From bab01a58a170027e7fa7641deb6bec4006f4fcae Mon Sep 17 00:00:00 2001
From: Lars Wirzenius <lwirzenius@wikimedia.org>
Date: Sun, 7 Jul 2019 18:29:59 +0300
Subject: Add: artifact store

---
 components.yml                                   |  11 ++
 group_vars/all.yml                               |   2 +
 roles/artifacts/tasks/main.yml                   | 123 +++++++++++++++++++++++
 roles/artifacts/templates/artifact_store.yaml.j2 |   6 ++
 roles/haproxy/files/haproxy.cfg                  |   6 ++
 5 files changed, 148 insertions(+)
 create mode 100644 group_vars/all.yml
 create mode 100644 roles/artifacts/tasks/main.yml
 create mode 100644 roles/artifacts/templates/artifact_store.yaml.j2

diff --git a/components.yml b/components.yml
index e12ccf9..011828d 100644
--- a/components.yml
+++ b/components.yml
@@ -1,3 +1,14 @@
+- hosts: artifacts
+  remote_user: root
+  become: no
+  roles:
+    - haproxy
+    - artifacts
+  vars:
+    hostname: artifacts
+    haproxy_domain: wmf2-artifacts.vm.liw.fi
+    letsencrypt_email: liw@liw.fi
+
 - hosts: vcsworker
   remote_user: root
   become: no
diff --git a/group_vars/all.yml b/group_vars/all.yml
new file mode 100644
index 0000000..7147120
--- /dev/null
+++ b/group_vars/all.yml
@@ -0,0 +1,2 @@
+token_pub: |
+  ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCesmXDo5ZG0/IbwTknMad4mOurX05PSW5cy9fk/KOO/2JbIicV1L5SS5NCXrwyrItXxaeXsYVugKO5z11Ont3Y3AG76NeyJHxqDLs1JjVWlLd9/KSaCI7jdCzC/bV3OOGjhMp4ZRmf6zrQrIZ9nCs2HTZ+3lIq2I03BLL+6KqY929wb7YlmNTsaW/RaKE4l0X5YzyxJfR8CN2exlXKMPCvOjQQtWvLGi68QZVbnkwpEfQbw2DeQJAeOo0QcrxLiA34hsf95SaeRTKY69Cv0wLmnjHQixIMaBvmW7CcKEvQ3D5oOG9XFcY3wbKJ8LyM7aq+FWXfswSAQpaTE8w3uMzdg0hypo+pqsiieftvBSY5IgoETtPaJGey8BIAYhCjP+Rwd6kX2vOiJHSdrf/5uK0OUlqZrSDoQnnUIZZpx63/VBVaQ4pAoqGvVhQr9svN9NojfJJ1zCUWicHOCXUEUxzQ2DFpraidxNnrjapEjTijM/GVbc28rVfZwuX9tdwrWM2UHOjeISiSJCs07P5hyfbWTh9vCbO3ffhQWhYA711budh7ZqxC3C4MaraTOMsp11LHu4eLxUvuw0OcLawX6bWy8SnXv/BdGKE6lO1hI3RZ+inVaRKIy8WagvmSvip3eK88dEHEgIoOsbmnDEytUpoDhoNpAH08lx1MIaYxtTm07w==
diff --git a/roles/artifacts/tasks/main.yml b/roles/artifacts/tasks/main.yml
new file mode 100644
index 0000000..942705b
--- /dev/null
+++ b/roles/artifacts/tasks/main.yml
@@ -0,0 +1,123 @@
+- name: "install ci-prep-ick.vm.liw.fi APT signing key"
+  apt_key:
+    data: |
+      -----BEGIN PGP PUBLIC KEY BLOCK-----
+
+      mQINBFshHKIBEACyvcvvhCEJPS1WSV9aSVQ+Rj7GesEuNIZ1z9XUgfQ8OKYM2aS8
