From 261e91ee2ebc5850990041af9c4942eeb6833ac5 Mon Sep 17 00:00:00 2001 From: Danny Bessems Date: Wed, 20 Jul 2022 08:40:18 +0200 Subject: [PATCH] Create additional SSH-keypair;Configure gitea --- .../roles/metacluster/tasks/main.yml | 21 +++++++++++++++++-- .../roles/users/tasks/main.yml | 16 ++++++++++++-- ansible/vars/metacluster.yml | 1 + 3 files changed, 34 insertions(+), 4 deletions(-) diff --git a/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml b/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml index cc55be4..9693f4c 100644 --- a/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml +++ b/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml @@ -13,7 +13,7 @@ INSTALL_K3S_EXEC: 'server --cluster-init --disable local-storage' when: ansible_facts.services['k3s.service'] is undefined - - name: Configure Traefik dashboard ingress + - name: Configure traefik dashboard ingress ansible.builtin.template: src: ingressroute.j2 dest: /var/lib/rancher/k3s/server/manifests/{{ _template.name }}-manifest.yaml @@ -201,16 +201,33 @@ - name: Retrieve existing gitea configuration ansible.builtin.uri: - # url: https://git.{{ vapp['metacluster.fqdn'] }}/api/v1/orgs + # url: "{{ item }}" url: https://git.{{ vapp['metacluster.fqdn'] }}/api/v1/repos/search method: GET register: gitea_existing_config + # loop: + # # - https://git.{{ vapp['metacluster.fqdn'] }}/api/v1/orgs + # - https://git.{{ vapp['metacluster.fqdn'] }}/api/v1/repos/search + # - https://git.{{ vapp['metacluster.fqdn'] }}/api/v1/user/keys - debug: var: gitea_existing_config - block: + - name: Register SSH public key + ansible.builtin.uri: + url: https://git.{{ vapp['metacluster.fqdn'] }}/api/v1/user/keys + method: POST + headers: + Authorization: token {{ gitea_api_token.json.sha1 }} + body: + key: "{{ gitops_sshkey.public_key }}" + read_only: false + title: GitOps +# Initial testing + ignore_errors: yes + - name: Create organization(s) ansible.builtin.uri: url: https://git.{{ vapp['metacluster.fqdn'] }}/api/v1/orgs diff --git a/ansible/roles/firstboot/files/ansible_payload/roles/users/tasks/main.yml b/ansible/roles/firstboot/files/ansible_payload/roles/users/tasks/main.yml index 77f412f..f2c08d9 100644 --- a/ansible/roles/firstboot/files/ansible_payload/roles/users/tasks/main.yml +++ b/ansible/roles/firstboot/files/ansible_payload/roles/users/tasks/main.yml @@ -5,10 +5,12 @@ generate_ssh_key: yes ssh_key_bits: 2048 ssh_key_file: .ssh/id_rsa + - name: Save root SSH publickey ansible.builtin.lineinfile: path: /root/.ssh/authorized_keys line: "{{ vapp['guestinfo.rootsshkey'] }}" + - name: Disable SSH password authentication ansible.builtin.lineinfile: path: /etc/ssh/sshd_config @@ -16,8 +18,18 @@ line: "{{ item.line }}" state: "{{ item.state }}" loop: - - { regex: '^#PasswordAuthentication', line: 'PasswordAuthentication no', state: present} - - { regex: '^PasswordAuthentication yes', line: 'PasswordAuthentication yes', state: absent} + - regex: '^#PasswordAuthentication' + line: 'PasswordAuthentication no' + state: present + - regex: '^PasswordAuthentication yes' + line: 'PasswordAuthentication yes' + state: absent + +- name: Create dedicated SSH keypair + community.crypto.openssh_keypair: + path: /root/.ssh/git_rsa_id + register: gitops_sshkey + - name: Delete 'ubuntu' user ansible.builtin.user: name: ubuntu diff --git a/ansible/vars/metacluster.yml b/ansible/vars/metacluster.yml index c73198d..10d933b 100644 --- a/ansible/vars/metacluster.yml +++ b/ansible/vars/metacluster.yml @@ -122,6 +122,7 @@ dependencies: ansible_galaxy_collections: - ansible.posix - ansible.utils + - community.crypto - community.general - kubernetes.core