2020-07-15 20:54:57 +02:00
|
|
|
#!/bin/env bash
|
|
|
|
|
|
|
|
# Prepended to this automatically are the following:
|
|
|
|
#SERVER=
|
|
|
|
#HOSTNAME=
|
2022-06-23 21:00:40 +02:00
|
|
|
#FULL_ROLES=
|
2020-07-15 20:54:57 +02:00
|
|
|
#REPO_URL=
|
|
|
|
#BRANCH=
|
|
|
|
|
2024-01-29 21:34:53 +01:00
|
|
|
export RUNNING_IN_CLOUD_INIT=1
|
2022-10-29 00:40:32 +02:00
|
|
|
if ! curl -fLs -m 5 -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 10" >/dev/null; then
|
2020-07-15 20:54:57 +02:00
|
|
|
echo "This should be run on AWS instances, not locally."
|
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
|
|
|
|
set -e
|
|
|
|
set -x
|
|
|
|
|
|
|
|
# Set the hostname early
|
2020-10-15 04:55:57 +02:00
|
|
|
echo "$HOSTNAME" >/etc/hostname
|
2020-07-15 20:54:57 +02:00
|
|
|
hostname "$HOSTNAME"
|
|
|
|
sed -i "s/localhost$/localhost $HOSTNAME $SERVER/" /etc/hosts
|
|
|
|
|
|
|
|
# Make sure root doesn't have a password
|
|
|
|
passwd -d root
|
|
|
|
|
|
|
|
# Allow root logins
|
|
|
|
sed -i 's/disable_root: true/disable_root: false/' /etc/cloud/cloud.cfg
|
|
|
|
|
2020-10-15 09:29:38 +02:00
|
|
|
# Ensure all apt updates (here and in the installer) are non-interactive
|
|
|
|
export DEBIAN_FRONTEND=noninteractive
|
|
|
|
|
2020-07-15 20:54:57 +02:00
|
|
|
# Dependencies to install AWS CLI
|
|
|
|
(
|
|
|
|
apt-get -qy update
|
2022-06-20 23:29:19 +02:00
|
|
|
apt-get -qy --with-new-pkgs -o "Dpkg::Options::=--force-confdef" -o "Dpkg::Options::=--force-confold" upgrade
|
2021-06-25 01:28:27 +02:00
|
|
|
apt-get -qy install jq unzip curl
|
2020-07-15 20:54:57 +02:00
|
|
|
apt-get -qy autoclean
|
|
|
|
)
|
|
|
|
|
2024-01-31 18:06:23 +01:00
|
|
|
# The following line gets subbed in by a call to pack-local-script,
|
|
|
|
# which will make $AWS_INSTALLER the path to a local copy of install-aws-cli
|
2024-02-06 21:40:19 +01:00
|
|
|
AWS_INSTALLER="inline!puppet/kandra/files/install-aws-cli"
|
2024-01-31 18:06:23 +01:00
|
|
|
|
|
|
|
# We then call it, to install the AWS CLI
|
|
|
|
"$AWS_INSTALLER"
|
2020-07-15 20:54:57 +02:00
|
|
|
|
bootstrap-aws-installer: Drop "credential_source" in .aws/config.
Setting `credential_source` is used when assuming role credentials --
that is, when running as one role, use the AssumeRole right to become
someone else.
The AWS command-line tools only do this if `role_arn`, the role to
assume, is also set -- if it is not set, it transparently falls
through to IAM role attached to the EC2 instance profile. However,
with the `aws-sdk-go` package, used by Teleport, this configuration
produces an error.
Remove the `credential_source = Ec2InstanceMetadata` line, which isn't
necessary for the AWS CLI, and interferes with Teleport operation.
2022-10-29 00:34:13 +02:00
|
|
|
# Set up a bare-bones AWS configuration
|
2020-07-15 20:54:57 +02:00
|
|
|
mkdir -p /root/.aws
|
|
|
|
cat >/root/.aws/config <<EOF
|
|
|
|
[default]
|
|
|
|
region = us-east-1
|
|
|
|
output = text
|
bootstrap-aws-installer: Drop "credential_source" in .aws/config.
Setting `credential_source` is used when assuming role credentials --
that is, when running as one role, use the AssumeRole right to become
someone else.
The AWS command-line tools only do this if `role_arn`, the role to
assume, is also set -- if it is not set, it transparently falls
through to IAM role attached to the EC2 instance profile. However,
with the `aws-sdk-go` package, used by Teleport, this configuration
produces an error.
Remove the `credential_source = Ec2InstanceMetadata` line, which isn't
necessary for the AWS CLI, and interferes with Teleport operation.
2022-10-29 00:34:13 +02:00
|
|
|
# Credentials are from the IAM role attached to the EC2 instance
|
2020-07-15 20:54:57 +02:00
|
|
|
EOF
|
|
|
|
|
2024-01-30 20:58:17 +01:00
|
|
|
# The following line gets replaced by pack-local-script output, which
|
|
|
|
# smuggles the install-ssh-keys binary into this one.
|
|
|
|
# install-ssh-keys, in turn, pulls key data from AWS' secret manager.
|
2024-02-06 21:40:19 +01:00
|
|
|
INSTALL_SSH_KEYS="inline!puppet/kandra/files/install-ssh-keys"
|
2024-02-01 18:31:00 +01:00
|
|
|
"$INSTALL_SSH_KEYS" root prod/ssh/keys/internal-read-only-deploy-key
|
2020-07-15 20:54:57 +02:00
|
|
|
|
|
|
|
# Provide GitHub known_hosts setup; you can verify against fingerprints at
|
|
|
|
# https://docs.github.com/en/github/authenticating-to-github/githubs-ssh-key-fingerprints
|
|
|
|
# via `ssh-keygen -lf`
|
2024-02-07 18:23:28 +01:00
|
|
|
GITHUB_KEYS="inline!puppet/kandra/files/github.keys"
|
|
|
|
cat "$GITHUB_KEYS" >>/root/.ssh/known_hosts
|
2020-07-15 20:54:57 +02:00
|
|
|
|
|
|
|
cd /root
|
|
|
|
git clone "$REPO_URL" zulip -b "$BRANCH"
|
|
|
|
git -C zulip checkout "$BRANCH"
|
|
|
|
|
|
|
|
(
|
2022-06-23 21:00:40 +02:00
|
|
|
VIRTUALENV_NEEDED=$(if echo "$FULL_ROLES" | grep -q app_frontend; then echo -n yes; else echo -n no; fi)
|
2020-07-15 20:54:57 +02:00
|
|
|
export VIRTUALENV_NEEDED
|
2022-06-23 21:00:40 +02:00
|
|
|
export PUPPET_CLASSES="$FULL_ROLES"
|
2020-10-15 09:29:38 +02:00
|
|
|
export APT_OPTIONS="-o Dpkg::Options::=--force-confnew"
|
2020-07-15 20:54:57 +02:00
|
|
|
/root/zulip/scripts/setup/install \
|
|
|
|
--self-signed-cert \
|
|
|
|
--no-init-db
|
|
|
|
)
|
|
|
|
|
2022-06-23 20:46:09 +02:00
|
|
|
# Delete the ubuntu user
|
|
|
|
userdel ubuntu
|
|
|
|
|
2020-07-15 20:54:57 +02:00
|
|
|
reboot
|