author | Lars Wirzenius <liw@liw.fi> | 2017-12-04 22:26:26 +0200 |
---|---|---|
committer | Lars Wirzenius <liw@liw.fi> | 2017-12-04 22:26:26 +0200 |
commit | 5620730c68cc7a6ba96918455f265febc6dec991 (patch) | |
tree | 6ea4d83b7101bb0fb5d02c8276baf7710a3c7253 /roles/ick-controller | |
parent | 7b229ec380a5e985774d64e66bef818f21ffb166 (diff) | |
download | ick2-ansible-5620730c68cc7a6ba96918455f265febc6dec991.tar.gz |
Add: ick-controller ole
Diffstat (limited to 'roles/ick-controller')
-rw-r--r-- | roles/ick-controller/tasks/main.yml | 104 | ||||
-rw-r--r-- | roles/ick-controller/templates/controller.conf.j2 | 6 | ||||
-rw-r--r-- | roles/ick-controller/templates/haproxy.cfg.j2 | 44 |
3 files changed, 154 insertions, 0 deletions
diff --git a/roles/ick-controller/tasks/main.yml b/roles/ick-controller/tasks/main.yml
new file mode 100644
index 0000000..0723a1d
--- /dev/null
+++ b/roles/ick-controller/tasks/main.yml
@@ -0,0 +1,104 @@
+- name: install ick packages
+ apt:
+ name: "{{ item }}"
+ with_items:
+ - curl
+ - psmisc
+ - ick2
+ - haproxy
+ - debootstrap
+
+# This should go away once we have isolated builds.
+- name: install packages for building sites with ikiwiki
+ apt:
+ name: "{{ item }}"
+ with_items:
+ - ikiwiki
+ - libhighlight-perl
+ - graphviz
+ - rsync
+
+- name: create config dirs
+ file:
+ state: directory
+ path: "{{ item }}"
+ owner: root
+ group: root
+ mode: 0755
+ with_items:
+ - /etc/ick
+ - /etc/haproxy
+
+- name: install controller config
+ template:
+ src: controller.conf.j2
+ dest: /etc/ick/controller.conf
+ owner: root
+ group: root
+ mode: 0644
+
+- name: install haproxy config
+ template:
+ src: haproxy.cfg.j2
+ dest: /etc/haproxy/haproxy.cfg
+ owner: root
+ group: root
+ mode: 0644
+
+- name: install TLS certificate
+ copy:
+ content: "{{ tls_certificate }}"
+ dest: /etc/ssl/ick.pem
+ owner: root
+ group: root
+ mode: 0600
+
+- name: install token signing private key
+ copy:
+ content: "{{ token_private_key }}"
+ dest: /etc/ick/token_key
+ owner: _ickwm
+ group: _ickwm
+ mode: 0600
+
+- name: install token signing public key
+ copy:
+ content: "{{ token_public_key }}"
+ dest: /etc/ick/token_key.pub
+ owner: _ickwm
+ group: _ickwm
+ mode: 0644
+
+- name: create _ickwm .ssh
+ file:
+ state: directory
+ path: /var/lib/ick/wm/.ssh
+ owner: _ickwm
+ group: _ickwm
+ mode: 0700
+
+- name: install ssh key for worker-manager
+ copy:
+ content: "{{ wm_ssh_key }}"
+ dest: /var/lib/ick/wm/.ssh/id_rsa
+ owner: _ickwm
+ group: _ickwm
+ mode: 0600
+
+- name: install ssh public key for worker-manager
+ copy:
+ content: "{{ wm_ssh_key_pub }}"
+ dest: /var/lib/ick/wm/.ssh/id_rsa.pub
+ owner: _ickwm
+ group: _ickwm
+ mode: 0644
+
+- name: enable and start units
+ service:
+ name: "{{ item }}"
+ state: restarted
+ enabled: yes
+ with_items:
+ - ick2
+ - ick2-worker-manager
+ - haproxy
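Review bot: The copy tasks that write `tls_certificate`, `token_private_key` and `wm_ssh_key` run without `no_log: true`, so the private key material is echoed into verbose and `--diff` output and into any configured callback or log sink; add `no_log: true` to each of those tasks (and to the public-key tasks if you want them uniform). Separately, the last task uses `state: restarted`, which restarts ick2, ick2-worker-manager and haproxy on every play run rather than only when a config file or key actually changed; use `state: started` there and have the template and copy tasks `notify` a restart handler. The unquoted octal modes (`0755`, `0644`, `0600`, `0700`) work only because of the leading zero and are flagged by ansible-lint; quoting them as `mode: "0600"` makes the intent unambiguous to YAML 1.2 parsers, and `enabled: yes` should be `enabled: true` for the same reason.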
diff --git a/roles/ick-controller/templates/controller.conf.j2 b/roles/ick-controller/templates/controller.conf.j2
new file mode 100644
index 0000000..22e6124
--- /dev/null
+++ b/roles/ick-controller/templates/controller.conf.j2
@@ -0,0 +1,6 @@
+token-issuer: localhost
+token-audience: localhost
+token-public-key: "{{ token_public_key }}"
+log:
+ - filename: /var/log/ick/controller.log
+statedir: /var/lib/ick/state
diff --git a/roles/ick-controller/templates/haproxy.cfg.j2 b/roles/ick-controller/templates/haproxy.cfg.j2
new file mode 100644
index 0000000..0772a4b
--- /dev/null
+++ b/roles/ick-controller/templates/haproxy.cfg.j2
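Review bot: `token-public-key: "{{ token_public_key }}"` substitutes the key into a plain double-quoted scalar, so if the variable holds a multi-line PEM block (which the separate `token_key.pub` file written by this commit suggests) the YAML parser folds its line breaks into spaces and the controller receives a corrupted key; a value containing `"` or `\` would break the quoting outright. Render it as a properly escaped scalar with `token-public-key: {{ token_public_key | to_json }}`, or as a block scalar `token-public-key: |` with the value passed through Jinja's `indent` filter. If the controller can read the key from a path, pointing it at `/etc/ick/token_key.pub` would avoid embedding the key in the config at all, but I cannot tell from this diff whether that option exists.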
@@ -0,0 +1,44 @@
+global
+ log 127.0.0.1 local4
+ chroot /var/lib/haproxy
+ stats socket /run/haproxy/admin.sock mode 660 level admin
+ stats timeout 30s
+ user haproxy
+ group haproxy
+ daemon
+
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
+ tune.ssl.default-dh-param 2048
+ ssl-default-bind-options no-tls-tickets
+ ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+
+defaults
+ log global
+ mode http
+ option httplog
+ option dontlognull
+ timeout connect 5000
+ timeout client 50000
+ timeout server 50000
+ errorfile 400 /etc/haproxy/errors/400.http
+ errorfile 403 /etc/haproxy/errors/403.http
+ errorfile 408 /etc/haproxy/errors/408.http
+ errorfile 500 /etc/haproxy/errors/500.http
+ errorfile 502 /etc/haproxy/errors/502.http
+ errorfile 503 /etc/haproxy/errors/503.http
+ errorfile 504 /etc/haproxy/errors/504.http
+
+
+frontend http-in
+ bind *:80
+ bind *:443 ssl no-sslv3 no-tlsv10 crt /etc/ssl/ick.pem
+
+ rspadd Strict-Transport-Security:\ max-age=15768000
+
+ acl any method GET HEAD POST PUT DELETE
+
+ use_backend ick_controller if any
+
+backend ick_controller
+ server ick_controller_1 127.0.0.1:12765 |
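Review bot: `bind *:80` in frontend http-in is routed to ick_controller by the same `use_backend ick_controller if any` rule as the TLS listener, so clients and whatever credentials they carry reach the controller over cleartext HTTP; the HSTS header added by `rspadd` only helps browsers after a first HTTPS visit and does nothing for API clients. Add `redirect scheme https code 301 if !{ ssl_fc }` to the frontend ahead of `use_backend` so port 80 only ever redirects. The bind line still permits TLS 1.1 alongside the ECDHE/GCM cipher list; if the installed HAProxy supports it, `no-tlsv11` on the bind (or `ssl-min-ver TLSv1.2` in `ssl-default-bind-options` on 1.8 and later) would make the two consistent. `rspadd` is deprecated from HAProxy 1.8 in favour of `http-response set-header Strict-Transport-Security max-age=15768000`; if the target distro ships an older version, a comment saying so would save the next maintainer a lookup.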