diff --git a/service-provider-setup/README.md b/service-provider-setup/README.md index bd6be04..c3050a5 100644 --- a/service-provider-setup/README.md +++ b/service-provider-setup/README.md @@ -62,6 +62,7 @@ To get started, follow the [installation](../README.md#installation) guide to se - Execute the `setup-user.yml` Ansible playbook to create a user with passwordless sudo permissions: ```bash + cd ../ ansible-playbook setup-user.yml -i hosts.ini --extra-vars='{ "target_host": "deployment_host" }' ``` @@ -102,6 +103,7 @@ To get started, follow the [installation](../README.md#installation) guide to se ```bash cd vars cp dns-vars.example.yml dns-vars.yml + cp gpg-vars.example.yml gpg-vars.yml cp k8s-vars.example.yml k8s-vars.yml cp container-vars.example.yml container-vars.yml cp webapp-vars.example.yml webapp-vars.yml @@ -116,10 +118,13 @@ To get started, follow the [installation](../README.md#installation) guide to se cluster_control_ip: "" # eg: 23.111.78.179 do_api_token: "" # eg: dop_v1... + # vars/gpg-vars.yml + gpg_user_name: "" # Full name of the user for the GPG key + gpg_user_email: "" # Email address associated with the GPG key + gpg_passphrase: "" # Passphrase for securing the GPG key + # vars/k8s-vars.yml target_host: "deployment_host" - gpg_key_id: "" # The sequence obtained in the previous step, eg: 0AFB10B643944C22 - vault_passphrase: "" # passphrase for GPG key org_id: "" # eg: lcn location_id: "" # eg: cad base_domain: "" # eg: laconic diff --git a/service-provider-setup/deploy-backend.yml b/service-provider-setup/deploy-backend.yml index 679328a..dae513d 100644 --- a/service-provider-setup/deploy-backend.yml +++ b/service-provider-setup/deploy-backend.yml @@ -10,6 +10,10 @@ - vars/container-vars.yml - vars/k8s-vars.yml - vars/dns-vars.yml + - vars/user-vars.yml + + become: yes + become_user: "{{username}}" tasks: - name: Ensure gpg-keys directory exists @@ -63,7 +67,7 @@ -v /home/{{ ansible_user }}/config:/home/root/config \ cerc/webapp-deployer-backend:local laconic-so publish-deployer-to-registry \ --laconic-config /home/root/config/laconic.yml \ - --api-url https://webapp-deployer-api.{{ full_domain }} \ + --api-url https://webapp-deployer-api.pwa.{{ full_domain }} \ --public-key-file /home/root/config/webapp-deployer-api.{{ full_domain }}.pgp.pub \ --lrn lrn://{{ authority_name }}/deployers/webapp-deployer-api.{{ full_domain }} \ --min-required-payment 100 diff --git a/service-provider-setup/deploy-frontend.yml b/service-provider-setup/deploy-frontend.yml index 59a8318..e45fbf4 100644 --- a/service-provider-setup/deploy-frontend.yml +++ b/service-provider-setup/deploy-frontend.yml @@ -8,6 +8,10 @@ - vars/webapp-vars.yml - vars/dns-vars.yml - vars/k8s-vars.yml + - vars/user-vars.yml + + become: yes + become_user: "{{username}}" tasks: - name: Clone webapp-deployment-status-ui repository diff --git a/service-provider-setup/run-laconic-console.yml b/service-provider-setup/run-laconic-console.yml index 43655e7..d28e617 100644 --- a/service-provider-setup/run-laconic-console.yml +++ b/service-provider-setup/run-laconic-console.yml @@ -8,6 +8,10 @@ - vars/webapp-vars.yml - vars/dns-vars.yml - vars/k8s-vars.yml + - vars/user-vars.yml + + become: yes + become_user: "{{username}}" tasks: - name: Clone the stack repo diff --git a/service-provider-setup/run-laconicd.yml b/service-provider-setup/run-laconicd.yml index a148ca9..71ddf42 100644 --- a/service-provider-setup/run-laconicd.yml +++ b/service-provider-setup/run-laconicd.yml @@ -4,6 +4,12 @@ environment: PATH: "{{ ansible_env.PATH }}:/home/{{ansible_user}}/bin" + vars_files: + - vars/user-vars.yml + + become: yes + become_user: "{{username}}" + tasks: - name: Clone the fixturenet-laconicd-stack repo command: laconic-so fetch-stack git.vdb.to/cerc-io/fixturenet-laconicd-stack --pull diff --git a/service-provider-setup/service-provider-setup.yml b/service-provider-setup/service-provider-setup.yml index a50564d..5af93ab 100644 --- a/service-provider-setup/service-provider-setup.yml +++ b/service-provider-setup/service-provider-setup.yml @@ -1,4 +1,6 @@ +- import_playbook: setup-user.yml - import_playbook: setup-dns.yml +- import_playbook: setup-system.yml - import_playbook: setup-k8s.yml - import_playbook: setup-container-registry.yml - import_playbook: run-laconicd.yml diff --git a/service-provider-setup/setup-container-registry.yml b/service-provider-setup/setup-container-registry.yml index 7b227e3..3786e91 100644 --- a/service-provider-setup/setup-container-registry.yml +++ b/service-provider-setup/setup-container-registry.yml @@ -8,7 +8,11 @@ - vars/k8s-vars.yml - vars/container-vars.yml - vars/dns-vars.yml + - vars/user-vars.yml + become: yes + become_user: "{{username}}" + tasks: - name: Generate spec file for the container-registry stack template: diff --git a/service-provider-setup/setup-k8s.yml b/service-provider-setup/setup-k8s.yml index ba15ed6..56a60ce 