ansible-freeipa/roles/ipabackup/tasks/restore.yml
Rafael Guterres Jeffman b3f024869c Fix Ansible warnings in Firewalld zone testing tasks
The firewalld zone verification tasks in ipaserver, ipareplica, and
ipabackup roles were triggering Ansible warnings due to variable
ipareplica_firewalld_zone not being defined when evaluating the task
name.

This fix removes the Jinja templates from the task names and wraps the
tasks in a single block so the variable verification is done only once.

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
2026-01-08 15:24:07 -03:00


---
# tasks file for ipabackup
### VARIABLES
# Load the first vars file that exists, trying the candidates below in order
# from most to least specific.
- name: Import variables specific to distribution
  ansible.builtin.include_vars:
    file: "{{ item }}"
  with_first_found:
    # Exact distribution: full version, then major version, then name only.
    - "{{ role_path }}/vars/{{ ansible_facts['distribution'] }}-{{ ansible_facts['distribution_version'] }}.yml"
    - "{{ role_path }}/vars/{{ ansible_facts['distribution'] }}-{{ ansible_facts['distribution_major_version'] }}.yml"
    - "{{ role_path }}/vars/{{ ansible_facts['distribution'] }}.yml"
    # os_family is the fallback for distributions that are not supported
    # directly but derive from a supported family, e.g. Oracle, Rocky, Alma
    # and Alibaba Linux, which are all "RedHat" based.
    - "vars/{{ ansible_facts['os_family'] }}-{{ ansible_facts['distribution_version'] }}.yml"
    - "vars/{{ ansible_facts['os_family'] }}-{{ ansible_facts['distribution_major_version'] }}.yml"
    - "vars/{{ ansible_facts['os_family'] }}.yml"
    # Neither distribution nor family matched: use the default configuration.
    - "{{ role_path }}/vars/default.yml"
### GET SERVICES FROM BACKUP
# Look up the requested backup below ipabackup_dir on the managed host.
# NOTE(review): ipabackup_item is joined into the path as-is, so a value
# containing "/" or ".." resolves outside ipabackup_dir - confirm that callers
# restrict it to a plain backup name.
- name: Stat backup on server
  ansible.builtin.stat:
    path: "{{ ipabackup_dir }}/{{ ipabackup_item }}"
  register: result_backup_stat

# stat reports `isdir` only for an existing path, so this stops the play when
# nothing is found there.
# NOTE(review): a path that exists but is not a directory still passes here.
- name: Fail on missing backup directory
  when: result_backup_stat.stat.isdir is undefined
  ansible.builtin.fail:
    msg: "Unable to find backup {{ ipabackup_item }}"
# The backup's "header" file is what the next section reads the service list
# from, so make sure it is present before going on.
- name: Stat header file in backup "{{ ipabackup_item }}"
  ansible.builtin.stat:
    path: "{{ ipabackup_dir }}/{{ ipabackup_item }}/header"
  register: result_backup_header_stat

# stat reports `isreg` only for an existing path, so this stops the play when
# the header is absent.
# NOTE(review): the test is for presence of the attribute, not its value, so
# a "header" that exists but is not a regular file still passes.
- name: Fail on missing header file in backup
  when: result_backup_header_stat.stat.isreg is undefined
  ansible.builtin.fail:
    msg: "Unable to find backup {{ ipabackup_item }} header file"
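# Extract the value of the "services = ..." line from the backup header and
# strip all whitespace, leaving a comma-separated list on stdout.
# The header path goes through the `quote` filter so that spaces or shell
# metacharacters in ipabackup_dir / ipabackup_item are passed to grep as one
# literal argument instead of being interpreted by the shell.
# NOTE(review): pipefail is not set, so only the exit status of `tr` is
# checked; a header without a services line gives empty stdout, not a failure.
- name: Get services from backup
  ansible.builtin.shell: >
    grep "^services = " {{ (ipabackup_dir ~ '/' ~ ipabackup_item ~ '/header') | quote }}
    | cut -d"=" -f2 | tr -d '[:space:]'
  register: result_services_grep
  # Read-only query: never report this task as a change.
  changed_when: false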
# Split the comma-separated grep output into a list and define the service
# labels that later tasks look for in that list.
# NOTE(review): the list comes straight from the backup header, so which
# packages get installed and which firewall services get opened depends on
# the content of the backup being restored.
- name: Set ipabackup_services
  ansible.builtin.set_fact:
    ipabackup_services: "{{ result_services_grep.stdout.split(',') }}"
    ipabackup_service_dns: "DNS"
    ipabackup_service_adtrust: "ADTRUST"
    ipabackup_service_ntp: "NTP"
### INSTALL PACKAGES
# Install the packages the restored server needs. The whole block is skipped
# unless ipabackup_install_packages is true.
- name: Package installation
  when: ipabackup_install_packages | bool
  block:
    # Base server packages are always required.
    - name: Ensure that IPA server packages are installed
      ansible.builtin.package:
        name: "{{ ipaserver_packages }}"
        state: present

    # DNS packages only when the backup lists the DNS service.
    - name: Ensure that IPA server packages for dns are installed
      when: ipabackup_service_dns in ipabackup_services
      ansible.builtin.package:
        name: "{{ ipaserver_packages_dns }}"
        state: present

    # AD trust packages only when the backup lists the ADTRUST service.
    - name: Ensure that IPA server packages for adtrust are installed
      when: ipabackup_service_adtrust in ipabackup_services
      ansible.builtin.package:
        name: "{{ ipaserver_packages_adtrust }}"
        state: present

    # firewalld itself, when this role is asked to manage the firewall.
    - name: Ensure that firewalld packages are installed
      when: ipabackup_setup_firewalld | bool
      ansible.builtin.package:
        name: "{{ ipaserver_packages_firewalld }}"
        state: present
### START FIREWALLD
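# Start firewalld and, when a zone was requested, check that the zone exists
# before the restore runs. Skipped unless ipabackup_setup_firewalld is true.
- name: Firewall configuration
  when: ipabackup_setup_firewalld | bool
  block:
    - name: Ensure that firewalld is running
      ansible.builtin.systemd:
        name: firewalld
        enabled: true
        state: started

    # Both checks run firewall-cmd --info-zone and discard its output; the
    # task fails through the command's exit status when the zone is unknown.
    # The zone name goes through the `quote` filter so that the shell treats
    # it as a single literal word.
    - name: Firewalld - Verify zones
      when: ipabackup_firewalld_zone is defined
      block:
        - name: Firewalld - Verify runtime zone from ipabackup_firewalld_zone
          ansible.builtin.shell: >
            firewall-cmd
            --info-zone={{ ipabackup_firewalld_zone | quote }}
            >/dev/null
          # Query only: never report this task as a change.
          changed_when: false

        - name: Firewalld - Verify permanent zone from ipabackup_firewalld_zone
          ansible.builtin.shell: >
            firewall-cmd
            --permanent
            --info-zone={{ ipabackup_firewalld_zone | quote }}
            >/dev/null
          # Query only: never report this task as a change.
          changed_when: false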
### RESTORE
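# Run ipa-restore for the selected backup. Optional flags are added only when
# the matching variable is set or true.
# Every value taken from a variable goes through the `quote` filter: a
# password or path containing spaces, "$", ";" or similar characters would
# otherwise be expanded or split by the shell instead of reaching ipa-restore
# unchanged.
# no_log keeps the rendered command and its result out of Ansible output and
# logs. It does not hide the password on the managed host: the value is a
# command-line argument and is visible in the process list while ipa-restore
# runs.
# Errors are ignored here so that the following task can print stderr and
# then fail the play.
- name: Restore backup
  no_log: true
  ansible.builtin.shell: >
    ipa-restore
    {{ ipabackup_item | quote }}
    --unattended
    {{ ("--password=" + ipabackup_password) | quote if ipabackup_password is defined else "" }}
    {{ "--data" if ipabackup_data | bool else "" }}
    {{ "--online" if ipabackup_online | bool else "" }}
    {{ ("--instance=" + ipabackup_instance) | quote if ipabackup_instance is defined else "" }}
    {{ ("--backend=" + ipabackup_backend) | quote if ipabackup_backend is defined else "" }}
    {{ "--no-logs" if ipabackup_no_logs | bool else "" }}
    {{ ("--log-file=" + ipabackup_log_file) | quote if ipabackup_log_file is defined else "" }}
  register: result_iparestore
  ignore_errors: true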
# The restore task ignores its own failure; when it did fail, show its stderr
# and fail the play here instead.
# NOTE(review): unlike the restore task, this one is not covered by no_log -
# confirm ipa-restore never writes the password to stderr.
- name: Report error for restore operation
  when: result_iparestore is failed
  ansible.builtin.debug:
    msg: "{{ result_iparestore.stderr }}"
  failed_when: true
### CONFIGURE FIREWALLD
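# Open the FreeIPA services in the permanent firewalld configuration. LDAP and
# LDAPS are always added; trust, DNS and NTP only when the backup header lists
# the matching service.
# The optional zone goes through the `quote` filter so that the command
# module's argument splitting keeps it as a single --zone argument.
- name: Configure firewalld
  ansible.builtin.command: >
    firewall-cmd
    --permanent
    {{ ("--zone=" + ipabackup_firewalld_zone) | quote if ipabackup_firewalld_zone is defined else "" }}
    --add-service=freeipa-ldap
    --add-service=freeipa-ldaps
    {{ "--add-service=freeipa-trust" if ipabackup_service_adtrust in ipabackup_services else "" }}
    {{ "--add-service=dns" if ipabackup_service_dns in ipabackup_services else "" }}
    {{ "--add-service=ntp" if ipabackup_service_ntp in ipabackup_services else "" }}
  when: ipabackup_setup_firewalld | bool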
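# Apply the same service set to the running firewalld configuration, so the
# ports are open without a firewalld reload.
# The optional zone goes through the `quote` filter so that the command
# module's argument splitting keeps it as a single --zone argument.
- name: Configure firewalld runtime
  ansible.builtin.command: >
    firewall-cmd
    {{ ("--zone=" + ipabackup_firewalld_zone) | quote if ipabackup_firewalld_zone is defined else "" }}
    --add-service=freeipa-ldap
    --add-service=freeipa-ldaps
    {{ "--add-service=freeipa-trust" if ipabackup_service_adtrust in ipabackup_services else "" }}
    {{ "--add-service=dns" if ipabackup_service_dns in ipabackup_services else "" }}
    {{ "--add-service=ntp" if ipabackup_service_ntp in ipabackup_services else "" }}
  when: ipabackup_setup_firewalld | bool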