~damien/infrastructure

infrastructure/stackscripts/cluster-member.sh -rw-r--r-- 6.9 KiB
b481ba41 — Damien Radtke Suppress cluster env output if non-interactive 6 days ago
                                                                                
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
#!/usr/bin/env bash
# <UDF name="hostname" label="Server hostname" />
# <UDF name="consul_version" label="Consul version" default="" />
# <UDF name="nomad_version" label="Nomad version" default="" />
# <UDF name="vault_version" label="Vault version" default="" />

# TODO: separate out application concerns from server/client concerns.
# The Nomad servers need to be deployed with Consul clients.
# See: https://www.nomadproject.io/guides/install/production/reference-architecture.html

set -o errexit
set -o nounset
set -o pipefail
set -o xtrace

# Redirect all output in this script to logger.
exec 1> >(logger --stderr --tag stackscript) 2>&1

# {{{ set_hostname
function set_hostname () {
  echo "[Setting Hostname]"
  hostnamectl set-hostname "${HOSTNAME}"
}
# }}}

# {{{ install_base_packages
function install_base_packages () {
  echo "[Installing Base Packages]"
  zypper --non-interactive install \
    sudo jq firewalld
}
# }}}

# {{{ create_user
function create_user () {
  useradd damien
  mkdir /home/damien
  touch /home/damien/.bashrc  # needed in order to install autocompletion
  mkdir /home/damien/.ssh
  cp /root/.ssh/authorized_keys /home/damien/.ssh/
  chown -R damien:users /home/damien
  sed -i 's/#PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
  service sshd reload
  echo 'damien ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/damien
}
# }}}

# {{{ install_cfssl
function install_cfssl () {
  echo "[Installing CFSSL]"
  curl -o /usr/local/bin/cfssl "https://pkg.cfssl.org/R1.2/cfssl_linux-amd64"
  chmod +x /usr/local/bin/cfssl

  curl -o /usr/local/bin/cfssljson "https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64"
  chmod +x /usr/local/bin/cfssljson
}
# }}}

# {{{ install_hashicorp
function install_hashicorp () {
  local name="$1"
  local version="$2"
  local osarch="linux_amd64"

  cat >/tmp/hashicorp.asc <<EOF
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBFMORM0BCADBRyKO1MhCirazOSVwcfTr1xUxjPvfxD3hjUwHtjsOy/bT6p9f
W2mRPfwnq2JB5As+paL3UGDsSRDnK9KAxQb0NNF4+eVhr/EJ18s3wwXXDMjpIifq
fIm2WyH3G+aRLTLPIpscUNKDyxFOUbsmgXAmJ46Re1fn8uKxKRHbfa39aeuEYWFA
3drdL1WoUngvED7f+RnKBK2G6ZEpO+LDovQk19xGjiMTtPJrjMjZJ3QXqPvx5wca
KSZLr4lMTuoTI/ZXyZy5bD4tShiZz6KcyX27cD70q2iRcEZ0poLKHyEIDAi3TM5k
SwbbWBFd5RNPOR0qzrb/0p9ksKK48IIfH2FvABEBAAG0K0hhc2hpQ29ycCBTZWN1
cml0eSA8c2VjdXJpdHlAaGFzaGljb3JwLmNvbT6JAU4EEwEKADgWIQSRpuf4XQXG
VjC+8YlRhS2HNI/8TAUCXn0BIQIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAK
CRBRhS2HNI/8TJITCACT2Zu2l8Jo/YLQMs+iYsC3gn5qJE/qf60VWpOnP0LG24rj
k3j4ET5P2ow/o9lQNCM/fJrEB2CwhnlvbrLbNBbt2e35QVWvvxwFZwVcoBQXTXdT
+G2cKS2Snc0bhNF7jcPX1zau8gxLurxQBaRdoL38XQ41aKfdOjEico4ZxQYSrOoC
RbF6FODXj+ZL8CzJFa2Sd0rHAROHoF7WhKOvTrg1u8JvHrSgvLYGBHQZUV23cmXH
yvzITl5jFzORf9TUdSv8tnuAnNsOV4vOA6lj61Z3/0Vgor+ZByfiznonPHQtKYtY
kac1M/Dq2xZYiSf0tDFywgUDIF/IyS348wKmnDGjuQENBFMORM0BCADWj1GNOP4O
wJmJDjI2gmeok6fYQeUbI/+Hnv5Z/cAK80Tvft3noy1oedxaDdazvrLu7YlyQOWA
M1curbqJa6ozPAwc7T8XSwWxIuFfo9rStHQE3QUARxIdziQKTtlAbXI2mQU99c6x
vSueQ/gq3ICFRBwCmPAm+JCwZG+cDLJJ/g6wEilNATSFdakbMX4lHUB2X0qradNO
J66pdZWxTCxRLomPBWa5JEPanbosaJk0+n9+P6ImPiWpt8wiu0Qzfzo7loXiDxo/
0G8fSbjYsIF+skY+zhNbY1MenfIPctB9X5iyW291mWW7rhhZyuqqxN2xnmPPgFmi
QGd+8KVodadHABEBAAGJATwEGAECACYCGwwWIQSRpuf4XQXGVjC+8YlRhS2HNI/8
TAUCXn0BRAUJEvOKdwAKCRBRhS2HNI/8TEzUB/9pEHVwtTxL8+VRq559Q0tPOIOb
h3b+GroZRQGq/tcQDVbYOO6cyRMR9IohVJk0b9wnnUHoZpoA4H79UUfIB4sZngma
enL/9magP1uAHxPxEa5i/yYqR0MYfz4+PGdvqyj91NrkZm3WIpwzqW/KZp8YnD77
VzGVodT8xqAoHW+bHiza9Jmm9Rkf5/0i0JY7GXoJgk4QBG/Fcp0OR5NUWxN3PEM0
dpeiU4GI5wOz5RAIOvSv7u1h0ZxMnJG4B4MKniIAr4yD7WYYZh/VxEPeiS/E1CVx
qHV5VVCoEIoYVHIuFIyFu1lIcei53VD6V690rmn0bp4A5hs+kErhThvkok3c
=+mCN
-----END PGP PUBLIC KEY BLOCK-----
EOF
  
