~damien/infrastructure

745cdefd136505d17e01ee823519f4d73e5fab99 — Damien Radtke 3 months ago 41e11f7
Try out Packer again for image building
9 files changed, 371 insertions(+), 115 deletions(-)

D certs/consul-ca.pem
A certs/consul-ca.pem
D certs/nomad-ca.pem
A certs/nomad-ca.pem
D certs/vault-ca.pem
A certs/vault-ca.pem
D packer/image.json
A packer/image.pkr.hcl
A packer/scripts/install-hashicorp.sh
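--- a/certs/consul-ca.pem
+++ b/certs/consul-ca.pem
@@ -1,1 +0,0 @@
-/etc/ssl/consul/ca.pem
\ No newline at end of file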

A certs/consul-ca.pem => certs/consul-ca.pem +21 -0
@@ 0,0 1,21 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

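--- a/certs/nomad-ca.pem
+++ b/certs/nomad-ca.pem
@@ -1,1 +0,0 @@
-/etc/ssl/nomad/ca.pem
\ No newline at end of file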

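--- a/certs/nomad-ca.pem
+++ b/certs/nomad-ca.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB0zCCAXqgAwIBAgIUd4pPhLhydqq03M4jh5ZH0f8X9wkwCgYIKoZIzj0EAwIw
+SDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp
+c2NvMRQwEgYDVQQDEwtleGFtcGxlLm5ldDAeFw0xOTA2MTAxNzU0MDBaFw0yNDA2
+MDgxNzU0MDBaMEgxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMN
+U2FuIEZyYW5jaXNjbzEUMBIGA1UEAxMLZXhhbXBsZS5uZXQwWTATBgcqhkjOPQIB
+BggqhkjOPQMBBwNCAATr8+EV1u8DRUqTOAiH6BGiM4CUJBsQROgVPRRSqje8Sszd
+8bh9PMWzPcf/GOEVyGCoqaTaMGj4fClH48CkFxQ8o0IwQDAOBgNVHQ8BAf8EBAMC
+AQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUVTcurQ7sq3zXEZ+SJTscQHRv
+54wwCgYIKoZIzj0EAwIDRwAwRAIgMpl9k9KouqRUQ8piZOOT7IJBfer5R2NyXYtf
+aNzGdvUCIESia5RHdx687se2gNpQwv4tB5wF/YC8StAXBP/Tr7u/
+-----END CERTIFICATE-----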

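--- a/certs/vault-ca.pem
+++ b/certs/vault-ca.pem
@@ -1,1 +0,0 @@
-/etc/ssl/vault/ca.pem
\ No newline at end of file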

A certs/vault-ca.pem => certs/vault-ca.pem +12 -0
@@ 0,0 1,12 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

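--- a/packer/image.json
+++ b/packer/image.json
@@ -1,112 +0,0 @@
-{
-  "variables": {
-    "linode_token": "c35ce850334f2bfed24c6ae0c404981c642da4813c69cfd9a63affa2346797b2",
-    "consul_version": "1.7.2",
-    "nomad_version": "0.10.5",
-    "vault_version": "1.3.4"
-  },
-  "builders": [
-    {
-      "type": "linode",
-      "linode_token": "{{user `linode_token`}}",
-
-      "region": "ca-central",
-      "swap_size": 256,
-      "image": "linode/opensuse15.1",
-      "instance_type": "g6-nanode-1",
-      "instance_label": "cluster-imaging-{{timestamp}}",
-
-      "image_label": "cluster-image-{{timestamp}}",
-      "image_description": "Image representing a cluster member",
-
-      "ssh_username": "root"
-    }
-  ],
-  "provisioners": [
-    {
-      "type": "shell",
-      "inline": ["zypper --non-interactive install wget jq firewalld moreutils"]
-    },
-    {
-      "type": "shell",
-      "inline": ["zypper --non-interactive remove gtk2 gtk3 cups ghostscript desktop-translations adwaita-icon-theme gstreamer"]
-    },
-    {
-      "type": "shell",
-      "inline": [
-        "groupadd consul; mkdir /var/lib/consul /etc/consul.d /etc/ssl/consul; useradd --home-dir /var/lib/consul --gid consul consul; chown consul:consul /var/lib/consul /etc/consul.d /etc/ssl/consul",
-        "groupadd nomad; mkdir /var/lib/nomad /etc/nomad.d /etc/ssl/nomad; useradd --home-dir /var/lib/nomad --gid nomad --gid consul nomad; chown nomad:nomad /var/lib/nomad /etc/nomad.d /etc/ssl/nomad",
-        "groupadd vault; mkdir /var/lib/vault /etc/vault.d /etc/ssl/vault; useradd --home-dir /var/lib/vault --gid vault --gid consul vault; chown vault:vault /var/lib/vault /etc/vault.d /etc/ssl/vault"
-      ]
-    },
-    {
-      "type": "file",
-      "source": "config/consul/base.hcl",
-      "destination": "/etc/consul.d/base.hcl"
-    },
-    {
-      "type": "file",
-      "source": "config/nomad/base.hcl",
-      "destination": "/etc/nomad.d/base.hcl"
-    },
-    {
-      "type": "file",
-      "source": "config/vault/base.hcl",
-      "destination": "/etc/vault.d/vault.hcl"
-    },
-    {
-      "type": "file",
-      "source": "scripts/",
-      "destination": "/usr/local/bin"
-    },
-    {
-      "type": "file",
-      "source": "firewall/services/",
-      "destination": "/etc/firewalld/services"
-    },
-    {
-      "type": "file",
-      "source": "firewall/zones/",
-      "destination": "/etc/firewalld/zones"
-    },
-    {
-      "type": "file",
-      "source": "services/",
-      "destination": "/etc/systemd/system"
-    },
-    {
-      "type": "file",
-      "source": "/etc/ssl/consul/ca.pem",
-      "destination": "/etc/ssl/consul/ca.pem"
-    },
-    {
-      "type": "file",
-      "source": "/etc/ssl/nomad/ca.pem",
-      "destination": "/etc/ssl/nomad/ca.pem"
-    },
-    {
-      "type": "file",
-      "source": "config/cfssl.json",
-      "destination": "/etc/ssl/cfssl.json"
-    },
-    {
-      "type": "file",
-      "source": "/etc/ssl/vault/ca.pem",
-      "destination": "/etc/ssl/vault/ca.pem"
-    },
-    {
-      "type": "file",
-      "source": "config/profile.local",
-      "destination": "/etc/profile.local"
-    },
-    {
-      "type": "shell",
-      "inline": [
-        "wget --quiet -O /usr/local/bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64; chmod +x /usr/local/bin/cfssl",
-        "install-hashicorp.sh consul {{user `consul_version`}}",
-        "install-hashicorp.sh nomad {{user `nomad_version`}}",
-        "install-hashicorp.sh vault {{user `vault_version`}}"
-      ]
-    }
-  ]
-}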

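--- a/packer/image.pkr.hcl
+++ b/packer/image.pkr.hcl
@@ -0,0 +1,146 @@
+packer {
+  required_plugins {
+    linode = {
+      version = ">= 0.0.1"
+      source  = "github.com/hashicorp/linode"
+    }
+  }
+}
+
+variable "linode_token" {
+  type    = string
+  default = "443c7fe73bb3179bc748b580f04e0b4b7e00d78c7df74eb84690cc322b9db08d"
+}
+
+variable "opensuse_version" {
+  type    = string
+  default = "15.3"
+}
+
+variable "consul_version" {
+  type    = string
+  default = "1.10.0"
+}
+
+variable "nomad_version" {
+  type    = string
+  default = "1.1.2"
+}
+
+variable "vault_version" {
+  type    = string
+  default = "1.7.3"
+}
+
+locals {
+  timestamp = regex_replace(timestamp(), "[- TZ:]", "")
+}
+
+source "linode" "cluster-image" {
+  image             = "linode/opensuse${var.opensuse_version}"
+  image_description = <<EOF
+	  openSUSE Leap ${var.opensuse_version}
+	  Consul ${var.consul_version}
+	  Nomad ${var.nomad_version}
+	  Vault ${var.vault_version}
+  EOF
+  image_label       = "cluster-image-${local.timestamp}"
+  instance_label    = "cluster-imaging-${local.timestamp}"
+  instance_type     = "g6-nanode-1"
+  linode_token      = "${var.linode_token}"
+  region            = "ca-central"
+  ssh_username      = "root"
+  swap_size         = 256
+}
+
+build {
+  sources = ["source.linode.cluster-image"]
+
+  provisioner "shell" {
+    inline = [
+      "zypper --non-interactive install wget jq firewalld moreutils",
+      "update-ca-certificates --verbose",
+    ]
+  }
+
+  provisioner "file" {
+  	destination = "/etc/consul.d/base.hcl"
+    source      = "config/consul/base.hcl"
+  }
+
+  provisioner "file" {
+    destination = "/etc/nomad.d/base.hcl"
+    source      = "config/nomad/base.hcl"
+  }
+
+  provisioner "file" {
+    destination = "/etc/vault.d/vault.hcl"
+    source      = "config/vault/base.hcl"
+  }
+
+  provisioner "file" {
+    destination = "/usr/local/bin"
+    source      = "scripts/"
+  }
+
+  provisioner "file" {
+    destination = "/etc/firewalld/services"
+    source      = "firewall/services/"
+  }
+
+  provisioner "file" {
+    destination = "/etc/firewalld/zones"
+    source      = "firewall/zones/"
+  }
+
+  provisioner "file" {
+    destination = "/etc/systemd/system"
+    source      = "services/"
+  }
+
+  provisioner "shell" {
+    script = "packer/scripts/install-hashicorp.sh"
+    environment_vars = ["APP_NAME=consul", "APP_VERSION=${var.consul_version}"]
+  }
+
+  provisioner "shell" {
+    script = "packer/scripts/install-hashicorp.sh"
+    environment_vars = ["APP_NAME=nomad", "APP_VERSION=${var.nomad_version}"]
+  }
+
+  provisioner "shell" {
+    script = "packer/scripts/install-hashicorp.sh"
+    environment_vars = ["APP_NAME=vault", "APP_VERSION=${var.vault_version}"]
+  }
+
+  provisioner "file" {
+    destination = "/etc/ssl/consul/ca.pem"
+    source      = "certs/consul-ca.pem"
+  }
+
+  provisioner "file" {
+    destination = "/etc/ssl/nomad/ca.pem"
+    source      = "certs/nomad-ca.pem"
+  }
+
+  provisioner "file" {
+    destination = "/etc/ssl/cfssl.json"
+    source      = "config/cfssl.json"
+  }
+
+  provisioner "file" {
+    destination = "/etc/ssl/vault/ca.pem"
+    source      = "certs/vault-ca.pem"
+  }
+
+  provisioner "file" {
+    destination = "/etc/profile.local"
+    source      = "config/profile.local"
+  }
+
+  provisioner "shell" {
+    inline = ["wget --quiet -O /usr/local/bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64; chmod +x /usr/local/bin/cfssl"]
+  }
+}
+
+// vim: set expandtab tabstop=2 shiftwidth=2 autoindent: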
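Review bot: The `linode_token` variable carries what looks like a real API token as its `default`, so the credential is stored in the repository and in every clone of it. Drop the literal and mark the variable sensitive, e.g. `default = env("LINODE_TOKEN")` together with `sensitive = true`, or give it no default and pass `PKR_VAR_linode_token` at build time; a token that has already been committed should be revoked and reissued. Separately, the last shell provisioner fetches `cfssl` with `wget` and makes it executable with no checksum or signature check, while the HashiCorp binaries in this commit are verified; comparing the download against a pinned SHA-256 with `sha256sum --check` before `chmod +x` would close that gap.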

A packer/scripts/install-hashicorp.sh => packer/scripts/install-hashicorp.sh +180 -0
@@ 0,0 1,180 @@

osarch="linux_amd64"

# From https://www.hashicorp.com/security
cat >/tmp/hashicorp.asc <<EOF
-----BEGIN PGP PUBLIC KEY BLOCK-----
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=7pIB
-----END PGP PUBLIC KEY BLOCK-----
EOF

gpg --import /tmp/hashicorp.asc

pushd /tmp
	base="https://releases.hashicorp.com/${APP_NAME}/${APP_VERSION}"
	archive="${APP_NAME}_${APP_VERSION}_${osarch}.zip"
	checksum="${APP_NAME}_${APP_VERSION}_SHA256SUMS"
	checksum_sig="${checksum}.sig"

	# Download the checksum first and verify that it's signed by Hashicorp.
	curl -o "${checksum}" "${base}/${checksum}"
	curl -o "${checksum_sig}" "${base}/${checksum_sig}"
	sync

	# Verify that the checksum was signed by Hashicorp.
	gpg --verify "${checksum_sig}" "${checksum}" || exit 13

	# Now download the release and verify that the checksum matches.
	# Note that the checksum comes with sums for every platform,
	# so we need to filter down to 64-bit Linux to avoid failures caused by
	# the other releases not being present.
	curl -o "${archive}" "${base}/${archive}"
	sync
	cat "${checksum}" | grep -E "_${osarch}\\.zip$" | sha256sum --check - || exit 13

	# If we've reached this point, everything is good to go.
	unzip "${archive}"
	mv ./${APP_NAME} /usr/local/bin/${APP_NAME}-${APP_VERSION}

	# Attempt to create a symlink for it.
	ln -s "/usr/local/bin/${APP_NAME}-${APP_VERSION}" "/usr/local/bin/${APP_NAME}"
popd

home_dir="/var/lib/${APP_NAME}"
certs_dir="/etc/ssl/${APP_NAME}"

# This function copies client configs into /etc/<app>.d,
# creates a user and group named after the app, creates
# a home directory for them, and then enables+starts it.
echo "[Setting up ${APP_NAME}]"
mkdir -p "${home_dir}" "${certs_dir}"
groupadd "${APP_NAME}"
useradd --home-dir "${home_dir}" --gid "${APP_NAME}" "${APP_NAME}"

chown -R "${APP_NAME}:${APP_NAME}" "${home_dir}"
chown -R "${APP_NAME}:${APP_NAME}" "${certs_dir}"

usermod -a -G "${APP_NAME}" damien

# vault and nomad need to be in the consul group so they can access the unix socket.
# Technically, nomad doesn't need it since it runs as root, but it's good for consistency.
usermod -a -G consul "${APP_NAME}"
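Review bot: The script has no shebang and no `set -euo pipefail`, so only the two `|| exit 13` checks stop the build; a failed `unzip`, `mv`, `groupadd` or `useradd` is ignored and Packer sees only the status of the final `usermod`. It also runs as root (the build connects as `root`) against fixed file names in `/tmp` and verifies against whatever keys are in the default keyring, so I would do the download and verification in a `mktemp -d` directory with a private `GNUPGHOME`, make `curl` fail on HTTP errors, and write the key with a quoted `<<'EOF'`. With `set -e` the hard-coded `usermod -a -G "${APP_NAME}" damien` becomes a build failure on images without that account, so it needs a guard or should move out of the image build. The comment above `echo "[Setting up ${APP_NAME}]"` describes a function that copies configs and enables the service, which the lines below it do not do, and should be updated to match.

```shell
#!/usr/bin/env bash
set -euo pipefail
: "${APP_NAME:?must be set}" "${APP_VERSION:?must be set}"

# Private scratch directory and keyring: nothing predictable in /tmp, and
# gpg --verify can only succeed against the key embedded in this script.
workdir="$(mktemp -d)"
trap 'rm -rf -- "${workdir}"' EXIT
export GNUPGHOME="${workdir}/gnupg"
mkdir -m 700 "${GNUPGHOME}"

# … unchanged: osarch, and the embedded HashiCorp key written to "${workdir}/hashicorp.asc" via <<'EOF' …
gpg --import "${workdir}/hashicorp.asc"

cd "${workdir}"
# … unchanged: base / archive / checksum / checksum_sig assignments …
curl -fsSL -o "${checksum}" "${base}/${checksum}"
curl -fsSL -o "${checksum_sig}" "${base}/${checksum_sig}"
gpg --verify "${checksum_sig}" "${checksum}" || exit 13
curl -fsSL -o "${archive}" "${base}/${archive}"
grep -E "_${osarch}\\.zip$" "${checksum}" | sha256sum --check - || exit 13

unzip "${archive}"
mv -- "./${APP_NAME}" "/usr/local/bin/${APP_NAME}-${APP_VERSION}"
# … unchanged: symlink, user and group setup …
```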