SSL cert dropping for ret nodes

2019-05-01 04:53:43 +00:00 · 2019-05-01 04:53:43 +00:00 · c2e7be1ef0
--- a/packer/ret/.gitignore
+++ b/packer/ret/.gitignore
@ -0,0 +1,3 @@
 keys
 secrets
--- a/packer/ret/README.md
+++ b/packer/ret/README.md
@ -0,0 +1,3 @@
 This image provides a Reticulum node.
 To build the image, run `build.sh` so keys/secrets will be decrypted.
--- a/packer/ret/build.sh
+++ b/packer/ret/build.sh
@ -0,0 +1,14 @@
 #!/usr/bin/env bash
 if [[ -z "$HUBS_OPS_SECRETS_PATH" ]]; then
  echo -e "You'll need to clone the ops secrets:
 git clone https://git-codecommit.us-west-1.amazonaws.com/v1/repos/hubs-ops-secrets
 Then set HUBS_OPS_SECRETS_PATH to point to the cloned repo."
  exit 1
 fi
 # Build packer image, decrypting and removing key files across runs
 gpg2 -o - -d $HUBS_OPS_SECRETS_PATH/packer/hab-base/secrets.tar.gz.gpg | tar xz && packer build image.json
 rm -rf secrets
--- a/packer/ret/image.json
+++ b/packer/ret/image.json
@ -0,0 +1,124 @@
 {
  "variables": {
    "aws_access_key": "",
    "aws_secret_key": ""
  },
  "builders": [{
    "type": "amazon-ebs",
    "access_key": "{{user `aws_access_key`}}",
    "secret_key": "{{user `aws_secret_key`}}",
    "region": "us-west-1",
    "associate_public_ip_address": true,
    "iam_instance_profile": "dev-packer",
    "subnet_id": "subnet-abacbdf3",
    "security_group_id": "sg-37a2c751",
    "source_ami_filter": {
      "filters": {
        "virtualization-type": "hvm",
        "name": "ubuntu/images/*ubuntu-bionic-18.04-amd64-server-*",
        "root-device-type": "ebs"
      },
      "owners": ["099720109477"],
      "most_recent": true
    },
    "instance_type": "m3.medium",
    "ssh_username": "ubuntu",
    "ami_name": "ret-{{timestamp}}"
  }],
  "provisioners": [
    { "type": "file", "source": "../shared/files/hostname-adjectives", "destination": "hostname-adjectives" },
    { "type": "file", "source": "../shared/files/hostname-nouns", "destination": "hostname-nouns" },
    { "type": "file", "source": "../shared/files/set_hostname.sh", "destination": "set_hostname.sh" },
    { "type": "file", "source": "../shared/files/set_host_type_prompt.sh", "destination": "set_host_type_prompt.sh" },
    { "type": "file", "source": "../shared/files/set-hostname.service", "destination": "set-hostname.service" },
    { "type": "file", "source": "../shared/files/save_service_files", "destination": "save_service_files" },
    { "type": "file", "source": "../shared/files/coredump.conf", "destination": "coredump.conf" },
    { "type": "file", "source": "../shared/files/sysctl.core.conf", "destination": "sysctl.core.conf" },
    { "type": "file", "source": "../shared/files/limits.core.conf", "destination": "limits.core.conf" },
    { "type": "file", "source": "../shared/files/sysctl.files.conf", "destination": "sysctl.files.conf" },
    { "type": "file", "source": "../shared/files/limits.files.conf", "destination": "limits.files.conf" },
    {
      "type": "shell",
      "execute_command": "echo 'packer' | sudo -S sh -c '{{ .Vars }} {{ .Path }}'",
      "inline": [
        "apt-get update",
        "apt-get update",
        "apt-get update",
        "DEBIAN_FRONTEND=noninteractive apt-get upgrade -y",
        "DEBIAN_FRONTEND=noninteractive apt-get install -y unattended-upgrades python3 awscli jq sysstat nfs-common gnupg2",
