-rw-r--r-- | README.mdwn | 1 | ||||
-rw-r--r-- | baserock_ostree/instance-config.yml | 19 | ||||
-rw-r--r-- | baserock_ostree/keys/baserock-gitlab-ci.key.pub | 1 | ||||
-rw-r--r-- | baserock_ostree/keys/garyperkins.key.pub | 1 | ||||
-rw-r--r-- | baserock_ostree/keys/pedroalvarez.key.pub | 1 | ||||
-rw-r--r-- | baserock_ostree/keys/samthursfield.key.pub | 1 | ||||
-rw-r--r-- | baserock_ostree/ostree-access-config.yml | 15 |
7 files changed, 37 insertions, 2 deletions
diff --git a/README.mdwn b/README.mdwn index aba8f036..5a85066d 100644 --- a/README.mdwn +++ b/README.mdwn @@ -748,6 +748,7 @@ To deploy this system to production: ansible-playbook -i hosts baserock_ostree/image-config.yml ansible-playbook -i hosts baserock_ostree/instance-config.yml + ansible-playbook -i hosts baserock_ostree/ostree-access-config.yml Creating new repos ------------------ diff --git a/baserock_ostree/instance-config.yml b/baserock_ostree/instance-config.yml index 6afe49f5..5286c61b 100644 --- a/baserock_ostree/instance-config.yml +++ b/baserock_ostree/instance-config.yml @@ -1,6 +1,8 @@ # Instance configuration for Baserock OStree cache server. # # Tested against Fedora 25 base image. +# +# See also: https://buildstream.gitlab.io/buildstream/artifacts.html --- - hosts: ostree gather_facts: false @@ -8,12 +10,15 @@ tasks: - include: ../tasks/create-data-volume.yml lv_name=ostree lv_size=290g mountpoint=/srv + - name: ostree user + user: name=ostree + - name: data directory - file: mode=0755 owner=lighttpd group=lighttpd path=/srv/ostree/ state=directory + file: mode=0755 owner=ostree group=ostree path=/srv/ostree/ state=directory - name: cache repository command: ostree init --repo=/srv/ostree/cache --mode=archive-z2 - sudo_user: lighttpd + sudo_user: ostree args: creates: /srv/ostree/cache/config 
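Review bot: In baserock_ostree/instance-config.yml the `data directory` task changes ownership of `/srv/ostree/` only, and the `cache repository` task is skipped wherever `/srv/ostree/cache/config` already exists, so on a server deployed before this change the repository contents would presumably stay owned by lighttpd and the new ostree user could not write to them. A one-off ownership task after the init step, for example `file: path=/srv/ostree/cache owner=ostree group=ostree recurse=yes state=directory`, would cover that case. The `user: name=ostree` task leaves the account with its default login shell; since the account exists only to run the forced command, a comment such as `# login is restricted by the Match block added to sshd_config below` would tell the next reader where the restriction lives. The task list starts before and continues after this hunk.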
@@ -24,3 +29,13 @@ - name: restart lighttpd server service: name=lighttpd enabled=yes state=restarted + + - name: sshd configuration for ostree user -- header + lineinfile: state="present" line="Match user ostree" path=/etc/ssh/sshd_config + - name: sshd configuration for ostree user -- force command + lineinfile: state="present" line=" ForceCommand bst-artifact-receive --verbose /srv/ostree/cache" insertafter="Match user ostree" path=/etc/ssh/sshd_config + - name: sshd configuration for ostree user -- disable password auth + lineinfile: state="present" line=" PasswordAuthentication no" insertafter="Match user ostree" path=/etc/ssh/sshd_config + + - name: restart sshd server + service: name=sshd enabled=yes state=restarted diff --git a/baserock_ostree/keys/baserock-gitlab-ci.key.pub b/baserock_ostree/keys/baserock-gitlab-ci.key.pub new file mode 100644 index 00000000..8b1da165 --- /dev/null +++ b/baserock_ostree/keys/baserock-gitlab-ci.key.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDbOQYG8xCjqv+1FptkXQLd6SwNam8zT/PsIQBa+Dgdu0z2Bbd96HUKqmWB/QJv5pp2HaDDIW6Q9bU5PCCu5gfmJhO0/fG7T6Wp0UMElMNxKQCE65gdrN7m3aMJkHwdj26JpRl0YsymgPggD+iQ8mGgNsEjTxuSyFRMYt82SB0fAhFvjIPEQOVqwoqnNj/TOnj3t8xwlSwhyuZXtt+v92KikS/kcNldsHulG6hde9AuK9o1+KfwFDbC6auLnJEO6mOC1FmQRsEROyG0I9gK5N/ngRc9RIRLWEQ9e3Dpgn8sjCGH8gXoskJvtg8MMcIEe1HA0II9IiFMtentHrxvhzasedveSf5IsKMveOcX0w8pB4jjFN+Fy/XP2zGskR9AYVGMMYf1aX5/z9haoK8+/gG5+At7SfP3QtPJdRG9CJxFYuQxbkgyyfzJCkfzf45XnZjdr3UR+yKP5t7zUlnlVEIDK5PvwDu0V5NxN0Irf0Q+SspG2lluBDgOw++xAaUTrGuS3rgAQ/Xlr2s3kesxF5bx1d7Xpv8XuGCiqzIK/2Wk5FGPXZ3iQjdb2FbKxvCO+9bDeEyzj4NG/rALRvj+4PbmSKpITf7VFJoUHd5VccGnugex0cusQXSIuUFwzvVrNAkHl5TcCRHWS+tbvqLPrLmI75fgw1MixfZTr7v8C6guQw== baserock-gitlab-ci diff --git a/baserock_ostree/keys/garyperkins.key.pub b/baserock_ostree/keys/garyperkins.key.pub new file mode 100644 index 00000000..978d3d70 --- /dev/null +++ b/baserock_ostree/keys/garyperkins.key.pub 
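Review bot: The three `lineinfile` tasks for `/etc/ssh/sshd_config` do not reliably build one `Match user ostree` block, because `lineinfile` skips a line that already exists anywhere in the file; if ` PasswordAuthentication no` is already present elsewhere it never lands under the Match header. `ForceCommand` on its own also leaves TCP, agent and X11 forwarding and TTY allocation at their defaults for every key holder. sshd is then restarted without the file being validated, so a malformed result can cut off SSH access to the host. Writing the block in a single `blockinfile` task with `validate` addresses all three; the forwarding and TTY lines assume bst-artifact-receive needs none of them.

```yaml
- name: sshd configuration for ostree user
  blockinfile:
    path: /etc/ssh/sshd_config
    marker: '# {mark} ostree artifact receiver'
    validate: '/usr/sbin/sshd -t -f %s'
    block: |
      Match user ostree
        ForceCommand bst-artifact-receive --verbose /srv/ostree/cache
        PasswordAuthentication no
        AllowTcpForwarding no
        AllowAgentForwarding no
        X11Forwarding no
        PermitTTY no
# … unchanged: restart sshd server …
```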
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQvRqmYpSVpff0MJq9aigjNQX22PdMkDiXpcV7EbDWdE3QLk7D818dljMKy2SvmgiEO7e/5jn8K7b9Dr88GF4dM/Oxc2k2yP9fzMoW+cE/drHBH+zDb9Zw1xa+t1AcMtl0XAEZft/hvpgx+Tp2XaEv6t7O9Ogxw1ahKtbkgDprhrnC9cVctu3VJhu8amY4BYZC9hRZUa02pCQl1i0klYq7E61zF8I25hS6HP0fbD/O+hAt5N3VqmkN+4QmCP8kkXSmyjKOurnXcGKPWonpOyB3cwVk3DO7krsw2qIIVoe/9PIK112oHNJxM01UUF+ZiPGEWawQfHRNG8Y03KQJanaf gary@garyp
diff --git a/baserock_ostree/keys/pedroalvarez.key.pub b/baserock_ostree/keys/pedroalvarez.key.pub
new file mode 100644
index 00000000..dfa0bfdb
--- /dev/null
+++ b/baserock_ostree/keys/pedroalvarez.key.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPuirtOH8D/6iNAb3DE079FcTmDlDgusVBJ2FC0O/FHSxwAgNwHhUbCxHAcO/N+HICSvDmjp16Ki0ti2ZxfworG88shPiMOGQfuJaRv1X15AV7NsO80Llsqy/x8X+WdA5iwpUyKM011vv/pS/DhSCHJFJ/vQFgox12HQSKZuzGIOupCiZfHES5t5oEPAcoQYCC0hO4ZevyeO0ZixrOGf/iyXHyb2BoQJAehixt28YOfdaW7Z29SssCGf7QvtADYg+vF5Tazln51vp1M+fo1oF0aa/VLN3gYuf+BI6x6sEc4N/ZQaCR5+oBP3/gIVlIwOOftzC9G+l6PBOS4368nZTv pedro.alvarez@codethink.co.uk
diff --git a/baserock_ostree/keys/samthursfield.key.pub b/baserock_ostree/keys/samthursfield.key.pub
new file mode 100644
index 00000000..d1146790
--- /dev/null
+++ b/baserock_ostree/keys/samthursfield.key.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxgvojf+FclsNxUAcyEqwxle4KQEvtg+9GFz0NMtmIUJpN/O9ZXIMn5HwZGoitLa4VcwYk2CgXk6Iu5S9hwJrKk1WqHsJNoUXBfrNikb0UBAFChS6VyzoZANj6YPs8pb+zrtuok3xVgdEr8kufVvALQj1Wn5DtebkzfQzmeNW1Ym2HCyjD8Pc2sCcfV6o0Mj970cD7rGxaWA/mx/za6sdPkQI3m7bKClGh9k04HwzuIwHzA8s2OpccSd0xYOhoH7BrwyS9AEtzHJdlzSMDsmcehaz7WFE0oRAX+n/C5imtN0Zw7LRY/tJ8CcDGE9G2F8PATMu3LnFMNQYgwESZM3W8w== sam@candylion
diff --git a/baserock_ostree/ostree-access-config.yml b/baserock_ostree/ostree-access-config.yml
new file mode 100644
index 00000000..92560cb9
--- /dev/null
+++ b/baserock_ostree/ostree-access-config.yml
@@ -0,0 +1,15 @@
+# Access configuration for Baserock OStree cache server.
+---
+- hosts: ostree
+ gather_facts: false
+ sudo: yes
+ tasks:
+ - name: access for Baserock GitLab CI key
+ authorized_key:
+ user: ostree
+ key: '{{ lookup("file", "{{item}}") }}'
+ with_items:
+ - keys/baserock-gitlab-ci.key.pub
+ - keys/garyperkins.key.pub
+ - keys/pedroalvarez.key.pub
+ - keys/samthursfield.key.pub |
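Review bot: Removing an entry from `with_items` later will not revoke that key, because `authorized_key` only adds keys unless `state: absent` or `exclusive` is used, and all four keys (one CI key and three personal ones, despite the task name) get the same unrestricted entry for the ostree user. I would add `key_options: 'no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty'` so each key is limited independently of sshd_config, and document the revocation step with a comment such as `# to revoke a key, add a task with state: absent; deleting it from this list is not enough`. The nested moustaches in `'{{ lookup("file", "{{item}}") }}'` are better written `'{{ lookup("file", item) }}'`, and the task name could read `access for artifact cache push keys`.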