add ssh-oidc config

EGI-Federation · Sep 10, 2024 · be35342 · be35342
1 parent 893e285
commit be35342
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 0 deletions.
diff --git a/deploy/cloud-init.yaml b/deploy/cloud-init.yaml
@@ -73,3 +73,13 @@ write_files:
     encoding: base64
     path: /etc/openstack/clouds.yaml
     permissions: "0644"
+  - content: |
+      # Created by cloud-init
+      #
+      # 1. Access is restricted to members of the vo.cloud.egi.eu VO with the auditor role
+      #    urn:mace:egi.eu:group:cloud.egi.eu:role=auditor#aai.egi.eu
+      #
+      # 2. Once logged in, they have unrestricted sudo power:
+      %egi-eu_cloud-egi-eu ALL=(ALL) NOPASSWD:ALL
+    path: /etc/sudoers.d/motley
+    permissions: '0644'
diff --git a/deploy/deploy.sh b/deploy/deploy.sh
@@ -30,6 +30,9 @@ image_sync_image: "ghcr.io/egi-federation/fedcloud-image-sync:sha-$SHORT_SHA"
 site_config_dir: "$(readlink -f ../sites)"
 EOF
 
+# install Ansible dependencies
+ansible-galaxy role install -r galaxy-requirements.yaml
+
 # Configure!
 if ansible-playbook -i inventory.yaml \
 	--extra-vars @secrets.yaml \

diff --git a/deploy/galaxy-requirements.yaml b/deploy/galaxy-requirements.yaml
@@ -0,0 +1,2 @@
+# ssh-oidc access
+- src: grycap.motley-cue
diff --git a/deploy/playbook.yaml b/deploy/playbook.yaml
@@ -2,6 +2,9 @@
 - hosts: all
   become: true
   roles:
+    - role: 'grycap.motley-cue'
+      ssh_oidc_other_vos_name: cloud.egi.eu
+      ssh_oidc_other_vos_role: auditor
     - role: catchall
       vars:
         site_config_dir: ../sites/