Adding a new employee to the playbook-infrastructure and servers

This chapter describes how to add a new employee to the playbook-infrastructure and the servers. It also describes how to remove the access of employees who have left.

SSH access

A new employee's SSH public key has to be added to the dictionary humans in inventory/group_vars/all.yml.

role-ssh creates Linux users for employees on the servers. These Linux users are defined in the dictionary ssh_users.
It is commonly split into subgroups such as ssh_users_admins or ssh_users_staging, which are defined in different inventory/group_vars/ or inventory/host_vars/ files. This allows defining which employees have access to which groups of servers.
Run grep -r ssh_users_ inventory/ to check that you added the new employee to every such subgroup that should include them.

When using the SSH public key in other variables, remember to always refer to the dictionary via {{ humans['j.doe']['ssh_public_key'] }}.

When the inventory/ is set up correctly, run cake -f baseline_ssh. This will create the employee's Linux user on the servers and set up the SSH public key.
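The grep step above is easy to get wrong by eye when there are many ssh_users_* subgroups. The following script is an added example, not part of the playbook-infrastructure or its cake tooling: it builds a constructed sample inventory (the humans dictionary plus two ssh_users_* subgroups, one of which lacks the new employee) and then reports every file that defines an ssh_users_* dictionary without listing the given employee. It assumes the subgroup entries carry the employee handle under a "name" key; that layout and all key material are assumptions and placeholders, not the project's real files.

```shell
#!/bin/sh
# Added example (not the project's own code): find ssh_users_* dictionaries
# under inventory/ that do not yet list a new employee.
# ASSUMPTION: each ssh_users_* entry is a YAML list item with a "name" key
# holding the employee handle (e.g. j.doe). The inventory below is constructed.

# Create a constructed sample inventory in a temporary directory; print its path.
make_sample_inventory() {
    dir=$(mktemp -d)
    mkdir -p "$dir/group_vars" "$dir/host_vars"
    # humans: one entry per employee, referenced from the ssh_users_* dictionaries
    cat > "$dir/group_vars/all.yml" <<'EOF'
humans:
  j.doe:
    ssh_public_key: "ssh-ed25519 AAAA-PLACEHOLDER-KEY j.doe@example.com"
  a.smith:
    ssh_public_key: "ssh-ed25519 AAAA-PLACEHOLDER-KEY a.smith@example.com"
EOF
    # admins subgroup: both employees present
    cat > "$dir/group_vars/admins.yml" <<'EOF'
ssh_users_admins:
  - name: a.smith
    ssh_public_key: "{{ humans['a.smith']['ssh_public_key'] }}"
  - name: j.doe
    ssh_public_key: "{{ humans['j.doe']['ssh_public_key'] }}"
EOF
    # staging subgroup: j.doe deliberately missing, so the check has something to report
    cat > "$dir/host_vars/staging-1.yml" <<'EOF'
ssh_users_staging:
  - name: a.smith
    ssh_public_key: "{{ humans['a.smith']['ssh_public_key'] }}"
EOF
    printf '%s\n' "$dir"
}

# Print every inventory file that defines an ssh_users_* dictionary but does not
# list the given employee. Returns 0 when nothing is missing, 1 otherwise.
check_ssh_groups() {
    employee=$1
    inventory=$2
    missing=0
    # grep -rl lists only files that contain an ssh_users_* dictionary
    for f in $(grep -rl 'ssh_users_' "$inventory"); do
        if ! grep -q "name: $employee\$" "$f"; then
            printf 'missing %s in %s\n' "$employee" "$f"
            missing=1
        fi
    done
    return $missing
}

# Demo on the constructed inventory: reports host_vars/staging-1.yml for j.doe.
inv=$(make_sample_inventory)
check_ssh_groups j.doe "$inv" || echo "add j.doe to the files listed above, then re-run"
rm -rf "$inv"
```

In a real checkout you would call check_ssh_groups with the new employee's handle and the inventory/ directory instead of the constructed one; a non-zero exit status makes the check usable as a pre-commit or CI gate. Subgroups that intentionally exclude the employee will also be listed, so treat the output as a review list rather than an error list.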

playbook secrets

When moving the new employee's GPG public key to .pass/gpg-keys/, the filename of the .asc file HAS TO MATCH the email address stated during the creation of the GPG keypair (in this example j.doe@example.com-11):

# Move file in place and rename to email address defined in the public key
CAKE master * mv new-employees-public-key.asc .pass/gpg-keys/j.doe@example.com-11.asc

# Check that the file was named correctly
CAKE master * gpg2 --list-keys j.doe@example.com-11
pub   rsa4096 2023-07-03 [SC] [expires: 2027-07-03]
      ED52FEB3B80E7B75EABFD7F605DBF6C7AAC65740
uid           [ultimate] Peter Knig <j.doe@example.com-11>
sub   rsa4096 2023-07-03 [E] [expires: 2027-07-03]

Now the new GPG public key has to be imported into your workstation's list of GPG public keys.
In order to encrypt secrets (passwords) for other employees, you have to "ultimately trust" (GPG speak) the new employee's public key.

cake will automatically open the correct gpg2 dialogue for you; you just have to follow its instructions:

CAKE master * cake -f gpg_import_public_keys
[...]
cake INFO You need to turst this key: j.doe@example.com.asc
cake INFO Enter:   5 - y - quit
cake Press enter to continue
[ENTER]
[...]
Your decision?  <- type 5 here, then ENTER
Do you really want to set this key to ultimate trust? (y/N)   <- type y here, then ENTER
[...]
gpg>  <- type exit here, then ENTER

Now all secrets have to be re-encrypted so that the new employee can decrypt them. For this, run:

cake -f gpg_reencrypt

Importing a new GPG key

After a new employee has been added and their GPG public key has been pushed to the playbook-infrastructure git repository, all other employees have to git pull and import the new employee's public key as well. This way the existing employees can encrypt future secrets (passwords, changelog files) for the new employee.

The new employee also has to do this step to import the GPG public keys of all other employees.

CAKE master * cake -f gpg_import_public_keys
[...]
cake INFO You need to turst this key: j.doe@example.com.asc
cake INFO Enter:   5 - y - quit
cake Press enter to continue
[ENTER]
[...]
Your decision?  <- type 5 here, then ENTER
Do you really want to set this key to ultimate trust? (y/N)   <- type y here, then ENTER
[...]
gpg>  <- type exit here, then ENTER

employee VPN

The new employee's WireGuard public key has to be added to the dictionary wireguard_peers in plays/util/server/wireguard.yml. After this, update the WireGuard VPN on the gateway-1 and gateway-2 servers:

cake -f util_server_wireguard

Additionally, the new employee's WireGuard workstation IPs have to be added to the shorewall_rules_custom dictionary on the gateway-1 and gateway-2 servers. After that:

cake -f baseline_shorewall -l util-gateway