Create additional SSH-keypair;Configure gitea

ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml

@@ -13,7 +13,7 @@
         INSTALL_K3S_EXEC: 'server --cluster-init --disable local-storage'
       when: ansible_facts.services['k3s.service'] is undefined
 
-    - name: Configure Traefik dashboard ingress
+    - name: Configure traefik dashboard ingress
       ansible.builtin.template:
         src: ingressroute.j2
         dest: /var/lib/rancher/k3s/server/manifests/{{ _template.name }}-manifest.yaml
@@ -201,16 +201,33 @@
 
     - name: Retrieve existing gitea configuration
       ansible.builtin.uri:
-        # url: https://git.{{ vapp['metacluster.fqdn'] }}/api/v1/orgs
+        # url: "{{ item }}"
         url: https://git.{{ vapp['metacluster.fqdn'] }}/api/v1/repos/search
         method: GET
       register: gitea_existing_config
+      # loop:
+      #   # - https://git.{{ vapp['metacluster.fqdn'] }}/api/v1/orgs
+      #   - https://git.{{ vapp['metacluster.fqdn'] }}/api/v1/repos/search
+      #   - https://git.{{ vapp['metacluster.fqdn'] }}/api/v1/user/keys
 
     - debug:
         var: gitea_existing_config
 
     - block:
 
+        - name: Register SSH public key
+          ansible.builtin.uri:
+            url: https://git.{{ vapp['metacluster.fqdn'] }}/api/v1/user/keys
+            method: POST
+            headers:
+              Authorization: token {{ gitea_api_token.json.sha1 }}
+            body:
+              key: "{{ gitops_sshkey.public_key }}"
+              read_only: false
+              title: GitOps
+# Initial testing
+          ignore_errors: yes
+
         - name: Create organization(s)
           ansible.builtin.uri:
             url: https://git.{{ vapp['metacluster.fqdn'] }}/api/v1/orgs

ansible/roles/firstboot/files/ansible_payload/roles/users/tasks/main.yml

@@ -5,10 +5,12 @@
     generate_ssh_key: yes
     ssh_key_bits: 2048
     ssh_key_file: .ssh/id_rsa
+
 - name: Save root SSH publickey
   ansible.builtin.lineinfile:
     path: /root/.ssh/authorized_keys
     line: "{{ vapp['guestinfo.rootsshkey'] }}"
+
 - name: Disable SSH password authentication
   ansible.builtin.lineinfile:
     path: /etc/ssh/sshd_config
@@ -16,8 +18,18 @@
     line: "{{ item.line }}"
     state: "{{ item.state }}"
   loop:
-  - { regex: '^#PasswordAuthentication', line: 'PasswordAuthentication no', state: present}
+  - regex: '^#PasswordAuthentication'
-  - { regex: '^PasswordAuthentication yes', line: 'PasswordAuthentication yes', state: absent}
+    line: 'PasswordAuthentication no'
+    state: present
+  - regex: '^PasswordAuthentication yes'
+    line: 'PasswordAuthentication yes'
+    state: absent
+
+- name: Create dedicated SSH keypair
+  community.crypto.openssh_keypair:
+    path: /root/.ssh/git_rsa_id
+  register: gitops_sshkey
+
 - name: Delete 'ubuntu' user
   ansible.builtin.user:
     name: ubuntu

ansible/vars/metacluster.yml

@@ -122,6 +122,7 @@ dependencies:
   ansible_galaxy_collections:
     - ansible.posix
     - ansible.utils
+    - community.crypto
     - community.general
     - kubernetes.core