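---
# Bootstrap an Ubuntu host for the application: install Docker Engine from
# the upstream apt repository, create two unprivileged login users (nginx and
# app) with their own ed25519 key pairs, copy root's authorized_keys to them,
# and print the app user's public key so it can be registered as a deploy key.
#
# Required variables (inventory or extra-vars): nginx_user, app_user.
# NOTE(review): despite the play name, no nginx or Let's Encrypt task is in
# this file — presumably a later playbook handles that; confirm.
- name: Deploy nginx and Let's Encrypt SSL certificate
  hosts: intbot_setup
  become: true
  gather_facts: true
  tasks:
    - name: Install Docker dependencies
      ansible.builtin.apt:
        name: "{{ package }}"
        state: present
        update_cache: true
      vars:
        package:
          - apt-transport-https
          - ca-certificates
          - curl
          - gnupg
          - lsb-release
          - make

    - name: Install Docker
      block:
        # Keep Docker's signing key in its own keyring and bind it to this one
        # repository with signed-by=. The previous apt_key approach put the key
        # into the global trusted keyring (any repository signed by it would be
        # trusted system-wide) and wraps the deprecated apt-key tool.
        - name: Create apt keyrings directory
          ansible.builtin.file:
            path: /etc/apt/keyrings
            state: directory
            mode: "0755"

        # Transport security (TLS to download.docker.com) is the only integrity
        # check here; add a `checksum:` argument if you want to pin the key.
        - name: Add Docker GPG key
          ansible.builtin.get_url:
            url: https://download.docker.com/linux/ubuntu/gpg
            dest: /etc/apt/keyrings/docker.asc
            mode: "0644"

        # ansible_distribution_release is available from gathered facts without
        # lsb_release on the host. ansible_lsb.codename is empty on a fresh
        # host because facts are gathered before lsb-release is installed above,
        # which rendered an invalid repo line on the first run.
        - name: Add Docker repository
          ansible.builtin.apt_repository:
            repo: >-
              deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc]
              https://download.docker.com/linux/ubuntu
              {{ ansible_distribution_release }} stable
            state: present

        - name: Install Docker
          ansible.builtin.apt:
            name: docker-ce
            state: present

    - name: Combine non-root users to a single list
      ansible.builtin.set_fact:
        non_root_user_names: ["{{ nginx_user }}", "{{ app_user }}"]

    - name: Create non-root users
      block:
        # generate_ssh_key only creates a key pair when none exists yet, so
        # re-running the play keeps the existing deploy key; ~/.ssh is created
        # by this step, which the authorized_keys copy below relies on.
        - name: Add user
          ansible.builtin.user:
            name: "{{ username }}"
            shell: /bin/bash
            generate_ssh_key: true
            ssh_key_type: ed25519
            ssh_key_comment: "{{ username }}@{{ inventory_hostname }}"
            create_home: true
          loop: "{{ non_root_user_names }}"
          loop_control:
            loop_var: username

        - name: Make sure that the user owns their home directory
          ansible.builtin.file:
            path: "/home/{{ username }}"
            state: directory
            owner: "{{ username }}"
            group: "{{ username }}"
          loop: "{{ non_root_user_names }}"
          loop_control:
            loop_var: username

        # Every key that can log in as root can afterwards also log in as these
        # users; review /root/.ssh/authorized_keys before relying on this.
        - name: Then copy the authorized_keys from root so you can ssh later to the user
          ansible.builtin.copy:
            src: /root/.ssh/authorized_keys
            dest: "/home/{{ username }}/.ssh/authorized_keys"
            owner: "{{ username }}"
            group: "{{ username }}"
            mode: "0600"
            remote_src: true
          loop: "{{ non_root_user_names }}"
          loop_control:
            loop_var: username

        # Membership in the docker group is root-equivalent on the host (the
        # daemon runs as root and members can start containers that mount any
        # path), so these accounts are privileged despite not being in sudoers.
        - name: Add the non root users (both nginx and app) to docker group
          ansible.builtin.user:
            name: "{{ username }}"
            groups: docker
            append: true
          loop: "{{ non_root_user_names }}"
          loop_control:
            loop_var: username

    # Only the public half is read and shown; the private key never leaves the
    # host.
    - name: Read the deploy public key
      ansible.builtin.slurp:
        src: "/home/{{ app_user }}/.ssh/id_ed25519.pub"
      register: deploy_key

    - name: Display the public key
      ansible.builtin.debug:
        msg: "For private repositories, make sure to put this key as deploy key on github: {{ deploy_key.content | b64decode }}"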