60 files changed, 753 insertions, 685 deletions
diff --git a/ci-prod-workers.hz b/ci-prod-workers.hz
index cd9180a..407bf57 100644
--- a/ci-prod-workers.hz
+++ b/ci-prod-workers.hz
@@ -1,7 +1,12 @@
defaults:
- type: cx11
+ type: cx21
image: debian-9
hosts:
- name: worker1
- groups: [worker]
-# - name: worker2
+ groups: [workers, ickhost]
+ - name: worker2
+ groups: [workers, ickhost]
+ # - name: worker3
+ # groups: [workers, ickhost]
+ # - name: worker4
+ # groups: [workers, ickhost]
diff --git a/create-controller b/create-controller
new file mode 100755
index 0000000..2cf1360
--- /dev/null
+++ b/create-controller
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+set -eu
+
+scopes="
+create
+update
+show
+delete
+"
+
+api="$1"
+name="$2"
+secret="$3"
+
+qvisqvetool -a "$api" create client "$name" "$secret"
+qvisqvetool -a "$api" allow-scope client "$name" $scopes
diff --git a/create-user b/create-user
new file mode 100755
index 0000000..fbb93a6
--- /dev/null
+++ b/create-user
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+set -eu
+
+scopes="
+uapi_blobs_id_get
+uapi_blobs_id_put
+uapi_builds_get
+uapi_builds_id_delete
+uapi_builds_id_get
+uapi_logs_get
+uapi_logs_id_delete
+uapi_logs_id_get
+uapi_pipelines_get
+uapi_pipelines_id_delete
+uapi_pipelines_id_get
+uapi_pipelines_id_put
+uapi_pipelines_post
+uapi_projects_get
+uapi_projects_id_delete
+uapi_projects_id_get
+uapi_projects_id_put
+uapi_projects_id_status_get
+uapi_projects_id_status_put
+uapi_projects_post
+uapi_status_get
+uapi_version_get
+uapi_workers_get
+uapi_workers_id_delete
+uapi_workers_id_get
+create
+update
+show
+delete
+uapi_work_get
+uapi_work_post
+uapi_workers_post
+"
+
+api="$1"
+name="$2"
+secret="$3"
+
+qvisqvetool -a "$api" delete client "$name" || true
+qvisqvetool -a "$api" create client "$name" "$secret"
+qvisqvetool -a "$api" allow-scope client "$name" $scopes
diff --git a/create-worker b/create-worker
new file mode 100755
index 0000000..d2e0f4a
--- /dev/null
+++ b/create-worker
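Review bot: `secret="$3"` hands the client secret to `qvisqvetool` as a command-line argument, so for the lifetime of that process it is readable by every local user in the process list and may also land in the caller's shell history; create-user and create-worker (whose hunk continues on the next line) take the secret the same way. If qvisqvetool can read the secret from stdin, an environment variable or a file, prefer that; otherwise record in a header comment that these scripts are only meant to run on a single-user admin host. Separately, create-user grants every user client the worker-side scopes `uapi_work_get`, `uapi_work_post` and `uapi_workers_post` plus the unprefixed `create`/`update`/`show`/`delete` scopes; if an interactive user does not need them, trimming the list means a leaked user secret cannot be used to act as a worker. A one-line comment above `scopes="` stating which role each group of scopes serves would make that review possible later.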
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+set -eu
+
+scopes="
+uapi_blobs_id_get
+uapi_blobs_id_put
+uapi_builds_id_get
+uapi_logs_id_get
+uapi_notify_post
+uapi_projects_get
+uapi_version_get
+uapi_work_get
+uapi_work_post
+uapi_workers_post
+create
+update
+show
+delete
+"
+
+api="$1"
+name="$2"
+secret="$3"
+
+qvisqvetool -a "$api" delete client "$name" || true
+qvisqvetool -a "$api" create client "$name" "$secret"
+qvisqvetool -a "$api" allow-scope client "$name" $scopes
diff --git a/demo-workers.hz b/demo-workers.hz
deleted file mode 100644
index f5aa0c1..0000000
--- a/demo-workers.hz
+++ /dev/null
@@ -1,8 +0,0 @@
-defaults:
- type: cx11
- image: debian-9
-hosts:
- - name: worker1
- groups: [workers, ickhost]
- - name: worker2
- groups: [workers, ickhost]
diff --git a/demo.hz b/demo.hz
deleted file mode 100644
index 717f548..0000000
--- a/demo.hz
+++ /dev/null
@@ -1,7 +0,0 @@
-defaults:
- type: cx11
- image: debian-9
-hosts:
- - name: controller
- type: cx21
- groups: [ickhost]
diff --git a/effi.hz b/effi.hz
deleted file mode 100644
index 6146f71..0000000
--- a/effi.hz
+++ /dev/null
@@ -1,5 +0,0 @@
-defaults:
- type: cx11
- image: debian-9
-hosts:
- - name: reg
diff --git a/effi.yml b/effi.yml
deleted file mode 100644
index 8945f1d..0000000
--- a/effi.yml
+++ /dev/null
@@ -1,72 +0,0 @@ -- hosts: reg - remote_user: root - become: yes - roles: - - role: sane_debian_system - - role: comfortable - - role: unix_users - - role: haproxy - - role: qvisqve - - role: muck - tags: muck - - role: effi-reg - tags: effi-reg - vars: - hostname: effidemo - - debian_codename: stretch - - sources_lists: - - repo: "deb http://ci-prod-controller.vm.liw.fi/debian stretch-ci main ickhost" - signing_key: "{{ ci_prod_apt_signing_key }}" - - unix_users: - - username: root - authorized_keys: | - {{ liw_ssh_key_pub }} - {{ wm_ssh_key_pub }} - - letsencrypt_email: liw@liw.fi - haproxy_domain: "{{ reg_domain }}" - haproxy_rules: - - name: qvisqve1 - path: /token - backends: ["127.0.0.1:{{ qvisqve_port }}"] - - - name: qvisqve2 - path: /clients - backends: ["127.0.0.1:{{ qvisqve_port }}"] - - - name: qvisqve3 - path: /auth - backends: ["127.0.0.1:{{ qvisqve_port }}"] - - - name: effiapi1 - path: /status - backends: ["127.0.0.1:{{ effiapi_port }}"] - - - name: effiapi2 - path: /memb - backends: ["127.0.0.1:{{ effiapi_port }}"] - - - name: effiapi3 - path: /search - backends: ["127.0.0.1:{{ effiapi_port }}"] - - - name: effireg1 - path: / - backends: ["127.0.0.1:{{ effireg_port }}"] - - - name: effireg2 - path: /callback - backends: ["127.0.0.1:{{ effireg_port }}"] - - muck_port: 12765 - effiapi_port: 8080 - effireg_port: 8181 - - qvisqve_port: 10000 - qvisqve_domain: "{{ reg_domain }}" - - wm_ssh_key_pub: | - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCWvVYqyPen0CFhfx9dzzCKNbQ7fUpbCRdlQ/PI4sAv5R+gjUYjZJ3HQQhdkEx6mwY+fGYgGIAY9xiTi+BzXSPPtuWUypB2/ee+Dh5Uqica1TCj/3txmFGE7qwD+AqoJYbDAD1x17AaCIEDgHv2wOQ2o8GlOKTK9mGgvZWTUgIUF7PObotg8/M6TV4NO3of7ZSJ0yqumU/GLaJ8UkvYVQ3Gj0w8tbX6xiJKcOnMyM+P+JIFRKKi/SzjymVfAie9OAlIcDEYTeT6dtqWYB6hT0/40D0ZcxOfIg07/m4A956hH9AzRKuz01w2phP2zQyHRUSOCWa5EWF/H9snxpeE5Ein liw@exolobe3 diff --git a/group_vars/all.yml b/group_vars/all.yml index aebe579..94bbb04 100644 --- a/group_vars/all.yml +++ b/group_vars/all.yml 
@@ -1,95 +1,5 @@ -liw_ssh_key_pub: | - ssh-rsa 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 openpgp:0xBBE80E50 - -ivan_ssh_key_pub: | - ssh-rsa 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 Ivan Dolgov - - -nodesource_signing_key: | - -----BEGIN PGP PUBLIC KEY BLOCK----- - Version: GnuPG v1 - Comment: GPGTools - https://gpgtools.org - - mQINBFObJLYBEADkFW8HMjsoYRJQ4nCYC/6Eh0yLWHWfCh+/9ZSIj4w/pOe2V6V+ - W6DHY3kK3a+2bxrax9EqKe7uxkSKf95gfns+I9+R+RJfRpb1qvljURr54y35IZgs - fMG22Np+TmM2RLgdFCZa18h0+RbH9i0b+ZrB9XPZmLb/h9ou7SowGqQ3wwOtT3Vy - qmif0A2GCcjFTqWW6TXaY8eZJ9BCEqW3k/0Cjw7K/mSy/utxYiUIvZNKgaG/P8U7 - 89QyvxeRxAf93YFAVzMXhoKxu12IuH4VnSwAfb8gQyxKRyiGOUwk0YoBPpqRnMmD - Dl7SdmY3oQHEJzBelTMjTM8AjbB9mWoPBX5G8t4u47/FZ6PgdfmRg9hsKXhkLJc7 - C1btblOHNgDx19fzASWX+xOjZiKpP6MkEEzq1bilUFul6RDtxkTWsTa5TGixgCB/ - G2fK8I9JL/yQhDc6OGY9mjPOxMb5PgUlT8ox3v8wt25erWj9z30QoEBwfSg4tzLc - Jq6N/iepQemNfo6Is+TG+JzI6vhXjlsBm/Xmz0ZiFPPObAH/vGCY5I6886vXQ7ft - qWHYHT8jz/R4tigMGC+tvZ/kcmYBsLCCI5uSEP6JJRQQhHrCvOX0UaytItfsQfLm - EYRd2F72o1yGh3yvWWfDIBXRmaBuIGXGpajC0JyBGSOWb9UxMNZY/2LJEwARAQAB - tB9Ob2RlU291cmNlIDxncGdAbm9kZXNvdXJjZS5jb20+iQI4BBMBAgAiBQJTmyS2 - AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAWVaCraFdigHTmD/9OKhUy - jJ+h8gMRg6ri5EQxOExccSRU0i7UHktecSs0DVC4lZG9AOzBe+Q36cym5Z1di6JQ - kHl69q3zBdV3KTW+H1pdmnZlebYGz8paG9iQ/wS9gpnSeEyx0Enyi167Bzm0O4A1 - GK0prkLnz/yROHHEfHjsTgMvFwAnf9uaxwWgE1d1RitIWgJpAnp1DZ5O0uVlsPPm - XAhuBJ32mU8S5BezPTuJJICwBlLYECGb1Y65Cil4OALU7T7sbUqfLCuaRKxuPtcU - VnJ6/qiyPygvKZWhV6Od0Yxlyed1kftMJyYoL8kPHfeHJ+vIyt0s7cropfiwXoka - 1iJB5nKyt/eqMnPQ9aRpqkm9ABS/r7AauMA/9RALudQRHBdWIzfIg0Mlqb52yyTI - IgQJHNGNX1T3z1XgZhI+Vi8SLFFSh8x9FeUZC6YJu0VXXj5iz+eZmk/nYjUt4Mtc - pVsVYIB7oIDIbImODm8ggsgrIzqxOzQVP1zsCGek5U6QFc9GYrQ+Wv3/fG8hfkDn - xXLww0OGaEQxfodm8cLFZ5b8JaG3+Yxfe7JkNclwvRimvlAjqIiW5OK0vvfHco+Y - gANhQrlMnTx//IdZssaxvYytSHpPZTYw+qPEjbBJOLpoLrz8ZafN1uekpAqQjffI - AOqW9SdIzq/kSHgl0bzWbPJPw86XzzftewjKNbkCDQRTmyS2ARAAxSSdQi+WpPQZ - 
fOflkx9sYJa0cWzLl2w++FQnZ1Pn5F09D/kPMNh4qOsyvXWlekaV/SseDZtVziHJ - Km6V8TBG3flmFlC3DWQfNNFwn5+pWSB8WHG4bTA5RyYEEYfpbekMtdoWW/Ro8Kmh - 41nuxZDSuBJhDeFIp0ccnN2Lp1o6XfIeDYPegyEPSSZqrudfqLrSZhStDlJgXjea - JjW6UP6txPtYaaila9/Hn6vF87AQ5bR2dEWB/xRJzgNwRiax7KSU0xca6xAuf+TD - xCjZ5pp2JwdCjquXLTmUnbIZ9LGV54UZ/MeiG8yVu6pxbiGnXo4Ekbk6xgi1ewLi - vGmz4QRfVklV0dba3Zj0fRozfZ22qUHxCfDM7ad0eBXMFmHiN8hg3IUHTO+UdlX/ - aH3gADFAvSVDv0v8t6dGc6XE9Dr7mGEFnQMHO4zhM1HaS2Nh0TiL2tFLttLbfG5o - QlxCfXX9/nasj3K9qnlEg9G3+4T7lpdPmZRRe1O8cHCI5imVg6cLIiBLPO16e0fK - yHIgYswLdrJFfaHNYM/SWJxHpX795zn+iCwyvZSlLfH9mlegOeVmj9cyhN/VOmS3 - QRhlYXoA2z7WZTNoC6iAIlyIpMTcZr+ntaGVtFOLS6fwdBqDXjmSQu66mDKwU5Ek - fNlbyrpzZMyFCDWEYo4AIR/18aGZBYUAEQEAAYkCHwQYAQIACQUCU5sktgIbDAAK - CRAWVaCraFdigIPQEACcYh8rR19wMZZ/hgYv5so6Y1HcJNARuzmffQKozS/rxqec - 0xM3wceL1AIMuGhlXFeGd0wRv/RVzeZjnTGwhN1DnCDy1I66hUTgehONsfVanuP1 - PZKoL38EAxsMzdYgkYH6T9a4wJH/IPt+uuFTFFy3o8TKMvKaJk98+Jsp2X/QuNxh - qpcIGaVbtQ1bn7m+k5Qe/fz+bFuUeXPivafLLlGc6KbdgMvSW9EVMO7yBy/2JE15 - ZJgl7lXKLQ31VQPAHT3an5IV2C/ie12eEqZWlnCiHV/wT+zhOkSpWdrheWfBT+ac - hR4jDH80AS3F8jo3byQATJb3RoCYUCVc3u1ouhNZa5yLgYZ/iZkpk5gKjxHPudFb - DdWjbGflN9k17VCf4Z9yAb9QMqHzHwIGXrb7ryFcuROMCLLVUp07PrTrRxnO9A/4 - xxECi0l/BzNxeU1gK88hEaNjIfviPR/h6Gq6KOcNKZ8rVFdwFpjbvwHMQBWhrqfu - G3KaePvbnObKHXpfIKoAM7X2qfO+IFnLGTPyhFTcrl6vZBTMZTfZiC1XDQLuGUnd - sckuXINIU3DFWzZGr0QrqkuE/jyr7FXeUJj9B7cLo+s/TXo+RaVfi3kOc9BoxIvy - /qiNGs/TKy2/Ujqp/affmIMoMXSozKmga81JSwkADO1JMgUy6dApXz9kP4EE3g== - =CLGF - -----END PGP PUBLIC KEY BLOCK----- - - -ql_ick_apt_signing_key: | - -----BEGIN PGP PUBLIC KEY BLOCK----- - - mQINBFsqXtgBEADkoJ5/pbHjDHxYteLm9aFeaRrkTzorLRQJbLJrzKhhdk6rHC1e - PLhTOto5dIzk1WaFL9y4YYcTcH8DG3RECfYN0XP7alO7jSUSbavMzFkdTCfj7nve - VzXFOHKAPjQ5sNk1RmkXhymN47Jz0P7wDXuPfUOesYcsZbiPqYt58Lo8uM9cXxxw - 7QKr1fcgiobVIOliUGRK5xd1ouf89RHnNx4mnGU8h253Uj/3W2HxYvjQJ+viJwZ5 - 2RBG0If0+NT2mWo57b91TadkNh3ePPGzeQ44HK/FKyTmJh/LhYhVTIUd1V2a8Lb4 - ZsLbsLbKZ5JOWMluCE15zfRm5i5jCr/kKw6jkXl/GSsTTTKP/7QLDTsV8bpQTQIB - 
gH63zTdbNnGgOdW8h6Mbba5fxk5uYikVCzyXrBJMz1iPN81kmrKxrNQHeD/W+izE - Is1vgRCob0FQvXY12nUioxHalzpo48hfPLqraN+YrLV+ZMay+mDawp9I4UyjZZVJ - BvPtIFVk00dan0qRvrJSDC01I8e3OiPnSR/fxYpsgnRMZq/izR6vxurcvltw4xZf - qQduHQIwhMBS0fqZsWA2+iRxcoJHSHyU8GjaR56J7FyVFRVYALEDRwMivGQJA9EB - tGs/to6jKI44/mTQuINSXbqg675fK8BBD9cKfgbm0e7d29RL1opKHmkc/QARAQAB - tC5RdmFybkxhYnMgQ0kgc2lnbmluZyBrZXkgMiA8b3BzQHF2YXJubGFicy5jb20+ - iQJOBBMBCgA4FiEEuNQCV3NzVKizncG08iKomR2ZL5QFAlsqXtgCGwMFCwkIBwMF - FQoJCAsFFgIDAQACHgECF4AACgkQ8iKomR2ZL5TnsxAAt3bqgpVD4WhtzJY2HaC4 - EwfNApC3K2pdHTNH02fA2xbw/cZoVzyq+8yHfMy30EeWfQmyAf3yUM0GcmQuKq8S - qRcP3AthGZCMZlYoRorpTe+1RnpSvxcty9feDSdyvhDQvz7sWiy1apbn378eYGyk - uuRUgyzmeYOyQvtpEshiGcQNANJYTOAlV5txqzkZEVAuATnaFo0zIpg37uYgl/Hq - doongXIU3vYKEum000/h04198Na1j1X/5q3sdUvBu4s6FuSSG+Y2gHLM+ZvpQ3AA - H7PNypPHqKgVVbid67OyzQr4AX+dD90G1Y/3tgZu4Y2YS84G5t9TWmkj5gKdeMIk - osNui5ewSKF99goMu8nFT5BIQzAYVinE1GdDO4nZuBVRntbb+aizDVBrQmtDogDy - QhmZN2zDXu+mSCOuc/4Vz0WzStaVt/0IGn8mhAYzWDD9qhG0y9iQjMqsJL8Mz4aU - zhHdLtCDzPkmA/PmJ5xMWkYBg3o50Zym7th5VNx7WiH1x60aIuop1cY4ijIwtq2I - pk15xAMkpJu0GpmLj11NyAdNKh1ZO4C++++VeSybedUe8cALY2w7fYFoKaHlLMTJ - Yl0IOnX5Arsu/uDf+MEr8KqUot7wClCu2xc+Uibl82TvJughSXos837VVqwsXbrP - O0r4lo6OxPSsGD4HZ4/hbwk= - =Iy6+ - -----END PGP PUBLIC KEY BLOCK----- +liw_personal_ssh_key_pub: | + ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPQe6lsTapAxiwhhEeE/ixuK+5N8esCsMWoekQqjtxjP liw personal systems ci_prep_apt_signing_key: | -----BEGIN PGP PUBLIC KEY BLOCK----- diff --git a/group_vars/apt.yml b/group_vars/apt.yml index 39c33c0..e793ee4 100644 --- a/group_vars/apt.yml +++ b/group_vars/apt.yml @@ -5,10 +5,6 @@ apt_signing_key_pub: FIXME apt_signing_key_fingerprint: FIXME apt_admin_email: FIXME apt_distributions: - - codename: stretch - description: Release packages for stretch - - codename: stretch-ci - description: CI builds for stretch - codename: unstable description: Release packages for unstable - codename: unstable-ci 
diff --git a/group_vars/ickhost.yml b/group_vars/ickhost.yml index d68a56e..67b4290 100644 --- a/group_vars/ickhost.yml +++ b/group_vars/ickhost.yml @@ -1,29 +1,27 @@ qvisqve_token_public_key: FIXME tls_certificate: FIXME -debian_codename: stretch -debian_mirror: deb.debian.org -debian_mirror_src: deb.debian.org - ci_prefix: "" -sources_lists: - - repo: "deb http://deb.debian.org/debian stretch-backports main" - - repo: "deb http://code.liw.fi/debian stretch main ickhost" - signing_key: "{{ code_liw_fi_signing_key }}" - - repo: "deb http://ci-prod-controller.vm.liw.fi/debian stretch main ickhost" +sane_debian_system_sources_lists: +# - repo: "deb http://code.liw.fi/debian unstable main ickhost" +# signing_key: "{{ code_liw_fi_signing_key }}" + - repo: "deb http://ci-prod-controller.vm.liw.fi/debian unstable-ci main ickhost" + signing_key: "{{ ci_prod_apt_signing_key }}" -controller_port: 12765 -artifact_store_port: 12766 +controller_port: 3333 +artifact_store_port: 5555 qvisqve_port: 10000 -notify_port: 12767 +notify_port: 6666 ickweb_port: 10001 apache_port: 8080 +muck_port: 4444 controller_url: "https://{{ controller_domain }}" artifact_store_url: "https://{{ artifact_store_domain }}" qvisqve_url: "https://{{ qvisqve_domain }}" notify_url: "https://{{ notify_domain }}/notify" +muck_url: "https://{{ muck_domain }}" apt_uploader_ssh_public_keys: - "{{ wm_ssh_key_pub }}" @@ -43,6 +41,18 @@ haproxy_rules: path: /web backends: ["127.0.0.1:{{ ickweb_port }}"] + - name: res + path: /res + backends: ["127.0.0.1:{{ muck_port }}"] + + - name: search + path: /search + backends: ["127.0.0.1:{{ muck_port }}"] + + - name: status + path: /status + backends: ["127.0.0.1:{{ muck_port }}"] + - name: blobs path: /blobs backends: ["127.0.0.1:{{ artifact_store_port }}"] @@ -0,0 +1,21 @@ +ick +worker1 + +[ickhost] +ick +worker1 + +[controller] +ick + +[qvisqve] +ick + +[apt] +ick + +[notify] +ick + +[workers] +worker1 
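Review bot: The new `status` rule routes `/status` on the controller domain to muck, yet the ick controller appears to expose a `/status` endpoint of its own (create-user in this commit grants a `uapi_status_get` scope), so whichever rule haproxy evaluates first wins and the other service's `/status` becomes unreachable behind the proxy. If both services need that path, give the muck rules a distinct prefix, or confirm that the ordering of `haproxy_rules` is what the role's template relies on; the start of the `haproxy_rules` list lies outside this hunk. Either way a comment such as `# /res, /search and /status go to muck; the controller's own /status is not proxied` above the three new rules would make the intent explicit.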
diff --git a/hosts.ci-prep b/hosts.ci-prep deleted file mode 100644 index 4a6a4f1..0000000 --- a/hosts.ci-prep +++ /dev/null @@ -1 +0,0 @@ -ick ansible_ssh_host=ci-prep-ick.vm.liw.fi diff --git a/hosts.ci-prod b/hosts.ci-prod deleted file mode 100644 index c8c8c4b..0000000 --- a/hosts.ci-prod +++ /dev/null @@ -1 +0,0 @@ -controller ansible_ssh_host=ci-prod-controller.vm.liw.fi diff --git a/hosts.ci-prod-workers b/hosts.ci-prod-workers deleted file mode 100644 index 04f6763..0000000 --- a/hosts.ci-prod-workers +++ /dev/null @@ -1 +0,0 @@ -worker1 ansible_ssh_host=ci-prod-workers-worker1.vm.liw.fi diff --git a/hosts.demo b/hosts.demo deleted file mode 100644 index c972f63..0000000 --- a/hosts.demo +++ /dev/null @@ -1 +0,0 @@ -controller ansible_ssh_host=demo-controller.vm.liw.fi diff --git a/hosts.demo-workers b/hosts.demo-workers deleted file mode 100644 index df6fb6a..0000000 --- a/hosts.demo-workers +++ /dev/null @@ -1,2 +0,0 @@ -worker1 ansible_ssh_host=demo-workers-worker1.vm.liw.fi -worker2 ansible_ssh_host=demo-workers-worker2.vm.liw.fi diff --git a/hosts.e5-workers b/hosts.e5-workers new file mode 100644 index 0000000..f58d68b --- /dev/null +++ b/hosts.e5-workers @@ -0,0 +1,5 @@ +[ickhost] +workera + +[workers] +workera diff --git a/hosts.effi b/hosts.effi deleted file mode 100644 index eb032a7..0000000 --- a/hosts.effi +++ /dev/null @@ -1 +0,0 @@ -reg ansible_ssh_host=effi-reg.vm.liw.fi diff --git a/hosts.ick b/hosts.ick deleted file mode 100644 index e69de29..0000000 --- a/hosts.ick +++ /dev/null diff --git a/hosts.ickdev b/hosts.ickdev deleted file mode 100644 index 642cded..0000000 --- a/hosts.ickdev +++ /dev/null @@ -1 +0,0 @@ -api ansible_ssh_host=ickdev-api.vm.liw.fi diff --git a/hosts.muck b/hosts.muck deleted file mode 100644 index e69de29..0000000 --- a/hosts.muck +++ /dev/null diff --git a/ick-api.yml b/ick-api.yml deleted file mode 100644 index e22403c..0000000 --- a/ick-api.yml +++ /dev/null 
@@ -1,42 +0,0 @@ -- hosts: api - remote_user: root - become: yes - roles: - - sane_debian_system - - unix_users - - comfortable - vars: - hostname: api - qvisqve_domain: "{{ controller_domain }}" - artifact_store_domain: "{{ controller_domain }}" - apt_domain: "{{ controller_domain }}" - notify_domain: "{{ controller_domain }}" - - liw_ssh_key_pub: | - ssh-rsa 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 openpgp:0xBBE80E50 - - ivan_ssh_key_pub: | - ssh-rsa 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 ivan@fl522 - - pyry_ssh_key_pub: | - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDSWuT9Zh6EPKKkvB8LTKahEipIZez3whoa8WxDCzT8grVImfKpszU5vpUlF+gz9rXooDVE4yQp3g5Dxm2keYatyDa22OzbqYC2QeWteKqr+s2GLcAc/faHUMNiP9pt46C2W/h/zI21cu3KTbbPl9MGFRbP82kBVsiwFTT2aZd62cbV8/GEj7yOZyyULU5f0MoKvHxs97zVvkzNCY3byS/X3VdREUUFe5GdD9RL5zqIEeFlwFYBNlh56diwW/g4GDJ0uQPn77Pw2nFPdli4ibP3ftSIX+Ys8aWHZwzvxNhZocmwrxGRzpTqweeXL8XKgRfhnqT6g7GFFOyaKftB0hsFIkG1gb8TQ2GCxKfRqhDePaey5+Q4qkyGhRHsteOocFVYNucKjf1rD3titb2+BHTCYt4oNqPyr4BmbfJ9qKj/Fw/8mNIw9uxKRZr57a42lqCZa6CglHo0P/Fr7xjqL2HuUcfnl5g7dJyalZhiPVr535cPfFYjLYWl8WvFsyfLCphQDKdi9THpY93V4bwB03M4gs4lwluVUG6/GOI7ONW61BoH97NduBb9pCYrr5suQgGsAi0oY97XaidpO4AAjfiTvMBlMiGPjtgGI5A2rYcUa6tGrsFu/MBQ8TNTv2iOUt1sCPlXq5sqLKBlj4DnYlC1F1v5kpN7rnr2M0MnCnyHLw== openpgp:0xC082E95A - - unix_users: - - username: root - sudo: yes - - username: ivan - sudo: yes - authorized_keys: | - {{ ivan_ssh_key_pub }} - - username: pyry - sudo: yes - authorized_keys: | - {{ pyry_ssh_key_pub }} - - username: liw - sudo: yes - authorized_keys: | - {{ liw_ssh_key_pub }} - - username: ickapi - - sources_lists: - - repo: "deb http://deb.debian.org/debian buster main" diff --git a/ick-cluster.yml b/ick-cluster.yml index 1f2f399..b146b1f 100644 --- a/ick-cluster.yml +++ b/ick-cluster.yml 
@@ -1,20 +1,34 @@ -- hosts: controller - remote_user: root +- hosts: ick + remote_user: debian become: yes roles: - sane_debian_system - - unix_users - comfortable - - haproxy + - apt_repository + - haproxy-for-ick - qvisqve - ick-controller - ick-artifact-store - - apt_repository - ick-notifier - - ickweb + - muck + tasks: + - shell: | + sed -i 's/self._verify = None/self._verify = False/' /usr/lib/python3/dist-packages/ick2/client.py + sed -i 's/self._verify = verify/self._verify = False/' /usr/lib/python3/dist-packages/ick2/client.py + sed -i '/sendmail/d' /usr/lib/python3/dist-packages/ick2/notificationapi.py + - systemd: + state: restarted + name: ick-controller + - systemd: + state: restarted + name: notification_service vars: - hostname: ickhost + sane_debian_system_version: 2 + sane_debian_system_codename: buster + + haproxy_domain: "{{ controller_domain }}" qvisqve_domain: "{{ controller_domain }}" artifact_store_domain: "{{ controller_domain }}" apt_domain: "{{ controller_domain }}" notify_domain: "{{ controller_domain }}" + muck_domain: "{{ controller_domain }}" diff --git a/ick-ui.yml b/ick-ui.yml deleted file mode 100644 index eba69b8..0000000 --- a/ick-ui.yml +++ /dev/null @@ -1,37 +0,0 @@ -- hosts: ui - remote_user: root - become: yes - roles: - - sane_debian_system - - unix_users - - comfortable - - apache_server - - ick_ui - vars: - hostname: ick - - wm_ssh_key_pub: "{{ lookup('pipe', 'pass show ick2/wm_ssh_key_pub') }}" - - unix_users: - - username: root - authorized_keys: | - {{ wm_ssh_key_pub }} - {{ demo_wm_ssh_key_pub }} - {{ liw_ssh_key_pub }} - - username: ivan - sudo: yes - authorized_keys: | - {{ ivan_ssh_key_pub }} - - letsencrypt: yes - letsencrypt_email: liw@liw.fi - - static_sites: - - domain: ick-ui.vm.liw.fi - owner: root - ownermail: liw@liw.fi - letsencrypt: yes - - sources_lists: - - repo: "deb https://deb.nodesource.com/node_10.x stretch main" - signing_key: "{{ nodesource_signing_key }}" 
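Review bot: The new `shell` task rewrites `/usr/lib/python3/dist-packages/ick2/client.py` so that `self._verify` is always `False`, which switches off TLS certificate verification for every ick2 client on the controller, not just for the self-signed haproxy certificate this commit ships, so any HTTPS peer the controller talks to can be impersonated. The second `sed` replaces `self._verify = verify`, so the library evidently accepts a `verify` value; pointing that at the deployed certificate (or the system CA bundle) through configuration would trust the local certificate without trusting every other one. The edit is also made to a packaged file, so the next upgrade of the ick2 package silently reverts it, and the task reports `changed` on every run; at minimum add `changed_when: false` and a comment explaining why the `/sendmail/d` line is removed from notificationapi.py. A related `verify_tls: no` appears in ick-workers.yml in this commit.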
diff --git a/ick-workers.yml b/ick-workers.yml index 9cda47c..5011d80 100644 --- a/ick-workers.yml +++ b/ick-workers.yml @@ -1,10 +1,38 @@ - hosts: workers - remote_user: root + remote_user: debian become: yes roles: - sane_debian_system - comfortable - unix_users - ick-worker + tasks: + - shell: | + sed -i "s/'uapi_logs_id_get',/'uapi_logs_id_get','create','update','show','delete',/" /usr/bin/worker_manager + - systemd: + state: restarted + name: ick-worker + - apt: + name: + - psmisc vars: - verify_tls: yes + ansible_python_interpreter: /usr/bin/python3 + + sane_debian_system_version: 2 + sane_debian_system_codename: buster + sane_debian_system_hostname: "{{ inventory_hostname }}" + + unix_users_version: 2 + unix_users: + - username: debian + sudo: yes + authorized_keys: | + {{ liw_personal_ssh_key_pub }} + - username: _ickwm + sudo: yes + ssh_key: "{{ wm_ssh_key }}" + ssh_key_pub: "{{ wm_ssh_key_pub }}" + authorized_keys: | + {{ liw_personal_ssh_key_pub }} + + verify_tls: no @@ -1,5 +0,0 @@ -defaults: - type: cx11 - image: debian-9 -hosts: - - name: ui diff --git a/ick2.yml b/ick2.yml deleted file mode 100644 index 263420d..0000000 --- a/ick2.yml +++ /dev/null @@ -1,24 +0,0 @@ -- hosts: ick - remote_user: root - become: yes - roles: - - sane_debian_system - - comfortable - - unix_users - - haproxy - - qvisqve - - ick-controller - - ick-artifact-store - - apt_repository - - ick-notifier - - ick-worker - - ickweb - vars: - hostname: ickhost - controller_domain: "{{ ick_domain }}" - qvisqve_domain: "{{ controller_domain }}" - artifact_store_domain: "{{ controller_domain }}" - apt_domain: "{{ controller_domain }}" - apt_domain_set: false - notify_domain: "{{ controller_domain }}" - diff --git a/ickdev.hz b/ickdev.hz deleted file mode 100644 index 142281e..0000000 --- a/ickdev.hz +++ /dev/null @@ -1,7 +0,0 @@ -defaults: - type: cx11 - image: debian-9 -hosts: - - name: api - type: cx21 - groups: [ickhost] 
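Review bot: `verify_tls: no` disables certificate checking on the workers' connection to the controller, while the same play gives the `_ickwm` service account `sudo: yes` and the `wm_ssh_key` private key, so a host that can answer for the controller domain could hand build jobs to an account with root on the worker. Distributing the self-signed haproxy certificate (added under roles/haproxy-for-ick/files in this commit) to the workers and verifying against it keeps the self-signed setup without dropping verification; if `verify_tls` only takes a boolean, record that as `# TODO: verify against the deployed haproxy cert instead of disabling checks` next to it. The `sed` on `/usr/bin/worker_manager` that injects the `create`/`update`/`show`/`delete` scopes edits a packaged file and is undone by the next package upgrade, so it deserves a comment naming the upstream change it stands in for. Finally, `yes`/`no` are YAML 1.1 booleans; write `verify_tls: false` and `sudo: true` to avoid parser-dependent readings.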
diff --git a/ickweb.hz b/ickweb.hz deleted file mode 100644 index 0f8c8f5..0000000 --- a/ickweb.hz +++ /dev/null @@ -1,5 +0,0 @@ -defaults: - type: cx11 - image: debian-9 -hosts: - - name: demo diff --git a/ickweb.yml b/ickweb.yml deleted file mode 100644 index a78a82c..0000000 --- a/ickweb.yml +++ /dev/null @@ -1,18 +0,0 @@ -- hosts: demo - remote_user: root - become: yes - roles: - - sane_debian_system - - unix_users - - ickweb - vars: - hostname: ickweb - locales: - - fi_FI.UTF-8 - - en_GB.UTF-8 - debian_codename: stretch - sources_lists: - - repo: "deb http://deb.debian.org/debian stretch-backports main" - qvisqve_token_public_key: "{{ lookup('pipe', 'pass show qvisqve/token_key_pub') }}" - - letsencrypt_email: liw@liw.fi 
@@ -53,29 +53,16 @@ qvisqve_token_public_key: "{{ lookup('pipe', 'pass show ick2/token_key.pub') }}" qvisqve_token_private_key: "{{ lookup('pipe', 'pass show ick2/token_key') }}" qvisqve_admin_hash: "{{ lookup('pipe', 'pass show ick2/liw_hash') }}" qvisqve_admin_salt: "{{ lookup('pipe', 'pass show ick2/liw_salt') }}" -qvisqve_worker1_hash: "{{ lookup('pipe', 'pass show ick2/worker1_hash') }}" -qvisqve_worker1_salt: "{{ lookup('pipe', 'pass show ick2/worker1_salt') }}" -qvisqve_worker2_hash: "{{ lookup('pipe', 'pass show ick2/worker1_hash') }}" -qvisqve_worker2_salt: "{{ lookup('pipe', 'pass show ick2/worker1_salt') }}" -qvisqve_worker3_hash: "{{ lookup('pipe', 'pass show ick2/worker1_hash') }}" -qvisqve_worker3_salt: "{{ lookup('pipe', 'pass show ick2/worker1_salt') }}" -qvisqve_worker4_hash: "{{ lookup('pipe', 'pass show ick2/worker1_hash') }}" -qvisqve_worker4_salt: "{{ lookup('pipe', 'pass show ick2/worker1_salt') }}" +qvisqve_liw_hash: "{{ lookup('pipe', 'pass show ick2/liw_hash') }}" +qvisqve_liw_salt: "{{ lookup('pipe', 'pass show ick2/liw_salt') }}" +qvisqve_controller_secret: "{{ lookup('pipe', 'pass show ick2/controller_secret') }}" +qvisqve_controller_hash: "{{ lookup('pipe', 'pass show ick2/controller_hash') }}" +qvisqve_controller_salt: "{{ lookup('pipe', 'pass show ick2/controller_salt') }}" +qvisqve_worker_hash: "{{ lookup('pipe', 'pass show ick2/worker1_hash') }}" +qvisqve_worker_salt: "{{ lookup('pipe', 'pass show ick2/worker1_salt') }}" - -# I like to have an addition "dist" in the APT repository, liwdev, so -# I can have ick build from a liw/dev branch, in addition to master, -# and put the resulting Debian packages where they don't get confused -# with the ones from master. Some day this will not require -# re-configuration of the APT repository via Ansible. 
apt_distributions: - - codename: stretch - description: Release packages for stretch - - codename: stretch-ci - description: CI builds for stretch - codename: unstable description: Release packages for unstable - codename: unstable-ci description: CI builds for unstable - - codename: liw-ci - description: CI builds for unstable from liw diff --git a/muck.hz b/muck.hz deleted file mode 100644 index 9b7729e..0000000 --- a/muck.hz +++ /dev/null @@ -1,5 +0,0 @@ -defaults: - type: cx11 - image: debian-9 -hosts: - - name: muck diff --git a/muck.yml b/muck.yml deleted file mode 100644 index 593447a..0000000 --- a/muck.yml +++ /dev/null @@ -1,52 +0,0 @@ -- hosts: muck - remote_user: root - become: yes - roles: - - sane_debian_system - - unix_users - - comfortable - - haproxy - - qvisqve - - muck - vars: - hostname: muck - - debian_codename: stretch - debian_mirror: deb.debian.org - debian_mirror_src: deb.debian.org - - sources_lists: - - repo: "deb http://ci-prod-controller.vm.liw.fi/debian stretch-ci main ickhost" - signing_key: "{{ ci_prod_apt_signing_key }}" - - letsencrypt_email: liw@liw.fi - letsencrypt_domain: "{{ muck_domain }}" - - haproxy_domain: "{{ muck_domain }}" - haproxy_rules: - - name: qvisqve1 - path: /token - backends: ["127.0.0.1:{{ qvisqve_port }}"] - - - name: qvisqve2 - path: /clients - backends: ["127.0.0.1:{{ qvisqve_port }}"] - - - name: muck1 - path: /status - backends: ["127.0.0.1:{{ muck_port }}"] - - - name: muck2 - path: /res - backends: ["127.0.0.1:{{ muck_port }}"] - - - name: muck3 - path: /search - backends: ["127.0.0.1:{{ muck_port }}"] - - muck_port: 12765 - - qvisqve_port: 10000 - qvisqve_domain: "{{ muck_domain }}" - qvisqve_token_private_key: "{{ lookup('pipe', 'pass show ick2/token_key') }}" - qvisqve_token_public_key: "{{ lookup('pipe', 'pass show ick2/token_key.pub') }}" diff --git a/roles/apt_repository/tasks/main.yml b/roles/apt_repository/tasks/main.yml index 70374aa..047af9e 100644 --- a/roles/apt_repository/tasks/main.yml 
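Review bot: `qvisqve_worker_hash` and `qvisqve_worker_salt` are filled from the single `ick2/worker1_hash` and `ick2/worker1_salt` pass entries, so every worker authenticates with the same credential and none can be revoked without rotating all of them; the file header for this hunk is not in SOURCE, so which host these vars apply to is unclear. `qvisqve_liw_hash`/`qvisqve_liw_salt` likewise duplicate `qvisqve_admin_hash`/`qvisqve_admin_salt` from the same `ick2/liw_hash` and `ick2/liw_salt` entries, which means the admin identity and the `liw` user share one password. Per-worker pass entries would fix the first point; until then a comment such as `# shared by all workers until per-worker credentials exist` on `qvisqve_worker_hash` keeps the trade-off visible.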
+++ b/roles/apt_repository/tasks/main.yml @@ -20,9 +20,9 @@ - incron - apache2 -- name: install apache tls module - apache2_module: - name: ssl +# - name: install apache tls module +# apache2_module: +# name: ssl - name: create APT repository directory file: @@ -32,6 +32,12 @@ group: apt mode: 0755 +- name: configure apache to only listen on port 8080 + lineinfile: + dest: /etc/apache2/ports.conf + regexp: "^ *Listen .*$" + line: "Listen 8080" + - name: configure apache to server repo over http template: src: "{{ item.src }}" @@ -44,6 +50,11 @@ - src: apache-http.conf dest: 000-default.conf +- name: restart Apache + systemd: + name: apache2 + state: restarted + - name: mkdir /src/apt/conf file: path: /srv/apt/conf @@ -102,10 +113,9 @@ name: key.pub - name: import gpg keys for apt - become_user: apt shell: | cd /home/apt - gpg --import key key.pub + sudo -u apt gpg --import key key.pub - name: delete temp key copies file: @@ -128,9 +138,13 @@ group: apt mode: 0755 +- name: "create incrontab for apt" + copy: + content: | + /srv/apt/incoming IN_CLOSE_WRITE /srv/apt/process-incoming + dest: /srv/apt/incrontab + - name: set up incrontab for processing incoming uploads shell: | - incrontab - << EOF - /srv/apt/incoming IN_CLOSE_WRITE /srv/apt/process-incoming - EOF - become_user: apt + sudo -u apt incrontab /srv/apt/incrontab + diff --git a/roles/apt_repository/templates/apache-http.conf b/roles/apt_repository/templates/apache-http.conf index 46a54ed..c15905f 100644 --- a/roles/apt_repository/templates/apache-http.conf +++ b/roles/apt_repository/templates/apache-http.conf @@ -1,4 +1,3 @@ -Listen 8080 <VirtualHost _default_:{{ apache_port }}> ServerAdmin {{ apt_admin_email }} diff --git a/roles/comfortable/tasks/main.yml b/roles/comfortable/tasks/main.yml index c00f642..ebf3fa5 100644 --- a/roles/comfortable/tasks/main.yml +++ b/roles/comfortable/tasks/main.yml 
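Review bot: The `configure apache to only listen on port 8080` task relies on `lineinfile` with `regexp: "^ *Listen .*$"`, but lineinfile replaces only the last matching line; on a stock Debian install ports.conf has a top-level `Listen 80` plus `Listen 443` lines inside `<IfModule>` blocks, so the edit most likely lands on one of the latter and Apache keeps listening on 80 while `Listen 8080` ends up inside a module block that is inert now that the ssl-module task is commented out. Together with the removal of `Listen 8080` from apache-http.conf in this commit, Apache may not listen on `{{ apache_port }}` at all and the haproxy backend at `127.0.0.1:{{ apache_port }}` would fail. Use the `replace` module, which rewrites every match, or template the whole ports.conf, and add a comment that port 80 is deliberately closed because haproxy fronts the repository.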
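Review bot: The new `restart Apache` task runs unconditionally on every play, so each run of the role briefly takes the repository offline even when nothing in ports.conf or the vhost template changed. Making it a handler and adding `notify: restart Apache` to the `lineinfile` and `template` tasks restarts only when a configuration change actually happened.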
@@ -6,6 +6,7 @@ - curl - psmisc - locales-all + - jq - name: "remove uncomfortable packages" apt: name: "{{ item }}" diff --git a/roles/haproxy-for-ick/README b/roles/haproxy-for-ick/README new file mode 100644 index 0000000..ed0360a --- /dev/null +++ b/roles/haproxy-for-ick/README @@ -0,0 +1 @@ +Install haproxy and set up a Let's Encrypt TLS certificate for it. diff --git a/roles/haproxy-for-ick/defaults/main.yml b/roles/haproxy-for-ick/defaults/main.yml new file mode 100644 index 0000000..12e2906 --- /dev/null +++ b/roles/haproxy-for-ick/defaults/main.yml @@ -0,0 +1,14 @@ +# Set the domain haproxy serves, used for the TLS certificate. + +haproxy_domain: FIXME + +# List haproxy rules: a list of dicts like this: +# +# name: foo +# path: /foo +# backends: +# - 127.0.0.1:8080 +# - 127.0.0.1:8181 + +haproxy_rules: [] + diff --git a/roles/haproxy-for-ick/files/haproxy.crt b/roles/haproxy-for-ick/files/haproxy.crt new file mode 100644 index 0000000..fbaf6ee --- /dev/null +++ b/roles/haproxy-for-ick/files/haproxy.crt 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDYzCCAkugAwIBAgIUdxKP8RqYs3OcgUXeSgU8P3l88wMwDQYJKoZIhvcNAQEL +BQAwQTETMBEGA1UEAwwKZG9tYWluLmNvbTEdMBsGA1UECgwUTXkgQ29tcGFueSBO +YW1lIExURC4xCzAJBgNVBAYTAlVTMB4XDTIxMDMxNTA5NDcxMloXDTIyMDMxNTA5 +NDcxMlowQTETMBEGA1UEAwwKZG9tYWluLmNvbTEdMBsGA1UECgwUTXkgQ29tcGFu +eSBOYW1lIExURC4xCzAJBgNVBAYTAlVTMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAwdItzZ33l2SKLcoV7bze9jVWcZOikW1OHyjho7LPiFGbjq/Tkzz+ +OrtOfX83976SrZPudKqMmZm01eFzSTe+cR0Iq5toLAVjK69y1fn0TVPuV+nsLvHE +jVJqxhDWLklcz9rf496Z58atD4ZigyRJ+OZBxvt8TlBw4LzdGyVN7nWstz6iJnO/ +6fU+8IJU6lsUdA7t7dWWPC/qjMRh+SUMbFhK/7dPfNn7Fa22Xh+dxH/iwod2tA1b +lIGgl7lsyIVhO1nFgVFE23/1fQMCmVT3hDH0hrsk62u4AoSWUjVq/O2+92IkXhVg +UpjSek8KBlHWpIrOBnOMYPfkLuKW0WOYhwIDAQABo1MwUTAdBgNVHQ4EFgQUwPjU +LVoATZ7ZcjgW29v3IwyzXJUwHwYDVR0jBBgwFoAUwPjULVoATZ7ZcjgW29v3Iwyz +XJUwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAKyTZRVtK4Cyg +cKc6eVUKUk9v9Mr+hJ/WY6hEqX7Kun49EvNg/oK+pQGO73r4CZ6RY7Wud5Op49dn +4szp6fYCEi3Ep7PjZBPb6ngKMXhxlcjq9O/r73N29L2neTgIAVukuYyCJA3A9qXu +PuAYL3IqQbMU4BFkoFo0NmxoeR0zrgyZUtcnsM5zk8uVV1k3ElDnbcYyfC9Xoe3b +fpqCjHe1LmZoStd92eXL2utyzkY8yCH8Hu1xp0cudg8u8PAz3yFVKdZn1bL2pSqP +Srlw5KMPpkpecDfmrVFX767OkTx9VuqMFfwk4ayHvCIo3F+QEIf1rn0NVwkMMzrq +mhBCibPHQA== +-----END CERTIFICATE----- diff --git a/roles/haproxy-for-ick/files/haproxy.key b/roles/haproxy-for-ick/files/haproxy.key new file mode 100644 index 0000000..63c114c --- /dev/null +++ b/roles/haproxy-for-ick/files/haproxy.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDB0i3NnfeXZIot +yhXtvN72NVZxk6KRbU4fKOGjss+IUZuOr9OTPP46u059fzf3vpKtk+50qoyZmbTV +4XNJN75xHQirm2gsBWMrr3LV+fRNU+5X6ewu8cSNUmrGENYuSVzP2t/j3pnnxq0P +hmKDJEn45kHG+3xOUHDgvN0bJU3uday3PqImc7/p9T7wglTqWxR0Du3t1ZY8L+qM +xGH5JQxsWEr/t0982fsVrbZeH53Ef+LCh3a0DVuUgaCXuWzIhWE7WcWBUUTbf/V9 +AwKZVPeEMfSGuyTra7gChJZSNWr87b73YiReFWBSmNJ6TwoGUdakis4Gc4xg9+Qu +4pbRY5iHAgMBAAECggEBAI4gCjhBwsHAFtc23dej7LcMK6RDRy1uwp90wejhAO+M +MA50fif0zNPSb970v9yqYTJpTK0+NrWXkZRYqsog10RorufvoHbPSIZLNGEV1gAy +MI9E2E0gOioLKoKs6/GrGCTO8ehNXfwootTEjU5u+NNMPSWlWeSvdeZGd7glJb1a +Qb+801gtedryo73j4+Wntq7KUAuvZO1M88bcI9q8wYVn3RfneJGLZAm/8MF8fqrI +sgtpGgCvPfuA2OvzgnWOEC9O4Cn0HlqGm5BFnoHiBUlo6XJ4yBL1/YdPzjmT1+rS +hNTNSKEGTFQ+qzNQRdaF4WoubfXPJgrMKOeGnMYmgSECgYEA+4t41wZEcnFvIfd+ +5nID8/LqCqLgH0wSW6cavtzjSqhMCV3P7BFT3R5kAYIvl1z7P6Iu7SQX7ucJyoJt +ONTOiaIPl9Sfuc1lYBcyGmBp9+zn8fDUabQZ8vu4kPnEi1oGc3TCl3NDNmi3tzgi +P8PJH3IvLlUCjWnUXfm6s5VaSDECgYEAxUD7UZyAihAxGeKzVfUmHIMJAzObtOMp +K7AcVZ/XYsYUq56sNUcDRv5rv6pUx3ry+Jpa13yoWusxa+7YU+MXV6Glw11Jo2Vl +0QHwYrV4oyYso0MUwlLdck1FgBwRz3yUJGiGjyXL8J0ILCEUwPnb80/I/ekfv82o +Ai3vWbrP9jcCgYB784A6RMZZtnfSvwhzOd+kyCB32UajZXLuYuuU/XerBD9jpiyc +4PT4Us9oxuP4rELKWnrRNCXu/T4f4iE8DfEwdQFGCeojPokjzopL4RKWrtCksc2Z +wLvAtjV+ivVEzbm8Dt8Mjimil/tfd3O5BBsJOdTx+cXmNS4GmNZdQ81XIQKBgBDu +5SQ6ZSZ1AWIRfgexBdaIwStPMNy0a4JemfAXyqumCXw6INpqADQF/0Xy31hIi7cf +uRCqmOFFM3bqiBObeROCwvIkff/S4oywt+whW/vVeRuC1LNh3bTEQWUgA79mGGmP +t41uVzWOpXb0WA3A5Urb3Is/igQzKWsWemefi969AoGBAKlcbc1W+ihSGLWC05TV +OATBzbknGpFz3F7U3ROGHLJLVzwJt8kfBA4RgoIZk4ZRcgwj61GmgFKwUJJG9z27 +SCBw2MAGOW97/pEyY814q6NBMmj943NfsLNtAB9dqfrqfE2KAA84rY0EQIR0+26K +imPnDav0mfZdsnb/mvfiCu8X +-----END PRIVATE KEY----- diff --git a/roles/haproxy-for-ick/files/haproxy.pem b/roles/haproxy-for-ick/files/haproxy.pem new file mode 100644 index 0000000..cf218da --- /dev/null +++ b/roles/haproxy-for-ick/files/haproxy.pem 
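Review bot: `haproxy.key` (and its copy inside `haproxy.pem`, whose hunk continues on the following lines) commits a TLS private key to the repository, where it remains in history even after a later removal; decoding the matching `haproxy.crt` shows a self-signed placeholder subject (CN `domain.com`, O `My Company Name LTD.`, C `US`), and ick-cluster.yml in this commit disables client verification rather than trusting it. Generate the key on the target host in a task (e.g. with `openssl`) or pull it from the secret store the playbooks already use through `pass show`, deploy it with `mode: "0600"`, and keep only the certificate, never the key, where clients can copy it for pinning. The role README added in this commit says it sets up a Let's Encrypt certificate, which this static file contradicts, so one of the two should be brought in line with the other.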
@@ -0,0 +1,49 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDB0i3NnfeXZIot +yhXtvN72NVZxk6KRbU4fKOGjss+IUZuOr9OTPP46u059fzf3vpKtk+50qoyZmbTV +4XNJN75xHQirm2gsBWMrr3LV+fRNU+5X6ewu8cSNUmrGENYuSVzP2t/j3pnnxq0P +hmKDJEn45kHG+3xOUHDgvN0bJU3uday3PqImc7/p9T7wglTqWxR0Du3t1ZY8L+qM +xGH5JQxsWEr/t0982fsVrbZeH53Ef+LCh3a0DVuUgaCXuWzIhWE7WcWBUUTbf/V9 +AwKZVPeEMfSGuyTra7gChJZSNWr87b73YiReFWBSmNJ6TwoGUdakis4Gc4xg9+Qu +4pbRY5iHAgMBAAECggEBAI4gCjhBwsHAFtc23dej7LcMK6RDRy1uwp90wejhAO+M +MA50fif0zNPSb970v9yqYTJpTK0+NrWXkZRYqsog10RorufvoHbPSIZLNGEV1gAy +MI9E2E0gOioLKoKs6/GrGCTO8ehNXfwootTEjU5u+NNMPSWlWeSvdeZGd7glJb1a +Qb+801gtedryo73j4+Wntq7KUAuvZO1M88bcI9q8wYVn3RfneJGLZAm/8MF8fqrI +sgtpGgCvPfuA2OvzgnWOEC9O4Cn0HlqGm5BFnoHiBUlo6XJ4yBL1/YdPzjmT1+rS +hNTNSKEGTFQ+qzNQRdaF4WoubfXPJgrMKOeGnMYmgSECgYEA+4t41wZEcnFvIfd+ +5nID8/LqCqLgH0wSW6cavtzjSqhMCV3P7BFT3R5kAYIvl1z7P6Iu7SQX7ucJyoJt +ONTOiaIPl9Sfuc1lYBcyGmBp9+zn8fDUabQZ8vu4kPnEi1oGc3TCl3NDNmi3tzgi +P8PJH3IvLlUCjWnUXfm6s5VaSDECgYEAxUD7UZyAihAxGeKzVfUmHIMJAzObtOMp +K7AcVZ/XYsYUq56sNUcDRv5rv6pUx3ry+Jpa13yoWusxa+7YU+MXV6Glw11Jo2Vl +0QHwYrV4oyYso0MUwlLdck1FgBwRz3yUJGiGjyXL8J0ILCEUwPnb80/I/ekfv82o +Ai3vWbrP9jcCgYB784A6RMZZtnfSvwhzOd+kyCB32UajZXLuYuuU/XerBD9jpiyc +4PT4Us9oxuP4rELKWnrRNCXu/T4f4iE8DfEwdQFGCeojPokjzopL4RKWrtCksc2Z +wLvAtjV+ivVEzbm8Dt8Mjimil/tfd3O5BBsJOdTx+cXmNS4GmNZdQ81XIQKBgBDu +5SQ6ZSZ1AWIRfgexBdaIwStPMNy0a4JemfAXyqumCXw6INpqADQF/0Xy31hIi7cf +uRCqmOFFM3bqiBObeROCwvIkff/S4oywt+whW/vVeRuC1LNh3bTEQWUgA79mGGmP +t41uVzWOpXb0WA3A5Urb3Is/igQzKWsWemefi969AoGBAKlcbc1W+ihSGLWC05TV +OATBzbknGpFz3F7U3ROGHLJLVzwJt8kfBA4RgoIZk4ZRcgwj61GmgFKwUJJG9z27 +SCBw2MAGOW97/pEyY814q6NBMmj943NfsLNtAB9dqfrqfE2KAA84rY0EQIR0+26K +imPnDav0mfZdsnb/mvfiCu8X +-----END PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIIDYzCCAkugAwIBAgIUdxKP8RqYs3OcgUXeSgU8P3l88wMwDQYJKoZIhvcNAQEL +BQAwQTETMBEGA1UEAwwKZG9tYWluLmNvbTEdMBsGA1UECgwUTXkgQ29tcGFueSBO +YW1lIExURC4xCzAJBgNVBAYTAlVTMB4XDTIxMDMxNTA5NDcxMloXDTIyMDMxNTA5 
+NDcxMlowQTETMBEGA1UEAwwKZG9tYWluLmNvbTEdMBsGA1UECgwUTXkgQ29tcGFu +eSBOYW1lIExURC4xCzAJBgNVBAYTAlVTMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAwdItzZ33l2SKLcoV7bze9jVWcZOikW1OHyjho7LPiFGbjq/Tkzz+ +OrtOfX83976SrZPudKqMmZm01eFzSTe+cR0Iq5toLAVjK69y1fn0TVPuV+nsLvHE +jVJqxhDWLklcz9rf496Z58atD4ZigyRJ+OZBxvt8TlBw4LzdGyVN7nWstz6iJnO/ +6fU+8IJU6lsUdA7t7dWWPC/qjMRh+SUMbFhK/7dPfNn7Fa22Xh+dxH/iwod2tA1b +lIGgl7lsyIVhO1nFgVFE23/1fQMCmVT3hDH0hrsk62u4AoSWUjVq/O2+92IkXhVg +UpjSek8KBlHWpIrOBnOMYPfkLuKW0WOYhwIDAQABo1MwUTAdBgNVHQ4EFgQUwPjU +LVoATZ7ZcjgW29v3IwyzXJUwHwYDVR0jBBgwFoAUwPjULVoATZ7ZcjgW29v3Iwyz +XJUwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAKyTZRVtK4Cyg +cKc6eVUKUk9v9Mr+hJ/WY6hEqX7Kun49EvNg/oK+pQGO73r4CZ6RY7Wud5Op49dn +4szp6fYCEi3Ep7PjZBPb6ngKMXhxlcjq9O/r73N29L2neTgIAVukuYyCJA3A9qXu +PuAYL3IqQbMU4BFkoFo0NmxoeR0zrgyZUtcnsM5zk8uVV1k3ElDnbcYyfC9Xoe3b +fpqCjHe1LmZoStd92eXL2utyzkY8yCH8Hu1xp0cudg8u8PAz3yFVKdZn1bL2pSqP +Srlw5KMPpkpecDfmrVFX767OkTx9VuqMFfwk4ayHvCIo3F+QEIf1rn0NVwkMMzrq +mhBCibPHQA== +-----END CERTIFICATE----- diff --git a/roles/haproxy-for-ick/subplot.md b/roles/haproxy-for-ick/subplot.md new file mode 100644 index 0000000..660cfd3 --- /dev/null +++ b/roles/haproxy-for-ick/subplot.md @@ -0,0 +1,5 @@ +# Role `haproxy` – set up a web proxy using haproxy + +This role sets up a host to be a web proxy using the haproxy +software. However, as I don't plan on working on the role, I haven't +made any acceptance criteria for it yet. diff --git a/roles/haproxy-for-ick/tasks/main.yml b/roles/haproxy-for-ick/tasks/main.yml new file mode 100644 index 0000000..ffce169 --- /dev/null +++ b/roles/haproxy-for-ick/tasks/main.yml 
@@ -0,0 +1,117 @@ +- name: "check haproxy_domain is set" + shell: | + if [ "{{ haproxy_domain }}" = "" ] || [ "{{ haproxy_domain }}" = "FIXME" ] + then + echo "ERROR: MUST set haproxy_domain" 1>&2 + exit 1 + fi + +# - name: "check letsencrypt_email is set" +# shell: | +# if [ "{{ letsencrypt_email }}" = "" ] || [ "{{ letsencrypt_email }}" = "FIXME" ] +# then +# echo "ERROR: MUST set letsencrypt_email" 1>&2 +# exit 1 +# fi + +- name: install haproxy + apt: + name: haproxy + +- name: "install haproxy TLS cert" + copy: + src: haproxy.pem + dest: /etc/ssl/haproxy.pem + mode: 0600 + +# - name: "install certbot" +# apt: +# name: certbot + +# - name: "install daily cron job to create haproxy.pem" +# copy: +# content: | +# #!/bin/sh +# set -eu +# cd /etc/letsencrypt/live/haproxy +# cat fullchain.pem privkey.pem > /etc/ssl/haproxy.pem +# systemctl restart haproxy +# dest: /etc/cron.daily/haproxy.pem +# owner: root +# group: root +# mode: 0755 + +# - name: "run certbot" +# shell: | +# set -eu +# certbot certonly \ +# --standalone \ +# --noninteractive \ +# --email "{{ letsencrypt_email }}" \ +# --agree-tos \ +# --expand \ +# --cert-name haproxy \ +# --keep \ +# --pre-hook "systemctl stop haproxy" \ +# --post-hook "systemctl start haproxy" \ +# -d "{{ haproxy_domain }}" +# /etc/cron.daily/haproxy.pem + +- name: "create config dirs" + file: + state: directory + path: "{{ item }}" + owner: root + group: root + mode: 0755 + with_items: + - /etc/haproxy + +- name: "drop haproxy frontends and backends lists" + file: + state: absent + path: "{{ item }}" + with_items: + - /etc/haproxy/frontends + - /etc/haproxy/backends + +- name: "create haproxy frontends list" + shell: | + ( + echo "" + echo " acl {{ item.name }} path_beg {{ item.path }}" + echo " use_backend {{ item.name }} if {{ item.name }}" + ) >> /etc/haproxy/frontends + with_items: + - "{{ haproxy_rules }}" + +- name: "create haproxy backends list" + shell: | + ( + echo "" + echo "backend {{ item.name }}" + i=0 + {% for 
backend in item.backends %} + i="$(expr $i + 1)" + echo " server {{ item.name }}_$i {{ backend }}" + {% endfor %} + ) >> /etc/haproxy/backends + with_items: + - "{{ haproxy_rules }}" + +- name: "copy haproxy preamble" + template: + src: haproxy.cfg.preamble + dest: /etc/haproxy + +- name: "assemble haproxy preamble" + shell: | + cd /etc/haproxy + cat haproxy.cfg.preamble frontends backends > haproxy.cfg + chmod 0755 haproxy.cfg + +- name: enable and start haproxy + service: + state: restarted + enabled: yes + name: haproxy diff --git a/roles/haproxy-for-ick/templates/haproxy.cfg.preamble b/roles/haproxy-for-ick/templates/haproxy.cfg.preamble new file mode 100644 index 0000000..e01bc4e --- /dev/null +++ b/roles/haproxy-for-ick/templates/haproxy.cfg.preamble 
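Review bot: `chmod 0755 haproxy.cfg` in the "assemble haproxy preamble" task marks a configuration file executable; `chmod 0644 haproxy.cfg` is enough, and the whole step could be the `assemble` module with `mode: "0644"` instead of a shell pipeline. The "check haproxy_domain is set" task runs a shell snippet on the remote host to validate a variable; `assert: { that: haproxy_domain not in ['', 'FIXME'] }` does the same check without a remote shell and fails with a readable message. The `{{ item.name }}`, `{{ item.path }}` and `{{ backend }}` values from `haproxy_rules` are interpolated straight into `echo` lines inside `shell`, so a value containing shell metacharacters or haproxy syntax lands in the config unescaped; as these come from the operator's own inventory this is a robustness rather than an exposure issue, but a `template` for the frontends/backends files would avoid it. The octal modes (`mode: 0600`, `mode: 0755`) are safer written quoted (`"0600"`) so no YAML loader reads them as decimal.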
@@ -0,0 +1,37 @@
+global
+ log 127.0.0.1 local4
+ chroot /var/lib/haproxy
+ stats socket /run/haproxy/admin.sock mode 660 level admin
+ stats timeout 30s
+ user haproxy
+ group haproxy
+ daemon
+
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
+ tune.ssl.default-dh-param 2048
+ ssl-default-bind-options no-tls-tickets
+ ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+
+defaults
+ log global
+ mode http
+ option httplog
+ option dontlognull
+ timeout connect 5000
+ timeout client 50000
+ timeout server 50000
+ errorfile 400 /etc/haproxy/errors/400.http
+ errorfile 403 /etc/haproxy/errors/403.http
+ errorfile 408 /etc/haproxy/errors/408.http
+ errorfile 500 /etc/haproxy/errors/500.http
+ errorfile 502 /etc/haproxy/errors/502.http
+ errorfile 503 /etc/haproxy/errors/503.http
+ errorfile 504 /etc/haproxy/errors/504.http
+
+
+frontend http-in
+ bind *:80
+ bind *:443 ssl no-sslv3 no-tlsv10 crt /etc/ssl/haproxy.pem
+
+ rspadd Strict-Transport-Security:\ max-age=15768000
diff --git a/roles/ick-worker/files/ssh_config b/roles/ick-worker/files/ssh_config
new file mode 100644
index 0000000..f63f188
--- /dev/null
+++ b/roles/ick-worker/files/ssh_config
@@ -0,0 +1,2 @@
+Host git.liw.fi
+ Port 12765
diff --git a/roles/ick-worker/tasks/main.yml b/roles/ick-worker/tasks/main.yml
index f945f54..8ba7b6a 100644
--- a/roles/ick-worker/tasks/main.yml
+++ b/roles/ick-worker/tasks/main.yml
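Review bot: `bind *:443 ssl no-sslv3 no-tlsv10 crt /etc/ssl/haproxy.pem` still accepts TLS 1.1; add `no-tlsv11` (or `ssl-min-ver TLSv1.2` in `ssl-default-bind-options` on haproxy 1.8 and later) so only TLS 1.2 and up is negotiated. The frontend also binds port 80 but never redirects to HTTPS, so the `Strict-Transport-Security` header is emitted on plaintext responses where browsers ignore it; `http-request redirect scheme https unless { ssl_fc }` ahead of the `rspadd` line closes that gap, and on recent haproxy releases `rspadd` itself should be `http-response set-header`. The cipher list keeps the `DHE-DSS-*` and SHA-1 CBC suites; trimming it to the ECDHE/GCM suites is worth considering once the TLS floor is raised.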
@@ -45,3 +45,11 @@ dest: /etc/ssh/ssh_config state: present line: "StrictHostKeyChecking no" + +- name: configure ssh client to use the right port for git.liw.fi + copy: + src: ssh_config + dest: /home/_ickwm/.ssh/config + owner: _ickwm + group: _ickwm + mode: 0644 diff --git a/roles/ick-worker/templates/worker_manager.yaml.j2 b/roles/ick-worker/templates/worker_manager.yaml.j2 index ea52e06..a3277b7 100644 --- a/roles/ick-worker/templates/worker_manager.yaml.j2 +++ b/roles/ick-worker/templates/worker_manager.yaml.j2 @@ -1,6 +1,6 @@ config: controller: "{{ controller_url }}" - client-id: "{{ hostname }}" + client-id: "{{ inventory_hostname }}" client-secret-cmd: "echo {{ worker_secret }}" log: /var/log/ickwm/worker_manager.log log-level: debug diff --git a/roles/muck/defaults/main.yml b/roles/muck/defaults/main.yml new file mode 100644 index 0000000..09ec462 --- /dev/null +++ b/roles/muck/defaults/main.yml @@ -0,0 +1 @@ +muck_port: 4444 diff --git a/roles/muck/tasks/main.yml b/roles/muck/tasks/main.yml index 816fc6c..ec347be 100644 --- a/roles/muck/tasks/main.yml +++ b/roles/muck/tasks/main.yml @@ -14,6 +14,7 @@ copy: content: | { + "port": "{{ muck_port }}", "muck-url": "https://localhost:{{ muck_port }}", "log": "/var/log/muck/muck.log", "store": "/var/lib/muck/store", diff --git a/roles/qvisqve/tasks/main.yml b/roles/qvisqve/tasks/main.yml index 2d19c75..1634b69 100644 --- a/roles/qvisqve/tasks/main.yml +++ b/roles/qvisqve/tasks/main.yml @@ -11,9 +11,8 @@ - name: "install Qvisqve" apt: - name: "{{ item }}" - with_items: - - qvisqve + name: + - qvisqve - name: "create Qvisqve store dir" file: 
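Review bot: The new "configure ssh client to use the right port for git.liw.fi" task copies `ssh_config` to `/home/_ickwm/.ssh/config`, but nothing in this hunk creates `/home/_ickwm/.ssh`, and the `copy` module does not create missing parent directories, so the task fails on a fresh host unless an earlier task outside the hunk makes that directory. A preceding `file: { path: /home/_ickwm/.ssh, state: directory, owner: _ickwm, group: _ickwm, mode: "0700" }` task makes the dependency explicit. The per-host `Host git.liw.fi` stanza is also the natural place to pin that host's key (`UserKnownHostsFile` plus `StrictHostKeyChecking yes`), which would allow the global `StrictHostKeyChecking no` line kept as context above to be narrowed later.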
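Review bot: `"port": "{{ muck_port }}",` writes the port into the generated JSON as a string, while the adjacent `muck-url` line uses the same value as a number inside a URL. If muck reads `port` as an integer (the new default `muck_port: 4444` is numeric) the quotes should be dropped, `"port": {{ muck_port }},`; if it really wants a string, a one-line comment on the task saying so would spare the next reader the same question.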
@@ -39,6 +38,48 @@ owner: _qvisqve group: _qvisqve +- name: "create directory for Qvisqve clients" + file: + state: directory + path: /var/lib/qvisqve/client + owner: _qvisqve + group: _qvisqve + mode: 0755 + +- name: "install Qvisqve admin client" + template: + src: client.j2 + dest: /var/lib/qvisqve/client/admin + mode: 0600 + owner: _qvisqve + group: _qvisqve + +- name: "install Ick controller client" + template: + src: controller.j2 + dest: /var/lib/qvisqve/client/controller + mode: 0600 + owner: _qvisqve + group: _qvisqve + +- name: "install Ick liw client" + template: + src: liw.j2 + dest: /var/lib/qvisqve/client/liw + mode: 0600 + owner: _qvisqve + group: _qvisqve + +- name: "install Ick worker clients" + template: + src: worker.j2 + dest: "/var/lib/qvisqve/client/{{ item }}" + mode: 0600 + owner: _qvisqve + group: _qvisqve + with_items: + - worker1 + - name: "enable and restart Qvisqve services" service: name: "{{ item }}" diff --git a/roles/qvisqve/templates/client.j2 b/roles/qvisqve/templates/client.j2 new file mode 100644 index 0000000..f3faac3 --- /dev/null +++ b/roles/qvisqve/templates/client.j2 @@ -0,0 +1,33 @@ +allowed_scopes: + - uapi_clients_get + - uapi_clients_id_get + - uapi_clients_id_put + - uapi_clients_id_delete + - uapi_clients_post + - uapi_applications_post + - uapi_applications_get + - uapi_applications_id_get + - uapi_applications_id_put + - uapi_applications_id_delete + - uapi_clients_id_secret_put + - uapi_users_post + - uapi_users_get + - uapi_users_id_get + - uapi_users_id_put + - uapi_users_id_secret_put + - uapi_users_id_delete + - uapi_applications_post + - uapi_applications_get + - uapi_applications_id_get + - uapi_applications_id_put + - uapi_applications_id_delete + - uapi_applications_id_scret_put + - uapi_applications_id_secret_put +hashed_secret: + hash: "{{ qvisqve_admin_hash }}" + salt: "{{ qvisqve_admin_salt }}" + N: 16384 + key_len: 128 + p: 1 + r: 8 + version: 1 
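Review bot: The "install Ick worker clients" task hard-codes `with_items: - worker1`, so any further worker in the inventory gets no Qvisqve client and cannot authenticate. Driving the loop from the inventory group, `with_items: "{{ groups['workers'] }}"` (assuming the workers are grouped under that name), keeps the client list in step with the hosts, and `worker.j2` already uses `{{ item }}` as the client id so nothing else needs to change. The `mode: 0600`/`mode: 0755` values are safer quoted (`"0600"`) so no YAML loader reads them as decimal.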
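Review bot: `allowed_scopes` contains `uapi_applications_id_scret_put`, which looks like a misspelling of `uapi_applications_id_secret_put` listed right below it; a misspelled scope grants nothing and is unlikely to be reported as an error, so the line should be removed rather than left as dead configuration. The `uapi_applications_*` entries also appear twice in this file. The same list, including the typo and the duplicates, is repeated in `liw.j2` later in this diff, so both templates need the fix.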
diff --git a/roles/qvisqve/templates/controller.j2 b/roles/qvisqve/templates/controller.j2
new file mode 100644
index 0000000..3703232
--- /dev/null
+++ b/roles/qvisqve/templates/controller.j2
@@ -0,0 +1,13 @@
+allowed_scopes:
+ - create
+ - update
+ - show
+ - delete
+hashed_secret:
+ hash: "{{ qvisqve_controller_hash }}"
+ salt: "{{ qvisqve_controller_salt }}"
+ N: 16384
+ key_len: 128
+ p: 1
+ r: 8
+ version: 1
diff --git a/roles/qvisqve/templates/liw.j2 b/roles/qvisqve/templates/liw.j2
new file mode 100644
index 0000000..5e4af24
--- /dev/null
+++ b/roles/qvisqve/templates/liw.j2
@@ -0,0 +1,78 @@
+allowed_scopes:
+ - uapi_clients_get
+ - uapi_clients_id_get
+ - uapi_clients_id_put
+ - uapi_clients_id_delete
+ - uapi_clients_post
+ - uapi_applications_post
+ - uapi_applications_get
+ - uapi_applications_id_get
+ - uapi_applications_id_put
+ - uapi_applications_id_delete
+ - uapi_clients_id_secret_put
+ - uapi_users_post
+ - uapi_users_get
+ - uapi_users_id_get
+ - uapi_users_id_put
+ - uapi_users_id_secret_put
+ - uapi_users_id_delete
+ - uapi_applications_post
+ - uapi_applications_get
+ - uapi_applications_id_get
+ - uapi_applications_id_put
+ - uapi_applications_id_delete
+ - uapi_applications_id_scret_put
+ - uapi_applications_id_secret_put
+ - uapi_projects_post
+ - uapi_projects_get
+ - uapi_projects_id_get
+ - uapi_projects_id_put
+ - uapi_projects_id_delete
+ - uapi_pipelines_post
+ - uapi_pipelines_get
+ - uapi_pipelines_id_get
+ - uapi_pipelines_id_put
+ - uapi_pipelines_id_delete
+ - uapi_workers_post
+ - uapi_workers_get
+ - uapi_workers_id_get
+ - uapi_workers_id_put
+ - uapi_workers_id_delete
+ - uapi_work_post
+ - uapi_work_get
+ - uapi_work_id_get
+ - uapi_work_id_put
+ - uapi_work_id_delete
+ - uapi_builds_post
+ - uapi_builds_get
+ - uapi_builds_id_get
+ - uapi_builds_id_put
+ - uapi_builds_id_delete
+ - uapi_logs_post
+ - uapi_logs_get
+ - uapi_logs_id_get
+ - uapi_logs_id_put
+ - uapi_logs_id_delete
+
+ - uapi_version_get
+ - uapi_work_post
+ - uapi_status_get
+ - uapi_projects_id_status_get
+ - uapi_projects_id_status_put
+ - uapi_blobs_id_get
+ - uapi_blobs_id_put
+ - uapi_notify_post
+
+ - create
+ - update
+ - show
+ - delete
+
+hashed_secret:
+ hash: "{{ qvisqve_liw_hash }}"
+ salt: "{{ qvisqve_liw_salt }}"
+ N: 16384
+ key_len: 128
+ p: 1
+ r: 8
+ version: 1
diff --git a/roles/qvisqve/templates/worker.j2 b/roles/qvisqve/templates/worker.j2
new file mode 100644
index 0000000..6a0c050
--- /dev/null
+++ b/roles/qvisqve/templates/worker.j2
@@ -0,0 +1,26 @@ +# secret: /{{ worker_secret }}/ +allowed_scopes: +- uapi_version_get +- uapi_workers_post +- uapi_work_get +- uapi_work_post +- uapi_blobs_id_put +- uapi_blobs_id_get +- uapi_notify_post +- uapi_builds_id_get +- uapi_logs_id_get +- uapi_version_get +- uapi_projects_get +- create +- update +- show +- delete +hashed_secret: + N: 16384 + hash: {{ qvisqve_worker_hash }} + key_len: 128 + p: 1 + r: 8 + salt: {{ qvisqve_worker_salt }} + version: 1 +id: {{ item }} diff --git a/run-cluster.sh b/run-cluster.sh index 4c987ab..2ae3cc2 100755 --- a/run-cluster.sh +++ b/run-cluster.sh @@ -2,51 +2,7 @@ set -eu - -getaddr() -{ - awk -v "name=$1" '$1 == name { print $2 }' "$hosts_in" | - sed 's/ansible_ssh_host=//' -} - - -mkhosts() -{ - cat <<EOF -ick ansible_ssh_host=$(getaddr controller) -worker1 hostname=worker1 ansible_ssh_host=$(getaddr worker1) -worker2 hostname=worker2 ansible_ssh_host=$(getaddr worker2) - -[ickhost] -ick -worker1 -worker2 - -[controller] -ick - -[qvisqve] -ick - -[apt] -ick - -[notify] -ick - -[workers] -worker1 -worker2 -EOF -} - -hosts_in="$1" -shift 1 -mkhosts > hosts.tmp -ansible-playbook -i hosts.tmp ick-cluster.yml \ - -e "qvisqve_domain=$(getaddr controller)" \ - -e "controller_domain=$(getaddr controller)" \ - -e "artifact_store_domain=$(getaddr controller)" \ - -e "apt_domain=$(getaddr controller)" \ - -e "notify_domain=$(getaddr controller)" \ +ansible-playbook -i hosts ick-cluster.yml \ + -e controller_domain=ick \ + -e @liw.yml \ "$@" diff --git a/run-workers.sh b/run-workers.sh new file mode 100755 index 0000000..450ee9f --- /dev/null +++ b/run-workers.sh @@ -0,0 +1,13 @@ +#!/bin/bash + +set -eu + + +controller_domain="$1" +shift 1 + +ansible-playbook -i hosts.e5-workers ick-workers.yml \ + -e "controller_domain=$controller_domain" \ + -e "apt_domain=$controller_domain" \ + -e @liw.yml \ + "$@" diff --git a/test-ick b/test-ick deleted file mode 100755 index 0a29d69..0000000 --- a/test-ick +++ /dev/null 
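Review bot: The first line of the template, `# secret: /{{ worker_secret }}/`, writes the worker's plaintext secret into the rendered client file right next to its hash, which defeats the point of storing the secret hashed; drop that line. `hash: {{ qvisqve_worker_hash }}` and `salt: {{ qvisqve_worker_salt }}` are unquoted here while `client.j2` and `controller.j2` quote them; a value starting with a YAML indicator or looking like a number would be misparsed, so quote them the same way. Every worker also appears to receive the same `qvisqve_worker_hash`/`qvisqve_worker_salt`, i.e. one shared secret for all workers; if that is intended, a comment should say so. `uapi_version_get` is listed twice in `allowed_scopes`.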
@@ -1,117 +0,0 @@ -#!/bin/sh -# -# This is a helper script to make it easier for me to test all ick -# compontents together. -# -# This script optionally installs (based on first arg: yes or no) ick -# on a cluster, and then sets up a couple of test projects, and builds -# those. -# -# See the run-cluster.sh file for how the cluster is set up. -# -# The ci-vars.yaml file has the variables for setting up the test -# instance. -# -# See ickdev.yaml for the ick projects that are set up: ick_streatch -# and ick2. If you change the project names, you need to edit this -# file. -# -# This script assume you have icktool installed and configured, and -# that the ick2-ansible repository is checked out at a given location -# (see below). Also the ick rules are checked out (liw-ci repo). Also, -# the cluster hostnames are listed in hosts.ickdev. All of the various -# values work for me. If you'd like to make this more general, that'd -# be fantastic: please submit patches. -# -# Lars Wirzenius - - -set -eu - - -run_ansible="$1" -ci_dist="$2" -prefix="$3" - -ansible="$HOME/code/ick/ick2-ansible" -rules="$HOME/code/ick/liw-ci" -controller="https://ickdev2-controller.vm.liw.fi" - -tool() -{ - "$HOME/code/ick/ick2/icktool" -c "$controller" --no-verify-tls "$@" -} - -build_status() -{ - tool status | awk -v "p=$1" '$1 == p { print $5 }' -} - -current_log() -{ - tool status | awk -v "p=$1" '$1 == p { print $7 }' -} - -wait_for_build_to_start() -{ - local project="$1" - local prevlog="$2" - - echo "Waiting for build of $project to start" - while true - do - log="$(current_log "$project")" - [ "$log" != "" ] - [ "$prevlog" != "" ] - if [ "$log" = "$prevlog" ] - then - # Build hasn't started - sleep 5 - continue - fi - break - done - echo "Project $project build has started" -} - -wait_for_build_to_finish() -{ - local project="$1" - - echo "Waiting for build of $project to finish" - while true - do - bs="$(build_status "$project")" - case "$bs" in - OK) echo "Build is finished"; break 
;; - building) sleep 5; continue ;; - FAILED*) echo "Build failed: $bs" 1>&2 ; exit 1 ;; - *) echo "Don't understand build status $bs" 1>&2 ; exit 1 ;; - esac - done -} - - -build() -{ - local project="$1" - local log="$(current_log "$project")" - - echo "Triggering $project" - tool trigger "$project" - wait_for_build_to_start "$project" "$log" - wait_for_build_to_finish "$project" -} - - -if [ "$run_ansible" = yes ] -then - cd "$ansible" - ./run-cluster.sh hosts.ickdev -e "ci_prefix=$prefix" -e "ci_dist=$ci_dist" -e @ci-vars.yml -fi - -tool make-it-so < "${rules}/ickdev.yaml" - -build notify -#build ick_stretch -#build ick2 @@ -0,0 +1,27 @@ +projects: + +- project: systree + parameters: + debian_codename: buster + packages: + - apt-transport-https + - jq + - python3 + artifact_name: systree + pipelines: + - ick/build_debian_systree + +- project: hello + parameters: + systree_name: systree + notify: [] + pipelines: &deb_ci_pipelines + - hello + +pipelines: + +- pipeline: hello + actions: + - where: host + shell: | + echo hello, world diff --git a/web.yml b/web.yml deleted file mode 100644 index ccb94a7..0000000 --- a/web.yml +++ /dev/null 
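Review bot: The anchor `&deb_ci_pipelines` on the `hello` project's `pipelines` list is never referenced by an alias anywhere in this hunk, so it is dead syntax a reader will search for in vain; either drop it or add the `*deb_ci_pipelines` alias where the list was meant to be reused. The diff header for this hunk is not shown on the page, so the file name is not visible here.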
@@ -1,72 +0,0 @@ -- hosts: web - remote_user: root - become: no - roles: - - sane_debian_system - - unix_users - - apache_server - - vars: - hostname: web - debian_codename: stretch - debian_mirror: deb.debian.org - debian_mirror_src: deb.debian.org - - static_sites: - - domain: files.liw.fi - owner: ickliwfi - ownermail: liw@liw.fi - - - domain: ick.liw.fi - owner: ickliwfi - ownermail: liw@liw.fi - - - domain: ick-staging.liw.fi - owner: ickliwfi - ownermail: liw@liw.fi - - - domain: mallorca.liw.fi - owner: ickliwfi - ownermail: liw@liw.fi - - - domain: code.liw.fi - owner: ickliwfi - ownermail: liw@liw.fi - - - domain: bugs.liw.fi - owner: ickliwfi - ownermail: liw@liw.fi - - - domain: distix.obnam.org - ownermail: liw@liw.fi - owner: ickliwfi - - - domain: tickets.distix.eu - owner: ickliwfi - ownermail: liw@liw.fi - - - domain: liw.iki.fi - owner: ickliwfi - ownermail: liw@liw.fi - - - domain: noir.liw.fi - owner: ickliwfi - ownermail: liw@liw.fi - - - domain: ick-support.liw.fi - owner: ickliwfi - ownermail: liw@liw.fi - - - domain: www.docstory.fi - owner: ickliwfi - ownermail: liw@liw.fi - - - domain: wedding.docstory.fi - owner: ickliwfi - ownermail: liw@liw.fi - - unix_users: - - username: ickliwfi - comment: Ick website - authorized_keys: | - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCWvVYqyPen0CFhfx9dzzCKNbQ7fUpbCRdlQ/PI4sAv5R+gjUYjZJ3HQQhdkEx6mwY+fGYgGIAY9xiTi+BzXSPPtuWUypB2/ee+Dh5Uqica1TCj/3txmFGE7qwD+AqoJYbDAD1x17AaCIEDgHv2wOQ2o8GlOKTK9mGgvZWTUgIUF7PObotg8/M6TV4NO3of7ZSJ0yqumU/GLaJ8UkvYVQ3Gj0w8tbX6xiJKcOnMyM+P+JIFRKKi/SzjymVfAie9OAlIcDEYTeT6dtqWYB6hT0/40D0ZcxOfIg07/m4A956hH9AzRKuz01w2phP2zQyHRUSOCWa5EWF/H9snxpeE5Ein liw@exolobe3 |