From d2d6ba2276c22e1a9903e7033779732a531ee903 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?J=C3=B6rg=20Sachse?= <Joerg.Sachse@slub-dresden.de> Date: Fri, 20 Aug 2021 11:00:17 +0200 Subject: [PATCH] initial commit --- .gitattributes | 6 + .githooks/pre-commit | 127 ++++++++++++++++++ .gitignore | 86 ++++++++++++ .travis.yml | 29 ++++ .yamllint | 33 +++++ README.md | 82 ++++++++++- ansible.cfg | 40 ++++++ defaults/main.yml | 2 + handlers/main.yml | 5 + meta/main.yml | 57 ++++++++ molecule/default/INSTALL.rst | 23 ++++ molecule/default/converge.yml | 7 + molecule/default/molecule.yml | 11 ++ molecule/default/verify.yml | 10 ++ setup_gitconfig.sh | 13 ++ site.yml | 30 +++++ tasks/configure_nfs_mounts.yml | 10 ++ tasks/configure_ssh_keys.yml | 11 ++ tasks/install_ibmsp_client.yml | 106 +++++++++++++++ tasks/main.yml | 14 ++ templates/etc/check-backup.cfg.j2 | 53 ++++++++ .../opt/tivoli/tsm/client/ba/bin/dsm.opt.j2 | 18 +++ .../opt/tivoli/tsm/client/ba/bin/dsm.sys.j2 | 37 +++++ tests/inventory | 2 + tests/test.yml | 5 + vars/main.yml | 2 + 26 files changed, 818 insertions(+), 1 deletion(-) create mode 100644 .gitattributes create mode 100755 .githooks/pre-commit create mode 100644 .gitignore create mode 100644 .travis.yml create mode 100644 .yamllint create mode 100644 ansible.cfg create mode 100644 defaults/main.yml create mode 100644 handlers/main.yml create mode 100644 meta/main.yml create mode 100644 molecule/default/INSTALL.rst create mode 100644 molecule/default/converge.yml create mode 100644 molecule/default/molecule.yml create mode 100644 molecule/default/verify.yml create mode 100755 setup_gitconfig.sh create mode 100644 site.yml create mode 100644 tasks/configure_nfs_mounts.yml create mode 100644 tasks/configure_ssh_keys.yml create mode 100644 tasks/install_ibmsp_client.yml create mode 100644 tasks/main.yml create mode 100644 templates/etc/check-backup.cfg.j2 create mode 100644 templates/opt/tivoli/tsm/client/ba/bin/dsm.opt.j2 create mode 100644 templates/opt/tivoli/tsm/client/ba/bin/dsm.sys.j2 create mode 100644 tests/inventory 
create mode 100644 tests/test.yml
create mode 100644 vars/main.yml
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..20595a1
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,6 @@
+# CRLF vs. LF:
+* text=auto
+
+# make 'git diff' use ansible-vault for vault files, so you can see decrypted
+# content if you have the password
+*.vault diff=ansible-vault merge=binary
diff --git a/.githooks/pre-commit b/.githooks/pre-commit
new file mode 100755
index 0000000..b5975f0
--- /dev/null
+++ b/.githooks/pre-commit
@@ -0,0 +1,127 @@ +#!/usr/bin/env bash +# +# An example hook script to verify what is about to be committed. +# Called by "git commit" with no arguments. The hook should +# exit with non-zero status after issuing an appropriate message if +# it wants to stop the commit. +# +# To enable this hook, rename this file to "pre-commit". + +if git rev-parse --verify HEAD >/dev/null 2>&1 +then + against=HEAD +else + # Initial commit: diff against an empty tree object + against=$(git hash-object -t tree /dev/null) +fi + +# If you want to allow non-ASCII filenames set this variable to true. +allownonascii=$(git config --bool hooks.allownonascii) + +# Redirect output to stderr. +exec 1>&2 + +# Cross platform projects tend to avoid non-ASCII filenames; prevent +# them from being added to the repository. We exploit the fact that the +# printable range starts at the space character and ends with tilde. +if [ "$allownonascii" != "true" ] && + # Note that the use of brackets around a tr range is ok here, (it's + # even required, for portability to Solaris 10's /usr/bin/tr), since + # the square bracket bytes happen to fall in the designated range. + test $(git diff --cached --name-only --diff-filter=A -z $against | + LC_ALL=C tr -d '[ -~]\0' | wc -c) != 0 +then + cat <<\EOF +Error: Attempt to add a non-ASCII file name. + +This can cause problems if you want to work with people on other platforms. + +To be portable it is advisable to rename the file. + +If you know what you are doing you can disable this check using: + + git config hooks.allownonascii true +EOF + exit 1 +fi + +# If there are whitespace errors, print the offending file names and fail. +# exec git diff-index --check --cached $against -- + + + +################################################################################ +## Everything below this is customized, everything above is from the example. 
## +################################################################################ + +### PREPARE + +# Expand aliases and make alias command work in the bash script. +shopt -s expand_aliases + +REPOPATH="$(git rev-parse --show-toplevel)" +GREP_CMD='grep -Rn --color' +GREP_EXCLUDES="--exclude-dir=\.git --exclude-dir=\.githooks --exclude=*\.example" + +### YAMLLINT stage +STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM) +YAML_FILES=$(git diff --cached --name-only --diff-filter=ACM | grep ".yml$") +if [[ ${YAML_FILES} != "" ]]; then + for file in ${YAML_FILES}; do + yamllint "${file}" + if [[ ${?} -ne 0 ]]; then + exit 1 + fi + done +fi && echo "SUCCESS: Yamllint stage." + +### VAULT detection stage +VAULT_FILES=$(git diff --cached --name-only --diff-filter=ACM | grep ".vault$") +if [[ ${VAULT_FILES} != "" ]]; then + echo "ERROR: Vaultfiles found:" + for file in ${VAULT_FILES}; do + echo "- ${file}" + done + exit 1 +fi +# https://docs.ansible.com/ansible/latest/user_guide/vault.html#vault-format +if [[ ${STAGED_FILES} != "" ]]; then + for file in ${STAGED_FILES}; do + grep -e "\$ANSIBLE_VAULT;[[:digit:]]\.[[:digit:]];AES256" "${file}" + [[ ${?} -eq 0 ]] && echo "ERROR: Ansible-Vault in String found in file '${file}'." && exit 1 + done +fi +echo "SUCCESS: Vault detection stage." + +### URL detection stage +${GREP_CMD} ${GREP_EXCLUDES} -e "http[s]*.*git.*SLUB" -e "http[s]*.*git.*slub" -e "git@" "${REPOPATH}" +if [[ ${?} -eq 0 ]]; then + echo "ERROR: found internal URLs." + exit 1; +fi +echo "SUCCESS: URL detection stage." + +### IP address detection stage +# This is pretty basic regex matching, but it's a start. +IP_REGEX='[^a-zA-ZäöÜÄÖÜß/\\\-][0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' +${GREP_CMD} ${GREP_EXCLUDES} -e "${IP_REGEX}" "${REPOPATH}" | grep -v "127.0.0" +if [[ ${?} -eq 0 ]]; then + echo "ERROR: found IP address." + exit 1; +fi +echo "SUCCESS: IP address detection stage." 
+ +### SSH-Key detection stage +${GREP_CMD} ${GREP_EXCLUDES} -e "ssh-[dr]sa " "${REPOPATH}" +if [[ ${?} -eq 0 ]]; then + echo "ERROR: found SSH key." + exit 1; +fi +echo "SUCCESS: SSH Key detection stage." + + + + +### DONE +# Return explicit 0. +exit 0; diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..c6bb39d --- /dev/null +++ b/.gitignore @@ -0,0 +1,86 @@ +# Compiled source # +################### +*.bin +*.com +*.class +*.dll +*.exe +*.o +*.so +*.pyc +__pycache__ + +# Packages # +############ +# it's better to unpack these files and commit the raw source +# git has its own built in compression methods +*.7z +*.dmg +*.gz +*.iso +*.jar +*.rar +*.tar +*.zip +*.tar.gz +*.tgz + +# Logs and databases # +###################### +*.log +*.sql +*.sqlite + +# OS generated files # +###################### +.DS_Store +.DS_Store? +._* +.Spotlight-V100 +.Trashes +ehthumbs.db +Thumbs.db + +# Linux packages # +################## +*.deb +*.rpm + +# Ansible specific files # +########################## + +*.retry +*.vault + +# Vim # +####### + +# swap +[._]*.s[a-v][a-z] +[._]*.sw[a-p] +[._]s[a-v][a-z] +[._]sw[a-p] + # session +Session.vim +# temporary +.netrwhist +# auto-generated tag files +tags + +# Vagrant # +########### + +.vagrant/ +*.box + +# Temporary/Build/Backup # +########################## + +backups/ +build/ + +# CONFIDENTIAL # +################ + +ssh_host_* + diff --git a/.travis.yml b/.travis.yml new file mode 100644 index 0000000..36bbf62 --- /dev/null +++ b/.travis.yml 
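Review bot: The SSH-key detection stage near the end of the hook matches only `ssh-[dr]sa `, so OpenSSH ed25519 and ECDSA public keys and any private-key block pass the check unnoticed, even though this role itself ships `id_ed25519_deploykey` files. Widen the pattern, e.g. `${GREP_CMD} ${GREP_EXCLUDES} -e "ssh-[dr]sa " -e "ssh-ed25519 " -e "ecdsa-sha2-" -e "PRIVATE KEY-----" "${REPOPATH}"`. Separately, the vault-in-string stage greps `"${file}"` in the working tree rather than the staged blob (`git show ":${file}"`), so a partially staged file is checked against content that is not what gets committed. The `for file in ${YAML_FILES}` and `${STAGED_FILES}` loops also word-split on whitespace in paths; `git diff --cached -z` read with `while IFS= read -r -d ''` avoids that.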
@@ -0,0 +1,29 @@ +--- +language: python +python: "2.7" + +# Use the new container infrastructure +sudo: false + +# Install ansible +addons: + apt: + packages: + - python-pip + +install: + # Install ansible + - pip install ansible + + # Check ansible version + - ansible --version + + # Create ansible.cfg with correct roles_path + - printf '[defaults]\nroles_path=../' >ansible.cfg + +script: + # Basic role syntax check + - ansible-playbook tests/test.yml -i tests/inventory --syntax-check + +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ \ No newline at end of file diff --git a/.yamllint b/.yamllint new file mode 100644 index 0000000..8827676 --- /dev/null +++ b/.yamllint @@ -0,0 +1,33 @@ +--- +# Based on ansible-lint config +extends: default + +rules: + braces: + max-spaces-inside: 1 + level: error + brackets: + max-spaces-inside: 1 + level: error + colons: + max-spaces-after: -1 + level: error + commas: + max-spaces-after: -1 + level: error + comments: disable + comments-indentation: disable + document-start: disable + empty-lines: + max: 3 + level: error + hyphens: + level: error + indentation: disable + key-duplicates: enable + line-length: disable + new-line-at-end-of-file: disable + new-lines: + type: unix + trailing-spaces: disable + truthy: disable diff --git a/README.md b/README.md index 1d9a186..e1baec6 100644 --- a/README.md +++ b/README.md 
@@ -1,2 +1,82 @@ -# Ansible LZA Backup Proxy +# Ansible-Role "ansible_lza_backup_proxy" +## Description + +This role provides all necessary post-install tasks to setup an IBM Spectrum Protect proxy server to delegate NFS share backup tasks. + +## Prerequisites + +To use this role, the following software must be installed on your workstation: +* ansible + +To deploy this role to a managed host, the following software must be installed on the target: +* Python3 +* SSHd + +It is recommended to use Debian VMs as deployed by SLUB's UDA tool with this role. Otherwise you will not have access to the software packages that are located in SLUB's private Debian package repository. + +## Quick Start + +``` + ansible-playbook site.yml [-i <INVENTORY_FILE>] [--limit <HOSTNAME>] [-u <USERNAME>] [-b] +``` + +## General Ansible usage + +Most options already have sensible defaults in `ansible.cfg`. However, you can override these defaults using CLI options/flags if you want to. + +To simply run the playbook, just call the `site.yml` playbook like this: +``` + ansible-playbook site.yml -u <username> +``` + +If you want to limit the execution to a subset of all hosts that are listed in the inventory, use the `-l` or `--limit` option like this: +``` + ansible-playbook site.yml -l <hostna*> + ansible-playbook site.yml -l <hostname> + ansible-playbook site.yml -l <hostname1>:<hostname2>:... + ansible-playbook site.yml -l <inventory_group> + ansible-playbook site.yml --limit=<hostna*> +``` + +If you do not have Vault password files in the directory above the role direcory, you have to give the Vault password before execution: +``` + ansible-playbook site.yml --ask-vault-pass +``` + +You can use your own inventory file by adding the `-i` or `--inventory=INVENTORY` option: +``` + ansible-playbook site.yml -i inventory.yml + ansible-playbook site.yml --inventory=inventory.yml +``` + +Tasks in this role have been tagged to enable users to only run subsets of tasks. 
This can be leveraged to decrease run times or run only certain tasks after small changes. +To list all available tags, use: +``` + ansible-playbook site.yml --list-tags +``` +You can then run only certain tagged tasks by using the `--tags` option: +``` + ansible-playbook site.yml -t tag1,tag2,...,tagN + ansible-playbook site.yml --tags=tag1,tag2,...,tagN +``` + +For more help with ansible-playbook, use the `--help` flag. + +## Testing the role + +Tests have been implemented using the Molecule framework. The details on using the test suite are described below `molecule/`. + +## Variables + +Many variables have been "hidden" in encrypted Ansible Vaults. For security reasons, these Vaults are maintained in a separate private internal repository of SLUB's Git. However, in order to better understand the data within the vaults, you can find `\*.vault.example` files below the `vars/` directory. + +If you work outside of SLUBArchive and have no access to the vault repository, make sure to put the necessary vaults in the expected paths at `../ansible_vaults/<ROLENAME>/`. + +## git configuration + +Just run the `setup_gitconfig.sh` script that comes with the repo to correctly setup all necessary local Git configurations. + +## Author Information + +If you have any comments or find bugs, please contact langzeitarchiv@slub-dresden.de or issue a pull request. diff --git a/ansible.cfg b/ansible.cfg new file mode 100644 index 0000000..841e765 --- /dev/null +++ b/ansible.cfg 
@@ -0,0 +1,40 @@ +[defaults] +# If set, configures the path to the Vault password file as an alternative to +# specifying --vault-password-file on the command line. +vault_identity_list = ../lza_install_common.pass, ../lza_server_hardening.pass, ../slub_osquery.pass, ../lza_backup_proxy.pass + +# Path to default inventory file +# Administrators can override this by using the "-i <inventoryfile>" CLI +# argument. +inventory = ../ansible_vaults/inventory.yml + +# Remote user name +# We DELIBERATELY set this to an non-existent non-root username to make sure +# the role can only be run if an Administrator knows the correct remote_user +# name and passes it as a CLI argument. +remote_user = non-root-user + +# By default, ansible will use the 'linear' strategy but you may want to try +# another one +strategy = free + +# Don't like cows? that's unfortunate. +# Set to 1 if you don't want cowsay support or export ANSIBLE_NOCOWS=1 +nocows = 1 + +# Custom role path that guarantees roles are always found, no matter where a +# user checks them out. +roles_path = ../:~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles + +[inventory] +# Ignore these extensions when parsing a directory as inventory source. +ignore_extensions = .pyc, .pyo, .swp, .bak, ~, .rpm, .md, .txt, ~, .orig, .ini, .cfg, .retry + +[ssh_connection] +# Enabling pipelining reduces the number of SSH operations required to +# execute a module on the remote server. This can result in a significant +# performance improvement when enabled, however when using "sudo:" you must +# first disable 'requiretty' in /etc/sudoers +# By default, this option is disabled to preserve compatibility with +# sudoers configurations that have requiretty (the default on many distros). +pipelining = True diff --git a/defaults/main.yml b/defaults/main.yml new file mode 100644 index 0000000..ff19fbb --- /dev/null +++ b/defaults/main.yml @@ -0,0 +1,2 @@ +--- +# defaults file for ansible_lza_backup_proxy 
diff --git a/handlers/main.yml b/handlers/main.yml new file mode 100644 index 0000000..caea2eb --- /dev/null +++ b/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: restart dsmcad + systemd: + name: "dsmcad.service" + state: restarted diff --git a/meta/main.yml b/meta/main.yml new file mode 100644 index 0000000..7fd92e2 --- /dev/null +++ b/meta/main.yml 
@@ -0,0 +1,57 @@ +galaxy_info: + author: Jörg Sachse + description: IT administrator + company: SLUBArchiv.digital + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) + + min_ansible_version: 2.2 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + platforms: + - name: Debian + versions: + - 10 + - 11 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/molecule/default/INSTALL.rst b/molecule/default/INSTALL.rst new file mode 100644 index 0000000..0c4bf5c --- /dev/null +++ b/molecule/default/INSTALL.rst 
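Review bot: The `license:` line still carries the Galaxy skeleton placeholder `license (GPL-2.0-or-later, MIT, etc)` rather than an SPDX identifier, so the role's licensing is effectively undeclared and metadata linting is likely to flag it. Replace it with the single identifier that applies, e.g. `license: GPL-2.0-or-later` if that is the intended licence. `description: IT administrator` describes the author rather than the role and `galaxy_tags: []` is still empty; both could be filled in at the same time.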
@@ -0,0 +1,23 @@ +********************************* +Vagrant driver installation guide +********************************* + +Requirements +============ + +* Vagrant +* Virtualbox, Parallels, VMware Fusion, VMware Workstation or VMware Desktop + +Install +======= + +Please refer to the `Virtual environment`_ documentation for installation best +practices. If not using a virtual environment, please consider passing the +widely recommended `'--user' flag`_ when invoking ``pip``. + +.. _Virtual environment: https://virtualenv.pypa.io/en/latest/ +.. _'--user' flag: https://packaging.python.org/tutorials/installing-packages/#installing-to-the-user-site + +.. code-block:: bash + + $ pip install 'molecule_vagrant' diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml new file mode 100644 index 0000000..0be27a1 --- /dev/null +++ b/molecule/default/converge.yml @@ -0,0 +1,7 @@ +--- +- name: Converge + hosts: all + tasks: + - name: "Include ansible_lza_backup_proxy" + include_role: + name: "ansible_lza_backup_proxy" diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml new file mode 100644 index 0000000..69bc10b --- /dev/null +++ b/molecule/default/molecule.yml @@ -0,0 +1,11 @@ +--- +dependency: + name: galaxy +driver: + name: vagrant +platforms: + - name: instance +provisioner: + name: ansible +verifier: + name: ansible diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml new file mode 100644 index 0000000..79044cd --- /dev/null +++ b/molecule/default/verify.yml @@ -0,0 +1,10 @@ +--- +# This is an example playbook to execute Ansible tests. + +- name: Verify + hosts: all + gather_facts: false + tasks: + - name: Example assertion + assert: + that: true diff --git a/setup_gitconfig.sh b/setup_gitconfig.sh new file mode 100755 index 0000000..3e15afe --- /dev/null +++ b/setup_gitconfig.sh 
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+set -ex
+
+# Change the path that Git expects the hooks to be in, so we can track the hooks
+# within the repository (as the default `.git/` directory is not tracked).
+git config --local core.hooksPath .githooks/
+
+# To be able to run `git diff` on Ansible Vault files, please set you local
+# `git/config` files as described in (https://stackoverflow.com/a/52863794) for
+# the `~/.gitconfig` file or just blindly follow the instructions there to set
+# it for you Git installation as a whole.
+git config --local core.attributesfile "../.gitattributes"
+git config --local diff.ansible-vault.textconv "ansible-vault view"
diff --git a/site.yml b/site.yml
new file mode 100644
index 0000000..9c12049
--- /dev/null
+++ b/site.yml
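Review bot: `core.attributesfile` is set to `../.gitattributes`, a path outside the checkout, while this same commit adds a `.gitattributes` at the repository root that Git reads without any configuration. Git appears to resolve a relative `core.attributesFile` against the current working directory rather than the repository root, so this line either points at a file the commit does not provide or is redundant; either drop it or name the intended file with an absolute path. A one-line comment stating which file `../.gitattributes` is meant to be would make the intent checkable, since the comment above it only refers readers to the StackOverflow answer about `~/.gitconfig`.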
@@ -0,0 +1,30 @@ +--- +- hosts: "*" + pre_tasks: + - name: Verify that the installed version of Ansible meets this playbook's version requirements. + assert: + that: "ansible_version.full is version_compare('2.2', '>=')" + msg: > + "You must update Ansible to at least 2.2 to use this playbook." + # Collect facts from remote system? Possible values: true, false + gather_facts: true + # Gather only certain subsects of facts. Ansible supports network, hardware, virtual, facter, ohai as subset. + #gather_subset: + # - network + # - virtual + # - hardware + # any_error_fatal will mark all the hosts as failed if fails and immediately abort the playbook execution. Possible values: true, false + any_errors_fatal: false + # max_fail_percentage allows you to abort the play if certain threshold of failures have been reached. + max_fail_percentage: 30 + serial: 30 + # hide sensitive information in verbose/debugging output from others. Possible values: true, false + no_log: false + # execution strategy, possible values: debug, linear, serial, free (https://docs.ansible.com/ansible/latest/user_guide/playbooks_strategies.html) + strategy: linear + + roles: + #- { role: ansible_lza_install_common, become: true } + #- { role: ansible_lza_server_hardening, become: true } + #- { role: ansible_slub_osquery, become: true } + - { role: ansible_lza_backup_proxy, become: true } diff --git a/tasks/configure_nfs_mounts.yml b/tasks/configure_nfs_mounts.yml new file mode 100644 index 0000000..bd1ffd3 --- /dev/null +++ b/tasks/configure_nfs_mounts.yml @@ -0,0 +1,10 @@ +--- +- name: Mounts für SubApp-Shares & Logs + mount: + path: "{{ item.path }}" + src: "{{ item.src }}" + state: "{{ item.state | default('mounted') }}" + fstype: "nfs" + opts: "ro,{{ item.opts | default( nfs_opts.v3 ) }}" + loop: "{{ nfs_shares }}" + tags: [notest] diff --git a/tasks/configure_ssh_keys.yml b/tasks/configure_ssh_keys.yml new file mode 100644 index 0000000..38050bb --- /dev/null +++ b/tasks/configure_ssh_keys.yml 
@@ -0,0 +1,11 @@ +--- +- name: copy deploykey files to managed servers + copy: + src: "{{ role_path }}/../ansible_vaults/{{ role_name }}/{{ item }}" + dest: "~/.ssh/{{ item }}" + owner: "root" + group: "root" + mode: 0400 + loop: + - "id_ed25519_deploykey" + - "id_ed25519_deploykey.pub" diff --git a/tasks/install_ibmsp_client.yml b/tasks/install_ibmsp_client.yml new file mode 100644 index 0000000..204c50e --- /dev/null +++ b/tasks/install_ibmsp_client.yml 
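Review bot: The task copies both deploy-key files into `~/.ssh/`, but nothing in the role ensures that directory exists and `copy` does not create missing parent directories, so on a freshly provisioned host the task fails before the key is placed. Add a `file` task in front of it that creates the directory with `mode: "0700"`; with `become: true` (as `site.yml` applies the role) `~` resolves to `/root`, which matches the `owner: "root"` set here. `mode: 0400` is also the only unquoted octal in the role (the other tasks use `"0444"`/`"0555"`), so `mode: "0400"` would be consistent and avoids YAML octal surprises.
```yaml
- name: ensure ~/.ssh exists for the deploykey files
  file:
    path: "~/.ssh"
    state: directory
    owner: "root"
    group: "root"
    mode: "0700"

# … unchanged: copy deploykey files to managed servers task …
```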
@@ -0,0 +1,106 @@ +--- +- name: IBMSP-Client Pakete installieren + apt: + name: [ + # GSKit Packages + 'gskcrypt64', + 'gskssl64', + # TSM API + 'tivsm-api64', + # TSM API CIT (Common Inventory Technology, für die Berechnung der PVUs notwendig) + 'tivsm-apicit', + # TSM Backup-Client + 'tivsm-ba', + # TSM Backup-Client CIT (Common Inventory Technology) + 'tivsm-bacit', + # TSM ONTAP Bibliothek (Support für NetApp Speicher) + 'tivsm-bahdw', + #'tivsm-jbb', + ] + state: latest + +- name: link IBMSP Client kernel modules + file: + src: "/usr/local/ibm/gsk8_64/lib64/{{ item }}" + path: "/usr/lib/{{ item }}" + state: link + loop: + - "libgsk8acmeidup_64.so" + - "libgsk8cms_64.so" + - "libgsk8dbfl_64.so" + - "libgsk8drld_64.so" + - "libgsk8iccs_64.so" + - "libgsk8kicc_64.so" + - "libgsk8km2_64.so" + - "libgsk8km_64.so" + - "libgsk8ldap_64.so" + - "libgsk8p11_64.so" + - "libgsk8ssl_64.so" + - "libgsk8sys_64.so" + - "libgsk8valn_64.so" + +- name: write IBMSP config files + template: + src: "opt/tivoli/tsm/client/ba/bin/{{ item }}.j2" + dest: "/opt/tivoli/tsm/client/ba/bin/{{ item }}" + loop: + - "dsm.opt" + - "dsm.sys" + notify: restart dsmcad + +# - based on Michail Angelos Simos' Ansible Role: +# https://github.com/mikesimos/tsm-client.git +# - dsmc CLI arg ducumentation can be found at: +# https://publib.boulder.ibm.com/tividd/td/TSMC/GC32-0789-01/en_US/HTML/ans5000016.htm#HDRCMD6036 +- name: write password file + command: + #use: dsmc set password <Old PW> <New PW> + cmd: "dsmc set password {{ ansible_hostname }} {{ ansible_hostname }}" + creates: "/etc/adsm/TSM.sth" + register: dsmc_result + failed_when: (dsmc_result.rc != 0) and (dsmc_result.rc != 8) + notify: restart dsmcad + +- name: Start dsmcad service. This service triggers regular checks for backup schedules on the IBMSP server. 
+ systemd: + name: "dsmcad.service" + state: started + +# check is run as a logrotage PreCmd, so no Cronjob/Timer is required +- name: install check-backup scripts + block: + - name: install Git (required by Ansible builtin Git module) + apt: + name: "git" + state: latest + - name: install logrotate (required by check-backup script) + apt: + name: "logrotate" + state: latest + - name: check out check-backup Git repo + git: + repo: "git@git.slub-dresden.de:slub-referat-2-3/check-backup.git" + dest: "/tmp/check-backup/" + key_file: "~/.ssh/id_ed25519_deploykey" + accept_hostkey: true + force: true + - name: copy binaries and config to the system + copy: + src: "/tmp/check-backup/Linux{{ item.name }}" + dest: "{{ item.name }}" + mode: "{{ item.mode }}" + remote_src: true + loop: + - name: "/etc/logrotate.d/dsmcad" + mode: "0444" + - name: "/usr/share/doc/check-backup.man" + mode: "0444" + - name: "/usr/local/bin/check-backup.sh" + mode: "0555" + - name: template script config + template: + src: "etc/check-backup.cfg.j2" + dest: "/etc/check-backup.cfg" + owner: "root" + group: "root" + mode: "0644" diff --git a/tasks/main.yml b/tasks/main.yml new file mode 100644 index 0000000..f7331bd --- /dev/null +++ b/tasks/main.yml @@ -0,0 +1,14 @@ +--- +# tasks file for ansible_lza_backup_proxy +- include_vars: "{{ role_path }}/../ansible_vaults/{{ role_name }}/{{ item }}" + loop: + - "ibmsp.vault" + - "nfs_mounts.vault" + tags: [always] + +- import_tasks: "configure_ssh_keys.yml" + tags: [ssh, deploykey] +- import_tasks: "install_ibmsp_client.yml" + tags: [ibmsp, tsm, backup] +- import_tasks: "configure_nfs_mounts.yml" + tags: [nfs] diff --git a/templates/etc/check-backup.cfg.j2 b/templates/etc/check-backup.cfg.j2 new file mode 100644 index 0000000..be0a8f8 --- /dev/null +++ b/templates/etc/check-backup.cfg.j2 
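Review bot: In the `write password file` task the node password is set to `{{ ansible_hostname }}`, so the IBM Spectrum Protect node authenticates with a value that is public knowledge, and because the task has no `no_log: true` the full command line with both password arguments appears in verbose runs and in the registered `dsmc_result`. Source the password from the `ibmsp.vault` that `tasks/main.yml` already loads and add `no_log: true` to the task. In the `check out check-backup Git repo` task, `accept_hostkey: true` trusts whatever host key the first connection presents; pin the server's key with a preceding `known_hosts` task instead. Also clone into a root-owned location such as `dest: "/usr/local/src/check-backup/"` rather than the predictable, world-writable `/tmp/check-backup/` from which the following task copies binaries into `/usr/local/bin` with `remote_src: true`.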
@@ -0,0 +1,53 @@ +##################################### +# # +# CONFIG FILE FOR check-backup.sh # +# # +##################################### + +### HELP + +# Use this file to set custom configurations for check-backup.sh. These settings +# will overwrite the defaults that are encoded in the script. +# As check-backup.sh includes this file, you have to use valid Bash syntax. + + +### CONFIGURATION + +## DSM Logs +# search this path to find logs written by TSM Client +# Default: DSMLOGS_PATH="/var/log/" +DSMLOGS_PATH="/var/log/" +# array of log file names +# Default: DSMLOGS=("dsmsched.log" "dsmerror.log") +DSMLOGS=("dsmsched.log" "dsmerror.log") + +## Log rotation +# general log directory on the system +# Default: BACKUP_FOLDER_PATH="/var/log/" +BACKUP_FOLDER_PATH="/var/log/" +# save rotated logs to this directory +# Default: LOG_BACKUP_FOLDER="${BACKUP_FOLDER_PATH}/tsm_logs_archive/" +LOG_BACKUP_FOLDER="${BACKUP_FOLDER_PATH}/tsm_logs_archive/" +# save this many generations of rotated logs +# Default: LOG_RETENTION_COUNT=5 +LOG_RETENTION_COUNT=5 + +## Error capture +# Regex to search for error messages +# Default: REGEX="ANS[0-9]{4}[ES]" +REGEX="ANS[0-9]{4}[ES]" + +## E-Mail settings +# name of TSM node +# Default: NODENAME="sdvazubitest" +NODENAME="{{ ansible_hostname }}" +# email recipient +# Default: EMAIL_TO="randy.schoelzel@slub-dresden.de" +EMAIL_TO="{{ vault_ibmsp_mail_to }}" +# email carbon copy recipients +# EMAIL_CC="~c Vorname.Nachname@slub-dresden.de,root@${HOSTNAME}" # example +# Default: EMAIL_CC="" +EMAIL_CC="{{ vault_ibmsp_mail_cc }}" +# email sender +# Default: EMAIL_FROM="TSM-Backup-PostSchedCmd@${HOSTNAME}" +EMAIL_FROM="TSM-Backup-PostSchedCmd@${HOSTNAME}" diff --git a/templates/opt/tivoli/tsm/client/ba/bin/dsm.opt.j2 b/templates/opt/tivoli/tsm/client/ba/bin/dsm.opt.j2 new file mode 100644 index 0000000..a9b8d63 --- /dev/null +++ b/templates/opt/tivoli/tsm/client/ba/bin/dsm.opt.j2 
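Review bot: This file is sourced by `check-backup.sh` as Bash (the header says so), yet `EMAIL_TO` and `EMAIL_CC` interpolate `{{ vault_ibmsp_mail_to }}` and `{{ vault_ibmsp_mail_cc }}` inside double quotes, so a value containing `"`, `$` or a backtick changes the meaning of the sourced script rather than the address. Emit the values shell-quoted instead, `EMAIL_TO={{ vault_ibmsp_mail_to | quote }}` and `EMAIL_CC={{ vault_ibmsp_mail_cc | quote }}`, which leaves the deliberate `${HOSTNAME}` expansion in `EMAIL_FROM` untouched. The `# Default:` comment for `EMAIL_TO` still shows a personal address; a neutral placeholder would be cleaner in a published template.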
@@ -0,0 +1,18 @@ +************************************************************************ +* Tivoli Storage Manager * +* * +* Sample Client User Options file for UNIX (dsm.opt.smp) * +************************************************************************ + +* This file contains an option you can use to specify the TSM +* server to contact if more than one is defined in your client +* system options file (dsm.sys). Copy dsm.opt.smp to dsm.opt. +* If you enter a server name for the option below, remove the +* leading asterisk (*). + +************************************************************************ + +* Servername A server name defined in the dsm.sys file +* Servername sdvtsm1_backup +Servername {{ servername }} + diff --git a/templates/opt/tivoli/tsm/client/ba/bin/dsm.sys.j2 b/templates/opt/tivoli/tsm/client/ba/bin/dsm.sys.j2 new file mode 100644 index 0000000..1f073eb --- /dev/null +++ b/templates/opt/tivoli/tsm/client/ba/bin/dsm.sys.j2 
@@ -0,0 +1,37 @@ +************************************************************************ +* Tivoli Storage Manager * +* * +* Sample Client System Options file for UNIX (dsm.sys.smp) * +************************************************************************ + +* This file contains the minimum options required to get started +* using TSM. Copy dsm.sys.smp to dsm.sys. In the dsm.sys file, +* enter the appropriate values for each option listed below and +* remove the leading asterisk (*) for each one. + +* If your client node communicates with multiple TSM servers, be +* sure to add a stanza, beginning with the SERVERNAME option, for +* each additional server. + +************************************************************************ + +Servername {{ servername }} + COMMMethod {{ comm_method }} + TCPPort {{ tcp_port }} + TCPServeraddress {{ tcp_serveraddress }} + nodename {{ ansible_hostname }} + passwordaccess {{ passwordaccess }} + managedservices {{ managedservices }} + + Domain {{ domain }} + + exclude.fs /dev/shm + exclude.dir /dev + exclude.dir /proc + exclude.dir /tmp + exclude.dir /var/log/.../* + + schedlogname {{ schedlogname }} + schedlogretention {{ schedlogretention }} + errorlogname {{ errorlogname }} + errorlogretention {{ errorlogretention }} diff --git a/tests/inventory b/tests/inventory new file mode 100644 index 0000000..878877b --- /dev/null +++ b/tests/inventory @@ -0,0 +1,2 @@ +localhost + diff --git a/tests/test.yml b/tests/test.yml new file mode 100644 index 0000000..88618ae --- /dev/null +++ b/tests/test.yml @@ -0,0 +1,5 @@ +--- +- hosts: localhost + remote_user: root + roles: + - ansible_lza_backup_proxy diff --git a/vars/main.yml b/vars/main.yml new file mode 100644 index 0000000..aaac862 --- /dev/null +++ b/vars/main.yml @@ -0,0 +1,2 @@ +--- +# vars file for ansible_lza_backup_proxy -- GitLab