lewis/lewis.yml

- name: Setup homeserver
  hosts: dataserver

  handlers:
    - name: restart sshd
      systemd:
        name: sshd
        state: restarted

  tasks:
    - name: Copy backup user principals file
      copy:
        dest: /etc/ssh/backup_principals
        content: hypervisor

    - name: Copy hyp user SSH CA public key
      copy:
        dest: /etc/ssh/hyp_user.pub
        content: "{{ hyp_user_ca_public_key }}"

    - name: Copy user certificate sshd config
      copy:
        src: "sshd_user_certificates.conf"
        dest: /etc/ssh/sshd_config.d/user_certificates.conf
      notify: restart sshd

    - name: Ensure backup directory exists
      file:
        path: "{{ kingston1tb_mount_point }}/hosts"
        state: directory

    - name: Create backup respositories
      command:
        cmd: "borg init -e none {{ kingston1tb_mount_point }}/hosts/{{ item }}"
        creates: "{{ kingston1tb_mount_point }}/hosts/{{ item }}"
      with_items: "{{ backup_hosts }}"

    - name: Create extra disk moint point
      file:
        path: "{{ kingston1tb_mount_point }}"
        state: directory

    - name: Mount extra disk
      ansible.posix.mount:
        path: "{{ kingston1tb_mount_point }}"
        src: "UUID={{ kingston1tb_uuid }}"
        fstype: ext4
        passno: 1
        state: present

    - name: Generate host key pair
      openssh_keypair:
        path: /etc/ssh/ssh_host_ed25519_key
        type: ed25519
        comment: "{{ ansible_host }}"
      register: host_key

    - name: Check whether host certificate exists
      stat:
        path: /etc/ssh/ssh_host_ed25519_key-cert.pub
      register: cert_stat

    - name: Generate SSH host certificate
      command:
        cmd: "ssh -o ConnectTimeout=3 -o ConnectionAttempts=1 root@atlas.hyp '/root/ssh_ca/ssh_ca.sh host hyp_host \"{{ host_key.public_key }}\" {{ ansible_host }}'"
      register: host_certificate
      delegate_to: localhost
      when: not cert_stat.stat.exists

    - name: Place host certificate
      copy:
        dest: /etc/ssh/ssh_host_ed25519_key-cert.pub
        content: "{{ host_certificate.stdout }}"
        mode: 0644
      when: not cert_stat.stat.exists

    - name: Enable host certificate
      copy:
        dest: /etc/ssh/sshd_config.d/sshd_host_certificate.conf
        content: "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub"

  roles:
    - apt
move from homeservers repo 2023-02-25 14:35:35 +00:00			`- name: Setup homeserver`
			`hosts: dataserver`
revert back to push backups 2023-04-25 19:59:11 +00:00
			`handlers:`
			`- name: restart sshd`
			`systemd:`
			`name: sshd`
			`state: restarted`

			`tasks:`
			`- name: Copy backup user principals file`
			`copy:`
			`dest: /etc/ssh/backup_principals`
			`content: hypervisor`

			`- name: Copy hyp user SSH CA public key`
			`copy:`
			`dest: /etc/ssh/hyp_user.pub`
			`content: "{{ hyp_user_ca_public_key }}"`

			`- name: Copy user certificate sshd config`
			`copy:`
			`src: "sshd_user_certificates.conf"`
			`dest: /etc/ssh/sshd_config.d/user_certificates.conf`
			`notify: restart sshd`

			`- name: Ensure backup directory exists`
			`file:`
			`path: "{{ kingston1tb_mount_point }}/hosts"`
			`state: directory`

			`- name: Create backup respositories`
			`command:`
			`cmd: "borg init -e none {{ kingston1tb_mount_point }}/hosts/{{ item }}"`
			`creates: "{{ kingston1tb_mount_point }}/hosts/{{ item }}"`
			`with_items: "{{ backup_hosts }}"`

			`- name: Create extra disk moint point`
			`file:`
			`path: "{{ kingston1tb_mount_point }}"`
			`state: directory`

			`- name: Mount extra disk`
			`ansible.posix.mount:`
			`path: "{{ kingston1tb_mount_point }}"`
			`src: "UUID={{ kingston1tb_uuid }}"`
			`fstype: ext4`
			`passno: 1`
			`state: present`

			`- name: Generate host key pair`
			`openssh_keypair:`
			`path: /etc/ssh/ssh_host_ed25519_key`
			`type: ed25519`
			`comment: "{{ ansible_host }}"`
			`register: host_key`

			`- name: Check whether host certificate exists`
			`stat:`
			`path: /etc/ssh/ssh_host_ed25519_key-cert.pub`
			`register: cert_stat`

			`- name: Generate SSH host certificate`
			`command:`
			`cmd: "ssh -o ConnectTimeout=3 -o ConnectionAttempts=1 root@atlas.hyp '/root/ssh_ca/ssh_ca.sh host hyp_host \"{{ host_key.public_key }}\" {{ ansible_host }}'"`
			`register: host_certificate`
			`delegate_to: localhost`
			`when: not cert_stat.stat.exists`

			`- name: Place host certificate`
			`copy:`
			`dest: /etc/ssh/ssh_host_ed25519_key-cert.pub`
			`content: "{{ host_certificate.stdout }}"`
			`mode: 0644`
			`when: not cert_stat.stat.exists`

			`- name: Enable host certificate`
			`copy:`
			`dest: /etc/ssh/sshd_config.d/sshd_host_certificate.conf`
			`content: "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub"`

move from homeservers repo 2023-02-25 14:35:35 +00:00			`roles:`
revert back to push backups 2023-04-25 19:59:11 +00:00			`- apt`