baserock_ostree: Add 'releases' repo

This is different from the existing 'cache' repo in that we should
be careful what we push to it, and we should never delete things
from it once they have been made public.

Pushing to the releases repo should be done with ostree-push/receive
rather than BuildStream. I've set up the receive hook on the server.
The upstream repo of ostree-push/receive seems abandoned so I have
been using a fork: https://github.com/ssssam/ostree-push

See also:

  https://listmaster.pepperfish.net/pipermail/baserock-dev-baserock.org/2017-September/013811.html
  https://gitlab.com/baserock/definitions/merge_requests/58

1 files changed, 11 insertions, 1 deletions

diff --git a/baserock_ostree/ostree-access-config.yml b/baserock_ostree/ostree-access-config.yml
index ff8c7def..f23cc5f9 100644
--- a/baserock_ostree/ostree-access-config.yml
+++ b/baserock_ostree/ostree-access-config.yml
@@ -4,7 +4,7 @@
   gather_facts: false
   sudo: yes
   tasks:
-  - name: access for Baserock GitLab CI key
+  - name: authorized SSH keys for ostree (cache) user
     authorized_key:
       user: ostree
       key: '{{ lookup("file", "{{item}}") }}'
@@ -14,3 +14,13 @@
     - keys/jonathanmaw.key.pub
     - keys/pedroalvarez.key.pub
     - keys/samthursfield.key.pub
+
+  - name: authorized SSH keys for ostree-releases user
+    authorized_key:
+      user: ostree-releases
+      key: '{{ lookup("file", "{{item}}") }}'
+    with_items:
+    - keys/baserock-gitlab-ci.key.pub
+    - keys/garyperkins.key.pub
+    - keys/pedroalvarez.key.pub
+    - keys/samthursfield.key.pub