1 files changed, 17 insertions, 2 deletions

diff --git a/baserock_ostree/instance-config.yml b/baserock_ostree/instance-config.yml
index 6afe49f5..5286c61b 100644
--- a/baserock_ostree/instance-config.yml
+++ b/baserock_ostree/instance-config.yml
@@ -1,6 +1,8 @@
 # Instance configuration for Baserock OStree cache server.
 #
 # Tested against Fedora 25 base image.
+#
+# See also: https://buildstream.gitlab.io/buildstream/artifacts.html
 ---
 - hosts: ostree
   gather_facts: false
@@ -8,12 +10,15 @@
   tasks:
   - include: ../tasks/create-data-volume.yml lv_name=ostree lv_size=290g mountpoint=/srv
 
+  - name: ostree user
+    user: name=ostree
+
   - name: data directory
-    file: mode=0755 owner=lighttpd group=lighttpd path=/srv/ostree/ state=directory
+    file: mode=0755 owner=ostree group=ostree path=/srv/ostree/ state=directory
 
   - name: cache repository
     command: ostree init --repo=/srv/ostree/cache --mode=archive-z2
-    sudo_user: lighttpd
+    sudo_user: ostree
     args:
       creates: /srv/ostree/cache/config
 
@@ -24,3 +29,13 @@
 
   - name: restart lighttpd server
     service: name=lighttpd enabled=yes state=restarted
+
+  - name: sshd configuration for ostree user -- header
+    lineinfile: state="present" line="Match user ostree" path=/etc/ssh/sshd_config
+  - name: sshd configuration for ostree user -- force command
+    lineinfile: state="present" line="    ForceCommand bst-artifact-receive --verbose /srv/ostree/cache" insertafter="Match user ostree" path=/etc/ssh/sshd_config
+  - name: sshd configuration for ostree user -- disable password auth
+    lineinfile: state="present" line="    PasswordAuthentication no" insertafter="Match user ostree" path=/etc/ssh/sshd_config
+
+  - name: restart sshd server
+    service: name=sshd enabled=yes state=restarted