Add SSH keys for users, create ansible/README.md

ansible/README.md

@@ -0,0 +1,32 @@
+# OpenFest Infra -- Ansible Playbooks
+
+## General Variables
+
+### Global/Group
+
+| Name            | Description                                     |
+|-----------------|-------------------------------------------------|
+| global_ssh_keys | Keys of people authorized to access _all_ hosts |
+
+### Host
+
+| Name               | Description                                                   |
+|--------------------|---------------------------------------------------------------|
+| ssh_keys['root']   | Users authorized to run commands as root                      |
+| ssh_keys[username] | Authorized keys for a specific user                           |
+| ssh_keys['*']      | Authorized keys for all non-root users provisioned by ansible |
+
+## Secret and not-so-secret Variables (grouped by service)
+
+### Keycloak
+
+| Name                      | Description                                                          |
+|---------------------------|----------------------------------------------------------------------|
+| keycloak_hostname         | Passed as the [Public URL](https://www.keycloak.org/server/hostname) |
+| keycloak_db_password      | PostgreSQL DB Password                                               |
+| keycloak_db_ansible_host  | PostgreSQL DB Host (in inventory), for provisioning the database     |
+| keycloak_podman_user_name | Owner of the keycloak container                                      |
+| keycloak_podman_user_home | `{{ keycloak_podman_user_name }}`'s home directory                   |
+| keycloak_data_dir         | Used for the volumes / bind mounts                                   |
+| keycloak_listen_address   | Where to bind on the host (for using a reverse proxy)                |
+

ansible/roles/auth-server/tasks/keycloak.yml

@@ -12,6 +12,9 @@
     postgres_username: keycloak
     postgres_database: keycloak
     postgres_password: "{{ keycloak_db_password }}" #TODO: change for a password manager
+  args:
+    apply:
+      delegate_to: "{{ keycloak_db_ansible_host | default(omit) }}"
 
 - name: Set up container user
   include_role:

ansible/roles/common/tasks/root_sshkeys.yml

@@ -1,8 +1,8 @@
 ---
 
-- name: add ssh keys to root
+- name: Add public keys for root
   ansible.posix.authorized_key:
     user: root
     key: "{{ lookup('file', '../../access/keys/' + item + '.pub') }}"
     state: present # Note: we don't remove other/existing keys
-  with_items: "{{ ssh_root_keys }}"
+  with_items: "{{ global_ssh_keys + (ssh_keys['root'] | default([])) }}"

ansible/roles/container-user/tasks/main.yml

@@ -16,6 +16,14 @@
     uid: "{{ podman_user_uid | default(omit) }}"
     state: present
 
+- name: Add public keys for user '{{ podman_user_name }}'
+  ansible.posix.authorized_key:
+    user: "{{ podman_user_name }}"
+    key: "{{ lookup('file', '../../access/keys/' + item + '.pub') }}"
+    state: present # Note: we don't remove other/existing keys
+  with_items: "{{ global_ssh_keys + (ssh_keys[podman_user_name] | default([])) + (ssh_keys['*'] | default([])) }}"
+
+
 - name: Create unit files dir
   ansible.builtin.file:
     path: ~/.config/containers/systemd