From 2c3c039923edaf91ef07cc7a51aa27aa1c6f6dbc Mon Sep 17 00:00:00 2001
From: Greg Fodor
Date: Sat, 22 Dec 2018 00:20:23 +0000
Subject: [PATCH] Update janus config scripts to generate user TOML

---
ansible/config_deploy.sh | 2 +-
ansible/config_generate.sh | 17 +++
ansible/janus-config.yml | 2 +
.../janus/files/{reticulum.io.pem => wss.key} | 0
.../janus/files/{reticulum.io.crt => wss.pem} | 0
ansible/roles/janus/tasks/main.yml | 72 +++++++++----------
.../roles/janus/templates/dd-agent.toml.j2 | 2 +-
ansible/roles/janus/vars/local.yml | 5 ++
ansible/roles/janus/vars/main.yml | 18 +++--
ansible/roles/janus/vars/remote.yml | 9 +++
10 files changed, 78 insertions(+), 49 deletions(-)
create mode 100755 ansible/config_generate.sh
rename ansible/roles/janus/files/{reticulum.io.pem => wss.key} (100%)
rename ansible/roles/janus/files/{reticulum.io.crt => wss.pem} (100%)
create mode 100644 ansible/roles/janus/vars/local.yml
create mode 100644 ansible/roles/janus/vars/remote.yml

diff --git a/ansible/config_deploy.sh b/ansible/config_deploy.sh
index 6676087..81e241d 100755
--- a/ansible/config_deploy.sh
+++ b/ansible/config_deploy.sh
@@ -23,4 +23,4 @@ EC2_INFO=$(aws ec2 --region $REGION describe-instances) BASTION_IP=$(echo $EC2_INFO | jq -r ".Reservations | map(.Instances) | flatten | map(select(any(.State ; .Name == \"running\"))) | map(select(any(.Tags // [] | from_entries ; .[\"host-type\"] == \"${ENVIRONMENT}-bastion\"))) | .[] | .PublicIpAddress" | shuf | head -n1) TARGET_IP=$(echo $EC2_INFO | jq -r ".Reservations | map(.Instances) | flatten | map(select(any(.State ; .Name == \"running\"))) | map(select(any(.Tags // [] | from_entries ; .[\"host-type\"] == \"${ENVIRONMENT}-hab\"))) | .[] | .PrivateIpAddress" | shuf | head -n1) -ansible-playbook --ask-vault-pass -i "${TARGET_IP}," --ssh-common-args="-i ~/.ssh/mozilla_mr_id_rsa -o ProxyCommand=\"ssh -W %h:%p -o StrictHostKeyChecking=no -i ~/.ssh/mozilla_mr_id_rsa ubuntu@${BASTION_IP}\"" --extra-vars "env=${ENVIRONMENT}" -u ubuntu "${HOST_TYPE}-config.yml" +ansible-playbook --ask-vault-pass -i "${TARGET_IP}," --ssh-common-args="-i ~/.ssh/mozilla_mr_id_rsa -o ProxyCommand=\"ssh -W %h:%p -o StrictHostKeyChecking=no -i ~/.ssh/mozilla_mr_id_rsa ubuntu@${BASTION_IP}\"" --extra-vars "env=${ENVIRONMENT} connection=ssh" -u ubuntu "${HOST_TYPE}-config.yml" diff --git a/ansible/config_generate.sh b/ansible/config_generate.sh new file mode 100755 index 0000000..3bd4234 --- /dev/null +++ b/ansible/config_generate.sh @@ -0,0 +1,17 @@ +#!/usr/bin/env bash + +if [[ -z "$1" ]]; then + echo -e " +Usage: config_generate.sh + +Generates config for this host type into /hab/user +" + exit 1 +fi + +# TODO this should get a lot smarter -- if you are on a branch, disallow. If you have working changes, warn the user and require a flag. +git pull origin master + +HOST_TYPE=$1 + +ansible-playbook -i "127.0.0.1," --extra-vars "env=local connection=local" "${HOST_TYPE}-config.yml" diff --git a/ansible/janus-config.yml b/ansible/janus-config.yml index 2616a11..2a13b05 100644 --- a/ansible/janus-config.yml +++ b/ansible/janus-config.yml 
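Review bot: The rewritten `ansible-playbook` line still disables host-key verification on the bastion hop (`-o StrictHostKeyChecking=no` inside the ProxyCommand), carried over unchanged while the playbook it drives now uploads the janus role's DTLS/WSS private key files through that hop. With no pinned host key, whichever host answers at the `shuf | head -n1`-selected bastion address is trusted unconditionally, so a spoofed or re-provisioned bastion would receive the session and, transitively, the key material. Replace it with `-o StrictHostKeyChecking=accept-new -o UserKnownHostsFile=~/.ssh/known_hosts_mr` or pre-seed known_hosts for the bastion from a trusted source. The `connection=ssh` extra-var is the only functional change on this line.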
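Review bot: `git pull origin master` runs unconditionally and the script has no `set -e`, so a failed or conflicting pull (no network, dirty tree, diverged branch) is ignored and the playbook still runs against whatever happens to be checked out; the TODO covers the branch and dirty-tree cases but not the failure case. Add `set -euo pipefail` after the shebang and make the pull fast-forward-only, `git pull --ff-only origin master`, so a diverged checkout stops the run instead of silently merging. The pull also applies unverified remote content as the invoking user before it is executed by ansible; if the repository signs commits, a `git verify-commit HEAD` after the pull would close that gap, otherwise a comment stating that `origin/master` is trusted as-is would make the assumption explicit.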
@@ -3,5 +3,7 @@ - hosts: all gather_facts: false become: true + become_user: "{{ 'hab' if connection == 'local' else 'root' }}" + connection: "{{ connection }}" roles: - role: janus diff --git a/ansible/roles/janus/files/reticulum.io.pem b/ansible/roles/janus/files/wss.key similarity index 100% rename from ansible/roles/janus/files/reticulum.io.pem rename to ansible/roles/janus/files/wss.key diff --git a/ansible/roles/janus/files/reticulum.io.crt b/ansible/roles/janus/files/wss.pem similarity index 100% rename from ansible/roles/janus/files/reticulum.io.crt rename to ansible/roles/janus/files/wss.pem diff --git a/ansible/roles/janus/tasks/main.yml b/ansible/roles/janus/tasks/main.yml index 95294c4..e55a152 100644 --- a/ansible/roles/janus/tasks/main.yml +++ b/ansible/roles/janus/tasks/main.yml @@ -1,12 +1,18 @@ --- - block: + - name: Include remote specific vars + include_vars: + file: "roles/janus/vars/remote.yml" + when: env != 'local' + - name: Include environment specific vars include_vars: file: "roles/janus/vars/{{ env }}.yml" - name: Install moz hab-butterfly (needed until https://github.com/habitat-sh/habitat/issues/4066 is closed) shell: "hab pkg install mozillareality/hab-butterfly" + when: env != 'local' - name: Create work directory tempfile: 
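Review bot: Both new keywords require the `connection` extra-var to be set, so invoking the playbook any other way than through the two wrapper scripts now fails with an undefined-variable error instead of falling back to the previous SSH/root behaviour. Give it a default so the play stays directly invocable: `become_user: "{{ 'hab' if (connection | default('ssh')) == 'local' else 'root' }}"` and `connection: "{{ connection | default('ssh') }}"`. `connection` is also an Ansible play keyword, and recent Ansible versions warn when a variable shadows a reserved name; a name such as `deploy_connection` would avoid that, though I have not confirmed the warning fires for this particular keyword.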
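Review bot: The task now guarded by `when: env != 'local'` installs `mozillareality/hab-butterfly` with no version, while the deploy tasks in the next hunk of this role execute a fixed release at `/hab/pkgs/mozillareality/hab-butterfly/0.39.1/20171118004554/bin/hab-butterfly`. An unpinned install pulls whatever the depot currently serves, which is a supply-chain exposure and also does not guarantee that pinned path exists on a freshly built host. Pin it to the release the role already depends on: `shell: "hab pkg install mozillareality/hab-butterfly/0.39.1/20171118004554"`. The ordering of the two `include_vars` tasks (remote.yml first, then `{{ env }}.yml`) looks intentional so per-environment values win; a comment such as `# {{ env }}.yml is loaded second so environment values override remote.yml` would save the next reader working that out.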
@@ -14,56 +20,42 @@ suffix: deploy register: work_dir - - name: Write Janus config file + - name: "Write config" template: - src: janus-gateway.toml.j2 - dest: "{{ work_dir.path }}/janus-gateway.toml" + src: "{{ item }}.toml.j2" + dest: "{{ work_dir.path }}/{{ item }}.toml" + loop: "{{ services }}" - - name: Write DD agent config file - template: - src: dd-agent.toml.j2 - dest: "{{ work_dir.path }}/dd-agent.toml" - - - name: Write DTLS key + - name: "Write local file" copy: - src: dtls.key - dest: "{{ work_dir.path }}/dtls.key" + src: "{{ item }}" + dest: "{{ work_dir.path }}/{{ item }}" + when: env != 'local' + loop: "{{ keyfiles }}" - - name: Write DTLS cert - copy: - src: dtls.pem - dest: "{{ work_dir.path }}/dtls.pem" + - name: "Deploy remote configs" + shell: "cat {{ work_dir.path }}/{{ item }}.toml | /hab/pkgs/mozillareality/hab-butterfly/0.39.1/20171118004554/bin/hab-butterfly config apply --peer $(curl -s http://169.254.169.254/latest/meta-data/local-ipv4) --org mozillareality --ring mr {{ item }}.default $(date +%s)" + when: env != 'local' + loop: "{{ services }}" - - name: Write WSS key - copy: - src: reticulum.io.pem - dest: "{{ work_dir.path }}/wss.key" + - name: "Make local target dir" + shell: "mkdir -p /hab/user/{{ item }}/config" + when: env == 'local' + loop: "{{ services }}" - - name: Write WSS cert - copy: - src: reticulum.io.crt - dest: "{{ work_dir.path }}/wss.pem" + - name: "Deploy local config" + shell: "cp {{ work_dir.path }}/{{ item }}.toml /hab/user/{{ item }}/config/user.toml" + when: env == 'local' + loop: "{{ services }}" - - name: Deploy Janus configs - shell: "cat {{ work_dir.path }}/janus-gateway.toml | /hab/pkgs/mozillareality/hab-butterfly/0.39.1/20171118004554/bin/hab-butterfly config apply --peer $(curl -s http://169.254.169.254/latest/meta-data/local-ipv4) --org mozillareality --ring mr janus-gateway.default $(date +%s)" - - - name: Deploy Datadog Agent configs - shell: "cat {{ work_dir.path }}/dd-agent.toml | 
/hab/pkgs/mozillareality/hab-butterfly/0.39.1/20171118004554/bin/hab-butterfly config apply --peer $(curl -s http://169.254.169.254/latest/meta-data/local-ipv4) --org mozillareality --ring mr dd-agent.default $(date +%s)" - - - name: Deploy DTLS key - shell: "/hab/pkgs/mozillareality/hab-butterfly/0.39.1/20171118004554/bin/hab-butterfly file upload --peer $(curl -s http://169.254.169.254/latest/meta-data/local-ipv4) --org mozillareality --ring mr janus-gateway.default $(date +%s) {{ work_dir.path }}/dtls.key" - - - name: Deploy DTLS pem - shell: "/hab/pkgs/mozillareality/hab-butterfly/0.39.1/20171118004554/bin/hab-butterfly file upload --peer $(curl -s http://169.254.169.254/latest/meta-data/local-ipv4) --org mozillareality --ring mr janus-gateway.default $(date +%s) {{ work_dir.path }}/dtls.pem" - - - name: Deploy WSS key - shell: "/hab/pkgs/mozillareality/hab-butterfly/0.39.1/20171118004554/bin/hab-butterfly file upload --peer $(curl -s http://169.254.169.254/latest/meta-data/local-ipv4) --org mozillareality --ring mr janus-gateway.default $(date +%s) {{ work_dir.path }}/wss.key" - - - name: Deploy WSS pem - shell: "/hab/pkgs/mozillareality/hab-butterfly/0.39.1/20171118004554/bin/hab-butterfly file upload --peer $(curl -s http://169.254.169.254/latest/meta-data/local-ipv4) --org mozillareality --ring mr janus-gateway.default $(date +%s) {{ work_dir.path }}/wss.pem" + - name: "Deploy remote file" + shell: "/hab/pkgs/mozillareality/hab-butterfly/0.39.1/20171118004554/bin/hab-butterfly file upload --peer $(curl -s http://169.254.169.254/latest/meta-data/local-ipv4) --org mozillareality --ring mr janus-gateway.default $(date +%s) {{ work_dir.path }}/{{ item }}" + when: env != 'local' + loop: "{{ keyfiles }}" always: - name: Remove work directory file: path: "{{ work_dir.path }}" state: absent + when: env != 'local' diff --git a/ansible/roles/janus/templates/dd-agent.toml.j2 b/ansible/roles/janus/templates/dd-agent.toml.j2 index bab0f63..72318c0 100644 
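Review bot: The `always:` cleanup now carries `when: env != 'local'`, so on a local run the temp directory holding the rendered `janus-gateway.toml` and `dd-agent.toml` (which contain `janus_admin_secret` and `dd_api_key`) is never removed. Nothing in the hunk needs that directory after the `cp` into `/hab/user/<svc>/config/user.toml`, so drop the `when` and let the cleanup run in both modes; if it was added because the `hab` become-user cannot delete it, that deserves a comment rather than a silent skip. The same rendered files land in `/hab/user/...` with `cp`'s default mode, so prefer the `copy` module with `remote_src: true` and `mode: "0600"` over `shell: cp`, and add `mode: "0600"` to the `Write local file` copy of the private keys as well. `mkdir -p` via `shell` would likewise be `file: state: directory`, which is idempotent and reports changed status correctly.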
--- a/ansible/roles/janus/templates/dd-agent.toml.j2 +++ b/ansible/roles/janus/templates/dd-agent.toml.j2 @@ -2,4 +2,4 @@ api_key = "{{ dd_api_key }}" [aws] -collect_ec2_tags = "yes" +collect_ec2_tags = "{{ collect_ec2_tags }}" diff --git a/ansible/roles/janus/vars/local.yml b/ansible/roles/janus/vars/local.yml new file mode 100644 index 0000000..b56f10f --- /dev/null +++ b/ansible/roles/janus/vars/local.yml @@ -0,0 +1,5 @@ +--- + +janus_admin_secret: secret +dd_api_key: datadog_api_key +collect_ec2_tags: "no" diff --git a/ansible/roles/janus/vars/main.yml b/ansible/roles/janus/vars/main.yml index f89f12c..6f604bd 100644 --- a/ansible/roles/janus/vars/main.yml +++ b/ansible/roles/janus/vars/main.yml @@ -1,7 +1,11 @@ -$ANSIBLE_VAULT;1.1;AES256 -30616330313032396463653131643162303633353938373163393531336439613137646436373536 -6263353435313932393639626337323936373139313538320a366631386366326337376437613234 -31313931376162353134643461383031326261653061303862363639656132626635353938663534 -6434303732643363350a653338393031646133366561666536373064313036663934623566653662 -31333430623430623766323164356631323866313032306539373964393834386339393261303763 -3135363764646234303834393930386232303262643232356537 +--- + +services: + - janus-gateway + - dd-agent + +keyfiles: + - dtls.key + - dtls.pem + - wss.pem # reticulum.io.pem + - wss.key # reticulum.io.crt diff --git a/ansible/roles/janus/vars/remote.yml b/ansible/roles/janus/vars/remote.yml new file mode 100644 index 0000000..1c384d4 --- /dev/null +++ b/ansible/roles/janus/vars/remote.yml 
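Review bot: `collect_ec2_tags = "{{ collect_ec2_tags }}"` renders whatever value the vars file parsed to; `local.yml` quotes `"no"`, but `remote.yml` is vault-encrypted so I cannot confirm it quotes its value, and an unquoted `yes` there is the YAML boolean `True` and renders as `"True"` rather than the `"yes"` the old line hard-coded. Normalise in the template so either form works: `collect_ec2_tags = "{{ 'yes' if collect_ec2_tags | bool else 'no' }}"`. A short comment on that line noting the expected values (`# yes/no, set per environment in vars/<env>.yml`) would also help.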
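Review bot: `janus_admin_secret: secret` ships a guessable admin secret in a checked-in vars file, and it will be written to `/hab/user/janus-gateway/config/user.toml` on any box configured with `env=local`. If the local Janus admin API listens beyond loopback (I cannot see `janus-gateway.toml.j2` here to confirm), anyone on that network gets admin access with it. At minimum mark the file as development-only, `# Development-only placeholders; never deploy these values to a reachable host`, and consider generating a per-run secret instead of a fixed string, e.g. `janus_admin_secret: "{{ lookup('password', '/dev/null length=32 chars=ascii_letters,digits') }}"`.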
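Review bot: The inline comments on `keyfiles` have the source names swapped: the renames in this commit and the removed tasks (`src: reticulum.io.pem` → `dest: wss.key`, `src: reticulum.io.crt` → `dest: wss.pem`) map the `.pem` to the private key and the `.crt` to the certificate, but the new lines read `wss.pem # reticulum.io.pem` and `wss.key # reticulum.io.crt`. Anyone rotating these files from the comments would upload the certificate as the private key and vice versa. Change them to `- wss.pem # certificate, was reticulum.io.crt` and `- wss.key # private key, was reticulum.io.pem`. Since this file is now plaintext instead of vaulted, a header comment stating that it must hold only service and file names and never secrets would keep it that way.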
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+35666466663239636231326263646239323430306337643939633563343731303838336336333038
+3039636137356364383063353930303432316134616437610a613263353032303061313738323835
+33313535393735386630356262613033343961376538303935393766306439656332326132353633
+3163383663326434630a643237623466363131653561303631633632336431346333613134626331
+63353436353631396364633331323932626365323062376634616434636136666530306265376162
+34343336646635666534323232363261303331626461396361393133643338363264373464306633
+31643034646563333836346265633536366265666632623764336630393739643338643161383130
+37383763333365323663