# Instance backup configuration for the baserock.org database.
---
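# Play: install the backup-snapshot script and its config on the 'storyboard'
# host, then authorize the backup SSH key for a restricted root login.
- hosts: storyboard
  gather_facts: false
  become: true
  vars:
    # The only source address the backup key is accepted from (used in the
    # 'from=' key option below).
    FRONTEND_IP: '192.168.222.143'
  tasks:
    # This file is the forced command that the backup key runs as root, so
    # ownership and mode are pinned explicitly: anyone able to modify it
    # could run code as root through the backup login.
    - name: backup-snapshot script
      copy:
        src: ../backup-snapshot
        dest: /usr/bin/backup-snapshot
        owner: root
        group: root
        mode: '0755'

    # Presumably read by backup-snapshot while it runs as root, so it must
    # not be writable by other users.
    # NOTE(review): tighten to '0600' if the file ever holds credentials or
    # other private values; its contents are not visible from this playbook.
    - name: backup-snapshot config
      copy:
        src: backup-snapshot.conf
        dest: /etc/backup-snapshot.conf
        owner: root
        group: root
        mode: '0644'

    # We need to give the backup automation 'root' access, because it needs to
    # manage system services, LVM volumes, and mounts, and because it needs to
    # be able to read private data. The risk of having the backup key
    # compromised is mitigated by only allowing it to execute the
    # 'backup-snapshot' script, and limiting the hosts it can be used from.
    #
    # NOTE(review): with a forced command, sshd passes whatever the client
    # requested to the script in SSH_ORIGINAL_COMMAND. Confirm that
    # backup-snapshot never evaluates that value; the script is not visible
    # from this playbook.
    - name: access for backup SSH key
      authorized_key:
        user: root
        key: "{{ lookup('file', '../keys/backup.key.pub') }}"
        # Quotes are important in these options: the OpenSSH server will
        # reject the entry if the 'from' or 'command' values are not quoted.
        # The value must stay on one line with no spaces between options.
        # 'no-pty' denies terminal allocation, which a non-interactive backup
        # run does not need. On OpenSSH 7.2 or later, 'restrict' can replace
        # the individual no-* options and also covers restrictions added in
        # future releases.
        key_options: 'from="{{ FRONTEND_IP }}",no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-pty,command="/usr/bin/backup-snapshot"'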