Diffstat (limited to 'liw.yml')
-rw-r--r-- | liw.yml | 76 |
1 files changed, 76 insertions, 0 deletions
@@ -0,0 +1,76 @@
+# Should API clients in the ick instance verify that TLS certificates
+# are signed by a known CA? Set to "no" if using self-signed certs.
+verify_tls: no
+
+
+# Should Let's Encrypt be used to get TLS certificates for the
+# controller component? If not, the certificate defined in
+# tls_certificate gets deployed instead.
+letsencrypt: no
+letsencrypt_email: liw@liw.fi
+letsencrypt_domain: "{{ controller_domain }}"
+tls_certificate: "{{ lookup('pipe', 'pass show ick2/ick.pem') }}"
+
+
+# The Apache config for serving the APT repository needs to know the
+# webmaster email.
+apt_admin_email: liw@liw.fi
+
+
+# The APT repository gets signed using a PGP key.
+apt_signing_key: "{{ lookup('pipe', 'pass show ick2/apt_key') }}"
+apt_signing_key_pub: "{{ lookup('pipe', 'pass show ick2/apt_key.pub') }}"
+apt_signing_key_fingerprint: |
+  {{ lookup('pipe', 'pass show ick2/apt_key.pub | gpg --with-colons | grep "^fpr:" | cut -d: -f10') }}
+
+
+# Workers should each have separate ssh keys. FIXME: We only support
+# the same key for each, at the moment.
+wm_ssh_key: "{{ lookup('pipe', 'pass show ick2/wm_ssh_key') }}"
+wm_ssh_key_pub: "{{ lookup('pipe', 'pass show ick2/wm_ssh_key_pub') }}"
+
+
+# The notification service needs access to an SMTP server to send
+# email. Ideally using the 587 port to submit the mail; this usually
+# require authentication. STARTTLS will be used to talk to the SMTP
+# server unconditionally.
+smtp_server: pieni.net
+smtp_port: 587
+smtp_user: pienirelay
+smtp_password: "{{ lookup('pipe', 'pass show pieni.net/pienirelay') }}"
+
+
+# Qvisqve handles authentication of API clients and signs its access
+# tokens using RSA public keys. Define the signing keys, plus an admin
+# user (for using with icktool), and four workers. FIXME: each worker
+# has here the same client secret. 
+qvisqve_token_public_key: "{{ lookup('pipe', 'pass show ick2/token_key.pub') }}"
+qvisqve_token_private_key: "{{ lookup('pipe', 'pass show ick2/token_key') }}"
+qvisqve_admin_hash: "{{ lookup('pipe', 'pass show ick2/liw_hash') }}"
+qvisqve_admin_salt: "{{ lookup('pipe', 'pass show ick2/liw_salt') }}"
+qvisqve_worker1_hash: "{{ lookup('pipe', 'pass show ick2/worker1_hash') }}"
+qvisqve_worker1_salt: "{{ lookup('pipe', 'pass show ick2/worker1_salt') }}"
+qvisqve_worker2_hash: "{{ lookup('pipe', 'pass show ick2/worker1_hash') }}"
+qvisqve_worker2_salt: "{{ lookup('pipe', 'pass show ick2/worker1_salt') }}"
+qvisqve_worker3_hash: "{{ lookup('pipe', 'pass show ick2/worker1_hash') }}"
+qvisqve_worker3_salt: "{{ lookup('pipe', 'pass show ick2/worker1_salt') }}"
+qvisqve_worker4_hash: "{{ lookup('pipe', 'pass show ick2/worker1_hash') }}"
+qvisqve_worker4_salt: "{{ lookup('pipe', 'pass show ick2/worker1_salt') }}"
+
+
+# I like to have an addition "dist" in the APT repository, liwdev, so
+# I can have ick build from a liw/dev branch, in addition to master,
+# and put the resulting Debian packages where they don't get confused
+# with the ones from master. Some day this will not require
+# re-configuration of the APT repository via Ansible.
+apt_distributions:
+  - codename: stretch
+    description: Release packages for stretch
+  - codename: stretch-ci
+    description: CI builds for stretch
+  - codename: unstable
+    description: Release packages for unstable
+  - codename: unstable-ci
+    description: CI builds for unstable
+  - codename: liw-ci
+    description: CI builds for unstable from liw
|
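Review bot: `apt_signing_key_fingerprint: |` is a literal block scalar with clip chomping, so the rendered value very likely ends in a newline (Ansible's templating preserves a trailing newline in the source string), which will break any consumer that compares or embeds the fingerprint verbatim; use `apt_signing_key_fingerprint: |-` or put the lookup on one double-quoted line like every other key in the file. The `gpg --with-colons | grep "^fpr:"` pipeline also prints one `fpr` record per key and subkey, so the value may hold several fingerprints if the APT key has subkeys — worth confirming against the actual key. `verify_tls: no` and `letsencrypt: no` are YAML 1.1 truthy words that Ansible reads as false but yamllint and YAML 1.2 tooling treat as strings; write `verify_tls: false` and `letsencrypt: false` and adjust the comment accordingly. Because `verify_tls: false` makes API clients accept any certificate, not just the self-signed one, the comment should steer towards the safer option, e.g. `# Prefer distributing the self-signed CA cert to clients over disabling verification.`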