a3da8deb0f
- Add app_ssh_access role to install forced-command keys for infra-register-stdin and infra-deregister\n- Ensure required infra-controller runtime directories exist on services host\n- Add helper script to generate/register both Actions SSH secrets and update vault public keys
92 lines
No EOL
3.2 KiB
YAML
92 lines
No EOL
3.2 KiB
YAML
---
|
|
- name: Compute app SSH allowed IP
|
|
set_fact:
|
|
app_ssh_allowed_ip_effective: >-
|
|
{{
|
|
(app_ssh_allowed_ip | default('', true))
|
|
if (app_ssh_allowed_ip | default('', true) | length) > 0
|
|
else (hostvars[app_ssh_allowed_host].public_ipv4
|
|
| default(hostvars[app_ssh_allowed_host].ansible_host, true))
|
|
}}
|
|
|
|
- name: Compute register SSH public key
|
|
set_fact:
|
|
app_ssh_register_key_effective: >-
|
|
{{
|
|
(app_ssh_register_key | default('', true))
|
|
if (app_ssh_register_key | default('', true) | length) > 0
|
|
else (
|
|
SERVICE_SSH_REGISTER_PUBLIC_KEY
|
|
| default(lookup('env', 'SERVICE_SSH_REGISTER_PUBLIC_KEY'), true)
|
|
)
|
|
}}
|
|
no_log: true
|
|
|
|
- name: Compute deregister SSH public key
|
|
set_fact:
|
|
app_ssh_deregister_key_effective: >-
|
|
{{
|
|
(app_ssh_deregister_key | default('', true))
|
|
if (app_ssh_deregister_key | default('', true) | length) > 0
|
|
else (
|
|
SERVICE_SSH_DEREGISTER_PUBLIC_KEY
|
|
| default(lookup('env', 'SERVICE_SSH_DEREGISTER_PUBLIC_KEY'), true)
|
|
)
|
|
}}
|
|
no_log: true
|
|
|
|
- name: Fail if register SSH public key is missing
|
|
fail:
|
|
msg: "SERVICE_SSH_REGISTER_PUBLIC_KEY is required (must be an SSH public key like 'ssh-ed25519 AAAA...')"
|
|
when: app_ssh_register_key_effective | length == 0
|
|
|
|
- name: Fail if deregister SSH public key is missing
|
|
fail:
|
|
msg: "SERVICE_SSH_DEREGISTER_PUBLIC_KEY is required (must be an SSH public key like 'ssh-ed25519 AAAA...')"
|
|
when: app_ssh_deregister_key_effective | length == 0
|
|
|
|
- name: Fail if register SSH public key does not look like an SSH key
|
|
fail:
|
|
msg: "SERVICE_SSH_REGISTER_PUBLIC_KEY does not look like an SSH public key"
|
|
when: not (app_ssh_register_key_effective is match('^ssh-'))
|
|
|
|
- name: Fail if deregister SSH public key does not look like an SSH key
|
|
fail:
|
|
msg: "SERVICE_SSH_DEREGISTER_PUBLIC_KEY does not look like an SSH public key"
|
|
when: not (app_ssh_deregister_key_effective is match('^ssh-'))
|
|
|
|
- name: Fail if app SSH allowed host/IP cannot be determined
|
|
fail:
|
|
msg: "Unable to determine app SSH allowed IP"
|
|
when: app_ssh_allowed_ip_effective | length == 0
|
|
|
|
- name: Ensure app SSH user exists
|
|
user:
|
|
name: "{{ app_ssh_user }}"
|
|
state: present
|
|
create_home: true
|
|
shell: /bin/bash
|
|
|
|
- name: Ensure .ssh directory exists
|
|
file:
|
|
path: "/home/{{ app_ssh_user }}/.ssh"
|
|
state: directory
|
|
owner: "{{ app_ssh_user }}"
|
|
group: "{{ app_ssh_user }}"
|
|
mode: "0700"
|
|
|
|
- name: Install restricted authorized key for register
|
|
authorized_key:
|
|
user: "{{ app_ssh_user }}"
|
|
state: present
|
|
key: "{{ app_ssh_register_key_effective }}"
|
|
key_options: >-
|
|
command="/usr/local/sbin/infra-register-stdin",from="{{ app_ssh_allowed_ip_effective }}",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding
|
|
|
|
- name: Install restricted authorized key for deregister
|
|
authorized_key:
|
|
user: "{{ app_ssh_user }}"
|
|
state: present
|
|
key: "{{ app_ssh_deregister_key_effective }}"
|
|
key_options: >-
|
|
command="/usr/local/sbin/infra-deregister",from="{{ app_ssh_allowed_ip_effective }}",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding |