Merge pull request #1413 from cat-bro/hop-key-complex-rules

Add ssh key for accessing workers from galaxy-backup, galaxy, galaxy-queue

files/keys/internal_hop_key.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+HmTcHhYpvhy0J+h5/XUrWJ/S6/94Ju48B9NF+4cqdcIGtUFFK8mM5bDPGc36a7+NkH0JL+DoG1X7hbjX13B2kQTVVB5tvSIzsSpx79zTwxMSSQJIcZ0Z99GXclzt81KLQ0zCYnN8X42+Cq4mU9jaXUnnmFlcmjTP2XmB311VGqv3ujCdYjaoyqB9C8kP2/dtuMHXCDZ9urg9pGlkb/3354tehahbFgA9XazCe8sMGApXloa9xMHdiCkTZ0YXSI9bvyEQIuWmgZL5ZNjlF41hnYk/b+u/22xFlvetot5OMYOONuQN6UMlVwua2lakmO7Q8zWRLunGIBxfmuJceheT internal_hop_key

galaxy-backup_playbook.yml

@@ -6,6 +6,7 @@
       - group_vars/VAULT
       - host_vars/galaxy-backup.yml
       - secret_group_vars/stats_server_vault
+      - secret_group_vars/ubuntu_maintenance_key
   pre_tasks:
     - name: Attach volume to instance
       include_role:

galaxy-db_playbook.yml

@@ -7,6 +7,7 @@
       - group_vars/dbservers.yml
       - host_vars/galaxy-db.usegalaxy.org.au.yml
       - secret_group_vars/stats_server_vault
+      - secret_group_var/ubuntu_maintenance_key
   pre_tasks:
       - name: Attach volume to instance
         include_role:

galaxy-misc-nfs_playbook.yml

@@ -6,6 +6,7 @@
     - group_vars/VAULT
     - group_vars/nfs_servers.yml
     - host_vars/galaxy-misc-nfs.usegalaxy.org.au.yml
+    - secret_group_vars/ubuntu_maintenance_key
     - secret_group_vars/stats_server_vault
   pre_tasks:
     - name: Create nfs directories

galaxy-queue_playbook.yml

@@ -9,6 +9,7 @@
       - group_vars/galaxy_etca_slurm.yml
       - secret_group_vars/stats_server_vault
       - secret_group_vars/etca_vault.yml
+      - secret_group_vars/ubuntu_maintenance_key
   roles:
       - common
       - insspb.hostname

galaxy-user-nfs_playbook.yml

@@ -7,6 +7,7 @@
     - group_vars/nfs_servers.yml
     - host_vars/galaxy-user-nfs.usegalaxy.org.au.yml
     - secret_group_vars/stats_server_vault
+    - secret_group_vars/ubuntu_maintenance_key
   pre_tasks:
     # - name: Attach volumes to instance # handle user nfs mounting manually
     #   include_role:

galaxy-workers_playbook.yml

@@ -6,6 +6,7 @@
       - group_vars/VAULT
       - group_vars/galaxy_etca_slurm.yml
       - group_vars/galaxy_workers.yml
+      - secret_group_vars/ubuntu_maintenance_key  # TODO: when branches are merged, rename this file to internal_keys
       - secret_group_vars/stats_server_vault
   pre_tasks:
       - name: Attach volume to instance

group_vars/all.yml

@@ -228,6 +228,10 @@ internal_ssh_keys:
     private_key_content: "{{ vault_ubuntu_maintenance_key }}"
     public_key_src: files/keys/ubuntu_maintenance_key.pub
     user: ubuntu
+  internal_hop_key:
+    private_key_content: "{{ vault_internal_hop_key }}"
+    public_key_src: files/keys/internal_hop_key.pub
+    user: ubuntu
 