+      C0e8FsfBi6YezKqz9ZBuAbQ5dJ03HD+U3kApLLkteeVehIgkGtRa12XDC++RYU7p
+      UuE2RVOqKMVnL6GCcqY7TjagHfGFXE1LtYFzMZMjLqlvqcR3ACOB8SilSSZ4DYMM
+      Q8h3Dg8oC0kYnfYrOandA/XK+ecm2RAQ7g8yRw42GjFRAJlnlxYK4ZJ0HxMk1T+g
+      nESiGcVKT84nFvaU/Uxfz8jJsCoDaNV17c/Vk7BfDCvELavWpw6+aImPrlUS3UOu
+      6Znv3zLzlGQBzdoZf8D0hGXdxLPu9J8ywxjCxWasjjXJJ0x/Izh/IH1ssT5V3Erx
+      Emlw8bqumMub41Iib2BVB2ysJ5bqGb6Q9OBvYXAVqvuWajJnkOBP4Z1/t+r2/JUm
+      fSeH0Pgqf9juzlBGHCgjqsvzjDyZziusnHuVN2M5gFHQ2abyLX1l9YDDkwfStt2+
+      jXwJ6i09IJSy7MiWgKRTXiI/KFCMF1ajzizg8PgTFlr39iIMwae2GlG/RKaRB6/4
+      h9vWazMan5Qw0LmM5lcZquly7MUfOkbBXOug1dib2DndwbTSBdsefx8jEoONz/2Q
+      e4L+Vvkyze26IwPcNCtpgg+iPzhMAAITGixW/p3ATKHW6MFO25HzzlOBrQARAQAB
+      tDljaS1wcmVwLnZtLmxpdy5maSBBUFQgcmVwb3NpdG9yeSBzaWduaW5nIGtleSA8
+      bGl3QGxpdy5maT6JAk4EEwEKADgWIQQzxyeUNzWcU5u/64QL1UrLeCNqdQUCWyEc
+      ogIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRAL1UrLeCNqdd2LD/9Oz7JB
+      cvhS98VIt+v9Ob55tXATLUbz/Qe+wjLKr8pk0qbopF5maUhbeahQ/Y+BO0w1FjC+
+      0Rgywzs2Rpo9l06+t3zhfZa+QctPbCgaVJ6SiA3sGC0ciUm6O+8qsUSGxaA3s0KV
+      Zn7bBz3cfx1IKVowVVRaKWuUatt0vNCk/AJOSqNuSonp6iDAGlpoUwNnrhSW5K54
+      mnSDE0PLQBPD2CGUet5nBuo0KrROsGbMhT4mzjKtqqXiOgitLL2STKo8IAjz46Kz
+      xi9/cdizN/FE2Q1uXWLyA/vXxKstxDQ2Ggs8u/siHWu2Ie0AnI6UZbElpvrjV5mV
+      swv+p5ZNng57jSlWNZvmng+fsF2kjVcNmonTmg5nUhKS5rmGBJyFTlWyKtpExOAb
+      DcYloBJqgf4QKzp5XIVd1NrzfQDLmlmxnQtQ2MYfq4PZ9GImDEirsBJ5dE1L+LDz
+      G7Ldyi22t4EoSSEzxeXoiE9m6/bnpamfOy6Lk0XXQcHAc3BXADO8FfvZLcyTE52s
+      H32k75M+ft+9CJhBkAfhBfvOXBuZolOFhs2FirlS0b3BDz0I357K7K98rjNiKvj/
+      XfLYfMqrWih3RD4xyUW6T8QSSM/Vqn3Klvl4MdroeSGR2gy+WMUy26+ZFVljdo40
+      HcOM0ZLArtQC+G6LdEaSLsJmB9HwvlJgXNQl0rkCDQRbIRyiARAA+7v9lLIbDzDv
+      UN+w/O07bT4GveLFcAREA7kmMrgrEi2WL5IZQfjezvW7Eee0hey6X26uWB8SRStQ
+      UOiDmVPovtf9yZgvZvejOXrCqHFgCpptVkI15I1htPRSmzUpJKkwfkoXcpmXfSgy
+      plFzQu/cAfsYRW/22mbd5IZ5kTRXqq/fNQCHSk7icTOzVygqT1Z+H5J20QTUVE6A
+      M/zvmu+VCsuVCiCl4QUZOwksZb7I80f/kFOUAVNRbgrsj2dNtP1GuNWvi9oL9yhW
+      z7Jm/4bMcboUBPnQqldoh3Ybi0pKa8q2/cHsE1vzIGF99sjylT70TaDOrZdvOipr
+      gxd5fxIprxSiSnQGb1/hD+PDiLw+nUn6anHy6Q7+FGEbvTTeAAA5TqbUGbga5Lxl
+      m5sfU7FIzFYyqt25H+S9Bj5F4SS4/MlZMH0KxsymSOPLVl41cn/ors6S9z/sAQZs
+      Hmoj+/QVd2d3dC2IuSNK08v+0jOQ+5CO4SG9te4//RUTiyQ9TW6MFwsl0gZiU9A0
+      CQ/GkmG3zIGSdQyCU+GIlMDI4SUc/ojzMJYVbsQ8WiKsjlnWu/7eQpGuQIe1dg7c
