authorGravatar Joe Banks <[email protected]>2024-09-19 21:32:21 +0100
committerGravatar Johannes Christ <[email protected]>2024-09-21 13:25:37 +0200
commit675667aad92ac1bf1b06ff3241f6bb67a83cfeb9 (patch)
tree6da63d38f369608a95ce084edc55a9d1c952eeee
parentAdd owlcorp.uk landing page (diff)
Add new role for bootstrapping the CI user with limited SSH keys
Add new ci-user role to netcup nodes
-rw-r--r--ansible/playbook.yml1
-rw-r--r--ansible/roles/ci-user/tasks/main.yml22
-rw-r--r--ansible/roles/ci-user/vars/main/main.yml10
3 files changed, 33 insertions, 0 deletions
diff --git a/ansible/playbook.yml b/ansible/playbook.yml
index 4c2231e..976752e 100644
--- a/ansible/playbook.yml
+++ b/ansible/playbook.yml
@@ -10,6 +10,7 @@
hosts: netcup
roles:
- certbot
+ - ci-user
- alloy
- nftables
- prometheus-node-exporter
diff --git a/ansible/roles/ci-user/tasks/main.yml b/ansible/roles/ci-user/tasks/main.yml
new file mode 100644
index 0000000..68062a2
--- /dev/null
+++ b/ansible/roles/ci-user/tasks/main.yml
@@ -0,0 +1,22 @@
+---
+- name: Create new user for CI tasks
+ user:
+ name: "{{ ci_user_username }}"
+ groups: "{{ ci_user_extra_groups }}"
+ append: true
+ system: false
+ home: "{{ ci_user_homepath }}"
+ tags:
+ - role::ci-user
+
+- name: Add authorized SSH keys to CI user
+ ansible.posix.authorized_key:
+ user: "{{ ci_user_username }}"
+ key: "{{ item.key }}"
+ key_options: "{{ item.options }}"
+ comment: "{{ item.comment }}"
+ loop: "{{ ci_user_keys }}"
+ loop_control:
+ label: "{{ item.comment }}"
+ tags:
+ - role::ci-user
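Review bot: The authorized_key task on lines 46-56 is not `exclusive`, so a key removed or rotated out of `ci_user_keys` stays in the CI user's authorized_keys on every host until someone deletes it by hand, which undercuts managing the key list from this role. Simply adding `exclusive: true` inside the existing `loop` would be worse, since each iteration would then replace the file and only the last item would survive. One way to get both is to render every entry into a single newline-separated `key` value, with each entry's options prefixed in authorized_keys format, and drop the loop; the module parses option-prefixed lines, but confirm that against the installed ansible.posix version before relying on it. Also, `key_options: "{{ item.options }}"` aborts the play if any entry omits `options`; `item.options | default(omit)` is the usual guard if optional entries are expected.
```yaml
- name: Add authorized SSH keys to CI user
  ansible.posix.authorized_key:
    user: "{{ ci_user_username }}"
    exclusive: true
    key: |-
      {% for item in ci_user_keys %}
      {{ item.options }} {{ item.key }} {{ item.comment }}
      {% endfor %}
  # … unchanged: tags …
```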
diff --git a/ansible/roles/ci-user/vars/main/main.yml b/ansible/roles/ci-user/vars/main/main.yml
new file mode 100644
index 0000000..713f93b
--- /dev/null
+++ b/ansible/roles/ci-user/vars/main/main.yml
@@ -0,0 +1,10 @@
+---
+ci_user_username: ci
+ci_user_homepath: /home/ci
+ci_user_extra_groups:
+ - www-data
+
+ci_user_keys:
+ - key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJTE2hcswFHJ3SQo9PvqhB7SYqk+jE7qrZXCNS7Hp0iZ
+ comment: github-actions-ci
+ options: 'command="rrsync /var/www"'
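Review bot: The forced command on line 72 is the only restriction on the CI key, so a holder of the key can still request TCP, agent and X11 forwarding or a pty through these hosts even though the session itself is pinned to rrsync; prefix the options with `restrict` (OpenSSH 7.2+), `options: 'restrict,command="rrsync /var/www"'`, or the explicit `no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty` list if any target still runs an older sshd. If the CI job only needs to read from /var/www, `rrsync -ro /var/www` narrows it further, though the diff does not show which direction the sync runs. The bare `rrsync` also assumes the helper is on PATH for the sshd-invoked shell; older Debian rsync packages ship it only under /usr/share/doc/rsync/scripts, so an absolute path is safer unless the hosts are known to have rsync 3.2.4 or later. Separately, site-specific values like the key and the `www-data` group live in `vars/`, which has role-vars precedence and silently ignores inventory or play-level overrides; `defaults/main.yml` is the conventional place for values meant to be overridden.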