Decouple users from podman
This commit is contained in:
parent
dc997a359e
commit
df6b81bd6b
1
ansible/host_vars/infrahost/firewall.yml.example
Normal file
1
ansible/host_vars/infrahost/firewall.yml.example
Normal file
@ -0,0 +1 @@
|
||||
firewall:
|
5
ansible/host_vars/infrahost/users.yml.example
Normal file
5
ansible/host_vars/infrahost/users.yml.example
Normal file
@ -0,0 +1,5 @@
|
||||
---
|
||||
|
||||
users:
|
||||
auth:
|
||||
matrix:
|
@ -3,7 +3,7 @@
|
||||
- name: Check parameters
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- keycloak.podman.user is defined
|
||||
- keycloak.podman_user is defined
|
||||
- keycloak.db.password is defined
|
||||
|
||||
- name: Create PostgreSQL database
|
||||
@ -21,9 +21,7 @@
|
||||
ansible.builtin.include_role:
|
||||
name: container-user
|
||||
vars:
|
||||
user: "{{ keycloak.podman.user }}"
|
||||
home: "{{ keycloak.podman.home | default(omit) }}"
|
||||
uid: "{{ keycloak.podman.uid | default(omit) }}"
|
||||
user: "{{ keycloak.podman_user }}"
|
||||
|
||||
- name: Create data directories
|
||||
ansible.builtin.file:
|
||||
@ -39,7 +37,7 @@
|
||||
dest: ~/.config/containers/systemd/sso-keycloak.container
|
||||
mode: "644"
|
||||
become: true
|
||||
become_user: "{{ keycloak.podman.user }}"
|
||||
become_user: "{{ keycloak.podman_user }}"
|
||||
|
||||
- name: Set up podman secrets
|
||||
containers.podman.podman_secret:
|
||||
@ -60,7 +58,7 @@
|
||||
no_log: true
|
||||
|
||||
become: true
|
||||
become_user: "{{ keycloak.podman.user }}"
|
||||
become_user: "{{ keycloak.podman_user }}"
|
||||
|
||||
# Note: enabled in the unit file
|
||||
- name: Start Keycloak
|
||||
@ -70,7 +68,7 @@
|
||||
daemon_reload: true
|
||||
state: started
|
||||
become: true
|
||||
become_user: "{{ keycloak.podman.user }}"
|
||||
become_user: "{{ keycloak.podman_user }}"
|
||||
|
||||
- name: Set up reverse proxy
|
||||
ansible.builtin.include_tasks: tasks/create_vhost.yml
|
||||
|
@ -11,3 +11,13 @@
|
||||
- name: Setup firewall
|
||||
ansible.builtin.include_tasks: firewall.yml
|
||||
when: firewall is defined
|
||||
|
||||
- name: Provision users
|
||||
ansible.builtin.include_role:
|
||||
name: user
|
||||
vars:
|
||||
user: "{{ user_item.key }}" # noqa:var-naming[no-role-prefix]
|
||||
loop_control:
|
||||
loop_var: user_item
|
||||
with_items:
|
||||
- "{{ users | dict2items }}"
|
||||
|
@ -10,19 +10,8 @@
|
||||
name: container-host
|
||||
|
||||
- name: Create user
|
||||
ansible.builtin.user:
|
||||
name: "{{ user }}"
|
||||
home: "{{ home | default(omit) }}"
|
||||
uid: "{{ uid | default(omit) }}"
|
||||
state: present
|
||||
|
||||
- name: Add public keys for user '{{ user }}'
|
||||
ansible.posix.authorized_key:
|
||||
user: "{{ user }}"
|
||||
key: "{{ lookup('file', '../../access/keys/' + item + '.pub') }}"
|
||||
state: present # Note: we don't remove other/existing keys
|
||||
with_items: "{{ global_ssh_keys + (ssh_keys[user] | default([])) + (ssh_keys['*'] | default([])) }}"
|
||||
|
||||
ansible.builtin.include_role:
|
||||
name: user
|
||||
|
||||
- name: Create unit files dir
|
||||
ansible.builtin.file:
|
||||
|
23
ansible/roles/user/tasks/main.yml
Normal file
23
ansible/roles/user/tasks/main.yml
Normal file
@ -0,0 +1,23 @@
|
||||
---
|
||||
|
||||
- name: Check if required parameters are set
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- user is defined
|
||||
|
||||
- name: Create user
|
||||
ansible.builtin.user:
|
||||
name: "{{ user }}"
|
||||
home: "{{ users[user].home | default(omit) }}"
|
||||
uid: "{{ users[user].uid | default(omit) }}"
|
||||
state: present
|
||||
|
||||
- name: Add public keys for user '{{ user }}'
|
||||
ansible.posix.authorized_key:
|
||||
user: "{{ user }}"
|
||||
key: "{{ lookup('file', '../../access/keys/' + item + '.pub') }}"
|
||||
state: present # Note: we don't remove other/existing keys
|
||||
with_items: >-
|
||||
{{ global_ssh_keys +
|
||||
(ssh_keys[user] | default([])) +
|
||||
(ssh_keys['*'] | default([])) }}
|
Loading…
Reference in New Issue
Block a user