3ec0861e6b
This adds a script that will wrap emacs with gpg-agent when editing the secrets file. This avoids issues with rogue gpg-agents running on the system. Change-Id: Ic3cc73b5c25eab2ede41d8ca05b5695b817973d9
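---
# Configures bridge.openstack.org as the bastion host: installs pip3 and
# Ansible (plus openstacksdk and ARA), applies the root-keys, cron and
# edit-secrets-script roles, and authorizes Zuul's project SSH keys for root.
- hosts: bridge.openstack.org
  name: "Bridge: configure the bastion host"
  become: true
  roles:
    - pip3
    # Production is expected to take the defaults below; unit test jobs
    # override them to test against the latest upstream Ansible.  For
    # example, if a needed fix is on the Ansible stable branch but not
    # yet released, you could do the following:
    #
    #  install_ansible_name: '{{ bridge_ansible_name | default("git+https://github.com/ansible/ansible.git@stable-2.7") }}'
    #  install_ansible_version: '{{ bridge_ansible_version | default(None) }}'
    - role: install-ansible
      install_ansible_name: '{{ bridge_ansible_name | default("ansible") }}'
      install_ansible_version: '{{ bridge_ansible_version | default("2.7.3") }}'
      install_ansible_openstacksdk_name: '{{ bridge_openstacksdk_name | default("openstacksdk") }}'
      # The override variable was originally misspelled "verison", so a job
      # setting bridge_openstacksdk_version was silently ignored.  The correct
      # spelling is now honored first; the misspelled name stays as a fallback
      # so existing overrides keep working.
      # NOTE(review): unlike Ansible and ARA, the default here is the unpinned
      # "latest", so whatever is published upstream at run time is what gets
      # installed on the bastion -- confirm this is intentional for production.
      install_ansible_openstacksdk_version: '{{ bridge_openstacksdk_version | default(bridge_openstacksdk_verison | default("latest")) }}'
      # NOTE(ianw): At 2018-12, ARA is only enabled during gate
      # testing jobs as we decide if or how to store data on
      # production bridge.o.o
      install_ansible_ara_name: '{{ bridge_ara_name | default("ara") }}'
      install_ansible_ara_version: '{{ bridge_ara_version | default("0.16.1") }}'
    - root-keys
    - ansible-cron
    - cloud-launcher-cron
    - edit-secrets-script
  tasks:
    # Each loop item is a URL, so the public key is fetched over HTTPS when
    # the play runs and appended to root's authorized_keys.  Root access to
    # the bastion therefore rests on the integrity of that endpoint and on
    # TLS verification; validate_certs is stated explicitly (it is the module
    # default) so that dependency is visible and not disabled by accident.
    - name: Allow Zuul to trigger Ansible
      authorized_key:
        state: present
        user: root
        key: "{{ item }}"
        validate_certs: true
      loop:
        - "https://zuul.openstack.org/api/project-ssh-key/openstack-infra/system-config.pub"
        - "https://zuul.openstack.org/api/project-ssh-key/openstack-infra/project-config.pub"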