nemoinho/dev-machine
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add ability to create ssh-keys and provide it to github and gitea

Browse Source 
Here we start to have some delicate secrets in the code. Therefore I
need a vault for ansible. This vault contains the tokens to upload
ssh-keys to github and my lovely gitea server.

Note, that this change also adds a `requirements.yml`, this is necessary
because I use the paramater "api_url" of the github_key resource which
was only added in v11, but the debian ansible was shippped with an older
collection.
This commit is contained in:
Felix Nehrke
2025-09-12 21:33:04 +02:00
parent c405e31f76
commit 34226a6d6d
7 changed files with 54 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@@ -1,6 +1,7 @@
*.html *.html
*.pdf *.pdf
group_vars/*/local.config.yml group_vars/*/local.config.yml
password.txt
# Created by https://www.toptal.com/developers/gitignore/api/vim,intellij # Created by https://www.toptal.com/developers/gitignore/api/vim,intellij
# Edit at https://www.toptal.com/developers/gitignore?templates=vim,intellij # Edit at https://www.toptal.com/developers/gitignore?templates=vim,intellij

9
README.adoc
View File

@@ -22,6 +22,13 @@ sudo apt install ansible git
brew install ansible git brew install ansible git
---- ----
=== password.txt
To execute the playbook we need a password for the vault.
This password has to be stored in a `password.txt` containing exactly one line with only the password as content.
[NOTE]
Use a secure password and keep it in a password-manager.
== Setup == Setup
Make sure to configure the local environment: Make sure to configure the local environment:
This is done by copying `global_vars/localhost/local.config.yml.tpl` to `global_vars/localhost/local.config.yml` and adjust it to the local conditions. This is done by copying `global_vars/localhost/local.config.yml.tpl` to `global_vars/localhost/local.config.yml` and adjust it to the local conditions.
@@ -41,5 +48,7 @@ After the configuration the setup is very simple:
---- ----
git clone git@gitea.nehrke.info:nemoinho/dev-machine.git ~/Development/nemoinho/dev-machine git clone git@gitea.nehrke.info:nemoinho/dev-machine.git ~/Development/nemoinho/dev-machine
cd $_ cd $_
# make sure that we're on the latest requirements
ansible-galaxy install -r requirements.yml --upgrade
ansible-playbook main.yml ansible-playbook main.yml
---- ----

1
ansible.cfg
View File

@@ -5,3 +5,4 @@ become = True
ask-become-pass = True ask-become-pass = True
display_skipped_hosts = False display_skipped_hosts = False
error_on_undefined_vars = True error_on_undefined_vars = True
vault_password_file = password.txt

3
group_vars/localhost/common.config.yml
View File

@@ -2,3 +2,6 @@ fly_url_linux: https://ci.nehrke.info/api/v1/cli?arch=amd64&platform=linux
fly_url_darwin: https://ci.nehrke.info/api/v1/cli?arch=amd64&platform=darwin fly_url_darwin: https://ci.nehrke.info/api/v1/cli?arch=amd64&platform=darwin
fly_url: "{{ fly_url_darwin if ansible_os_family == 'Darwin' else fly_url_linux }}" fly_url: "{{ fly_url_darwin if ansible_os_family == 'Darwin' else fly_url_linux }}"
gitea_token: "{{ vault_gitea_token }}"
gitea_api_url: "https://gitea.nehrke.info/api/v1"
github_token: "{{ vault_github_token }}"

16
group_vars/localhost/vault.yml Normal file
View File

@@ -0,0 +1,16 @@
$ANSIBLE_VAULT;1.1;AES256
36303961316363323737363930613137366635656164656466303862643236376434643736333933
3934303637643266363561626265383065623835623062380a393962346661333165323762613535
33386434643533646638383931306633636139356638333863306631333263353262613563613532
3164383666303539310a396631313065633661626332316231346135643363306337303136373037
63323937363233656463323135663461383361616331366164666633623435333732636636303135
37373866613933313432393763636530333436333232383866313332356134666430383564376266
33313036623634396463656666633531643061393932333062383734393632653463623636616664
66653461373261303964393531396138356461623536643738303262393461643566313339303866
33366365316131643435643236653262363363633438633265366266646530666238373131623361
30626634613435323531636632306164346161363339396663323163333362373436373234666436
62623336396633393930623437353136376138343861613833336530636237343033623839333064
37313633366330646232366162336639383737663636306463663736323966613839343737613531
39363033366539303537643834616436616231396138323330333338623839336530333432633230
36313535356664633232633438376162613333653663356637323736363866373038353732386435
663935633462666536336332356435323539

22
main.yml
View File

@@ -18,3 +18,25 @@
url: "{{ fly_url }}" url: "{{ fly_url }}"
dest: "{{ lookup('env', 'HOME') }}/.local/bin/fly" dest: "{{ lookup('env', 'HOME') }}/.local/bin/fly"
mode: "u=rwx,g=rx,o=rx" mode: "u=rwx,g=rx,o=rx"
- name: Ensure ssh keypair
tags: [ssh]
openssh_keypair:
path: "{{ lookup('env', 'HOME') }}/.ssh/id_ed25519"
type: ed25519
regenerate: full_idempotence
- name: Ensure ssh key on github
tags: [ssh,git]
github_key:
name: "{{ lookup('env', 'USER') }}@{{ hostname }}"
token: "{{ github_token }}"
pubkey: "{{ lookup('file', lookup('env', 'HOME') ~ '/.ssh/id_ed25519.pub') }}"
- name: Ensure ssh key on gitea
tags: [ssh, git]
github_key:
name: "{{ lookup('env', 'USER') }}@{{ hostname }}"
token: "{{ gitea_token }}"
pubkey: "{{ lookup('file', lookup('env', 'HOME') ~ '/.ssh/id_ed25519.pub') }}"
api_url: "{{ gitea_api_url }}"

2
requirements.yml Normal file
View File

@@ -0,0 +1,2 @@
collections:
- community.general