From 83b3574f3abf2c367a7a687867273e6259975ce6 Mon Sep 17 00:00:00 2001
From: Lars Wirzenius
Date: Wed, 13 Jun 2018 15:01:18 +0300
Subject: Change: update stuff for deploying working ick instances
---
group_vars/apt.yml | 18 +++++++
group_vars/ick.yml | 38 ---------------
group_vars/ickhost.yml | 35 +++++++++++++
group_vars/notify.yml | 5 ++
group_vars/workers.yml | 7 ++-
host_vars/ick2.yml | 23 ---------
ick-cluster.yml | 130 ++++---------------------------------------------
ick2.yml | 70 ++------------------------
run-cluster.sh | 47 +++++++++++------
run-playbook | 5 --
run-single.sh | 31 +++++++-----
11 files changed, 126 insertions(+), 283 deletions(-)
create mode 100644 group_vars/apt.yml
delete mode 100644 group_vars/ick.yml
create mode 100644 group_vars/ickhost.yml
create mode 100644 group_vars/notify.yml
delete mode 100644 host_vars/ick2.yml
delete mode 100755 run-playbook
diff --git a/group_vars/apt.yml b/group_vars/apt.yml
new file mode 100644
index 0000000..70fa580
--- /dev/null
+++ b/group_vars/apt.yml
@@ -0,0 +1,18 @@
+apt_uploader_ssh_public_keys:
+ - "{{ wm_ssh_key_pub }}"
+apt_signing_key: "{{ lookup('pipe', 'pass show ick2/apt_key') }}"
+apt_signing_key_pub: "{{ lookup('pipe', 'pass show ick2/apt_key.pub') }}"
+apt_signing_key_fingerprint: |
+ {{ lookup('pipe', 'pass show ick2/apt_key.pub | gpg --with-colons | grep "^fpr:" | cut -d: -f10') }}
+apt_admin_email: liw@liw.fi
+apt_distributions:
+ - codename: stretch
+ description: Release packages for stretch
+ - codename: stretch-ci
+ description: CI builds for stretch
+ - codename: unstable
+ description: Release packages for unstable
+ - codename: unstable-ci
+ description: CI builds for unstable
+ - codename: liw-ci
+ description: CI builds for unstable from liw
diff --git a/group_vars/ick.yml b/group_vars/ick.yml
deleted file mode 100644
index d349d4f..0000000
--- a/group_vars/ick.yml
+++ /dev/null
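Review bot: `apt_signing_key_fingerprint` in group_vars/apt.yml can end up holding more than one line, because `grep "^fpr:"` matches every `fpr` record gpg prints and recent GnuPG versions print one for each subkey as well as the primary key; the `|` block scalar also leaves a trailing newline on the value. If the consuming role expects exactly one fingerprint (the role is not visible here), take the first record and strip the newline, for example by adding `| head -n 1` to the pipeline and writing `|-` in place of `|`. The identical line is added to group_vars/ickhost.yml by this commit, so the same applies there.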
@@ -1,38 +0,0 @@
-debian_codename: stretch
-debian_mirror: deb.debian.org
-debian_mirror_src: deb.debian.org
-
-wm_ssh_key: "{{ lookup('pipe', 'pass show ick2/wm_ssh_key') }}"
-wm_ssh_key_pub: "{{ lookup('pipe', 'pass show ick2/wm_ssh_key_pub') }}"
-
-sources_lists:
- - repo: "deb http://code.liw.fi/debian stretch main"
- keyring_package: code.liw.fi-keyring
- signing_key: "{{ code_liw_fi_signing_key }}"
-
-token_private_key: "{{ lookup('pipe', 'pass show ick2/token_key') }}"
-token_public_key: "{{ lookup('pipe', 'pass show ick2/token_key.pub') }}"
-tls_certificate: "{{ lookup('pipe', 'pass show ick2/ick.pem') }}"
-
-controller_domain: 127.0.0.1
-controller_port: 12765
-
-artifact_store_domain: 127.0.0.1
-artifact_store_port: 12766
-
-qvisqve_port: 10000
-notification_service_port: 12767
-
-controller_url: "https://{{ controller_domain }}"
-artifact_store_url: "https://{{ artifact_store_domain }}"
-qvisqve_url: "https://{{ qvisqve_domain }}"
-
-apt_uploader_ssh_public_keys:
- - "{{ wm_ssh_key_pub }}"
-apt_signing_key: "{{ lookup('pipe', 'pass show ick2/apt_key') }}"
-apt_signing_key_pub: "{{ lookup('pipe', 'pass show ick2/apt_key.pub') }}"
-apt_signing_key_fingerprint: |
- {{ lookup('pipe', 'pass show ick2/apt_key.pub | gpg --with-colons | grep "^fpr:" | cut -d: -f10') }}
-apt_admin_email: liw@liw.fi
-
-ci_prefix: ""
diff --git a/group_vars/ickhost.yml b/group_vars/ickhost.yml
new file mode 100644
index 0000000..ec545e4
--- /dev/null
+++ b/group_vars/ickhost.yml
@@ -0,0 +1,35 @@
+debian_codename: stretch
+debian_mirror: deb.debian.org
+debian_mirror_src: deb.debian.org
+
+ci_prefix: ""
+
+sources_lists:
+ - repo: "deb http://code.liw.fi/debian stretch main"
+ keyring_package: code.liw.fi-keyring
+ signing_key: "{{ code_liw_fi_signing_key }}"
+
+token_private_key: "{{ lookup('pipe', 'pass show ick2/token_key') }}"
+token_public_key: "{{ lookup('pipe', 'pass show ick2/token_key.pub') }}"
+tls_certificate: "{{ lookup('pipe', 'pass show ick2/ick.pem') }}"
+
+controller_port: 12765
+artifact_store_port: 12766
+qvisqve_port: 10000
+notify_port: 12767
+
+controller_url: "https://{{ controller_domain }}"
+artifact_store_url: "https://{{ artifact_store_domain }}"
+qvisqve_url: "https://{{ qvisqve_domain }}"
+notify_url: "https://{{ notify_domain }}/notify"
+
+apt_uploader_ssh_public_keys:
+ - "{{ wm_ssh_key_pub }}"
+apt_signing_key: "{{ lookup('pipe', 'pass show ick2/apt_key') }}"
+apt_signing_key_pub: "{{ lookup('pipe', 'pass show ick2/apt_key.pub') }}"
+apt_signing_key_fingerprint: |
+ {{ lookup('pipe', 'pass show ick2/apt_key.pub | gpg --with-colons | grep "^fpr:" | cut -d: -f10') }}
+apt_admin_email: liw@liw.fi
+
+wm_ssh_key: "{{ lookup('pipe', 'pass show ick2/wm_ssh_key') }}"
+wm_ssh_key_pub: "{{ lookup('pipe', 'pass show ick2/wm_ssh_key_pub') }}"
diff --git a/group_vars/notify.yml b/group_vars/notify.yml
new file mode 100644
index 0000000..c620183
--- /dev/null
+++ b/group_vars/notify.yml
@@ -0,0 +1,5 @@
+smtp_server: pieni.net
+smtp_port: 587
+smtp_user: pienirelay
+smtp_password: "{{ lookup('pipe', 'pass show pieni.net/pienirelay') }}"
+
diff --git a/group_vars/workers.yml b/group_vars/workers.yml
index c5046dc..6501d88 100644
--- a/group_vars/workers.yml
+++ b/group_vars/workers.yml
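Review bot: The block from `apt_uploader_ssh_public_keys` to `apt_admin_email` in group_vars/ickhost.yml repeats group_vars/apt.yml from the same commit line for line, so the APT signing-key lookups now have two definitions that can drift apart, and a host that is in both groups gets whichever one Ansible's group merge order picks. The file also puts `token_private_key`, `apt_signing_key` and `wm_ssh_key` into one group, which brings every private key into scope for every host in `ickhost`; if the worker hosts are members (the inventory is not visible here, but group_vars/workers.yml now depends on `wm_ssh_key` being defined elsewhere), they see the token and APT signing keys too. I would drop the apt block from this file and keep each private key in the vars of the one group whose roles consume it. A comment above the lookups such as `# private keys: tasks that use these should set no_log` would record the handling expectation.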
@@ -1,2 +1,5 @@ -wm_ssh_key: "{{ lookup('pipe', 'pass show ick2/wm_ssh_key') }}" -wm_ssh_key_pub: "{{ lookup('pipe', 'pass show ick2/wm_ssh_key_pub') }}" +unix_users: + - username: _ickwm + sudo: yes + ssh_key: "{{ wm_ssh_key }}" + ssh_key_pub: "{{ wm_ssh_key_pub }}" diff --git a/host_vars/ick2.yml b/host_vars/ick2.yml deleted file mode 100644 index 468d365..0000000 --- a/host_vars/ick2.yml +++ /dev/null @@ -1,23 +0,0 @@ -# FIXME: change the hostname if you prefer -hostname: ick2 - -debian_codename: stretch -debian_mirror: deb.debian.org -debian_mirror_src: deb.debian.org - -sources_lists: - - repo: "deb http://code.liw.fi/debian stretch main" - keyring_package: code.liw.fi-keyring - signing_key: "{{ code_liw_fi_signing_key }}" - -wm_ssh_key: "{{ lookup('pipe', 'pass show ick2/wm_ssh_key') }}" -wm_ssh_key_pub: "{{ lookup('pipe', 'pass show ick2/wm_ssh_key_pub') }}" -token_private_key: "{{ lookup('pipe', 'pass show ick2/token_key') }}" -token_public_key: "{{ lookup('pipe', 'pass show ick2/token_key.pub') }}" -tls_certificate: "{{ lookup('pipe', 'pass show ick2/ick.pem') }}" - -unix_users: - - username: _ickwm - sudo: yes - ssh_key: "{{ wm_ssh_key }}" - ssh_key_pub: "{{ wm_ssh_key_pub }}" diff --git a/ick-cluster.yml b/ick-cluster.yml index f50cc0b..8c59fb2 100644 --- a/ick-cluster.yml +++ b/ick-cluster.yml @@ -7,27 +7,9 @@ - unix_users - ick-worker vars: - unix_users: - - username: _ickwm - sudo: yes - ssh_key: "{{ wm_ssh_key }}" - ssh_key_pub: "{{ wm_ssh_key_pub }}" + verify_tls: yes -- hosts: artifacts - remote_user: root - become: yes - roles: - - sane_debian_system - - comfortable - - letsencrypt - - haproxy - - ick-artifact-store - vars: - hostname: blobs - letsencrypt_email: liw@liw.fi - letsencrypt_domain: "{{ artifact_store_domain }}" - -- hosts: controller +- hosts: ick remote_user: root become: yes roles: 
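Review bot: The `_ickwm` entry added to group_vars/workers.yml gives one account both `sudo: yes` and the private half of `wm_ssh_key`, and the matching public key is what group_vars/apt.yml lists under `apt_uploader_ssh_public_keys`, so a single key shared by all workers is also the upload credential for the package repository. That deserves a comment at the entry, e.g. `# shared worker key, also authorised for APT uploads; rotate everywhere if any worker is suspect`, and per-worker keys would make it possible to revoke one worker alone. `wm_ssh_key` and `wm_ssh_key_pub` are no longer defined in this file, so the play stops on an undefined variable unless every worker also belongs to a group that defines them (ickhost.yml does; group membership is not visible here). `sudo: true` is the unambiguous spelling of the boolean.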
@@ -35,109 +17,15 @@ - comfortable - letsencrypt - haproxy + - qvisqve - ick-controller + - ick-artifact-store + - apt_repository - ick-notifier vars: - hostname: controller - letsencrypt_email: liw@liw.fi - letsencrypt_domain: "{{ controller_domain }}" - smtp_password: "{{ lookup('pipe', 'pass show pieni.net/pienirelay') }}" + hostname: ick -- hosts: qvisqve - remote_user: root - become: yes - roles: - - sane_debian_system - - letsencrypt - - haproxy - - qvisqve - vars: + verify_tls: yes + letsencrypt: yes letsencrypt_email: liw@liw.fi - letsencrypt_domain: "{{ qvisqve_domain }}" - qvisqve_token_public_key: "{{ lookup('pipe', 'pass show ick2/token_key.pub') }}" - qvisqve_token_private_key: "{{ lookup('pipe', 'pass show ick2/token_key') }}" - qvisqve_client_hash: "{{ lookup('pipe', 'pass show ick2/liw_hash') }}" - qvisqve_client_salt: "{{ lookup('pipe', 'pass show ick2/liw_salt') }}" - qvisqve_clients: - liw: - allowed_scopes: - - uapi_version_get - - uapi_projects_get - - uapi_status_get - - uapi_projects_post - - uapi_projects_id_get - - uapi_projects_id_put - - uapi_projects_id_delete - - uapi_pipelines_get - - uapi_pipelines_id_delete - - uapi_projects_id_status_get - - uapi_projects_id_status_put - - uapi_pipelines_post - - uapi_pipelines_id_put - - uapi_builds_get - - uapi_logs_get - - uapi_logs_id_get - - uapi_workers_get - - uapi_workers_id_get - - uapi_notify_post - client_secret: - hash: "{{ lookup('pipe', 'pass show ick2/liw_hash') }}" - salt: "{{ lookup('pipe', 'pass show ick2/liw_salt') }}" - N: 16384 - key_len: 128 - p: 1 - r: 8 - version: 1 - worker1: - allowed_scopes: - - uapi_version_get - - uapi_workers_post - - uapi_work_get - - uapi_work_post - - uapi_blobs_id_put - - uapi_blobs_id_get - - uapi_notify_post - client_secret: - hash: "{{ lookup('pipe', 'pass show ick2/worker1_hash') }}" - salt: "{{ lookup('pipe', 'pass show ick2/worker1_salt') }}" - N: 16384 - key_len: 128 - p: 1 - r: 8 - version: 1 - worker2: - allowed_scopes: - - uapi_version_get 
- - uapi_workers_post - - uapi_work_get - - uapi_work_post - - uapi_blobs_id_put - - uapi_blobs_id_get - - uapi_notify_post - client_secret: - hash: "{{ lookup('pipe', 'pass show ick2/worker2_hash') }}" - salt: "{{ lookup('pipe', 'pass show ick2/worker2_salt') }}" - N: 16384 - key_len: 128 - p: 1 - r: 8 - version: 1 - -- hosts: apt - remote_user: root - become: yes - roles: - - sane_debian_system - - apt_repository - vars: - apt_distributions: - - codename: stretch - description: Release packages for stretch - - codename: stretch-ci - description: CI builds for stretch - - codename: unstable - description: Release packages for unstable - - codename: unstable-ci - description: CI builds for unstable - - codename: liw-ci - description: CI builds for unstable from liw + letsencrypt_domain: "{{ controller_domain }}" diff --git a/ick2.yml b/ick2.yml index 3b1bab8..b505687 100644 --- a/ick2.yml +++ b/ick2.yml @@ -1,4 +1,4 @@ -- hosts: single +- hosts: ick remote_user: root become: yes roles: 
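Review bot: `letsencrypt_domain` in the merged `ick` play is set to `controller_domain` alone, while the play now also runs qvisqve, the artifact store, the APT repository and the notifier, whose URLs in group_vars/ickhost.yml are built from their own `*_domain` variables. With `verify_tls: yes` that only holds while all of those variables carry the name on the certificate, which run-cluster.sh currently arranges; a comment on the line, e.g. `# one certificate: every *_domain var must equal controller_domain`, or an `assert` task would keep a later change from breaking it silently. The consolidation also puts the token issuer and the APT signing key on the same host as the controller and artifact store, so the separation the removed `artifacts`, `qvisqve` and `apt` plays provided is gone; it is worth stating in the description that this is intended. The removed `qvisqve_clients` block has no replacement in the visible hunks, and the play's role list starts above this hunk.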
@@ -9,75 +9,13 @@ - haproxy - qvisqve - ick-controller - - ick-worker - ick-artifact-store - - ick-notifier - apt_repository + - ick-notifier + - ick-worker vars: hostname: ick - debian_codename: stretch - ci_prefix: "" + verify_tls: no letsencrypt: no - letsencrypt_email: liw@liw.fi - letsencrypt_domain: "{{ qvisqve_domain }}" tls_certificate: "{{ lookup('pipe', 'pass show ick2/ick.pem') }}" - verify_tls: no - - token_private_key: "{{ lookup('pipe', 'pass show ick2/token_key') }}" - token_public_key: "{{ lookup('pipe', 'pass show ick2/token_key.pub') }}" - - qvisqve_domain: 127.0.0.1 - qvisqve_port: 10000 - qvisqve_url: "https://{{ qvisqve_domain }}" - - controller_domain: 127.0.0.1 - controller_port: 12765 - controller_url: "https://{{ controller_domain }}" - - artifact_store_domain: 127.0.0.1 - artifact_store_port: 12766 - artifact_store_url: "https://{{ artifact_store_domain }}" - - apt_domain: 127.0.0.1 - - notify_domain: 127.0.0.1 - notify_url: "https://{{ notify_domain }}/notify" - notify_port: 12767 - - smtp_server: pieni.net - smtp_port: 587 - smtp_user: pienirelay - smtp_password: "{{ lookup('pipe', 'pass show pieni.net/pienirelay') }}" - - unix_users: - - username: _ickwm - sudo: yes - ssh_key: "{{ wm_ssh_key }}" - ssh_key_pub: "{{ wm_ssh_key_pub }}" - - apt_uploader_ssh_public_keys: - - "{{ wm_ssh_key_pub }}" - apt_signing_key: "{{ lookup('pipe', 'pass show ick2/apt_key') }}" - apt_signing_key_pub: "{{ lookup('pipe', 'pass show ick2/apt_key.pub') }}" - apt_signing_key_fingerprint: | - {{ lookup('pipe', 'pass show ick2/apt_key.pub | gpg --with-colons | grep "^fpr:" | cut -d: -f10') }} - apt_admin_email: liw@liw.fi - apt_distributions: - - codename: stretch - description: Release packages for stretch - - codename: stretch-ci - description: CI builds for stretch - - codename: unstable - description: Release packages for unstable - - codename: unstable-ci - description: CI builds for unstable - - codename: liw-ci - description: CI builds for unstable from 
liw - - sources_lists: - - repo: "deb http://code.liw.fi/debian stretch main" - keyring_package: code.liw.fi-keyring - signing_key: "{{ code_liw_fi_signing_key }}" - - repo: "deb http://ci-prod-apt.vm.liw.fi/debian liw-ci main" - signing_key: "{{ ci_prod_apt_signing_key }}" diff --git a/run-cluster.sh b/run-cluster.sh index 8311fb7..4c987ab 100755 --- a/run-cluster.sh +++ b/run-cluster.sh @@ -3,26 +3,36 @@ set -eu -hosts_in="$1" -shift 1 - - -getip() +getaddr() { - awk -v "name=$1" '$1 == name { print $2 }' "$hosts_in" + awk -v "name=$1" '$1 == name { print $2 }' "$hosts_in" | + sed 's/ansible_ssh_host=//' } mkhosts() { cat < hosts.tmp ansible-playbook -i hosts.tmp ick-cluster.yml \ - -e "qvisqve_domain=$(getip qvisqve)" \ - -e "controller_domain=$(getip controller)" \ - -e "artifact_store_domain=$(getip artifacts)" \ - -e "apt_domain=$(getip apt)" \ + -e "qvisqve_domain=$(getaddr controller)" \ + -e "controller_domain=$(getaddr controller)" \ + -e "artifact_store_domain=$(getaddr controller)" \ + -e "apt_domain=$(getaddr controller)" \ + -e "notify_domain=$(getaddr controller)" \ "$@" diff --git a/run-playbook b/run-playbook deleted file mode 100755 index 46716ef..0000000 --- a/run-playbook +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/sh - -set -eu - -ansible-playbook -i hosts "$@" diff --git a/run-single.sh b/run-single.sh index 4033b22..4b9ad06 100755 --- a/run-single.sh +++ b/run-single.sh @@ -3,7 +3,7 @@ set -eu -getip() +getaddr() { awk -v "name=$1" '$1 == name { print $2 }' "$hosts_in" | sed 's/ansible_ssh_host=//' 
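Review bot: `verify_tls: no` and `letsencrypt: no` are now the entire TLS configuration of the ick2.yml play, and after this commit it targets the same `ick` group as ick-cluster.yml, so running ick2.yml against a cluster inventory would presumably turn certificate verification off on a deployed instance. A comment above the two lines, e.g. `# single-host test setup with the certificate from pass; do not run against a public instance`, makes the intent explicit, and a distinct group name for the single-host play would remove the overlap. `tls_certificate` is also defined in group_vars/ickhost.yml by this commit, so the copy here is redundant if the host is in that group (not visible from the hunk). `false` is the unambiguous spelling of these booleans.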
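Review bot: An inventory name that `getaddr` does not find in run-cluster.sh yields an empty string and nothing stops the run: awk prints nothing and exits 0, the pipeline's status is that of `sed`, and `set -e` does not act on a command substitution used as an argument, so ansible-playbook is called with `controller_domain=` and the derived URLs become `https://`. I would resolve the address once before the playbook call and stop when it is empty, `addr=$(getaddr controller)` followed by `[ -n "$addr" ] || { echo "controller not found in $hosts_in" >&2; exit 1; }`, then pass `$addr` to the five `-e` options. The same applies to `getaddr ick` in the second run-single.sh hunk. The page has lost part of this hunk (the here-document in `mkhosts` and whatever now sets `hosts_in`), so I cannot tell whether `hosts.tmp` is removed afterwards; if it is not, `mktemp` with a `trap` would avoid leaving a fixed-name inventory in the working directory.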
@@ -13,16 +13,25 @@ getip() mkhosts() { cat < hosts.tmp ansible-playbook \ -i hosts.tmp \ ick2.yml \ - -e qvisqve_domain="$(getip single)" \ - -e controller_domain="$(getip single)" \ - -e artifact_store_domain="$(getip single)" \ - -e apt_domain="$(getip single)" \ - -e notify_domain="$(getip single)" \ + -e qvisqve_domain="$(getaddr ick)" \ + -e controller_domain="$(getaddr ick)" \ + -e artifact_store_domain="$(getaddr ick)" \ + -e apt_domain="$(getaddr ick)" \ + -e notify_domain="$(getaddr ick)" \ "$@" -- cgit v1.2.1