autosign: adjust playbooks for prod
We need to set up things in prod slightly differently, using keyctl. Copy in the service and scripts. Signed-off-by: Kevin Fenzi <kevin@scrye.com>
parent
d3222f83e9
commit
c764d1ea86
3 changed files with 48 additions and 3 deletions
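--- a/roles/robosignatory/files/robosignatory.service
+++ b/roles/robosignatory/files/robosignatory.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Robosignatory
+
+[Service]
+Type=simple
+User = robosignatory
+Group = robosignatory
+Restart=no
+ExecStart=/usr/bin/keyctl session - /usr/local/bin/sigul-add-key
+
+[Install]
+WantedBy=multi-user.target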
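Review bot: The unit is enabled through `WantedBy=multi-user.target` but cannot come up unattended, and nothing in the file says so. ExecStart runs /usr/local/bin/sigul-add-key, which in this commit blocks on systemd-ask-password; that query expires (after 90 s by default), the `-e` script then exits, and `Restart=no` leaves the service failed until an operator starts it and answers the prompt. I would record that above `Restart=no`, for example `# Needs an operator to enter the key passphrase on each start, so no automatic restart`. A second comment on ExecStart should say why it is wrapped in `keyctl session -`, presumably so the passphrase key lives in a session keyring private to this service.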
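--- a/roles/robosignatory/files/sigul-add-key
+++ b/roles/robosignatory/files/sigul-add-key
@@ -0,0 +1,5 @@
+#!/bin/bash -e
+# Courtesy of puiterwijk
+passphrase=$(systemd-ask-password "Please enter passphrase for 'autosign' key: ")
+keyctl add user "sigul:autosign" "${passphrase}" @s
+exec /usr/bin/fedora-messaging --conf /etc/fedora-messaging/robosignatory.toml consume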
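Review bot: The passphrase is handed to keyctl on its command line in `keyctl add user "sigul:autosign" "${passphrase}" @s`, so while that process runs the secret sits in its argv, which other local accounts can read from the process list unless /proc is mounted with hidepid. keyctl can take the payload from stdin instead: `printf '%s' "${passphrase}" | keyctl padd user "sigul:autosign" @s`. Because printf is a bash builtin, the secret then never appears in any process's arguments. Separately, the `-e` in the shebang is lost if the script is ever run as `bash sigul-add-key`; a `set -e` line in the body is more robust.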
|
@ -165,7 +165,7 @@
|
|||
- robosignatory
|
||||
- robosignatory-config
|
||||
|
||||
- name: Create /etc/systemd/system/fm-consumer@.service.d
|
||||
- name: Create /etc/systemd/system/fm-consumer@.service.d (staging)
|
||||
file:
|
||||
state: directory
|
||||
path: /etc/systemd/system/fm-consumer@.service.d
|
||||
|
@ -177,7 +177,7 @@
|
|||
- config
|
||||
- robosignatory
|
||||
|
||||
- name: Configure fm-consumer@.service to run as robosignatory
|
||||
- name: Configure fm-consumer@.service to run as robosignatory (staging)
|
||||
copy:
|
||||
src: fm-consumer@.service
|
||||
dest: /etc/systemd/system/fm-consumer@.service.d/local.conf
|
||||
|
@ -192,7 +192,7 @@
|
|||
- config
|
||||
- robosignatory
|
||||
|
||||
- name: Ensure fedora-messaging is enabled and started on the backend
|
||||
- name: Ensure fedora-messaging is enabled and started on the backend (staging)
|
||||
service:
|
||||
name: fm-consumer@robosignatory.service
|
||||
enabled: yes
|
||||
|
@ -202,6 +202,34 @@
|
|||
- config
|
||||
- robosignatory
|
||||
|
||||
- name: Configure key add script
|
||||
copy:
|
||||
src: sigul-add-key
|
||||
dest: /usr/local/bin/sigul-add-key
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0711
|
||||
when: env != 'staging'
|
||||
notify:
|
||||
- reload systemd
|
||||
tags:
|
||||
- config
|
||||
- robosignatory
|
||||
|
||||
- name: Configure robosignatory.service
|
||||
copy:
|
||||
src: robosignatory.service
|
||||
dest: /etc/systemd/system/robosignatory.service
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
when: env != 'staging'
|
||||
notify:
|
||||
- reload systemd
|
||||
tags:
|
||||
- config
|
||||
- robosignatory
|
||||
|
||||
- name: Allow robosignatory to use systemd-ask-password
|
||||
copy:
|
||||
src: ask-password-robosignatory.conf
|
||||
|
|
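Review bot: `mode: 0711` on /usr/local/bin/sigul-add-key leaves the script unreadable to the account that has to run it. The file is a bash script installed as root:root, and robosignatory.service in this commit runs it with `User = robosignatory`; an interpreted script must be readable as well as executable, so bash will fail to open it with "Permission denied". `mode: '0755'` fixes that (quoted, so the octal value cannot be reinterpreted), and the script contains no secret that 0711 would protect. The hunk also shows no task that enables or starts robosignatory.service outside staging; the file continues beyond the hunk, so that may be handled elsewhere, but if not it is missing here.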