: crond
+cron_package: cronie
+aliases_config_file: /etc/aliases
diff --git a/roles/backup_server/tasks/aliases.yml b/roles/backup_server/tasks/aliases.yml
index 50460fa..aa2a319 100644
--- a/roles/backup_server/tasks/aliases.yml
+++ b/roles/backup_server/tasks/aliases.yml
@@ -4,4 +4,5 @@
 dest: "{{ aliases_config_file }}"
 line: "{{ backup_user_git }}: {{ backup_git_mail_target }}"
 regexp: "^{{ backup_user_git }}:"
+ when: backup_user_git != backup_git_mail_target
 notify: update aliases
diff --git a/roles/postfix/tasks/main.yml b/roles/postfix/tasks/main.yml
index 3a74021..35395fa 100644
--- a/roles/postfix/tasks/main.yml
+++ b/roles/postfix/tasks/main.yml
@@ -12,6 +12,7 @@
 dest: "{{ aliases_config_file }}"
 line: "root: {{ alias_email }}"
 regexp: "^root:"
+ when: alias_email != "root"
 notify: update aliases
 - name: Update Postfix configuration.