author | Christian Pointner <equinox@spreadspace.org> | 2018-12-01 23:14:05 +0100 |
committer | Christian Pointner <equinox@spreadspace.org> | 2018-12-01 23:14:05 +0100 |
commit | 17447210485bbe379beb9c7e9a3034e900110ed9 (patch) | |
tree | 1b911eed4ea5bce52a5bc24f0951dfe200ea3217 | |
parent | fixed acmetool self-signed cert handling (diff) |
moved to multi environment repo structure
-rw-r--r-- | .gitignore | 6 | ||||
-rw-r--r-- | ansible.cfg | 17 | ||||
-rwxr-xr-x | apply-role.sh | 10 | ||||
-rw-r--r-- | chaos-at-home/generic.yaml (renamed from generic.yaml) | 0 | ||||
-rw-r--r-- | elevate/generic.yaml | 5 | ||||
-rw-r--r-- | environment.sh | 82 | ||||
-rwxr-xr-x | gpg/add-key.sh | 17 | ||||
-rwxr-xr-x | gpg/create-environment.sh | 40 | ||||
-rwxr-xr-x | gpg/get-vault-pass- | 2 | ||||
-rwxr-xr-x | gpg/get-vault-pass-chaos-at-home | 2 | ||||
-rwxr-xr-x | gpg/get-vault-pass-elevate | 2 | ||||
-rwxr-xr-x | gpg/get-vault-pass-spreadspace | 2 | ||||
-rwxr-xr-x | gpg/get-vault-pass.sh | 20 | ||||
-rwxr-xr-x | gpg/gpg2.sh | 10 | ||||
-rwxr-xr-x | gpg/list-keys.sh | 10 | ||||
-rwxr-xr-x | gpg/remove-keys.sh | 19 | ||||
-rwxr-xr-x | gpg/set-vault-pass.sh | 15 | ||||
-rw-r--r-- | gpg/vault-keyring-chaos-at-home.gpg | bin | 0 -> 37630 bytes | |||
-rw-r--r-- | gpg/vault-keyring-elevate.gpg | bin | 0 -> 37630 bytes | |||
-rw-r--r-- | gpg/vault-keyring-spreadspace.gpg (renamed from gpg/vault-keyring.gpg) | bin | 37014 -> 37014 bytes | |||
-rw-r--r-- | gpg/vault-pass-chaos-at-home.gpg | 19 | ||||
-rw-r--r-- | gpg/vault-pass-elevate.gpg | 19 | ||||
-rw-r--r-- | gpg/vault-pass-spreadspace.gpg (renamed from gpg/vault-pass.gpg) | 0 | ||||
-rw-r--r-- | group_vars/spreadspace/vars.yml | 4 | ||||
-rw-r--r-- | group_vars/spreadspace/vault.yml | 10 | ||||
-rw-r--r-- | inventory/group_vars/all/main.yml (renamed from group_vars/all/vars.yml) | 0 | ||||
-rw-r--r-- | inventory/group_vars/elevate/main.yml (renamed from group_vars/elevate/vars.yml) | 0 | ||||
-rw-r--r-- | inventory/group_vars/hetzner/main.yml (renamed from group_vars/hetzner/vars.yml) | 0 | ||||
-rw-r--r-- | inventory/group_vars/k8s-emc/main.yml (renamed from group_vars/k8s-emc/vars.yml) | 0 | ||||
-rw-r--r-- | inventory/group_vars/skillz/main.yml (renamed from group_vars/skillz/vars.yml) | 0 | ||||
-rw-r--r-- | inventory/group_vars/spreadspace/main.yml | 8 | ||||
-rw-r--r-- | inventory/host_vars/calypso.yml (renamed from host_vars/calypso.yml) | 0 | ||||
-rw-r--r-- | inventory/host_vars/dione.yml (renamed from host_vars/dione.yml) | 0 | ||||
-rw-r--r-- | inventory/host_vars/elesearch.yml (renamed from host_vars/elesearch.yml) | 0 | ||||
-rw-r--r-- | inventory/host_vars/emc-master.yml (renamed from host_vars/emc-master.yml) | 0 | ||||
-rw-r--r-- | inventory/host_vars/emc-stats.yml (renamed from host_vars/emc-stats.yml) | 0 | ||||
-rw-r--r-- | inventory/host_vars/helene.yml (renamed from host_vars/helene.yml) | 0 | ||||
-rw-r--r-- | inventory/host_vars/sk2013.yml (renamed from host_vars/sk2013.yml) | 0 | ||||
-rw-r--r-- | inventory/host_vars/sk2016.yml (renamed from host_vars/sk2016.yml) | 0 | ||||
-rw-r--r-- | inventory/host_vars/telesto.yml (renamed from host_vars/telesto.yml) | 0 | ||||
-rw-r--r-- | inventory/host_vars/thetys.yml (renamed from host_vars/thetys.yml) | 0 | ||||
-rw-r--r-- | inventory/hosts.ini (renamed from hosts.ini) | 54 | ||||
-rw-r--r-- | roles/blackmagic-desktopvideo/defaults/main.yml | 4 | ||||
-rw-r--r-- | roles/blackmagic-desktopvideo/tasks/main.yml | 2 | ||||
-rw-r--r-- | spreadspace/generic.yaml | 5 | ||||
-rw-r--r-- | spreadspace/group_vars/spreadspace.yml | 10 |
46 files changed, 345 insertions, 49 deletions
@@ -1,6 +1,8 @@ -/log -/gpg/vault-keyring.gpg~ *.pyc *.retry .*.sw? +/log +/gpg/vault-keyring-*.gpg~ +/.galaxy /.cache/ +/artifacts/ diff --git a/ansible.cfg b/ansible.cfg index f44889fd..8d436f20 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -1,19 +1,26 @@ [defaults] -inventory = ./hosts.ini -roles_path = ./roles:../roles -remote_user = root +inventory = ./inventory/hosts.ini +roles_path = ./.galaxy:./roles +nocows = 1 + log_path = ./log remote_tmp = /tmp/.ansible/tmp -nocows=1 -vault_password_file = ./gpg/get-vault-pass.sh + +filter_plugins = ./filter_plugins gathering = smart fact_caching = jsonfile fact_caching_connection = ./.cache/facts fact_caching_timeout = 7200 +## this will be set by environment.sh +#vault_identity_list = spreadspace@gpg/get-vault-pass-spreadsprace +## only try keys with matching vault-ids +vault_id_match = True + var_compression_level = 9 + [ssh_connection] pipelining = True ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s diff --git a/apply-role.sh b/apply-role.sh index 3d39f345..a2b0ac4f 100755 --- a/apply-role.sh +++ b/apply-role.sh @@ -1,13 +1,15 @@ #!/bin/bash -if [ -z "$1" ] || [ -z "$2" ] ; then - echo "$0 <host(s)> <role>" +if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ] ; then + echo "$0 <environment> <host(s)> <role>" exit 1 fi +env="$1" +shift hosts="$1" shift role="$1" shift -echo "######## applying the role '$role' to host(s) '$hosts' ########" -exec ansible-playbook -e "myhosts=$hosts" -e "myrole=$role" $@ generic.yaml +echo "######## applying the role '$role' to host(s) '$hosts' in environment '$env' ########" +exec ansible-playbook -e "myhosts=$hosts" -e "myrole=$role" $@ "$env/generic.yaml" diff --git a/generic.yaml b/chaos-at-home/generic.yaml index d3b8de82..d3b8de82 100644 --- a/generic.yaml +++ b/chaos-at-home/generic.yaml diff --git a/elevate/generic.yaml b/elevate/generic.yaml new file mode 100644 index 00000000..d3b8de82 --- /dev/null +++ b/elevate/generic.yaml 
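Review bot: The commented-out example `#vault_identity_list = spreadspace@gpg/get-vault-pass-spreadsprace` in the ansible.cfg hunk names a file that does not exist in this commit — the stub added is `gpg/get-vault-pass-spreadspace` — so anyone who uncomments it to bypass environment.sh gets a failed vault-id lookup. Change it to `#vault_identity_list = spreadspace@gpg/get-vault-pass-spreadspace`. The `## only try keys with matching vault-ids` comment above `vault_id_match = True` could also mention that gpg/get-vault-pass.sh in this same commit works around Ansible releases up to 2.6 ignoring this setting, so the two pieces can be read together.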
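Review bot: In the apply-role.sh hunk `$env` is interpolated into the playbook path without checking that `$env/generic.yaml` exists, so a mistyped environment name is caught only by ansible-playbook's own error. A guard after the argument check, `if [ ! -f "$env/generic.yaml" ]; then echo "unknown environment '$env'"; exit 1; fi`, gives a direct message. The `$@` on the exec line is still unquoted (pre-existing), so extra arguments containing spaces are re-split; `"$@"` matches the quoting used in the gpg scripts of this commit.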
@@ -0,0 +1,5 @@
+---
+- name: "Apply role {{ myrole }} to hosts: {{ myhosts }}"
+ hosts: "{{ myhosts }}"
+ roles:
+ - role: "{{ myrole }}"
diff --git a/environment.sh b/environment.sh
new file mode 100644
index 00000000..38a38340
--- /dev/null
+++ b/environment.sh
@@ -0,0 +1,82 @@
+##
+## must be sourced in your interactive shell or by scripts before using vault files
+##
+
+print_error() {
+ echo "\033[1;31mERROR:\033[1;0m $1"
+}
+
+vault_environment__get() {
+ echo "${ANSIBLE_VAULT_IDENTITY_LIST}" | tr ',' '\n' | awk -F '@' '{ print($1) }' | sed '/^$/d'
+}
+
+vault_environment__set() {
+ unset ANSIBLE_VAULT_IDENTITY_LIST
+ for e in "$@"; do
+ vault_environment__activate $e
+ done
+}
+
+vault_environment__activate() {
+ if [ -z "$1" ]; then
+ print_error "please specify an environment"
+ return
+ fi
+
+ if [ ! -f "gpg/get-vault-pass-$1" ]; then
+ print_error "failed to activate environment: '$1' .. could not find password file 'gpg/get-vault-pass-$1'"
+ return
+ fi
+
+ for e in $(vault_environment__get); do
+ if [ "$1" = "$e" ]; then
+ return
+ fi
+ done
+
+ if [ -z "${ANSIBLE_VAULT_IDENTITY_LIST}" ]; then
+ export ANSIBLE_VAULT_IDENTITY_LIST="$1@gpg/get-vault-pass-$1"
+ else
+ export ANSIBLE_VAULT_IDENTITY_LIST="${ANSIBLE_VAULT_IDENTITY_LIST},$1@gpg/get-vault-pass-$1"
+ fi
+}
+
+vault_environment__deactivate() {
+ local new_list
+
+ if [ -z "$1" ]; then
+ print_error "please specify an environment"
+ return
+ fi
+
+ new_list=""
+ for e in $(vault_environment__get); do
+ if [ "$1" != "$e" ]; then
+ if [ -z "$new_list" ]; then
+ new_list="$e@gpg/get-vault-pass-$e"
+ else
+ new_list="$new_list,$e@gpg/get-vault-pass-$e"
+ fi
+ fi
+ done
+
+ if [ -z "$new_list" ]; then
+ unset ANSIBLE_VAULT_IDENTITY_LIST
+ else
+ export ANSIBLE_VAULT_IDENTITY_LIST="$new_list"
+ fi
+}
+
+op="$1"
+if [ -n "$op" ]; then
+ shift
+fi
+
+case $op in
+ activate|deactivate|set|get)
+ "vault_environment__$op" "$@"
+ ;;
+ *)
+ print_error "unknown operation: '$op'"
+ ;;
+esac
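Review bot: The loop variable `e` in vault_environment__set, __activate and __deactivate is never declared `local`, and since environment.sh must be sourced (per its own header) it leaks into the caller's interactive shell and clobbers any `e` already there; add `local e` at the top of each of the three functions. Every error path does a bare `return` after print_error, which returns echo's status 0, so a script doing `. environment.sh set typo && ansible-playbook ...` proceeds with no vault identity at all; use `return 1` on those paths. print_error's `echo "\033[1;31mERROR:\033[1;0m $1"` relies on echo interpreting escapes, which bash's builtin does not do by default, so `printf '\033[1;31mERROR:\033[1;0m %s\n' "$1"` is the portable form. `vault_environment__activate $e` in __set should be `"$e"` to match the quoting elsewhere in the file.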
diff --git a/gpg/add-key.sh b/gpg/add-key.sh index 98e29174..82970a91 100755 --- a/gpg/add-key.sh +++ b/gpg/add-key.sh @@ -1,21 +1,28 @@ #!/bin/bash if [ -z "$1" ]; then + echo "Usage: $0 <environment> [ <keyfile> ]" + exit 1 +fi +NAME="$1" +shift + +if [ -z "$1" ]; then echo "no keyfile specified, reading from stdin ..." fi -"${BASH_SOURCE%/*}/gpg2.sh" --import $@ +"${BASH_SOURCE%/*}/gpg2.sh" "$NAME" --import "$@" if [ $? -ne 0 ]; then - echo -e "\nERROR: import key(s) failed. Please revert any changes of the file gpg/vault-keyring.gpg." + echo -e "\nERROR: importing key(s) failed. Please revert any changes of the file gpg/vault-keyring-$NAME.gpg." exit 1 fi echo "" -"${BASH_SOURCE%/*}/get-vault-pass.sh" | "${BASH_SOURCE%/*}/set-vault-pass.sh" +"${BASH_SOURCE%/*}/get-vault-pass-$NAME" | "${BASH_SOURCE%/*}/set-vault-pass.sh" "$NAME" if [ $? -ne 0 ]; then echo -e "\nERROR: reencrypting vault password file failed!" - echo " You might want to revert any changes on gpg/vault-pass.gpg and gpg/vault-keyring.gpg!!" + echo " You might want to revert any changes on gpg/vault-pass-$NAME.gpg and gpg/vault-keyring-$NAME.gpg!!" exit 1 fi echo "Successfully reencrypted vault password file!" -echo " Don't forget to commit the changes in gpg/vault-pass.gpg and gpg/vault-keyring.gpg." +echo " Don't forget to commit the changes in gpg/vault-pass-$NAME.gpg and gpg/vault-keyring-$NAME.gpg." diff --git a/gpg/create-environment.sh b/gpg/create-environment.sh new file mode 100755 index 00000000..7ee5827b --- /dev/null +++ b/gpg/create-environment.sh 
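Review bot: add-key.sh accepts any `<environment>` and hands it straight to gpg2.sh, which opens `vault-keyring-$NAME.gpg`; for a mistyped name gpg2 may create a fresh keyring rather than fail, and the mistake then surfaces only when `get-vault-pass-$NAME` is not found in the re-encryption pipeline, after the import has already happened. Mirror the check create-environment.sh makes in this commit, inverted, right after `shift`: `if [ ! -e "${BASH_SOURCE%/*}/get-vault-pass-$NAME" ]; then echo "unknown environment '$NAME'"; exit 1; fi`. The same guard is missing in remove-keys.sh, list-keys.sh and set-vault-pass.sh further down in this commit.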
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+if [ -z "$1" ]; then
+ echo "Usage: $0 <environment> [ <keyfile> ]"
+ exit 1
+fi
+NAME="$1"
+shift
+
+if [ -e "${BASH_SOURCE%/*}/get-vault-pass-$NAME" ]; then
+ echo "environment '$NAME' already exists."
+ exit 0
+fi
+
+
+if [ -z "$1" ]; then
+ echo "no keyfile specified, reading from stdin ..."
+fi
+
+"${BASH_SOURCE%/*}/gpg2.sh" "$NAME" --import "$@"
+if [ $? -ne 0 ]; then
+ echo -e "\nERROR: importing key(s) failed."
+ exit 1
+fi
+
+
+### enable this as soon https://github.com/ansible/ansible/issues/18319 has landed
+#ln -s get-vault-pass- "${BASH_SOURCE%/*}/get-vault-pass-$NAME"
+cp "${BASH_SOURCE%/*}/get-vault-pass-" "${BASH_SOURCE%/*}/get-vault-pass-$NAME"
+
+echo ""
+echo "Please type in passphrase:"
+"${BASH_SOURCE%/*}/set-vault-pass.sh" "$NAME"
+if [ $? -ne 0 ]; then
+ echo -e "\nERROR: creating vault password file failed!"
+ exit 1
+fi
+echo ""
+echo "Successfully created vault password file!"
+echo " Don't forget to commit gpg/get-vault-pass-$NAME, gpg/vault-pass-$NAME.gpg and gpg/vault-keyring-$NAME.gpg."
diff --git a/gpg/get-vault-pass- b/gpg/get-vault-pass-
new file mode 100755
index 00000000..37f60413
--- /dev/null
+++ b/gpg/get-vault-pass-
@@ -0,0 +1,2 @@
+#!/bin/bash
+exec "${BASH_SOURCE%/*}/get-vault-pass.sh" "${BASH_SOURCE##*/get-vault-pass-}"
diff --git a/gpg/get-vault-pass-chaos-at-home b/gpg/get-vault-pass-chaos-at-home
new file mode 100755
index 00000000..37f60413
--- /dev/null
+++ b/gpg/get-vault-pass-chaos-at-home
@@ -0,0 +1,2 @@
+#!/bin/bash
+exec "${BASH_SOURCE%/*}/get-vault-pass.sh" "${BASH_SOURCE##*/get-vault-pass-}"
diff --git a/gpg/get-vault-pass-elevate b/gpg/get-vault-pass-elevate
new file mode 100755
index 00000000..37f60413
--- /dev/null
+++ b/gpg/get-vault-pass-elevate
@@ -0,0 +1,2 @@
+#!/bin/bash
+exec "${BASH_SOURCE%/*}/get-vault-pass.sh" "${BASH_SOURCE##*/get-vault-pass-}"
diff --git a/gpg/get-vault-pass-spreadspace b/gpg/get-vault-pass-spreadspace
new file mode 100755
index 00000000..37f60413
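Review bot: If set-vault-pass.sh fails after `Please type in passphrase:`, create-environment.sh exits 1 but has already copied `get-vault-pass-$NAME` into place and imported the key into the keyring; a re-run then hits the `already exists` check and exits 0 without ever producing `vault-pass-$NAME.gpg`, leaving a half-created environment that vault_environment__activate in environment.sh will happily select because it only tests for the stub. Either remove the stub on that failure path, `rm -f "${BASH_SOURCE%/*}/get-vault-pass-$NAME"` before the `exit 1`, or make the existence check also require `vault-pass-$NAME.gpg`. The `get-vault-pass-` template stub is itself executable and, when run directly, calls get-vault-pass.sh with an empty name and prints the usage text; a one-line comment in it saying it is a template to be copied under a suffixed name would save the next reader a puzzle.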
--- /dev/null +++ b/gpg/get-vault-pass-spreadspace @@ -0,0 +1,2 @@ +#!/bin/bash +exec "${BASH_SOURCE%/*}/get-vault-pass.sh" "${BASH_SOURCE##*/get-vault-pass-}" diff --git a/gpg/get-vault-pass.sh b/gpg/get-vault-pass.sh index 202c94f7..6cf2ff9a 100755 --- a/gpg/get-vault-pass.sh +++ b/gpg/get-vault-pass.sh @@ -1,2 +1,20 @@ #!/bin/bash -gpg2 --decrypt --batch < "${BASH_SOURCE%/*}/vault-pass.gpg" 2> /dev/null +if [ -z "$1" ]; then + echo "Usage: $0 <environment>" + exit 1 +fi +NAME="$1" +shift + +gpg2 --decrypt --batch --no-tty --quiet < "${BASH_SOURCE%/*}/vault-pass-$NAME.gpg" + +# Ansible up to including 2.6 seems to have a bug which ignores the setting of 'vault_id_match = True' +# in ansible.cfg (or the equivalent environment variable). +# +# To make it possible to use ansible-vault view as a textconv filter for git, we need to support +# the case that some people do not have access to all vaults. So let's return an invalid +# secret, and pretend success. +if [ $? -ne 0 ]; then + echo This is my secret. There are many others like it, but this one is mine. My secret is my best friend. It is my life. I must master it as I must master my life. Without me, my secret is useless. Without my secret, I am useless. Please do not quote from movies when searching for a passphrase. + exit 0 +fi diff --git a/gpg/gpg2.sh b/gpg/gpg2.sh index 27435ab5..2c0f2157 100755 --- a/gpg/gpg2.sh +++ b/gpg/gpg2.sh @@ -1,2 +1,10 @@ #!/bin/bash -exec gpg2 --keyring "${BASH_SOURCE%/*}/vault-keyring.gpg" --secret-keyring /dev/null --no-options --no-default-keyring --trust-model always $@ + +if [ -z "$1" ]; then + echo "Usage: $0 <environment> [ .. additional parameters passwd on to gpg2 .. ]" + exit 1 +fi +NAME="$1" +shift + +exec gpg2 --keyring "${BASH_SOURCE%/*}/vault-keyring-$NAME.gpg" --secret-keyring /dev/null --no-default-keyring --trust-model always "$@" diff --git a/gpg/list-keys.sh b/gpg/list-keys.sh index 4b010495..4166fa59 100755 --- a/gpg/list-keys.sh +++ b/gpg/list-keys.sh 
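Review bot: The fallback branch in get-vault-pass.sh turns every decryption failure into exit 0 with a fake passphrase on stdout, and this same script is what add-key.sh and remove-keys.sh pipe into set-vault-pass.sh in this commit; if gpg2 fails there (wrong key, agent not running, pinentry cancelled) the fake string is silently encrypted as the new `vault-pass-$NAME.gpg` and the real vault password is overwritten, recoverable only from git history. Restrict the pretend-success to the git textconv use case the comment describes — for example make it conditional on an extra opt-in argument or an environment variable set only in the git config (name is the author's choice) and `exit 1` otherwise — so interactive and script callers see the failure. As a smaller point, `$?` is tested after several comment lines; it still refers to the gpg2 invocation, but placing the `if` directly under the command avoids a future edit slipping a statement between them.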
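Review bot: The new exec line in gpg2.sh drops the `--no-options` the old line had, so the user's `~/.gnupg/gpg.conf` is now consulted for every keyring operation, including the encrypt call set-vault-pass.sh makes; if that is intentional (say, to pick up agent or pinentry settings) a comment stating so would help, otherwise restore the flag, since per-user options can change what gets encrypted and how. The usage string reads `passwd on to gpg2`; it should be `passed on to gpg2` (the same text appears in list-keys.sh).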
@@ -1,2 +1,10 @@ #!/bin/bash -exec "${BASH_SOURCE%/*}/gpg2.sh" --list-keys $@ + +if [ -z "$1" ]; then + echo "Usage: $0 <environment> [ .. additional parameters passwd on to gpg2 .. ]" + exit 1 +fi +NAME="$1" +shift + +exec "${BASH_SOURCE%/*}/gpg2.sh" "$NAME" --list-keys "$@" diff --git a/gpg/remove-keys.sh b/gpg/remove-keys.sh index 80ae1573..d5fd93c3 100755 --- a/gpg/remove-keys.sh +++ b/gpg/remove-keys.sh @@ -1,9 +1,16 @@ #!/bin/bash if [ -z "$1" ]; then + echo "Usage: $0 <environment> [ <key-id> [ <key-id> [ .. ] ] ]" + exit 1 +fi +NAME="$1" +shift + +if [ -z "$1" ]; then echo "Please specify at least one key ID!" echo "" - echo "You can find out the key ID using the command: gpg/list-keys.sh" + echo "You can find out the key ID using the command: ${0%/*}/list-keys.sh $NAME" echo "" echo " Here is an example output:" echo "" @@ -18,18 +25,18 @@ if [ -z "$1" ]; then exit 1 fi -"${BASH_SOURCE%/*}/gpg2.sh" --delete-keys $@ +"${BASH_SOURCE%/*}/gpg2.sh" $NAME --delete-keys $@ if [ $? -ne 0 ]; then - echo -e "\nERROR: removing key(s) failed. Please revert any changes of the file gpg/vault-keyring.gpg." + echo -e "\nERROR: removing key(s) failed. Please revert any changes of the file gpg/vault-keyring-$NAME.gpg." exit 1 fi echo "" -"${BASH_SOURCE%/*}/get-vault-pass.sh" | "${BASH_SOURCE%/*}/set-vault-pass.sh" +"${BASH_SOURCE%/*}/get-vault-pass-$NAME" | "${BASH_SOURCE%/*}/set-vault-pass.sh" "$NAME" if [ $? -ne 0 ]; then echo -e "\nERROR: reencrypting vault password file failed!" - echo " You might want to revert any changes on gpg/vault-pass.gpg and gpg/vault-keyring.gpg!!" + echo " You might want to revert any changes on gpg/vault-pass-$NAME.gpg and gpg/vault-keyring-$NAME.gpg!!" exit 1 fi echo "Successfully reencrypted vault password file!" -echo " Don't forget to commit the changes in gpg/vault-pass.gpg and gpg/vault-keyring.gpg." +echo " Don't forget to commit the changes in gpg/vault-pass-$NAME.gpg and gpg/vault-keyring-$NAME.gpg." 
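Review bot: `"${BASH_SOURCE%/*}/gpg2.sh" $NAME --delete-keys $@` in remove-keys.sh leaves `$NAME` and `$@` unquoted while every other script in this commit writes `"$NAME"` and `"$@"`; quote both so an environment name or key id containing shell metacharacters is not word-split or glob-expanded. The usage hint `${0%/*}/list-keys.sh $NAME` expands to `remove-keys.sh/list-keys.sh` when `$0` has no slash (e.g. `bash remove-keys.sh`), because the `%/*` strips nothing; `$(dirname "$0")/list-keys.sh` handles that case. The enclosing usage block starts before this hunk and the second hunk's `if` ends outside it.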
diff --git a/gpg/set-vault-pass.sh b/gpg/set-vault-pass.sh index 1fb3426c..64191a37 100755 --- a/gpg/set-vault-pass.sh +++ b/gpg/set-vault-pass.sh @@ -1,6 +1,13 @@ #!/bin/bash -keyids=$("${BASH_SOURCE%/*}/gpg2.sh" --list-keys --with-colons --fast-list-mode 2>/dev/null | awk -F: '/^pub/{printf "%s\n", $5}') +if [ -z "$1" ]; then + echo "Usage: $0 <environment>" + exit 1 +fi +NAME="$1" +shift + +keyids=$("${BASH_SOURCE%/*}/list-keys.sh" "$NAME" --with-colons --fast-list-mode 2>/dev/null | awk -F: '/^pub/{printf "%s\n", $5}') if [ -z "$keyids" ]; then echo "ERROR: no keys to encrypt to, is the keyring empty?" exit 1 @@ -12,9 +19,9 @@ for keyid in $keyids; do done -"${BASH_SOURCE%/*}/gpg2.sh" --yes --trust-model always --encrypt -a -o "${BASH_SOURCE%/*}/vault-pass.gpg.$$" $receipients +"${BASH_SOURCE%/*}/gpg2.sh" "$NAME" --yes --encrypt -a -o "${BASH_SOURCE%/*}/vault-pass-$NAME.gpg.$$" $receipients if [ $? -ne 0 ]; then - rm -f "${BASH_SOURCE%/*}/vault-pass.gpg.$$" + rm -f "${BASH_SOURCE%/*}/vault-pass-$NAME.gpg.$$" exit 1 fi -mv "${BASH_SOURCE%/*}/vault-pass.gpg.$$" "${BASH_SOURCE%/*}/vault-pass.gpg" +mv "${BASH_SOURCE%/*}/vault-pass-$NAME.gpg.$$" "${BASH_SOURCE%/*}/vault-pass-$NAME.gpg" diff --git a/gpg/vault-keyring-chaos-at-home.gpg b/gpg/vault-keyring-chaos-at-home.gpg Binary files differnew file mode 100644 index 00000000..864ce7d3 --- /dev/null +++ b/gpg/vault-keyring-chaos-at-home.gpg diff --git a/gpg/vault-keyring-elevate.gpg b/gpg/vault-keyring-elevate.gpg Binary files differnew file mode 100644 index 00000000..161d61bc --- /dev/null +++ b/gpg/vault-keyring-elevate.gpg diff --git a/gpg/vault-keyring.gpg b/gpg/vault-keyring-spreadspace.gpg Binary files differindex 8d2e0443..8d2e0443 100644 --- a/gpg/vault-keyring.gpg +++ b/gpg/vault-keyring-spreadspace.gpg diff --git a/gpg/vault-pass-chaos-at-home.gpg b/gpg/vault-pass-chaos-at-home.gpg new file mode 100644 index 00000000..b69478a6 --- /dev/null +++ b/gpg/vault-pass-chaos-at-home.gpg 
@@ -0,0 +1,19 @@
+-----BEGIN PGP MESSAGE-----
+
+hQIMA+Qd5U24qffPAQ//XhC91fRTgM2g8c9sPYLVakqUrr0ErQNWCUvKCRQxV3TA
+sxgKWdIpuam4mW7HkE96BHGB+qLd//lrq+LM3jCZFUHgGal1XyWgHwAoHNC0y8Cg
+5LKdVyGhDeeh8dSAs9pYouyfwUx3UTG9sFFcm5Nl7KFXP38VHA9ZyerUmC0g7t7F
+l5mQmtK+Nc+ZBrZ5+Yr79U/f1VeKaNX2qkDbBrQmO+VubZ4covr4S1amG34ymvlr
+2mLf+9wV8sGiOikZTzdDyCtO+32BpjuYvfoZnFRpTdCeKa0niFyrzvqFn6C0No9H
+zhIY/SDdfauzLIIvj6WODOW0H6ILVGJ0Eq9KGACTAka+98uhIunHB4MKpOBC01x9
+LLCiISodqIfQuuOHVz4jJqHAwq+MGm0vmoWOfqiNDnOnRCC2kJnMP9K/wynPmXdm
+eLSfOz9/8sOqW0MLL5Ugz0sZr9+5rdISlSf2/oa4ssJb3uUQwlSGkG+2MwD0dEMT
+wowZBJOrGhGtKxzLRzSsErkng/j/arW3NU9Rai9RIzfyUFjDND5SqnTBdWp+AZqc
+YGAeQ1hBTPQzYppx9qgF51p0rGzBmoB9/wC3Td0HavJaswtiwUL4/BATenoMzkG4
+KnB81ZFpkFW1Ze3XilFtmKXXqWpj7dURQ54D4moIwV2dk6dSCKmRumJVREKa5NvS
+vAHID0sr7R7BF4z/IrdElmrXa1HExsPAIkPLeyUeU8fkvToSJ009avz6f68hkWEp
+vR4hzN6Fe14HU4m9NP8Gn7HJsBnym8d93E8KVKcyEdCb9La1FfFHWm2Ado85Vll0
+EN/GMVhrD2sbX4Dz7+TCklx7n+hzZahankBgP4/1ZyTrrUyQvYNuczXPanckmrCV
+DQaYuh+RY1C4bRgQZy47nQzCsYqZpxyn6jH2LvWZWyN9xDuj6vPefphfawqv
+=MPgO
+-----END PGP MESSAGE-----
diff --git a/gpg/vault-pass-elevate.gpg b/gpg/vault-pass-elevate.gpg
new file mode 100644
index 00000000..382a0e3a
--- /dev/null
+++ b/gpg/vault-pass-elevate.gpg
@@ -0,0 +1,19 @@
+-----BEGIN PGP MESSAGE-----
+
+hQIMA+Qd5U24qffPARAAh/hpOPDkQFckrlbmwFYiKtMyzJcHVOeSckFAsGYh0BFa
+MzcbLqdRPGDwZL9yIruc/6ubQv1zqq8MZcvRW7BZkkCzBk5h2BcJ76iMgWfcwte6
+Jc2pmog36GihU9t41BJFtxm6mazEN4JTW3SC6i1boMPEJBOEcSIu8SBAFNGm0nCq
+GL0j9Rw/T/EiMtmjY6c9nMTSnhOtcedpWeBsMPtYoWAo8/ea1kaGHCON+UGs6/4D
+QUhI/ate8RA0vAD6NFkZE9C+uwU22/cyT7pZZTA11ohF32aF4vyVgMf9UY0+MYy0
++msJZps2KRmECcVZiFGQZ2/OwU4tnYq53jUwL1erzADeFAco4vKtc7yVffN/pIn8
+aQ48kaKe9WT064fe92zWJfWF285fyEB8we72j6AmwA5RxIViVvl/2xdCdYNN6yv+
+kqYmdCEBdMHhcDz73K2mCGeqlkB8+DVpeHwtn+TT5J1IeFkCiK2LD2PtpyqV7BTn
+dExQaKtUCbF3+jiPTv6N5ChMbY5ql2roN2zzHgoGVNREGaTxJXnkroJpxaelf4Q3
+ahnNE+/3G16TNCpzYXBNWh9wIHh+6mFhwqKxPy40goW4TMXqSs9+n1MCQhu8GCTH
+8CsW6tK98vBgzbhoWLyyNVa40hdltw4+D0YdRle+YFqHaiXJcf2/FjaLoz+jSXvS
+uwHQGVypRlmepR7lAKTTVCEjBrJ3lnW7LcBsHEKTr1gX+UleiPri5e029BRLcJDR
+PJE4PBi7fp4tAUgSiN6D+mVF0+eXz2px+NVPAeavveMY/oTl8GsPQc/hYtjW9CnM
+nhadEDPSmkaLMkCjR6XApprZtuoPyHPSTFIKGTe4bSU1Ezbpd9XNfXcU2Gz55JEk
+rAvuyAfHqyXB1zzyA3UTPvRDAw0TN72wbMPEg2v5TE8TFB2Q3XoDuZYsN/A=
+=fg/w
+-----END PGP MESSAGE-----
diff --git a/gpg/vault-pass.gpg b/gpg/vault-pass-spreadspace.gpg
index 20130b37..20130b37 100644
--- a/gpg/vault-pass.gpg
+++ b/gpg/vault-pass-spreadspace.gpg
diff --git a/group_vars/spreadspace/vars.yml b/group_vars/spreadspace/vars.yml
deleted file mode 100644
index 30011725..00000000
--- a/group_vars/spreadspace/vars.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-sshserver_root_keys: "{{ [ ssh_keys.equinox.spread ] | join('\n') }}"
-
-acmetool_account_email: equinox@spreadspace.org
diff --git a/group_vars/spreadspace/vault.yml b/group_vars/spreadspace/vault.yml
deleted file mode 100644
index 625cf08f..00000000
--- a/group_vars/spreadspace/vault.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-32323866383432633535336666356561623133626164346637376531333330313938363639303763
-6665643638373736653863366537336432333662396638660a336564616431313330623065643733
-66326231663364303432623839363638303565646438373333653837633235373961656633366333
-6330393836653433610a386633343737646663313764356538653664336539366630313837323739
-38363165373462386230356338396662653634316534343738643438343132616132333238623333
-30313339653537643066343262373339336363333030353538326466653833313638356639316237
-39313632373831613161306535656133363266353133343865373561346266306538363935303538
-30313164356361613265613763616364316330663735653662643937666166316562633339363037
-3733
diff --git a/group_vars/all/vars.yml b/inventory/group_vars/all/main.yml
index 65417f03..65417f03 100644
--- a/group_vars/all/vars.yml
+++ b/inventory/group_vars/all/main.yml
diff --git a/group_vars/elevate/vars.yml b/inventory/group_vars/elevate/main.yml
index 1808db88..1808db88 100644
--- a/group_vars/elevate/vars.yml
+++ b/inventory/group_vars/elevate/main.yml
diff --git a/group_vars/hetzner/vars.yml b/inventory/group_vars/hetzner/main.yml
index 2e5c8b4a..2e5c8b4a 100644
--- a/group_vars/hetzner/vars.yml
+++ b/inventory/group_vars/hetzner/main.yml
diff --git a/group_vars/k8s-emc/vars.yml b/inventory/group_vars/k8s-emc/main.yml
index 6b1344ae..6b1344ae 100644
--- a/group_vars/k8s-emc/vars.yml
+++ b/inventory/group_vars/k8s-emc/main.yml
diff --git a/group_vars/skillz/vars.yml b/inventory/group_vars/skillz/main.yml
index 4d8f679d..4d8f679d 100644
--- a/group_vars/skillz/vars.yml
+++ b/inventory/group_vars/skillz/main.yml
diff --git a/inventory/group_vars/spreadspace/main.yml b/inventory/group_vars/spreadspace/main.yml
new file mode 100644
index 00000000..cfe1ec2b
--- /dev/null
+++ b/inventory/group_vars/spreadspace/main.yml
@@ -0,0 +1,8 @@
+---
+sshserver_root_keys: "{{ [ ssh_keys.equinox.spread ] | join('\n') }}"
+
+acmetool_account_email: equinox@spreadspace.org
+
+blackmagic_desktopvideo_apt:
+ username: "streaming"
+ password: "{{ vault_spreadspace.blackmagic_desktopvideo_apt_password }}"
diff --git a/host_vars/calypso.yml b/inventory/host_vars/calypso.yml
index ff853586..ff853586 100644
--- a/host_vars/calypso.yml
+++ b/inventory/host_vars/calypso.yml
diff --git a/host_vars/dione.yml b/inventory/host_vars/dione.yml
index 75b289c2..75b289c2 100644
--- a/host_vars/dione.yml
+++ b/inventory/host_vars/dione.yml
diff --git a/host_vars/elesearch.yml b/inventory/host_vars/elesearch.yml
index 0e235000..0e235000 100644
--- a/host_vars/elesearch.yml
+++ b/inventory/host_vars/elesearch.yml
diff --git a/host_vars/emc-master.yml b/inventory/host_vars/emc-master.yml
index 95b3062a..95b3062a 100644
--- a/host_vars/emc-master.yml
+++ b/inventory/host_vars/emc-master.yml
diff --git a/host_vars/emc-stats.yml b/inventory/host_vars/emc-stats.yml
index 89352b4f..89352b4f 100644
--- a/host_vars/emc-stats.yml
+++ b/inventory/host_vars/emc-stats.yml
diff --git a/host_vars/helene.yml b/inventory/host_vars/helene.yml
index b40fb069..b40fb069 100644
--- a/host_vars/helene.yml
+++ b/inventory/host_vars/helene.yml
diff --git a/host_vars/sk2013.yml b/inventory/host_vars/sk2013.yml
index 920748c1..920748c1 100644
--- a/host_vars/sk2013.yml
+++ b/inventory/host_vars/sk2013.yml
diff --git a/host_vars/sk2016.yml b/inventory/host_vars/sk2016.yml
index 872223db..872223db 100644
--- a/host_vars/sk2016.yml
+++ b/inventory/host_vars/sk2016.yml
diff --git a/host_vars/telesto.yml b/inventory/host_vars/telesto.yml
index ff853586..ff853586 100644
--- a/host_vars/telesto.yml
+++ b/inventory/host_vars/telesto.yml
diff --git a/host_vars/thetys.yml b/inventory/host_vars/thetys.yml
index ff853586..ff853586 100644
--- a/host_vars/thetys.yml
+++ b/inventory/host_vars/thetys.yml
diff --git a/hosts.ini b/inventory/hosts.ini index 28fb4e4e..771b1b2c 100644 --- a/hosts.ini +++ b/inventory/hosts.ini @@ -1,3 +1,16 @@ +[all:vars] +ansible_host={{ inventory_hostname }}.{{ host_domain }} +ansible_user=root +ansible_port=22000 + + +############################### +# environment: chaos-at-home + +[chaos-at-home:vars] +host_domain=chaos-at-home.org +environment_group=chaos-at-home + [chaos-at-home] prometheus web @@ -9,8 +22,16 @@ pan keyserver mimas + +############################### +# environment: spreadspace + +[spreadspace:vars] +host_domain=spreadspace.org +environment_group=spreadspace + [spreadspace] -ssbuild +build ansible_port=222 calypso telesto thetys @@ -19,27 +40,50 @@ helene emc-test +############################### +# environment: elevate + +[skillz:vars] +host_domain=skillz.biz +environment_group=elevate + [skillz] sk2013 sk2016 sktorrent -[emc-xx] -#emc-0[0:6] -emc-00 +[elevate:vars] +host_domain=elevate.at +environment_group=elevate [elevate] elewolke elestream elemedia elesearch + +[elevate:children] +emc + + +[emc:vars] +host_domain=spreadspace.org + +[emc] emc-stats emc-master -[elevate:children] +[emc:children] emc-xx +[emc-xx] +#emc-0[0:6] +emc-00 + + +############################### +# host categories [kvmhosts] prometheus diff --git a/roles/blackmagic-desktopvideo/defaults/main.yml b/roles/blackmagic-desktopvideo/defaults/main.yml new file mode 100644 index 00000000..8dde7e4d --- /dev/null +++ b/roles/blackmagic-desktopvideo/defaults/main.yml @@ -0,0 +1,4 @@ +--- +blackmagic_desktopvideo_apt: + username: "change-me" +# password: "secret" diff --git a/roles/blackmagic-desktopvideo/tasks/main.yml b/roles/blackmagic-desktopvideo/tasks/main.yml index 632f36ea..5283b628 100644 --- a/roles/blackmagic-desktopvideo/tasks/main.yml +++ b/roles/blackmagic-desktopvideo/tasks/main.yml 
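Review bot: `[emc:vars]` sets `host_domain=spreadspace.org` while its parent `[elevate:vars]` sets `host_domain=elevate.at`; Ansible gives child-group vars precedence over parent-group vars, so emc hosts resolve under spreadspace.org, which looks deliberate but reads like a leftover next to the `# environment: elevate` banner. A comment above the section such as `# emc hosts belong to the elevate environment but live in the spreadspace domain` would stop the next reader from "fixing" it. The `[skillz:vars]` block has the same shape (`host_domain=skillz.biz` with `environment_group=elevate`) and would benefit from the same one-line note.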
@@ -11,7 +11,7 @@ - name: add repository entry apt_repository: - repo: deb https://{{ vault_build_spreadspace_blackmagic.username }}:{{ vault_build_spreadspace_blackmagic.password }}@build.spreadspace.org/ {{ ansible_distribution_release }} blackmagic + repo: "deb https://{{ blackmagic_desktopvideo_apt.username }}:{{ blackmagic_desktopvideo_apt.password }}@build.spreadspace.org/ {{ ansible_distribution_release }} blackmagic" state: present filename: blackmagic mode: 0600 diff --git a/spreadspace/generic.yaml b/spreadspace/generic.yaml new file mode 100644 index 00000000..d3b8de82 --- /dev/null +++ b/spreadspace/generic.yaml @@ -0,0 +1,5 @@ +--- +- name: "Apply role {{ myrole }} to hosts: {{ myhosts }}" + hosts: "{{ myhosts }}" + roles: + - role: "{{ myrole }}" diff --git a/spreadspace/group_vars/spreadspace.yml b/spreadspace/group_vars/spreadspace.yml new file mode 100644 index 00000000..c34fdc8d --- /dev/null +++ b/spreadspace/group_vars/spreadspace.yml @@ -0,0 +1,10 @@ +$ANSIBLE_VAULT;1.2;AES256;spreadspace +31313137643137373839333838343730353634616138643463333262373737356639396539643233 +3839663334323736343239373961353164646565653562390a383831383638383434623863333337 +34366232356438386563643165303735663737373566363038653061323765303466376135303565 +6331623630653931660a626235376639376231633735656333333764643064393834363134663936 +63393563323334373231643237353362653839326235336538363730356364643566303566316665 +64396539333132353131326664323866313161386232393536643733386231643737363962666531 +65336366336435633933666436616261303265326232386639333562323032393832633037636266 +36356262346132663165653530363239316438653637326330636537356234646535376365396538 +6231 |
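Review bot: The rewritten `repo:` line still embeds `username:password` in the apt source URL, and the `apt_repository` task has no `no_log`, so the secret is printed in the task result whenever the task changes or fails and in any verbose run; add `no_log: true` to the task (the task's surrounding context, including its other keys, lies outside this hunk). The `mode: 0600` on the sources file limits exposure on disk but not in Ansible output or logs. Longer term, apt reads credentials from `/etc/apt/auth.conf.d/`, which would keep the password out of the sources entry altogether and let the role drop the per-file mode workaround.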