- hosts: bridge.openstack.org
  name: "Bridge: configure the bastion host"
  become: true
  roles:
    - pip3
    # Note for production use we expect to take the defaults; unit
    # test jobs override this to test with latest upstream ansible.
    # For example, if there is a fix on the ansible stable branch we
    # need that is unreleased, you could do the following:
    #
    #  install_ansible_name: '{{ bridge_ansible_name | default("git+https://github.com/ansible/ansible.git@stable-2.7") }}'
    #  install_ansible_version: '{{ bridge_ansible_version | default(None) }}'
    - role: install-ansible
      install_ansible_name: '{{ bridge_ansible_name | default("ansible") }}'
      install_ansible_version: '{{ bridge_ansible_version | default("2.7.3") }}'
      install_ansible_openstacksdk_name: '{{ bridge_openstacksdk_name | default("openstacksdk") }}'
      install_ansible_openstacksdk_version: '{{ bridge_openstacksdk_verison | default("latest") }}'
      # NOTE(ianw): At 2018-12, ARA is only enabled during gate
      # testing jobs as we decide if or how to store data on
      # production bridge.o.o
      install_ansible_ara_name: '{{ bridge_ara_name | default("ara") }}'
      install_ansible_ara_version: '{{ bridge_ara_version | default("0.16.1") }}'
    - root-keys
    - ansible-cron
    - cloud-launcher-cron
  tasks:
    - name: Allow Zuul to trigger Ansible
      authorized_key:
        state: present
        user: root
        key: "{{ item }}"
      loop:
        - "https://zuul.openstack.org/api/project-ssh-key/openstack-infra/system-config.pub"
        - "https://zuul.openstack.org/api/project-ssh-key/openstack-infra/project-config.pub"