Add playbook to setup gpg key
This commit is contained in:
parent
ee1ad839c4
commit
3c22e3e569
@ -62,6 +62,7 @@ To get started, follow the [installation](../README.md#installation) guide to se
|
|||||||
- Execute the `setup-user.yml` Ansible playbook to create a user with passwordless sudo permissions:
|
- Execute the `setup-user.yml` Ansible playbook to create a user with passwordless sudo permissions:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
|
cd ../
|
||||||
ansible-playbook setup-user.yml -i hosts.ini --extra-vars='{ "target_host": "deployment_host" }'
|
ansible-playbook setup-user.yml -i hosts.ini --extra-vars='{ "target_host": "deployment_host" }'
|
||||||
```
|
```
|
||||||
|
|
||||||
@ -102,6 +103,7 @@ To get started, follow the [installation](../README.md#installation) guide to se
|
|||||||
```bash
|
```bash
|
||||||
cd vars
|
cd vars
|
||||||
cp dns-vars.example.yml dns-vars.yml
|
cp dns-vars.example.yml dns-vars.yml
|
||||||
|
cp gpg-vars.example.yml gpg-vars.yml
|
||||||
cp k8s-vars.example.yml k8s-vars.yml
|
cp k8s-vars.example.yml k8s-vars.yml
|
||||||
cp container-vars.example.yml container-vars.yml
|
cp container-vars.example.yml container-vars.yml
|
||||||
cp webapp-vars.example.yml webapp-vars.yml
|
cp webapp-vars.example.yml webapp-vars.yml
|
||||||
@ -116,10 +118,13 @@ To get started, follow the [installation](../README.md#installation) guide to se
|
|||||||
cluster_control_ip: "" # eg: 23.111.78.179
|
cluster_control_ip: "" # eg: 23.111.78.179
|
||||||
do_api_token: "" # eg: dop_v1...
|
do_api_token: "" # eg: dop_v1...
|
||||||
|
|
||||||
|
# vars/gpg-vars.yml
|
||||||
|
gpg_user_name: "" # Full name of the user for the GPG key
|
||||||
|
gpg_user_email: "" # Email address associated with the GPG key
|
||||||
|
gpg_passphrase: "" # Passphrase for securing the GPG key
|
||||||
|
|
||||||
# vars/k8s-vars.yml
|
# vars/k8s-vars.yml
|
||||||
target_host: "deployment_host"
|
target_host: "deployment_host"
|
||||||
gpg_key_id: "" # The sequence obtained in the previous step, eg: 0AFB10B643944C22
|
|
||||||
vault_passphrase: "" # passphrase for GPG key
|
|
||||||
org_id: "" # eg: lcn
|
org_id: "" # eg: lcn
|
||||||
location_id: "" # eg: cad
|
location_id: "" # eg: cad
|
||||||
base_domain: "" # eg: laconic
|
base_domain: "" # eg: laconic
|
||||||
|
@ -10,6 +10,10 @@
|
|||||||
- vars/container-vars.yml
|
- vars/container-vars.yml
|
||||||
- vars/k8s-vars.yml
|
- vars/k8s-vars.yml
|
||||||
- vars/dns-vars.yml
|
- vars/dns-vars.yml
|
||||||
|
- vars/user-vars.yml
|
||||||
|
|
||||||
|
become: yes
|
||||||
|
become_user: "{{username}}"
|
||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
- name: Ensure gpg-keys directory exists
|
- name: Ensure gpg-keys directory exists
|
||||||
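Review bot: With `become: yes` and `become_user: "{{username}}"` now set at play level, every task in this play runs as that account, so any task that needs root (package installs, service management) must carry its own `become_user: root` or it will fail unless `username` resolves to root; the task bodies are outside the hunk, so I cannot confirm which ones are affected. The same play-level pair is added in the hunks at @ -8,6 +8,10 (three files), @ -4,6 +4,12, @ -9,8 +9,13 and in the new setup-system.yml, so the same check applies there. As a point of style, `become: true` avoids the YAML 1.1 truthy spelling and `"{{ username }}"` matches the `{{ ansible_user }}` spacing used elsewhere in this commit.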
@ -63,7 +67,7 @@
|
|||||||
-v /home/{{ ansible_user }}/config:/home/root/config \
|
-v /home/{{ ansible_user }}/config:/home/root/config \
|
||||||
cerc/webapp-deployer-backend:local laconic-so publish-deployer-to-registry \
|
cerc/webapp-deployer-backend:local laconic-so publish-deployer-to-registry \
|
||||||
--laconic-config /home/root/config/laconic.yml \
|
--laconic-config /home/root/config/laconic.yml \
|
||||||
--api-url https://webapp-deployer-api.{{ full_domain }} \
|
--api-url https://webapp-deployer-api.pwa.{{ full_domain }} \
|
||||||
--public-key-file /home/root/config/webapp-deployer-api.{{ full_domain }}.pgp.pub \
|
--public-key-file /home/root/config/webapp-deployer-api.{{ full_domain }}.pgp.pub \
|
||||||
--lrn lrn://{{ authority_name }}/deployers/webapp-deployer-api.{{ full_domain }} \
|
--lrn lrn://{{ authority_name }}/deployers/webapp-deployer-api.{{ full_domain }} \
|
||||||
--min-required-payment 100
|
--min-required-payment 100
|
||||||
|
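Review bot: The `--api-url` now points at `webapp-deployer-api.pwa.{{ full_domain }}` while the `--public-key-file` path and the `--lrn` on the next two lines keep `webapp-deployer-api.{{ full_domain }}`; if the deployer record and its key file are meant to be named after the API hostname, those two should change in step, and if the split is intentional a short comment such as `# API is served from the pwa subdomain; record and key keep the bare name` would save the next reader the guess. I cannot tell from the hunk alone which is the case. The task that runs this command starts outside the hunk.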
@ -8,6 +8,10 @@
|
|||||||
- vars/webapp-vars.yml
|
- vars/webapp-vars.yml
|
||||||
- vars/dns-vars.yml
|
- vars/dns-vars.yml
|
||||||
- vars/k8s-vars.yml
|
- vars/k8s-vars.yml
|
||||||
|
- vars/user-vars.yml
|
||||||
|
|
||||||
|
become: yes
|
||||||
|
become_user: "{{username}}"
|
||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
- name: Clone webapp-deployment-status-ui repository
|
- name: Clone webapp-deployment-status-ui repository
|
||||||
|
@ -8,6 +8,10 @@
|
|||||||
- vars/webapp-vars.yml
|
- vars/webapp-vars.yml
|
||||||
- vars/dns-vars.yml
|
- vars/dns-vars.yml
|
||||||
- vars/k8s-vars.yml
|
- vars/k8s-vars.yml
|
||||||
|
- vars/user-vars.yml
|
||||||
|
|
||||||
|
become: yes
|
||||||
|
become_user: "{{username}}"
|
||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
- name: Clone the stack repo
|
- name: Clone the stack repo
|
||||||
|
@ -4,6 +4,12 @@
|
|||||||
environment:
|
environment:
|
||||||
PATH: "{{ ansible_env.PATH }}:/home/{{ansible_user}}/bin"
|
PATH: "{{ ansible_env.PATH }}:/home/{{ansible_user}}/bin"
|
||||||
|
|
||||||
|
vars_files:
|
||||||
|
- vars/user-vars.yml
|
||||||
|
|
||||||
|
become: yes
|
||||||
|
become_user: "{{username}}"
|
||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
- name: Clone the fixturenet-laconicd-stack repo
|
- name: Clone the fixturenet-laconicd-stack repo
|
||||||
command: laconic-so fetch-stack git.vdb.to/cerc-io/fixturenet-laconicd-stack --pull
|
command: laconic-so fetch-stack git.vdb.to/cerc-io/fixturenet-laconicd-stack --pull
|
||||||
|
@ -1,4 +1,6 @@
|
|||||||
|
- import_playbook: setup-user.yml
|
||||||
- import_playbook: setup-dns.yml
|
- import_playbook: setup-dns.yml
|
||||||
|
- import_playbook: setup-system.yml
|
||||||
- import_playbook: setup-k8s.yml
|
- import_playbook: setup-k8s.yml
|
||||||
- import_playbook: setup-container-registry.yml
|
- import_playbook: setup-container-registry.yml
|
||||||
- import_playbook: run-laconicd.yml
|
- import_playbook: run-laconicd.yml
|
||||||
|
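Review bot: `setup-system.yml` is imported here ahead of `setup-k8s.yml`, but the README in this commit says `gpg_key_id` in `vars/k8s-vars.yml` is filled in by hand from the key ID the system playbook prints, so a single top-to-bottom run of this file reaches `setup-k8s.yml` before that value can exist; the k8s playbook is outside the hunk, so I only infer that it reads the variable. Either have `setup-system.yml` hand the generated ID on as a fact or file the later plays consume, or state the two-pass workflow here, e.g. `# setup-k8s.yml needs gpg_key_id copied from the setup-system.yml output before it is run` above the import.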
@ -8,6 +8,10 @@
|
|||||||
- vars/k8s-vars.yml
|
- vars/k8s-vars.yml
|
||||||
- vars/container-vars.yml
|
- vars/container-vars.yml
|
||||||
- vars/dns-vars.yml
|
- vars/dns-vars.yml
|
||||||
|
- vars/user-vars.yml
|
||||||
|
|
||||||
|
become: yes
|
||||||
|
become_user: "{{username}}"
|
||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
- name: Generate spec file for the container-registry stack
|
- name: Generate spec file for the container-registry stack
|
||||||
|
@ -9,8 +9,13 @@
|
|||||||
VAULT_KEY: "{{ vault_passphrase }}"
|
VAULT_KEY: "{{ vault_passphrase }}"
|
||||||
|
|
||||||
vars_files:
|
vars_files:
|
||||||
- vars/k8s-vars.yml
|
|
||||||
- vars/dns-vars.yml
|
- vars/dns-vars.yml
|
||||||
|
- vars/gpg-vars.yml
|
||||||
|
- vars/k8s-vars.yml
|
||||||
|
- vars/user-vars.yml
|
||||||
|
|
||||||
|
become: yes
|
||||||
|
become_user: "{{username}}"
|
||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
- name: Install Python and pip
|
- name: Install Python and pip
|
||||||
|
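Review bot: This play now loads both `vars/gpg-vars.yml` and `vars/k8s-vars.yml`, which per the README hunk in this commit define `gpg_passphrase` and `vault_passphrase` as two separately filled-in values, while the context line `VAULT_KEY: "{{ vault_passphrase }}"` and the README comment `# passphrase for GPG key` suggest they are the same secret; if so, derive one from the other (`vault_passphrase: "{{ gpg_passphrase }}"` in k8s-vars, or `VAULT_KEY: "{{ gpg_passphrase }}"` here) so the two cannot drift. I infer this from the README only; the consumer of `VAULT_KEY` is outside the hunk. Since later entries in `vars_files` override earlier ones with the same key, the new ordering is also worth a one-line comment if it was chosen deliberately.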
138
service-provider-setup/setup-system.yml
Normal file
138
service-provider-setup/setup-system.yml
Normal file
@ -0,0 +1,138 @@
|
|||||||
|
- name: Setup system for the service provider setup
|
||||||
|
hosts: "{{ target_host }}"
|
||||||
|
|
||||||
|
environment:
|
||||||
|
GNUPGHOME: /home/{{ ansible_user }}/.gnupg
|
||||||
|
|
||||||
|
vars_files:
|
||||||
|
- vars/k8s-vars.yml
|
||||||
|
- vars/dns-vars.yml
|
||||||
|
- vars/gpg-vars.yml
|
||||||
|
- vars/user-vars.yml
|
||||||
|
|
||||||
|
become: yes
|
||||||
|
become_user: "{{username}}"
|
||||||
|
|
||||||
|
tasks:
|
||||||
|
- name: Install required packages
|
||||||
|
apt:
|
||||||
|
name:
|
||||||
|
- doas
|
||||||
|
- zsh
|
||||||
|
- tmux
|
||||||
|
- git
|
||||||
|
- jq
|
||||||
|
- acl
|
||||||
|
- curl
|
||||||
|
- wget
|
||||||
|
- netcat-traditional
|
||||||
|
- fping
|
||||||
|
- rsync
|
||||||
|
- htop
|
||||||
|
- iotop
|
||||||
|
- iftop
|
||||||
|
- tar
|
||||||
|
- less
|
||||||
|
- firewalld
|
||||||
|
- sshguard
|
||||||
|
- wireguard
|
||||||
|
- iproute2
|
||||||
|
- iperf3
|
||||||
|
- zfsutils-linux
|
||||||
|
- net-tools
|
||||||
|
- ca-certificates
|
||||||
|
- gnupg
|
||||||
|
- sshpass
|
||||||
|
- apache2-utils
|
||||||
|
state: latest
|
||||||
|
update_cache: true
|
||||||
|
become: yes
|
||||||
|
|
||||||
|
- name: Set unique hostname
|
||||||
|
hostname:
|
||||||
|
name: "{{ inventory_hostname }}"
|
||||||
|
when: ansible_hostname != inventory_hostname
|
||||||
|
|
||||||
|
- name: Verify status of firewalld and enable sshguard
|
||||||
|
systemd:
|
||||||
|
name: "{{ item }}"
|
||||||
|
enabled: yes
|
||||||
|
state: started
|
||||||
|
loop:
|
||||||
|
- firewalld
|
||||||
|
- sshguard
|
||||||
|
ignore_errors: yes
|
||||||
|
|
||||||
|
- name: Disable and remove snapd
|
||||||
|
block:
|
||||||
|
- name: Disable snapd services
|
||||||
|
systemd:
|
||||||
|
name: "{{ item }}"
|
||||||
|
enabled: no
|
||||||
|
state: stopped
|
||||||
|
loop:
|
||||||
|
- snapd.service
|
||||||
|
- snapd.socket
|
||||||
|
- snapd.seeded
|
||||||
|
- snapd.snap-repair.timer
|
||||||
|
ignore_errors: yes
|
||||||
|
|
||||||
|
- name: Purge snapd
|
||||||
|
apt:
|
||||||
|
name: snapd
|
||||||
|
state: absent
|
||||||
|
|
||||||
|
- name: Remove snap directories
|
||||||
|
file:
|
||||||
|
path: "{{ item }}"
|
||||||
|
state: absent
|
||||||
|
loop:
|
||||||
|
- "{{ ansible_env.HOME }}/snap"
|
||||||
|
- /snap
|
||||||
|
- /var/snap
|
||||||
|
- /var/lib/snapd
|
||||||
|
become: yes
|
||||||
|
ignore_errors: yes
|
||||||
|
|
||||||
|
- name: Ensure GPG directory exists
|
||||||
|
file:
|
||||||
|
path: "{{ ansible_env.HOME }}/.gnupg"
|
||||||
|
state: directory
|
||||||
|
mode: '0700'
|
||||||
|
|
||||||
|
- name: Create GPG key parameters file
|
||||||
|
copy:
|
||||||
|
dest: /tmp/gpg_key_params.txt
|
||||||
|
content: |
|
||||||
|
Key-Type: RSA
|
||||||
|
Key-Length: 4096
|
||||||
|
Subkey-Type: RSA
|
||||||
|
Name-Real: {{ gpg_user_name }}
|
||||||
|
Name-Email: {{ gpg_user_email }}
|
||||||
|
Expire-Date: 0
|
||||||
|
Passphrase: {{ gpg_passphrase }}
|
||||||
|
%no-protection
|
||||||
|
%commit
|
||||||
|
mode: '0600'
|
||||||
|
|
||||||
|
- name: Generate GPG key using the parameter file
|
||||||
|
command: gpg --batch --gen-key /tmp/gpg_key_params.txt
|
||||||
|
become_user: "{{ ansible_user }}"
|
||||||
|
register: gpg_keygen_output
|
||||||
|
ignore_errors: yes
|
||||||
|
|
||||||
|
- name: Show GPG key generation output
|
||||||
|
debug:
|
||||||
|
var: gpg_keygen_output.stdout
|
||||||
|
|
||||||
|
- name: Fetch the Key ID of the most recently created GPG key
|
||||||
|
shell: gpg --list-secret-keys --keyid-format=long | grep 'sec' | tail -n 1 | awk -F'/' '{print $2}' | awk '{print $1}'
|
||||||
|
register: gpg_key_output
|
||||||
|
|
||||||
|
- name: Set the GPG key ID to a variable
|
||||||
|
set_fact:
|
||||||
|
sec_key_id: "{{ gpg_key_output.stdout }}"
|
||||||
|
|
||||||
|
- name: Show GPG Key ID
|
||||||
|
debug:
|
||||||
|
msg: "GPG Key ID: {{ sec_key_id }}"
|
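Review bot: The parameter file written to `/tmp/gpg_key_params.txt` combines `Passphrase: {{ gpg_passphrase }}` with `%no-protection`; the latter asks GnuPG to create the key without passphrase protection, so the passphrase line is ineffective and the `gpg_passphrase` variable the README describes as "securing the GPG key" does nothing — keep one or the other and make the README match. The file holding the passphrase is also left on disk after generation and its content can show up in `--diff` output of the `copy` task, so it should be removed once `gpg --batch --gen-key` has run and the copy task should carry `no_log: true`. `ignore_errors: yes` on the generate task lets the following `gpg --list-secret-keys … | tail -n 1` pipeline pick up whatever key happens to be newest — possibly a pre-existing one, or nothing — so a failed generation ends with a wrong or empty `sec_key_id`; drop the `ignore_errors`. Separately, the play-level `become_user: "{{username}}"` applies to the `apt`, `hostname` and `systemd` tasks (a task-level `become: yes` does not change the target user), so they will fail unless `username` resolves to root, and the `.gnupg` directory is created under `ansible_env.HOME` as `username` while `GNUPGHOME` and the generate task use `ansible_user`; the fence below keeps the GPG steps on `ansible_user`, and the system tasks presumably want `become_user: root`.
```yaml
    - name: Create GPG key parameters file
      copy:
        dest: /tmp/gpg_key_params.txt
        content: |
          Key-Type: RSA
          Key-Length: 4096
          Subkey-Type: RSA
          Name-Real: {{ gpg_user_name }}
          Name-Email: {{ gpg_user_email }}
          Expire-Date: 0
          Passphrase: {{ gpg_passphrase }}
          %commit
        mode: '0600'
      become_user: "{{ ansible_user }}"
      no_log: true

    - name: Generate GPG key using the parameter file
      command: gpg --batch --gen-key /tmp/gpg_key_params.txt
      become_user: "{{ ansible_user }}"
      register: gpg_keygen_output

    - name: Remove GPG key parameters file
      file:
        path: /tmp/gpg_key_params.txt
        state: absent
      become_user: "{{ ansible_user }}"
    # … unchanged: key ID lookup, set_fact and debug tasks …
```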
@ -6,82 +6,6 @@
|
|||||||
- vars/user-vars.yml
|
- vars/user-vars.yml
|
||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
- name: Set unique hostname
|
|
||||||
hostname:
|
|
||||||
name: "{{ inventory_hostname }}"
|
|
||||||
when: ansible_hostname != inventory_hostname
|
|
||||||
|
|
||||||
# TODO: Move installation to k8s playbook
|
|
||||||
- name: Install additional packages
|
|
||||||
apt:
|
|
||||||
name:
|
|
||||||
- doas
|
|
||||||
- zsh
|
|
||||||
- tmux
|
|
||||||
- git
|
|
||||||
- jq
|
|
||||||
- acl
|
|
||||||
- curl
|
|
||||||
- wget
|
|
||||||
- netcat-traditional
|
|
||||||
- fping
|
|
||||||
- rsync
|
|
||||||
- htop
|
|
||||||
- iotop
|
|
||||||
- iftop
|
|
||||||
- tar
|
|
||||||
- less
|
|
||||||
- firewalld
|
|
||||||
- sshguard
|
|
||||||
- wireguard
|
|
||||||
- iproute2
|
|
||||||
- iperf3
|
|
||||||
- zfsutils-linux
|
|
||||||
- net-tools
|
|
||||||
- ca-certificates
|
|
||||||
- gnupg
|
|
||||||
- sshpass
|
|
||||||
state: latest
|
|
||||||
update_cache: true
|
|
||||||
|
|
||||||
- name: Verify status of firewalld and enable sshguard
|
|
||||||
systemd:
|
|
||||||
name: "{{ item }}"
|
|
||||||
enabled: yes
|
|
||||||
state: started
|
|
||||||
loop:
|
|
||||||
- firewalld
|
|
||||||
- sshguard
|
|
||||||
|
|
||||||
- name: Disable and remove snapd
|
|
||||||
block:
|
|
||||||
- name: Disable snapd services
|
|
||||||
systemd:
|
|
||||||
name: "{{ item }}"
|
|
||||||
enabled: no
|
|
||||||
state: stopped
|
|
||||||
loop:
|
|
||||||
- snapd.service
|
|
||||||
- snapd.socket
|
|
||||||
- snapd.seeded
|
|
||||||
- snapd.snap-repair.timer
|
|
||||||
|
|
||||||
- name: Purge snapd
|
|
||||||
apt:
|
|
||||||
name: snapd
|
|
||||||
state: absent
|
|
||||||
|
|
||||||
- name: Remove snap directories
|
|
||||||
file:
|
|
||||||
path: "{{ item }}"
|
|
||||||
state: absent
|
|
||||||
loop:
|
|
||||||
- "{{ ansible_env.HOME }}/snap"
|
|
||||||
- /snap
|
|
||||||
- /var/snap
|
|
||||||
- /var/lib/snapd
|
|
||||||
become: yes
|
|
||||||
|
|
||||||
- name: Create a user
|
- name: Create a user
|
||||||
user:
|
user:
|
||||||
name: "{{ username }}"
|
name: "{{ username }}"
|
||||||
@ -97,7 +21,7 @@
|
|||||||
|
|
||||||
- name: Ensure .ssh directory exists for user
|
- name: Ensure .ssh directory exists for user
|
||||||
file:
|
file:
|
||||||
path: /home/"{{ username }}"/.ssh
|
path: /home/{{ username }}/.ssh
|
||||||
state: directory
|
state: directory
|
||||||
owner: "{{ username }}"
|
owner: "{{ username }}"
|
||||||
group: "{{ username }}"
|
group: "{{ username }}"
|
||||||
|