diff --git a/group_vars/all/plain.yml b/group_vars/all/plain.yml index 7039d39..c806944 100644 --- a/group_vars/all/plain.yml +++ b/group_vars/all/plain.yml @@ -64,6 +64,8 @@ awx_credential_machine_hetzner_name: hetzner-ansible-ssh gitlab_ansible_user_name: "gitlabci" +backupuser_user_name: backupuser + # used for root-access by hetzner on server creation (@see cloud console/security/ssh-keys) hetzner_ssh_keys: - "claus.paetow@netgo.de" @@ -99,15 +101,14 @@ sudo_group: "{{ sudo_groups | replace('.','-') }}" # whitelist for outdated user detection - they wont't be deleted at all -default_plattform_users: +default_users: - 'nobody' - 'elastic' - 'postgres' - 'administrator' - '{{ admin_user }}' - - '{{ backupuser_username }}' -smardigo_plattform_users: +default_plattform_users: - 'claus.paetow' - 'friedrich.goerz' - 'peter.heise' @@ -115,6 +116,8 @@ smardigo_plattform_users: - '{{ awx_ansible_user_name }}' - '{{ gitlab_ansible_user_name }}' +smardigo_plattform_users: "{{ default_plattform_users + custom_plattform_users | default([]) }}" + ip_whitelist_admins: - "79.215.10.239/32" # sven - "212.86.56.112/32" # peter @@ -197,9 +200,6 @@ blackbox_http_2xx_additional_targets: [] prometheus_federation_enabled: true kubernetes_prometheus_endpoint: "{{ stage }}-kube-prometheus.{{ domain }}" -backupuser_username: backupuser -backupuser_ssh_pubkey: 'ssh-rsa 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 storage-server-smardigo' - current_date_time: "{{ lookup('pipe','date +%Y-%m-%d_%H:%M') }}" hcloud_firewall_objects: diff --git a/group_vars/maria/plain.yml b/group_vars/maria/plain.yml index 7cedd84..1c5a543 100644 --- a/group_vars/maria/plain.yml +++ b/group_vars/maria/plain.yml @@ -10,3 +10,6 @@ mysql_users: [] docker_enabled: false traefik_enabled: false filebeat_enabled: false + +custom_plattform_users: + - '{{ backupuser_user_name }}' diff --git a/group_vars/postgres/plain.yml b/group_vars/postgres/plain.yml index b182227..d804c1e 100644 
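Review bot: In the hunk at `@@ -99,15 +101,14 @@` the existing name `default_plattform_users` is kept but re-bound to a different list (the human accounts formerly under `smardigo_plattform_users`), while the system-account whitelist moves to `default_users`. Any task or template outside this diff that still reads `default_plattform_users` expecting the `nobody`/`elastic`/`postgres` list keeps running without error but gets the wrong accounts, and this list feeds the `Remove outdated users` deletion guard; only `roles/common/tasks/main.yml` is updated here, so either grep the rest of the repository for the old meaning or pick a fresh name such as `default_system_users`. In the hunk at `@@ -115,6 +116,8 @@`, `{{ default_plattform_users + custom_plattform_users | default([]) }}` relies on the filter binding tighter than `+`; that is correct, but `{{ default_plattform_users + (custom_plattform_users | default([])) }}` makes the intent explicit, and a comment above it such as `# per-group additions come from custom_plattform_users (group_vars/maria, group_vars/postgres)` would help the next reader.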
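Review bot: `custom_plattform_users` is declared with identical content here and in `group_vars/postgres/plain.yml`; if the inventory has a parent group for the database hosts, defining it once there avoids the two lists drifting apart, otherwise a comment such as `# keep in sync with group_vars/postgres/plain.yml` on both files is the minimum. The entry only whitelists `backupuser` against deletion by the `Remove outdated users` task; it does not create the account, so the creation still has to happen in a task reachable by these groups.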
--- a/group_vars/postgres/plain.yml +++ b/group_vars/postgres/plain.yml @@ -8,3 +8,6 @@ postgres_acls: [] docker_enabled: false traefik_enabled: false filebeat_enabled: false + +custom_plattform_users: + - '{{ backupuser_user_name }}' diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 1459b16..d303953 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -59,7 +59,7 @@ - name: "Remove outdated users" user: name={{ item }} state=absent remove=yes with_items: "{{ current_users.stdout_lines }}" - when: not ((item in default_plattform_users) or (item in smardigo_plattform_users)) + when: not ((item in default_users) or (item in smardigo_plattform_users)) tags: - users @@ -97,25 +97,6 @@ tags: - users -- name: "Create stuff for backups on database servers" - block: - - name: "Create system user for remote_backup" - become: yes - ansible.builtin.user: - name: '{{ backupuser_username }}' - comment: "user for backup" - shell: /bin/bash - - - name: "Add SSH pub key to auth_keys" - authorized_key: - user: '{{ backupuser_username }}' - key: '{{ backupuser_ssh_pubkey }}' - when: - - inventory_hostname in groups['postgres'] or - inventory_hostname in groups['maria'] - tags: - - users - - name: "Ensure docker configuration directory exists" file: path: '/home/{{ item }}/.docker/' diff --git a/roles/maria/tasks/_create_backup.yml b/roles/maria/tasks/_create_backup.yml index 941985b..47cbb17 100644 --- a/roles/maria/tasks/_create_backup.yml +++ b/roles/maria/tasks/_create_backup.yml @@ -46,8 +46,8 @@ become: yes ansible.builtin.file: path: '{{ backup_dest_dir }}' - owner: '{{ backupuser_username }}' - group: '{{ backupuser_username }}' + owner: '{{ backupuser_user_name }}' + group: '{{ backupuser_user_name }}' recurse: yes - name: "Remove {{ my_cnf_file }} file" diff --git a/roles/postgres/tasks/_create_backup.yml b/roles/postgres/tasks/_create_backup.yml index 00330d5..d936dd7 100644 --- a/roles/postgres/tasks/_create_backup.yml 
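Review bot: The hunk at `@@ -97,25 +97,6 @@` deletes the block that created `backupuser` and installed its authorized key on the `postgres` and `maria` hosts, but nothing in this commit replaces it; `roles/maria/tasks/_create_backup.yml` and `roles/postgres/tasks/_create_backup.yml` still set the backup directory's owner and group to `backupuser_user_name`, which would fail on a freshly provisioned host if the account is never created. The new `users/backupuser/ssh.pub` suggests a directory-driven user mechanism elsewhere in the repository now handles this — if so, name that task in the commit message and confirm it runs for the database groups. Separately, the removed `authorized_key` task ran without `exclusive`, so it only ever added keys; hosts already provisioned keep the old `storage-server-smardigo` key in `backupuser`'s `authorized_keys`, and if the new file carries different key material (its comment changed to `backupuser@netgo.de`, the key itself is not visible here) the old key should be revoked explicitly with an `authorized_key` task using `state: absent` rather than left in place. The `when:` change in the first hunk is consistent with the rename in `group_vars/all/plain.yml`.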
+++ b/roles/postgres/tasks/_create_backup.yml @@ -42,6 +42,6 @@ become: yes ansible.builtin.file: path: '{{ backup_dest_dir }}' - owner: '{{ backupuser_username }}' - group: '{{ backupuser_username }}' + owner: '{{ backupuser_user_name }}' + group: '{{ backupuser_user_name }}' recurse: yes diff --git a/users/backupuser/ssh.pub b/users/backupuser/ssh.pub new file mode 100644 index 0000000..bdd90be --- /dev/null +++ b/users/backupuser/ssh.pub @@ -0,0 +1 @@ +ssh-rsa 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 backupuser@netgo.de