diff --git a/packer/ret/.gitignore b/packer/ret/.gitignore
new file mode 100644
index 0000000..281414a
--- /dev/null
+++ b/packer/ret/.gitignore
@@ -0,0 +1,3 @@
+keys
+secrets
+
diff --git a/packer/ret/README.md b/packer/ret/README.md
new file mode 100644
index 0000000..5f32510
--- /dev/null
+++ b/packer/ret/README.md
@@ -0,0 +1,3 @@
+This image provides a Reticulum node.
+
+To build the image, run `build.sh` so keys/secrets will be decrypted.
diff --git a/packer/ret/build.sh b/packer/ret/build.sh
new file mode 100755
index 0000000..310ddf9
--- /dev/null
+++ b/packer/ret/build.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+if [[ -z "$HUBS_OPS_SECRETS_PATH" ]]; then
+ echo -e "You'll need to clone the ops secrets:
+
+git clone https://git-codecommit.us-west-1.amazonaws.com/v1/repos/hubs-ops-secrets
+
+Then set HUBS_OPS_SECRETS_PATH to point to the cloned repo."
+ exit 1
+fi
+
+# Build packer image, decrypting and removing key files across runs
+gpg2 -o - -d $HUBS_OPS_SECRETS_PATH/packer/hab-base/secrets.tar.gz.gpg | tar xz && packer build image.json
+rm -rf secrets
diff --git a/packer/ret/image.json b/packer/ret/image.json
new file mode 100644
index 0000000..31de734
--- /dev/null
+++ b/packer/ret/image.json
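Review bot: The decryption line `gpg2 -o - -d $HUBS_OPS_SECRETS_PATH/packer/hab-base/secrets.tar.gz.gpg | tar xz && packer build image.json` only tests tar's exit status, so a failed or partial decryption can still fall through to `packer build`, and the unquoted `$HUBS_OPS_SECRETS_PATH` breaks on paths containing spaces; adding `set -o pipefail` after the shebang and quoting the path, `gpg2 -o - -d "$HUBS_OPS_SECRETS_PATH/packer/hab-base/secrets.tar.gz.gpg" | tar xz && packer build image.json`, closes both. The script removes only `secrets` afterwards, while the new .gitignore also lists `keys` and the README says keys and secrets are decrypted; if the archive also produces a `keys` directory it is left on disk after the run, so the clean-up should cover it, ideally via a `trap` on EXIT so both are removed even when packer is interrupted. The archive path points at `packer/hab-base/` rather than `packer/ret/`; if the ret image intentionally reuses the hab-base secrets, a one-line comment saying so would save the next reader a check.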
@@ -0,0 +1,124 @@ +{ + "variables": { + "aws_access_key": "", + "aws_secret_key": "" + }, + "builders": [{ + "type": "amazon-ebs", + "access_key": "{{user `aws_access_key`}}", + "secret_key": "{{user `aws_secret_key`}}", + "region": "us-west-1", + "associate_public_ip_address": true, + "iam_instance_profile": "dev-packer", + "subnet_id": "subnet-abacbdf3", + "security_group_id": "sg-37a2c751", + "source_ami_filter": { + "filters": { + "virtualization-type": "hvm", + "name": "ubuntu/images/*ubuntu-bionic-18.04-amd64-server-*", + "root-device-type": "ebs" + }, + "owners": ["099720109477"], + "most_recent": true + }, + "instance_type": "m3.medium", + "ssh_username": "ubuntu", + "ami_name": "ret-{{timestamp}}" + }], + "provisioners": [ + { "type": "file", "source": "../shared/files/hostname-adjectives", "destination": "hostname-adjectives" }, + { "type": "file", "source": "../shared/files/hostname-nouns", "destination": "hostname-nouns" }, + { "type": "file", "source": "../shared/files/set_hostname.sh", "destination": "set_hostname.sh" }, + { "type": "file", "source": "../shared/files/set_host_type_prompt.sh", "destination": "set_host_type_prompt.sh" }, + { "type": "file", "source": "../shared/files/set-hostname.service", "destination": "set-hostname.service" }, + { "type": "file", "source": "../shared/files/save_service_files", "destination": "save_service_files" }, + { "type": "file", "source": "../shared/files/coredump.conf", "destination": "coredump.conf" }, + { "type": "file", "source": "../shared/files/sysctl.core.conf", "destination": "sysctl.core.conf" }, + { "type": "file", "source": "../shared/files/limits.core.conf", "destination": "limits.core.conf" }, + { "type": "file", "source": "../shared/files/sysctl.files.conf", "destination": "sysctl.files.conf" }, + { "type": "file", "source": "../shared/files/limits.files.conf", "destination": "limits.files.conf" }, + { + "type": "shell", + "execute_command": "echo 'packer' | sudo -S sh -c '{{ .Vars }} {{ .Path 
}}'", + "inline": [ + "apt-get update", + "apt-get update", + "apt-get update", + "DEBIAN_FRONTEND=noninteractive apt-get upgrade -y", + "DEBIAN_FRONTEND=noninteractive apt-get install -y unattended-upgrades python3 awscli jq sysstat nfs-common gnupg2", + "update-alternatives --install /usr/bin/python python /usr/bin/python3 1", + "mv coredump.conf /etc/systemd", + "mv sysctl.core.conf /etc/sysctl.d/60-core.conf", + "chown root:root /etc/sysctl.d/60-core.conf", + "chmod 0644 /etc/sysctl.d/60-core.conf", + "mv limits.core.conf /etc/security/limits.d/core.conf", + "chown root:root /etc/security/limits.d/core.conf", + "mv sysctl.files.conf /etc/sysctl.d/60-files.conf", + "chown root:root /etc/sysctl.d/60-files.conf", + "chmod 0644 /etc/sysctl.d/60-files.conf", + "mv limits.files.conf /etc/security/limits.d/files.conf", + "chown root:root /etc/security/limits.d/files.conf", + "mkdir -p /var/lib/coredump", + "chmod a+wx /var/lib/coredump", + "perl -p -i -e 's/false/true/g' /etc/default/sysstat", + "echo 'DefaultLimitCORE=infinity' >> /etc/systemd/system.conf", + "echo 'DefaultLimitNOFILE=infinity' >> /etc/systemd/system.conf", + "echo 'DefaultLimitMEMLOCK=infinity' >> /etc/systemd/system.conf", + "perl -p -i -e 's/preserve_hostname: false/preserve_hostname: true/g' /etc/cloud/cloud.cfg", + "mv hostname-nouns /usr/share/dict", + "mv hostname-adjectives /usr/share/dict", + "mv set_host_type_prompt.sh /usr/bin", + "mv set_hostname.sh /usr/bin", + "mv set-hostname.service /lib/systemd/system", + "mv save_service_files /usr/bin", + "chown root:root /lib/systemd/system/set-hostname.service", + "systemctl enable set-hostname", + "chown root:root /usr/share/dict/hostname-nouns", + "chown root:root /usr/share/dict/hostname-adjectives", + "chown root:root /usr/bin/set_hostname.sh", + "chown root:root /usr/bin/set_host_type_prompt.sh", + "chown root:root /usr/bin/save_service_files", + "chmod +x /usr/bin/set_host_type_prompt.sh", + "chmod +x /usr/bin/set_hostname.sh", + "chmod +x 
/usr/bin/save_service_files", + "echo \". /usr/bin/set_host_type_prompt.sh\" >> /home/ubuntu/.bashrc", + "echo \". /usr/bin/set_host_type_prompt.sh\" >> /root/.bashrc" + ] + }, + { "type": "file", "source": "../shared/files/hab-with-census.service", "destination": "hab.service" }, + { "type": "file", "source": "../shared/files/hab-discover-peer", "destination": "hab-discover-peer" }, + { + "type": "shell", + "execute_command": "echo 'packer' | sudo -S sh -c '{{ .Vars }} {{ .Path }}'", + "inline": [ + "curl -L \"https://api.bintray.com/content/habitat/stable/linux/x86_64/hab-0.73.0-20190115004751-x86_64-linux.tar.gz?bt_package=hab-x86_64-linux\" | tar xvz", + "find . -name 'hab' -exec mv {} /usr/bin \\;", + "chmod +x /usr/bin/hab", + "mv hab.service /lib/systemd/system", + "chown root:root /lib/systemd/system/hab.service", + "systemctl enable hab", + "mv hab-discover-peer /usr/bin", + "chown root:root /usr/bin/hab-discover-peer", + "chmod +x /usr/bin/hab-discover-peer", + "mkdir -p /hab/cache", + "groupadd -g 1001 hab", + "useradd -u 1001 -g 1001 hab" + ] + }, + { "type": "file", "source": "secrets", "destination": "." }, + { + "type": "shell", + "execute_command": "echo 'packer' | sudo -S sh -c '{{ .Vars }} {{ .Path }}'", + "inline": [ + "mv secrets/hab-keys /hab/cache/keys", + "chown -R root:root /hab/cache/keys", + "chmod -R 0600 /hab/cache/keys", + "mkdir -p /hab/svc/reticulum/files", + "mv secrets/reticulum/* /hab/svc/reticulum/files", + "chown -R hab:hab /hab/svc", + "chmod -R 0600 /hab/svc/reticulum/files/*", + "rm -rf secrets" + ] + } + ] +} diff --git a/terraform/modules/ret/main.tf b/terraform/modules/ret/main.tf index 4f95575..d38f348 100644 --- a/terraform/modules/ret/main.tf +++ b/terraform/modules/ret/main.tf 
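Review bot: The hab tarball in the second shell provisioner is fetched with `curl -L ... | tar xvz` and installed with `find . -name 'hab' -exec mv {} /usr/bin \;` without any integrity check, so the image trusts whatever the download endpoint returns; since the version is already pinned, saving the archive and verifying a pinned digest before extracting is cheap: `curl -fsSL -o hab.tar.gz "<same URL as above>"`, `echo "<EXPECTED_SHA256 placeholder>  hab.tar.gz" | sha256sum -c -`, `tar xzf hab.tar.gz`. The `find .` also matches any file named `hab` anywhere under the working directory, not only the one just extracted, so extracting into a dedicated temporary directory would make the install deterministic. Separately, the last provisioner leaves the decrypted `secrets/hab-keys` and `secrets/reticulum/*` (presumably including the `gpg-file-key.txt` that main.tf later reads) inside the AMI itself, so anyone who can launch or snapshot-mount the `ret-*` AMIs can read them; that trade-off deserves a sentence in the README, since the JSON cannot carry a comment. Also `chmod -R 0600 /hab/cache/keys` and `chmod -R 0600 /hab/svc/reticulum/files/*` strip the execute bit from any directory they touch, which would make subdirectories untraversable for the `hab` user; harmless if the payloads are flat files, otherwise directories need `0700`.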
@@ -39,13 +39,13 @@ data "aws_acm_certificate" "ret-alb-listener-cert-east" { most_recent = true } -data "aws_ami" "hab-census-ami" { +data "aws_ami" "ret-ami" { most_recent = true owners = ["self"] filter { name = "name" - values = ["hab-census-*"] + values = ["ret-*"] } } @@ -528,7 +528,7 @@ resource "aws_route53_record" "ret-smoke-alb-dns" { resource "aws_launch_configuration" "ret-pool" { count = "${length(var.ret_pools)}" - image_id = "${data.aws_ami.hab-census-ami.id}" + image_id = "${data.aws_ami.ret-ami.id}" instance_type = "${var.ret_instance_type}" security_groups = [ "${aws_security_group.ret.id}", @@ -564,6 +564,11 @@ hubs_page_origin = "https://s3-${var.shared["region"]}.amazonaws.com/${data.terr spoke_page_origin = "https://s3-${var.shared["region"]}.amazonaws.com/${data.terraform_remote_state.base.assets_bucket_id}/spoke/pages/live" EOTOML +aws s3 cp s3://${aws_s3_bucket.ret-bucket.id}/reticulum-files.tar.gz.gpg . +gpg2 -d --pinentry-mode=loopback --passphrase-file=/hab/svc/reticulum/files/gpg-file-key.txt reticulum-files.tar.gz.gpg | tar xz -C /hab/svc/reticulum/files +rm reticulum-files.tar.gz.gpg +chown hab:hab /hab/svc/reticulum/files/* + sudo /usr/bin/hab svc load mozillareality/reticulum --strategy ${var.reticulum_restart_strategy} --url https://bldr.habitat.sh --channel ${var.ret_pools[count.index]} sudo /usr/bin/hab svc load mozillareality/dd-agent --strategy at-once --url https://bldr.habitat.sh --channel stable EOF @@ -589,7 +594,7 @@ resource "aws_autoscaling_group" "ret-pool" { resource "aws_launch_configuration" "ret-smoke-pool" { count = "${length(var.ret_pools)}" - image_id = "${data.aws_ami.hab-census-ami.id}" + image_id = "${data.aws_ami.ret-ami.id}" instance_type = "${var.ret_instance_type}" security_groups = [ "${aws_security_group.ret.id}", 
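Review bot: The four added user-data lines in the `ret-pool` launch configuration (`aws s3 cp`, `gpg2 -d ... | tar xz -C /hab/svc/reticulum/files`, `rm`, `chown`) run unconditionally, so a failed download or decryption leaves `/hab/svc/reticulum/files` without the expected contents and the following `hab svc load` still starts the service; unless the surrounding script (its header is outside this hunk) already sets `set -euo pipefail`, the lines should be chained with `&&` or the pipeline guarded. The identical block is repeated for `ret-smoke-pool` at `@@ -629,6 +634,11 @@`; a shared template fragment would keep the two copies from drifting. `chown hab:hab /hab/svc/reticulum/files/*` is not recursive, unlike the `chown -R hab:hab /hab/svc` used when the image was built, so files inside any subdirectory of the archive would stay root-owned; `chown -R hab:hab /hab/svc/reticulum/files` matches the image. The `aws s3 cp ... .` also writes the encrypted archive into whatever working directory cloud-init happens to use; an explicit path under a root-only directory removes that dependency.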
@@ -629,6 +634,11 @@ hubs_page_origin = "https://s3-${var.shared["region"]}.amazonaws.com/${data.terr spoke_page_origin = "https://s3-${var.shared["region"]}.amazonaws.com/${data.terraform_remote_state.base.assets_bucket_id}/spoke/pages/latest" EOTOML +aws s3 cp s3://${aws_s3_bucket.ret-bucket.id}/reticulum-files.tar.gz.gpg . +gpg2 -d --pinentry-mode=loopback --passphrase-file=/hab/svc/reticulum/files/gpg-file-key.txt reticulum-files.tar.gz.gpg | tar xz -C /hab/svc/reticulum/files +rm reticulum-files.tar.gz.gpg +chown hab:hab /hab/svc/reticulum/files/* + sudo /usr/bin/hab svc load mozillareality/reticulum --strategy ${var.reticulum_restart_strategy} --url https://bldr.habitat.sh --channel ${var.ret_pools[count.index]} sudo /usr/bin/hab svc load mozillareality/dd-agent --strategy at-once --url https://bldr.habitat.sh --channel stable EOF