From fd722cca3089a3fe6f7620f57d6e4b84be94e67b Mon Sep 17 00:00:00 2001
From: Lars Wirzenius
Date: Wed, 3 Jul 2019 19:37:19 +0300
Subject: Add: playbooks etc for deploying VCSWorker
---
 components.yml | 14 ++++++++
 hosts | 1 +
 roles/vcsworker/files/ssh_config | 5 +++
 roles/vcsworker/files/token.pub | 1 +
 roles/vcsworker/tasks/main.yml | 73 ++++++++++++++++++++++++++++++++++++++++
 5 files changed, 94 insertions(+)
 create mode 100644 components.yml
 create mode 100644 roles/vcsworker/files/ssh_config
 create mode 100644 roles/vcsworker/files/token.pub
 create mode 100644 roles/vcsworker/tasks/main.yml
diff --git a/components.yml b/components.yml
new file mode 100644
index 0000000..3159fdd
--- /dev/null
+++ b/components.yml
@@ -0,0 +1,14 @@
+- hosts: api
+ remote_user: root
+ become: no
+ roles:
+ - vcsworker
+ vars:
+ gitlab_token: "{{ lookup('pipe', 'pass wmf/wmf-gitlab.vm.liw.fi/gitlab_token') }}"
+ vcsworker_ssh_pub: "{{ lookup('pipe', 'pass wmf/wmf-gitlab.vm.liw.fi/vcsworker_ssh.pub') }}"
+ vcsworker_ssh: "{{ lookup('pipe', 'pass wmf/wmf-gitlab.vm.liw.fi/vcsworker_ssh') }}"
+
+ hostname: wmf2-api
+
+ debian_codename: stretch
+ debian_mirror: deb.debian.org
diff --git a/hosts b/hosts
index 4e20e3a..7184d05 100644
--- a/hosts
+++ b/hosts
@@ -1,2 +1,3 @@
 gitlab ansible_ssh_host=wmf-gitlab3.vm.liw.fi
 runner ansible_ssh_host=wmf-runner3.vm.liw.fi
+api ansible_ssh_host=wmf2-api.vm.liw.fi
diff --git a/roles/vcsworker/files/ssh_config b/roles/vcsworker/files/ssh_config
new file mode 100644
index 0000000..eec015e
--- /dev/null
+++ b/roles/vcsworker/files/ssh_config
@@ -0,0 +1,5 @@
+Host *
+ UserKnownHostsFile /dev/null
+ StrictHostKeyChecking no
+ PasswordAuthentication no
+ IdentityFile ~/.ssh/vcsworker
diff --git a/roles/vcsworker/files/token.pub b/roles/vcsworker/files/token.pub
new file mode 100644
index 0000000..7d2603b
--- /dev/null
+++ b/roles/vcsworker/files/token.pub
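Review bot: In components.yml, `become: no` depends on YAML 1.1 truthy parsing; `become: false` reads the same under every parser and linter. The three `lookup('pipe', 'pass …')` vars carry an SSH private key and an API token, yet nothing in the play says where they come from or what the control node needs. A comment above `vars:` would cover it, for example `# secrets are read from the operator's local pass store on the control node; values must never be committed`.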
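Review bot: In roles/vcsworker/files/ssh_config, `Host *` combined with `StrictHostKeyChecking no` and `UserKnownHostsFile /dev/null` disables server authentication for every SSH connection the `_wmf` account makes, so a remote reached with the vcsworker key can be impersonated on the network path without any warning. The FIXME in tasks/main.yml acknowledges this, but the installed file itself carries no comment and the stanza is wider than the deployment appears to need. Scoping it to the single Git host and pinning that host's key would close the gap: `Host <git-host-placeholder>`, `StrictHostKeyChecking yes`, `UserKnownHostsFile ~/.ssh/known_hosts`, with the role installing the expected host key (Ansible's `known_hosts` module can do that).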
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCesmXDo5ZG0/IbwTknMad4mOurX05PSW5cy9fk/KOO/2JbIicV1L5SS5NCXrwyrItXxaeXsYVugKO5z11Ont3Y3AG76NeyJHxqDLs1JjVWlLd9/KSaCI7jdCzC/bV3OOGjhMp4ZRmf6zrQrIZ9nCs2HTZ+3lIq2I03BLL+6KqY929wb7YlmNTsaW/RaKE4l0X5YzyxJfR8CN2exlXKMPCvOjQQtWvLGi68QZVbnkwpEfQbw2DeQJAeOo0QcrxLiA34hsf95SaeRTKY69Cv0wLmnjHQixIMaBvmW7CcKEvQ3D5oOG9XFcY3wbKJ8LyM7aq+FWXfswSAQpaTE8w3uMzdg0hypo+pqsiieftvBSY5IgoETtPaJGey8BIAYhCjP+Rwd6kX2vOiJHSdrf/5uK0OUlqZrSDoQnnUIZZpx63/VBVaQ4pAoqGvVhQr9svN9NojfJJ1zCUWicHOCXUEUxzQ2DFpraidxNnrjapEjTijM/GVbc28rVfZwuX9tdwrWM2UHOjeISiSJCs07P5hyfbWTh9vCbO3ffhQWhYA711budh7ZqxC3C4MaraTOMsp11LHu4eLxUvuw0OcLawX6bWy8SnXv/BdGKE6lO1hI3RZ+inVaRKIy8WagvmSvip3eK88dEHEgIoOsbmnDEytUpoDhoNpAH08lx1MIaYxtTm07w==
\ No newline at end of file
diff --git a/roles/vcsworker/tasks/main.yml b/roles/vcsworker/tasks/main.yml
new file mode 100644
index 0000000..955ae55
--- /dev/null
+++ b/roles/vcsworker/tasks/main.yml
@@ -0,0 +1,73 @@
+- name: "install VCSWorker dependencies and useful tools"
+ apt:
+ name:
+ - screen
+ - git
+ - haproxy
+ - psmisc
+ - python3
+ - python3-bottle
+ - python3-jwt
+ - python3-crypto
+ state: present
+
+- name: "install VCSWorker source"
+ git:
+ repo: git://git.liw.fi/wmf-ci-arch
+ dest: /srv/wmf-ci-arch
+
+- name: "create user for VCSWorker"
+ user:
+ name: _wmf
+ comment: "WMF CI"
+
+- name: "install key for checking incoming access tokens"
+ copy:
+ src: token.pub
+ dest: /etc/wmf_ci_token.pub
+ owner: root
+ group: root
+ mode: '0644'
+
+- name: "create ~_wmf/.ssh"
+ file:
+ state: directory
+ dest: /home/_wmf/.ssh
+ owner: _wmf
+ group: _wmf
+ mode: '0700'
+
+- name: "install SSH public key for _wmf"
+ copy:
+ content: |
+ {{ vcsworker_ssh_pub }}
+ dest: /home/_wmf/.ssh/vcsworker.pub
+ owner: _wmf
+ group: _wmf
+ mode: '0644'
+
+- name: "install SSH private key for _wmf"
+ copy:
+ content: |
+ {{ vcsworker_ssh }}
+ dest: /home/_wmf/.ssh/vcsworker
+ owner: _wmf
+ group: _wmf
+ mode: '0600'
+
+# FIXME: This is clearly not OK for production.
+- name: "configure ssh to not check for new host keys"
+ copy:
+ src: ssh_config
+ dest: /home/_wmf/.ssh/config
+ owner: _wmf
+ group: _wmf
+ mode: '0644'
+
+- name: "install API access token for GitLab"
+ copy:
+ content: "{{ gitlab_token }}"
+ dest: /etc/wmf_gitlab_token
+ owner: _wmf
+ group: _wmf
+ mode: '0600'
-- cgit v1.2.1
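Review bot: The "install VCSWorker source" task in roles/vcsworker/tasks/main.yml clones over `git://`, which is neither encrypted nor authenticated, and sets no `version:`, so the code placed in /srv/wmf-ci-arch (presumably what the service runs) is whatever the network returns for the default branch. Switch `repo:` to an `https://` or `ssh://` URL for the same repository if the server offers one, and pin a reviewed commit with `version: "<pinned-commit-sha>"`. Separately, "install SSH private key for _wmf" and "install API access token for GitLab" pass secrets through `content:`; adding `no_log: true` to both keeps the values out of verbose and `--diff` output. The token file is also owned by `_wmf`, so that account can rewrite its own credential; `owner: root`, `group: _wmf`, `mode: '0640'` would leave it read-only for the service if nothing needs to update it.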