INSTALL ick2
=============================================================================

The easy way to install ick2 is to use the script below. To prepare:

* Clone git://git.liw.fi/ick2
* Clone git://git.liw.fi/ansibleness
* Clone git://git.qvarnlabs.net/debian-ansible
* Create a VM. Should contain Debian stretch.
  * edit `ansibleness/ansible/hosts` to change the `ick2` line to
    append `ansible_ssh_host=127.0.0.1`, where 127.0.0.1 is the actual
    address of the VM
  * also edit edit `ick2.yml` to set `remote_user` to a username that
    can do sudo without a password, and that you can access via ssh,
    without a password
* On another host, install ansible, pass, and have or create a PGP key
  pair.
* Save the script below into setup.py and run it: Change the
  FINGEPRINT line to refer to your PGP fingerprint.
  
        ./setup.sh "PATH/TO/ick2" "PATH/TO/ansibleness/ansible" \
            "PATH/TO/debian-ansible/roles/"

* This should set up the VM to run the Ick2 controller and a worker.
* Verify: in the ick2 checkout, run:

        ./icktool --controller https://127.0.0.1 version
        ./icktool --controller https://127.0.0.1 token

  Where 127.0.0.1 is again the address of the VM. The version command
  should report the version number, the token command should write a
  line of what looks like garbage, but is actually a JWT token.

Alternatively, you can add code.liw.fi/debian to your APT sources
list, and install the ick2 package, and do the configuration manually.
See the roles/ick-controller/tasks/main.yml file in the ansiblness
repository for details.


Setup.py
-----------------------------------------------------------------------------

    #!/bin/sh

    set -eu

    SRC="$1"
    PLAYBOOKS="$2"
    export ANSIBLE_ROLES_PATH="$3"

    export FINGERPRINT='DBE5439D97D8262664A1B01844E17740B8611E9C'
    export PASSWORD_STORE_DIR="$(pwd)/passwords"

    ssh-keygen -N '' -f worker_manager_key
    "$SRC/generate-rsa-key" token_key

    openssl req -subj '/CN=domain.com/O=My Company Name LTD./C=US' -new \
            -newkey rsa:2048 -days 365 -nodes -x509 \
            -keyout ick2.key -out ick2.crt
    cat ick2.key ick2.crt > ick.pem

    if [ ! -e "$PASSWORD_STORE_DIR" ]
    then
        pass init "$FINGERPRINT"

        pass insert -m ick2/wm_ssh_key < worker_manager_key
        pass insert -m ick2/wm_ssh_key_pub < worker_manager_key.pub

        pass insert -m ick2/token_key < token_key
        pass insert -m ick2/token_key.pub < token_key.pub

        pass insert -m ick2/ick.pem < ick.pem
    fi

    (cd "$PLAYBOOKS" && ansible-playbook -i hosts ick2.yml)