zuul-user: add role to install system-config key

This moves the creation of a zuul user with the Zuul per-project key
for system-config to a separate role from the static role, so it can
be reused on other hosts.

Change-Id: Ice605b70a2c42d9b85090406216253fec0820f50

playbooks/roles/static/tasks/main.yaml

@@ -8,6 +8,12 @@
     that:
       - afs_root.stat.exists
 
+- name: Install zuul user
+  include_role:
+    name: zuul-user
+  vars:
+    zuul_user_enable_sudo: True
+
 - name: Install apache2
   apt:
     name:
@@ -71,6 +77,3 @@
     - 50-tarballs.opendev.org
     - 50-tarballs.openstack.org
     - 50-zuul-ci.org
-
-- name: Install zuul user
-  include_tasks: zuul.yaml

playbooks/roles/zuul-user/README.rst

@@ -0,0 +1,11 @@
+zuul user
+
+Install a user ``zuul`` that has the per-project key from
+``system-config`` as an ``authorized_key``.
+
+**Role Variables**
+
+.. zuul:rolevar:: zuul_user_enable_sudo
+   :default: False
+
+   Enable passwordless ``sudo`` access for the zuul user.

playbooks/roles/zuul-user/defaults/main.yaml

@@ -0,0 +1 @@
+zuul_user_enable_sudo: False

playbooks/roles/zuul-user/tasks/main.yaml

@@ -11,6 +11,7 @@
     owner: root
     group: root
     mode: 0440
+  when: zuul_user_enable_sudo
 
 - name: Install system-config per-project key for zuul
   authorized_key:
@@ -18,3 +19,4 @@
     state: present
     key: |
       ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcXd/QJDEprSLh6N6bULnhchf9M+uzYBEJ2b51Au67FON+5M6VEj5Ut+DlkEPhabOP+tSv9Cn1HpmpBjdEOXdmBj6JS7G/gBb4w28oZDyNjrPT2ebpRw/XnVEkGfikR2J+j3o7CV+ybhLDalXm2TUDReVXnONUq3YzZbjRzoYs0xxrxyss47vZP0xFpsAt9jCMAJW2k6H589VUY38k9LFyhZUZ72FB6eJ68B9GN0TimBYm2DqvupBGQrRhkP8OZ0WoBV8PulKXaHVFdmfBNHB7E7FLlZKuiM6nkV4bOWMGOB/TF++wXBK86t9po3pWCM7+kr72xGRTE+6LuZ2z1K+h'
+    comment: Zuul key from http://zuul.opendev.org/api/tenant/openstack/project-ssh-key/opendev/system-config.pub at 2020-02-26