Cron backups

tedezed · tedezed · commit 8e61a064eb21 · 2020-07-22T17:51:23.000+02:00
diff --git a/.gitignore b/.gitignore
@@ -4,4 +4,5 @@
 vagrant_ansible_inventory
 inventory-blk
 .create_hosts.sh
-tools/build_variable_domain
+tools/build_variable_domain
+.custom_cache
diff --git a/Makefile b/Makefile
@@ -1,26 +1,35 @@
-SHELL := /bin/bash
+SHELL:=/bin/bash
+INVENTORY_DIR:=inventory
+#INVENTORY_DIR:=inventory-blk
 
-up:
+vagrant_up:
 	#export VAGRANTFILE_API_VERSION="2"
 	#export VAGRANT_DISABLE_VBOXSYMLINKCREATE=1
 	vboxmanage list vms
 	vagrant up
 
-destroy:
+vagrant_destroy:
 	rm -rf ~/.ssh/known_hosts
-	rm -rf .vagrant/provisioners/ansible/inventory && vagrant destroy -f
+	rm -rf .vagrant/provisioners/ansible/${INVENTORY_DIR} && vagrant destroy -f
 	rm -rf .vagrant/
 	rm -rf ubuntu-*
 
 domain:
 	source tools/generated_domain.sh
 
-ansible: domain
-	ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i inventory/local/hosts.ini --become --become-user=root ansible.yml --extra-vars "$(shell cat tools/build_variable_domain)" -vvv --limit all
+install: domain
+	sed -i 's/_setup: false/_setup: true/' ${INVENTORY_DIR}/local/group_vars/all/all.yml
+	sed -i 's/_uninstall: true/_uninstall: false/' ${INVENTORY_DIR}/local/group_vars/all/all.yml
+	ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i ${INVENTORY_DIR}/local/hosts.ini --become --become-user=root ansible.yml --extra-vars "$(shell cat tools/build_variable_domain)" -v --limit all
 
-deploy: up ansible
+uninstall: domain
+	sed -i 's/_setup: true/_setup: false/' ${INVENTORY_DIR}/local/group_vars/all/all.yml
+	sed -i 's/_uninstall: false/_uninstall: true/' ${INVENTORY_DIR}/local/group_vars/all/all.yml
+	ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i ${INVENTORY_DIR}/local/hosts.ini --become --become-user=root ansible.yml --extra-vars "$(shell cat tools/build_variable_domain)" -v --limit all
 
-upgrade_vagrant:
-	rm -rf .vagrant/provisioners/ansible/inventory
+vagrant_deploy: vagrant_up install
+
+vagrant_upgrade:
+	rm -rf .vagrant/provisioners/ansible/${INVENTORY_DIR}
 	./tools/upgrade_vagrant.bash
 	rm -rf *.deb && rm -rf *.deb\.*
diff --git a/inventory/local/group_vars/all/all.yml b/inventory/local/group_vars/all/all.yml
@@ -1,24 +1,18 @@
 ---
-main_setup: true
-bind9_setup: true
-ldap_setup: true
-kerberos_setup: true
-sssd_setup: true
+main_setup: false
+bind9_setup: false
+ldap_setup: false
+kerberos_setup: false
+sssd_setup: false
 
-main_uninstall: false
-bind9_uninstall: false
-ldap_uninstall: false
-kerberos_uninstall: false
-sssd_uninstall: false
+main_uninstall: true
+bind9_uninstall: true
+ldap_uninstall: true
+kerberos_uninstall: true
+sssd_uninstall: true
 
 domain: '{{ domainbase }}'
 openldap_org: '{{ organization }}'
 openldap_base: '{{ openldap_base }}'
 sudoers: "SUDOers"
 
