authorLars Wirzenius <liw@liw.fi>2017-12-04 22:26:26 +0200
committerLars Wirzenius <liw@liw.fi>2017-12-04 22:26:26 +0200
commit5620730c68cc7a6ba96918455f265febc6dec991 (patch)
tree6ea4d83b7101bb0fb5d02c8276baf7710a3c7253 /roles/ick-controller
parent7b229ec380a5e985774d64e66bef818f21ffb166 (diff)
Add: ick-controller ole
Diffstat (limited to 'roles/ick-controller')
-rw-r--r--roles/ick-controller/tasks/main.yml104
-rw-r--r--roles/ick-controller/templates/controller.conf.j26
-rw-r--r--roles/ick-controller/templates/haproxy.cfg.j244
3 files changed, 154 insertions, 0 deletions
diff --git a/roles/ick-controller/tasks/main.yml b/roles/ick-controller/tasks/main.yml
new file mode 100644
index 0000000..0723a1d
--- /dev/null
+++ b/roles/ick-controller/tasks/main.yml
@@ -0,0 +1,104 @@
+- name: install ick packages
+ apt:
+ name: "{{ item }}"
+ with_items:
+ - curl
+ - psmisc
+ - ick2
+ - haproxy
+ - debootstrap
+
+# This should go away once we have isolated builds.
+- name: install packages for building sites with ikiwiki
+ apt:
+ name: "{{ item }}"
+ with_items:
+ - ikiwiki
+ - libhighlight-perl
+ - graphviz
+ - rsync
+
+- name: create config dirs
+ file:
+ state: directory
+ path: "{{ item }}"
+ owner: root
+ group: root
+ mode: 0755
+ with_items:
+ - /etc/ick
+ - /etc/haproxy
+
+- name: install controller config
+ template:
+ src: controller.conf.j2
+ dest: /etc/ick/controller.conf
+ owner: root
+ group: root
+ mode: 0644
+
+- name: install haproxy config
+ template:
+ src: haproxy.cfg.j2
+ dest: /etc/haproxy/haproxy.cfg
+ owner: root
+ group: root
+ mode: 0644
+
+- name: install TLS certificate
+ copy:
+ content: "{{ tls_certificate }}"
+ dest: /etc/ssl/ick.pem
+ owner: root
+ group: root
+ mode: 0600
+
+- name: install token signing private key
+ copy:
+ content: "{{ token_private_key }}"
+ dest: /etc/ick/token_key
+ owner: _ickwm
+ group: _ickwm
+ mode: 0600
+
+- name: install token signing public key
+ copy:
+ content: "{{ token_public_key }}"
+ dest: /etc/ick/token_key.pub
+ owner: _ickwm
+ group: _ickwm
+ mode: 0644
+
+- name: create _ickwm .ssh
+ file:
+ state: directory
+ path: /var/lib/ick/wm/.ssh
+ owner: _ickwm
+ group: _ickwm
+ mode: 0700
+
+- name: install ssh key for worker-manager
+ copy:
+ content: "{{ wm_ssh_key }}"
+ dest: /var/lib/ick/wm/.ssh/id_rsa
+ owner: _ickwm
+ group: _ickwm
+ mode: 0600
+
+- name: install ssh public key for worker-manager
+ copy:
+ content: "{{ wm_ssh_key_pub }}"
+ dest: /var/lib/ick/wm/.ssh/id_rsa.pub
+ owner: _ickwm
+ group: _ickwm
+ mode: 0644
+
+- name: enable and start units
+ service:
+ name: "{{ item }}"
+ state: restarted
+ enabled: yes
+ with_items:
+ - ick2
+ - ick2-worker-manager
+ - haproxy
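Review bot: The copy tasks that write `token_private_key`, `wm_ssh_key` and `tls_certificate` (which presumably also carries the private key, since haproxy's `crt` expects a combined PEM) have no `no_log: true`, so the secret content is printed in verbose and `--diff` output of every run; add `no_log: true` to each of those three tasks. The final task uses `state: restarted`, which restarts ick2, ick2-worker-manager and haproxy on every play run even when nothing changed; `state: started` here plus a restart handler notified by the config and key tasks keeps the role idempotent. The file modes are bare octals (`mode: 0755`, `0644`, `0600`), which a YAML 1.2 parser reads as decimal; Ansible's guidance is to quote them (`mode: "0644"`), and `enabled: yes` is better written `enabled: true`.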
diff --git a/roles/ick-controller/templates/controller.conf.j2 b/roles/ick-controller/templates/controller.conf.j2
new file mode 100644
index 0000000..22e6124
--- /dev/null
+++ b/roles/ick-controller/templates/controller.conf.j2
@@ -0,0 +1,6 @@
+token-issuer: localhost
+token-audience: localhost
+token-public-key: "{{ token_public_key }}"
+log:
+ - filename: /var/log/ick/controller.log
+statedir: /var/lib/ick/state
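Review bot: `token-public-key: "{{ token_public_key }}"` substitutes the key into a double-quoted YAML scalar, where line breaks are folded into spaces; if `token_public_key` is a multi-line PEM block (as the `.pub` file written by the tasks suggests), the controller would read a key with its newlines replaced, and any `"` in the value would terminate the scalar early. A block scalar avoids both problems: `token-public-key: |` followed by `  {{ token_public_key | indent(2) }}`. Whether the controller accepts the key inline or could instead be pointed at `/etc/ick/token_key.pub` is not visible here, so the exact form should be checked against the controller's config parser.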
diff --git a/roles/ick-controller/templates/haproxy.cfg.j2 b/roles/ick-controller/templates/haproxy.cfg.j2
new file mode 100644
index 0000000..0772a4b
--- /dev/null
+++ b/roles/ick-controller/templates/haproxy.cfg.j2
@@ -0,0 +1,44 @@
+global
+ log 127.0.0.1 local4
+ chroot /var/lib/haproxy
+ stats socket /run/haproxy/admin.sock mode 660 level admin
+ stats timeout 30s
+ user haproxy
+ group haproxy
+ daemon
+
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
+ tune.ssl.default-dh-param 2048
+ ssl-default-bind-options no-tls-tickets
+ ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+
+defaults
+ log global
+ mode http
+ option httplog
+ option dontlognull
+ timeout connect 5000
+ timeout client 50000
+ timeout server 50000
+ errorfile 400 /etc/haproxy/errors/400.http
+ errorfile 403 /etc/haproxy/errors/403.http
+ errorfile 408 /etc/haproxy/errors/408.http
+ errorfile 500 /etc/haproxy/errors/500.http
+ errorfile 502 /etc/haproxy/errors/502.http
+ errorfile 503 /etc/haproxy/errors/503.http
+ errorfile 504 /etc/haproxy/errors/504.http
+
+
+frontend http-in
+ bind *:80
+ bind *:443 ssl no-sslv3 no-tlsv10 crt /etc/ssl/ick.pem
+
+ rspadd Strict-Transport-Security:\ max-age=15768000
+
+ acl any method GET HEAD POST PUT DELETE
+
+ use_backend ick_controller if any
+
+backend ick_controller
+ server ick_controller_1 127.0.0.1:12765
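Review bot: `bind *:80` and the TLS listener share one frontend whose only routing rule is `use_backend ick_controller if any`, so every request the controller accepts over TLS is also accepted in plaintext, and the `rspadd Strict-Transport-Security` header is emitted on plaintext responses where clients ignore it. If port 80 is only meant to bootstrap HTTPS, add `redirect scheme https code 301 if !{ ssl_fc }` ahead of the `use_backend` line and restrict the header with `rspadd Strict-Transport-Security:\ max-age=15768000 if { ssl_fc }`. The `any` acl also means requests with other methods (PATCH, OPTIONS) match no backend and get a 503 from haproxy, which is fine if intended but worth a one-line comment. Nothing in this `.j2` file is actually templated; if no variables are planned, installing it with `copy:` as a plain `haproxy.cfg` would make that explicit.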