authorStonewall Jackson <stonewall@sacredheartsc.com>2023-02-04 01:23:43 -0500
committerStonewall Jackson <stonewall@sacredheartsc.com>2023-02-04 01:52:13 -0500
commit0261e875679f1bf63c8d689da7fc7e014597885d (patch)
tree3f19cd74a0c1070944f75437f30b098d6ef2ffcb /roles/archive_server/tasks
initial commit
Diffstat (limited to 'roles/archive_server/tasks')
-rw-r--r--roles/archive_server/tasks/freeipa.yml51
-rw-r--r--roles/archive_server/tasks/main.yml79
2 files changed, 130 insertions, 0 deletions
diff --git a/roles/archive_server/tasks/freeipa.yml b/roles/archive_server/tasks/freeipa.yml
new file mode 100644
index 0000000..f0920f3
--- /dev/null
+++ b/roles/archive_server/tasks/freeipa.yml
@@ -0,0 +1,51 @@
+- name: create freeipa user
+ ipauser:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: '{{ archive_user }}'
+ loginshell: /bin/bash
+ homedir: '{{ archive_home }}'
+ givenname: archive
+ sn: Service Account
+ state: present
+ run_once: True
+
+- name: create archive-clients hostgroup
+ ipahostgroup:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: '{{ archive_clients_hbac_hostgroup }}'
+ description: Archive Clients
+ state: present
+ run_once: True
+
+- name: create HBAC rule for ssh
+ ipahbacrule:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: archive_ssh_to_archive_clients
+ description: Allow archive user to ssh to archive clients
+ user:
+ - '{{ archive_user }}'
+ hostgroup:
+ - '{{ archive_clients_hbac_hostgroup }}'
+ hbacsvc: sshd
+ run_once: True
+
+- name: retrieve user keytab
+ include_role:
+ name: freeipa_keytab
+ vars:
+ keytab_principal: '{{ archive_user }}'
+ keytab_path: '{{ archive_keytab }}'
+
+- name: configure gssproxy for kerberized nfs
+ include_role:
+ name: gssproxy_client
+ vars:
+ gssproxy_name: archiver
+ gssproxy_section: service/archiver
+ gssproxy_keytab: /etc/krb5.keytab
+ gssproxy_client_keytab: '{{ archive_keytab }}'
+ gssproxy_cred_usage: initiate
+ gssproxy_euid: '{{ archive_user }}'
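Review bot: The three `run_once: True` lines (after the ipauser, ipahostgroup and ipahbacrule blocks) use a capitalised YAML 1.1 boolean form; the canonical spelling is `run_once: true`, which is what ansible-lint's truthy rule expects and what the rest of a 1.2-style file should use. The `create HBAC rule for ssh` task is also the only ipa* task without an explicit `state`; ansible-freeipa's ipahbacrule defaults to present, but adding `state: present` keeps it consistent with its two siblings and makes the intent visible. The rule grants `archive_user` sshd access to every host in the hostgroup, so a short comment above the task naming that scope, e.g. `# grants the archive service account ssh to all members of the archive-clients hostgroup`, would help the next reader.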
diff --git a/roles/archive_server/tasks/main.yml b/roles/archive_server/tasks/main.yml
new file mode 100644
index 0000000..d1bed55
--- /dev/null
+++ b/roles/archive_server/tasks/main.yml
@@ -0,0 +1,79 @@
+- import_tasks: freeipa.yml
+
+- name: install rsync
+ dnf:
+ name: rsync
+ state: present
+
+- name: create home directory
+ file:
+ path: '{{ archive_home }}'
+ owner: '{{ archive_user }}'
+ group: '{{ archive_user }}'
+ mode: 0700
+ state: directory
+
+- name: create ssh directory
+ file:
+ path: '{{ archive_home }}/.ssh'
+ owner: '{{ archive_user }}'
+ group: '{{ archive_user }}'
+ mode: 0700
+ state: directory
+
+- name: copy ssh privkey
+ copy:
+ content: '{{ archive_ssh_privkey }}'
+ dest: "{{ archive_home }}/.ssh/id_{{ archive_ssh_pubkey | regex_replace('^ssh-(\\w+).*', '\\1') }}"
+ owner: '{{ archive_user }}'
+ group: '{{ archive_user }}'
+ mode: 0600
+
+- name: generate archiver script
+ template:
+ src: '{{ archive_script_path[1:] }}.j2'
+ dest: '{{ archive_script_path }}'
+ mode: 0555
+
+- name: create plugin directory
+ file:
+ path: '{{ archive_plugin_dir }}'
+ state: directory
+
+- name: copy plugins
+ copy:
+ src: '{{ item.src }}'
+ dest: '{{ archive_plugin_dir }}/{{ item.path }}'
+ mode: 0555
+ loop: "{{ lookup('filetree', archive_plugin_dir[1:], wantlist=True) }}"
+ when: item.state == 'file'
+
+- name: generate configuration
+ template:
+ src: '{{ archive_config_path[1:] }}.j2'
+ dest: '{{ archive_config_path }}'
+ owner: '{{ archive_user }}'
+ group: '{{ archive_user }}'
+ mode: 0440
+
+- name: create SELinux policy to avoid logspam
+ include_role:
+ name: selinux_policy
+ apply:
+ tags: selinux
+ vars:
+ selinux_policy_name: ssh_gssproxy
+ selinux_policy_te: '{{ archive_selinux_policy_te }}'
+ tags: selinux
+
+- name: create systemd timer
+ include_role:
+ name: systemd_timer
+ vars:
+ timer_name: archiver
+ timer_description: Remote file archiver
+ timer_after: nss-user-lookup.target network-online.target gssproxy.service
+ timer_on_calendar: '{{ archive_on_calendar }}'
+ timer_user: '{{ archive_user }}'
+ timer_exec: '{{ archive_script_path }}'
+ timer_persistent: no
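Review bot: The `copy ssh privkey` task writes `archive_ssh_privkey` via `content:` with no `no_log: true`, so a run with `--diff` (or a verbose failure) may echo the private key into the job output; add `no_log: true` to that task, as the key is the only secret this file places on disk in cleartext. The `mode:` values (`0700`, `0600`, `0555`, `0440`) are unquoted octals, which PyYAML reads as YAML 1.1 integers; Ansible tolerates them because of the leading zero, but ansible-lint's risky-octal rule and the module docs both ask for the quoted string form, e.g. `mode: '0600'`. `timer_persistent: no` has the same truthy problem as the ipa tasks in freeipa.yml and should be `timer_persistent: false`, and `create plugin directory` sets no owner or mode, so it inherits the umask of the controller-side connection user — worth stating explicitly if plugins are meant to be readable by `archive_user` only.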