# Instance backup configuration for the baserock.org database.
---
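- hosts: database-mariadb
  gather_facts: false
  # 'become' replaces the deprecated 'sudo' keyword; both it and the 'dnf'
  # module used below were introduced in the same Ansible release (1.9).
  become: true
  vars:
    # Source address the backup key may be used from (see 'from=' in the
    # key_options of the last task). Quoted so it is always read as a string.
    FRONTEND_IP: '192.168.222.143'
  tasks:
    # 'latest' upgrades the package on every run, so the installed version is
    # whatever the configured repositories serve at that time.
    - name: pyyaml for Python 2
      dnf:
        name: PyYAML
        state: latest

    # This script is the forced command for a key that logs in as root, so it
    # must be owned by root and writable by nobody else.
    - name: backup-snapshot script
      copy:
        src: ../backup-snapshot
        dest: /usr/bin/backup-snapshot
        owner: root
        group: root
        mode: '0755'

    # The config is read by a script running as root; pin ownership and mode
    # instead of inheriting whatever is already on the host.
    # NOTE(review): tighten to '0600' if the file holds anything sensitive.
    - name: backup-snapshot config
      copy:
        src: backup-snapshot.conf
        dest: /etc/backup-snapshot.conf
        owner: root
        group: root
        mode: '0644'

    # We need to give the backup automation 'root' access, because it needs to
    # manage system services, LVM volumes, and mounts, and because it needs to
    # be able to read private data. The risk of having the backup key
    # compromised is mitigated by only allowing it to execute the
    # 'backup-snapshot' script, and limiting the hosts it can be used from.
    - name: access for backup SSH key
      authorized_key:
        user: root
        key: "{{ lookup('file', '../keys/backup.key.pub') }}"
        # Quotes are important in these options: the OpenSSH server will
        # reject the entry if the 'from' or 'command' values are not quoted.
        # 'no-pty' and 'no-user-rc' deny the key a terminal and stop
        # ~/.ssh/rc from running as root before the forced command. On
        # OpenSSH 7.2 or newer, 'restrict' can replace the individual no-*
        # options. The forced command still receives the client's requested
        # command in SSH_ORIGINAL_COMMAND; if backup-snapshot reads it, it
        # must treat the value as untrusted input.
        key_options: 'from="{{ FRONTEND_IP }}",no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-pty,no-user-rc,command="/usr/bin/backup-snapshot"'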