From 47e4cf87179afca1f766bc67c8f5770b0dfb98fa Mon Sep 17 00:00:00 2001
From: bax1489 <fabian.gallenkamp@uni-hamburg.de>
Date: Thu, 26 Sep 2019 11:51:16 +0200
Subject: [PATCH] added key based authentication for git cloning

---
 .gitignore          |  1 +
 README.md           | 20 ++++++++++++++++++--
 configure_otree.yml | 30 ++++++++++++++++++++++++++++++
 3 files changed, 49 insertions(+), 2 deletions(-)

diff --git a/.gitignore b/.gitignore
index 7999768..5998b01 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,6 +2,7 @@ hosts
 templates/nginx_unmodified_confs/
 group_vars/otree_servers.yml
 files/
+keys/
 *.retry
 *.swp
 *.save
diff --git a/README.md b/README.md
index 2a4fb13..8bfa294 100644
--- a/README.md
+++ b/README.md
@@ -71,14 +71,30 @@ otree_users:
     # app_repo: "https://github.com/oTree-org/oTree.git"  
 ```
 
-### (optional) upload otree project
+### Get the otree project on your server
+
+#### Option A: upload otree project directly into ansible project
 1. If no git-repository ``app_repo``-value with your otree configuration is provided, you have to place a copy of the project files (with scp) in ``files/<otree_username>/``.
 
+#### Option B: clone via git and provide ssh keys
+1. If git-repository ``app_repo`` is provided and the repo is private you have to setup key authentication.
+2. Generate a public-private key pair in the ansible project ``keys/<otree_instance_name>/`` with ``ssh-keygen -f id -t ed25519 -N '' -a 100``
+3. Upload public key in your git provider (GitLab: User Settings->SSH Keys) and make sure you have access to the specified project in ``app_repo``
+
 And now run the playbook.
 
 ## change the configuration
 1. Adapt your inventory-config again with ``nano ~/otree-ansible/group_vars/otree_servers.yml`` and run the playbook.
 
+## setup ssh keys
+1. Generate a public-private key pair in the ansible project ``keys/<otree_instance_name>/`` with ``ssh-keygen -f id -t ed25519 -N '' -a 100``
+2. Upload public key in your git provider (GitLab: User Settings->SSH Keys) and make sure you have access to the specified project in ``app_repo``
+
 ## run the playbook
 1. Change directory: ``cd ~/otree-ansible/``
-2. Run: ``ansible-playbook site.yml``
\ No newline at end of file
+2. Run: ``ansible-playbook site.yml``
+
+## FAQ
+
+### There is an error with redis in apt installation
+Solution: Disable ipv6 in ``/etc/redis/redis.conf``
diff --git a/configure_otree.yml b/configure_otree.yml
index 84082a9..d7396dc 100644
--- a/configure_otree.yml
+++ b/configure_otree.yml
@@ -21,12 +21,42 @@
       with_dict: "{{ otree_users }}"
       when: item.value.override
 
+    - name: copy over ssh key files
+      synchronize:
+        src: "keys/{{ item.key }}/"
+        dest: "/home/{{ item.key }}/.ssh/"
+        delete: yes
+      with_dict: "{{ otree_users }}"
+      when: item.value.override and item.value.app_repo is defined
+
+    - name: set owner and group permissions restricted for key files
+      file:
+        path: "/home/{{ item.key }}/.ssh/"
+        state: directory
+        owner: "{{ item.key }}"
+        group: "{{ item.key }}"
+        mode: "0600"
+        recurse: yes
+      with_dict: "{{ otree_users }}"
+      when: item.value.override and item.value.app_repo is defined
+
+    - name: set owner and group permissions for folder
+      file:
+        path: "/home/{{ item.key }}/.ssh/"
+        state: directory
+        owner: "{{ item.key }}"
+        group: "{{ item.key }}"
+        mode: "0700"
+      with_dict: "{{ otree_users }}"
+      when: item.value.override and item.value.app_repo is defined
+
     - name: clone projects accordingly
       git:
         repo: "{{ item.value.app_repo }}"
         dest: "/home/{{ item.key }}/otree/"
         accept_hostkey: yes
         recursive: yes
+        key_file: "/home/{{ item.key }}/.ssh/id"
       become: yes
       become_user: "{{ item.key }}"
       with_dict: "{{ otree_users }}"
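Review bot: `delete: yes` on the new synchronize task at the top of the hunk removes everything under `/home/{{ item.key }}/.ssh/` that is not present in the controller's `keys/{{ item.key }}/` directory, so an existing `authorized_keys` or `known_hosts` for that account is wiped on every run; drop `delete: yes`, or sync only the two key files (`src: "keys/{{ item.key }}/id"` plus the `.pub`) instead of the whole directory. The two following `file` tasks also overlap: `mode: "0600"` with `recurse: yes` is applied to the directory itself before the next task resets it to `0700`, so a single task setting `0700` on the directory and a loop setting `0600` on the key files would be clearer and avoid the transient unreadable state. Since the playbook now provisions a key that grants access to a private repository, the `accept_hostkey: yes` in the clone task (context here, with its `when` outside the hunk) accepts whatever host key the git provider presents on first contact; seeding the account's `known_hosts` with the provider's published fingerprint via the `known_hosts` module before cloning would make that trust explicit. Style: the file's new tasks use `yes` for booleans where Ansible convention and yamllint `truthy` prefer `true`.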
-- 
GitLab