add backup control user to start/stop virtual machines

configure/atlas.yml

@@ -92,13 +92,27 @@
       src: dmz.conf
       dest: /etc/network/interfaces.d/dmz.conf
     notify: enable interfaces
-  - name: Add backup user
+  - name: Add backup share user
     user:
       name: "{{ backup_share_user }}"
       create_home: false
       password: '!'
       shell: /sbin/nologin
       system: true
+  - name: Add backup control user
+    user:
+      name: "{{ backup_control_user }}"
+      password: '!'
+      shell: /usr/bin/sh
+      system: true
+      groups: "libvirt"
+  - name: Copy control script
+    copy:
+      src: "backup_control.sh"
+      dest: "/home/{{ backup_control_user }}/control.sh"
+      owner: "{{ backup_control_user }}"
+      group: "{{ backup_control_user }}"
+      mode: u=rx,g=rx,o=rx
   - name: Add backup user principals file
     copy:
       dest: "/etc/ssh/backup_principals"

configure/backup_control.sh

@@ -0,0 +1,15 @@
+VIRSH="virsh --connect qemu:///system"
+read -p "" option
+case "$option" in
+	up)
+		for i in $($VIRSH list --all --name --autostart); do $VIRSH start "$i"; done
+		;;
+	down)
+		for i in $($VIRSH list --state-running --name --autostart); do
+			$VIRSH shutdown "$i"
+			until $VIRSH domstate "$i" | grep shut; do
+				sleep 0.5
+			done
+		done
+		;;
+esac

configure/sshd.conf.j2

@@ -6,3 +6,9 @@ Match User {{ backup_share_user }}
 	ForceCommand internal-sftp
 	AllowTcpForwarding no
 	X11Forwarding no
+
+Match User {{ backup_control_user }}
+	AuthorizedPrincipalsFile /etc/ssh/backup_principals
+	ForceCommand /home/{{ backup_control_user }}/control.sh
+	AllowTcpForwarding no
+	X11Forwarding no