autosign: adjust playbooks for prod
We need to set up things in prod slightly differently, using keyctl. Copy in the service and scripts. Signed-off-by: Kevin Fenzi <kevin@scrye.com>
parent
d3222f83e9
commit
c764d1ea86
3 changed files with 48 additions and 3 deletions
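--- /dev/null
+++ b/roles/robosignatory/files/robosignatory.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Robosignatory
+
+[Service]
+Type=simple
+User = robosignatory
+Group = robosignatory
+Restart=no
+ExecStart=/usr/bin/keyctl session - /usr/local/bin/sigul-add-key
+
+[Install]
+WantedBy=multi-user.target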
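Review bot: The unit gives no hint why the consumer is wrapped in `keyctl session - /usr/local/bin/sigul-add-key` and why `Restart=no`, and both are the kind of thing the next operator will "fix" without that context. I would add a comment above `[Service]` along the lines of `# keyctl session gives the consumer a fresh session keyring; sigul-add-key prompts for the autosign passphrase and puts it there before exec'ing fedora-messaging. Restart=no because an unattended restart would sit waiting on that prompt.` (the restart rationale is my inference from the script, so confirm it). Since the service holds a signing-key passphrase in its keyring, it would also be worth considering a minimal sandbox such as `NoNewPrivileges=yes` and `PrivateTmp=yes`, assuming fedora-messaging does not need anything those forbid.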
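--- /dev/null
+++ b/roles/robosignatory/files/sigul-add-key
@@ -0,0 +1,5 @@
+#!/bin/bash -e
+# Courtesy of puiterwijk
+passphrase=$(systemd-ask-password "Please enter passphrase for 'autosign' key: ")
+keyctl add user "sigul:autosign" "${passphrase}" @s
+exec /usr/bin/fedora-messaging --conf /etc/fedora-messaging/robosignatory.toml consume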
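Review bot: `keyctl add user "sigul:autosign" "${passphrase}" @s` passes the signing-key passphrase as a command-line argument, so for the duration of the keyctl call it is readable by any local user via the process table (`/proc/<pid>/cmdline`). `keyctl padd` reads the payload from stdin instead, so the line can become `printf '%s' "${passphrase}" | keyctl padd user "sigul:autosign" @s` followed by `unset passphrase` before the `exec`. The `-e` in `#!/bin/bash -e` only holds when the script is launched by path, as it is here from the unit; putting `set -euo pipefail` in the body instead would survive being run as `bash sigul-add-key` too. The unit name is hard-coded in the prompt text, which is fine, but a one-line comment saying the key is placed in the session keyring that `keyctl session` created for this service would help whoever reads this without the unit file open.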
|
@ -165,7 +165,7 @@
|
||||||
- robosignatory
|
- robosignatory
|
||||||
- robosignatory-config
|
- robosignatory-config
|
||||||
|
|
||||||
- name: Create /etc/systemd/system/fm-consumer@.service.d
|
- name: Create /etc/systemd/system/fm-consumer@.service.d (staging)
|
||||||
file:
|
file:
|
||||||
state: directory
|
state: directory
|
||||||
path: /etc/systemd/system/fm-consumer@.service.d
|
path: /etc/systemd/system/fm-consumer@.service.d
|
||||||
|
@ -177,7 +177,7 @@
|
||||||
- config
|
- config
|
||||||
- robosignatory
|
- robosignatory
|
||||||
|
|
||||||
- name: Configure fm-consumer@.service to run as robosignatory
|
- name: Configure fm-consumer@.service to run as robosignatory (staging)
|
||||||
copy:
|
copy:
|
||||||
src: fm-consumer@.service
|
src: fm-consumer@.service
|
||||||
dest: /etc/systemd/system/fm-consumer@.service.d/local.conf
|
dest: /etc/systemd/system/fm-consumer@.service.d/local.conf
|
||||||
|
@ -192,7 +192,7 @@
|
||||||
- config
|
- config
|
||||||
- robosignatory
|
- robosignatory
|
||||||
|
|
||||||
- name: Ensure fedora-messaging is enabled and started on the backend
|
- name: Ensure fedora-messaging is enabled and started on the backend (staging)
|
||||||
service:
|
service:
|
||||||
name: fm-consumer@robosignatory.service
|
name: fm-consumer@robosignatory.service
|
||||||
enabled: yes
|
enabled: yes
|
||||||
|
@ -202,6 +202,34 @@
|
||||||
- config
|
- config
|
||||||
- robosignatory
|
- robosignatory
|
||||||
|
|
||||||
|
- name: Configure key add script
|
||||||
|
copy:
|
||||||
|
src: sigul-add-key
|
||||||
|
dest: /usr/local/bin/sigul-add-key
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0711
|
||||||
|
when: env != 'staging'
|
||||||
|
notify:
|
||||||
|
- reload systemd
|
||||||
|
tags:
|
||||||
|
- config
|
||||||
|
- robosignatory
|
||||||
|
|
||||||
|
- name: Configure robosignatory.service
|
||||||
|
copy:
|
||||||
|
src: robosignatory.service
|
||||||
|
dest: /etc/systemd/system/robosignatory.service
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0644
|
||||||
|
when: env != 'staging'
|
||||||
|
notify:
|
||||||
|
- reload systemd
|
||||||
|
tags:
|
||||||
|
- config
|
||||||
|
- robosignatory
|
||||||
|
|
||||||
- name: Allow robosignatory to use systemd-ask-password
|
- name: Allow robosignatory to use systemd-ask-password
|
||||||
copy:
|
copy:
|
||||||
src: ask-password-robosignatory.conf
|
src: ask-password-robosignatory.conf
|
||||||
|
|
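Review bot: Nothing in this hunk enables or starts the new `robosignatory.service` in prod, while the existing enable/start task is renamed to `(staging)` in the `@ -192,7 +192,7 @@` hunk; if that task is now gated to staging (its `when:` is outside the visible lines, so I cannot confirm), prod ends up with the unit installed but never activated. Either add an `- name: Enable robosignatory.service` task using the `systemd` module with `enabled: yes` and `when: env != 'staging'`, or add a comment above `Configure robosignatory.service` stating that it is started by hand because `sigul-add-key` prompts for the passphrase via systemd-ask-password. The `notify: - reload systemd` on the `Configure key add script` task is unnecessary for copying a plain script, though harmless. The tasks list continues outside the hunk, so the gating of the renamed tasks may be handled there.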