
7ade7c951b2b77d89b13a37e9ab38d5c274a9f33 — Damien Radtke 10 months ago 5243f3e
load-balancer nodes are almost up and running
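--- a/firewall/services/web.xml
+++ b/firewall/services/web.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+  <short>Web</short>
+  <description>Ports needed for HTTP and HTTPS</description>
+  <port port="80" protocol="tcp"/>
+  <port port="443" protocol="tcp"/>
+</service>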

M jobs/fabio.nomad.erb => jobs/fabio.nomad.erb +1 -1
@@ 11,7 11,7 @@ job "fabio" {

	group "fabio" {
		constraint {
			attribute = "${meta.role}"
			attribute = "${node.class}"
			value     = "load-balancer"
		}


M terraform/main.tf => terraform/main.tf +1 -1
@@ 76,7 76,7 @@ module "nomad-client-load-balancer" {
  clients           = 1
  consul_version    = "1.7.2"
  nomad_version     = "0.9.7"
	meta              = map("role", "load-balancer")
	node_class        = "load-balancer"
  consul_server_ips = module.consul-server.ips

  datacenter       = local.region

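--- a/terraform/nomad-client/domains.tf
+++ b/terraform/nomad-client/domains.tf
@@ -0,0 +1,35 @@
+data "linode_domain" "damienradtkecom" {
+	domain = "damienradtke.com"
+}
+
+resource "linode_domain_record" "damienradtkecom_root_a" {
+	count = var.node_class == "load-balancer" ? 1 : 0
+	domain_id = data.linode_domain.damienradtkecom.id
+	name = "@"
+	record_type = "A"
+	target = linode_instance.clients[0].ipv4
+}
+
+resource "linode_domain_record" "damienradtkecom_root_aaaa" {
+	count = var.node_class == "load-balancer" ? 1 : 0
+	domain_id = data.linode_domain.damienradtkecom.id
+	name = "@"
+	record_type = "AAAA"
+	target = linode_instance.clients[0].ipv6
+}
+
+resource "linode_domain_record" "damienradtkecom_www_a" {
+	count = var.node_class == "load-balancer" ? 1 : 0
+	domain_id = data.linode_domain.damienradtkecom.id
+	name = "www"
+	record_type = "A"
+	target = linode_instance.clients[0].ipv4
+}
+
+resource "linode_domain_record" "damienradtkecom_www_aaaa" {
+	count = var.node_class == "load-balancer" ? 1 : 0
+	domain_id = data.linode_domain.damienradtkecom.id
+	name = "www"
+	record_type = "AAAA"
+	target = linode_instance.clients[0].ipv6
+}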
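Review bot: The AAAA targets in `damienradtkecom_root_aaaa` and `damienradtkecom_www_aaaa` pass `linode_instance.clients[0].ipv6` straight through, while the remote-exec connections in terraform/nomad-client/main.tf in this same commit use `split("/", self.ipv6)[0]`, which suggests the attribute carries a prefix length (e.g. `/64`) that is not a valid AAAA record target. I'd change both to `target = split("/", linode_instance.clients[0].ipv6)[0]` so the published record matches what the SSH provisioners already connect to. Separately, every record hard-codes `clients[0]`: with `clients = 0` the plan fails on the index, and with more than one load-balancer node only the first ever receives traffic, so either a per-instance record driven by `count` or a `var.clients > 0` guard in the `count` expression would make that assumption explicit.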

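--- a/terraform/nomad-client/main.tf
+++ b/terraform/nomad-client/main.tf
@@ -1,3 +1,19 @@
+locals {
+	extra_provisions_for_class = {
+		"load-balancer" = [
+			"groupadd fabio",
+      "useradd --gid fabio fabio",
+      "mkdir -p --mode=0500 /etc/ssl/fabio",
+			"chown fabio:fabio /etc/ssl/fabio",
+      "/usr/local/bin/issue-cert.sh --user fabio --ca consul --name consul",
+      "/usr/local/bin/issue-cert.sh --user fabio --ca vault --name vault",
+			"firewall-cmd --zone=public --add-service=fabio --permanent",
+			"firewall-cmd --zone=public --add-service=web --permanent",
+			"firewall-cmd --reload",
+		]
+	}
+}
+
 resource "linode_instance" "clients" {
   count            = var.clients
   label            = "nomad-client-${random_id.clients[count.index].keepers.datacenter}-${replace(random_id.clients[count.index].b64_url, "-", "_")}"
@@ -86,6 +102,8 @@ resource "linode_instance" "clients" {
 					"/var/lib/ca-certificates/pem" = "/var/lib/ca-certificates/pem"
 				}
 
+				node_class = "${var.node_class}"
+
 				meta {
 					%{for key, value in var.meta~}
 					"${key}" = "${value}"
@@ -179,17 +197,6 @@ resource "linode_instance" "clients" {
     ]
   }
 
-	// set up fabio cert directory and user
-  provisioner "remote-exec" {
-    connection { host = split("/", self.ipv6)[0] }
-    inline = [
-			"groupadd fabio",
-      "useradd --gid fabio fabio",
-      "mkdir -p --mode=0500 /etc/ssl/fabio",
-			"chown fabio:fabio /etc/ssl/fabio",
-    ]
-  }
-
   // issue certs
   provisioner "remote-exec" {
     connection { host = split("/", self.ipv6)[0] }
@@ -200,9 +207,6 @@ resource "linode_instance" "clients" {
       "/usr/local/bin/issue-cert.sh --user nomad --ca nomad --name nomad --hostnames client.global.nomad",
       "/usr/local/bin/issue-cert.sh --user nomad --ca consul --name consul",
       "/usr/local/bin/issue-cert.sh --user nomad --ca vault --name vault",
-			// These last two enable Fabio to communicate with Consul and Vault while running.
-      "/usr/local/bin/issue-cert.sh --user fabio --ca consul --name consul",
-      "/usr/local/bin/issue-cert.sh --user fabio --ca vault --name vault",
     ]
   }
 
@@ -232,6 +236,12 @@ resource "linode_instance" "clients" {
 		]
   }
 
+	// run extra provisions based on the node class
+	provisioner "remote-exec" {
+    connection { host = split("/", self.ipv6)[0] }
+		inline = lookup(local.extra_provisions_for_class, var.node_class, [])
+	}
+
   // disable further root ssh
   provisioner "remote-exec" {
     connection { host = split("/", self.ipv6)[0] }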
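Review bot: The `useradd --gid fabio fabio` entry in `extra_provisions_for_class` creates the fabio service account as an ordinary user with a home directory and a login shell, on the one node class this commit exposes on 80/443 via the `add-service=web` entry a few lines later. Since fabio only needs to own `/etc/ssl/fabio` and the issued certs, `useradd --system --gid fabio --no-create-home --shell /sbin/nologin fabio` (path to nologin depends on the image) keeps that account out of the interactive login path. The new provisioner at the end of the section runs `lookup(local.extra_provisions_for_class, var.node_class, [])`, which yields an empty `inline` list for every class other than `load-balancer`; I'm not certain remote-exec accepts an empty list, so that is worth confirming on a plain client before relying on it. The enclosing `linode_instance.clients` resource continues past this hunk.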

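--- a/terraform/nomad-client/variables.tf
+++ b/terraform/nomad-client/variables.tf
@@ -17,3 +17,8 @@ variable meta {
 	type = map(string)
 	default = {}
 }
+
+variable node_class {
+	type = string
+	default = ""
+}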
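Review bot: `variable node_class` is added without a `description`, yet in this same commit its value silently selects both the extra provisioning in main.tf and the DNS records in domains.tf, where only the literal `"load-balancer"` has any effect and the empty default does nothing extra. A short description would make that contract visible to callers, e.g. `description = "Nomad node class for these clients; \"load-balancer\" additionally provisions fabio, opens 80/443 and publishes the damienradtke.com records."`. If the module is on Terraform 0.13 or later, a `validation` block restricting it to the known classes would also catch a typo at plan time instead of quietly producing a client with no firewall rules or DNS.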