Merge "Use ssh_keypairs role to generate keys for repo sync"
This commit is contained in:
commit
5aefc76d47
|
@ -43,10 +43,6 @@ repo_service_home_folder: /var/www
|
|||
repo_service_user_name: nginx
|
||||
repo_service_group_name: www-data
|
||||
|
||||
# If you want to regenerate the repo users SSH keys, on each run, set this var to True
|
||||
# Otherwise keys will be generated on the first run and not regenerated each run.
|
||||
repo_recreate_keys: False
|
||||
|
||||
# Main web server port
|
||||
repo_server_bind_address: "{{ openstack_service_bind_address | default('0.0.0.0') }}"
|
||||
repo_server_port: 8181
|
||||
|
@ -60,3 +56,33 @@ repo_build_global_links_dirname: links
|
|||
# directory placed by the deployer will also be transferred
|
||||
repo_upper_constraints_path: "/etc/openstack_deploy/upper-constraints"
|
||||
|
||||
# Delegated host for operating the ssh certificate authority
|
||||
repo_ssh_keypairs_setup_host: "{{ openstack_ssh_keypairs_setup_host | default('localhost') }}"
|
||||
|
||||
# directory on the setup host to create and store SSH keypairs
|
||||
repo_ssh_keypairs_dir: "{{ openstack_ssh_keypairs_dir | default('/etc/openstack_deploy/ssh_keypairs') }}"
|
||||
|
||||
#Each repo host needs a signed ssh certificate to log into the others
|
||||
repo_ssh_keypairs:
|
||||
- name: "repo-{{ inventory_hostname }}"
|
||||
cert:
|
||||
signed_by: "{{ openstack_ssh_signing_key }}"
|
||||
principals: "{{ repo_ssh_key_principals | default('repo') }}"
|
||||
valid_from: "{{ repo_ssh_key_valid_from | default('always') }}"
|
||||
valid_to: "{{ repo_ssh_key_valid_to | default('forever') }}"
|
||||
|
||||
#Each repo host needs the signed ssh certificate installing to the repo_server user
|
||||
repo_ssh_keypairs_install_keys:
|
||||
owner: "{{ repo_service_user_name }}"
|
||||
group: "{{ repo_service_group_name }}"
|
||||
keys:
|
||||
- cert: "repo-{{ inventory_hostname }}"
|
||||
dest: "{{ repo_service_home_folder }}/.ssh/id_rsa"
|
||||
|
||||
#Each repo host must trust the SSHD certificate authoritiy in the sshd configuration
|
||||
repo_ssh_keypairs_install_ca: "{{ openstack_ssh_keypairs_authorities }}"
|
||||
|
||||
#Each repo host must allow SSH certificates with the appropriate principal to log into the repo_server user
|
||||
repo_ssh_keypairs_principals:
|
||||
- user: "{{ repo_service_user_name }}"
|
||||
principals: "{{ repo_ssh_key_principals | default(['repo']) }}"
|
||||
|
|
|
@ -41,14 +41,29 @@
|
|||
tags:
|
||||
- repo_server-config
|
||||
|
||||
- include: repo_key_populate.yml
|
||||
- name: Create ssh keys for synchronising repo contents
|
||||
include_role:
|
||||
name: openstack.osa.ssh_keypairs
|
||||
args:
|
||||
apply:
|
||||
tags:
|
||||
- repo-key
|
||||
- repo_server-config
|
||||
vars:
|
||||
ssh_keypairs_setup_hosst: "{{ repo_ssh_keypairs_setup_host }}"
|
||||
ssh_keypairs_dir: "{{ repo_ssh_keypairs_dir }}"
|
||||
ssh_keypairs: "{{ repo_ssh_keypairs }}"
|
||||
ssh_keypairs_install_keys: "{{ repo_ssh_keypairs_install_keys }}"
|
||||
ssh_keypairs_install_ca: "{{ repo_ssh_keypairs_install_ca }}"
|
||||
ssh_keypairs_principals: "{{ repo_ssh_keypairs_principals }}"
|
||||
tags:
|
||||
- always
|
||||
|
||||
- include: repo_key_distribute.yml
|
||||
when: groups.repo_all|length > 1
|
||||
tags:
|
||||
- repo_server-config
|
||||
# TODO (jrosser) Remove this task for the Z release
|
||||
- name: Remove legacy authorized keys file
|
||||
file:
|
||||
path: "{{ repo_service_home_folder }}/.ssh/authorized_keys"
|
||||
state: absent
|
||||
|
||||
- include: repo_sync_manager.yml
|
||||
when: inventory_hostname == groups['repo_all'][0]
|
||||
|
|
|
@ -1,24 +0,0 @@
|
|||
---
|
||||
# Copyright 2014, Rackspace US, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- name: Create authorized keys file from host vars
|
||||
authorized_key:
|
||||
user: "{{ repo_service_user_name }}"
|
||||
key: "{{ hostvars[item]['repo_pubkey'] | b64decode }}"
|
||||
with_items: "{{ groups['repo_all'] }}"
|
||||
when: hostvars[item]['repo_pubkey'] is defined
|
||||
tags:
|
||||
- repo-key
|
||||
- repo-key-store
|
|
@ -1,30 +0,0 @@
|
|||
---
|
||||
# Copyright 2014, Rackspace US, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- name: Get public key contents and store as var
|
||||
slurp:
|
||||
src: "{{ repo_service_home_folder }}/.ssh/id_rsa.pub"
|
||||
register: repo_pub
|
||||
changed_when: false
|
||||
tags:
|
||||
- repo-key
|
||||
- repo-key-create
|
||||
|
||||
- name: Register a fact for the repo user pub key
|
||||
set_fact:
|
||||
repo_pubkey: "{{ repo_pub.content }}"
|
||||
tags:
|
||||
- repo-key
|
||||
- repo-key-create
|
|
@ -19,21 +19,6 @@
|
|||
name: pack.threads
|
||||
value: '0'
|
||||
|
||||
- name: Remove old key file(s) if found
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
state: "absent"
|
||||
with_items:
|
||||
- "{{ repo_service_home_folder }}/.ssh/authorized_keys"
|
||||
- "{{ repo_service_home_folder }}/.ssh/id_rsa"
|
||||
- "{{ repo_service_home_folder }}/.ssh/id_rsa.pub"
|
||||
when: repo_recreate_keys | bool
|
||||
|
||||
- name: Generate the nginx system user ssh key
|
||||
user:
|
||||
name: "{{ repo_service_user_name }}"
|
||||
generate_ssh_key: "yes"
|
||||
|
||||
- name: Enable SSHD
|
||||
systemd:
|
||||
name: "{{ repo_server_sshd }}"
|
||||
|
|
Loading…
Reference in New Issue