diff options
| author | Sam Thursfield <sam.thursfield@codethink.co.uk> | 2017-07-13 13:21:03 +0100 |
|---|---|---|
| committer | Sam Thursfield <sam.thursfield@codethink.co.uk> | 2017-07-13 16:57:36 +0100 |
| commit | 6cd4fe45c028d2fee4253c9a2006184249e824d7 (patch) | |
| tree | 9c55be997d52e4c4f156d7438c4cf3c66824109b | |
| parent | 3c981269ffd0796930572f38b2358b13c8243d6b (diff) | |
| download | infrastructure-6cd4fe45c028d2fee4253c9a2006184249e824d7.tar.gz | |
baserock_ostree: Enable write access
So far this is limited to the existing Baserock ops team, and a new
key that I will try to install into our GitLab CI configuration so
that build runners can push artifacts.
We don't to hand out access too widely because we currently don't do
any verification that the submitted artifacts actually corresponds to
the cache key that it's supposed to. This is fine as long as access
is limited to autobuilders that we control and trusted developers.
| -rw-r--r-- | README.mdwn | 1 | ||||
| -rw-r--r-- | baserock_ostree/instance-config.yml | 19 | ||||
| -rw-r--r-- | baserock_ostree/keys/baserock-gitlab-ci.key.pub | 1 | ||||
| -rw-r--r-- | baserock_ostree/keys/garyperkins.key.pub | 1 | ||||
| -rw-r--r-- | baserock_ostree/keys/pedroalvarez.key.pub | 1 | ||||
| -rw-r--r-- | baserock_ostree/keys/samthursfield.key.pub | 1 | ||||
| -rw-r--r-- | baserock_ostree/ostree-access-config.yml | 15 |
7 files changed, 37 insertions, 2 deletions
diff --git a/README.mdwn b/README.mdwn index aba8f036..5a85066d 100644 --- a/README.mdwn +++ b/README.mdwn @@ -748,6 +748,7 @@ To deploy this system to production: ansible-playbook -i hosts baserock_ostree/image-config.yml ansible-playbook -i hosts baserock_ostree/instance-config.yml + ansible-playbook -i hosts baserock_ostree/ostree-access-config.yml Creating new repos ------------------ diff --git a/baserock_ostree/instance-config.yml b/baserock_ostree/instance-config.yml index 6afe49f5..5286c61b 100644 --- a/baserock_ostree/instance-config.yml +++ b/baserock_ostree/instance-config.yml @@ -1,6 +1,8 @@ # Instance configuration for Baserock OStree cache server. # # Tested against Fedora 25 base image. +# +# See also: https://buildstream.gitlab.io/buildstream/artifacts.html --- - hosts: ostree gather_facts: false @@ -8,12 +10,15 @@ tasks: - include: ../tasks/create-data-volume.yml lv_name=ostree lv_size=290g mountpoint=/srv + - name: ostree user + user: name=ostree + - name: data directory - file: mode=0755 owner=lighttpd group=lighttpd path=/srv/ostree/ state=directory + file: mode=0755 owner=ostree group=ostree path=/srv/ostree/ state=directory - name: cache repository command: ostree init --repo=/srv/ostree/cache --mode=archive-z2 - sudo_user: lighttpd + sudo_user: ostree args: creates: /srv/ostree/cache/config @@ -24,3 +29,13 @@ - name: restart lighttpd server service: name=lighttpd enabled=yes state=restarted + + - name: sshd configuration for ostree user -- header + lineinfile: state="present" line="Match user ostree" path=/etc/ssh/sshd_config + - name: sshd configuration for ostree user -- force command + lineinfile: state="present" line=" ForceCommand bst-artifact-receive --verbose /srv/ostree/cache" insertafter="Match user ostree" path=/etc/ssh/sshd_config + - name: sshd configuration for ostree user -- disable password auth + lineinfile: state="present" line=" PasswordAuthentication no" insertafter="Match user ostree" path=/etc/ssh/sshd_config + + - name: restart sshd server + service: name=sshd enabled=yes state=restarted diff --git a/baserock_ostree/keys/baserock-gitlab-ci.key.pub b/baserock_ostree/keys/baserock-gitlab-ci.key.pub new file mode 100644 index 00000000..8b1da165 --- /dev/null +++ b/baserock_ostree/keys/baserock-gitlab-ci.key.