diff --git a/.ansible-lint b/.ansible-lint
new file mode 100644
index 0000000000000000000000000000000000000000..f18a6472898d714ef85310cdbe01e39500977528
--- /dev/null
+++ b/.ansible-lint
@@ -0,0 +1,84 @@
+---
+# based on documentation available at
+# https://ansible-lint.readthedocs.io/en/latest/configuring/
+
+# exclude_paths included in this file are parsed relative to this file's location
+# and not relative to the CWD of execution. CLI arguments passed to the --exclude
+# option will be parsed relative to the CWD of execution.
+exclude_paths:
+ - .cache/ # implicit unless exclude_paths is defined in config
+ - .git/
+ - .githooks/
+ - backups/
+# parseable: true
+# quiet: true
+# verbosity: 1
+
+# Mock modules or roles in order to pass ansible-playbook --syntax-check
+# mock_modules:
+# - zuul_return
+# # note the foo.bar is invalid as being neither a module or a collection
+# - fake_namespace.fake_collection.fake_module
+# - fake_namespace.fake_collection.fake_module.fake_submodule
+# mock_roles:
+# - mocked_role
+# - author.role_name # old standalone galaxy role
+# - fake_namespace.fake_collection.fake_role # role within a collection
+
+# Enable checking of loop variable prefixes in roles
+loop_var_prefix: "{role}_"
+
+use_default_rules: true
+# Load custom rules from this specific folder
+# rulesdir:
+# - ./rule/directory/
+
+# This makes linter to fully ignore rules/tags listed below
+skip_list:
+ - skip_this_tag
+ - git-latest
+
+# Any rule that has the 'opt-in' tag will not be loaded unless its 'id' is
+# mentioned in the enable_list:
+enable_list:
+ - empty-string-compare # opt-in
+ - no-log-password # opt-in
+ - no-same-owner # opt-in
+ # add yaml here if you want to avoid ignoring yaml checks when yamllint
+ # library is missing. Normally its absence just skips using that rule.
+ - yaml
+# Report only a subset of tags and fully ignore any others
+# tags:
+# - var-spacing
+
+# This makes the linter display but not fail for rules/tags listed below:
+warn_list:
+ - skip_this_tag
+ - git-latest
+ - experimental # experimental is included in the implicit list
+ # - role-name
+
+# Offline mode disables installation of requirements.yml
+offline: false
+
+# Define required Ansible's variables to satisfy syntax check
+# extra_vars:
+# foo: bar
+# multiline_string_variable: |
+# line1
+# line2
+# complex_variable: ":{;\t$()"
+
+# Uncomment to enforce action validation with tasks, usually is not
+# needed as Ansible syntax check also covers it.
+# skip_action_validation: false
+
+# List of additional kind:pattern to be added at the top of the default
+# match list, first match determines the file kind.
+kinds:
+ # - playbook: "**/examples/*.{yml,yaml}"
+ # - galaxy: "**/folder/galaxy.yml"
+ # - tasks: "**/tasks/*.yml"
+ # - vars: "**/vars/*.yml"
+ # - meta: "**/meta/main.yml"
+ - yaml: "**/*.yaml-too"
diff --git a/.config/molecule/config.yml b/.config/molecule/config.yml
new file mode 100644
index 0000000000000000000000000000000000000000..ece7ff6dd671a6a55ec8f7e9e498c0310e52d4cc
--- /dev/null
+++ b/.config/molecule/config.yml
@@ -0,0 +1,2 @@
+---
+prerun: false
diff --git a/.gitignore b/.gitignore
index c6bb39d95cb238218d5cdc9be44c6ae6ba768e16..ed783329d62a4c1e481a467fe674eb420a2b81dd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -51,6 +51,8 @@ Thumbs.db *.retry *.vault +inventory.* +inv.* # Vim # #######
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000000000000000000000000000000000000..35eb914ef1faa1659ded6931b4592791404317ba
--- /dev/null
+++ b/.gitlab-ci.yml
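Review bot: `skip_list` and `warn_list` still carry the documentation sample's placeholder entries `skip_this_tag` and `git-latest`, and `git-latest` is a real rule this role would trip: the `ansible.builtin.git` task in tasks/install_ibmsp_client.yml pins no `version:`, so skipping the rule hides the one finding it exists for. The `kinds` entry `- yaml: "**/*.yaml-too"` is likewise the sample's example pattern, not something this repository contains. Drop the placeholder entries (or keep `git-latest` and add an explicit `version:` to the git task) and remove the `*.yaml-too` kind, so the lint configuration only states what is deliberate.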
@@ -0,0 +1,33 @@
+---
+# A pipeline is composed of independent jobs that run scripts, grouped into stages.
+# Stages run in sequential order, but jobs within stages run in parallel.
+#
+# For more information, see: https://docs.gitlab.com/ee/ci/yaml/index.html#stages
+
+stages: # List of stages for jobs, and their order of execution
+ - test
+
+default:
+ before_script:
+ - source /opt/molecule/bin/activate
+ - ansible --version
+ - molecule --version
+
+test-job:
+ stage: test
+ tags:
+ - "shell"
+ script:
+ # make sure that Ansible Vaults are present and can be decrypted
+ - echo "${VAULT_LZA_BACKUP_PROXY}" > ../lza_backup_proxy.pass
+ - export ANSIBLE_VAULT_IDENTITY_LIST="../lza_backup_proxy.pass"
+ - rm -rf ../ansible_vaults/
+ - git clone https://gitlab+deploy-token-25:${VAULT_ACCESS_TOKEN}@git.slub-dresden.de/slub-referat-2-3/ansible_vaults.git ../ansible_vaults/; \
+ # run Molecule tests
+ - molecule syntax --scenario-name default
+ - molecule lint --scenario-name default
+ - molecule create --scenario-name default
+ - molecule converge --scenario-name default
+ - molecule idempotence --scenario-name default
+ # - molecule verify --scenario-name default
+ - molecule destroy --scenario-name default
diff --git a/ansible.cfg b/ansible.cfg
index 841e765c80b5154611ff800372d516444a47b068..9b809d3ea8ce7b2d9fe806c813e73ac8ec89bee5 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -1,7 +1,8 @@ [defaults] # If set, configures the path to the Vault password file as an alternative to # specifying --vault-password-file on the command line. -vault_identity_list = ../lza_install_common.pass, ../lza_server_hardening.pass, ../slub_osquery.pass, ../lza_backup_proxy.pass +# vault_identity_list = ../lza_install_common.pass, ../lza_server_hardening.pass, ../slub_osquery.pass, ../lza_backup_proxy.pass +vault_identity_list = ../lza_backup_proxy.pass # Path to default inventory file # Administrators can override this by using the "-i <inventoryfile>" CLI
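Review bot: The vault password is written to `../lza_backup_proxy.pass` and the vault repository is cloned to `../ansible_vaults/`, both outside the project directory and never removed; with the deploy token embedded in the clone URL, git also records that token in `../ansible_vaults/.git/config`, so on a persistent runner (the `shell` tag suggests a shell executor) both secrets outlive the job. Add an `after_script:` with `- rm -f ../lza_backup_proxy.pass` and `- rm -rf ../ansible_vaults/`, and consider stripping the credential from the remote right after the clone (`git -C ../ansible_vaults/ remote set-url origin <URL without token>`) so the working copy never carries it. The trailing `; \` on the clone line looks like a leftover from a joined shell command and should be dropped, since each list entry is already run as its own line.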
diff --git a/handlers/main.yml b/handlers/main.yml
index caea2eb88da75a0fa519abfc6b27633b7fcec9f5..4cf3e084ae6c31fd73e9a4b4062cc25cf305adb8 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,5 +1,5 @@
---
- name: restart dsmcad
- systemd:
+ ansible.builtin.systemd:
name: "dsmcad.service"
state: restarted
diff --git a/meta/main.yml b/meta/main.yml
index 7fd92e228684b276336411d5aeb1f0ee3c165031..48dce70fe4d0941bf92f2814a499d63bf5b8cac8 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -1,57 +1,32 @@ +--- galaxy_info: author: Jörg Sachse - description: IT administrator - company: SLUBArchiv.digital - - # If the issue tracker for your role is not on github, uncomment the - # next line and provide a value - # issue_tracker_url: http://example.com/issue/tracker - - # Choose a valid license ID from https://spdx.org - some suggested licenses: - # - BSD-3-Clause (default) - # - MIT - # - GPL-2.0-or-later - # - GPL-3.0-only - # - Apache-2.0 - # - CC-BY-4.0 - license: license (GPL-2.0-or-later, MIT, etc) - - min_ansible_version: 2.2 - - # If this a Container Enabled role, provide the minimum Ansible Container version. - # min_ansible_container_version: - - # - # Provide a list of supported platforms, and for each platform a list of versions. - # If you don't wish to enumerate all versions for a particular platform, use 'all'. - # To view available platforms and versions (or releases), visit: - # https://galaxy.ansible.com/api/v1/platforms/ - # - # platforms: - # - name: Fedora - # versions: - # - all - # - 25 - # - name: SomePlatform - # versions: - # - all - # - 1.0 - # - 7 - # - 99.99 - platforms: - - name: Debian - versions: - - 10 - - 11 - + company: SLUB Dresden + description: This role can be used to install a backup proxy server that can be used to gather backups from servers and route them to the IBM Spectrum Protect Server. galaxy_tags: [] - # List tags for your role here, one per line. A tag is a keyword that describes - # and categorizes the role. Users find roles by searching for tags. Be sure to - # remove the '[]' above, if you add tags to this list. + # List tags for your role here, one per line. A tag is a keyword that describes and categorizes the role. Users find roles by searching for tags. Be sure to remove the '[]' above, if you + # add tags to this list. # # NOTE: A tag is limited to a single word comprised of alphanumeric characters. # Maximum 20 tags per role. 
- + # issue_tracker_url: "https://example.com/" + # If the issue tracker for your role is not on github, uncomment the next line and provide a value issue_tracker_url: http://example.com/issue/tracker + license: GPLv3 + # Some suggested licenses: - BSD + # (default) - MIT - GPLv2 - GPLv3 - Apache - CC-BY + min_ansible_version: "2.5" + # If this a Container Enabled role, provide the minimum Ansible Container version. min_ansible_container_version: Optionally specify the branch Galaxy will use when accessing the GitHub repo + # for this role. During role install, if no tags are available, Galaxy will use this branch. During import Galaxy will access files on this branch. If Travis integration is configured, only + # notifications for this branch will be accepted. Otherwise, in all cases, the repo's default branch (usually master) will be used. github_branch: + namespace: "slub" + # Provide a list of supported platforms, and for each platform a list of versions. If you don't wish to enumerate all versions for a particular platform, use 'all'. To view available + # platforms and versions (or releases), visit: https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: - name: Fedora + # versions: - all - 25 - name: SomePlatform versions: - all - 1.0 - 7 - 99.99 + platforms: + - name: Debian + versions: + - "buster" + - "bullseye" dependencies: [] - # List your role dependencies here, one per line. Be sure to remove the '[]' above, - # if you add dependencies to this list. diff --git a/molecule/default b/molecule/default new file mode 120000 index 0000000000000000000000000000000000000000..3841ab1f6fbdfc4b16f9491b776a826e19fa583c --- /dev/null +++ b/molecule/default @@ -0,0 +1 @@ +./virtualbox \ No newline at end of file diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml deleted file mode 100644 index 0be27a1b2cfb85a010c3ed6c192b8860d6558e7a..0000000000000000000000000000000000000000 --- a/molecule/default/converge.yml +++ /dev/null 
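Review bot: The comment block on the new side of meta/main.yml has been re-flowed so that example keys are swallowed into comment prose: `min_ansible_container_version:`, `github_branch:` and `issue_tracker_url: http://example.com/issue/tracker` now sit mid-sentence inside `#` lines, and the license hint reads `# (default) - MIT - GPLv2 - GPLv3 - Apache - CC-BY`. This looks like a reformatter joining the original one-item-per-line Galaxy skeleton comments; either restore them one item per line or drop the skeleton comments now that the real values (`license`, `min_ansible_version`, `platforms`) are set. `license: GPLv3` is also not an SPDX identifier — the removed block itself pointed at IDs such as `GPL-3.0-only` and `GPL-2.0-or-later`, which is what Galaxy expects.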
@@ -1,7 +0,0 @@
----
-- name: Converge
- hosts: all
- tasks:
- - name: "Include ansible_lza_backup_proxy"
- include_role:
- name: "ansible_lza_backup_proxy"
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
deleted file mode 100644
index 69bc10b424bbd44df63d860f82a474f2b713e065..0000000000000000000000000000000000000000
--- a/molecule/default/molecule.yml
+++ /dev/null
@@ -1,11 +0,0 @@
----
-dependency:
- name: galaxy
-driver:
- name: vagrant
-platforms:
- - name: instance
-provisioner:
- name: ansible
-verifier:
- name: ansible
diff --git a/molecule/default/INSTALL.rst b/molecule/resources/playbooks/INSTALL.rst
similarity index 100%
rename from molecule/default/INSTALL.rst
rename to molecule/resources/playbooks/INSTALL.rst
diff --git a/molecule/resources/playbooks/README.md b/molecule/resources/playbooks/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..0c91883011699e3b0ec08bad9bcc19d201ef6331
--- /dev/null
+++ b/molecule/resources/playbooks/README.md
@@ -0,0 +1,3 @@
+This drectory contains shared playbooks and a shared Dockerfile.
+
+Visit https://molecule.readthedocs.io/en/latest/examples.html#sharing-across-scenarios for details on sharing playbooks, tests etc. across multiple scenarios.
diff --git a/molecule/resources/playbooks/converge.yml b/molecule/resources/playbooks/converge.yml
new file mode 100644
index 0000000000000000000000000000000000000000..9a224399492b099e4ead81c62cccdd9510155892
--- /dev/null
+++ b/molecule/resources/playbooks/converge.yml
@@ -0,0 +1,17 @@
+---
+- name: Converge
+ hosts: all
+ pre_tasks:
+ - name: update apt cache
+ ansible.builtin.apt:
+ update_cache: true
+ upgrade: dist
+ become: true
+ when: ansible_os_family == "Debian"
+ - name: update yum cache
+ ansible.builtin.yum:
+ update_cache: true
+ become: true
+ when: ansible_os_family == "RedHat"
+ roles:
+ - {role: "ansible_lza_backup_proxy", become: true}
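Review bot: The pre_task named `update apt cache` also runs `upgrade: dist`, so every converge performs a full dist-upgrade of the test box; the name does not say so, the step lengthens each run, and converge results come to depend on whatever the upstream mirror holds at run time. If the upgrade is intended, name the task accordingly (`- name: update apt cache and dist-upgrade packages`); otherwise drop `upgrade: dist` and keep only `update_cache: true`. The `roles:` entry uses flow style `{role: "ansible_lza_backup_proxy", become: true}` where the rest of the playbook is block style; a block mapping with `role:` and `become:` on their own lines matches the surrounding file.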
diff --git a/molecule/resources/playbooks/prepare.yml b/molecule/resources/playbooks/prepare.yml
new file mode 100644
index 0000000000000000000000000000000000000000..a20ecff01683308e1b648dd4fbb9ff4703258b76
--- /dev/null
+++ b/molecule/resources/playbooks/prepare.yml
@@ -0,0 +1,22 @@
+---
+- name: Prepare
+ hosts: "*"
+ tasks:
+ - name: install GPG
+ ansible.builtin.apt:
+ name: "gnupg"
+ state: latest
+ update_cache: true
+ become: true
+ - name: add GPG key for SLUB Debian repository
+ ansible.builtin.apt_key:
+ url: "https://sdvdebianrepo.slub-dresden.de/deb-repository/pub.gpg.key"
+ state: present
+ become: true
+ - name: add repo URL to sources.list
+ ansible.builtin.apt_repository:
+ repo: "deb https://sdvdebianrepo.slub-dresden.de/deb-repository bullseye main"
+ state: present
+ update_cache: true
+ mode: "0644"
+ become: true
diff --git a/molecule/default/verify.yml b/molecule/resources/playbooks/verify.yml
similarity index 85%
rename from molecule/default/verify.yml
rename to molecule/resources/playbooks/verify.yml
index 79044cd067d65d465136e1d68a529f32b58e0d38..e707420ab5c87edfa59c7805ce4534ff1b387177 100644
--- a/molecule/default/verify.yml
+++ b/molecule/resources/playbooks/verify.yml
@@ -6,5 +6,5 @@
gather_facts: false
tasks:
- name: Example assertion
- assert:
+ ansible.builtin.assert:
that: true
diff --git a/molecule/virtualbox/molecule.yml b/molecule/virtualbox/molecule.yml
new file mode 100644
index 0000000000000000000000000000000000000000..62d3860d016d50054311138b6b6a2c68ad19945e
--- /dev/null
+++ b/molecule/virtualbox/molecule.yml
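Review bot: `ansible.builtin.apt_key` is given only a `url:`, so the repository signing key is trusted purely on the strength of that one TLS download; pinning it with `id: "<KEY_FINGERPRINT>"` (placeholder — the fingerprint of the SLUB repository key) makes the task fail rather than silently accept a different key if the served file ever changes. The repo line hardcodes `bullseye` although meta/main.yml declares `buster` as supported too; `repo: "deb https://sdvdebianrepo.slub-dresden.de/deb-repository {{ ansible_distribution_release }} main"` follows whichever box the scenario boots. `state: latest` on `gnupg` is exactly the `package-latest` finding the molecule lint line excludes; `state: present` is sufficient for a prepare step. Since `apt-key` is deprecated on bullseye, placing the key under `/etc/apt/trusted.gpg.d/` with `ansible.builtin.get_url` is the forward-compatible alternative to `apt_key`.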
@@ -0,0 +1,41 @@
+---
+dependency:
+ name: galaxy
+ enabled: false
+driver:
+ name: vagrant
+lint: |
+ set -e
+ yamllint .
+ ansible-lint -x no-loop-var-prefix,command-instead-of-module,package-latest
+platforms:
+ # Check out the documentation at
+ # https://github.com/ansible-community/molecule-vagrant#documentation
+ # for more platform parameters.
+ - name: vm-runner
+ box: debian/bullseye64
+ memory: 1024
+ # List of raw Vagrant `config` options.
+ # provider_raw_config_args:
+ # - "customize [ 'modifyvm', :id, '--natdnshostresolver1', 'on' ]"
+ # Dictionary of `config` options.
+ config_options:
+ ssh.keep_alive: yes
+ ssh.remote_user: "'lza'"
+provisioner:
+ name: ansible
+ log: true
+ config_options:
+ defaults:
+ # https://stackoverflow.com/questions/57435811/ansible-molecule-pass-multiple-vault-ids
+ # vault_identity_list: "@$HOME/.ansible/roles/lza_install_common.pass, @$HOME/.ansible/roles/passfile_1.pass"
+ vault_identity_list: "../lza_backup_proxy.pass"
+ vvv: false
+ playbooks:
+ # create: ../resources/playbooks/create.yml
+ # destroy: ../resources/playbooks/destroy.yml
+ converge: ../resources/playbooks/converge.yml
+ prepare: ../resources/playbooks/prepare.yml
+ verify: ../resources/playbooks/verify.yml
+verifier:
+ name: ansible
diff --git a/tasks/configure_nfs_mounts.yml b/tasks/configure_nfs_mounts.yml
index bd1ffd389fe1a104fc784914007a77da9eaa4b4e..c6c0aebbf2795b6b7c30e36c17b274ff4fa18597 100644
--- a/tasks/configure_nfs_mounts.yml
+++ b/tasks/configure_nfs_mounts.yml
@@ -1,6 +1,6 @@
---
- name: Mounts für SubApp-Shares & Logs
- mount:
+ ansible.posix.mount:
path: "{{ item.path }}"
src: "{{ item.src }}"
state: "{{ item.state | default('mounted') }}"
diff --git a/tasks/configure_ssh_keys.yml b/tasks/configure_ssh_keys.yml
index 38050bba21d255ca8466c524521bbc84acdbde03..f02522112d11cb52fad2f786c7c2c33e30c2dce3 100644
--- a/tasks/configure_ssh_keys.yml
+++ b/tasks/configure_ssh_keys.yml
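Review bot: `ssh.keep_alive: yes` relies on YAML 1.1 truthy parsing; write `ssh.keep_alive: true` so the value is a boolean under every loader and passes yamllint's `truthy` rule, which the `lint:` stanza runs here via `yamllint .`. `vault_identity_list: "../lza_backup_proxy.pass"` is a path relative to Ansible's working directory at provisioning time, not to this file; it appears to work only because .gitlab-ci.yml writes the file one level above the checkout, so that assumption deserves a comment on the line (`# relative to the role checkout; written by .gitlab-ci.yml`). `ssh.remote_user: "'lza'"` is double-quoted around single quotes, presumably because the value is pasted into a Ruby Vagrantfile — confirm and note it, since it reads like a quoting mistake otherwise.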
@@ -1,11 +1,17 @@ --- +- name: mkdir ~/.ssh/ + ansible.builtin.file: + path: "~/.ssh/" + state: directory + mode: "0600" + +- name: copy deploykey files to managed servers - copy: + ansible.builtin.copy: src: "{{ role_path }}/../ansible_vaults/{{ role_name }}/{{ item }}" dest: "~/.ssh/{{ item }}" owner: "root" group: "root" - mode: 0400 + mode: "0400" loop: - "id_ed25519_deploykey" - "id_ed25519_deploykey.pub"
diff --git a/tasks/install_ibmsp_client.yml b/tasks/install_ibmsp_client.yml
index 204c50e210907a5b0c17c3928ca40aec7f508a0a..fdae0fb108f49952c7d01082a24bd3384a4e5b81 100644
--- a/tasks/install_ibmsp_client.yml
+++ b/tasks/install_ibmsp_client.yml
@@ -1,6 +1,6 @@
---
- name: IBMSP-Client Pakete installieren
- apt:
+ ansible.builtin.apt:
name: [
# GSKit Packages
'gskcrypt64',
@@ -20,7 +20,7 @@ state: latest - name: link IBMSP Client kernel modules - file: + ansible.builtin.file: src: "/usr/local/ibm/gsk8_64/lib64/{{ item }}" path: "/usr/lib/{{ item }}" state: link
@@ -40,9 +40,10 @@ - "libgsk8valn_64.so" - name: write IBMSP config files - template: + ansible.builtin.template: src: "opt/tivoli/tsm/client/ba/bin/{{ item }}.j2" dest: "/opt/tivoli/tsm/client/ba/bin/{{ item }}" + mode: "0644" loop: - "dsm.opt" - "dsm.sys"
@@ -53,16 +54,17 @@ # - dsmc CLI arg ducumentation can be found at: # https://publib.boulder.ibm.com/tividd/td/TSMC/GC32-0789-01/en_US/HTML/ans5000016.htm#HDRCMD6036 - name: write password file - command: + ansible.builtin.command: #use: dsmc set password <Old PW> <New PW> cmd: "dsmc set password {{ ansible_hostname }} {{ ansible_hostname }}" creates: "/etc/adsm/TSM.sth" register: dsmc_result failed_when: (dsmc_result.rc != 0) and (dsmc_result.rc != 8) notify: restart dsmcad + tags: [molecule-notest] + - name: Start dsmcad service. This service triggers regular checks for backup schedules on the IBMSP server. - systemd: + ansible.builtin.systemd: name: "dsmcad.service" state: started
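Review bot: The new `mkdir ~/.ssh/` task creates the directory with `mode: "0600"`, which lacks the execute bit a directory needs to be traversed; `.ssh` should be `mode: "0700"`. As written the following copy only succeeds because root bypasses the permission check, and any non-root reader of `~/.ssh/` would be locked out. The directory also gets no `owner`/`group` while the key files copied into it set `owner: "root"` and `group: "root"`; adding the same two lines to the `ansible.builtin.file` task keeps ownership consistent and avoids the directory inheriting whatever user the connection runs as.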
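Review bot: The `write password file` task now carries `tags: [molecule-notest]`, which makes the one task that sets the IBMSP node password the only untested step; record the reason next to the tag (e.g. `# skipped in Molecule: presumably needs a reachable IBMSP server — confirm`) so the exclusion is not mistaken for an oversight. The `cmd:` line passes the node password as a command-line argument, so it shows up in verbose Ansible output and in the process list on the target; `no_log: true` on the task keeps it out of the Ansible logs, and the `creates:`/`failed_when:` handling is unaffected. Only the module name and the tag are new in this hunk; the task body is pre-existing context.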
@@ -70,22 +72,22 @@
- name: install check-backup scripts
block:
- name: install Git (required by Ansible builtin Git module)
- apt:
+ ansible.builtin.apt:
name: "git"
state: latest
- name: install logrotate (required by check-backup script)
- apt:
+ ansible.builtin.apt:
name: "logrotate"
state: latest
- name: check out check-backup Git repo
- git:
+ ansible.builtin.git:
repo: "git@git.slub-dresden.de:slub-referat-2-3/check-backup.git"
dest: "/tmp/check-backup/"
key_file: "~/.ssh/id_ed25519_deploykey"
accept_hostkey: true
force: true
- name: copy binaries and config to the system
- copy:
+ ansible.builtin.copy:
src: "/tmp/check-backup/Linux{{ item.name }}"
dest: "{{ item.name }}"
mode: "{{ item.mode }}"
@@ -98,7 +100,7 @@
- name: "/usr/local/bin/check-backup.sh"
mode: "0555"
- name: template script config
- template:
+ ansible.builtin.template:
src: "etc/check-backup.cfg.j2"
dest: "/etc/check-backup.cfg"
owner: "root"
diff --git a/tasks/main.yml b/tasks/main.yml
index f7331bdda64dc418dbbccec39c6032db989db2f2..c8eacb9ebcbb2d2d066ee13a0ac9a9dd69bcdd88 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,14 +1,15 @@ --- # tasks file for ansible_lza_backup_proxy -- include_vars: "{{ role_path }}/../ansible_vaults/{{ role_name }}/{{ item }}" +- name: include var files + ansible.builtin.include_vars: "{{ role_path }}/../ansible_vaults/{{ role_name }}/{{ item }}" loop: - "ibmsp.vault" - "nfs_mounts.vault" tags: [always] -- import_tasks: "configure_ssh_keys.yml" +- ansible.builtin.import_tasks: "configure_ssh_keys.yml" tags: [ssh, deploykey] -- import_tasks: "install_ibmsp_client.yml" +- ansible.builtin.import_tasks: "install_ibmsp_client.yml" tags: [ibmsp, tsm, backup] -- import_tasks: "configure_nfs_mounts.yml" +- ansible.builtin.import_tasks: "configure_nfs_mounts.yml" tags: [nfs]
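Review bot: `accept_hostkey: true` on the `ansible.builtin.git` task trusts whatever host key `git.slub-dresden.de` presents on first contact, so host-key verification never protects the first clone that uses the deploy key; seeding the server's published key with `ansible.builtin.known_hosts` beforehand and dropping `accept_hostkey` gives the check something to verify against. The task also pins no `version:`, so `force: true` checks out whatever the default branch holds at run time — this is the `git-latest` rule the new .ansible-lint skips — and a fixed tag or commit would make the installed scripts reproducible. Only the module names are new in this hunk; the parameters are pre-existing context.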