 # Golang
 golang_version: '1.15.6' # default for role version 2.6.3

group_vars/galaxy_workers.yml

@@ -28,3 +28,9 @@ docker_users:
   - "{{ galaxy_user.name }}"
 docker_daemon_options: # TODO: Uncomment as soon as there is a volume
   data-root: /mnt/docker-data
+
+# internal ssh keys
+extra_keys:
+  - id: internal_hop_key
+    type: public
+    from: "{{ hostvars['galaxy']['internal_ip'] }},{{ hostvars['galaxy-backup']['internal_ip'] }},{{ hostvars['galaxy-queue']['internal_ip'] }},{{ hostvars['galaxy-handlers']['internal_ip'] }}"

host_vars/galaxy-backup.yml

@@ -37,3 +37,15 @@ weekly_backup_day: 6  #Weekly backups will run on this day of the week
 retention_day: 6       #Keep daily backups for this many days (6 days)
 retention_week: 21     #Keep weekly backups for this many days (21 days = 3 weeks)
 retention_month: 61    #Keep monthly backups for this many days (61 days ~ 2 months)
+
+extra_keys:
+  - id: internal_hop_key
+    type: private
+  - id: internal_hop_key
+    type: public
+    from: "{{ hostvars['galaxy']['internal_ip'] }},{{ hostvars['galaxy-queue']['internal_ip'] }},{{ hostvars['galaxy-handlers']['internal_ip'] }}"
+
+# ssh config, only for ubuntu
+ssh_config_id_file: "/home/{{ ssh_config_user }}/.ssh/internal_hop_key"
+ssh_config_user: ubuntu
+ssh_config_hosts: "{{ galaxy_group }}"

host_vars/galaxy-db.usegalaxy.org.au.yml

@@ -46,3 +46,8 @@ postgresql_pg_hba_conf:
   - host all all "{{ hostvars['galaxy']['internal_ip'] }}/32" md5
   - host all all "{{ hostvars['galaxy-handlers']['internal_ip'] }}/32" md5
   - host all all "{{ hostvars['galaxy-backup']['internal_ip'] }}/32" md5
+
+extra_keys:
+  - id: internal_hop_key
+    type: public
+    from: "{{ hostvars['galaxy']['internal_ip'] }},{{ hostvars['galaxy-backup']['internal_ip'] }}"

host_vars/galaxy-handlers.usegalaxy.org.au.yml

@@ -72,3 +72,10 @@ flower_galaxy_conf: "{{ galaxy_config_file }}"
 
 # #flower_broker_api: "https://flower:{{ rabbitmq_password_flower }}@{{ rabbitmq_url }}/api/"
 flower_broker_url: "pyamqp://flower:{{ vault_rabbitmq_password_galaxy_prod }}@{{ hostvars['galaxy-queue']['internal_ip'] }}:5671//galaxy/galaxy_queues?ssl=1"
+
+extra_keys:
+  - id: internal_hop_key
+    type: private
+  - id: internal_hop_key
+    type: public
+    from: "{{ hostvars['galaxy-backup']['internal_ip'] }},{{ hostvars['galaxy']['internal_ip'] }},{{ hostvars['galaxy-queue']['internal_ip'] }}"

host_vars/galaxy-job-nfs.usegalaxy.org.au.yml

@@ -13,3 +13,6 @@ extra_keys:
   - id: ubuntu_maintenance_key
     type: public
     from: "{{ hostvars['galaxy']['internal_ip'] }}"
+  - id: internal_hop_key
+    type: public
+    from: "{{ hostvars['galaxy']['internal_ip'] }},{{ hostvars['galaxy-backup']['internal_ip'] }},{{ hostvars['galaxy-queue']['internal_ip'] }},{{ hostvars['galaxy-handlers']['internal_ip'] }}"

host_vars/galaxy-misc-nfs.usegalaxy.org.au.yml

@@ -25,3 +25,9 @@ nfs_exports:
   - "{{ nfs_app_dir }} {{ hostvars['galaxy'].internal_ip.split('.')[:-1] | join('.') }}.0/24(rw,async,no_root_squash,no_subtree_check)"
   - "{{ nfs_tools_dir }} {{ hostvars['galaxy'].internal_ip.split('.')[:-1] | join('.') }}.0/24(rw,async,no_root_squash,no_subtree_check)"
   - "{{ nfs_custom_indices_dir }} {{ hostvars['galaxy'].internal_ip.split('.')[:-1] | join('.') }}.0/24(rw,async,no_root_squash,no_subtree_check)"
+
+# internal ssh keys
+extra_keys:
+  - id: internal_hop_key
+    type: public
+    from: "{{ hostvars['galaxy']['internal_ip'] }},{{ hostvars['galaxy-backup']['internal_ip'] }},{{ hostvars['galaxy-queue']['internal_ip'] }},{{ hostvars['galaxy-handlers']['internal_ip'] }}"