-# In virtualbox: 0 is internal, 1 private and 2 public IP
-# For more information see the Vagrantfile
-#num_interface: 1
-
-# In normal machine: 0 == eth0
-num_interface: 0
diff --git a/roles/bind9/files/bind_backup b/roles/bind9/files/bind_backup
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+DAYS_DELETE="10"
+DATE_NOW=$(date +%d-%m-%Y)
+BACKUP_PATH=/mnt/backups/bind
+
+mkdir -p ${BACKUP_PATH}
+cd ${BACKUP_PATH}
+
+tar -czf bind_etc_${DATE_NOW}.tar.gz /etc/bind
+
+find ${BACKUP_PATH} -mtime  +$DAYS_DELETE -iname "*.tar.gz" -exec rm -f {} \;
diff --git a/roles/bind9/files/logrotate_bind_backup b/roles/bind9/files/logrotate_bind_backup
@@ -0,0 +1,7 @@
+/var/logs/bind_backup.log {
+    rotate 3
+    monthly
+    compress
+    missingok
+    notifempty
+}
diff --git a/roles/bind9/tasks/install_bind9.yml b/roles/bind9/tasks/install_bind9.yml
@@ -39,3 +39,21 @@
     name: bind9
     state: restarted
     enabled: yes
+
+- name: Copy script backup and logrotate
+  copy: 
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: "{{ item.mode }}"
+  with_items:
+    - { src: "{{ role_path }}/files/bind_backup", dest: "/usr/local/bin/bind_backup", mode: "0755" }
+    - { src: "{{ role_path }}/files/logrotate_bind_backup", dest: "/etc/logrotate.d/logrotate_bind_backup", mode: "0655" }
+
+- name: Configure cron for bind_backup
+  cron:
+    name: "ansible_bind_backup"
+    user: root
+    cron_file: "ansible_bind_backup"
+    minute: "0"
+    hour: "1"
+    job: "/usr/local/bin/bind_backup >> /var/logs/bind_backup.log"
diff --git a/roles/bind9/tasks/uninstall_bind9.yml b/roles/bind9/tasks/uninstall_bind9.yml
@@ -7,7 +7,16 @@
     state: absent
     update_cache: yes
 
-- name: Recursively remove directory
+- name: Remove extra dirs and files
   file:
-    path: /etc/bind
-    state: absent
+    path: "{{ item }}"
+    state: absent
+  with_items:
+    - /etc/bind
+    - /etc/logrotate.d/logrotate_bind_backup
+
+- name : Delete cron for bind_backup
+  cron :
+    name  : ansible_bind_backup
+    cron_file: ansible_bind_backup
+    state : absent
diff --git a/roles/bind9/templates/db.template.j2 b/roles/bind9/templates/db.template.j2
@@ -18,7 +18,7 @@ $TTL    604800
 {% if (group !='bind9') %}
 {{ group }} 			IN  CNAME 		{{ groups[group][0] }}
 {% else %}
-{{ group }} 			IN  A 		{{ hostvars[groups['bind9'][0]].ansible_all_ipv4_addresses[num_interface] }}
+{{ group }} 			IN  A 		{{ hostvars[groups['bind9'][0]].ansible_host }}
 {% endif %}
 {% endif %}
 {% endfor %}
diff --git a/roles/bind9/templates/hosts.j2 b/roles/bind9/templates/hosts.j2
@@ -1,2 +1,2 @@
 127.0.0.1 localhost bind9 {{ groups['bind9'][0] }}
-{{ hostvars[groups['bind9'][0]].ansible_all_ipv4_addresses[num_interface] }} bind9.{{ domain }} bind9
+{{ hostvars[groups['bind9'][0]].ansible_host }} bind9.{{ domain }} bind9
diff --git a/roles/bind9/templates/named.conf.options.j2 b/roles/bind9/templates/named.conf.options.j2
@@ -2,7 +2,7 @@ options {
         directory "/var/cache/bind";
         auth-nxdomain no;    # conform to RFC1035
      	// listen-on-v6 { any; };
-        listen-on port 53 { localhost; {{ hostvars[groups['bind9'][0]].ansible_all_ipv4_addresses[num_interface] }}; };
+        listen-on port 53 { localhost; {{ hostvars[groups['bind9'][0]].ansible_host }}; };
         allow-query { localhost; any; };
         forwarders { 8.8.8.8; };
         recursion yes;
diff --git a/roles/bind9/templates/resolv.conf.j2 b/roles/bind9/templates/resolv.conf.j2
@@ -1,4 +1,4 @@
 domain {{ domain }}
 search bind9.{{ domain }}
-nameserver {{ hostvars[groups['bind9'][0]].ansible_all_ipv4_addresses[num_interface] }}
+nameserver {{ hostvars[groups['bind9'][0]].ansible_host }}
 
diff --git a/roles/common/tasks/main_install.yml b/roles/common/tasks/main_install.yml
@@ -2,7 +2,7 @@
 - name: Interface IP
   debug:
     msg: 
-      - "Interface IP: {{ hostvars[groups['bind9'][0]].ansible_all_ipv4_addresses[num_interface] }}"
+      - "Interface IP: {{ hostvars[groups['bind9'][0]].ansible_host }}"
 
 - name: Create /etc/resolv.conf
   template:
diff --git a/roles/common/templates/resolv.conf.j2 b/roles/common/templates/resolv.conf.j2
@@ -1,4 +1,4 @@
 domain {{ domain }}
 search bind9.{{ domain }}
-nameserver {{ hostvars[groups['bind9'][0]].ansible_all_ipv4_addresses[num_interface] }}
+nameserver {{ hostvars[groups['bind9'][0]].ansible_host }}
 
diff --git a/roles/kerberos/defaults/main.yml b/roles/kerberos/defaults/main.yml
@@ -5,6 +5,9 @@ kdc_port: 88
 kdc_conf_path: /etc/krb5kdc/kdc.conf
 kadm5_acl_path: /etc/krb5kdc/kadm5.acl
 
