~damien/infrastructure

Miscellaneous files and tools for my personal infrastructure.
Latest commits: "Finish initial v2 feature parity work"; "Fix some cert paths in fabio job"

Clone (read-only): https://git.sr.ht/~damien/infrastructure
Clone (read/write): git@git.sr.ht:~damien/infrastructure

# My Infrastructure

This repository contains the tools and utilities used to run my personal Hashistack cluster: Consul, Nomad, and Vault, provisioned with Terraform and running on Linode with openSUSE.

# Folder overview

  • artifacts: Miscellaneous runtime artifacts, intended to be accessible via Minio, S3, or similar.
  • certs: Consul, Nomad, and Vault each communicate over TLS using their own certificate authority; the CA certificates are defined here.
  • config: Various configuration files, mostly for Consul, Nomad, and Vault.
  • firewall: firewalld service and zone definitions.
  • jobs: Nomad job definitions.
  • packer: Packer image file. Not used, but maybe at some point.
  • policies: Vault policy definitions.
  • scripts: Scripts to be provisioned on cluster members.
  • services: systemd service definitions for Consul, Nomad, and Vault.
  • stackscripts: Linode StackScripts; only one currently, used for the first step of provisioning new members.
  • support: Helpful files to be provisioned on the support box.
  • terraform: Terraform definition files, used for provisioning.
  • tools: Scripts to be used on a support box.

# Viewing the UIs

The Consul, Nomad, and Vault UIs require a client certificate, and each service has its own CA, so to view a UI you need a client certificate bundle signed by that service's CA. Signing needs the CA's private key, which is why the bundle is generated where that key is held rather than on your desktop; scp the bundle to your desktop and import it into your browser. In Firefox, go to Preferences -> Privacy & Security -> Certificates -> View Certificates and import the bundle from the "Your Certificates" pane. Firefox also has to trust the service's CA certificate (the "Authorities" pane); otherwise it will warn about the server certificate even though your client certificate is accepted.

For example, to generate a bundle suitable for use with Nomad, run:

$ generate-client-cert-bundle nomad

OpenSSL will prompt you for an export passphrase, and then you should see nomad.p12 in the current directory. This is the file that should be imported into Firefox. It contains the client certificate together with its private key, so treat it as a credential: protect the passphrase and delete the file once it has been imported.

# Notes

# Issuing Certificates

Use the issue-cert script from tools. Each service has its own CA, so issue the certificate from the CA of the service it is for: a certificate issued by the Nomad CA is not accepted by Consul or Vault.
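As an added illustration (example code written for this page, not the repository's issue-cert or generate-client-cert-bundle scripts), the following Go program shows what those tools do underneath: one self-signed CA per service, a client-auth certificate signed by that CA, and the chain check a server performs when the browser presents it. It also shows why per-service CAs matter: a certificate issued by the "nomad" CA fails verification against the "consul" CA. The type and function names are this example's own, and the final .p12 step is left to `openssl pkcs12 -export` on the PEM output, since Go's standard library has no PKCS#12 writer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CA is one service's certificate authority (as in certs/); names here are the example's own.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// sign builds a certificate from tmpl, signed with parent's key, and parses it back.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA creates a self-signed CA for one service, e.g. "nomad".
func NewCA(service string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: service + " CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key}, nil
}

// IssueClientCert signs a browser (client-auth) certificate for cn. The CA key
// only signs; the client's own key is generated here and goes into the .p12.
func (ca *CA) IssueClientCert(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(0, 0, 30), // short-lived: it sits in a browser profile
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	cert, err := sign(tmpl, ca.Cert, &key.PublicKey, ca.Key)
	return cert, key, err
}

// VerifyClientCert is the server-side check: the presented cert must chain to this
// CA and carry the client-auth EKU. A cert from another service's CA fails here.
func (ca *CA) VerifyClientCert(cert *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// PEMBundle returns cert and key as PEM, the inputs "openssl pkcs12 -export"
// packs into a .p12 (the Go standard library has no PKCS#12 writer).
func PEMBundle(cert *x509.Certificate, key *ecdsa.PrivateKey) (string, error) {
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})) +
		string(pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})), nil
}

func main() {
	nomad, _ := NewCA("nomad")
	cert, key, _ := nomad.IssueClientCert("damien")
	bundle, _ := PEMBundle(cert, key)
	fmt.Print(bundle)
}
```

Running it prints a PEM certificate followed by its private key; piping that into `openssl pkcs12 -export` produces the same kind of nomad.p12 the bundle script does. The 30-day lifetime on the client certificate is a design choice for credentials that live in a browser profile, not something the repository's scripts are known to do.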

# Querying the raw Consul API

Consul is configured to listen for API requests over a Unix socket, so on a Consul node you can query its HTTP API with curl's --unix-socket option. The host part of the URL is ignored when dialing a socket, and Consul's API paths start at /v1 (there is no /api prefix). If ACLs are enabled, add the token with -H "X-Consul-Token: ...".

$ curl --unix-socket /var/run/consul/consul_https.sock http://localhost/v1/agent/checks
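The same query from a program, as an added example that is not part of the repository: an http.Client whose dialer connects to the Unix socket, a call to /v1/agent/checks, and a filter for checks that are not passing. Because a real agent is not available here, the example serves a constructed two-check response on a temporary socket; point NewUnixSocketClient at /var/run/consul/consul_https.sock instead to talk to the real agent. Function names and the sample response are this example's own.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net"
	"net/http"
	"os"
	"path/filepath"
	"sort"
)

// Check is the subset of a Consul agent check used here (real field names
// from /v1/agent/checks; only a few of them).
type Check struct {
	Name   string `json:"Name"`
	Status string `json:"Status"`
	Output string `json:"Output"`
}

// NewUnixSocketClient returns an http.Client that dials the given Unix socket
// for every request; the host in the request URL is ignored by this dialer.
func NewUnixSocketClient(socketPath string) *http.Client {
	return &http.Client{Transport: &http.Transport{
		DialContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
			var d net.Dialer
			return d.DialContext(ctx, "unix", socketPath)
		},
	}}
}

// AgentChecks fetches /v1/agent/checks (Consul's API has no /api prefix) and
// returns the checks keyed by check ID, as the agent reports them. token is
// sent as X-Consul-Token when non-empty, which ACL-enabled agents require.
func AgentChecks(client *http.Client, token string) (map[string]Check, error) {
	req, err := http.NewRequest(http.MethodGet, "http://consul/v1/agent/checks", nil)
	if err != nil {
		return nil, err
	}
	if token != "" {
		req.Header.Set("X-Consul-Token", token)
	}
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		body, _ := io.ReadAll(resp.Body)
		return nil, fmt.Errorf("consul: %s: %s", resp.Status, body)
	}
	var checks map[string]Check
	if err := json.NewDecoder(resp.Body).Decode(&checks); err != nil {
		return nil, err
	}
	return checks, nil
}

// FailingChecks returns the IDs of checks whose status is not "passing", sorted.
func FailingChecks(checks map[string]Check) []string {
	var ids []string
	for id, c := range checks {
		if c.Status != "passing" {
			ids = append(ids, id)
		}
	}
	sort.Strings(ids)
	return ids
}

// ServeFakeAgent answers on a Unix socket with a constructed two-check response
// so the example runs without a real Consul. Close the listener to stop it.
func ServeFakeAgent(socketPath string) (net.Listener, error) {
	ln, err := net.Listen("unix", socketPath)
	if err != nil {
		return nil, err
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/v1/agent/checks", func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"service:fabio":{"Name":"Service 'fabio' check","Status":"passing","Output":"HTTP GET 200"},`+
			`"serfHealth":{"Name":"Serf Health Status","Status":"critical","Output":"Agent not live or unreachable"}}`)
	})
	go http.Serve(ln, mux)
	return ln, nil
}

func main() {
	// Real use: NewUnixSocketClient("/var/run/consul/consul_https.sock") and no fake agent.
	dir, err := os.MkdirTemp("", "consul-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	sock := filepath.Join(dir, "consul.sock")
	ln, err := ServeFakeAgent(sock)
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	checks, err := AgentChecks(NewUnixSocketClient(sock), os.Getenv("CONSUL_HTTP_TOKEN"))
	if err != nil {
		panic(err)
	}
	fmt.Println("failing checks:", FailingChecks(checks))
}
```

The socket's filesystem permissions are the access control here: anyone who can connect to it can read the agent's state, so the socket should be readable only by the users and groups that need it.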

# Finding largest packages

Use this command to find the largest installed RPM packages, normally used when setting up the Packer build to remove large unneeded packages:

$ rpm -qa --queryformat '%10{size} - %-25{name} \t %{version}\n' | sort -n

# Vault Cluster Setup

  1. Initialize and unseal the Vault
  2. Mount a K/V v2 engine at secret/
  3. Write the policies defined in policies/
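Those three steps, driven through Vault's HTTP API, as an added example that is not the repository's own tooling: it calls PUT /v1/sys/init, feeds unseal keys to PUT /v1/sys/unseal until Vault reports unsealed, enables a KV v2 engine with POST /v1/sys/mounts/secret, and uploads each policy with PUT /v1/sys/policies/acl/<name>. The client struct, the VAULT_ADDR lookup and the single "nomad-server" policy are this example's assumptions standing in for the policies/ directory; the client must trust the Vault CA from certs/, which is left to the system trust store here.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"os"
)

// Vault is a minimal client for the sys/ endpoints the setup needs; names are the example's own.
type Vault struct {
	Addr   string // e.g. https://127.0.0.1:8200; Client must trust the Vault CA from certs/
	Token  string // root token after init, sent as X-Vault-Token
	Client *http.Client
}

// InitResult is the subset of the PUT /v1/sys/init response used here.
type InitResult struct {
	KeysB64   []string `json:"keys_base64"`
	RootToken string   `json:"root_token"`
}

// do sends one JSON request and decodes the response into out when out is non-nil.
func (v *Vault) do(method, path string, body, out any) error {
	var buf bytes.Buffer
	if err := json.NewEncoder(&buf).Encode(body); err != nil {
		return err
	}
	req, err := http.NewRequest(method, v.Addr+path, &buf)
	if err != nil {
		return err
	}
	if v.Token != "" {
		req.Header.Set("X-Vault-Token", v.Token)
	}
	resp, err := v.Client.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode >= 300 {
		msg, _ := io.ReadAll(resp.Body)
		return fmt.Errorf("%s %s: %s: %s", method, path, resp.Status, msg)
	}
	if out == nil {
		return nil
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// Unseal submits keys one at a time and stops as soon as Vault reports unsealed.
func (v *Vault) Unseal(keys []string) error {
	for _, k := range keys {
		var st struct{ Sealed bool `json:"sealed"` }
		if err := v.do(http.MethodPut, "/v1/sys/unseal", map[string]string{"key": k}, &st); err != nil {
			return err
		}
		if !st.Sealed {
			return nil
		}
	}
	return fmt.Errorf("vault still sealed after %d keys", len(keys))
}

// Bootstrap runs the README's steps in order: init and unseal, mount KV v2 at
// secret/, then write each policy (policies stands in for the policies/ directory).
func Bootstrap(v *Vault, policies map[string]string) (*InitResult, error) {
	var res InitResult
	initReq := map[string]int{"secret_shares": 5, "secret_threshold": 3}
	if err := v.do(http.MethodPut, "/v1/sys/init", initReq, &res); err != nil {
		return nil, err
	}
	v.Token = res.RootToken // everything after init is authenticated with the root token
	if err := v.Unseal(res.KeysB64); err != nil {
		return nil, err
	}
	mount := map[string]any{"type": "kv", "options": map[string]string{"version": "2"}}
	if err := v.do(http.MethodPost, "/v1/sys/mounts/secret", mount, nil); err != nil {
		return nil, err
	}
	for name, hcl := range policies {
		if err := v.do(http.MethodPut, "/v1/sys/policies/acl/"+name, map[string]string{"policy": hcl}, nil); err != nil {
			return nil, err
		}
	}
	return &res, nil
}

func main() {
	v := &Vault{Addr: os.Getenv("VAULT_ADDR"), Client: http.DefaultClient}
	policies := map[string]string{"nomad-server": `path "secret/data/nomad/*" { capabilities = ["read"] }`} // constructed
	if _, err := Bootstrap(v, policies); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("initialised: split the unseal keys among their holders and revoke the root token when done")
}
```

The init response is the most sensitive output this cluster will ever produce: the program deliberately does not print the unseal keys or the root token, and the root token should be revoked once the policies and a less privileged auth method are in place.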