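# Play: worker hosts (ick-cluster.yml). Applies the base system roles, the
# ick-worker role, and creates the _ickwm account via the unix_users role.
- hosts: workers
  # Connects as root over SSH, so the targets must permit root login.
  # NOTE(review): with remote_user root, become is presumably a no-op; an
  # unprivileged login account plus become would let root SSH be disabled.
  remote_user: root
  become: true
  roles:
    - sane_debian_system
    - comfortable
    - unix_users
    - ick-worker
  vars:
    # Key material is read from the local `pass` store on the control node
    # when the variable is evaluated, so it is not committed with the playbook.
    # NOTE(review): confirm the unix_users role handles wm_ssh_key with
    # no_log and writes it owner-only; the role is not visible here.
    # NOTE(review): the pipe lookup may strip the trailing newline; confirm the
    # role writes the private key file with a final newline.
    wm_ssh_key: "{{ lookup('pipe', 'pass show ick2/wm_ssh_key') }}"
    wm_ssh_key_pub: "{{ lookup('pipe', 'pass show ick2/wm_ssh_key_pub') }}"
    unix_users:
      - username: _ickwm
        # NOTE(review): what `sudo` grants is defined by the unix_users role
        # (not shown). This account also receives a private SSH key, so
        # confirm the sudo rule is as narrow as the account actually needs.
        sudo: true
        ssh_key: "{{ wm_ssh_key }}"
        ssh_key_pub: "{{ wm_ssh_key_pub }}"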

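# Play: artifact store host. Applies the base system roles, letsencrypt,
# haproxy and ick-artifact-store.
- hosts: artifacts
  # Connects as root over SSH, so the target must permit root login.
  remote_user: root
  become: true
  roles:
    - sane_debian_system
    - comfortable
    - letsencrypt
    - haproxy
    - ick-artifact-store
  vars:
    hostname: blobs
    # NOTE(review): the letsencrypt role is applied, but letsencrypt_email and
    # letsencrypt_domain are not set in this play, unlike the controller and
    # qvisqve plays. Presumably they come from inventory or role defaults;
    # confirm, so this host does not end up without a valid certificate.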

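# Play: controller host. Applies the base system roles, letsencrypt, haproxy
# and ick-controller.
- hosts: controller
  # Connects as root over SSH, so the target must permit root login.
  remote_user: root
  become: true
  roles:
    - sane_debian_system
    - comfortable
    - letsencrypt
    - haproxy
    - ick-controller
  vars:
    hostname: controller
    # Contact address and certificate name passed to the letsencrypt role.
    letsencrypt_email: liw@liw.fi
    letsencrypt_domain: controller.liw.fi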

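# Play: qvisqve host. Applies the base system role, letsencrypt, haproxy and
# qvisqve, and defines the API clients with the scopes each may request.
- hosts: qvisqve
  # Connects as root over SSH, so the target must permit root login.
  remote_user: root
  become: true
  roles:
    - sane_debian_system
    - letsencrypt
    - haproxy
    - qvisqve
  vars:
    letsencrypt_email: liw@liw.fi
    letsencrypt_domain: qvisqve.liw.fi
    # All secrets below are read from the local `pass` store on the control
    # node when the variable is evaluated; none is committed with the playbook.
    # NOTE(review): the token private key is presumably what signs access
    # tokens, so its disclosure would affect every scope listed here. Confirm
    # the qvisqve role handles it with no_log and installs it owner-only.
    qvisqve_token_public_key: "{{ lookup('pipe', 'pass show ick2/token_key.pub') }}"
    qvisqve_token_private_key: "{{ lookup('pipe', 'pass show ick2/token_key') }}"
    # Same pass entries as qvisqve_clients.liw.client_secret below; the two
    # must stay in sync.
    # NOTE(review): confirm the role still reads these two top-level variables.
    qvisqve_client_hash: "{{ lookup('pipe', 'pass show ick2/liw_hash') }}"
    qvisqve_client_salt: "{{ lookup('pipe', 'pass show ick2/liw_salt') }}"
    # Each client has its own scope list and its own stored secret, so one
    # client's credential can be rotated or removed without touching the rest.
    qvisqve_clients:
      liw:
        allowed_scopes:
          - uapi_version_get
          - uapi_projects_get
          - uapi_projects_post
          - uapi_pipelines_get
          - uapi_pipelines_post
          - uapi_projects_id_pipelines_id_get
          - uapi_builds_get
          - uapi_logs_get
          - uapi_logs_id_get
          - uapi_workers_get
          - uapi_workers_id_get
        # Only a salted hash of the client secret is configured, not the
        # secret itself. N, r and p look like scrypt cost parameters.
        # NOTE(review): N=16384, r=8, p=1 is below the work factor current
        # OWASP password-storage guidance suggests for scrypt. That matters
        # mainly if client secrets are human-chosen; raising it means
        # re-hashing every client secret, since the hashes are precomputed.
        client_secret:
          hash: "{{ lookup('pipe', 'pass show ick2/liw_hash') }}"
          salt: "{{ lookup('pipe', 'pass show ick2/liw_salt') }}"
          N: 16384
          key_len: 128
          p: 1
          r: 8
          version: 1
      # worker1 and worker2 carry identical scope lists; keep them in sync
      # when a scope is added or withdrawn.
      worker1:
        allowed_scopes:
          - uapi_version_get
          - uapi_workers_post
          - uapi_work_id_get
          - uapi_work_post
          - uapi_blobs_id_put
          - uapi_blobs_id_get
        client_secret:
          hash: "{{ lookup('pipe', 'pass show ick2/worker1_hash') }}"
          salt: "{{ lookup('pipe', 'pass show ick2/worker1_salt') }}"
          N: 16384
          key_len: 128
          p: 1
          r: 8
          version: 1
      worker2:
        allowed_scopes:
          - uapi_version_get
          - uapi_workers_post
          - uapi_work_id_get
          - uapi_work_post
          - uapi_blobs_id_put
          - uapi_blobs_id_get
        client_secret:
          hash: "{{ lookup('pipe', 'pass show ick2/worker2_hash') }}"
          salt: "{{ lookup('pipe', 'pass show ick2/worker2_salt') }}"
          N: 16384
          key_len: 128
          p: 1
          r: 8
          version: 1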