        "update-alternatives --install /usr/bin/python python /usr/bin/python3 1",
        "mv coredump.conf /etc/systemd",
        "mv sysctl.core.conf /etc/sysctl.d/60-core.conf",
        "chown root:root /etc/sysctl.d/60-core.conf",
        "chmod 0644 /etc/sysctl.d/60-core.conf",
        "mv limits.core.conf /etc/security/limits.d/core.conf",
        "chown root:root /etc/security/limits.d/core.conf",
        "mv sysctl.files.conf /etc/sysctl.d/60-files.conf",
        "chown root:root /etc/sysctl.d/60-files.conf",
        "chmod 0644 /etc/sysctl.d/60-files.conf",
        "mv limits.files.conf /etc/security/limits.d/files.conf",
        "chown root:root /etc/security/limits.d/files.conf",
        "mkdir -p /var/lib/coredump",
        "chmod a+wx /var/lib/coredump",
        "perl -p -i -e 's/false/true/g' /etc/default/sysstat",
        "echo 'DefaultLimitCORE=infinity' >> /etc/systemd/system.conf",
        "echo 'DefaultLimitNOFILE=infinity' >> /etc/systemd/system.conf",
        "echo 'DefaultLimitMEMLOCK=infinity' >> /etc/systemd/system.conf",
        "perl -p -i -e 's/preserve_hostname: false/preserve_hostname: true/g' /etc/cloud/cloud.cfg",
        "mv hostname-nouns /usr/share/dict",
        "mv hostname-adjectives /usr/share/dict",
        "mv set_host_type_prompt.sh /usr/bin",
        "mv set_hostname.sh /usr/bin",
        "mv set-hostname.service /lib/systemd/system",
        "mv save_service_files /usr/bin",
        "chown root:root /lib/systemd/system/set-hostname.service",
        "systemctl enable set-hostname",
        "chown root:root /usr/share/dict/hostname-nouns",
        "chown root:root /usr/share/dict/hostname-adjectives",
        "chown root:root /usr/bin/set_hostname.sh",
        "chown root:root /usr/bin/set_host_type_prompt.sh",
        "chown root:root /usr/bin/save_service_files",
        "chmod +x /usr/bin/set_host_type_prompt.sh",
        "chmod +x /usr/bin/set_hostname.sh",
        "chmod +x /usr/bin/save_service_files",
        "echo \". /usr/bin/set_host_type_prompt.sh\" >> /home/ubuntu/.bashrc",
        "echo \". /usr/bin/set_host_type_prompt.sh\" >> /root/.bashrc"
      ]
    },
    { "type": "file", "source": "../shared/files/hab-with-census.service", "destination": "hab.service" },
    { "type": "file", "source": "../shared/files/hab-discover-peer", "destination": "hab-discover-peer" },
    {
      "type": "shell",
      "execute_command": "echo 'packer' | sudo -S sh -c '{{ .Vars }} {{ .Path }}'",
      "inline": [
        "curl -L \"https://api.bintray.com/content/habitat/stable/linux/x86_64/hab-0.73.0-20190115004751-x86_64-linux.tar.gz?bt_package=hab-x86_64-linux\" | tar xvz",
        "find . -name 'hab' -exec mv {} /usr/bin \\;",
        "chmod +x /usr/bin/hab",
        "mv hab.service /lib/systemd/system",
        "chown root:root /lib/systemd/system/hab.service",
        "systemctl enable hab",
        "mv hab-discover-peer /usr/bin",
        "chown root:root /usr/bin/hab-discover-peer",
        "chmod +x /usr/bin/hab-discover-peer",
        "mkdir -p /hab/cache",
        "groupadd -g 1001 hab",
        "useradd -u 1001 -g 1001 hab"
      ]
    },
    { "type": "file", "source": "secrets", "destination": "." },
    {
      "type": "shell",
      "execute_command": "echo 'packer' | sudo -S sh -c '{{ .Vars }} {{ .Path }}'",