+ticket_lifetime: 72h
+renew_lifetime: 120d
+
 # Passwd policy
 maxlife: "3 months"
 minlife: "1 months"
diff --git a/roles/kerberos/files/kerberos_backup b/roles/kerberos/files/kerberos_backup
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+DAYS_DELETE="10"
+DATE_NOW=$(date +%d-%m-%Y)
+BACKUP_PATH=/mnt/backups/kerberos
+
+mkdir -p ${BACKUP_PATH}
+cd ${BACKUP_PATH}
+
+/usr/sbin/kdb5_util dump kdb5_${DATE_NOW}.dump
+
+cp /etc/krb5.conf /etc/krb5_${DATE_NOW}.conf
+cp /etc/krb5.keytab /etc/krb5_${DATE_NOW}.conf
+
+tar -czf krb5kdc_etc_${DATE_NOW}.tar.gz /etc/krb5kdc
+tar -czf krb5kdc_var_${DATE_NOW}.tar.gz /var/lib/krb5kdc
+
+find ${BACKUP_PATH} -mtime  +$DAYS_DELETE -iname "*.dump" -exec rm -f {} \;
+find ${BACKUP_PATH} -mtime  +$DAYS_DELETE -iname "*.conf" -exec rm -f {} \;
+find ${BACKUP_PATH} -mtime  +$DAYS_DELETE -iname "*.tar.gz" -exec rm -f {} \;
diff --git a/roles/kerberos/files/logrotate_kerberos_backup b/roles/kerberos/files/logrotate_kerberos_backup
@@ -0,0 +1,7 @@
+/var/logs/kerberos_backup.log {
+    rotate 3
+    monthly
+    compress
+    missingok
+    notifempty
+}
diff --git a/roles/kerberos/tasks/install_kerberos.yml b/roles/kerberos/tasks/install_kerberos.yml
@@ -53,8 +53,21 @@
 - name: Create default password policy
   shell: kadmin.local -q "add_policy -maxlife \"{{ maxlife }}\" -minlife \"{{ minlife }}\" -minlength {{ minlength }} -minclasses {{ minclasses }} -history {{ history }} -maxfailure {{ maxfailure }} -failurecountinterval \"{{ failurecountinterval }}\" -lockoutduration \"{{ lockoutduration }}\" {{ policy_name }}"
 
-- name: Copy blksmanager
-  copy:
-    src: "{{ role_path }}/files/blksmanager"
-    dest: /usr/local/bin/blksmanager
-    mode: 0755
+- name: Copy blksmanager, script backup and logrotate
+  copy: 
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: "{{ item.mode }}"
+  with_items:
+    - { src: "{{ role_path }}/files/blksmanager", dest: "/usr/local/bin/blksmanager", mode: "0755" }
+    - { src: "{{ role_path }}/files/kerberos_backup", dest: "/usr/local/bin/kerberos_backup", mode: "0755" }
+    - { src: "{{ role_path }}/files/logrotate_kerberos_backup", dest: "/etc/logrotate.d/logrotate_kerberos_backup", mode: "0655" }
+
+- name: Configure cron for kerberos_backup
+  cron:
+    name: ansible_kerberos_backup
+    user: root
+    cron_file: ansible_kerberos_backup
+    minute: "0"
+    hour: "2"
+    job: "/usr/local/bin/kerberos_backup >> /var/logs/kerberos_backup.log"
diff --git a/roles/kerberos/tasks/uninstall_kerberos.yml b/roles/kerberos/tasks/uninstall_kerberos.yml
@@ -15,13 +15,17 @@
     - ldap-utils
     - krb5-user
 
-  
-- name: Recursively remove directory
+- name: Remove extra dirs and files
   file:
-    path: /etc/krb5kdc
+    path: "{{ item }}"
     state: absent
+  with_items:
+    - /etc/krb5kdc
+    - /usr/local/bin/blksmanager
+    - /etc/logrotate.d/logrotate_kerberos_backup
 