  gpg --import /tmp/hashicorp.asc
  
  pushd /tmp
    local base="https://releases.hashicorp.com/${name}/${version}"
    local archive="${name}_${version}_${osarch}.zip"
    local checksum="${name}_${version}_SHA256SUMS"
    local checksum_sig="${checksum}.sig"
  
    # Download the checksum first and verify that it's signed by Hashicorp.
    curl -o "${checksum}" "${base}/${checksum}"
    curl -o "${checksum_sig}" "${base}/${checksum_sig}"
    sync
  
    # Verify that the checksum was signed by Hashicorp.
    gpg --verify "${checksum_sig}" "${checksum}" || exit 13
  
    # Now download the release and verify that the checksum matches.
    # Note that the checksum comes with sums for every platform,
    # so we need to filter down to 64-bit Linux to avoid failures caused by
    # the other releases not being present.
    curl -o "${archive}" "${base}/${archive}"
    sync
    cat "${checksum}" | grep -E "_${osarch}\\.zip$" | sha256sum --check - || exit 13
  
    # If we've reached this point, everything is good to go.
    unzip "${archive}"
    mv ./${name} /usr/local/bin/${name}-${version}
  
    # Attempt to create a symlink for it.
    ln -s "/usr/local/bin/${name}-${version}" "/usr/local/bin/${name}"
  popd

  local home_dir="/var/lib/${name}"
  local certs_dir="/etc/ssl/${name}"

  # This function copies client configs into /etc/<app>.d,
  # creates a user and group named after the app, creates
  # a home directory for them, and then enables+starts it.
  echo "[Setting up ${name}]"
  mkdir -p "${home_dir}" "${certs_dir}"
  groupadd "${name}"
  useradd --home-dir "${home_dir}" --gid "${name}" "${name}"

  chown -R "${name}:${name}" "${home_dir}"
  chown -R "${name}:${name}" "${certs_dir}"

  usermod -a -G "${name}" damien

  # vault and nomad need to be in the consul group so they can access the unix socket.
  # Technically, nomad doesn't need it since it runs as root, but it's good for consistency.
  usermod -a -G consul "${name}"
}
# }}}

# {{{ setup_dns
function setup_dns () {
  # Install named server and configure DNS.
  # This should be done last in order to ensure it doesn't interfere with previous operations.
  zypper --non-interactive install -t pattern dhcp_dns_server  # DNS server for forwarding to Consul

  # Configure the Consul zone for DNS.
  cat > /etc/named.d/consul.conf <<EOF
zone "consul" IN {
  type forward;
  forward only;
  forwarders { 127.0.0.1 port 8600; };
};
EOF
  yast2 sysconfig set NAMED_CONF_INCLUDE_FILES="consul.conf"
  systemctl enable named
  service named start

  yast2 sysconfig set NETCONFIG_DNS_STATIC_SERVERS=127.0.0.1
  cp /etc/resolv.conf /etc/resolv.conf.bak
  netconfig update -f  # -f required if Linode's Network Helper ran?
}
# }}}

set_hostname
update-ca-certificates --verbose  # sometimes the CA certs folder is empty, this seems to fix it
install_base_packages
create_user
systemctl enable firewalld; service firewalld start
install_cfssl
setup_dns

if [[ "${CONSUL_VERSION:-}" != "" ]]; then install_hashicorp consul "${CONSUL_VERSION}"; fi
if [[ "${NOMAD_VERSION:-}" != "" ]]; then install_hashicorp nomad "${NOMAD_VERSION}"; fi
if [[ "${VAULT_VERSION:-}" != "" ]]; then install_hashicorp vault "${VAULT_VERSION}"; fi

# Ensure certs dirs exist so that CAs can be provisioned.
mkdir -p /etc/ssl/{consul,nomad,vault}

echo "Stackscript complete"
touch /root/StackScript.complete

# vim: set expandtab shiftwidth=2 tabstop=2 foldmethod=marker: