diff --git a/inventory/host_vars/lewis.yml b/inventory/host_vars/lewis.yml index bcceb9d..f79bf26 100644 --- a/inventory/host_vars/lewis.yml +++ b/inventory/host_vars/lewis.yml @@ -1,10 +1,14 @@ -borg_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBTag7YToG5W+H2kEUz40kOH+7cs0Lp3owFFKkmHBiWM root@max" -dataserver_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJsLVptkoOwmxs6DnenN8u7Q1Tm/Psh0QdI6vjrTgb6D root@lewis" -user_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBRBrKmIKP5BFhLSdntatIgSC0R/D9EEZlak5Yt0DfUe root@lewis" kingston1tb_mount_point: "/mnt/kingston1TB" kingston1tb_uuid: "622a8d81-aa2f-460b-a563-c3cdb6285609" -backup_location: "{{ kingston1tb_mount_point }}/atlas_backup" admin_public_keys: - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINUZp4BCxf7uLa1QWonx/Crf8tYZ5MKIZ+EuaBa82LrV user@user-laptop" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOodpLr+FDRyKyHjucHizNLVFHZ5AQmE9GmxMnOsSoaw pimkunis@thinkpadpim" + +hyp_user_ca_public_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHZreEhS/rMHfJB7IenEEfk38zCjmyce+X2AWxzU/N81 User Certificate Authority for *.hyp" + +backup_hosts: + - atlas + +apt_install_packages: + - borgbackup diff --git a/inventory/hosts.yml b/inventory/hosts.yml index a196063..b4a1808 100644 --- a/inventory/hosts.yml +++ b/inventory/hosts.yml @@ -4,4 +4,4 @@ all: hosts: lewis: ansible_user: root - ansible_host: lewis.lan + ansible_host: lewis.hyp diff --git a/lewis.yml b/lewis.yml index e5ab377..706755c 100644 --- a/lewis.yml +++ b/lewis.yml 
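Review bot: `admin_public_keys` is kept in this host_vars file, but after this commit nothing reads it — the `Add admins' authorized keys` task that looped over it is deleted together with roles/system/tasks/main.yml, and the rewritten lewis.yml contains no `authorized_key` task. If root access is now meant to go exclusively through certificates signed by `hyp_user_ca_public_key`, drop the variable so the file does not suggest keys are still being installed; otherwise re-add an `authorized_key` task in lewis.yml. Either way a comment above the CA key would record the intent, e.g. `# root login on this host is via hyp user CA certificates; admin keys are no longer installed by the play`. The `atlas` entry in `backup_hosts` is also duplicated as a literal `root@atlas.hyp` in the certificate task of lewis.yml, which is worth a comment so the two stay in sync.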
@@ -1,6 +1,83 @@ - name: Setup homeserver hosts: dataserver + + handlers: + - name: restart sshd + systemd: + name: sshd + state: restarted + + tasks: + - name: Copy backup user principals file + copy: + dest: /etc/ssh/backup_principals + content: hypervisor + + - name: Copy hyp user SSH CA public key + copy: + dest: /etc/ssh/hyp_user.pub + content: "{{ hyp_user_ca_public_key }}" + + - name: Copy user certificate sshd config + copy: + src: "sshd_user_certificates.conf" + dest: /etc/ssh/sshd_config.d/user_certificates.conf + notify: restart sshd + + - name: Ensure backup directory exists + file: + path: "{{ kingston1tb_mount_point }}/hosts" + state: directory + + - name: Create backup respositories + command: + cmd: "borg init -e none {{ kingston1tb_mount_point }}/hosts/{{ item }}" + creates: "{{ kingston1tb_mount_point }}/hosts/{{ item }}" + with_items: "{{ backup_hosts }}" + + - name: Create extra disk moint point + file: + path: "{{ kingston1tb_mount_point }}" + state: directory + + - name: Mount extra disk + ansible.posix.mount: + path: "{{ kingston1tb_mount_point }}" + src: "UUID={{ kingston1tb_uuid }}" + fstype: ext4 + passno: 1 + state: present + + - name: Generate host key pair + openssh_keypair: + path: /etc/ssh/ssh_host_ed25519_key + type: ed25519 + comment: "{{ ansible_host }}" + register: host_key + + - name: Check whether host certificate exists + stat: + path: /etc/ssh/ssh_host_ed25519_key-cert.pub + register: cert_stat + + - name: Generate SSH host certificate + command: + cmd: "ssh -o ConnectTimeout=3 -o ConnectionAttempts=1 root@atlas.hyp '/root/ssh_ca/ssh_ca.sh host hyp_host \"{{ host_key.public_key }}\" {{ ansible_host }}'" + register: host_certificate + delegate_to: localhost + when: not cert_stat.stat.exists + + - name: Place host certificate + copy: + dest: /etc/ssh/ssh_host_ed25519_key-cert.pub + content: "{{ host_certificate.stdout }}" + mode: 0644 + when: not cert_stat.stat.exists + + - name: Enable host certificate + copy: + dest: 
/etc/ssh/sshd_config.d/sshd_host_certificate.conf + content: "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub" + roles: - - {role: 'common', tags: 'common'} - - {role: 'system', tags: 'system'} - - {role: 'borg', tags: 'borg'} + - apt diff --git a/requirements.yml b/requirements.yml new file mode 100644 index 0000000..43e6eca --- /dev/null +++ b/requirements.yml @@ -0,0 +1,3 @@ +- name: apt + src: https://github.com/sunscrapers/ansible-role-apt.git + scm: git diff --git a/roles/borg/files/backup.timer b/roles/borg/files/backup.timer deleted file mode 100644 index 1f345f7..0000000 --- a/roles/borg/files/backup.timer +++ /dev/null @@ -1,10 +0,0 @@ -[Unit] -Description=Backup data daily - -[Timer] -OnCalendar=*-*-* 3:00:00 -Persistent=true -RandomizedDelaySec=1h - -[Install] -WantedBy=timers.target diff --git a/roles/borg/tasks/main.yml b/roles/borg/tasks/main.yml deleted file mode 100644 index 796c6e8..0000000 --- a/roles/borg/tasks/main.yml +++ /dev/null 
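Review bot: `Ensure backup directory exists` and `Create backup respositories` run before `Create extra disk moint point` and `Mount extra disk`, so on a fresh host the `hosts/` tree and the borg repositories are created on the root filesystem underneath `{{ kingston1tb_mount_point }}`; because the mount task uses `state: present`, which only writes the fstab entry, they are shadowed by the real disk at the next reboot rather than during the play. Move the two mount tasks ahead of the backup-directory task and use `state: mounted` so the repositories land on the disk on the first run. Separately, `Enable host certificate` writes `sshd_host_certificate.conf` without `notify: restart sshd`, so sshd keeps running without the HostCertificate until something else restarts it; adding the notify there, and `validate: /usr/sbin/sshd -t -f %s` on both copies into `sshd_config.d` (confirm fragment-only validation is accepted by the target sshd), keeps a bad fragment from reaching a restart. The task names `Create backup respositories` and `Create extra disk moint point` carry typos that will show up in every run log.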
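Review bot: The `apt` role is fetched from a third-party GitHub repository with no `version:` key, so every `ansible-galaxy install` pulls whatever the default branch holds at that moment, and the play then runs that unreviewed code as root on the host. Pin it with `version: "<pinned tag or commit id>"` (placeholder) so the role content is fixed by this repository rather than by the upstream account, and consider forking or vendoring the role so the playbook keeps working if the upstream repository moves or disappears.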
@@ -1,47 +0,0 @@ -- name: Install borg - apt: - pkg: - - borgbackup - - borgmatic -- name: Copy borg backup config - template: - src: "{{ role_path }}/templates/backup.yml.j2" - dest: /root/backup.yml -- name: Copy systemd service - template: - src: "{{ role_path }}/templates/backup.service.j2" - dest: "/etc/systemd/system/backup.service" - register: service -- name: Copy systemd timer - copy: - src: "{{ role_path }}/files/backup.timer" - dest: "/etc/systemd/system/backup.timer" - register: timer -- name: Enable timer - systemd: - name: backup.timer - enabled: true - state: started - daemon_reload: "{{ 'yes' if service.changed or timer.changed else 'no' }}" -- name: Create extra disk moint point - file: - path: "{{ kingston1tb_mount_point }}" - state: directory -- name: Mount extra disk - ansible.posix.mount: - path: "{{kingston1tb_mount_point }}" - src: "UUID={{ kingston1tb_uuid }}" - fstype: ext4 - passno: 1 - state: present -- name: Install borg - apt: - name: borgbackup -- name: Add Borg public key - authorized_key: - key: "{{ borg_public_key }}" - user: "{{ ansible_user_id }}" -- name: Create Borg repository - command: - cmd: "borg init -e none {{ backup_location }}" - creates: "{{ backup_location }}" diff --git a/roles/borg/templates/backup.service.j2 b/roles/borg/templates/backup.service.j2 deleted file mode 100644 index 8960c3f..0000000 --- a/roles/borg/templates/backup.service.j2 +++ /dev/null @@ -1,6 +0,0 @@ -[Unit] -Description=Backup data using borgmatic - -[Service] -ExecStart=/usr/bin/borgmatic --config /root/backup.yml -Type=oneshot diff --git a/roles/borg/templates/backup.yml.j2 b/roles/borg/templates/backup.yml.j2 deleted file mode 100644 index 92b1bab..0000000 --- a/roles/borg/templates/backup.yml.j2 +++ /dev/null 
@@ -1,14 +0,0 @@ -location: - source_directories: - - /mnt/atlas - repositories: - - {{ backup_location }} -retention: - keep_daily: 7 - keep_weekly: 4 - keep_monthly: 6 -hooks: - before_everything: - - echo down | ssh backup-control@atlas.lan - after_everything: - - echo up | ssh backup-control@atlas.lan diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml deleted file mode 100644 index 7a8f229..0000000 --- a/roles/common/tasks/main.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: APT upgrade - apt: - autoremove: true - upgrade: yes - state: latest - update_cache: yes - cache_valid_time: 86400 # One day diff --git a/roles/system/files/ssh.conf b/roles/system/files/ssh.conf deleted file mode 100644 index 4a0bccc..0000000 --- a/roles/system/files/ssh.conf +++ /dev/null @@ -1,2 +0,0 @@ -CertificateFile /etc/ssh/ssh_user_ed25519_key-cert.pub -IdentityFile /etc/ssh/ssh_user_ed25519_key diff --git a/roles/system/files/ssh_host_ed25519_key b/roles/system/files/ssh_host_ed25519_key deleted file mode 100644 index 1629458..0000000 --- a/roles/system/files/ssh_host_ed25519_key +++ /dev/null @@ -1,25 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -38633038656332643033396338303864343332636434633331366266383235316235313236646361 -6634313931303637616535373966316165656564366437330a393465356237626631303063363061 -62323737343635316139636664663937333233323737376238656566633037613938383737306132 -6237633230623962320a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diff --git a/roles/system/files/ssh_user_ed25519_key b/roles/system/files/ssh_user_ed25519_key deleted file mode 100644 index 97b033f..0000000 --- a/roles/system/files/ssh_user_ed25519_key +++ /dev/null 
@@ -1,25 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -35346438336463383831313235653538373964643631303961373865643332623636383161333934 -3531363564313239623935343032376535333962336336350a666439303639363735626562323530 -39613366343331643331663434303531613230373934376537646665633630356462333932613537 -3465383636323934300a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diff --git a/roles/system/tasks/main.yml b/roles/system/tasks/main.yml deleted file mode 100644 index fcbb58d..0000000 --- a/roles/system/tasks/main.yml +++ /dev/null 
@@ -1,59 +0,0 @@ -- name: Install sshfs - apt: - name: sshfs -- name: Add admins' authorized keys - authorized_key: - key: "{{ item }}" - user: "{{ ansible_user_id }}" - loop: "{{ admin_public_keys }}" -- name: Copy host public key - copy: - dest: "/etc/ssh/ssh_host_ed25519_key.pub" - content: "{{ dataserver_public_key }}" - mode: 0644 -- name: Copy host private key - copy: - src: "{{ role_path }}/files/ssh_host_ed25519_key" - dest: "/etc/ssh/ssh_host_ed25519_key" - mode: 0600 -- name: Copy user public key - copy: - dest: "/etc/ssh/ssh_user_ed25519_key.pub" - content: "{{ user_public_key }}" - mode: 0644 -- name: Copy user private key - copy: - src: "{{ role_path }}/files/ssh_user_ed25519_key" - dest: "/etc/ssh/ssh_user_ed25519_key" - mode: 0600 -- name: Copy ssh config - copy: - src: "{{ role_path }}/files/ssh.conf" - dest: "/etc/ssh/ssh_config.d/custom.conf" -- name: Check certificate existance - stat: - path: "/etc/ssh/ssh_user_ed25519_key-cert.pub" - register: cert_stat -- name: Generate user certificate - command: - cmd: "ssh -o ConnectTimeout=3 -o ConnectionAttempts=1 root@atlas.lan '/root/ssh_ca/ssh_ca.sh user \"{{ user_public_key }}\" lewis.lan \"backup\"'" - register: cert - delegate_to: localhost - when: not cert_stat.stat.exists -- name: Place user certificate - copy: - dest: "/etc/ssh/ssh_user_ed25519_key-cert.pub" - content: "{{ cert.stdout }}" - mode: 0600 - when: not cert_stat.stat.exists -- name: Create point mount for atlas data - file: - path: /mnt/atlas - state: directory -- name: Mount atlas data - mount: - src: "backup-share@atlas.lan:" - path: "/mnt/atlas" - state: mounted - fstype: fuse.sshfs - opts: "x-systemd.automount,_netdev,idmap=user,allow_other,reconnect,ro,ServerAliveInterval=15,ServerAliveCountMax=3" diff --git a/sshd_user_certificates.conf b/sshd_user_certificates.conf new file mode 100644 index 0000000..b4b81cc --- /dev/null +++ b/sshd_user_certificates.conf 
@@ -0,0 +1,3 @@ +Match User root + TrustedUserCAKeys /etc/ssh/hyp_user.pub + AuthorizedPrincipalsFile /etc/ssh/backup_principals
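Review bot: The `Match User root` block on the first line scopes every directive that follows it in the Include order, and since sshd reads `sshd_config.d/*.conf` lexically, any later fragment with global directives would silently become conditional on the root user. The playbook's other fragment, `sshd_host_certificate.conf`, sorts before `user_certificates.conf`, so it is unaffected today; ending this file with `Match all`, or naming it so it always sorts last, keeps that true when more fragments are added. A header comment would also document the trust boundary, e.g. `# Certificates signed by the hyp user CA may log in as root only with a principal listed in backup_principals`.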