Add ssh-oidc config (#364)

* add ssh-oidc config * delete old playbook * linting
EGI-Federation · Sep 10, 2024 · 4a3368f · 4a3368f
1 parent 893e285
commit 4a3368f
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 4 deletions.
diff --git a/deploy/cloud-init.yaml b/deploy/cloud-init.yaml
@@ -73,3 +73,13 @@ write_files:
     encoding: base64
     path: /etc/openstack/clouds.yaml
     permissions: "0644"
+  - content: |
+      # Created by cloud-init
+      #
+      # 1. Access is restricted to members of the vo.cloud.egi.eu VO with the auditor role
+      #    urn:mace:egi.eu:group:cloud.egi.eu:role=auditor#aai.egi.eu
+      #
+      # 2. Once logged in, they have unrestricted sudo power:
+      %egi-eu_cloud-egi-eu ALL=(ALL) NOPASSWD:ALL
+    path: /etc/sudoers.d/motley
+    permissions: "0644"
diff --git a/deploy/deploy.sh b/deploy/deploy.sh
@@ -30,6 +30,9 @@ image_sync_image: "ghcr.io/egi-federation/fedcloud-image-sync:sha-$SHORT_SHA"
 site_config_dir: "$(readlink -f ../sites)"
 EOF
 
+# install Ansible dependencies
+ansible-galaxy role install -r galaxy-requirements.yaml
+
 # Configure!
 if ansible-playbook -i inventory.yaml \
 	--extra-vars @secrets.yaml \

diff --git a/deploy/galaxy-requirements.yaml b/deploy/galaxy-requirements.yaml
@@ -0,0 +1,2 @@
+# ssh-oidc access
+- src: grycap.motley-cue
diff --git a/deploy/playbook.yaml b/deploy/playbook.yaml
@@ -2,6 +2,10 @@
 - hosts: all
   become: true
   roles:
+    - role: "grycap.motley-cue"
+      vars:
+        ssh_oidc_other_vos_name: cloud.egi.eu
+        ssh_oidc_other_vos_role: auditor
     - role: catchall
       vars:
         site_config_dir: ../sites/
diff --git a/playbook.yaml b/playbook.yaml