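# Should API clients in the ick instance verify that TLS certificates
# are signed by a known CA? Set to false if using self-signed certs.
# With verification off, clients accept any certificate and cannot
# tell the real controller from an impostor, so keep this false only
# for test instances; otherwise install the signing CA on the clients
# and set this to true.
verify_tls: false

# Should Let's Encrypt be used to get TLS certificates for the
# controller component? If not, the certificate defined in
# tls_certificate gets deployed instead.
letsencrypt: false
letsencrypt_email: liw@liw.fi
letsencrypt_domain: "{{ controller_domain }}"
tls_certificate: "{{ lookup('pipe', 'pass show ick2/ick.pem') }}"

# The Apache config for serving the APT repository needs to know the
# webmaster email.
apt_admin_email: liw@liw.fi

# The APT repository gets signed using a PGP key. The key material is
# read from the local pass store when the playbook runs, so it is not
# stored in this file.
apt_signing_key: "{{ lookup('pipe', 'pass show ick2/apt_key') }}"
apt_signing_key_pub: "{{ lookup('pipe', 'pass show ick2/apt_key.pub') }}"
# NOTE(review): the "|" block scalar leaves a trailing newline on the
# value, and gpg may print more than one "fpr:" record (for example
# for subkeys) -- confirm the consumer expects that.
apt_signing_key_fingerprint: |
  {{ lookup('pipe', 'pass show ick2/apt_key.pub | gpg --with-colons | grep "^fpr:" | cut -d: -f10') }}

# Workers should each have separate ssh keys. FIXME: We only support
# the same key for each, at the moment. Until that is fixed, a key
# taken from one worker is valid for every worker.
wm_ssh_key: "{{ lookup('pipe', 'pass show ick2/wm_ssh_key') }}"
wm_ssh_key_pub: "{{ lookup('pipe', 'pass show ick2/wm_ssh_key_pub') }}"

# The notification service needs access to an SMTP server to send
# email. Ideally using the 587 port to submit the mail; this usually
# requires authentication. STARTTLS will be used to talk to the SMTP
# server unconditionally.
smtp_server: pieni.net
smtp_port: 587
smtp_user: pienirelay
smtp_password: "{{ lookup('pipe', 'pass show pieni.net/pienirelay') }}"

# Worker client ids for Qvisqve are worker1, worker2, ... They all
# share a secret. FIXME: they should have separate secrets, so that
# one worker's credentials can be revoked without affecting the rest.
worker_secret: "{{ lookup('pipe', 'pass show ick2/worker_secret') }}"

# Qvisqve handles authentication of API clients and signs its access
# tokens with an RSA private key; the matching public key is used to
# verify them. Define the token key pair, plus an admin user (for
# using with icktool), and four workers. FIXME: each worker has here
# the same client secret.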
# Token key pair, read from the local pass store at playbook run time.
# The private key signs access tokens and must stay confidential.
qvisqve_token_public_key: "{{ lookup('pipe', 'pass show ick2/token_key.pub') }}"
qvisqve_token_private_key: "{{ lookup('pipe', 'pass show ick2/token_key') }}"

# Client credentials as hash/salt pairs from the pass store.
# NOTE(review): qvisqve_admin_* and qvisqve_liw_* read the same pass
# entries (ick2/liw_hash, ick2/liw_salt), so both resolve to the same
# values -- confirm this is intended.
qvisqve_admin_hash: "{{ lookup('pipe', 'pass show ick2/liw_hash') }}"
qvisqve_admin_salt: "{{ lookup('pipe', 'pass show ick2/liw_salt') }}"
qvisqve_liw_hash: "{{ lookup('pipe', 'pass show ick2/liw_hash') }}"
qvisqve_liw_salt: "{{ lookup('pipe', 'pass show ick2/liw_salt') }}"

# The controller has a clear-text secret in addition to its hash and
# salt.
qvisqve_controller_secret: "{{ lookup('pipe', 'pass show ick2/controller_secret') }}"
qvisqve_controller_hash: "{{ lookup('pipe', 'pass show ick2/controller_hash') }}"
qvisqve_controller_salt: "{{ lookup('pipe', 'pass show ick2/controller_salt') }}"

# Only one worker hash/salt pair is defined here, taken from the
# worker1 entries in the pass store.
qvisqve_worker_hash: "{{ lookup('pipe', 'pass show ick2/worker1_hash') }}"
qvisqve_worker_salt: "{{ lookup('pipe', 'pass show ick2/worker1_salt') }}"

# APT distributions, each with a codename and a description.
apt_distributions:
  - codename: unstable
    description: Release packages for unstable
  - codename: unstable-ci
    description: CI builds for unstable