#!/usr/bin/env bash
# <UDF name="hostname" label="Server hostname" />
# <UDF name="consul_version" label="Consul version" default="" />
# <UDF name="nomad_version" label="Nomad version" default="" />
# <UDF name="vault_version" label="Vault version" default="" />
# TODO: separate out application concerns from server/client concerns.
# The Nomad servers need to be deployed with Consul clients.
# See: https://www.nomadproject.io/guides/install/production/reference-architecture.html
set -o errexit
set -o nounset
set -o pipefail
set -o xtrace
# Redirect all output in this script to logger.
exec 1> >(logger --stderr --tag stackscript) 2>&1
# {{{ set_hostname
function set_hostname () {
echo "[Setting Hostname]"
hostnamectl set-hostname "${HOSTNAME}"
}
# }}}
# {{{ install_base_packages
function install_base_packages () {
echo "[Installing Base Packages]"
zypper --non-interactive install \
sudo jq firewalld
}
# }}}
# {{{ create_user
function create_user () {
useradd damien
mkdir /home/damien
touch /home/damien/.bashrc # needed in order to install autocompletion
mkdir /home/damien/.ssh
cp /root/.ssh/authorized_keys /home/damien/.ssh/
chown -R damien:users /home/damien
sed -i 's/#PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
service sshd reload
echo 'damien ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/damien
}
# }}}
# {{{ install_cfssl
function install_cfssl () {
echo "[Installing CFSSL]"
curl -o /usr/local/bin/cfssl "https://pkg.cfssl.org/R1.2/cfssl_linux-amd64"
chmod +x /usr/local/bin/cfssl
curl -o /usr/local/bin/cfssljson "https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64"
chmod +x /usr/local/bin/cfssljson
}
# }}}
# {{{ install_hashicorp
function install_hashicorp () {
local name="$1"
local version="$2"
local osarch="linux_amd64"
cat >/tmp/hashicorp.asc <<EOF
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQENBFMORM0BCADBRyKO1MhCirazOSVwcfTr1xUxjPvfxD3hjUwHtjsOy/bT6p9f
W2mRPfwnq2JB5As+paL3UGDsSRDnK9KAxQb0NNF4+eVhr/EJ18s3wwXXDMjpIifq
fIm2WyH3G+aRLTLPIpscUNKDyxFOUbsmgXAmJ46Re1fn8uKxKRHbfa39aeuEYWFA
3drdL1WoUngvED7f+RnKBK2G6ZEpO+LDovQk19xGjiMTtPJrjMjZJ3QXqPvx5wca
KSZLr4lMTuoTI/ZXyZy5bD4tShiZz6KcyX27cD70q2iRcEZ0poLKHyEIDAi3TM5k
SwbbWBFd5RNPOR0qzrb/0p9ksKK48IIfH2FvABEBAAG0K0hhc2hpQ29ycCBTZWN1
cml0eSA8c2VjdXJpdHlAaGFzaGljb3JwLmNvbT6JAU4EEwEKADgWIQSRpuf4XQXG
VjC+8YlRhS2HNI/8TAUCXn0BIQIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAK
CRBRhS2HNI/8TJITCACT2Zu2l8Jo/YLQMs+iYsC3gn5qJE/qf60VWpOnP0LG24rj
k3j4ET5P2ow/o9lQNCM/fJrEB2CwhnlvbrLbNBbt2e35QVWvvxwFZwVcoBQXTXdT
+G2cKS2Snc0bhNF7jcPX1zau8gxLurxQBaRdoL38XQ41aKfdOjEico4ZxQYSrOoC
RbF6FODXj+ZL8CzJFa2Sd0rHAROHoF7WhKOvTrg1u8JvHrSgvLYGBHQZUV23cmXH
yvzITl5jFzORf9TUdSv8tnuAnNsOV4vOA6lj61Z3/0Vgor+ZByfiznonPHQtKYtY
kac1M/Dq2xZYiSf0tDFywgUDIF/IyS348wKmnDGjuQENBFMORM0BCADWj1GNOP4O
wJmJDjI2gmeok6fYQeUbI/+Hnv5Z/cAK80Tvft3noy1oedxaDdazvrLu7YlyQOWA
M1curbqJa6ozPAwc7T8XSwWxIuFfo9rStHQE3QUARxIdziQKTtlAbXI2mQU99c6x
vSueQ/gq3ICFRBwCmPAm+JCwZG+cDLJJ/g6wEilNATSFdakbMX4lHUB2X0qradNO
J66pdZWxTCxRLomPBWa5JEPanbosaJk0+n9+P6ImPiWpt8wiu0Qzfzo7loXiDxo/
0G8fSbjYsIF+skY+zhNbY1MenfIPctB9X5iyW291mWW7rhhZyuqqxN2xnmPPgFmi
QGd+8KVodadHABEBAAGJATwEGAECACYCGwwWIQSRpuf4XQXGVjC+8YlRhS2HNI/8
TAUCXn0BRAUJEvOKdwAKCRBRhS2HNI/8TEzUB/9pEHVwtTxL8+VRq559Q0tPOIOb
h3b+GroZRQGq/tcQDVbYOO6cyRMR9IohVJk0b9wnnUHoZpoA4H79UUfIB4sZngma
enL/9magP1uAHxPxEa5i/yYqR0MYfz4+PGdvqyj91NrkZm3WIpwzqW/KZp8YnD77
VzGVodT8xqAoHW+bHiza9Jmm9Rkf5/0i0JY7GXoJgk4QBG/Fcp0OR5NUWxN3PEM0
dpeiU4GI5wOz5RAIOvSv7u1h0ZxMnJG4B4MKniIAr4yD7WYYZh/VxEPeiS/E1CVx
qHV5VVCoEIoYVHIuFIyFu1lIcei53VD6V690rmn0bp4A5hs+kErhThvkok3c
=+mCN
-----END PGP PUBLIC KEY BLOCK-----
EOF
gpg --import /tmp/hashicorp.asc
pushd /tmp
local base="https://releases.hashicorp.com/${name}/${version}"
local archive="${name}_${version}_${osarch}.zip"
local checksum="${name}_${version}_SHA256SUMS"
local checksum_sig="${checksum}.sig"
