- hosts: workers
  remote_user: root
  become: yes
  roles:
    - sane_debian_system
    - comfortable
    - unix_users
    - ick-worker
  vars:
    unix_users:
      - username: _ickwm
        sudo: yes
        ssh_key: "{{ wm_ssh_key }}"
        ssh_key_pub: "{{ wm_ssh_key_pub }}"

- hosts: artifacts
  remote_user: root
  become: yes
  roles:
    - sane_debian_system
    - comfortable
    - letsencrypt
    - haproxy
    - ick-artifact-store
  vars:
    hostname: blobs
    letsencrypt_email: liw@liw.fi
    letsencrypt_domain: "{{ artifact_store_domain }}"

- hosts: controller
  remote_user: root
  become: yes
  roles:
    - sane_debian_system
    - comfortable
    - letsencrypt
    - haproxy
    - ick-controller
  vars:
    hostname: controller
    letsencrypt_email: liw@liw.fi
    letsencrypt_domain: "{{ controller_domain }}"

- hosts: qvisqve
  remote_user: root
  become: yes
  roles:
    - sane_debian_system
    - letsencrypt
    - haproxy
    - qvisqve
  vars:
    letsencrypt_email: liw@liw.fi
    letsencrypt_domain: "{{ qvisqve_domain }}"
    qvisqve_token_public_key: "{{ lookup('pipe', 'pass show ick2/token_key.pub') }}"
    qvisqve_token_private_key: "{{ lookup('pipe', 'pass show ick2/token_key') }}"
    qvisqve_client_hash: "{{ lookup('pipe', 'pass show ick2/liw_hash') }}"
    qvisqve_client_salt: "{{ lookup('pipe', 'pass show ick2/liw_salt') }}"
    qvisqve_clients:
      liw:
        allowed_scopes:
          - uapi_version_get
          - uapi_projects_get
          - uapi_status_get
          - uapi_projects_post
          - uapi_projects_id_put
          - uapi_pipelines_get
          - uapi_projects_id_status_get
          - uapi_projects_id_status_put
          - uapi_pipelines_post
          - uapi_pipelines_id_put
          - uapi_projects_id_pipelines_id_get
          - uapi_builds_get
          - uapi_logs_get
          - uapi_logs_id_get
          - uapi_workers_get
          - uapi_workers_id_get
        client_secret:
            hash: "{{ lookup('pipe', 'pass show ick2/liw_hash') }}"
            salt: "{{ lookup('pipe', 'pass show ick2/liw_salt') }}"
            N: 16384
            key_len: 128
            p: 1
            r: 8
            version: 1
      worker1:
        allowed_scopes:
          - uapi_version_get
          - uapi_workers_post
          - uapi_work_id_get
          - uapi_work_post
          - uapi_blobs_id_put
          - uapi_blobs_id_get
        client_secret:
            hash: "{{ lookup('pipe', 'pass show ick2/worker1_hash') }}"
            salt: "{{ lookup('pipe', 'pass show ick2/worker1_salt') }}"
            N: 16384
            key_len: 128
            p: 1
            r: 8
            version: 1
      worker2:
        allowed_scopes:
          - uapi_version_get
          - uapi_workers_post
          - uapi_work_id_get
          - uapi_work_post
          - uapi_blobs_id_put
          - uapi_blobs_id_get
        client_secret:
            hash: "{{ lookup('pipe', 'pass show ick2/worker2_hash') }}"
            salt: "{{ lookup('pipe', 'pass show ick2/worker2_salt') }}"
            N: 16384
            key_len: 128
            p: 1
            r: 8
            version: 1

- hosts: apt
  remote_user: root
  become: yes
  roles:
    - sane_debian_system
    - apt_repository
  vars:
    apt_distributions:
      - codename: stretch
        description: Release packages for stretch
      - codename: stretch-ci
        description: CI builds for stretch
      - codename: unstable
        description: Release packages for unstable
      - codename: unstable-ci
        description: CI builds for unstable
      - codename: liw-ci
        description: CI builds for unstable from liw