host_vars/galaxy-queue.usegalaxy.org.au.yml

@@ -215,4 +215,16 @@ pip_install_packages:
 nginx_check_conf: False
 
 redis_requirepass: "{{ vault_redis_requirepass }}"
-redis_bind_interface: 0.0.0.0
+redis_bind_interface: 0.0.0.0
+
+extra_keys:
+  - id: internal_hop_key
+    type: private
+  - id: internal_hop_key
+    type: public
+    from: "{{ hostvars['galaxy-backup']['internal_ip'] }},{{ hostvars['galaxy']['internal_ip'] }},{{ hostvars['galaxy-handlers']['internal_ip'] }}"
+
+# ssh config, only for ubuntu
+ssh_config_id_file: "/home/{{ ssh_config_user }}/.ssh/internal_hop_key"
+ssh_config_user: ubuntu
+ssh_config_hosts: "{{ galaxy_group }}"

host_vars/galaxy-user-nfs.usegalaxy.org.au.yml

@@ -36,3 +36,9 @@ nfs_exports:
   - "{{ volA_path }} {{ hostvars['galaxy'].internal_ip.split('.')[:-1] | join('.') }}.0/24(rw,async,no_root_squash,no_subtree_check)"
   - "{{ volB_path }} {{ hostvars['galaxy'].internal_ip.split('.')[:-1] | join('.') }}.0/24(rw,async,no_root_squash,no_subtree_check)"
   - "{{ volC_path }} {{ hostvars['galaxy'].internal_ip.split('.')[:-1] | join('.') }}.0/24(rw,async,no_root_squash,no_subtree_check)"
+
+# internal ssh keys
+extra_keys:
+  - id: internal_hop_key
+    type: public
+    from: "{{ hostvars['galaxy']['internal_ip'] }},{{ hostvars['galaxy-backup']['internal_ip'] }},{{ hostvars['galaxy-queue']['internal_ip'] }},{{ hostvars['galaxy-handlers']['internal_ip'] }}"

host_vars/galaxy.usegalaxy.org.au.yml

@@ -368,6 +368,11 @@ rpc_pulsar_machines:
 extra_keys:
   - id: ubuntu_maintenance_key
     type: private
+  - id: internal_hop_key
+    type: private
+  - id: internal_hop_key
+    type: public
+    from: "{{ hostvars['galaxy-backup']['internal_ip'] }},{{ hostvars['galaxy-handlers']['internal_ip'] }},{{ hostvars['galaxy-queue']['internal_ip'] }}"
 
 # # grt-sender role # TODO: what of GRT??
 # grt_sender_dir: /mnt/var/galactic_radio_telescope
@@ -625,3 +630,8 @@ webhook_plugins:
   - demo
   - gtn
   - news
+
+# ssh config, only for ubuntu
+ssh_config_id_file: "/home/{{ ssh_config_user }}/.ssh/internal_hop_key"
+ssh_config_user: ubuntu
+ssh_config_hosts: "{{ galaxy_group }}"

roles/common/tasks/main.yml

@@ -9,7 +9,6 @@
   ansible.builtin.apt_key:
     url: https://repos.influxdata.com/influxdata-archive_compat.key
     state: present
-  when: ansible_distribution_major_version is version('22', '<')
 
 - name: Update the apt repos and base OS
   apt:
@@ -91,6 +90,10 @@
   loop_control:
     loop_var: extra_key
 
+- name: Add ssh config
+  import_tasks: ssh_config.yml
+  when: ssh_config_hosts is defined
+
 - name: Make sure cloud configured hostname control is not present
   file:
     path: /etc/cloud/cloud.cfg.d/07_hostnamefix.cfg

roles/common/tasks/ssh_config.yml

@@ -0,0 +1,12 @@
+- name: Add entries to ssh config
+  blockinfile:
+    marker: "# {mark} ANSIBLE MANAGED BLOCK (common role: add ssh config entries)"
+    dest: "/home/{{ ssh_config_user }}/.ssh/config"
+    create: true
+    block: |
+        {% for item in ssh_config_hosts %}
+        Host {{ item }}
+            HostName {{ item }}
+            User {{ ssh_config_user }}
+            IdentityFile {{ ssh_config_id_file }}
+        {% endfor %}