100644 --- a/service-provider-setup/setup-k8s.yml +++ b/service-provider-setup/setup-k8s.yml @@ -9,8 +9,13 @@ VAULT_KEY: "{{ vault_passphrase }}" vars_files: - - vars/k8s-vars.yml - vars/dns-vars.yml + - vars/gpg-vars.yml + - vars/k8s-vars.yml + - vars/user-vars.yml + + become: yes + become_user: "{{username}}" tasks: - name: Install Python and pip diff --git a/service-provider-setup/setup-system.yml b/service-provider-setup/setup-system.yml new file mode 100644 index 0000000..b45a8e7 --- /dev/null +++ b/service-provider-setup/setup-system.yml @@ -0,0 +1,138 @@ +- name: Setup system for the service provider setup + hosts: "{{ target_host }}" + + environment: + GNUPGHOME: /home/{{ ansible_user }}/.gnupg + + vars_files: + - vars/k8s-vars.yml + - vars/dns-vars.yml + - vars/gpg-vars.yml + - vars/user-vars.yml + + become: yes + become_user: "{{username}}" + + tasks: + - name: Install required packages + apt: + name: + - doas + - zsh + - tmux + - git + - jq + - acl + - curl + - wget + - netcat-traditional + - fping + - rsync + - htop + - iotop + - iftop + - tar + - less + - firewalld + - sshguard + - wireguard + - iproute2 + - iperf3 + - zfsutils-linux + - net-tools + - ca-certificates + - gnupg + - sshpass + - apache2-utils + state: latest + update_cache: true + become: yes + + - name: Set unique hostname + hostname: + name: "{{ inventory_hostname }}" + when: ansible_hostname != inventory_hostname + + - name: Verify status of firewalld and enable sshguard + systemd: + name: "{{ item }}" + enabled: yes + state: started + loop: + - firewalld + - sshguard + ignore_errors: yes + + - name: Disable and remove snapd + block: + - name: Disable snapd services + systemd: + name: "{{ item }}" + enabled: no + state: stopped + loop: + - snapd.service + - snapd.socket + - snapd.seeded + - snapd.snap-repair.timer + ignore_errors: yes + + - name: Purge snapd + apt: + name: snapd + state: absent + + - name: Remove snap directories + file: + path: "{{ item }}" + state: absent + loop: + - "{{ ansible_env.HOME }}/snap" + - /snap + - /var/snap + - /var/lib/snapd + become: yes + ignore_errors: yes + + - name: Ensure GPG directory exists + file: + path: "{{ ansible_env.HOME }}/.gnupg" + state: directory + mode: '0700' + + - name: Create GPG key parameters file + copy: + dest: /tmp/gpg_key_params.txt + content: | + Key-Type: RSA + Key-Length: 4096 + Subkey-Type: RSA + Name-Real: {{ gpg_user_name }} + Name-Email: {{ gpg_user_email }} + Expire-Date: 0 + Passphrase: {{ gpg_passphrase }} + %no-protection + %commit + mode: '0600' + + - name: Generate GPG key using the parameter file + command: gpg --batch --gen-key /tmp/gpg_key_params.txt + become_user: "{{ ansible_user }}" + register: gpg_keygen_output + ignore_errors: yes + + - name: Show GPG key generation output + debug: + var: gpg_keygen_output.stdout + + - name: Fetch the Key ID of the most recently created GPG key + shell: gpg --list-secret-keys --keyid-format=long | grep 'sec' | tail -n 1 | awk -F'/' '{print $2}' | awk '{print $1}' + register: gpg_key_output + + - name: Set the GPG key ID to a variable + set_fact: + sec_key_id: "{{ gpg_key_output.stdout }}" + + - name: Show GPG Key ID + debug: + msg: "GPG Key ID: {{ sec_key_id }}" diff --git a/service-provider-setup/setup-user.yml b/service-provider-setup/setup-user.yml index 7597c0c..52533ea 100644 --- a/service-provider-setup/setup-user.yml +++ b/service-provider-setup/setup-user.yml @@ -6,82 +6,6 @@ - vars/user-vars.yml tasks: - - name: Set unique hostname - hostname: - name: "{{ inventory_hostname }}" - when: ansible_hostname != inventory_hostname - - # TODO: Move installation to k8s playbook - - name: Install additional packages - apt: - name: - - doas - - zsh - - tmux - - git - - jq - - acl - - curl - - wget - - netcat-traditional - - fping - - rsync - - htop - - iotop - - iftop - - tar - - less - - firewalld - - sshguard - - wireguard - - iproute2 - - iperf3 - - zfsutils-linux - - net-tools - - ca-certificates - - gnupg - - sshpass - state: latest - update_cache: true - - - name: Verify status of firewalld and enable sshguard - systemd: - name: "{{ item }}" - enabled: yes - state: started - loop: - - firewalld - - sshguard - - - name: Disable and remove snapd - block: - - name: Disable snapd services - systemd: - name: "{{ item }}" - enabled: no - state: stopped - loop: - - snapd.service - - snapd.socket - - snapd.seeded - - snapd.snap-repair.timer - - - name: Purge snapd - apt: - name: snapd - state: absent - - - name: Remove snap directories - file: - path: "{{ item }}" - state: absent - loop: - - "{{ ansible_env.HOME }}/snap" - - /snap - - /var/snap - - /var/lib/snapd - become: yes - - name: Create a user user: name: "{{ username }}" @@ -97,7 +21,7 @@ - name: Ensure .ssh directory exists for user file: - path: /home/"{{ username }}"/.ssh + path: /home/{{ username }}/.ssh state: directory owner: "{{ username }}" group: "{{ username }}"