Add playbook to setup gpg key

This commit is contained in:
Adw8 2024-09-27 13:03:36 +05:30 committed by nabarun
parent 3ad7e98e55
commit c89f3b3941
10 changed files with 177 additions and 81 deletions


@ -62,6 +62,7 @@ To get started, follow the [installation](../README.md#installation) guide to se
- Execute the `setup-user.yml` Ansible playbook to create a user with passwordless sudo permissions: - Execute the `setup-user.yml` Ansible playbook to create a user with passwordless sudo permissions:
```bash ```bash
cd ../
ansible-playbook setup-user.yml -i hosts.ini --extra-vars='{ "target_host": "deployment_host" }' ansible-playbook setup-user.yml -i hosts.ini --extra-vars='{ "target_host": "deployment_host" }'
``` ```
@ -102,6 +103,7 @@ To get started, follow the [installation](../README.md#installation) guide to se
```bash ```bash
cd vars cd vars
cp dns-vars.example.yml dns-vars.yml cp dns-vars.example.yml dns-vars.yml
cp gpg-vars.example.yml gpg-vars.yml
cp k8s-vars.example.yml k8s-vars.yml cp k8s-vars.example.yml k8s-vars.yml
cp container-vars.example.yml container-vars.yml cp container-vars.example.yml container-vars.yml
cp webapp-vars.example.yml webapp-vars.yml cp webapp-vars.example.yml webapp-vars.yml
@ -116,10 +118,13 @@ To get started, follow the [installation](../README.md#installation) guide to se
cluster_control_ip: "" # eg: 23.111.78.179 cluster_control_ip: "" # eg: 23.111.78.179
do_api_token: "" # eg: dop_v1... do_api_token: "" # eg: dop_v1...
# vars/gpg-vars.yml
gpg_user_name: "" # Full name of the user for the GPG key
gpg_user_email: "" # Email address associated with the GPG key
gpg_passphrase: "" # Passphrase for securing the GPG key
# vars/k8s-vars.yml # vars/k8s-vars.yml
target_host: "deployment_host" target_host: "deployment_host"
gpg_key_id: "" # The sequence obtained in the previous step, eg: 0AFB10B643944C22
vault_passphrase: "" # passphrase for GPG key
org_id: "" # eg: lcn org_id: "" # eg: lcn
location_id: "" # eg: cad location_id: "" # eg: cad
base_domain: "" # eg: laconic base_domain: "" # eg: laconic


@ -10,6 +10,10 @@
- vars/container-vars.yml - vars/container-vars.yml
- vars/k8s-vars.yml - vars/k8s-vars.yml
- vars/dns-vars.yml - vars/dns-vars.yml
- vars/user-vars.yml
become: yes
become_user: "{{username}}"
tasks: tasks:
- name: Ensure gpg-keys directory exists - name: Ensure gpg-keys directory exists
@ -63,7 +67,7 @@
-v /home/{{ ansible_user }}/config:/home/root/config \ -v /home/{{ ansible_user }}/config:/home/root/config \
cerc/webapp-deployer-backend:local laconic-so publish-deployer-to-registry \ cerc/webapp-deployer-backend:local laconic-so publish-deployer-to-registry \
--laconic-config /home/root/config/laconic.yml \ --laconic-config /home/root/config/laconic.yml \
--api-url https://webapp-deployer-api.{{ full_domain }} \ --api-url https://webapp-deployer-api.pwa.{{ full_domain }} \
--public-key-file /home/root/config/webapp-deployer-api.{{ full_domain }}.pgp.pub \ --public-key-file /home/root/config/webapp-deployer-api.{{ full_domain }}.pgp.pub \
--lrn lrn://{{ authority_name }}/deployers/webapp-deployer-api.{{ full_domain }} \ --lrn lrn://{{ authority_name }}/deployers/webapp-deployer-api.{{ full_domain }} \
--min-required-payment 100 --min-required-payment 100
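Review bot: The play-level `become_user: "{{username}}"` added in the first hunk is inherited by every task, yet the docker command in the second hunk still mounts `/home/{{ ansible_user }}/config`; if `username` (from vars/user-vars.yml) and the SSH login `ansible_user` are different accounts, the tasks now run as one user while reading the other's home, so either reconcile the two or mount `{{ ansible_env.HOME }}/config`. The same play-level become block is added below in the status-ui clone, stack clone, laconicd, container-registry and k8s playbooks, and this applies to each of them. Also `become: yes` should be `become: true` (yamllint truthy) and the template is conventionally spaced, `become_user: "{{ username }}"`. In the second hunk `--api-url` now uses `webapp-deployer-api.pwa.{{ full_domain }}` while `--public-key-file` and `--lrn` keep the un-suffixed name; presumably intended, but worth confirming the registry record and key file still match. The enclosing play and the task body start and end outside these hunks.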


@ -8,6 +8,10 @@
- vars/webapp-vars.yml - vars/webapp-vars.yml
- vars/dns-vars.yml - vars/dns-vars.yml
- vars/k8s-vars.yml - vars/k8s-vars.yml
- vars/user-vars.yml
become: yes
become_user: "{{username}}"
tasks: tasks:
- name: Clone webapp-deployment-status-ui repository - name: Clone webapp-deployment-status-ui repository


@ -8,6 +8,10 @@
- vars/webapp-vars.yml - vars/webapp-vars.yml
- vars/dns-vars.yml - vars/dns-vars.yml
- vars/k8s-vars.yml - vars/k8s-vars.yml
- vars/user-vars.yml
become: yes
become_user: "{{username}}"
tasks: tasks:
- name: Clone the stack repo - name: Clone the stack repo


@ -4,6 +4,12 @@
environment: environment:
PATH: "{{ ansible_env.PATH }}:/home/{{ansible_user}}/bin" PATH: "{{ ansible_env.PATH }}:/home/{{ansible_user}}/bin"
vars_files:
- vars/user-vars.yml
become: yes
become_user: "{{username}}"
tasks: tasks:
- name: Clone the fixturenet-laconicd-stack repo - name: Clone the fixturenet-laconicd-stack repo
command: laconic-so fetch-stack git.vdb.to/cerc-io/fixturenet-laconicd-stack --pull command: laconic-so fetch-stack git.vdb.to/cerc-io/fixturenet-laconicd-stack --pull


@ -1,4 +1,6 @@
- import_playbook: setup-user.yml
- import_playbook: setup-dns.yml - import_playbook: setup-dns.yml
- import_playbook: setup-system.yml
- import_playbook: setup-k8s.yml - import_playbook: setup-k8s.yml
- import_playbook: setup-container-registry.yml - import_playbook: setup-container-registry.yml
- import_playbook: run-laconicd.yml - import_playbook: run-laconicd.yml


@ -8,6 +8,10 @@
- vars/k8s-vars.yml - vars/k8s-vars.yml
- vars/container-vars.yml - vars/container-vars.yml
- vars/dns-vars.yml - vars/dns-vars.yml
- vars/user-vars.yml
become: yes
become_user: "{{username}}"
tasks: tasks:
- name: Generate spec file for the container-registry stack - name: Generate spec file for the container-registry stack


@ -9,8 +9,13 @@
VAULT_KEY: "{{ vault_passphrase }}" VAULT_KEY: "{{ vault_passphrase }}"
vars_files: vars_files:
- vars/k8s-vars.yml
- vars/dns-vars.yml - vars/dns-vars.yml
- vars/gpg-vars.yml
- vars/k8s-vars.yml
- vars/user-vars.yml
become: yes
become_user: "{{username}}"
tasks: tasks:
- name: Install Python and pip - name: Install Python and pip


@ -0,0 +1,138 @@
- name: Setup system for the service provider setup
hosts: "{{ target_host }}"
environment:
GNUPGHOME: /home/{{ ansible_user }}/.gnupg
vars_files:
- vars/k8s-vars.yml
- vars/dns-vars.yml
- vars/gpg-vars.yml
- vars/user-vars.yml
become: yes
become_user: "{{username}}"
tasks:
- name: Install required packages
apt:
name:
- doas
- zsh
- tmux
- git
- jq
- acl
- curl
- wget
- netcat-traditional
- fping
- rsync
- htop
- iotop
- iftop
- tar
- less
- firewalld
- sshguard
- wireguard
- iproute2
- iperf3
- zfsutils-linux
- net-tools
- ca-certificates
- gnupg
- sshpass
- apache2-utils
state: latest
update_cache: true
become: yes
- name: Set unique hostname
hostname:
name: "{{ inventory_hostname }}"
when: ansible_hostname != inventory_hostname
- name: Verify status of firewalld and enable sshguard
systemd:
name: "{{ item }}"
enabled: yes
state: started
loop:
- firewalld
- sshguard
ignore_errors: yes
- name: Disable and remove snapd
block:
- name: Disable snapd services
systemd:
name: "{{ item }}"
enabled: no
state: stopped
loop:
- snapd.service
- snapd.socket
- snapd.seeded
- snapd.snap-repair.timer
ignore_errors: yes
- name: Purge snapd
apt:
name: snapd
state: absent
- name: Remove snap directories
file:
path: "{{ item }}"
state: absent
loop:
- "{{ ansible_env.HOME }}/snap"
- /snap
- /var/snap
- /var/lib/snapd
become: yes
ignore_errors: yes
- name: Ensure GPG directory exists
file:
path: "{{ ansible_env.HOME }}/.gnupg"
state: directory
mode: '0700'
- name: Create GPG key parameters file
copy:
dest: /tmp/gpg_key_params.txt
content: |
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Name-Real: {{ gpg_user_name }}
Name-Email: {{ gpg_user_email }}
Expire-Date: 0
Passphrase: {{ gpg_passphrase }}
%no-protection
%commit
mode: '0600'
- name: Generate GPG key using the parameter file
command: gpg --batch --gen-key /tmp/gpg_key_params.txt
become_user: "{{ ansible_user }}"
register: gpg_keygen_output
ignore_errors: yes
- name: Show GPG key generation output
debug:
var: gpg_keygen_output.stdout
- name: Fetch the Key ID of the most recently created GPG key
shell: gpg --list-secret-keys --keyid-format=long | grep 'sec' | tail -n 1 | awk -F'/' '{print $2}' | awk '{print $1}'
register: gpg_key_output
- name: Set the GPG key ID to a variable
set_fact:
sec_key_id: "{{ gpg_key_output.stdout }}"
- name: Show GPG Key ID
debug:
msg: "GPG Key ID: {{ sec_key_id }}"
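Review bot: The parameter file written to /tmp/gpg_key_params.txt contains both `Passphrase: {{ gpg_passphrase }}` and `%no-protection`, and with `%no-protection` gpg creates the key without a passphrase, so the value the README describes as "Passphrase for securing the GPG key" is silently ignored; drop `%no-protection` for a protected key (confirm the target gpg honours the batch `Passphrase:` field without `--pinentry-mode loopback`), or drop the Passphrase line and document that the key is unprotected. The file also leaves the passphrase under a fixed name in /tmp for the lifetime of the host and the copy task prints its content on verbose runs, so write it under the GPG home, add `no_log: true`, and remove it after generation. The play-level `become_user: "{{username}}"` is inherited by the apt, hostname, systemd and snapd tasks, whose `become: yes` does not switch them back to root, while the key is generated as `become_user: "{{ ansible_user }}"` under `GNUPGHOME: /home/{{ ansible_user }}/.gnupg` and then listed as the play user; unless all of these resolve to the same account the privileged tasks fail and the key-ID lookup reads a different keyring, so set `become_user: root` on the privileged tasks and use one account and one GPG home for every gpg step. Finally, `ignore_errors: yes` on the key-generation task hides a failed run and lets the `tail -n 1` lookup return whatever older key is already in the keyring; let it fail, or at least add `failed_when: gpg_key_output.stdout == ''` to the lookup.
```yaml
    - name: Create GPG key parameters file
      copy:
        dest: "{{ ansible_env.HOME }}/.gnupg/gpg_key_params.txt"
        content: |
          Key-Type: RSA
          Key-Length: 4096
          Subkey-Type: RSA
          Name-Real: {{ gpg_user_name }}
          Name-Email: {{ gpg_user_email }}
          Expire-Date: 0
          Passphrase: {{ gpg_passphrase }}
          %commit
        mode: '0600'
      no_log: true
    - name: Generate GPG key using the parameter file
      command: gpg --batch --gen-key "{{ ansible_env.HOME }}/.gnupg/gpg_key_params.txt"
      register: gpg_keygen_output
      no_log: true
    - name: Remove GPG key parameters file
      file:
        path: "{{ ansible_env.HOME }}/.gnupg/gpg_key_params.txt"
        state: absent
    # … unchanged: key ID lookup, set_fact and debug tasks …
```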


@ -6,82 +6,6 @@
- vars/user-vars.yml - vars/user-vars.yml
tasks: tasks:
- name: Set unique hostname
hostname:
name: "{{ inventory_hostname }}"
when: ansible_hostname != inventory_hostname
# TODO: Move installation to k8s playbook
- name: Install additional packages
apt:
name:
- doas
- zsh
- tmux
- git
- jq
- acl
- curl
- wget
- netcat-traditional
- fping
- rsync
- htop
- iotop
- iftop
- tar
- less
- firewalld
- sshguard
- wireguard
- iproute2
- iperf3
- zfsutils-linux
- net-tools
- ca-certificates
- gnupg
- sshpass
state: latest
update_cache: true
- name: Verify status of firewalld and enable sshguard
systemd:
name: "{{ item }}"
enabled: yes
state: started
loop:
- firewalld
- sshguard
- name: Disable and remove snapd
block:
- name: Disable snapd services
systemd:
name: "{{ item }}"
enabled: no
state: stopped
loop:
- snapd.service
- snapd.socket
- snapd.seeded
- snapd.snap-repair.timer
- name: Purge snapd
apt:
name: snapd
state: absent
- name: Remove snap directories
file:
path: "{{ item }}"
state: absent
loop:
- "{{ ansible_env.HOME }}/snap"
- /snap
- /var/snap
- /var/lib/snapd
become: yes
- name: Create a user - name: Create a user
user: user:
name: "{{ username }}" name: "{{ username }}"
@ -97,7 +21,7 @@
- name: Ensure .ssh directory exists for user - name: Ensure .ssh directory exists for user
file: file:
path: /home/"{{ username }}"/.ssh path: /home/{{ username }}/.ssh
state: directory state: directory
owner: "{{ username }}" owner: "{{ username }}"
group: "{{ username }}" group: "{{ username }}"