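---
# Should API clients in the ick instance verify that TLS certificates
# are signed by a known CA? Set to false if using self-signed certs.
# NOTE: false turns off certificate validation for every API client in
# this instance, so a self-signed setup gives up protection against a
# spoofed controller; prefer a CA-issued certificate (or letsencrypt
# below) where possible. Booleans are written as true/false rather
# than yes/no so that YAML 1.1 and YAML 1.2 parsers agree on the type.
verify_tls: false


# Should Let's Encrypt be used to get TLS certificates for the
# controller component? If not, the certificate defined in
# tls_certificate gets deployed instead.
letsencrypt: false
letsencrypt_email: liw@liw.fi
letsencrypt_domain: "{{ controller_domain }}"
# Every secret in this file is read from the "pass" store at playbook
# run time through the pipe lookup, so no secret material is committed
# alongside these variables.
tls_certificate: "{{ lookup('pipe', 'pass show ick2/ick.pem') }}"


# The Apache config for serving the APT repository needs to know the
# webmaster email.
apt_admin_email: liw@liw.fi


# The APT repository gets signed using a PGP key.
apt_signing_key: "{{ lookup('pipe', 'pass show ick2/apt_key') }}"
apt_signing_key_pub: "{{ lookup('pipe', 'pass show ick2/apt_key.pub') }}"
# "|-" (strip chomping) so the rendered fingerprint does not end with a
# newline; with plain "|" the value carried a trailing "\n", which would
# make an exact string comparison against the fingerprint fail.
apt_signing_key_fingerprint: |-
  {{ lookup('pipe', 'pass show ick2/apt_key.pub | gpg --with-colons | grep "^fpr:" | cut -d: -f10') }}


# Workers should each have separate ssh keys. FIXME: We only support
# the same key for each, at the moment, so a key leaked from one worker
# grants the same access as every other worker's key.
wm_ssh_key: "{{ lookup('pipe', 'pass show ick2/wm_ssh_key') }}"
wm_ssh_key_pub: "{{ lookup('pipe', 'pass show ick2/wm_ssh_key_pub') }}"


# The notification service needs access to an SMTP server to send
# email. Ideally using the 587 port to submit the mail; this usually
# requires authentication. STARTTLS will be used to talk to the SMTP
# server unconditionally.
smtp_server: pieni.net
smtp_port: 587
smtp_user: pienirelay
smtp_password: "{{ lookup('pipe', 'pass show pieni.net/pienirelay') }}"


# Worker client ids for Qvisqve is worker1, worker2, ... They all
# share a secret. FIXME: they should have separate secrets.
worker_secret: "{{ lookup('pipe', 'pass show ick2/worker_secret') }}"


# Qvisqve handles authentication of API clients and signs its access
# tokens using RSA public keys. Define the signing keys, plus an admin
# user (for using with icktool), and four workers. FIXME: each worker
# has here the same client secret -- worker2..worker4 deliberately read
# the worker1 hash and salt below, so revoking one worker's credential
# means rotating all of them.
qvisqve_token_public_key: "{{ lookup('pipe', 'pass show ick2/token_key.pub') }}"
qvisqve_token_private_key: "{{ lookup('pipe', 'pass show ick2/token_key') }}"
qvisqve_admin_hash: "{{ lookup('pipe', 'pass show ick2/liw_hash') }}"
qvisqve_admin_salt: "{{ lookup('pipe', 'pass show ick2/liw_salt') }}"
qvisqve_worker1_hash: "{{ lookup('pipe', 'pass show ick2/worker1_hash') }}"
qvisqve_worker1_salt: "{{ lookup('pipe', 'pass show ick2/worker1_salt') }}"
qvisqve_worker2_hash: "{{ lookup('pipe', 'pass show ick2/worker1_hash') }}"
qvisqve_worker2_salt: "{{ lookup('pipe', 'pass show ick2/worker1_salt') }}"
qvisqve_worker3_hash: "{{ lookup('pipe', 'pass show ick2/worker1_hash') }}"
qvisqve_worker3_salt: "{{ lookup('pipe', 'pass show ick2/worker1_salt') }}"
qvisqve_worker4_hash: "{{ lookup('pipe', 'pass show ick2/worker1_hash') }}"
qvisqve_worker4_salt: "{{ lookup('pipe', 'pass show ick2/worker1_salt') }}"


# I like to have an additional "dist" in the APT repository, liwdev, so
# I can have ick build from a liw/dev branch, in addition to master,
# and put the resulting Debian packages where they don't get confused
# with the ones from master. Some day this will not require
# re-configuration of the APT repository via Ansible.
apt_distributions:
  - codename: stretch
    description: Release packages for stretch
  - codename: stretch-ci
    description: CI builds for stretch
  - codename: unstable
    description: Release packages for unstable
  - codename: unstable-ci
    description: CI builds for unstable
  - codename: liw-ci
    description: CI builds for unstable from liw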