diff options
Diffstat (limited to 'baserock_frontend/instance-backup-config.yml')
-rw-r--r-- | baserock_frontend/instance-backup-config.yml | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/baserock_frontend/instance-backup-config.yml b/baserock_frontend/instance-backup-config.yml new file mode 100644 index 00000000..e17cf586 --- /dev/null +++ b/baserock_frontend/instance-backup-config.yml @@ -0,0 +1,29 @@ +# Instance backup configuration for the baserock.org frontend system. +# +# We don't need to back anything up from this system, but the backup +# SSH key needs access to it in order to SSH to the other systems on the +# internal network. +--- +- hosts: frontend-haproxy + gather_facts: false + sudo: yes + vars: + # The 'backup' key cannot be used to SSH into the 'frontend' machine except + # from these IPs. + # + # 82.70.136.246 is Codethink's Zen Internet line. + # 86.134.108.84 is a BT Internet IP currently in use by Codethink. + # + # The backup SSH private key is the main secret needed to connect as the + # backup user. This IP restriction is just for a bit of extra safety. + PERMITTED_BACKUP_HOSTS: 82.70.136.246/32,86.134.108.84/32 + tasks: + - name: backup user + user: + name: backup + + - name: authorize backup public key + authorized_key: + user: backup + key: "{{ lookup('file', '../keys/backup.key.pub') }}" + key_options: 'from="{{ PERMITTED_BACKUP_HOSTS }}",no-agent-forwarding,no-X11-forwarding' |