diff --git a/service-provider-setup/README.md b/service-provider-setup/README.md
index a3b8145..77fd87a 100644
--- a/service-provider-setup/README.md
+++ b/service-provider-setup/README.md
@@ -39,7 +39,27 @@ To get started, follow the [installation](../README.md#installation) guide to se
 # }
 ```
-- Execute the `setup-user.yml` Ansible playbook to create a user `dev` with sudo permissions:
+- Setup `user-vars.yml` using the example file
+
+ ```bash
+ cd vars
+ cp user-vars.example.yml user-vars.yml
+ ```
+
+- Edit the following vars:
+
+ ```bash
+ # name of the user you want to setup on the target host
+ username: ""
+
+ # password of the user you want to setup on the target host
+ password: ""
+
+ # path to the ssh key on your machine
+ path_to_ssh_key: "
+ ```
+
+- Execute the `setup-user.yml` Ansible playbook to create a user with passwordless sudo permissions:
 ```bash
 ansible-playbook setup-user.yml -i hosts.ini --extra-vars='{ "target_host": "deployment_host" }'
diff --git a/service-provider-setup/setup-k8s.yml b/service-provider-setup/setup-k8s.yml
index bfec933..ca799f8 100644
--- a/service-provider-setup/setup-k8s.yml
+++ b/service-provider-setup/setup-k8s.yml
@@ -59,12 +59,16 @@
 ignore_errors: yes
 - name: Sign a dummy string using gpg-key
- shell: echo "This is a dummy string." | gpg --batch --yes --passphrase "{{ vault_passphrase }}" --pinentry-mode loopback --sign -
+ shell: echo "This is a dummy string." | gpg --batch --yes --local-user "{{ gpg_key_id }}" --passphrase "{{ vault_passphrase }}" --pinentry-mode loopback --sign -
 - name: Run vault-rekey.sh
 shell: bash .vault/vault-rekey.sh
 args:
 chdir: "service-provider-template"
+ register: rekey_result
+ until: rekey_result.stderr == ""
+ retries: 5
+ delay: 5
 - name: Ensure the target directory exists
 file:
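Review bot: `until: rekey_result.stderr == ""` keys the retry on the script's stderr instead of its exit status, so a successful `vault-rekey.sh` run that prints any warning is re-executed (re-keying again) up to five times, while a non-zero exit with an empty stderr is reported as failed with no retry; `until: rekey_result.rc == 0` matches the intent. The rewritten gpg line still passes `{{ vault_passphrase }}` as a command-line argument, where it shows up in the host's process list and in Ansible's task output and logs, and the task carries no `no_log: true`; add that, and render the value as `{{ vault_passphrase | quote }}` (likewise `gpg_key_id`, dropping the surrounding double quotes) so a value containing shell metacharacters cannot alter the command. Keeping the passphrase off argv entirely (`--passphrase-fd` on a dedicated descriptor, or `--passphrase-file` on a mode-0600 temporary file) would be the fuller fix. The `ignore_errors: yes` at the top of the hunk is pre-existing but uses the YAML 1.1 truthy spelling; `true` is the portable form.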
@@ -163,13 +167,10 @@
 command: ansible-playbook -i hosts site.yml --tags=firewalld,nginx
 args:
 chdir: "{{ ansible_env.HOME }}/service-provider-template"
-
- - name: Install Stack Orchestrator
- command: ansible-playbook -i hosts site.yml --tags=so --limit=so --user so
- args:
- chdir: "{{ ansible_env.HOME }}/service-provider-template"
+ environment:
+ ANSIBLE_HOST_KEY_CHECKING: "False"
 - name: Deploy Kubernetes
- command: ansible-playbook -i hosts site.yml --tags=k8s --limit={{ org_id }}_{{ location_id }} --user so
+ command: ansible-playbook -i hosts site.yml --tags=k8s --limit={{ org_id }}_{{ location_id }} --user {{ ansible_user }}
 args:
 chdir: "{{ ansible_env.HOME }}/service-provider-template"
diff --git a/service-provider-setup/setup-user.yml b/service-provider-setup/setup-user.yml
index ebd3aa4..7597c0c 100644
--- a/service-provider-setup/setup-user.yml
+++ b/service-provider-setup/setup-user.yml
@@ -2,12 +2,16 @@
 hosts: "{{ target_host }}"
 become: yes
+ vars_files:
+ - vars/user-vars.yml
+
 tasks:
 - name: Set unique hostname
 hostname:
 name: "{{ inventory_hostname }}"
 when: ansible_hostname != inventory_hostname
+ # TODO: Move installation to k8s playbook
 - name: Install additional packages
 apt:
 name:
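Review bot: `ANSIBLE_HOST_KEY_CHECKING: "False"` switches off SSH host-key verification for the nested `ansible-playbook` run, so that connection accepts any server key and a substituted or spoofed host goes undetected; pre-seeding known_hosts on the machine that runs the inner play (the `known_hosts` module in a task before this one) keeps the check on without the interactive prompt. If the override is a deliberate trade-off for a first connection to a fresh host, say so in a comment above `environment:`, and note that the `Deploy Kubernetes` task two lines below runs without it, so the two nested runs now behave differently against the same inventory. `--user {{ ansible_user }}` also makes this task fail with an undefined-variable error whenever the inventory does not set `ansible_user`, which deserves a one-line note next to the task.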
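Review bot: `vars/user-vars.yml`, loaded here through `vars_files`, holds the target account's password and the local key path according to the README change in this same commit, and nothing in the play shows that the file is vault-encrypted or kept out of version control. Encrypt it (`ansible-vault encrypt vars/user-vars.yml`), or move `password` into an encrypted vault file referenced from this `vars_files` list, and make sure the copied `user-vars.yml` is gitignored — the example-file workflow suggests that intent, but it is not visible in this diff. The play's `become: yes` just above the new lines is pre-existing YAML 1.1 truthy spelling and reads more portably as `true`.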
@@ -78,26 +82,39 @@
 - /var/lib/snapd
 become: yes
- # TODO: Make username and password configurable
- - name: Create a user `dev`
+ - name: Create a user
 user:
- name: dev
- password: "{{ 'so-service-provider' | password_hash('sha512') }}"
- shell: /bin/zsh
+ name: "{{ username }}"
+ password: "{{ '{{ password }}' | password_hash('sha512') }}"
+ shell: /bin/bash
 state: present
- - name: Add dev user to sudoers group
+ - name: Add user to sudoers group
 user:
- name: dev
+ name: "{{ username }}"
 groups: sudo
 append: yes
- - name: Ensure .ssh directory exists for 'dev' user
+ - name: Ensure .ssh directory exists for user
 file:
- path: /home/dev/.ssh
+ path: /home/"{{ username }}"/.ssh
 state: directory
- owner: dev
- group: dev
+ owner: "{{ username }}"
+ group: "{{ username }}"
 mode: '0700'
- # TODO: Add tasks to setup passwordless sudo for the user
\ No newline at end of file
+ - name: Copy SSH public key to authorized_keys
+ copy:
+ src: "{{ path_to_ssh_key }}"
+ dest: /home/{{ username }}/.ssh/authorized_keys
+ owner: "{{ username }}"
+ group: "{{ username }}"
+ mode: '0600'
+
+ - name: Add user to sudoers for passwordless sudo
+ lineinfile:
+ path: /etc/sudoers
+ state: present
+ regexp: '^{{ username }} ALL=\(ALL\) NOPASSWD:ALL'
+ line: '{{ username }} ALL=(ALL) NOPASSWD:ALL'
+ validate: 'visudo -cf %s'
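Review bot: `password: "{{ '{{ password }}' | password_hash('sha512') }}"` hashes the literal text `{{ password }}` — Jinja does not expand markers inside a quoted string constant — so the created account never receives the password from `user-vars.yml`; the line should read `password: "{{ password | password_hash('sha512') }}"`. In the `file` task, `path: /home/"{{ username }}"/.ssh` is a plain scalar, so the double quotes become part of the directory name and the following `copy` to `/home/{{ username }}/.ssh/authorized_keys` has no parent directory to land in; write `path: "/home/{{ username }}/.ssh"` instead. `password_hash` without a fixed salt also produces a new hash on every run, so the `user` task reports changed each play unless `update_password: on_create` is added. For the sudoers entry, a drop-in under `/etc/sudoers.d/` (mode `'0440'`, same `validate`) is safer than editing `/etc/sudoers` in place, and the `authorized_key` module would replace the `file`/`copy` pair while refusing an accidentally supplied private key, which the task name ("public key") and `path_to_ssh_key` do not guard against today.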