Say you have 5 developers working on a site. One is in charge of deployments, and the others work on different aspects of the site but do not (and should not) have access to the remote servers. At the same time, you want them up and running with the latest stuff as quickly as possible. Everything is easy to get synced without access to the actual servers, except for the database and uploads folder.
So I would like to allow these commands only on the remote servers, and nothing else. (They can pull but not push the DB, etc).
From what I understand, you can restrict users to specific actions by their SSH key within the authorized_keys file.
So essentially I would like to:
- Add the other developers' SSH keys to the users.yml file
- Assign specific commands to those SSH keys
- Deploy them to the remote servers during provisioning.
This is my uploads.yml file, which works as expected, but I am looking for a way to somehow allow people to pull but only allow one person to push (same for my database.yml file).
```yaml
---
- name: Sync uploads between environments
  hosts: web
  remote_user: "{{ web_user }}"
  vars:
    project: "{{ wordpress_sites[site] }}"
    project_root: "{{ www_root }}/{{ site }}"
  tasks:
    # ansible-playbook uploads.yml -i /srv/www/example.dev/hosts/staging --extra-vars="site=example.dev mode=push"
    - name: Push uploads
      synchronize:
        src: "{{ project.local_path }}/web/app/uploads/"
        dest: "{{ project_root }}/current/web/app/uploads/"
        rsync_opts: --exclude=.DS_Store
      when: mode is not defined or mode == "push"

    # ansible-playbook uploads.yml -i /srv/www/example.dev/hosts/staging --extra-vars="stg.example.com mode=pull"
    - name: Pull uploads
      synchronize:
        src: "{{ project_root }}/current/web/app/uploads/"
        dest: "{{ project.local_path }}/web/app/uploads/"
        mode: pull
        rsync_opts: --exclude=.DS_Store
      when: mode is defined and mode == "pull"
```
I started looking at this old post but first thought I would check to see how other people handle this situation.
http://cybermashup.com/2013/05/14/restrict-ssh-logins-to-a-single-command/
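One way to express "pull but not push" at the SSH layer, as an added example that is not part of the original post or of Trellis: a forced-command wrapper referenced from `authorized_keys` via `command="..."`. When a key has a forced command, sshd ignores whatever the client asked for, runs the wrapper instead, and exposes the client's request in `SSH_ORIGINAL_COMMAND`. The wrapper below only allows the server side of an rsync pull (`rsync --server --sender ...`, i.e. the server is the sender, so the client can only download) rooted at the uploads directory; a push (`rsync --server` without `--sender`), any other long option, any path outside the uploads tree, and any non-rsync command are refused. The install path `/usr/local/bin/uploads-pull-only` and the uploads directory are assumptions; the rsync server argument shapes (`--server`, `--sender`, a short-option cluster such as `-vlogDtpre.iLsfxC`, `.`, then the path) are what current rsync clients send.

```shell
#!/bin/sh
# Hypothetical forced-command wrapper for a read-only (pull-only) rsync key.
# Assumed install path: /usr/local/bin/uploads-pull-only
# Assumed authorized_keys entry for a non-deploying developer:
#   command="/usr/local/bin/uploads-pull-only",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA... dev@example
# sshd puts the client's requested command in SSH_ORIGINAL_COMMAND; only an rsync
# *pull* (server acting as --sender) rooted at UPLOADS_DIR is allowed through.

set -f   # never glob-expand anything taken from the client request

UPLOADS_DIR="${UPLOADS_DIR:-/srv/www/example.dev/current/web/app/uploads}"   # assumed path

# check_command "<requested command>": returns 0 if it is an allowed rsync pull, 1 otherwise.
check_command() {
    set -- $1                      # split the request on whitespace (positional params are local here)
    [ "$1" = "rsync" ] || return 1
    [ "$2" = "--server" ] || return 1
    shift 2
    seen_sender=0
    seen_path=0
    for arg in "$@"; do
        case "$arg" in
            --sender) seen_sender=1 ;;          # server sends => client is pulling
            -[a-zA-Z0-9.]*) : ;;                # short-option cluster, e.g. -vlogDtpre.iLsfxC
            --*) return 1 ;;                    # any other long option (e.g. --remove-source-files) is refused
            .) : ;;                             # rsync's placeholder local argument
            *)
                [ "$seen_path" -eq 0 ] || return 1   # exactly one path argument
                case "$arg" in
                    *..*) return 1 ;;                # no traversal components
                    "$UPLOADS_DIR"|"$UPLOADS_DIR"/*) ;;
                    *) return 1 ;;                   # outside the uploads tree
                esac
                seen_path=1 ;;
        esac
    done
    if [ "$seen_sender" -eq 1 ] && [ "$seen_path" -eq 1 ]; then
        return 0
    fi
    return 1
}

# When invoked by sshd as a forced command, validate and then run the real rsync.
if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
    if check_command "$SSH_ORIGINAL_COMMAND"; then
        set -- $SSH_ORIGINAL_COMMAND
        shift                      # drop the leading "rsync" word; call the system binary directly
        exec /usr/bin/rsync "$@"
    fi
    echo "uploads-pull-only: refused: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

With this in place the developer's `mode=pull` playbook run (which makes rsync on the server act as `--sender`) succeeds, while the push task fails at the SSH layer regardless of what the playbook asks for. rsync ships an equivalent maintained script, `rrsync`, which can be used as `command="rrsync -ro /srv/www/example.dev/current/web/app/uploads"` to get read-only access without hand-writing the argument checks; the wrapper above is shown so the allow/refuse logic is visible. The deployer's key gets no `command=` restriction, and the same pattern (a forced command that only allows a dump, not a restore) applies to the database.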