INSTALL ick2
=============================================================================

The easy way to install ick2 is to use the script below. To prepare:

* Install ansible, pass, git, and have or create a PGP key pair.
* Clone git://git.liw.fi/ick2
* Clone git://git.liw.fi/ick2-ansible
* Clone git://git.qvarnlabs.net/debian-ansible
* Create a VM. Should contain Debian stretch.
  * edit `ick-ansible/hosts` to change the `ick2` line to
    append `ansible_ssh_host=192.168.42.42`, where 192.168.42.42 is
    the actual address of the VM (not needed if the VM is accessible
    using the name `ick2`)
  * also edit edit `ick2.yml` to set `remote_user` to a username that
    can do sudo without a password, and that you can access via ssh,
    without a password (not needed if the user is `ansible`)
* Save the script below into setup.sh and run it: Change the
  FINGEPRINT line to refer to your PGP fingerprint. You need to give
  it paths to the three git checkouts.

        ./setup.sh "PATH/TO/ick2" "PATH/TO/ick2-ansible" \
            "PATH/TO/debian-ansible/roles/"

* This should set up the VM to run the Ick2 controller and a worker.
  It may take a while.
* Create `~/.config/icktool/icktool.yaml`:

        config:
            controller: https://192.168.42.42
            token-private-key-cmd: pass show ick2/token_key
            verify-tls: no

* Verify: in the ick2 checkout, run:

        export PASSWORD_STORE_DIR=passwords
        ./icktool --controller https://192.168.42.42 version
        ./icktool --controller https://192.168.42.42 token

  Where 192.168.42.42 is again the address of the VM. The version command
  should report the version number, the token command should write a
  line of what looks like garbage, but is actually a JWT token.

Alternatively, you can add code.liw.fi/debian to your APT sources
list, and install the ick2 package, and do the configuration manually.
See the roles/ick-controller/tasks/main.yml file in the ick2-ansible
repository for details. The script sets up a self-signed TLS
certificate and a token signing key. These get stored in a new pass(1)
password store, by the script.


Setup.py
-----------------------------------------------------------------------------

    #!/bin/sh

    set -eu

    SRC="$1"
    PLAYBOOKS="$2"
    export ANSIBLE_ROLES_PATH="$3"

    export FINGERPRINT='DBE5439D97D8262664A1B01844E17740B8611E9C'
    export PASSWORD_STORE_DIR="$(pwd)/passwords"

    ssh-keygen -N '' -f worker_manager_key
    "$SRC/generate-rsa-key" token_key

    openssl req -subj '/CN=domain.com/O=My Company Name LTD./C=US' -new \
            -newkey rsa:2048 -days 365 -nodes -x509 \
            -keyout ick2.key -out ick2.crt
    cat ick2.key ick2.crt > ick.pem

    if [ ! -e "$PASSWORD_STORE_DIR" ]
    then
        pass init "$FINGERPRINT"

        pass insert -m ick2/wm_ssh_key < worker_manager_key
        pass insert -m ick2/wm_ssh_key_pub < worker_manager_key.pub

        pass insert -m ick2/token_key < token_key
        pass insert -m ick2/token_key.pub < token_key.pub

        pass insert -m ick2/ick.pem < ick.pem
    fi

    (cd "$PLAYBOOKS" && ansible-playbook -i hosts ick2.yml)