Diffstat (limited to 'baserock_gerrit/instance-backup-config.yml')
-rw-r--r-- | baserock_gerrit/instance-backup-config.yml | 29 |
1 files changed, 0 insertions, 29 deletions
diff --git a/baserock_gerrit/instance-backup-config.yml b/baserock_gerrit/instance-backup-config.yml
deleted file mode 100644
index cc647285..00000000
--- a/baserock_gerrit/instance-backup-config.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-# Instance backup configuration for the baserock.org Gerrit system.
----
-- hosts: gerrit
- gather_facts: false
- vars:
- FRONTEND_IP: 192.168.222.143
- tasks:
- - name: backup-snapshot script
- copy: src=../backup-snapshot dest=/usr/bin/backup-snapshot mode=755
-
- - name: backup-snapshot config
- copy: src=backup-snapshot.conf dest=/etc/backup-snapshot.conf
-
- # Would be good to limit this to 'backup' user.
- - name: passwordless sudo
- lineinfile: dest=/etc/sudoers state=present line='%wheel ALL=(ALL) NOPASSWD:ALL' validate='visudo -cf %s'
-
- # We need to give the backup automation 'root' access, because it needs to
- # manage system services, LVM volumes, and mounts, and because it needs to
- # be able to read private data. The risk of having the backup key
- # compromised is mitigated by only allowing it to execute the
- # 'backup-snapshot' script, and limiting the hosts it can be used from.
- - name: access for backup SSH key
- authorized_key:
- user: root
- key: "{{ lookup('file', '../keys/backup.key.pub') }}"
- # Quotes are important in this options, the OpenSSH server will reject
- # the entry if the 'from' or 'command' values are not quoted.
- key_options: 'from="{{FRONTEND_IP}}",no-agent-forwarding,no-port-forwarding,no-X11-forwarding,command="/usr/bin/backup-snapshot"' |