Skip to content

GitLab user provisioning: API-driven SSH key and access token registration

Summary

Automate GitLab account setup for each agent so they can interact with GitLab (push code, create MRs, comment on issues) without manual configuration.

Requirements

  1. SSH key registration — on first boot (or config change), register each agent's public SSH key with their GitLab account via the GitLab API
  2. Access level enforcement — the accessLevel option (reporter/developer/maintainer) should map to GitLab group/project membership permissions
  3. Token provisioning — create or rotate personal access tokens as needed

Design Considerations

  • Requires a bootstrap credential with admin access to create/manage GitLab users
  • Should be idempotent (re-running does not create duplicate keys)
  • Consider a oneshot systemd service that runs after network is up
  • Agent GitLab accounts must already exist (or this module should create them)

Dependencies

  • Depends on #7 (secret management) for storing generated tokens/keys

Acceptance Criteria

  • SSH keys registered for all agents on GitLab
  • Access levels enforced per agent definition
  • Idempotent — safe to re-run
  • Tested on earthrealm