Seeding Aether

2024-04-01 00:52:29 -05:00
parent 3a01543c8b
commit 9aa0a89b79
10 changed files with 307 additions and 0 deletions
--- a/roles/Aether/tasks/client.yml
+++ b/roles/Aether/tasks/client.yml
@@ -0,0 +1,27 @@
+---
+
+ - name: Copy the key
+   become: true
+   copy:
+     dest: /home/aether/.ssh/aether
+     content: "{{ aether_key.stdout }}"
+
+ - name: Copy the public key
+   become: true
+   copy:
+     dest: /home/aether/.ssh/aether.pub
+     content: "{{ aether_key.stdout }}"
+
+ - name: Enable the service
+   become: yes
+   service:
+     name: aether.timer
+     state: enabled
+     running: yes
+
+ - name: Enable the service - 2
+   become: yes
+   service:
+     name: aether-gen.timer
+     state: disabled
+     running: no
--- a/roles/Aether/tasks/main.yml
+++ b/roles/Aether/tasks/main.yml
@@ -0,0 +1,64 @@
+---
+
+ - name: Install the package
+   become: true
+   ignore_errors: true
+   package:
+     name: Aether
+     state: present
+
+ - name: Validate the user
+   vars:
+     service_account: aether
+   include_tasks: ../roles/common/service_account.yml
+
+ - name: Ensure the Aether identity is protected.
+   become: true
+   file:
+     path: "{{ item }}"
+     state: directory
+     owner: aether
+     group: aether
+     mode: 0700
+   loop:
+     - /home/aether/.ssh
+     - /usr/local/etc/Aether
+     - /usr/local/etc/Aether/backup-entries
+     - /usr/local/backup
+
+ - name: Ensure the Aether identity exists
+   delegate_to: Core # Core will track the identity that will then be shared to everyone else.
+   become: true
+   command:
+     creates: /home/aether/.ssh/aether
+     chdir: /home/aether/.ssh/
+     cmd: ssh-keygen -t ed25519 -N "" -f ./aether
+
+ - name: Read the Aether identity
+   become: true
+   delegate_to: Core
+   command: cat /home/aether/.ssh/aether
+   register: aether_key
+
+ - name: Read the Aether public identity
+   become: true
+   delegate_to: Core
+   command: cat /home/aether/.ssh/aether.pub
+   register: aether_pubkey
+
+ - include_tasks: source.yml
+   when: "{{ inventory_hostname }} is 'Core'"
+
+ - include_tasks: client.yml
+   when: "{{ inventory_hostname }} is 'Core'"
+
+ - name: Ensure the Aether identity files are protected.
+   become: true
+   file:
+     path: "{{ item }}"
+     owner: aether
+     group: aether
+     mode: 0600
+   loop:
+     - /home/aether/.ssh/aether
+     - /home/aether/.ssh/aether.pub
--- a/roles/Aether/tasks/source.yml
+++ b/roles/Aether/tasks/source.yml
@@ -0,0 +1,42 @@
+---
+
+ - name: Copy the backup scripts
+   become: yes
+   copy:
+     src: "backup-entries/{{ inventory_hostname }}"
+     dest: "/usr/local/etc/Aether/backup-entries"
+     owner: aether
+     group: aether
+
+ - name: Seed the backup passphrase
+   become: yes
+   copy:
+     content: "{{ passwords['Aether'] }}"
+     dest: "/usr/local/etc/Aether/pass.txt"
+     owner: aether
+     group: aether
+     mode: 0600
+
+ - name: Enable the generation service
+   become: yes
+   when: "{{ inventory_hostname }} == 'Core'"
+   service:
+     name: aether-gen.timer
+     state: enabled
+     running: yes
+
+ - name: Enable the generation service - 2
+   become: yes
+   when: "{{ inventory_hostname }} == 'Core'"
+   service:
+     name: aether.timer
+     state: disabled
+     running: no
+
+ - name: Set up the authorized_keys
+   template:
+     src: authorized_keys.j2
+     dest: /home/aether/.ssh/authorized_keys
+     mode: 0600
+     owner: aether
+     group: aether