From 6cd4fe45c028d2fee4253c9a2006184249e824d7 Mon Sep 17 00:00:00 2001 From: Sam Thursfield Date: Thu, 13 Jul 2017 13:21:03 +0100 Subject: baserock_ostree: Enable write access So far this is limited to the existing Baserock ops team, and a new key that I will try to install into our GitLab CI configuration so that build runners can push artifacts. We don't to hand out access too widely because we currently don't do any verification that the submitted artifacts actually corresponds to the cache key that it's supposed to. This is fine as long as access is limited to autobuilders that we control and trusted developers.
---
baserock_ostree/ostree-access-config.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 baserock_ostree/ostree-access-config.yml (limited to 'baserock_ostree/ostree-access-config.yml')
diff --git a/baserock_ostree/ostree-access-config.yml b/baserock_ostree/ostree-access-config.yml
new file mode 100644
index 00000000..92560cb9
--- /dev/null
+++ b/baserock_ostree/ostree-access-config.yml
@@ -0,0 +1,15 @@
+# Access configuration for Baserock OStree cache server.
+---
+- hosts: ostree
+ gather_facts: false
+ sudo: yes
+ tasks:
+ - name: access for Baserock GitLab CI key
+ authorized_key:
+ user: ostree
+ key: '{{ lookup("file", "{{item}}") }}'
+ with_items:
+ - keys/baserock-gitlab-ci.key.pub
+ - keys/garyperkins.key.pub
+ - keys/pedroalvarez.key.pub
+ - keys/samthursfield.key.pub
-- cgit v1.2.1
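Review bot: The `authorized_key` task installs all four keys with no `key_options`, so the GitLab CI runner key gets the same unrestricted SSH login as `ostree` that the three personal keys get. Since the commit message says pushed artifacts are not checked against their cache key, the CI key is worth constraining, for example with `key_options: 'no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty'`, or with a forced `command=` if the push tooling permits one (the hunk does not show what the runners execute). Deleting an entry from `with_items` later will not revoke that key on the server, because the module only adds keys under its default `state: present`; revocation needs an explicit task with `state: absent`. The nested moustaches in `key:` are fragile, and `key: "{{ lookup('file', item) }}"` passes the loop variable without templating inside a template. The task name mentions only the GitLab CI key although the loop also installs three developer keys, so something like `name: authorized keys for ostree push access` would describe it better.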