# Download the checksum first and verify that it's signed by Hashicorp.
curl -o "${checksum}" "${base}/${checksum}"
curl -o "${checksum_sig}" "${base}/${checksum_sig}"
sync
# Verify that the checksum was signed by Hashicorp.
gpg --verify "${checksum_sig}" "${checksum}" || exit 13
# Now download the release and verify that the checksum matches.
# Note that the checksum comes with sums for every platform,
# so we need to filter down to 64-bit Linux to avoid failures caused by
# the other releases not being present.
curl -o "${archive}" "${base}/${archive}"
sync
cat "${checksum}" | grep -E "_${osarch}\\.zip$" | sha256sum --check - || exit 13
# If we've reached this point, everything is good to go.
unzip "${archive}"
mv ./${name} /usr/local/bin/${name}-${version}
# Attempt to create a symlink for it.
ln -s "/usr/local/bin/${name}-${version}" "/usr/local/bin/${name}"
popd
local home_dir="/var/lib/${name}"
local certs_dir="/etc/ssl/${name}"
# This function copies client configs into /etc/<app>.d,
# creates a user and group named after the app, creates
# a home directory for them, and then enables+starts it.
echo "[Setting up ${name}]"
mkdir -p "${home_dir}" "${certs_dir}"
groupadd "${name}"
useradd --home-dir "${home_dir}" --gid "${name}" "${name}"
chown -R "${name}:${name}" "${home_dir}"
chown -R "${name}:${name}" "${certs_dir}"
usermod -a -G "${name}" damien
# vault and nomad need to be in the consul group so they can access the unix socket.
# Technically, nomad doesn't need it since it runs as root, but it's good for consistency.
usermod -a -G consul "${name}"
}
# }}}
# {{{ setup_dns
function setup_dns () {
# Install named server and configure DNS.
# This should be done last in order to ensure it doesn't interfere with previous operations.
zypper --non-interactive install -t pattern dhcp_dns_server # DNS server for forwarding to Consul
# Configure the Consul zone for DNS.
cat > /etc/named.d/consul.conf <<EOF
zone "consul" IN {
type forward;
forward only;
forwarders { 127.0.0.1 port 8600; };
};
EOF
yast2 sysconfig set NAMED_CONF_INCLUDE_FILES="consul.conf"
systemctl enable named
service named start
yast2 sysconfig set NETCONFIG_DNS_STATIC_SERVERS=127.0.0.1
cp /etc/resolv.conf /etc/resolv.conf.bak
netconfig update -f # -f required if Linode's Network Helper ran?
}
# }}}
set_hostname
update-ca-certificates --verbose # sometimes the CA certs folder is empty, this seems to fix it
install_base_packages
create_user
systemctl enable firewalld; service firewalld start
install_cfssl
setup_dns
if [[ "${CONSUL_VERSION:-}" != "" ]]; then install_hashicorp consul "${CONSUL_VERSION}"; fi
if [[ "${NOMAD_VERSION:-}" != "" ]]; then install_hashicorp nomad "${NOMAD_VERSION}"; fi
if [[ "${VAULT_VERSION:-}" != "" ]]; then install_hashicorp vault "${VAULT_VERSION}"; fi
# Ensure certs dirs exist so that CAs can be provisioned.
mkdir -p /etc/ssl/{consul,nomad,vault}
echo "Stackscript complete"
touch /root/StackScript.complete
# vim: set expandtab shiftwidth=2 tabstop=2 foldmethod=marker: