1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
|
INSTALL ick2
=============================================================================
The easy way to install ick2 is to use the script below. To prepare:
* Install ansible, pass, git, and have or create a PGP key pair.
* Clone git://git.liw.fi/ick2
* Clone git://git.liw.fi/ansibleness
* Clone git://git.qvarnlabs.net/debian-ansible
* Create a VM. Should contain Debian stretch.
* edit `ansibleness/ansible/hosts` to change the `ick2` line to
append `ansible_ssh_host=192.168.42.42`, where 192.168.42.42 is
the actual address of the VM (not needed if the VM is accessible
using the name `ick2`)
* also edit edit `ick2.yml` to set `remote_user` to a username that
can do sudo without a password, and that you can access via ssh,
without a password (not needed if the user is `ansible`)
* Save the script below into setup.py and run it: Change the
FINGEPRINT line to refer to your PGP fingerprint. You need to give
it paths to the three git checkouts.
./setup.sh "PATH/TO/ick2" "PATH/TO/ansibleness/ansible" \
"PATH/TO/debian-ansible/roles/"
* This should set up the VM to run the Ick2 controller and a worker.
It may take a while.
* Create `~/.config/icktool/icktool.yaml`:
config:
controller: https://192.168.42.42
token-private-key-cmd: pass show ick2/token_key
verify-tls: no
* Verify: in the ick2 checkout, run:
export PASSWORD_STORE_DIR=passwords
./icktool --controller https://192.168.42.42 version
./icktool --controller https://192.168.42.42 token
Where 192.168.42.42 is again the address of the VM. The version command
should report the version number, the token command should write a
line of what looks like garbage, but is actually a JWT token.
Alternatively, you can add code.liw.fi/debian to your APT sources
list, and install the ick2 package, and do the configuration manually.
See the roles/ick-controller/tasks/main.yml file in the ansiblness
repository for details. The script sets up a self-signed TLS
certificate and a token signing key. These get stored in a new pass(1)
passowrd store, by the script.
Setup.py
-----------------------------------------------------------------------------
#!/bin/sh
set -eu
SRC="$1"
PLAYBOOKS="$2"
export ANSIBLE_ROLES_PATH="$3"
export FINGERPRINT='DBE5439D97D8262664A1B01844E17740B8611E9C'
export PASSWORD_STORE_DIR="$(pwd)/passwords"
ssh-keygen -N '' -f worker_manager_key
"$SRC/generate-rsa-key" token_key
openssl req -subj '/CN=domain.com/O=My Company Name LTD./C=US' -new \
-newkey rsa:2048 -days 365 -nodes -x509 \
-keyout ick2.key -out ick2.crt
cat ick2.key ick2.crt > ick.pem
if [ ! -e "$PASSWORD_STORE_DIR" ]
then
pass init "$FINGERPRINT"
pass insert -m ick2/wm_ssh_key < worker_manager_key
pass insert -m ick2/wm_ssh_key_pub < worker_manager_key.pub
pass insert -m ick2/token_key < token_key
pass insert -m ick2/token_key.pub < token_key.pub
pass insert -m ick2/ick.pem < ick.pem
fi
(cd "$PLAYBOOKS" && ansible-playbook -i hosts ick2.yml)
|