Commit 5078e210 authored by Jelle van der Waa

phrik: reduce access and allow restarting in phrik group

Reduce the access to phrik.archlinux.org to only demize for now by
defining arch_users in phrik's host_vars. Add a polkit rule to allow
users in the phrik group to restart phrik.
parent 91583726
......@@ -147,6 +147,11 @@ The following steps should be used to update our managed servers:
- patchwork
- projects (projects.archlinux.org)
### phrik.archlinux.org
- phrik (irc bot) users in the phrik group defined in
the hosts vars and re-used the archusers role. Users
in the phrik group are allowed to restar the irc bot.
### soyuz
#### Services
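Review bot: in the new phrik.archlinux.org README entry, "restar" should be "restart", and the sentence "users in the phrik group defined in the hosts vars and re-used the archusers role" does not parse. Suggested wording: "phrik (irc bot): users are defined in the host vars through the archusers role; members of the phrik group are allowed to restart the irc bot." Naming the polkit rule file (20-manage-phrik.rules) here would also tell the next admin where that permission comes from.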
......@@ -154,7 +159,6 @@ The following steps should be used to update our managed servers:
- releng
- sogrep
- /~user/ webhost
- irc bot (phrik)
- matrix
- docker images
- arch boxes (packer)
......
......@@ -3,3 +3,10 @@ filesystem: btrfs
zabbix_agent_templates:
- Template OS Linux
- Template App Borg Backup
arch_users:
demize:
name: "Johannes Löthberg"
ssh_key: demize.pub
shell: /bin/zsh
groups:
- tu
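Review bot: demize's `groups:` list contains only `tu`, while the polkit rule added in this commit grants the permission through `subject.isInGroup("phrik")`. Unless membership of the phrik group is assigned somewhere not visible in this diff, the one user who keeps access to the host cannot use the new rule. Either add `- phrik` to this list or note in the commit message where the membership is set.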
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.systemd1.manage-units" &&
action.lookup("unit") == "phrik.service" &&
subject.isInGroup("phrik")) {
return polkit.Result.YES;
}
});
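Review bot: the condition matches on `action.lookup("unit") == "phrik.service"` but not on the verb, so members of the phrik group are authorized for every manage-units operation on that unit (stop and start included), which is wider than the "restart" stated in the commit message and the README. If only restarting is intended, add `action.lookup("verb") == "restart"` to the condition; systemd passes the `verb` detail alongside `unit` for `org.freedesktop.systemd1.manage-units`.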
......@@ -24,6 +24,9 @@
- name: install phrik sudoers config
copy: src=sudoers dest=/etc/sudoers.d/phrik
- name: install polkit rule for restarting phrik
copy: src=20-manage-phrik.rules dest=/etc/polkit-1/rules.d/20-manage-phrik.rules
- name: install phrik systemd service
copy: src=phrik.service dest=/etc/systemd/system/phrik.service
notify:
......
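Review bot: the new `copy` task for 20-manage-phrik.rules sets no `owner`, `group` or `mode`, so the permissions of a file that grants privileges are left to defaults. Pin them on the task, for example `owner=root group=root mode=0644`, so the rule can never end up writable by a non-root user. The existing sudoers task above it is unchanged; it would help to say in the commit message whether both the sudoers file and the polkit rule are still needed.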