From bbad09e2b15eeca86f83a9d2a97449baf71e326f Mon Sep 17 00:00:00 2001 From: Elizabeth Hunt Date: Wed, 1 May 2024 01:33:35 -0700 Subject: init --- docs/INFRA_PLAYBOOK.md | 9 +++++++++ docs/PEOPLE_PLAYBOOK.md | 19 +++++++++++++++++++ 2 files changed, 28 insertions(+) create mode 100644 docs/INFRA_PLAYBOOK.md create mode 100644 docs/PEOPLE_PLAYBOOK.md (limited to 'docs') diff --git a/docs/INFRA_PLAYBOOK.md b/docs/INFRA_PLAYBOOK.md new file mode 100644 index 0000000..043d4dc --- /dev/null +++ b/docs/INFRA_PLAYBOOK.md @@ -0,0 +1,9 @@ +Registering a new internal machine : + +1. Register .pub.infra.hatecomputers.club A record -> public ipv4 +2. Register .int.infra.hatecomputers.club A record -> internal ipv4 in 10.155.0.0/16 subnet +3. Put it on the internal VPN. i.e. add .pub... in the wireguard-mesh after allowing ssh to root and everything +4. Run the wireguard-mesh playbook +5. Update the inventory record in wireguard-mesh to .int... +6. Now run the deploy-common playbook to allow ssh only internally, debugging as necessary if needed ; it should just work :)) +7. Add your new roles! diff --git a/docs/PEOPLE_PLAYBOOK.md b/docs/PEOPLE_PLAYBOOK.md new file mode 100644 index 0000000..2eb468b --- /dev/null +++ b/docs/PEOPLE_PLAYBOOK.md @@ -0,0 +1,19 @@ +obviously, don't let people have usernames that would conflict with anything internal (i.e. "email", "infra*", etc.) and are only alphanumeric + +```sh +kanidm login --name idm_admin +kanidm person create --name idm_admin "" +kanidm person credential create-reset-token --name idm_admin + +# allow them to set a unix/ldap password +kanidm person posix set --name idm_admin +kanidm person posix set --name idm_admin --shell /bin/zsh + +# give them email access (need unix access) +kanidm person update --legalname "" --mail @hatecomputers.club +kanidm group add-members mail +``` + +groups you'll probably want to add people: ++ gitea-access ++ mail -- cgit v1.2.3-70-g09d2
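Review bot: In docs/INFRA_PLAYBOOK.md the hostname placeholder has been lost from steps 1, 2, 3 and 5: the records read `.pub.infra.hatecomputers.club` and `.int.infra.hatecomputers.club` with nothing in front of the leading dot, so a reader cannot tell what name to register. Suggest writing an explicit placeholder, e.g. `<host>.pub.infra.hatecomputers.club` and `<host>.int.infra.hatecomputers.club`, and using the same placeholder in steps 3 and 5. Step 3 also opens root ssh on the public address ("after allowing ssh to root and everything") and only step 6 closes it again, but no step verifies that the close actually happened; suggest ending with a check, e.g. confirm that ssh is refused on the `.pub...` address and accepted on the `.int...` address in 10.155.0.0/16 after the deploy-common playbook runs, so a failed or partially applied playbook does not leave a publicly reachable root login behind.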
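Review bot: In docs/PEOPLE_PLAYBOOK.md several of the kanidm commands are missing the account they act on, so they are not usable as written: `kanidm person create --name idm_admin ""` has an empty display-name argument and no account name, the three `person posix set --name idm_admin` / `person update --legalname ""` lines name only the acting admin, `--mail @hatecomputers.club` has no local part, and `kanidm group add-members mail` names no member. This looks like the placeholders were stripped on rendering; suggest using an explicit `<username>` placeholder in each command (and `<username>@hatecomputers.club` for the mail attribute) so the playbook can be followed verbatim. The opening sentence restricts usernames to alphanumeric names that do not collide with internal names like "email" or "infra*", but nothing in the steps checks that; suggest adding a one-line check before `person create` (for example a shell test that the name matches `^[a-z0-9]+$` and is not in the reserved list) rather than relying on the reader to remember the rule. Finally, the steps grant `posix set` and mail-group membership to every new person by default; if that is intentional it deserves a sentence saying so, since the comment on the last block already notes that email access depends on the unix access being granted first.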