+      MCFgV5rBRKYyZyNxIdJkmKKt3IJL6d+FsQfNkvWvdsdXW9K1O7YnTwQavEIXrRkY
+      UoZ7JlTK1Ce2Iw78Ro00R3AEzLpg4OkAEQEAAYkCNgQYAQoAIBYhBDPHJ5Q3NZxT
+      m7/rhAvVSst4I2p1BQJbIRyiAhsMAAoJEAvVSst4I2p1N8oP/2WWQ5XVvySTBBQx
+      ob7SzKDgD2V/GLY2tv0vDv/dW5ChNuwFtCgr2kDNZV1ifKsTwpeLqONGps3f0AzV
+      Vuo2ErBKzGBk6lbjFMw7HKLeE0C0N9DsVN3yAHeGzy8dkezXE+eGDvN0aEVXypQc
+      p/5P0Al9rl4Y/EMVGSo4X5qYxXYzu1A4NrmtcqF0qlXzD1pzmQ0W1BdwF+hRsMB+
+      2SFYH/ij45kiLr0PRb99ojmQqWtqPGKHw+8uI9HyiwwzgRR2qS7YC7kDt0cy4Y/t
+      bKDyuTbWsau9FAiln8kghbQXI1XM2R62cmC/wymo0Vl/kGj4p4PPoN/bVlkty6qd
+      ee1/WrwBHertJnhQfCe2yCM4pNEznKnyQaJ2weDuBTw3YgyrYb6iOJ6VpCVFf7uM
+      0K8DE9BBeztwiU80v6UYh5Sz2nfvc2KjInF8f+weFGWKFdx9VOOdwxP6bmRVGfV0
+      AYRhTlPc8XjNYwRLAhZciqB1Hyd6ZxcLUUV8f9YruGOp0srdZ4QmCkT95PuWJeVo
+      up6NujqA32VHa+qNWx3jNZaNgRuH8RzL4s4ZZ4q/3vPU5ndkFvEvSpjyYoC1ewxs
+      n8ut9fiKU6GaUnDxvfVE1cXdnj4yHMkn91bor5ne+DtyAG1yHItA+hNzLllbgk0F
+      bMfuB4umuQx6SYFpP1FF0yc+Xwzn
+      =SvUJ
+      -----END PGP PUBLIC KEY BLOCK-----
+
+- name: "install ci-prod-controller.vm.liw.fi APT signing key"
+  apt_key:
+    data: |
+      -----BEGIN PGP PUBLIC KEY BLOCK-----
+
+      mQINBFrLO7kBEADdz6mHstYmKU5Dp6OSjxWtWaqTDOX1sJdmmaIK/9EKVIH0Maxp
+      5kvVO5G6mULLAjv/kLG0MxasHPrq8I2A/y8AqKAGVL8QelwLjQMIFZ30/VbGQPHS
+      +T5TZXEnoQtNce1GUhFwJ38ZyjjwHBFV9tSec7rZ2Q3YeM3nNnGPf6DacXGfEOPO
+      HIN4sXAN2hzNXNjKRzTIvxQseb6nr7afUh/SlZ3yhQOCrIzmYlD7tP9WJe7ofL0p
+      JY4pDQYw8rT6nC2BE/ioemh84kERCT1vCe+OVFlSRuMlqfEv+ZpKQ+itOmPDQ/lM
+      jpUm1K2hrW/lWpxT/ZxHKo/w1K36J5WshgMZxfUu5BMCL9LMqMcrXNhNjDMfxDMM
+      3yBPOvQ4ls6fecOZ/bsFo1p8VzMk/w/eG8vPs5yuNa5XxN95yFMXoOHGb5Xbu8D4
+      6yiW+Af70LbiSNpGdmNdneiGB2fY38NxBukPw5u3S5qG8HedSmMr1RvSr5kHoAAe
+      UbOY+BYaaKsTAT7+1skUW1o3FJSqoRKCHAzTsMWC6zzhR8hRn7jVrrguH1hGbqq5
+      TZSCFQZExuTJ7uXrTLG0WoBXIjB5wWNcSeXn8myUWYB51nJNF4tJBouZOz9JwWGl
+      kiAQkrHnBttLQWdW9FyjbIoTZMtpvVx+m6ObGTGdGL1cNlLAvWprMXGc+QARAQAB
+      tDJJY2sgQVBUIHJlcG9zaXRvcnkgc2lnbmluZyBrZXkgKDIwMTgpIDxsaXdAbGl3
+      LmZpPokCTgQTAQgAOBYhBKL1uyDoXyxUH3O717Wr+TZVS6PGBQJayzu5AhsDBQsJ
+      CAcCBhUICQoLAgQWAgMBAh4BAheAAAoJELWr+TZVS6PGB5QQANTcikhRUHwt9N4h
+      dGc/Hp6CbqdshMoWlwpFskttoVDxQG5OAobuZl5XyzGcmja1lT85RGkZFfbca0IZ
+      LnXOLLSAu51QBkXNaj4OhjK/0uQ+ITrvL6RQSXNgHiUTR/W2XD1GIUq6nBqe2GSN
+      31S1baYKKVj5QIMsi7Dq8ls3BBXuPCE+xTSaNmGWjes2t9pPidcRvxsksCLY1qgw
