path: root/ick2.yml
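# Play for the `qvisqve` host group: applies the base-system, TLS
# certificate, HAProxy and qvisqve roles, and defines the API clients that
# the qvisqve role is given.
- hosts: qvisqve
  remote_user: root
  # NOTE(review): the connection already logs in as root, so `become` looks
  # redundant here -- confirm before dropping it.
  become: true
  roles:
    - sane_debian_system
    - letsencrypt
    - haproxy
    - qvisqve
  vars:
    letsencrypt_email: liw@liw.fi
    # qvisqve_domain is not defined in this file; it has to be supplied from
    # elsewhere (inventory or extra vars).
    letsencrypt_domain: "{{ qvisqve_domain }}"

    # No key material or credential is stored in this file. Each value is
    # read at run time by the `pipe` lookup, which runs `pass show ...` on
    # the Ansible control machine, so the operator's local store must hold
    # these entries and be unlocked.
    # NOTE(review): the private key ends up in an ordinary variable and can
    # appear in verbose or failed-task output; check that the qvisqve role
    # sets `no_log: true` on the tasks that consume it.
    qvisqve_token_public_key: "{{ lookup('pipe', 'pass show ick2/token_key.pub') }}"
    qvisqve_token_private_key: "{{ lookup('pipe', 'pass show ick2/token_key') }}"
    # Same store entries as qvisqve_clients.admin.client_secret below.
    # NOTE(review): confirm whether the role still reads both copies.
    qvisqve_client_hash: "{{ lookup('pipe', 'pass show ick2/liw_hash') }}"
    qvisqve_client_salt: "{{ lookup('pipe', 'pass show ick2/liw_salt') }}"

    # One entry per API client: the scopes it is allowed and the stored form
    # of its secret (hash and salt only, never the secret itself).
    qvisqve_clients:
      # Broadest client: its list includes the create, update and delete
      # scopes for projects and pipelines.
      admin:
        allowed_scopes:
          - uapi_version_get
          - uapi_projects_get
          - uapi_status_get
          - uapi_projects_post
          - uapi_projects_id_get
          - uapi_projects_id_put
          - uapi_projects_id_delete
          - uapi_pipelines_get
          - uapi_pipelines_id_delete
          - uapi_projects_id_status_get
          - uapi_projects_id_status_put
          - uapi_pipelines_post
          - uapi_pipelines_id_put
          - uapi_builds_get
          - uapi_logs_get
          - uapi_logs_id_get
          - uapi_workers_get
          - uapi_workers_id_get
          - uapi_notify_post
        client_secret:
          hash: "{{ lookup('pipe', 'pass show ick2/liw_hash') }}"
          salt: "{{ lookup('pipe', 'pass show ick2/liw_salt') }}"
          # N, r, p and key_len look like scrypt cost parameters and the
          # derived-key length -- confirm against the qvisqve role. They
          # presumably have to match the values used when the stored hash
          # was generated.
          N: 16384
          key_len: 128
          p: 1
          r: 8
          version: 1
      # Credentials for this client are stored under worker1_* and, judging
      # by the scope names, it is the worker-facing client (register, fetch
      # and report work, blob get/put) -- confirm. It holds none of the
      # project or pipeline management scopes given to `admin`.
      ick2:
        allowed_scopes:
          - uapi_version_get
          - uapi_workers_post
          - uapi_work_get
          - uapi_work_post
          - uapi_blobs_id_put
          - uapi_blobs_id_get
        client_secret:
          hash: "{{ lookup('pipe', 'pass show ick2/worker1_hash') }}"
          salt: "{{ lookup('pipe', 'pass show ick2/worker1_salt') }}"
          N: 16384
          key_len: 128
          p: 1
          r: 8
          version: 1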

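# Play for the `ick2` host group: applies the base-system, user, TLS
# certificate and HAProxy roles plus the ick controller, worker, artifact
# store and APT repository roles, all to the same hosts.
- hosts: ick2
  remote_user: root
  # NOTE(review): the connection already logs in as root, so `become` looks
  # redundant here -- confirm before dropping it.
  become: true
  roles:
    - sane_debian_system
    - comfortable
    - unix_users
    - letsencrypt
    - haproxy
    - ick-controller
    - ick-worker
    - ick-artifact-store
    - apt_repository
  vars:
    hostname: ick2

    debian_codename: stretch

    # Loopback values. Play vars take precedence over inventory group and
    # host vars, so a real domain would have to come from a
    # higher-precedence source such as extra vars (-e).
    # NOTE(review): confirm how these are set for an actual deployment.
    controller_domain: 127.0.0.1
    controller_port: 12765

    artifact_store_domain: 127.0.0.1
    artifact_store_port: 12766

    # The URL carries no port. NOTE(review): presumably HAProxy terminates
    # TLS on the default HTTPS port and forwards to controller_port --
    # confirm against the haproxy role.
    controller_url: "https://{{ controller_domain }}"

    # wm_ssh_key and wm_ssh_key_pub are not defined in this file; they must
    # be supplied from elsewhere, and wm_ssh_key looks like a private key.
    # NOTE(review): this account is given sudo and an SSH key pair. What
    # `sudo: true` grants depends on the unix_users role -- confirm it is no
    # wider than the account needs, and that the key is not logged.
    unix_users:
      - username: _ickwm
        sudo: true
        ssh_key: "{{ wm_ssh_key }}"
        ssh_key_pub: "{{ wm_ssh_key_pub }}"

    letsencrypt_email: liw@liw.fi
    # Templated from artifact_store_domain, which is a loopback address in
    # this file; a publicly trusted certificate cannot be issued for that,
    # so the value has to be overridden for the letsencrypt role to succeed.
    letsencrypt_domain: "{{ artifact_store_domain }}"

    # Distributions handed to the apt_repository role: a release and a CI
    # distribution for each of stretch and unstable, plus liw-ci.
    apt_distributions:
      - codename: stretch
        description: Release packages for stretch
      - codename: stretch-ci
        description: CI builds for stretch
      - codename: unstable
        description: Release packages for unstable
      - codename: unstable-ci
        description: CI builds for unstable
      - codename: liw-ci
        description: CI builds for unstable from liw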