authorLars Wirzenius <liw@liw.fi>2018-06-13 16:17:46 +0300
committerLars Wirzenius <liw@liw.fi>2018-06-13 16:17:46 +0300
commitb99525d19db9840a641542380ad22ba63c7a381d (patch)
treee92de66c6808dae411bfbae0c735781354a23602 /liw.yml
parent83b3574f3abf2c367a7a687867273e6259975ce6 (diff)
Change: extract all vars user is expected
Put my vars into liw.yml. All variables in group_vars/* and roles/*/defaults/main.yml are now expected to be generic and usable by anyone.
Diffstat (limited to 'liw.yml')
-rw-r--r--liw.yml76
1 files changed, 76 insertions, 0 deletions
diff --git a/liw.yml b/liw.yml
new file mode 100644
index 0000000..b5e5d1e
--- /dev/null
+++ b/liw.yml
@@ -0,0 +1,76 @@
+# Should API clients in the ick instance verify that TLS certificates
+# are signed by a known CA? Set to "no" if using self-signed certs.
+verify_tls: no
+
+
+# Should Let's Encrypt be used to get TLS certificates for the
+# controller component? If not, the certificate defined in
+# tls_certificate gets deployed instead.
+letsencrypt: no
+letsencrypt_email: liw@liw.fi
+letsencrypt_domain: "{{ controller_domain }}"
+tls_certificate: "{{ lookup('pipe', 'pass show ick2/ick.pem') }}"
+
+
+# The Apache config for serving the APT repository needs to know the
+# webmaster email.
+apt_admin_email: liw@liw.fi
+
+
+# The APT repository gets signed using a PGP key.
+apt_signing_key: "{{ lookup('pipe', 'pass show ick2/apt_key') }}"
+apt_signing_key_pub: "{{ lookup('pipe', 'pass show ick2/apt_key.pub') }}"
+apt_signing_key_fingerprint: |
+ {{ lookup('pipe', 'pass show ick2/apt_key.pub | gpg --with-colons | grep "^fpr:" | cut -d: -f10') }}
+
+
+# Workers should each have separate ssh keys. FIXME: We only support
+# the same key for each, at the moment.
+wm_ssh_key: "{{ lookup('pipe', 'pass show ick2/wm_ssh_key') }}"
+wm_ssh_key_pub: "{{ lookup('pipe', 'pass show ick2/wm_ssh_key_pub') }}"
+
+
+# The notification service needs access to an SMTP server to send
+# email. Ideally using the 587 port to submit the mail; this usually
+# require authentication. STARTTLS will be used to talk to the SMTP
+# server unconditionally.
+smtp_server: pieni.net
+smtp_port: 587
+smtp_user: pienirelay
+smtp_password: "{{ lookup('pipe', 'pass show pieni.net/pienirelay') }}"
+
+
+# Qvisqve handles authentication of API clients and signs its access
+# tokens using RSA public keys. Define the signing keys, plus an admin
+# user (for using with icktool), and four workers. FIXME: each worker
+# has here the same client secret.
+qvisqve_token_public_key: "{{ lookup('pipe', 'pass show ick2/token_key.pub') }}"
+qvisqve_token_private_key: "{{ lookup('pipe', 'pass show ick2/token_key') }}"
+qvisqve_admin_hash: "{{ lookup('pipe', 'pass show ick2/liw_hash') }}"
+qvisqve_admin_salt: "{{ lookup('pipe', 'pass show ick2/liw_salt') }}"
+qvisqve_worker1_hash: "{{ lookup('pipe', 'pass show ick2/worker1_hash') }}"
+qvisqve_worker1_salt: "{{ lookup('pipe', 'pass show ick2/worker1_salt') }}"
+qvisqve_worker2_hash: "{{ lookup('pipe', 'pass show ick2/worker1_hash') }}"
+qvisqve_worker2_salt: "{{ lookup('pipe', 'pass show ick2/worker1_salt') }}"
+qvisqve_worker3_hash: "{{ lookup('pipe', 'pass show ick2/worker1_hash') }}"
+qvisqve_worker3_salt: "{{ lookup('pipe', 'pass show ick2/worker1_salt') }}"
+qvisqve_worker4_hash: "{{ lookup('pipe', 'pass show ick2/worker1_hash') }}"
+qvisqve_worker4_salt: "{{ lookup('pipe', 'pass show ick2/worker1_salt') }}"
+
+
+# I like to have an addition "dist" in the APT repository, liwdev, so
+# I can have ick build from a liw/dev branch, in addition to master,
+# and put the resulting Debian packages where they don't get confused
+# with the ones from master. Some day this will not require
+# re-configuration of the APT repository via Ansible.
+apt_distributions:
+ - codename: stretch
+ description: Release packages for stretch
+ - codename: stretch-ci
+ description: CI builds for stretch
+ - codename: unstable
+ description: Release packages for unstable
+ - codename: unstable-ci
+ description: CI builds for unstable
+ - codename: liw-ci
+ description: CI builds for unstable from liw
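Review bot: `verify_tls: no` at the top of the file switches off CA verification for every API client in the instance, which removes the protection against an interposed server rather than only the self-signed-certificate inconvenience the comment describes; if the controller's certificate is self-signed, the safer configuration keeps verification on and hands that certificate (or its issuing CA) to the clients as a trusted CA, assuming the ick clients accept a CA bundle, which is worth confirming before relying on it. Write the two booleans as `verify_tls: false` and `letsencrypt: false`, since `no` is a YAML 1.1 truthy form that generic tooling reads differently, and adjust the comment to say `false`. `apt_signing_key_fingerprint` uses a `|` block scalar, so the value carries a trailing newline after the lookup result; `|-` drops it. The same pipeline's `grep "^fpr:"` probably returns more than one line when the public key has subkeys, which would put several fingerprints into one variable; if that is the case here, select the primary key's line, for example with `head -n1`.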