2020-07-15 20:54:57 +02:00
|
|
|
#!/bin/env bash
|
|
|
|
|
|
|
|
# Prepended to this automatically are the following:
|
|
|
|
#SERVER=
|
|
|
|
#HOSTNAME=
|
|
|
|
#ROLES=
|
|
|
|
#REPO_URL=
|
|
|
|
#BRANCH=
|
|
|
|
#SSH_SECRET_ID=
|
|
|
|
|
2021-07-13 21:00:50 +02:00
|
|
|
if ! curl -fLs -m 5 http://169.254.169.254/latest/dynamic/instance-identity/document | grep instanceId; then
|
2020-07-15 20:54:57 +02:00
|
|
|
echo "This should be run on AWS instances, not locally."
|
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
|
|
|
|
set -e
|
|
|
|
set -x
|
|
|
|
|
|
|
|
# Set the hostname early
|
2020-10-15 04:55:57 +02:00
|
|
|
echo "$HOSTNAME" >/etc/hostname
|
2020-07-15 20:54:57 +02:00
|
|
|
hostname "$HOSTNAME"
|
|
|
|
sed -i "s/localhost$/localhost $HOSTNAME $SERVER/" /etc/hosts
|
|
|
|
|
|
|
|
# Delete the ubuntu user
|
|
|
|
userdel ubuntu
|
|
|
|
|
|
|
|
# Make sure root doesn't have a password
|
|
|
|
passwd -d root
|
|
|
|
|
|
|
|
# Allow root logins
|
|
|
|
sed -i 's/disable_root: true/disable_root: false/' /etc/cloud/cloud.cfg
|
|
|
|
|
2020-10-15 09:29:38 +02:00
|
|
|
# Ensure all apt updates (here and in the installer) are non-interactive
|
|
|
|
export DEBIAN_FRONTEND=noninteractive
|
|
|
|
|
2020-07-15 20:54:57 +02:00
|
|
|
# Dependencies to install AWS CLI
|
|
|
|
(
|
|
|
|
apt-get -qy update
|
|
|
|
apt-get -qy -o "Dpkg::Options::=--force-confdef" -o "Dpkg::Options::=--force-confold" upgrade
|
2021-06-25 01:28:27 +02:00
|
|
|
apt-get -qy install jq unzip curl
|
2020-07-15 20:54:57 +02:00
|
|
|
apt-get -qy autoclean
|
|
|
|
)
|
|
|
|
|
2021-06-25 03:24:21 +02:00
|
|
|
# The following line gets subbed in with the contents of bootstrap-awscli.sh
|
2020-07-15 20:54:57 +02:00
|
|
|
AWS=
|
|
|
|
|
|
|
|
# Set up AWS so we can use the role credentials we were started with, which give secrets access
|
|
|
|
mkdir -p /root/.aws
|
|
|
|
cat >/root/.aws/config <<EOF
|
|
|
|
[default]
|
|
|
|
region = us-east-1
|
|
|
|
output = text
|
|
|
|
credential_source = Ec2InstanceMetadata
|
|
|
|
EOF
|
|
|
|
|
|
|
|
# Set up public keys for root, so we can fetch the repo; this is a
|
|
|
|
# function so we do can it again later with the zulip user
|
|
|
|
function install_keys() {
|
|
|
|
USERNAME="$1"
|
2020-10-15 04:55:57 +02:00
|
|
|
SSHDIR="$(getent passwd "$USERNAME" | cut -d: -f6)/.ssh"
|
2020-07-15 20:54:57 +02:00
|
|
|
KEYDATA="$($AWS --output text \
|
2020-10-15 04:55:57 +02:00
|
|
|
secretsmanager get-secret-value \
|
|
|
|
--secret-id "$SSH_SECRET_ID" \
|
|
|
|
--query SecretString)"
|
2020-07-15 20:54:57 +02:00
|
|
|
mkdir -p "$SSHDIR"
|
2020-10-27 21:00:20 +01:00
|
|
|
for KEYFILE in $(echo "$KEYDATA" | jq -r 'keys[]'); do
|
|
|
|
echo "$KEYDATA" | jq -r ".[\"$KEYFILE\"]" | base64 -d >"$SSHDIR/$KEYFILE"
|
|
|
|
if [[ "$KEYFILE" != *".pub" ]]; then
|
|
|
|
chmod 600 "$SSHDIR/$KEYFILE"
|
|
|
|
fi
|
|
|
|
done
|
2020-10-15 04:55:57 +02:00
|
|
|
chown -R "$USERNAME:$USERNAME" "$SSHDIR"
|
2020-07-15 20:54:57 +02:00
|
|
|
}
|
|
|
|
install_keys root
|
|
|
|
|
|
|
|
# Provide GitHub known_hosts setup; you can verify against fingerprints at
|
|
|
|
# https://docs.github.com/en/github/authenticating-to-github/githubs-ssh-key-fingerprints
|
|
|
|
# via `ssh-keygen -lf`
|
|
|
|
cat >/root/.ssh/known_hosts <<EOF
|
|
|
|
github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
|
|
|
|
EOF
|
|
|
|
|
|
|
|
cd /root
|
|
|
|
git clone "$REPO_URL" zulip -b "$BRANCH"
|
|
|
|
git -C zulip checkout "$BRANCH"
|
|
|
|
|
|
|
|
(
|
|
|
|
VIRTUALENV_NEEDED=$(if echo "$ROLES" | grep -q app_frontend; then echo -n yes; else echo -n no; fi)
|
|
|
|
export VIRTUALENV_NEEDED
|
2020-10-15 09:29:38 +02:00
|
|
|
export PUPPET_CLASSES="$ROLES"
|
|
|
|
export APT_OPTIONS="-o Dpkg::Options::=--force-confnew"
|
2020-07-15 20:54:57 +02:00
|
|
|
/root/zulip/scripts/setup/install \
|
|
|
|
--self-signed-cert \
|
|
|
|
--no-init-db
|
|
|
|
)
|
|
|
|
|
|
|
|
install_keys zulip
|
|
|
|
|
|
|
|
reboot
|