+      P1GFXBeMkBQ29kBP87SUL15SIk7OiQLlEURCy5iRls5rt/YEsdEpRWIb0Tm5Nrjv
+      2M3VM+iBhfNXTwj0rJ34mlycF1qQmA7YcTEobT7z587GPY0VWzBpQUnEQj7rQWPM
+      cDYY0b+I6kQ8VKOaL4wVAtE98d7HzFIrIrwhTKufnrWrVDPYsmLZ+LPC1jiF7JBD
+      SR6Vftb+SdDR9xoE1yRuXbC6IfoW+5/qQNrdQ2mm9BFw5jOonBqchs18HTTf3441
+      6SWwP9fY3Vi+IZphPPi0Gf85oMStgnv/Wnw6LacEL32ek39Desero/D8iGLZernK
+      Q2mC9mua5A/bYGVhsNWyURNFkKdbFa+/wW3NfdKYyZnsSfo+jJ2luNewrhAY7Kod
+      GWXTer9RxzTGA3EXFGvNr+BBOOxSj0SfWTl0Olo7J5dnxof+jLAUS1VHpceHGHps
+      GSJSdir7NkZidgwoCPA7BTqsb5LN
+      =dXB0
+      -----END PGP PUBLIC KEY BLOCK-----
+
+- name: "add ci-prep-ick APT repo to sources.lists"
+  apt_repository:
+    repo: "deb http://ci-prep-ick.vm.liw.fi/debian stretch-ci main"
+    update_cache: yes
+    state: present
+
+- name: "add ci-prod-controller APT repo to sources.lists"
+  apt_repository:
+    repo: "deb http://ci-prod-controller.vm.liw.fi/debian stretch-ci main"
+    update_cache: yes
+    state: present
+
+- name: "create /etc/ick"
+  file:
+    state: directory
+    path: /etc/ick
+
+- name: "install artifact store config"
+  template:
+    src: artifact_store.yaml.j2
+    dest: /etc/ick/artifact_store.yaml
+
+- name: "install ick2 for its artifact store"
+  apt:
+    name: ick2
+    state: present
+
+- name: "enable and (re)start the artifact store"
+  systemd:
+    name: artifact_store
+    daemon_reload: yes
+    enabled: yes
+    state: restarted
+    
diff --git a/roles/artifacts/templates/artifact_store.yaml.j2 b/roles/artifacts/templates/artifact_store.yaml.j2
new file mode 100644
index 0000000..ba3dbde
--- /dev/null
+++ b/roles/artifacts/templates/artifact_store.yaml.j2
@@ -0,0 +1,6 @@
+token-issuer: iss
+token-audience: aud
+token-public-key: "{{ token_pub }}"
+log:
+  - filename: /var/log/ickas/artifact_store.log
+blobdir: /var/lib/ick/blobs
diff --git a/roles/haproxy/files/haproxy.cfg b/roles/haproxy/files/haproxy.cfg
index 4bb9ebf..5c450c4 100644
--- a/roles/haproxy/files/haproxy.cfg
+++ b/roles/haproxy/files/haproxy.cfg
@@ -36,8 +36,14 @@ frontend http-in
 
     rspadd Strict-Transport-Security:\ max-age=15768000
 
+    acl as path_beg /blobs/
+    use_backend as if as
+
     acl api path_beg /
     use_backend api if api
 
 backend api
     server api_1 127.0.0.1:2222
+
+backend as
+    server api_1 127.0.0.1:12766
-- 
cgit v1.2.1