From 252351524308fdc928cbb8f87f97adacabe712a2 Mon Sep 17 00:00:00 2001
From: Albert Stefanov
Date: Fri, 16 Feb 2024 22:34:58 +0200
Subject: [PATCH] Add SSH keys for users, create ansible/README.md
---
ansible/README.md | 32 ++++++++++++++++++++
ansible/roles/auth-server/tasks/keycloak.yml | 3 ++
ansible/roles/common/tasks/root_sshkeys.yml | 4 +--
ansible/roles/container-user/tasks/main.yml | 8 +++++
4 files changed, 45 insertions(+), 2 deletions(-)
create mode 100644 ansible/README.md
diff --git a/ansible/README.md b/ansible/README.md
new file mode 100644
index 0000000..4337f86
--- /dev/null
+++ b/ansible/README.md
@@ -0,0 +1,32 @@
+# OpenFest Infra -- Ansible Playbooks
+
+## General Variables
+
+### Global/Group
+
+| Name | Description |
+|-----------------|-------------------------------------------------|
+| global_ssh_keys | Keys of people authorized to access _all_ hosts |
+
+### Host
+
+| Name | Description |
+|--------------------|---------------------------------------------------------------|
+| ssh_keys['root'] | Users authorized to run commands as root |
+| ssh_keys[username] | Authorized keys for a specific user |
+| ssh_keys['*'] | Authorized keys for all non-root users provisioned by ansible |
+
+## Secret and not-so-secret Variables (grouped by service)
+
+### Keycloak
+
+| Name | Description |
+|---------------------------|----------------------------------------------------------------------|
+| keycloak_hostname | Passed as the [Public URL](https://www.keycloak.org/server/hostname) |
+| keycloak_db_password | PostgreSQL DB Password |
+| keycloak_db_ansible_host | PostgreSQL DB Host (in inventory), for provisioning the database |
+| keycloak_podman_user_name | Owner of the keycloak container |
+| keycloak_podman_user_home | `{{ keycloak_podman_user_name }}`'s home directory |
+| keycloak_data_dir | Used for the volumes / bind mounts |
+| keycloak_listen_address | Where to bind on the host (for using a reverse proxy) |
+
diff --git a/ansible/roles/auth-server/tasks/keycloak.yml b/ansible/roles/auth-server/tasks/keycloak.yml
index 8f4a23f..4c65dba 100644
--- a/ansible/roles/auth-server/tasks/keycloak.yml
+++ b/ansible/roles/auth-server/tasks/keycloak.yml
@@ -12,6 +12,9 @@
 postgres_username: keycloak
 postgres_database: keycloak
 postgres_password: "{{ keycloak_db_password }}" #TODO: change for a password manager
+ args:
+ apply:
+ delegate_to: "{{ keycloak_db_ansible_host | default(omit) }}"
 - name: Set up container user
 include_role:
diff --git a/ansible/roles/common/tasks/root_sshkeys.yml b/ansible/roles/common/tasks/root_sshkeys.yml
index f840b9e..3b3430f 100644
--- a/ansible/roles/common/tasks/root_sshkeys.yml
+++ b/ansible/roles/common/tasks/root_sshkeys.yml
@@ -1,8 +1,8 @@
 ---
-- name: add ssh keys to root
+- name: Add public keys for root
 ansible.posix.authorized_key:
 user: root
 key: "{{ lookup('file', '../../access/keys/' + item + '.pub') }}"
 state: present # Note: we don't remove other/existing keys
- with_items: "{{ ssh_root_keys }}"
+ with_items: "{{ global_ssh_keys + (ssh_keys['root'] | default([])) }}"
diff --git a/ansible/roles/container-user/tasks/main.yml b/ansible/roles/container-user/tasks/main.yml
index 2f1368c..5cd38e5 100644
--- a/ansible/roles/container-user/tasks/main.yml
+++ b/ansible/roles/container-user/tasks/main.yml
@@ -16,6 +16,14 @@
 uid: "{{ podman_user_uid | default(omit) }}"
 state: present
+- name: Add public keys for user '{{ podman_user_name }}'
+ ansible.posix.authorized_key:
+ user: "{{ podman_user_name }}"
+ key: "{{ lookup('file', '../../access/keys/' + item + '.pub') }}"
+ state: present # Note: we don't remove other/existing keys
+ with_items: "{{ global_ssh_keys + (ssh_keys[podman_user_name] | default([])) + (ssh_keys['*'] | default([])) }}"
+
+
 - name: Create unit files dir
 ansible.builtin.file:
 path: ~/.config/containers/systemd
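Review bot: `delegate_to: "{{ keycloak_db_ansible_host | default(omit) }}"` is only as safe as the inventory name it is handed; as far as I know Ansible accepts a `delegate_to` target that is not in the inventory and creates an implicit host for it, so a typo in `keycloak_db_ansible_host` would send the PostgreSQL provisioning (with `keycloak_db_password` in its `vars`) towards an unintended machine instead of failing early. An `assert` that the name is a known inventory host, run only when the variable is defined, turns that into a clear error and matches the README wording "DB Host (in inventory)". The enclosing `include_role` task starts above the hunk, so the check belongs before its `- name:` line.
```yaml
- name: Check that keycloak_db_ansible_host names an inventory host
  ansible.builtin.assert:
    that: keycloak_db_ansible_host in groups['all']
    fail_msg: "keycloak_db_ansible_host must be a host in the inventory"
  when: keycloak_db_ansible_host is defined

# … unchanged: include_role task with the postgres vars and args.apply …
```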
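Review bot: `with_items` now reads `global_ssh_keys` and `ssh_keys['root']` instead of `ssh_root_keys`, but no inventory or group_vars file is touched in this commit, so any host that still defines `ssh_root_keys` has that list silently ignored from now on (nothing is removed, so nobody loses access, but entries added there later would never be applied). Please confirm the variable was renamed everywhere, or carry a transitional `+ (ssh_root_keys | default([]))` term for one release. Note also that `global_ssh_keys` has no `default([])` while the other term does, so a host without it fails the play with an undefined-variable error; if that is intentional (the README in this commit lists it as a global/group variable), a comment such as `# global_ssh_keys is deliberately not defaulted: every host must define it` saves the next reader a guess. The same expression shape is used in ansible/roles/container-user/tasks/main.yml.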
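Review bot: Two consecutive blank lines are added before `- name: Create unit files dir`; the rest of the file appears to separate tasks with a single blank line, so one of the two added blank lines should go (yamllint's `empty-lines` rule is the usual check). The new task is otherwise a near-copy of the one in ansible/roles/common/tasks/root_sshkeys.yml with only the user and the key list differing; a shared task file taking the user name and key list as parameters would keep the two from drifting, though that is a larger refactor than this commit needs. One observation on the key lists: with `state: present` and no `exclusive`, a key dropped from `ssh_keys['*']` stays authorized for every provisioned container user, which the inline note already marks as intentional, so it only needs to be said in the README's description of `ssh_keys['*']` as well.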