-- name: Remove blksmanager
-  file:
-    path: /usr/local/bin/blksmanager
-    state: absent
+- name : Delete cron for kerberos_backup
+  cron :
+    name  : ansible_kerberos_backup
+    cron_file: ansible_kerberos_backup
+    state : absent
diff --git a/roles/kerberos/templates/krb5.conf.j2 b/roles/kerberos/templates/krb5.conf.j2
@@ -7,8 +7,8 @@
  default_realm = {{ realm_name|upper() }}
  dns_lookup_realm = false
  dns_lookup_kdc = false
- ticket_lifetime = 24h
- renew_lifetime = 7d
+ ticket_lifetime =  {{ ticket_lifetime }}
+ renew_lifetime = {{ renew_lifetime }}
  forwardable = true
 
 [realms]
diff --git a/roles/ldap/files/ldap_backup b/roles/ldap/files/ldap_backup
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+DAYS_DELETE="10"
+DATE_NOW=$(date +%d-%m-%Y)
+BACKUP_PATH=/mnt/backups/ldap
+
+mkdir -p ${BACKUP_PATH}
+cd ${BACKUP_PATH}
+
+/usr/sbin/slapcat -n 0 > config_${DATE_NOW}.ldif
+/usr/sbin/slapcat -n 1 > domain_${DATE_NOW}.ldif
+
+tar -czf ldap_etc_${DATE_NOW}.tar.gz /etc/ldap
+tar -czf ldap_var_${DATE_NOW}.tar.gz /var/lib/ldap
+
+find ${BACKUP_PATH} -mtime  +$DAYS_DELETE -iname "*.ldif" -exec rm -f {} \;
+find ${BACKUP_PATH} -mtime  +$DAYS_DELETE -iname "*.tar.gz" -exec rm -f {} \;
diff --git a/roles/ldap/files/logrotate_ldap_backup b/roles/ldap/files/logrotate_ldap_backup
@@ -0,0 +1,7 @@
+/var/logs/ldap_backup.log {
+    rotate 3
+    monthly
+    compress
+    missingok
+    notifempty
+}
diff --git a/roles/ldap/tasks/config_openldap.yml b/roles/ldap/tasks/config_openldap.yml
@@ -85,7 +85,7 @@
   with_items:
     - slapdconf add-module memberof
     - slapdconf add-overlay {{ openldap_base }} memberof
-  when: active_memberof|failed
+  when: active_memberof.failed
 
 - name: Check install module ldap refint
   shell: slapdconf list-modules | grep 'refint'
@@ -97,4 +97,4 @@
   with_items:
     - slapdconf add-module refint
     - slapdconf add-overlay {{ openldap_base }} refint olcRefintConfig 'olcRefintAttribute:memberof member manager owner'
-  when: active_refint|failed
+  when: active_refint.failed
diff --git a/roles/ldap/tasks/install_openldap.yml b/roles/ldap/tasks/install_openldap.yml
@@ -37,19 +37,38 @@
   tags:
     - install_packages_ldap
 
-- debug:
+- name: Debug install_ldap_packages
+  debug:
     msg: '{{install_ldap_packages}}'
 
 - name: Validating correct install
   apt:
     name: "{{ openldap_packages }}"
-    update_cache: yes
+    update_cache: "yes"
     state: present
   environment:
       SUDO_FORCE_REMOVE: "yes"
-  when: install_ldap_packages|failed
+  when: install_ldap_packages.failed
   tags:
     - repairs_packages_ldap
 
 - include: config_openldap.yml
-- include: read_only_openldap.yml
+- include: read_only_openldap.yml
+
+- name: Copy script backup and logrotate
+  copy:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: "{{ item.mode }}"
+  with_items:
+    - { src: "{{ role_path }}/files/ldap_backup", dest: "/usr/local/bin/ldap_backup", mode: "0755" }
+    - { src: "{{ role_path }}/files/logrotate_ldap_backup", dest: "/etc/logrotate.d/logrotate_ldap_backup", mode: "0655" }
+
+- name: Configure cron for ldap_backup
+  cron:
+    name: ansible_ldap_backup
+    user: root
+    cron_file: ansible_ldap_backup
+    minute: "30"
+    hour: "1"
+    job: "/usr/local/bin/ldap_backup >> /var/logs/ldap_backup.log"
diff --git a/roles/ldap/tasks/uninstall_openldap.yml b/roles/ldap/tasks/uninstall_openldap.yml
diff --git a/roles/sssd/templates/base.j2 b/roles/sssd/templates/base.j2
diff --git a/tools/generated_domain.sh b/tools/generated_domain.sh

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`	`1`	`127.0.0.1 localhost bind9 {{ groups['bind9'][0] }}`
`2`		`-{{ hostvars[groups['bind9'][0]].ansible_all_ipv4_addresses[num_interface] }} bind9.{{ domain }} bind9`
	`2`	`+{{ hostvars[groups['bind9'][0]].ansible_host }} bind9.{{ domain }} bind9`