# Instance backup configuration for the baserock.org Gerrit system.
---
- hosts: gerrit
  gather_facts: false
  vars:
    FRONTEND_IP: 192.168.222.143
  tasks:
    - name: backup-snapshot script
      copy: src=../backup-snapshot dest=/usr/bin/backup-snapshot mode=755

    - name: backup-snapshot config
      copy: src=backup-snapshot.conf dest=/etc/backup-snapshot.conf

    # Would be good to limit this to 'backup' user.
    - name: passwordless sudo
      lineinfile: dest=/etc/sudoers state=present line='%wheel ALL=(ALL) NOPASSWD:ALL' validate='visudo -cf %s'

    # We need to give the backup automation 'root' access, because it needs to
    # manage system services, LVM volumes, and mounts, and because it needs to
    # be able to read private data. The risk of having the backup key
    # compromised is mitigated by only allowing it to execute the
    # 'backup-snapshot' script, and limiting the hosts it can be used from.
    - name: access for backup SSH key
      authorized_key:
        user: root
        key: "{{ lookup('file', '../keys/backup.key.pub') }}"
        # Quotes are important in this options, the OpenSSH server will reject
        # the entry if the 'from' or 'command' values are not quoted.
        key_options: 'from="{{FRONTEND_IP}}",no-agent-forwarding,no-port-forwarding,no-X11-forwarding,command="/usr/bin/backup-snapshot"'