      "inline": [
        "mv secrets/hab-keys /hab/cache/keys",
        "chown -R root:root /hab/cache/keys",
        "chmod -R 0600 /hab/cache/keys",
        "mkdir -p /hab/svc/reticulum/files",
        "mv secrets/reticulum/* /hab/svc/reticulum/files",
        "chown -R hab:hab /hab/svc",
        "chmod -R 0600 /hab/svc/reticulum/files/*",
        "rm -rf secrets"
      ]
    }
  ]
 }
--- a/terraform/modules/ret/main.tf
+++ b/terraform/modules/ret/main.tf
@ -39,13 +39,13 @@ data "aws_acm_certificate" "ret-alb-listener-cert-east" {
  most_recent = true
 }
-data "aws_ami" "hab-census-ami" {
+data "aws_ami" "ret-ami" {
  most_recent = true
  owners = ["self"]
  filter {
    name = "name"
-    values = ["hab-census-*"]
+    values = ["ret-*"]
  }
 }
@ -528,7 +528,7 @@ resource "aws_route53_record" "ret-smoke-alb-dns" {
 resource "aws_launch_configuration" "ret-pool" {
  count = "${length(var.ret_pools)}"
-  image_id = "${data.aws_ami.hab-census-ami.id}"
+  image_id = "${data.aws_ami.ret-ami.id}"
  instance_type = "${var.ret_instance_type}"
  security_groups = [
    "${aws_security_group.ret.id}",
@ -564,6 +564,11 @@ hubs_page_origin = "https://s3-${var.shared["region"]}.amazonaws.com/${data.terr
 spoke_page_origin = "https://s3-${var.shared["region"]}.amazonaws.com/${data.terraform_remote_state.base.assets_bucket_id}/spoke/pages/live"
 EOTOML
 aws s3 cp s3://${aws_s3_bucket.ret-bucket.id}/reticulum-files.tar.gz.gpg .
 gpg2 -d --pinentry-mode=loopback --passphrase-file=/hab/svc/reticulum/files/gpg-file-key.txt reticulum-files.tar.gz.gpg | tar xz -C /hab/svc/reticulum/files
 rm reticulum-files.tar.gz.gpg
 chown hab:hab /hab/svc/reticulum/files/*
 sudo /usr/bin/hab svc load mozillareality/reticulum --strategy ${var.reticulum_restart_strategy} --url https://bldr.habitat.sh --channel ${var.ret_pools[count.index]}
 sudo /usr/bin/hab svc load mozillareality/dd-agent --strategy at-once --url https://bldr.habitat.sh --channel stable
 EOF
@ -589,7 +594,7 @@ resource "aws_autoscaling_group" "ret-pool" {
 resource "aws_launch_configuration" "ret-smoke-pool" {
  count = "${length(var.ret_pools)}"
-  image_id = "${data.aws_ami.hab-census-ami.id}"
+  image_id = "${data.aws_ami.ret-ami.id}"
  instance_type = "${var.ret_instance_type}"
  security_groups = [
    "${aws_security_group.ret.id}",
@ -629,6 +634,11 @@ hubs_page_origin = "https://s3-${var.shared["region"]}.amazonaws.com/${data.terr
 spoke_page_origin = "https://s3-${var.shared["region"]}.amazonaws.com/${data.terraform_remote_state.base.assets_bucket_id}/spoke/pages/latest"
 EOTOML
 aws s3 cp s3://${aws_s3_bucket.ret-bucket.id}/reticulum-files.tar.gz.gpg .
 gpg2 -d --pinentry-mode=loopback --passphrase-file=/hab/svc/reticulum/files/gpg-file-key.txt reticulum-files.tar.gz.gpg | tar xz -C /hab/svc/reticulum/files
 rm reticulum-files.tar.gz.gpg
 chown hab:hab /hab/svc/reticulum/files/*
 sudo /usr/bin/hab svc load mozillareality/reticulum --strategy ${var.reticulum_restart_strategy} --url https://bldr.habitat.sh --channel ${var.ret_pools[count.index]}
 sudo /usr/bin/hab svc load mozillareality/dd-agent --strategy at-once --url https://bldr.habitat.sh --channel stable
 EOF
		`@ -0,0 +1,3 @@`
							`This image provides a Reticulum node.`

							To build the image, run `build.sh` so keys/secrets will be decrypted.