Commit Graph

21 Commits

Author SHA1 Message Date
Alex Vandiver 3d63a87384 kandra: Puppet github.com keys to both root and zulip users.
We update to add the ecdsa-sha2-nistp256 key as well.
2024-02-07 10:42:12 -08:00
Alex Vandiver b23d90ed62 puppet: Rename puppet/zulip_ops to puppet/kandra.
This makes for easier tab-completion, and also is a bit more explicit
about the expected consumer.
2024-02-06 17:56:27 -08:00
Alex Vandiver 0bd1e2b434 puppet: Rename and limit production key distribution. 2024-02-02 17:24:12 -08:00
Alex Vandiver ff00c01538 bootstrap-aws-installer: Pull all keys from secretsmanager. 2024-01-31 16:41:04 -08:00
Alex Vandiver 6902d5db47 install-aws-cli: Also install and keep up to date using Puppet.
We previously only did this install on the developer machine and on
initial boot.  Also run it from puppet to make sure we keep the binary
up-to-date.
2024-01-31 16:41:04 -08:00
Alex Vandiver bd87f53c86 install-aws-server: Build a tool to smuggle scripts inline in the bootdata. 2024-01-31 16:41:04 -08:00
Alex Vandiver 38bf1c5d22 install-aws-cli: Move into puppet files. 2024-01-31 16:41:04 -08:00
Alex Vandiver 7448ab6234 bootstrap-aws-installer: Update the github.com SSH key.
Per https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/.
2023-03-24 12:01:55 -07:00
Alex Vandiver 12a5317b8c bootstrap-aws-installer: Switch to an IMDSv2-compatible URL.
We don't use the token we request for anything, but a straight GET
request would fail in an IMDSv2-only environment.
2022-10-28 16:52:54 -07:00
Alex Vandiver 721a1d7a10 bootstrap-aws-installer: Drop "credential_source" in .aws/config.
Setting `credential_source` is used when assuming role credentials --
that is, when running as one role, use the AssumeRole right to become
someone else.

The AWS command-line tools only do this if `role_arn`, the role to
assume, is also set -- if it is not set, it transparently falls
through to IAM role attached to the EC2 instance profile.  However,
with the `aws-sdk-go` package, used by Teleport, this configuration
produces an error.

Remove the `credential_source = Ec2InstanceMetadata` line, which isn't
necessary for the AWS CLI, and interferes with Teleport operation.
2022-10-28 16:52:54 -07:00
Alex Vandiver 88fcf6862f bootstrap-aws-installer: Add ed-25519 host key. 2022-10-28 16:52:54 -07:00
Alex Vandiver 1be9ab2690 install-aws-server: Assume zulip_ops::profile:: prefix on all roles.
This will require that any profile-specific sections of
`$HOME/.zulip-install-server.conf` be renamed to their short form.
2022-06-28 09:39:31 -04:00
Alex Vandiver f5d4dea2f0 bootstrap-aws-installer: Leave `ubuntu` user deletion until the last.
This makes it easier to log in and figure out what went wrong if
something failed during the bootstrapping process.
2022-06-28 09:39:31 -04:00
Alex Vandiver a35af3f38b install/upgrade: Allow new packages during `apt-get upgrade`.
`postgresql-14.4` is a notable upgrade in the PostgreSQL series, as it
fixes potential database corruption from `CREATE INDEX CONCURRENTLY`
statements which are run while rows are modified[1].  However, it also
requires an upgrade from `libllvm9` to `libllvm10`, which means it is
not installed by a mere `apt-get upgrade`.

Add the `--with-new-pkgs` flag to all of the potentially relevant
`apt-get upgrade` calls, so that this (and similar) packages are
upgraded successfully.

[1]: https://www.postgresql.org/docs/release/14.4/
2022-06-21 11:21:49 -07:00
Anders Kaseorg 47897c76a2 scripts: Use curl -f (--fail).
This makes curl exit with nonzero status on HTTP 4xx/5xx errors.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-07-13 16:47:49 -07:00
Anders Kaseorg 06033545eb bootstrap-awscli: Remove executable bit.
Even though this looks like an independently runnable script, it
should not be run independently: a SHA-256 mismatch will fail to stop
the script, unless it was sourced from another script that has ‘set
-e’.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-06-28 17:13:57 -04:00
Anders Kaseorg 91bfebca7d install: Replace wget with curl.
curl uses Happy Eyeballs to avoid long timeouts on systems with broken
IPv6.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
2021-06-25 09:05:07 -07:00
Alex Vandiver f0b11d62f6 provisioning: Support non-RSA SSH keys.
Use the parts of the JSON to determine the files it should create.
2020-10-27 13:43:45 -07:00
Anders Kaseorg dfaea9df65 shfmt: Reformat shell scripts with shfmt.
https://github.com/mvdan/sh

Signed-off-by: Anders Kaseorg <anders@zulip.com>
2020-10-15 15:16:00 -07:00
Alex Vandiver 0d5760d59f install-aws-server: Force non-interactive dist-upgrade.
Installing an updated linux kernel package, as can happen during the
`apt dist-upgrade` done by the installer, can cause grub to pop up a
prompt to update its configuration file.  In an unattended headless
configuration, this will stop the installation.

Explicitly configure apt to be non-interactive, and prefer the newest
configuration, during the install.
2020-10-15 14:39:20 -07:00
Alex Vandiver a2fc823c3f provisioning: Use AWS CLI to automate provisioning
The previous steps for standing up a new host were somewhat manual.
This further scripts the process, by using the AWS CLI to start the
instance, and pass it a "user data" script to provision itself upon
boot.  This results in a hands-off provisioning process which
completes in 5min.

Additional settings are required for `~/.zulip-install-server.conf`.
It is not suited for all roles, as it assumes one instance type and
security group value.  Additionally, not all of the post-provision
process is currently automated -- Nagios SSH key verification, for
instance, is still a manual step.  There are also additional steps for
database or frontend servers.  Regardless, this is a move toward
automated provisioning.
2020-07-24 12:40:14 -07:00