Add playbook to setup gpg key
This commit is contained in:
parent
3ad7e98e55
commit
c89f3b3941
@ -62,6 +62,7 @@ To get started, follow the [installation](../README.md#installation) guide to se
|
||||
- Execute the `setup-user.yml` Ansible playbook to create a user with passwordless sudo permissions:
|
||||
|
||||
```bash
|
||||
cd ../
|
||||
ansible-playbook setup-user.yml -i hosts.ini --extra-vars='{ "target_host": "deployment_host" }'
|
||||
```
|
||||
|
||||
@ -102,6 +103,7 @@ To get started, follow the [installation](../README.md#installation) guide to se
|
||||
```bash
|
||||
cd vars
|
||||
cp dns-vars.example.yml dns-vars.yml
|
||||
cp gpg-vars.example.yml gpg-vars.yml
|
||||
cp k8s-vars.example.yml k8s-vars.yml
|
||||
cp container-vars.example.yml container-vars.yml
|
||||
cp webapp-vars.example.yml webapp-vars.yml
|
||||
@ -116,10 +118,13 @@ To get started, follow the [installation](../README.md#installation) guide to se
|
||||
cluster_control_ip: "" # eg: 23.111.78.179
|
||||
do_api_token: "" # eg: dop_v1...
|
||||
|
||||
# vars/gpg-vars.yml
|
||||
gpg_user_name: "" # Full name of the user for the GPG key
|
||||
gpg_user_email: "" # Email address associated with the GPG key
|
||||
gpg_passphrase: "" # Passphrase for securing the GPG key
|
||||
|
||||
# vars/k8s-vars.yml
|
||||
target_host: "deployment_host"
|
||||
gpg_key_id: "" # The sequence obtained in the previous step, eg: 0AFB10B643944C22
|
||||
vault_passphrase: "" # passphrase for GPG key
|
||||
org_id: "" # eg: lcn
|
||||
location_id: "" # eg: cad
|
||||
base_domain: "" # eg: laconic
|
||||
|
@ -10,6 +10,10 @@
|
||||
- vars/container-vars.yml
|
||||
- vars/k8s-vars.yml
|
||||
- vars/dns-vars.yml
|
||||
- vars/user-vars.yml
|
||||
|
||||
become: yes
|
||||
become_user: "{{username}}"
|
||||
|
||||
tasks:
|
||||
- name: Ensure gpg-keys directory exists
|
||||
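Review bot: `become: yes` in this hunk is the YAML 1.1 truthy spelling; Ansible accepts it, but yamllint's truthy rule and YAML 1.2 parsers do not read `yes` as a boolean, so `become: true` is the portable form. The neighbouring `become_user: "{{username}}"` also drops the spaces inside the braces that every other Jinja expression in this commit uses (`{{ ansible_user }}`, `{{ target_host }}`), so `become_user: "{{ username }}"` keeps the style consistent. The same two lines recur in the hunks ending at L190, L222, L259, L313 and L356 and in the new setup-system.yml. The play these keys belong to starts outside the hunk.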
@ -63,7 +67,7 @@
|
||||
-v /home/{{ ansible_user }}/config:/home/root/config \
|
||||
cerc/webapp-deployer-backend:local laconic-so publish-deployer-to-registry \
|
||||
--laconic-config /home/root/config/laconic.yml \
|
||||
--api-url https://webapp-deployer-api.{{ full_domain }} \
|
||||
--api-url https://webapp-deployer-api.pwa.{{ full_domain }} \
|
||||
--public-key-file /home/root/config/webapp-deployer-api.{{ full_domain }}.pgp.pub \
|
||||
--lrn lrn://{{ authority_name }}/deployers/webapp-deployer-api.{{ full_domain }} \
|
||||
--min-required-payment 100
|
||||
|
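Review bot: The `--api-url` now points at `webapp-deployer-api.pwa.{{ full_domain }}`, but the `--public-key-file` path and the `--lrn` value two and three lines below still use the un-prefixed `webapp-deployer-api.{{ full_domain }}`; if the API genuinely moved hosts, the published record would advertise one hostname under a key and LRN named for another. Confirm whether the key file and LRN are meant to keep the old name, and if not change them to `webapp-deployer-api.pwa.{{ full_domain }}` as well. The shell command this belongs to starts before the hunk.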
@ -8,6 +8,10 @@
|
||||
- vars/webapp-vars.yml
|
||||
- vars/dns-vars.yml
|
||||
- vars/k8s-vars.yml
|
||||
- vars/user-vars.yml
|
||||
|
||||
become: yes
|
||||
become_user: "{{username}}"
|
||||
|
||||
tasks:
|
||||
- name: Clone webapp-deployment-status-ui repository
|
||||
|
@ -8,6 +8,10 @@
|
||||
- vars/webapp-vars.yml
|
||||
- vars/dns-vars.yml
|
||||
- vars/k8s-vars.yml
|
||||
- vars/user-vars.yml
|
||||
|
||||
become: yes
|
||||
become_user: "{{username}}"
|
||||
|
||||
tasks:
|
||||
- name: Clone the stack repo
|
||||
|
@ -4,6 +4,12 @@
|
||||
environment:
|
||||
PATH: "{{ ansible_env.PATH }}:/home/{{ansible_user}}/bin"
|
||||
|
||||
vars_files:
|
||||
- vars/user-vars.yml
|
||||
|
||||
become: yes
|
||||
become_user: "{{username}}"
|
||||
|
||||
tasks:
|
||||
- name: Clone the fixturenet-laconicd-stack repo
|
||||
command: laconic-so fetch-stack git.vdb.to/cerc-io/fixturenet-laconicd-stack --pull
|
||||
|
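Review bot: `PATH: "{{ ansible_env.PATH }}:/home/{{ansible_user}}/bin"` still extends PATH with the connecting user's `~/bin`, while the added `become_user: "{{username}}"` now runs every task, including the `laconic-so fetch-stack` command, as `{{ username }}`. If `laconic-so` is installed under the new user's home, the entry should become `/home/{{ username }}/bin`; if it stays under the connecting user's home, confirm that `{{ username }}` can traverse and execute it, since the play's tasks no longer run as that user. The play header is outside the hunk.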
@ -1,4 +1,6 @@
|
||||
- import_playbook: setup-user.yml
|
||||
- import_playbook: setup-dns.yml
|
||||
- import_playbook: setup-system.yml
|
||||
- import_playbook: setup-k8s.yml
|
||||
- import_playbook: setup-container-registry.yml
|
||||
- import_playbook: run-laconicd.yml
|
||||
|
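Review bot: With `setup-system.yml` imported ahead of `setup-k8s.yml`, a single run of this playbook reaches the k8s play before the operator can copy the key id that setup-system prints into `gpg_key_id` in vars/k8s-vars.yml, which the README in this commit describes as "the sequence obtained in the previous step"; as written the chain either fails in the first play that needs the id or runs it with the empty default. Either document that this file is not meant to be run end to end, or have the consuming play read `{{ sec_key_id | default(gpg_key_id) }}`, since a value set with set_fact persists for the host across plays within one run. Which two of these six imports are the new lines is not recoverable from this rendering.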
@ -8,6 +8,10 @@
|
||||
- vars/k8s-vars.yml
|
||||
- vars/container-vars.yml
|
||||
- vars/dns-vars.yml
|
||||
- vars/user-vars.yml
|
||||
|
||||
become: yes
|
||||
become_user: "{{username}}"
|
||||
|
||||
tasks:
|
||||
- name: Generate spec file for the container-registry stack
|
||||
|
@ -9,8 +9,13 @@
|
||||
VAULT_KEY: "{{ vault_passphrase }}"
|
||||
|
||||
vars_files:
|
||||
- vars/k8s-vars.yml
|
||||
- vars/dns-vars.yml
|
||||
- vars/gpg-vars.yml
|
||||
- vars/k8s-vars.yml
|
||||
- vars/user-vars.yml
|
||||
|
||||
become: yes
|
||||
become_user: "{{username}}"
|
||||
|
||||
tasks:
|
||||
- name: Install Python and pip
|
||||
|
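Review bot: `- vars/k8s-vars.yml` appears twice in this vars_files list (before `dns-vars.yml` and again after `gpg-vars.yml`); this rendering does not show which side each line is on, so one of them may be the removed old entry, but if both survive the change the second load is redundant and should be dropped. Loading the same file twice is harmless today, yet it invites confusion when someone later edits only one copy's position relative to the other vars files. The play header and the `VAULT_KEY` environment block begin outside the hunk.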
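--- /dev/null
+++ b/service-provider-setup/setup-system.yml
@@ -0,0 +1,138 @@
+- name: Setup system for the service provider setup
+hosts: "{{ target_host }}"
+
+environment:
+GNUPGHOME: /home/{{ ansible_user }}/.gnupg
+
+vars_files:
+- vars/k8s-vars.yml
+- vars/dns-vars.yml
+- vars/gpg-vars.yml
+- vars/user-vars.yml
+
+become: yes
+become_user: "{{username}}"
+
+tasks:
+- name: Install required packages
+apt:
+name:
+- doas
+- zsh
+- tmux
+- git
+- jq
+- acl
+- curl
+- wget
+- netcat-traditional
+- fping
+- rsync
+- htop
+- iotop
+- iftop
+- tar
+- less
+- firewalld
+- sshguard
+- wireguard
+- iproute2
+- iperf3
+- zfsutils-linux
+- net-tools
+- ca-certificates
+- gnupg
+- sshpass
+- apache2-utils
+state: latest
+update_cache: true
+become: yes
+
+- name: Set unique hostname
+hostname:
+name: "{{ inventory_hostname }}"
+when: ansible_hostname != inventory_hostname
+
+- name: Verify status of firewalld and enable sshguard
+systemd:
+name: "{{ item }}"
+enabled: yes
+state: started
+loop:
+- firewalld
+- sshguard
+ignore_errors: yes
+
+- name: Disable and remove snapd
+block:
+- name: Disable snapd services
+systemd:
+name: "{{ item }}"
+enabled: no
+state: stopped
+loop:
+- snapd.service
+- snapd.socket
+- snapd.seeded
+- snapd.snap-repair.timer
+ignore_errors: yes
+
+- name: Purge snapd
+apt:
+name: snapd
+state: absent
+
+- name: Remove snap directories
+file:
+path: "{{ item }}"
+state: absent
+loop:
+- "{{ ansible_env.HOME }}/snap"
+- /snap
+- /var/snap
+- /var/lib/snapd
+become: yes
+ignore_errors: yes
+
+- name: Ensure GPG directory exists
+file:
+path: "{{ ansible_env.HOME }}/.gnupg"
+state: directory
+mode: '0700'
+
+- name: Create GPG key parameters file
+copy:
+dest: /tmp/gpg_key_params.txt
+content: |
+Key-Type: RSA
+Key-Length: 4096
+Subkey-Type: RSA
+Name-Real: {{ gpg_user_name }}
+Name-Email: {{ gpg_user_email }}
+Expire-Date: 0
+Passphrase: {{ gpg_passphrase }}
+%no-protection
+%commit
+mode: '0600'
+
+- name: Generate GPG key using the parameter file
+command: gpg --batch --gen-key /tmp/gpg_key_params.txt
+become_user: "{{ ansible_user }}"
+register: gpg_keygen_output
+ignore_errors: yes
+
+- name: Show GPG key generation output
+debug:
+var: gpg_keygen_output.stdout
+
+- name: Fetch the Key ID of the most recently created GPG key
+shell: gpg --list-secret-keys --keyid-format=long | grep 'sec' | tail -n 1 | awk -F'/' '{print $2}' | awk '{print $1}'
+register: gpg_key_output
+
+- name: Set the GPG key ID to a variable
+set_fact:
+sec_key_id: "{{ gpg_key_output.stdout }}"
+
+- name: Show GPG Key ID
+debug:
+msg: "GPG Key ID: {{ sec_key_id }}"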
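Review bot: The GPG parameter file contradicts itself: `%no-protection` asks gpg to create the key without any passphrase protection, so the `Passphrase: {{ gpg_passphrase }}` line just above it is not applied and the secret key is stored unprotected even though the README in this commit describes `gpg_passphrase` as "securing the GPG key"; keep one or the other, most likely deleting `%no-protection` if the passphrase is meant to apply. The rendered file, which contains that passphrase in clear text, is left behind at `/tmp/gpg_key_params.txt` after the keygen task, so add a cleanup task with `file:`, `path: /tmp/gpg_key_params.txt` and `state: absent` (ideally in an `always:` section of a block around the generation). The two apt tasks set `become: yes` but inherit the play-level `become_user: "{{username}}"`, so unless that account is root they will not run with root privileges; `become_user: root` on those tasks makes the intent explicit. The keygen task itself runs as `{{ ansible_user }}` while GNUPGHOME points at that user's home and the `.gnupg` directory task uses `{{ ansible_env.HOME }}` under the play's `{{username}}`, so it is worth confirming which account is meant to own the key; with `ignore_errors: yes` on generation, a failed run is masked and the `tail -n 1` lookup then reports whichever secret key happens to be listed last, including a pre-existing one.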
@ -6,82 +6,6 @@
|
||||
- vars/user-vars.yml
|
||||
|
||||
tasks:
|
||||
- name: Set unique hostname
|
||||
hostname:
|
||||
name: "{{ inventory_hostname }}"
|
||||
when: ansible_hostname != inventory_hostname
|
||||
|
||||
# TODO: Move installation to k8s playbook
|
||||
- name: Install additional packages
|
||||
apt:
|
||||
name:
|
||||
- doas
|
||||
- zsh
|
||||
- tmux
|
||||
- git
|
||||
- jq
|
||||
- acl
|
||||
- curl
|
||||
- wget
|
||||
- netcat-traditional
|
||||
- fping
|
||||
- rsync
|
||||
- htop
|
||||
- iotop
|
||||
- iftop
|
||||
- tar
|
||||
- less
|
||||
- firewalld
|
||||
- sshguard
|
||||
- wireguard
|
||||
- iproute2
|
||||
- iperf3
|
||||
- zfsutils-linux
|
||||
- net-tools
|
||||
- ca-certificates
|
||||
- gnupg
|
||||
- sshpass
|
||||
state: latest
|
||||
update_cache: true
|
||||
|
||||
- name: Verify status of firewalld and enable sshguard
|
||||
systemd:
|
||||
name: "{{ item }}"
|
||||
enabled: yes
|
||||
state: started
|
||||
loop:
|
||||
- firewalld
|
||||
- sshguard
|
||||
|
||||
- name: Disable and remove snapd
|
||||
block:
|
||||
- name: Disable snapd services
|
||||
systemd:
|
||||
name: "{{ item }}"
|
||||
enabled: no
|
||||
state: stopped
|
||||
loop:
|
||||
- snapd.service
|
||||
- snapd.socket
|
||||
- snapd.seeded
|
||||
- snapd.snap-repair.timer
|
||||
|
||||
- name: Purge snapd
|
||||
apt:
|
||||
name: snapd
|
||||
state: absent
|
||||
|
||||
- name: Remove snap directories
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
state: absent
|
||||
loop:
|
||||
- "{{ ansible_env.HOME }}/snap"
|
||||
- /snap
|
||||
- /var/snap
|
||||
- /var/lib/snapd
|
||||
become: yes
|
||||
|
||||
- name: Create a user
|
||||
user:
|
||||
name: "{{ username }}"
|
||||
@ -97,7 +21,7 @@
|
||||
|
||||
- name: Ensure .ssh directory exists for user
|
||||
file:
|
||||
path: /home/"{{ username }}"/.ssh
|
||||
path: /home/{{ username }}/.ssh
|
||||
state: directory
|
||||
owner: "{{ username }}"
|
||||
group: "{{ username }}"
|
||||
|
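Review bot: The `.ssh` directory task now has a valid path, but within this hunk it sets only `state`, `owner` and `group`; unless a `mode` follows outside the hunk, the directory is created with the default umask, and `mode: '0700'` is the conventional permission for a user's `~/.ssh`. The task body may continue past the last context line shown here.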