author: Elizabeth Hunt <elizabeth.hunt@simponic.xyz> 2024-05-01 01:33:35 -0700
committer: Elizabeth Hunt <elizabeth.hunt@simponic.xyz> 2024-05-01 01:33:35 -0700
commit: bbad09e2b15eeca86f83a9d2a97449baf71e326f (patch)
tree: 9d10c3ec94ae11a7cd28131bbcf5d553245006ec /docs
init
Diffstat (limited to 'docs')
-rw-r--r--  docs/INFRA_PLAYBOOK.md   9
-rw-r--r--  docs/PEOPLE_PLAYBOOK.md  19
2 files changed, 28 insertions, 0 deletions
diff --git a/docs/INFRA_PLAYBOOK.md b/docs/INFRA_PLAYBOOK.md
new file mode 100644
index 0000000..043d4dc
--- /dev/null
+++ b/docs/INFRA_PLAYBOOK.md
@@ -0,0 +1,9 @@
+Registering a new internal machine <hostname>:
+
+1. Register <hostname>.pub.infra.hatecomputers.club A record -> public ipv4
+2. Register <hostname>.int.infra.hatecomputers.club A record -> internal ipv4 in 10.155.0.0/16 subnet
+3. Put it on the internal VPN. i.e. add <hostname>.pub... in the wireguard-mesh after allowing ssh to root and everything
+4. Run the wireguard-mesh playbook
+5. Update the inventory record in wireguard-mesh to <hostname>.int...
+6. Now run the deploy-common playbook to allow ssh only internally, debugging as necessary if needed ; it should just work :))
+7. Add your new roles!
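Review bot: step 3 opens root SSH on the public hostname and step 6 is the only thing that closes it again, so the playbook leaves a window where the box is reachable as root from the internet with whatever sshd config the base image ships; the doc should state that root login during this window is key-based only (no password auth) and that step 6 is not finished until someone has confirmed from outside the mesh that `<hostname>.pub...` no longer accepts SSH. Step 5 changes the inventory hostname from `.pub` to `.int` between the two playbook runs, which is easy to forget; consider saying explicitly that deploy-common must be run against the internal name or it will reapply the public-facing rule. Step 6 also reads "debugging as necessary if needed", which says the same thing twice.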
diff --git a/docs/PEOPLE_PLAYBOOK.md b/docs/PEOPLE_PLAYBOOK.md
new file mode 100644
index 0000000..2eb468b
--- /dev/null
+++ b/docs/PEOPLE_PLAYBOOK.md
@@ -0,0 +1,19 @@
+obviously, don't let people have usernames that would conflict with anything internal (i.e. "email", "infra*", etc.) and are only alphanumeric
+
+```sh
+kanidm login --name idm_admin
+kanidm person create --name idm_admin <username> "<display name>"
+kanidm person credential create-reset-token <username> --name idm_admin
+
+# allow them to set a unix/ldap password
+kanidm person posix set --name idm_admin <username>
+kanidm person posix set --name idm_admin <username> --shell /bin/zsh
+
+# give them email access (need unix access)
+kanidm person update <username> --legalname "<display name>" --mail <username>@hatecomputers.club
+kanidm group add-members mail <username>
+```
+
+groups you'll probably want to add people:
++ gitea-access
++ mail
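Review bot: the two `kanidm person posix set` lines do the same thing, the second (with `--shell /bin/zsh`) is enough on its own, and the `person update` line drops the `--name idm_admin` that every other command carries, so it depends on the earlier `kanidm login` session still being valid; pick one style and use it throughout. The first sentence also reads as if usernames should both "conflict with anything internal" and "be only alphanumeric"; rewording it to "usernames must be alphanumeric and must not collide with internal names (e.g. `email`, `infra*`)" states the rule as intended. The `credential create-reset-token` step prints a token that is effectively a one-time credential for the new account; the doc should say how it is handed to the person (not pasted into a shared chat) and that it is short-lived, so the account is not left with an unused token floating around.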