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDbOQYG8xCjqv+1FptkXQLd6SwNam8zT/PsIQBa+Dgdu0z2Bbd96HUKqmWB/QJv5pp2HaDDIW6Q9bU5PCCu5gfmJhO0/fG7T6Wp0UMElMNxKQCE65gdrN7m3aMJkHwdj26JpRl0YsymgPggD+iQ8mGgNsEjTxuSyFRMYt82SB0fAhFvjIPEQOVqwoqnNj/TOnj3t8xwlSwhyuZXtt+v92KikS/kcNldsHulG6hde9AuK9o1+KfwFDbC6auLnJEO6mOC1FmQRsEROyG0I9gK5N/ngRc9RIRLWEQ9e3Dpgn8sjCGH8gXoskJvtg8MMcIEe1HA0II9IiFMtentHrxvhzasedveSf5IsKMveOcX0w8pB4jjFN+Fy/XP2zGskR9AYVGMMYf1aX5/z9haoK8+/gG5+At7SfP3QtPJdRG9CJxFYuQxbkgyyfzJCkfzf45XnZjdr3UR+yKP5t7zUlnlVEIDK5PvwDu0V5NxN0Irf0Q+SspG2lluBDgOw++xAaUTrGuS3rgAQ/Xlr2s3kesxF5bx1d7Xpv8XuGCiqzIK/2Wk5FGPXZ3iQjdb2FbKxvCO+9bDeEyzj4NG/rALRvj+4PbmSKpITf7VFJoUHd5VccGnugex0cusQXSIuUFwzvVrNAkHl5TcCRHWS+tbvqLPrLmI75fgw1MixfZTr7v8C6guQw== baserock-gitlab-ci diff --git a/baserock_ostree/keys/garyperkins.key.pub b/baserock_ostree/keys/garyperkins.key.pub new file mode 100644 index 00000000..978d3d70 --- /dev/null +++ b/baserock_ostree/keys/garyperkins.key.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQvRqmYpSVpff0MJq9aigjNQX22PdMkDiXpcV7EbDWdE3QLk7D818dljMKy2SvmgiEO7e/5jn8K7b9Dr88GF4dM/Oxc2k2yP9fzMoW+cE/drHBH+zDb9Zw1xa+t1AcMtl0XAEZft/hvpgx+Tp2XaEv6t7O9Ogxw1ahKtbkgDprhrnC9cVctu3VJhu8amY4BYZC9hRZUa02pCQl1i0klYq7E61zF8I25hS6HP0fbD/O+hAt5N3VqmkN+4QmCP8kkXSmyjKOurnXcGKPWonpOyB3cwVk3DO7krsw2qIIVoe/9PIK112oHNJxM01UUF+ZiPGEWawQfHRNG8Y03KQJanaf gary@garyp diff --git a/baserock_ostree/keys/pedroalvarez.key.pub b/baserock_ostree/keys/pedroalvarez.key.pub new file mode 100644 index 00000000..dfa0bfdb --- /dev/null +++ b/baserock_ostree/keys/pedroalvarez.key.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPuirtOH8D/6iNAb3DE079FcTmDlDgusVBJ2FC0O/FHSxwAgNwHhUbCxHAcO/N+HICSvDmjp16Ki0ti2ZxfworG88shPiMOGQfuJaRv1X15AV7NsO80Llsqy/x8X+WdA5iwpUyKM011vv/pS/DhSCHJFJ/vQFgox12HQSKZuzGIOupCiZfHES5t5oEPAcoQYCC0hO4ZevyeO0ZixrOGf/iyXHyb2BoQJAehixt28YOfdaW7Z29SssCGf7QvtADYg+vF5Tazln51vp1M+fo1oF0aa/VLN3gYuf+BI6x6sEc4N/ZQaCR5+oBP3/gIVlIwOOftzC9G+l6PBOS4368nZTv pedro.alvarez@codethink.co.uk diff --git a/baserock_ostree/keys/samthursfield.key.pub b/baserock_ostree/keys/samthursfield.key.pub new file mode 100644 index 00000000..d1146790 --- /dev/null +++ b/baserock_ostree/keys/samthursfield.key.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxgvojf+FclsNxUAcyEqwxle4KQEvtg+9GFz0NMtmIUJpN/O9ZXIMn5HwZGoitLa4VcwYk2CgXk6Iu5S9hwJrKk1WqHsJNoUXBfrNikb0UBAFChS6VyzoZANj6YPs8pb+zrtuok3xVgdEr8kufVvALQj1Wn5DtebkzfQzmeNW1Ym2HCyjD8Pc2sCcfV6o0Mj970cD7rGxaWA/mx/za6sdPkQI3m7bKClGh9k04HwzuIwHzA8s2OpccSd0xYOhoH7BrwyS9AEtzHJdlzSMDsmcehaz7WFE0oRAX+n/C5imtN0Zw7LRY/tJ8CcDGE9G2F8PATMu3LnFMNQYgwESZM3W8w== sam@candylion diff --git a/baserock_ostree/ostree-access-config.yml b/baserock_ostree/ostree-access-config.yml new file mode 100644 index 00000000..92560cb9 --- /dev/null +++ b/baserock_ostree/ostree-access-config.yml @@ -0,0 +1,15 @@ +# Access configuration for Baserock OStree cache server. +--- +- hosts: ostree + gather_facts: false + sudo: yes + tasks: + - name: access for Baserock GitLab CI key + authorized_key: + user: ostree + key: '{{ lookup("file", "{{item}}") }}' + with_items: + - keys/baserock-gitlab-ci.key.pub + - keys/garyperkins.key.pub + - keys/pedroalvarez.key.pub + - keys/samthursfield.key.pub |