add VM and docker compose for concourse

ansible/inventory/hosts.yml

@@ -1,4 +1,8 @@
 all:
+  hosts:
+    concourse:
+      ansible_user: root
+      ansible_host: concourse.dmz
   children:
     dataserver:
       hosts:

ansible/playbooks/concourse.yml

@@ -0,0 +1,15 @@
+- name: Install Concourse
+  hosts: concourse
+
+  pre_tasks:
+    - name: Delete externally managed environment file
+      shell:
+        cmd: "rm /usr/lib/python*/EXTERNALLY-MANAGED"
+      register: rm
+      changed_when: "rm.rc == 0"
+      failed_when: "false"
+
+  roles:
+    - {role: apt, tags: apt}
+    - {role: docker, tags: docker}
+    - {role: concourse, tags: concourse}

ansible/playbooks/lewis.yml

@@ -51,4 +51,3 @@
   roles:
     - {role: apt, tags: apt}
     - {role: deploy_ssh_certificates, tags: deploy_ssh_certificates}
-    - {role: docker, tags: docker}

ansible/roles/concourse/docker-compose.yml.j2

@@ -0,0 +1,38 @@
+# vi: ft=yaml
+version: '3'
+
+services:
+  concourse-db:
+    image: postgres
+    environment:
+      POSTGRES_DB: concourse
+      POSTGRES_PASSWORD: {{ postgres_password }}
+      POSTGRES_USER: concourse_user
+      PGDATA: /database
+    volumes:
+      - /mnt/data/concourse:/database
+
+  concourse:
+    image: concourse/concourse
+    command: quickstart
+    privileged: true
+    depends_on: [concourse-db]
+    ports: ["3000:8080"]
+    environment:
+      CONCOURSE_POSTGRES_HOST: concourse-db
+      CONCOURSE_POSTGRES_USER: concourse_user
+      CONCOURSE_POSTGRES_PASSWORD: {{ postgres_password }}
+      CONCOURSE_POSTGRES_DATABASE: concourse
+      CONCOURSE_EXTERNAL_URL: https://concourse.pim.kunis.nl:444
+      CONCOURSE_ADD_LOCAL_USER: admin:{{ admin_password }}
+      CONCOURSE_MAIN_TEAM_LOCAL_USER: test
+      # instead of relying on the default "detect"
+      CONCOURSE_WORKER_BAGGAGECLAIM_DRIVER: overlay
+      CONCOURSE_CLIENT_SECRET: {{ client_secret }}
+      CONCOURSE_TSA_CLIENT_SECRET: {{ client_secret }}
+      CONCOURSE_X_FRAME_OPTIONS: allow
+      CONCOURSE_CONTENT_SECURITY_POLICY: "*"
+      CONCOURSE_CLUSTER_NAME: tutorial
+      CONCOURSE_WORKER_CONTAINERD_DNS_SERVER: "192.168.30.8"
+      # For ARM-based machine, change the Concourse runtime to "houdini"
+      CONCOURSE_WORKER_RUNTIME: "containerd"

ansible/roles/concourse/tasks/main.yml

@@ -0,0 +1,15 @@
+- name: Create working directory
+  file:
+    path: /srv/concourse
+    state: directory
+
+- name: Copy Docker compose
+  template:
+    src: "{{ role_path }}/docker-compose.yml.j2"
+    dest: /srv/concourse/docker-compose.yml
+
+- name: Start the Docker Compose
+  docker_compose:
+    project_src: /srv/concourse
+    pull: true
+    remove_orphans: true

ansible/roles/concourse/vars/main.yml

@@ -0,0 +1,25 @@
+admin_password: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  64656535303535626562666132643334616133313463336437623732313265313963376234316630
+  3966346366383561333938613332326132623431376264360a343664386634626133346263633337
+  66643161393166303831303764623930633232666135303962616230613638303339396264396338
+  6230396530616466370a393036366434613933306161366661626138346236643238643130636337
+  62633861393338643639623866366161396232636465636163626233316663396665666435643836
+  6436346533356165646230643435366432313764326630343633
+client_secret: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  34363932333537356530353931636537376364663431346136373834313638616266643238326265
+  3634316131636232336134666662356565386132326666300a363362663438636461626134376635
+  61653261383336313261626664373830313038366462613464356139386535613138313037643835
+  3630363033623434300a306263323163623766316238363635373834323165626533656330323535
+  36613833616538613864393735366137613631356538323533396437343566396138363636333136
+  62353636666639343037663230333961366565323839363362616239313133346666663634366662
+  643433346433616430646335383864643466
+postgres_password: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  62616561343739636436323266306137653363313038636166303731383037613337643962313038
+  3066393231613665613836356638636166393638386432660a656134323633313963336331333262
+  30353065633264616161363661386466353665303561393337366666623239323734393831633439
+  3263653064313533330a383161366130633231356466663363643664343062323561623438663862
+  39333466386563336631346538383533623961653434343663653138306531333165646431376236
+  3864333365353437666566363266323932636533626530333466

terraform/.gitignore

@@ -10,8 +10,8 @@ crash.log
 crash.*.log
 
 # Exclude all .tfvars files, which are likely to contain sensitive data, such as
-# password, private keys, and other secrets. These should not be part of version 
-# control as they are data points which are potentially sensitive and subject 
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
 # to change depending on the environment.
 *.tfvars
 *.tfvars.json
@@ -34,3 +34,5 @@ override.tf.json
 terraform.rc
 .terraform.lock.hcl
 *.tfbackend
+
+.vault_password

terraform/main.tf

@@ -1,6 +1,6 @@
 terraform {
   backend "pg" {
-    schema_name = "alexander"
+    schema_name = "concourse"
     conn_str    = "postgres://terraform@10.42.0.1/terraform_state"
   }
 
@@ -15,12 +15,10 @@ provider "libvirt" {
   uri = "qemu+ssh://root@lewis.hyp/system"
 }
 
-module "alexander" {
-  source          = "git::https://git.pim.kunis.nl/home/tf-modules.git//debian"
-  name            = "alexander"
-  domain_name     = "tf-alexander"
+module "concourse" {
+  source      = "git::https://git.pim.kunis.nl/home/tf-modules.git//debian"
+  name        = "concourse"
+  domain_name = "tf-concourse"
+  memory      = 1024 * 4
   hypervisor_host = "lewis.hyp"
-  mac             = "CA:FE:C0:FF:EE:0B"
-  memory          = 1024 * 2
-  insecure_password = true
 }