Add ostree.baserock.org system

This is a new instance that can be used as an artifact cache by the
BuildStream build tool. Anyone can download artifacts over HTTPS.
Those given SSH access to the machine can write to the artifact cache
(this will likely be limited to automated build machines).

DNS is now set to point cache.baserock.org and ostree.baserock.org to
the HAProxy frontend.

The SSL certificate for the frontend-haproxy system has been regenerated
to include the cache.baserock.org and ostree.baserock.org domains.

3 files changed, 92 insertions, 0 deletions

diff --git a/baserock_ostree/image-config.yml b/baserock_ostree/image-config.yml
new file mode 100644
index 00000000..24e8be9b
--- /dev/null
+++ b/baserock_ostree/image-config.yml
@@ -0,0 +1,54 @@
+# System configuration for Baserock OStree cache server.
+#
+# Tested against Fedora 25 base image.
+---
+- hosts: ostree
+  gather_facts: false
+  sudo: yes
+  tasks:
+  # See: https://fedoramagazine.org/getting-ansible-working-fedora-23/
+  - name: install Python2 and required deps for Ansible modules
+    raw: dnf install -y python2 python2-dnf libselinux-python
+
+  - name: enable persistant journal
+    shell: mkdir /var/log/journal
+    args:
+      creates: /var/log/journal
+
+  - name: ensure system up to date
+    dnf: name=* state=latest
+
+  - name: install lvm2 tools
+    dnf: name=lvm2 state=latest
+
+  - name: lighttpd installed
+    dnf: name=lighttpd state=latest
+
+  - name: ostree installed
+    dnf: name=ostree state=latest
+
+  # We only need BuildStream for the bst-artifact-receive hook, but it's
+  # easiest to install all the deps
+  - name: buildstream dep - bubblewrap
+    dnf: name=bubblewrap state=latest
+  - name: buildstream dep - git
+    dnf: name=git state=latest
+  - name: buildstream dep - python3-gobject
+    dnf: name=python3-gobject state=latest
+  - name: buildstream dep - python3-pip
+    dnf: name=python3-pip state=latest
+
+  - name: buildstream sources
+    git: dest=/home/fedora/buildstream repo=https://gitlab.com/buildstream/buildstream version=dd15b1ba494c4725fd452b6723ff799d1708830c
+
+  - name: buildstream installed
+    command: /usr/bin/pip3 install .
+    args:
+      chdir: /home/fedora/buildstream
+      creates: /usr/bin/bst-artifact-receive
+
+  - name: disable SELinux on subsequent boots
+    selinux: state=disabled
+
+  - name: disable SELinux on current boot
+    command: setenforce 0
diff --git a/baserock_ostree/instance-config.yml b/baserock_ostree/instance-config.yml
new file mode 100644
index 00000000..6afe49f5
--- /dev/null
+++ b/baserock_ostree/instance-config.yml
@@ -0,0 +1,26 @@
+# Instance configuration for Baserock OStree cache server.
+#
+# Tested against Fedora 25 base image.
+---
+- hosts: ostree
+  gather_facts: false
+  sudo: yes
+  tasks:
+  - include: ../tasks/create-data-volume.yml lv_name=ostree lv_size=290g mountpoint=/srv
+
+  - name: data directory
+    file: mode=0755 owner=lighttpd group=lighttpd path=/srv/ostree/ state=directory
+
+  - name: cache repository
+    command: ostree init --repo=/srv/ostree/cache --mode=archive-z2
+    sudo_user: lighttpd
+    args:
+      creates: /srv/ostree/cache/config
+
+  - name: lighttpd configuration
+    copy:
+      src: lighttpd.conf
+      dest: /etc/lighttpd/lighttpd.conf
+
+  - name: restart lighttpd server
+    service: name=lighttpd enabled=yes state=restarted
diff --git a/baserock_ostree/lighttpd.conf b/baserock_ostree/lighttpd.conf
new file mode 100644
index 00000000..0126c723
--- /dev/null
+++ b/baserock_ostree/lighttpd.conf
@@ -0,0 +1,12 @@
+server.document-root = "/srv/ostree/"
+
+server.modules += (
+   "mod_access",
+   "mod_accesslog",
+   "mod_dirlisting",
+)
+
+server.errorlog   = "/var/log/lighttpd/error.log"
+accesslog.filename = "/var/log/lighttpd/access.log"
+
+server.dir-listing = "enable"