Diffstat (limited to 'baserock_frontend/instance-backup-config.yml')
-rw-r--r--baserock_frontend/instance-backup-config.yml29
1 files changed, 29 insertions, 0 deletions
diff --git a/baserock_frontend/instance-backup-config.yml b/baserock_frontend/instance-backup-config.yml
new file mode 100644
index 00000000..e17cf586
--- /dev/null
+++ b/baserock_frontend/instance-backup-config.yml
@@ -0,0 +1,29 @@
+# Instance backup configuration for the baserock.org frontend system.
+#
+# We don't need to back anything up from this system, but the backup
+# SSH key needs access to it in order to SSH to the other systems on the
+# internal network.
+---
+- hosts: frontend-haproxy
+ gather_facts: false
+ sudo: yes
+ vars:
+ # The 'backup' key cannot be used to SSH into the 'frontend' machine except
+ # from these IPs.
+ #
+ # 82.70.136.246 is Codethink's Zen Internet line.
+ # 86.134.108.84 is a BT Internet IP currently in use by Codethink.
+ #
+ # The backup SSH private key is the main secret needed to connect as the
+ # backup user. This IP restriction is just for a bit of extra safety.
+ PERMITTED_BACKUP_HOSTS: 82.70.136.246/32,86.134.108.84/32
+ tasks:
+ - name: backup user
+ user:
+ name: backup
+
+ - name: authorize backup public key
+ authorized_key:
+ user: backup
+ key: "{{ lookup('file', '../keys/backup.key.pub') }}"
+ key_options: 'from="{{ PERMITTED_BACKUP_HOSTS }}",no-agent-forwarding,no-X11-forwarding'
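Review bot: The `key_options` on the last line only restrict the source address and disable agent and X11 forwarding, so the backup key can still run commands on the frontend and open TCP forwards to any destination. The file header says nothing is backed up from this host and the key is only needed to reach the other internal systems, so if the hop uses `ssh -W` or ProxyJump (not visible here) the line could be narrowed to `key_options: 'from="{{ PERMITTED_BACKUP_HOSTS }}",no-agent-forwarding,no-X11-forwarding,no-pty,permitopen="<internal-host>:22"'`, with one `permitopen` entry per backup target. `no-pty` alone does not stop non-interactive command execution, so a forced `command=` running something inert would be needed as well if no command should ever run here. Separately, the comment describes 86.134.108.84 as "currently in use"; adding the date it was last confirmed would make it easier to prune the `from=` list once that address is reassigned.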