puppet: Rename and limit production key distribution.
parent
d910ea27fe
commit
0bd1e2b434
|
@ -62,12 +62,12 @@ class zulip_ops::profile::base {
|
||||||
user { 'root': }
|
user { 'root': }
|
||||||
zulip_ops::user_dotfiles { 'root':
|
zulip_ops::user_dotfiles { 'root':
|
||||||
home => '/root',
|
home => '/root',
|
||||||
keys => 'common',
|
keys => 'internal-read-only-deploy-key',
|
||||||
authorized_keys => 'common',
|
authorized_keys => 'common',
|
||||||
}
|
}
|
||||||
|
|
||||||
zulip_ops::user_dotfiles { 'zulip':
|
zulip_ops::user_dotfiles { 'zulip':
|
||||||
keys => 'common',
|
keys => 'internal-read-only-deploy-key',
|
||||||
authorized_keys => 'common',
|
authorized_keys => 'common',
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
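Review bot: The base profile still pushes a deploy key onto every host by default, because `keys => 'internal-read-only-deploy-key'` on both the root and zulip dotfiles resources applies to any profile that inherits base and does not override it; hosts that should carry no key, such as chat_zulip_org in this same commit, have to remember to set `keys => false`. An opt-in default would limit distribution more reliably: set `keys => false,` here and have only the profiles that need repository access override it, as prod_app_frontend already does. A comment on the two resources stating which key is installed and why, e.g. `# Read-only deploy key by default; profiles override with keys => false or a write key as needed.`, would also make the override sites easier to audit. The user_dotfiles define's handling of keys => false is not visible here, so whether it removes a previously installed key should be confirmed.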
@ -10,4 +10,11 @@ class zulip_ops::profile::chat_zulip_org inherits zulip_ops::profile::base {
|
||||||
zulip_ops::firewall_allow { 'http': }
|
zulip_ops::firewall_allow { 'http': }
|
||||||
zulip_ops::firewall_allow { 'https': }
|
zulip_ops::firewall_allow { 'https': }
|
||||||
zulip_ops::firewall_allow { 'smtp': }
|
zulip_ops::firewall_allow { 'smtp': }
|
||||||
|
|
||||||
|
Zulip_Ops::User_Dotfiles['root'] {
|
||||||
|
keys => false,
|
||||||
|
}
|
||||||
|
Zulip_Ops::User_Dotfiles['zulip'] {
|
||||||
|
keys => false,
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
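Review bot: The two resource overrides at the end of the class carry no explanation of why this host, unlike the other profiles in this commit, should have no deploy key at all; a short comment such as `# No deploy key on this host: only the shared authorized_keys from the base profile are wanted.` above the first override would keep that decision from being reverted by accident. Whether `keys => false` actually removes a key that was installed earlier (the bootstrap script in this commit installs the read-only key for root) depends on the zulip_ops::user_dotfiles define, which is outside this hunk.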
@ -2,6 +2,13 @@ class zulip_ops::profile::prod_app_frontend inherits zulip_ops::profile::base {
|
||||||
include zulip_ops::app_frontend
|
include zulip_ops::app_frontend
|
||||||
include zulip::hooks::zulip_notify
|
include zulip::hooks::zulip_notify
|
||||||
|
|
||||||
|
Zulip_Ops::User_Dotfiles['root'] {
|
||||||
|
keys => 'internal-limited-write-deploy-key',
|
||||||
|
}
|
||||||
|
Zulip_Ops::User_Dotfiles['zulip'] {
|
||||||
|
keys => 'internal-limited-write-deploy-key',
|
||||||
|
}
|
||||||
|
|
||||||
$conntrack_max = zulipconf('application_server', 'conntrack_max', 262144)
|
$conntrack_max = zulipconf('application_server', 'conntrack_max', 262144)
|
||||||
zulip::sysctl { 'conntrack':
|
zulip::sysctl { 'conntrack':
|
||||||
content => template('zulip_ops/sysctl.d/40-conntrack.conf.erb'),
|
content => template('zulip_ops/sysctl.d/40-conntrack.conf.erb'),
|
||||||
|
|
|
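Review bot: The write-capable key is installed for root as well as for the zulip user (`keys => 'internal-limited-write-deploy-key'` on both overrides); if deploys on production frontends run as only one of those users, the other copy widens exposure of the write key without benefit, so it is worth confirming both are needed. A comment above the overrides recording why this profile is the exception, e.g. `# Only production frontends get a write-capable deploy key; all other hosts inherit the read-only key from base.`, would help later reviewers keep the set of write-key hosts small.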
@ -58,7 +58,7 @@ EOF
|
||||||
# smuggles the install-ssh-keys binary into this one.
|
# smuggles the install-ssh-keys binary into this one.
|
||||||
# install-ssh-keys, in turn, pulls key data from AWS' secret manager.
|
# install-ssh-keys, in turn, pulls key data from AWS' secret manager.
|
||||||
INSTALL_SSH_KEYS="inline!puppet/zulip_ops/files/install-ssh-keys"
|
INSTALL_SSH_KEYS="inline!puppet/zulip_ops/files/install-ssh-keys"
|
||||||
"$INSTALL_SSH_KEYS" root prod/ssh/keys/common
|
"$INSTALL_SSH_KEYS" root prod/ssh/keys/internal-read-only-deploy-key
|
||||||
|
|
||||||
# Provide GitHub known_hosts setup; you can verify against fingerprints at
|
# Provide GitHub known_hosts setup; you can verify against fingerprints at
|
||||||
# https://docs.github.com/en/github/authenticating-to-github/githubs-ssh-key-fingerprints
|
# https://docs.github.com/en/github/authenticating-to-github/githubs-ssh-key-fingerprints
|
||||||
|
|
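Review bot: The secret path `prod/ssh/keys/internal-read-only-deploy-key` is now the second place that names this key (the other is the keys parameter in zulip_ops::profile::base), and nothing ties the two together; a comment such as `# Must match the default keys => ... in zulip_ops::profile::base; Puppet re-manages the key on the first run.` would flag the coupling. This bootstrap also installs the read-only key for root on every new host before its profile is known, so hosts whose profile sets keys => false rely on the later Puppet run to remove it; if the user_dotfiles define does not purge unmanaged keys, the bootstrap copy stays. The enclosing script continues outside the hunk, so whether a failed install-ssh-keys call aborts the bootstrap is not visible here.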