From 9dbe5bcfcbaeddae9004b0798ec3dc221a3421a5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Fri, 4 Dec 2020 16:21:52 +0100 Subject: [PATCH 01/15] Deploy a script to create new VMs It uses `virt-install` with the official Ubuntu 20.04 cloud image as a starting point, with cloud-init to add our SSH keys to the ubuntu user and set up Zerotier. USAGE: create_vm VMNAME Closes #244 --- site-cookbooks/kosmos_kvm/.gitignore | 22 ++++ site-cookbooks/kosmos_kvm/CHANGELOG.md | 5 + site-cookbooks/kosmos_kvm/LICENSE | 21 ++++ site-cookbooks/kosmos_kvm/README.md | 4 + site-cookbooks/kosmos_kvm/chefignore | 110 +++++++++++++++++++ site-cookbooks/kosmos_kvm/files/create_vm | 91 +++++++++++++++ site-cookbooks/kosmos_kvm/kitchen.yml | 32 ++++++ site-cookbooks/kosmos_kvm/metadata.rb | 20 ++++ site-cookbooks/kosmos_kvm/recipes/default.rb | 32 ++++++ 9 files changed, 337 insertions(+) create mode 100644 site-cookbooks/kosmos_kvm/.gitignore create mode 100644 site-cookbooks/kosmos_kvm/CHANGELOG.md create mode 100644 site-cookbooks/kosmos_kvm/LICENSE create mode 100644 site-cookbooks/kosmos_kvm/README.md create mode 100644 site-cookbooks/kosmos_kvm/chefignore create mode 100644 site-cookbooks/kosmos_kvm/files/create_vm create mode 100644 site-cookbooks/kosmos_kvm/kitchen.yml create mode 100644 site-cookbooks/kosmos_kvm/metadata.rb create mode 100644 site-cookbooks/kosmos_kvm/recipes/default.rb diff --git a/site-cookbooks/kosmos_kvm/.gitignore b/site-cookbooks/kosmos_kvm/.gitignore new file mode 100644 index 0000000..9abf29f --- /dev/null +++ b/site-cookbooks/kosmos_kvm/.gitignore @@ -0,0 +1,22 @@ +.vagrant +*~ +*# +.#* +\#*# +.*.sw[a-z] +*.un~ + +# Bundler +Gemfile.lock +gems.locked +bin/* +.bundle/* + +# test kitchen +.kitchen/ +kitchen.local.yml + +# Chef +Berksfile.lock +.zero-knife.rb +Policyfile.lock.json diff --git a/site-cookbooks/kosmos_kvm/CHANGELOG.md b/site-cookbooks/kosmos_kvm/CHANGELOG.md new file mode 100644 index 0000000..79223d6 --- /dev/null 
+++ b/site-cookbooks/kosmos_kvm/CHANGELOG.md @@ -0,0 +1,5 @@ +# kosmos_kvm CHANGELOG + +# 0.1.0 + +Initial release. diff --git a/site-cookbooks/kosmos_kvm/LICENSE b/site-cookbooks/kosmos_kvm/LICENSE new file mode 100644 index 0000000..dd321fd --- /dev/null +++ b/site-cookbooks/kosmos_kvm/LICENSE @@ -0,0 +1,21 @@ +The MIT License (MIT) + +Copyright (c) 2020 Kosmos Developers + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/site-cookbooks/kosmos_kvm/README.md b/site-cookbooks/kosmos_kvm/README.md new file mode 100644 index 0000000..650ceaf --- /dev/null +++ b/site-cookbooks/kosmos_kvm/README.md @@ -0,0 +1,4 @@ +# kosmos_kvm + +TODO: Enter the cookbook description here. + diff --git a/site-cookbooks/kosmos_kvm/chefignore b/site-cookbooks/kosmos_kvm/chefignore new file mode 100644 index 0000000..5039e1c --- /dev/null +++ b/site-cookbooks/kosmos_kvm/chefignore 
@@ -0,0 +1,110 @@ +# Put files/directories that should be ignored in this file when uploading +# to a Chef Infra Server or Supermarket. +# Lines that start with '# ' are comments. + +# OS generated files # +###################### +.DS_Store +ehthumbs.db +Icon? +nohup.out +Thumbs.db + +# SASS # +######## +.sass-cache + +# EDITORS # +########### +.#* +.project +.settings +*_flymake +*_flymake.* +*.bak +*.sw[a-z] +*.tmproj +*~ +\#* +mkmf.log +REVISION +TAGS* +tmtags + +## COMPILED ## +############## +*.class +*.com +*.dll +*.exe +*.o +*.pyc +*.so +*/rdoc/ +a.out + +# Testing # +########### +.circleci/* +.codeclimate.yml +.foodcritic +.kitchen* +.rspec +.rubocop.yml +.travis.yml +.watchr +azure-pipelines.yml +examples/* +features/* +Guardfile +kitchen.yml* +Procfile +Rakefile +spec/* +spec/* +spec/fixtures/* +test/* + +# SCM # +####### +.git +.gitattributes +.gitconfig +.github/* +.gitignore +.gitmodules +.svn +*/.bzr/* +*/.git +*/.hg/* +*/.svn/* + +# Berkshelf # +############# +Berksfile +Berksfile.lock +cookbooks/* +tmp + +# Bundler # +########### +vendor/* +Gemfile +Gemfile.lock + +# Policyfile # +############## +Policyfile.rb +Policyfile.lock.json + +# Cookbooks # +############# +CHANGELOG* +CONTRIBUTING* +TESTING* +CODE_OF_CONDUCT* + +# Vagrant # +########### +.vagrant +Vagrantfile diff --git a/site-cookbooks/kosmos_kvm/files/create_vm b/site-cookbooks/kosmos_kvm/files/create_vm new file mode 100644 index 0000000..4b83d01 --- /dev/null +++ b/site-cookbooks/kosmos_kvm/files/create_vm 
@@ -0,0 +1,91 @@
+#!/bin/bash
+set -e
+
+# The base VM was downloaded using the following commands:
+# mkdir /var/lib/libvirt/images/base
+# curl -o http://cloud-images.ubuntu.com/releases/focal/release/ubuntu-20.04-server-cloudimg-amd64-disk-kvm.img /var/lib/libvirt/images/base/ubuntu-20.04-server-cloudimg-amd64-disk-kvm.qcow2
+# chown -R libvirt-qemu:root /var/lib/libvirt/images/base
+
+if [[ $# -eq 0 ]] ; then
+ echo 'USAGE: create_vm VMNAME'
+ exit 1
+fi
+VMNAME=$1
+
+
+# Directory where image files will be stored
+IMAGE_DIR=/var/lib/libvirt/images
+IMAGE_FILE=${VMNAME}.qcow2
+IMAGE_PATH=$IMAGE_DIR/$IMAGE_FILE
+CIDATA_PATH=${IMAGE_DIR}/cidata-${VMNAME}.iso
+BASE_FILE=${IMAGE_DIR}/base/ubuntu-20.04-server-cloudimg-amd64-disk-kvm.qcow2
+
+# Disk size assigned to the VM
+DISKSIZE=10 # Unit: GB
+
+# Create the VM image if it does not already exist
+if [ ! -f "$IMAGE_PATH" ]; then
+ echo "info: image file $IMAGE_PATH not found. creating new image"
+ # Important: -F qcow2 is required to set the image format
+ qemu-img create -b "$BASE_FILE" -f qcow2 -F qcow2 "$IMAGE_PATH" ${DISKSIZE}G
+ chmod 600 "$IMAGE_PATH"
+ if [ $? -ne 0 ]; then
+ echo "error: failed to create image"
+ exit 1
+ fi
+fi
+
+# Dump the image info
+qemu-img info "$IMAGE_PATH"
+
+# Check if the cloud-init metadata file exists
+# if not, generate it
+if [ ! -r $CIDATA_PATH ]; then
+ pushd $(dirname $CIDATA_PATH)
+ mkdir -p $VMNAME
+ cd $VMNAME
+
+ cat > user-data <<-EOS
+#cloud-config
+ssh_authorized_keys:
+ - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw0I82gT8R4tpsqWGovLyjm2SR2F863MqNz224h3h/wl0xA5Eu0eRro+ELLv2hoebqQbcMsb89X5+7ObhDRar+b7tzDlXq4x+ECkAy6WbDSmBp3kNVd7muT4c9Zw7UxKsIvIm1ven1TkJ3UG80o6PyGiAUlBj4puIQwhp7OVknVutBBe8Rpp4f6BEuWluwpnPxc3KSaGhhr9p10xeX69cfspH40r8vHpI0zp19O5GpfYSOEH64UbwRpN2QypNB8ISmDHFsNGwdz0Ba4qrEOSGU9GveyOcsvEtt630/0fHqtbPBovOYu/FJISQZya2tofDig4EngBCJNfsPCbXFHtlp greg@karekinian.com
+ - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDDyUDR7ZE6HWmjvlfKrG8Ci+q5E4adbyboKvyYVkUXaTYt+DgisPPAqfGkd0yAHgVnmOS/3f5c3D6RrIXcxFmzwpV2BtmGZztBnEYvC5q8XPQhmu6AFl6ZDjh9XzUeO52py8tt5ZJ9W1R2ob/rlgX8txNHi6XwzuvPxZ7NR/iNup7cruBzkHABhwTvTfwaErufr6eNmNjh5VatNTei1ld6yWtmvbYJqJlpq6YyPu9vYNYPg0AB7I+OqOJhzHXhelY28GSP9KF3GDcHDtN1bV21g9+COcdKhMShQaw1WIkfQKdiuFictZIOCP0/uYSiFhyyoSvISiC3eT8zIimRbDRj basti@skddc.local
+
+runcmd:
+ # Enable serial console (for virsh)
+ - systemctl enable serial-getty@ttyS0.service && systemctl start serial-getty@ttyS0.service
+ - curl -s 'https://raw.githubusercontent.com/zerotier/ZeroTierOne/master/doc/contact%40zerotier.com.gpg' | gpg --import
+ - if z=\$(curl -s 'https://install.zerotier.com/' | gpg"); then echo "$z" | sudo bash; fi
+EOS
+
+ cat > meta-data <<-EOS
+instance-id: $VMNAME
+local-hostname: $VMNAME
+EOS
+
+ genisoimage -output "$CIDATA_PATH" -volid cidata -joliet -rock user-data meta-data
+ chown libvirt-qemu:kvm "$CIDATA_PATH"
+ chmod 600 "$CIDATA_PATH"
+ popd
+fi
+
+# setting --os-variant to ubuntu20.04 and ubuntu18.04 breaks SSH and networking
+virt-install \
+ --name cloudinit-1 \
+ --ram 2048 \
+ --vcpus 1\
+ --cpu host \
+ --arch x86_64 \
+ --os-type linux \
+ --os-variant ubuntu16.04 \
+ --hvm \
+ --virt-type kvm \
+ --disk "$IMAGE_PATH" \
+ --cdrom "$CIDATA_PATH" \
+ --boot hd \
+ --network=bridge=virbr0,model=virtio \
+ --graphics none \
+ --serial pty \
+ --console pty \
+ --autostart \
+ --import
diff --git a/site-cookbooks/kosmos_kvm/kitchen.yml b/site-cookbooks/kosmos_kvm/kitchen.yml
new file mode 100644
index 0000000..e5bbf3c
--- /dev/null
+++ b/site-cookbooks/kosmos_kvm/kitchen.yml
@@ -0,0 +1,32 @@
+---
+driver:
+ name: vagrant
+
+## The forwarded_port port feature lets you connect to ports on the VM guest via
+## localhost on the host.
+## see also: https://www.vagrantup.com/docs/networking/forwarded_ports.html
+
+# network:
+# - ["forwarded_port", {guest: 80, host: 8080}]
+
+provisioner:
+ name: chef_zero
+
+ ## product_name and product_version specifies a specific Chef product and version to install.
+ ## see the Chef documentation for more details: https://docs.chef.io/config_yml_kitchen.html
+ # product_name: chef
+ # product_version: 15
+
+verifier:
+ name: inspec
+
+platforms:
+ - name: ubuntu-18.04
+ - name: centos-7
+
+suites:
+ - name: default
+ verifier:
+ inspec_tests:
+ - test/integration/default
+ attributes:
diff --git a/site-cookbooks/kosmos_kvm/metadata.rb b/site-cookbooks/kosmos_kvm/metadata.rb
new file mode 100644
index 0000000..ecf09da
--- /dev/null
+++ b/site-cookbooks/kosmos_kvm/metadata.rb
@@ -0,0 +1,20 @@
+name 'kosmos_kvm'
+maintainer 'Kosmos Developers'
+maintainer_email 'mail@kosmos.org'
+license 'MIT'
+description 'Installs/Configures kosmos_kvm'
+long_description 'Installs/Configures kosmos_kvm'
+version '0.1.0'
+chef_version '>= 14.0'
+
+# The `issues_url` points to the location where issues for this cookbook are
+# tracked. A `View Issues` link will be displayed on this cookbook's page when
+# uploaded to a Supermarket.
+#
+# issues_url 'https://github.com//kosmos_kvm/issues'
+
+# The `source_url` points to the development repository for this cookbook. A
+# `View Source` link will be displayed on this cookbook's page when uploaded to
+# a Supermarket.
+#
+# source_url 'https://github.com//kosmos_kvm'
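Review bot: `--name cloudinit-1` in the virt-install call is a fixed domain name, so the second run of the script with a different VMNAME is rejected by libvirt as a duplicate guest; it should be `--name "$VMNAME"`. The `if [ $? -ne 0 ]` after `chmod 600` tests chmod's status rather than `qemu-img create`'s, and under `set -e` a failure of either command exits before the check is reached, so the "failed to create image" branch is dead code — testing the qemu-img call directly fixes both. VMNAME is used unquoted in `pushd`/`mkdir`/`cd` and spliced into the image, ISO and meta-data paths, so a name containing whitespace, `/` or `..` leaves `$IMAGE_DIR`; a whitelist check right after `VMNAME=$1` is cheap. In the `runcmd` block the ZeroTier line has a stray `"` after `gpg`, and because the heredoc delimiter is unquoted the generating shell expands `"$z"` to `""` while the escaped `\$(...)` survives, so the guest receives `echo "" | sudo bash` with an unbalanced quote; quoting the delimiter (`cat > user-data <<-'EOS'`, that heredoc uses no host variables) and dropping the stray quote restores the intended verified install, and since the signing key is itself fetched from the mutable `master` branch of the same upstream, shipping the key (or checking its fingerprint) from the cookbook would make that verification meaningful. The `curl -o` in the header comment also has its arguments reversed (`-o` takes the destination path first).
```shell
VMNAME=$1
# Constructed check: only names libvirt and the path construction below tolerate
if ! [[ $VMNAME =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]]; then
 echo "error: invalid VM name '$VMNAME'" >&2
 exit 1
fi

# … unchanged: IMAGE_DIR / IMAGE_FILE / IMAGE_PATH / CIDATA_PATH / BASE_FILE / DISKSIZE …

if [ ! -f "$IMAGE_PATH" ]; then
 echo "info: image file $IMAGE_PATH not found. creating new image"
 # Important: -F qcow2 is required to set the image format
 if ! qemu-img create -b "$BASE_FILE" -f qcow2 -F qcow2 "$IMAGE_PATH" "${DISKSIZE}G"; then
 echo "error: failed to create image" >&2
 exit 1
 fi
 chmod 600 "$IMAGE_PATH"
fi

# … unchanged: qemu-img info, cloud-init ISO generation (with the user-data heredoc delimiter quoted) …

virt-install \
 --name "$VMNAME" \
# … unchanged: remaining virt-install options …
```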
diff --git a/site-cookbooks/kosmos_kvm/recipes/default.rb b/site-cookbooks/kosmos_kvm/recipes/default.rb
new file mode 100644
index 0000000..baba371
--- /dev/null
+++ b/site-cookbooks/kosmos_kvm/recipes/default.rb
@@ -0,0 +1,32 @@
+#
+# Cookbook:: kosmos_kvm
+# Recipe:: default
+#
+# The MIT License (MIT)
+#
+# Copyright:: 2020, Kosmos Developers
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+
+package 'virtinst'
+
+cookbook_file "/usr/local/sbin/create_vm" do
+ source "create_vm"
+ mode "0750"
+end
From e6b7794e20920cd6f676154fe5d53fc50757f237 Mon Sep 17 00:00:00 2001
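Review bot: The script installed by `cookbook_file "/usr/local/sbin/create_vm"` calls `qemu-img` and `genisoimage` in addition to `virt-install`, but the recipe only installs `virtinst`, so on a freshly provisioned host the first run stops at `qemu-img create` unless those tools happen to be present; on Ubuntu that would be `package %w[virtinst qemu-utils genisoimage]` (package names to be confirmed for the target platform, which this hunk does not show). The resource sets `mode "0750"` without `owner`/`group`, so the file stays root-owned and is usable only by root — consistent with the script writing under `/var/lib/libvirt/images`, but a comment such as `# root-only: the script writes images under /var/lib/libvirt/images` would make that deliberate.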
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Fri, 4 Dec 2020 16:27:42 +0100 Subject: [PATCH 02/15] Extract firewall definitions to their own recipe This allows us to use them for KVM hosts as well. Until now we had set up ufw rules manually on the two KVM hosts (draco and centaurus) Refs #244 --- site-cookbooks/kosmos-base/recipes/default.rb | 2 +- .../kosmos-bitcoin/recipes/firewall.rb | 32 +++++++++++ .../kosmos-bitcoin/recipes/source.rb | 7 +-- .../kosmos-btcpayserver/recipes/proxy.rb | 3 +- .../kosmos-dirsrv/recipes/default.rb | 9 +-- .../kosmos-dirsrv/recipes/firewall.rb | 33 +++++++++++ .../kosmos-ejabberd/recipes/default.rb | 30 +--------- .../kosmos-ejabberd/recipes/firewall.rb | 57 +++++++++++++++++++ .../kosmos-ipfs/attributes/default.rb | 1 + site-cookbooks/kosmos-ipfs/recipes/default.rb | 7 +-- .../recipes/firewall_public_gateway.rb | 32 +++++++++++ .../kosmos-ipfs/recipes/firewall_swarm.rb | 32 +++++++++++ .../kosmos-ipfs/recipes/public_gateway.rb | 7 +-- .../kosmos-nginx/recipes/default.rb | 8 +-- .../kosmos-nginx/recipes/firewall.rb | 33 +++++++++++ .../kosmos-nginx/recipes/with_perl.rb | 8 +-- .../kosmos-postgresql/recipes/default.rb | 14 ++--- .../recipes/firewall_replicas.rb | 36 ++++++++++++ .../kosmos-postgresql/recipes/replica.rb | 2 +- .../kosmos_gitea/recipes/default.rb | 4 -- site-cookbooks/sockethub/recipes/_firewall.rb | 3 +- 21 files changed, 274 insertions(+), 86 deletions(-) create mode 100644 site-cookbooks/kosmos-bitcoin/recipes/firewall.rb create mode 100644 site-cookbooks/kosmos-dirsrv/recipes/firewall.rb create mode 100644 site-cookbooks/kosmos-ejabberd/recipes/firewall.rb create mode 100644 site-cookbooks/kosmos-ipfs/recipes/firewall_public_gateway.rb create mode 100644 site-cookbooks/kosmos-ipfs/recipes/firewall_swarm.rb create mode 100644 site-cookbooks/kosmos-nginx/recipes/firewall.rb create mode 100644 site-cookbooks/kosmos-postgresql/recipes/firewall_replicas.rb 
diff --git a/site-cookbooks/kosmos-base/recipes/default.rb b/site-cookbooks/kosmos-base/recipes/default.rb index 9ee8ab8..d5df463 100644 --- a/site-cookbooks/kosmos-base/recipes/default.rb +++ b/site-cookbooks/kosmos-base/recipes/default.rb @@ -64,7 +64,7 @@ unless node.chef_environment == "development" ] end - include_recipe 'kosmos-base::firewall' + include_recipe "kosmos-base::firewall" include_recipe 'kosmos-postfix' diff --git a/site-cookbooks/kosmos-bitcoin/recipes/firewall.rb b/site-cookbooks/kosmos-bitcoin/recipes/firewall.rb new file mode 100644 index 0000000..f1018d1 --- /dev/null +++ b/site-cookbooks/kosmos-bitcoin/recipes/firewall.rb @@ -0,0 +1,32 @@ +# +# Cookbook:: kosmos-bitcoin +# Recipe:: firewall +# +# The MIT License (MIT) +# +# Copyright:: 2020, Kosmos Developers +# +# Permission is hereby granted, free of charge, to any person obtaining a copy +# of this software and associated documentation files (the "Software"), to deal +# in the Software without restriction, including without limitation the rights +# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +# copies of the Software, and to permit persons to whom the Software is +# furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be included in +# all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +# THE SOFTWARE. +# + +firewall_rule 'bitcoind' do + port [8333] # TODO adjust for testnet + protocol :tcp + command :allow +end 
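Review bot: This recipe declares `firewall_rule 'bitcoind'` without first including `kosmos-base::firewall`, unlike the other firewall recipes added in the same commit (`kosmos-dirsrv::firewall`, `kosmos-ejabberd::firewall`, `kosmos-nginx::firewall`, `kosmos-postgresql::firewall_replicas`), and the two kosmos-ipfs recipes (`firewall_public_gateway`, `firewall_swarm`) include the upstream `'firewall'` recipe instead. Whatever `kosmos-base::firewall` sets up (presumably the default policy and the base rules; its contents are not in this diff) is then not guaranteed to be in place when one of these recipes is the first firewall recipe in a run list. Adding `include_recipe "kosmos-base::firewall"` here and in the two kosmos-ipfs recipes keeps all seven self-contained in the same way, which is the point of extracting them for KVM hosts.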
diff --git a/site-cookbooks/kosmos-bitcoin/recipes/source.rb b/site-cookbooks/kosmos-bitcoin/recipes/source.rb index d93f004..0d60853 100644 --- a/site-cookbooks/kosmos-bitcoin/recipes/source.rb +++ b/site-cookbooks/kosmos-bitcoin/recipes/source.rb @@ -158,9 +158,4 @@ systemd_unit 'bitcoind.service' do action [:create, :enable, :start] end -# TODO move to custom kosmos cookbook before publishing bitcoin cookbook -firewall_rule 'bitcoind' do - port [8333] # TODO adjust for testnet - protocol :tcp - command :allow -end +include_recipe "kosmos-bitcoin::firewall" diff --git a/site-cookbooks/kosmos-btcpayserver/recipes/proxy.rb b/site-cookbooks/kosmos-btcpayserver/recipes/proxy.rb index 4a47729..621161e 100644 --- a/site-cookbooks/kosmos-btcpayserver/recipes/proxy.rb +++ b/site-cookbooks/kosmos-btcpayserver/recipes/proxy.rb @@ -25,7 +25,8 @@ end nginx_certbot_site server_name unless node.chef_environment == "development" - include_recipe "firewall" + include_recipe "kosmos-base::firewall" + firewall_rule "btcpayserver" do port node["kosmos-btcpayserver"]["port"] protocol :tcp diff --git a/site-cookbooks/kosmos-dirsrv/recipes/default.rb b/site-cookbooks/kosmos-dirsrv/recipes/default.rb index 2f189df..6bcb871 100644 --- a/site-cookbooks/kosmos-dirsrv/recipes/default.rb +++ b/site-cookbooks/kosmos-dirsrv/recipes/default.rb @@ -37,14 +37,9 @@ end # with the run context is confusing: # # https://github.com/chef-cookbooks/firewall/issues/134 -unless node.chef_environment == "development" - include_recipe "firewall" - firewall_rule "ldap" do - port [389, 636] - protocol :tcp - command :allow - end +include_recipe "kosmos-dirsrv::firewall" +unless node.chef_environment == "development" # backup the data dir and the config files node.override["backup"]["archives"]["dirsrv"] = ["/etc/dirsrv", "/var/lib/dirsrv"] include_recipe "backup" 
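Review bot: `include_recipe "kosmos-dirsrv::firewall"` is placed above the `unless node.chef_environment == "development"` guard, whereas the removed block was inside it, so development nodes will now also get the firewall recipe and the LDAP rule; the sibling refactors in this commit (kosmos-ipfs, kosmos-nginx, kosmos-ejabberd, kosmos-postgresql) keep the include inside the guard. If this is deliberate for dirsrv it deserves a one-line comment next to the include, otherwise the include belongs below the `unless` line as in the other recipes.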
diff --git a/site-cookbooks/kosmos-dirsrv/recipes/firewall.rb b/site-cookbooks/kosmos-dirsrv/recipes/firewall.rb new file mode 100644 index 0000000..b466666 --- /dev/null +++ b/site-cookbooks/kosmos-dirsrv/recipes/firewall.rb @@ -0,0 +1,33 @@ +# +# Cookbook Name:: kosmos-dirsrv +# Recipe:: firewall +# +# The MIT License (MIT) +# +# Copyright:: 2020, Kosmos Developers +# +# Permission is hereby granted, free of charge, to any person obtaining a copy +# of this software and associated documentation files (the "Software"), to deal +# in the Software without restriction, including without limitation the rights +# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +# copies of the Software, and to permit persons to whom the Software is +# furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be included in +# all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +# THE SOFTWARE. + +include_recipe "kosmos-base::firewall" + +firewall_rule "ldap" do + port [389, 636] + protocol :tcp + command :allow +end diff --git a/site-cookbooks/kosmos-ejabberd/recipes/default.rb b/site-cookbooks/kosmos-ejabberd/recipes/default.rb index 0cde474..01225cb 100644 --- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb +++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb 
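Review bot: The `ldap` rule allows 389 and 636 with no `source`, so plain LDAP on 389 is reachable from every address the host accepts traffic on; the rule is carried over unchanged, but since the commit exists to apply these recipes to more hosts, this is the moment to decide whether 389 is still needed. If it serves only StartTLS from known clients, a `source` restriction (as the postgresql replica rule in `firewall_replicas` already uses) or dropping 389 from the list narrows the exposure, and a comment such as `# 389 kept for StartTLS clients; 636 is LDAPS` records the decision either way.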
@@ -219,35 +219,7 @@ service "ejabberd" do end unless node.chef_environment == "development" - firewall_rule 'ejabberd' do - port [5222, 5223, 5269, 5443] - protocol :tcp - command :allow - end - - firewall_rule 'ejabberd_cluster' do - port [4369] - protocol :tcp - command :allow - end - - firewall_rule 'erlang_cluster' do - port [4200..4210] - protocol :tcp - command :allow - end - - firewall_rule 'ejabberd_stun_turn' do - port 3478 - protocol :tcp - command :allow - end - - firewall_rule 'ejabberd_turn' do - port node["kosmos-ejabberd"]["turn_min_port"]..node["kosmos-ejabberd"]["turn_max_port"] - protocol :tcp - command :allow - end + include_recipe "kosmos-ejabberd::firewall" end # diff --git a/site-cookbooks/kosmos-ejabberd/recipes/firewall.rb b/site-cookbooks/kosmos-ejabberd/recipes/firewall.rb new file mode 100644 index 0000000..5d2ac3a --- /dev/null +++ b/site-cookbooks/kosmos-ejabberd/recipes/firewall.rb 
@@ -0,0 +1,57 @@ +# +# Cookbook:: kosmos-ejabberd +# Recipe:: firewall +# +# The MIT License (MIT) +# +# Copyright:: 2020, Kosmos Developers +# +# Permission is hereby granted, free of charge, to any person obtaining a copy +# of this software and associated documentation files (the "Software"), to deal +# in the Software without restriction, including without limitation the rights +# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +# copies of the Software, and to permit persons to whom the Software is +# furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be included in +# all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +# THE SOFTWARE. + +include_recipe "kosmos-base::firewall" + +firewall_rule "ejabberd" do + port [5222, 5223, 5269, 5443] + protocol :tcp + command :allow +end + +firewall_rule 'ejabberd_cluster' do + port [4369] + protocol :tcp + command :allow +end + +firewall_rule 'erlang_cluster' do + port [4200..4210] + protocol :tcp + command :allow +end + +firewall_rule 'ejabberd_stun_turn' do + port 3478 + protocol :tcp + command :allow +end + +firewall_rule 'ejabberd_turn' do + port node["kosmos-ejabberd"]["turn_min_port"]..node["kosmos-ejabberd"]["turn_max_port"] + protocol :tcp + command :allow +end diff --git a/site-cookbooks/kosmos-ipfs/attributes/default.rb b/site-cookbooks/kosmos-ipfs/attributes/default.rb index bce7a81..860fb87 100644 --- a/site-cookbooks/kosmos-ipfs/attributes/default.rb 
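Review bot: The `ejabberd_cluster` (4369, epmd) and `erlang_cluster` (4200..4210) rules have no `source`, so the Erlang distribution ports are open to every address the host accepts traffic on and are guarded only by the Erlang cookie; unlike the XMPP client and server ports they only need to be reachable from the cluster peers. A `source` restriction per peer, in the style of `kosmos-postgresql::firewall_replicas`, would contain that. The `ejabberd_stun_turn` and `ejabberd_turn` rules are `protocol :tcp` only — if the STUN/TURN listener also serves UDP, which I cannot confirm from this hunk, a matching `protocol :udp` rule is missing.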
+++ b/site-cookbooks/kosmos-ipfs/attributes/default.rb @@ -17,6 +17,7 @@ node.default['kosmos-ipfs']['ipfs']['config'] = { node.default['kosmos-ipfs']['nginx']['api_port'] = 5001 node.default['kosmos-ipfs']['nginx']['gateway_port'] = 9090 node.default['kosmos-ipfs']['nginx']['external_api_port'] = 5444 +node.default['kosmos-ipfs']['nginx']['swarm_p2p_port'] = 4001 node.default['kosmos-ipfs']['nginx']['domain'] = "ipfs.kosmos.org" node.default['kosmos-ipfs']['kredits-pinner']['revision'] = "v1.0.2" diff --git a/site-cookbooks/kosmos-ipfs/recipes/default.rb b/site-cookbooks/kosmos-ipfs/recipes/default.rb index 202faf4..b642a8c 100644 --- a/site-cookbooks/kosmos-ipfs/recipes/default.rb +++ b/site-cookbooks/kosmos-ipfs/recipes/default.rb @@ -34,10 +34,5 @@ node['kosmos-ipfs']['ipfs']['config'].each do |k, v| end unless node.chef_environment == "development" - include_recipe 'firewall' - firewall_rule 'ipfs_swarm_p2p' do - port 4001 - protocol :tcp - command :allow - end + include_recipe "kosmos-ipfs::firewall_swarm" end diff --git a/site-cookbooks/kosmos-ipfs/recipes/firewall_public_gateway.rb b/site-cookbooks/kosmos-ipfs/recipes/firewall_public_gateway.rb new file mode 100644 index 0000000..116c436 --- /dev/null +++ b/site-cookbooks/kosmos-ipfs/recipes/firewall_public_gateway.rb 
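Review bot: `swarm_p2p_port` is the IPFS daemon's swarm listener, not an nginx setting, so filing it under `['kosmos-ipfs']['nginx']` next to the proxy ports (`api_port`, `gateway_port`, `external_api_port`) is misleading for the next reader. `node.default['kosmos-ipfs']['ipfs']['swarm_port'] = 4001` would sit with the `['ipfs']['config']` group visible at the top of this hunk, with the lookup in the new `firewall_swarm` recipe changed to match.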
@@ -0,0 +1,32 @@ +# +# Cookbook Name:: kosmos-ipfs +# Recipe:: firewall_public_gateway +# +# The MIT License (MIT) +# +# Copyright:: 2020, Kosmos Developers +# +# Permission is hereby granted, free of charge, to any person obtaining a copy +# of this software and associated documentation files (the "Software"), to deal +# in the Software without restriction, including without limitation the rights +# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +# copies of the Software, and to permit persons to whom the Software is +# furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be included in +# all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +# THE SOFTWARE. + +include_recipe 'firewall' +firewall_rule 'ipfs_api' do + port node['kosmos-ipfs']['nginx']['external_api_port'] + protocol :tcp + command :allow +end diff --git a/site-cookbooks/kosmos-ipfs/recipes/firewall_swarm.rb b/site-cookbooks/kosmos-ipfs/recipes/firewall_swarm.rb new file mode 100644 index 0000000..056d288 --- /dev/null +++ b/site-cookbooks/kosmos-ipfs/recipes/firewall_swarm.rb 
@@ -0,0 +1,32 @@ +# +# Cookbook Name:: kosmos-ipfs +# Recipe:: firewall_swarm +# +# The MIT License (MIT) +# +# Copyright:: 2020, Kosmos Developers +# +# Permission is hereby granted, free of charge, to any person obtaining a copy +# of this software and associated documentation files (the "Software"), to deal +# in the Software without restriction, including without limitation the rights +# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +# copies of the Software, and to permit persons to whom the Software is +# furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be included in +# all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +# THE SOFTWARE. + +include_recipe 'firewall' +firewall_rule 'ipfs_swarm_p2p' do + port node['kosmos-ipfs']['nginx']['swarm_p2p_port'] + protocol :tcp + command :allow +end diff --git a/site-cookbooks/kosmos-ipfs/recipes/public_gateway.rb b/site-cookbooks/kosmos-ipfs/recipes/public_gateway.rb index 3ed5fe1..7d9927f 100644 --- a/site-cookbooks/kosmos-ipfs/recipes/public_gateway.rb +++ b/site-cookbooks/kosmos-ipfs/recipes/public_gateway.rb @@ -49,10 +49,5 @@ end nginx_certbot_site domain unless node.chef_environment == "development" - include_recipe "firewall" - firewall_rule 'ipfs_api' do - port node['kosmos-ipfs']['nginx']['external_api_port'] - protocol :tcp - command :allow - end + include_recipe "kosmos-ipfs::firewall_public_gateway" end 
diff --git a/site-cookbooks/kosmos-nginx/recipes/default.rb b/site-cookbooks/kosmos-nginx/recipes/default.rb index 87f386f..c01301e 100644 --- a/site-cookbooks/kosmos-nginx/recipes/default.rb +++ b/site-cookbooks/kosmos-nginx/recipes/default.rb @@ -84,11 +84,5 @@ cookbook_file "#{node["nginx"]["user_home"]}/maintenance.html" do end unless node.chef_environment == "development" - include_recipe 'kosmos-base::firewall' - - firewall_rule 'http/https' do - port [80, 443] - protocol :tcp - command :allow - end + include_recipe "kosmos-nginx::firewall" end diff --git a/site-cookbooks/kosmos-nginx/recipes/firewall.rb b/site-cookbooks/kosmos-nginx/recipes/firewall.rb new file mode 100644 index 0000000..ca6cbe2 --- /dev/null +++ b/site-cookbooks/kosmos-nginx/recipes/firewall.rb 
@@ -0,0 +1,33 @@ +# +# Cookbook Name:: kosmos-nginx +# Recipe:: firewall +# +# The MIT License (MIT) +# +# Copyright:: 2020, Kosmos Developers +# +# Permission is hereby granted, free of charge, to any person obtaining a copy +# of this software and associated documentation files (the "Software"), to deal +# in the Software without restriction, including without limitation the rights +# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +# copies of the Software, and to permit persons to whom the Software is +# furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be included in +# all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +# THE SOFTWARE. + +include_recipe "kosmos-base::firewall" + +firewall_rule "http/https" do + port [80, 443] + protocol :tcp + command :allow +end diff --git a/site-cookbooks/kosmos-nginx/recipes/with_perl.rb b/site-cookbooks/kosmos-nginx/recipes/with_perl.rb index bac0223..5be4fda 100644 --- a/site-cookbooks/kosmos-nginx/recipes/with_perl.rb +++ b/site-cookbooks/kosmos-nginx/recipes/with_perl.rb @@ -23,11 +23,5 @@ cookbook_file "#{node['nginx']['dir']}/conf.d/tls_config.conf" do end unless node.chef_environment == "development" - include_recipe 'kosmos-base::firewall' - - firewall_rule 'http/https' do - port [80, 443] - protocol :tcp - command :allow - end + include_recipe 'kosmos-nginx::firewall' end 
diff --git a/site-cookbooks/kosmos-postgresql/recipes/default.rb b/site-cookbooks/kosmos-postgresql/recipes/default.rb index c7d289b..b3c9f4f 100644 --- a/site-cookbooks/kosmos-postgresql/recipes/default.rb +++ b/site-cookbooks/kosmos-postgresql/recipes/default.rb @@ -76,14 +76,8 @@ postgresql_replicas.each do |replica| notifies :reload, "service[#{postgresql_service}]", :immediately end - unless node.chef_environment == "development" - include_recipe "firewall" - - firewall_rule "postgresql replica #{replica[:hostname]}" do - port 5432 - protocol :tcp - command :allow - source replica[:ipaddress] - end - end +end + +unless node.chef_environment == "development" + include_recipe "kosmos-postgresql::firewall_replicas" end diff --git a/site-cookbooks/kosmos-postgresql/recipes/firewall_replicas.rb b/site-cookbooks/kosmos-postgresql/recipes/firewall_replicas.rb new file mode 100644 index 0000000..0ad0a47 --- /dev/null +++ b/site-cookbooks/kosmos-postgresql/recipes/firewall_replicas.rb 
@@ -0,0 +1,36 @@ +# +# Cookbook:: kosmos-postgresql +# Recipe:: firewall_replicas +# +# The MIT License (MIT) +# +# Copyright:: 2020, Kosmos Developers +# +# Permission is hereby granted, free of charge, to any person obtaining a copy +# of this software and associated documentation files (the "Software"), to deal +# in the Software without restriction, including without limitation the rights +# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +# copies of the Software, and to permit persons to whom the Software is +# furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be included in +# all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +# THE SOFTWARE. + +include_recipe "kosmos-base::firewall" + +postgresql_replicas.each do |replica| + firewall_rule "postgresql replica #{replica[:hostname]}" do + port 5432 + protocol :tcp + command :allow + source replica[:ipaddress] + end +end diff --git a/site-cookbooks/kosmos-postgresql/recipes/replica.rb b/site-cookbooks/kosmos-postgresql/recipes/replica.rb index b063edf..651b18a 100644 --- a/site-cookbooks/kosmos-postgresql/recipes/replica.rb +++ b/site-cookbooks/kosmos-postgresql/recipes/replica.rb 
@@ -70,7 +70,7 @@ systemctl start #{postgresql_service} node.normal['kosmos-postgresql']['ready_to_set_up_replica'] = true unless node.chef_environment == "development" - include_recipe "firewall" + include_recipe "kosmos-base::firewall" firewall_rule "postgresql primary #{primary[:hostname]}" do port 5432 diff --git a/site-cookbooks/kosmos_gitea/recipes/default.rb b/site-cookbooks/kosmos_gitea/recipes/default.rb index 2cc43c5..724572e 100644 --- a/site-cookbooks/kosmos_gitea/recipes/default.rb +++ b/site-cookbooks/kosmos_gitea/recipes/default.rb @@ -159,7 +159,3 @@ nginx_site domain do end nginx_certbot_site domain - -unless node.chef_environment == "development" - include_recipe "firewall" -end diff --git a/site-cookbooks/sockethub/recipes/_firewall.rb b/site-cookbooks/sockethub/recipes/_firewall.rb index 0c46c53..dd61637 100644 --- a/site-cookbooks/sockethub/recipes/_firewall.rb +++ b/site-cookbooks/sockethub/recipes/_firewall.rb @@ -25,7 +25,8 @@ # THE SOFTWARE. unless node.chef_environment == "development" - include_recipe "firewall" + include_recipe "kosmos-base::firewall" + firewall_rule 'sockethub' do port node['sockethub']['external_port'].to_i protocol :tcp From ee7a117d630ebdc8f143903c7baf8cdbd3d1e669 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Fri, 4 Dec 2020 16:29:22 +0100 Subject: [PATCH 03/15] Add initial kosmos_zerotier cookbook For now it only includes the firewall rule Refs #244 --- site-cookbooks/kosmos_zerotier/.gitignore | 22 ++++ site-cookbooks/kosmos_zerotier/CHANGELOG.md | 7 ++ site-cookbooks/kosmos_zerotier/LICENSE | 21 ++++ site-cookbooks/kosmos_zerotier/README.md | 4 + .../kosmos_zerotier/attributes/default.rb | 1 + site-cookbooks/kosmos_zerotier/chefignore | 110 ++++++++++++++++++ site-cookbooks/kosmos_zerotier/kitchen.yml | 32 +++++ site-cookbooks/kosmos_zerotier/metadata.rb | 10 ++ .../kosmos_zerotier/recipes/default.rb | 25 ++++ .../kosmos_zerotier/recipes/firewall.rb | 31 +++++ 10 files changed, 263 insertions(+) create mode 100644 site-cookbooks/kosmos_zerotier/.gitignore create mode 100644 site-cookbooks/kosmos_zerotier/CHANGELOG.md create mode 100644 site-cookbooks/kosmos_zerotier/LICENSE create mode 100644 site-cookbooks/kosmos_zerotier/README.md create mode 100644 site-cookbooks/kosmos_zerotier/attributes/default.rb create mode 100644 site-cookbooks/kosmos_zerotier/chefignore create mode 100644 site-cookbooks/kosmos_zerotier/kitchen.yml create mode 100644 site-cookbooks/kosmos_zerotier/metadata.rb create mode 100644 site-cookbooks/kosmos_zerotier/recipes/default.rb create mode 100644 site-cookbooks/kosmos_zerotier/recipes/firewall.rb diff --git a/site-cookbooks/kosmos_zerotier/.gitignore b/site-cookbooks/kosmos_zerotier/.gitignore new file mode 100644 index 0000000..9abf29f --- /dev/null +++ b/site-cookbooks/kosmos_zerotier/.gitignore @@ -0,0 +1,22 @@ +.vagrant +*~ +*# +.#* +\#*# +.*.sw[a-z] +*.un~ + +# Bundler +Gemfile.lock +gems.locked +bin/* +.bundle/* + +# test kitchen +.kitchen/ +kitchen.local.yml + +# Chef +Berksfile.lock +.zero-knife.rb +Policyfile.lock.json diff --git a/site-cookbooks/kosmos_zerotier/CHANGELOG.md b/site-cookbooks/kosmos_zerotier/CHANGELOG.md new file mode 100644 index 0000000..a5b0f4e --- /dev/null 
+++ b/site-cookbooks/kosmos_zerotier/CHANGELOG.md @@ -0,0 +1,7 @@ +# kosmos_zerotier CHANGELOG + +# 0.1.0 + +Initial release. + +- For now this only contains the firewall rule diff --git a/site-cookbooks/kosmos_zerotier/LICENSE b/site-cookbooks/kosmos_zerotier/LICENSE new file mode 100644 index 0000000..dd321fd --- /dev/null +++ b/site-cookbooks/kosmos_zerotier/LICENSE @@ -0,0 +1,21 @@ +The MIT License (MIT) + +Copyright (c) 2020 Kosmos Developers + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/site-cookbooks/kosmos_zerotier/README.md b/site-cookbooks/kosmos_zerotier/README.md new file mode 100644 index 0000000..8645fb0 --- /dev/null +++ b/site-cookbooks/kosmos_zerotier/README.md @@ -0,0 +1,4 @@ +# kosmos_zerotier + +TODO: Enter the cookbook description here. + diff --git a/site-cookbooks/kosmos_zerotier/attributes/default.rb b/site-cookbooks/kosmos_zerotier/attributes/default.rb new file mode 100644 index 0000000..5f017af --- /dev/null 
+++ b/site-cookbooks/kosmos_zerotier/attributes/default.rb @@ -0,0 +1 @@ +node.default["kosmos_zerotier"]["server_port"] = 9993 diff --git a/site-cookbooks/kosmos_zerotier/chefignore b/site-cookbooks/kosmos_zerotier/chefignore new file mode 100644 index 0000000..5039e1c --- /dev/null +++ b/site-cookbooks/kosmos_zerotier/chefignore @@ -0,0 +1,110 @@ +# Put files/directories that should be ignored in this file when uploading +# to a Chef Infra Server or Supermarket. +# Lines that start with '# ' are comments. + +# OS generated files # +###################### +.DS_Store +ehthumbs.db +Icon? +nohup.out +Thumbs.db + +# SASS # +######## +.sass-cache + +# EDITORS # +########### +.#* +.project +.settings +*_flymake +*_flymake.* +*.bak +*.sw[a-z] +*.tmproj +*~ +\#* +mkmf.log +REVISION +TAGS* +tmtags + +## COMPILED ## +############## +*.class +*.com +*.dll +*.exe +*.o +*.pyc +*.so +*/rdoc/ +a.out + +# Testing # +########### +.circleci/* +.codeclimate.yml +.foodcritic +.kitchen* +.rspec +.rubocop.yml +.travis.yml +.watchr +azure-pipelines.yml +examples/* +features/* +Guardfile +kitchen.yml* +Procfile +Rakefile +spec/* +spec/* +spec/fixtures/* +test/* + +# SCM # +####### +.git +.gitattributes +.gitconfig +.github/* +.gitignore +.gitmodules +.svn +*/.bzr/* +*/.git +*/.hg/* +*/.svn/* + +# Berkshelf # +############# +Berksfile +Berksfile.lock +cookbooks/* +tmp + +# Bundler # +########### +vendor/* +Gemfile +Gemfile.lock + +# Policyfile # +############## +Policyfile.rb +Policyfile.lock.json + +# Cookbooks # +############# +CHANGELOG* +CONTRIBUTING* +TESTING* +CODE_OF_CONDUCT* + +# Vagrant # +########### +.vagrant +Vagrantfile diff --git a/site-cookbooks/kosmos_zerotier/kitchen.yml b/site-cookbooks/kosmos_zerotier/kitchen.yml new file mode 100644 index 0000000..e5bbf3c --- /dev/null +++ b/site-cookbooks/kosmos_zerotier/kitchen.yml 
@@ -0,0 +1,32 @@ +--- +driver: + name: vagrant + +## The forwarded_port port feature lets you connect to ports on the VM guest via +## localhost on the host. +## see also: https://www.vagrantup.com/docs/networking/forwarded_ports.html + +# network: +# - ["forwarded_port", {guest: 80, host: 8080}] + +provisioner: + name: chef_zero + + ## product_name and product_version specifies a specific Chef product and version to install. + ## see the Chef documentation for more details: https://docs.chef.io/config_yml_kitchen.html + # product_name: chef + # product_version: 15 + +verifier: + name: inspec + +platforms: + - name: ubuntu-18.04 + - name: centos-7 + +suites: + - name: default + verifier: + inspec_tests: + - test/integration/default + attributes: diff --git a/site-cookbooks/kosmos_zerotier/metadata.rb b/site-cookbooks/kosmos_zerotier/metadata.rb new file mode 100644 index 0000000..d090fa9 --- /dev/null +++ b/site-cookbooks/kosmos_zerotier/metadata.rb @@ -0,0 +1,10 @@ +name 'kosmos_zerotier' +maintainer 'Kosmos Developers' +maintainer_email 'mail@kosmos.org' +license 'MIT' +description 'Installs/Configures kosmos_zerotier' +long_description 'Installs/Configures kosmos_zerotier' +version '0.1.0' +chef_version '>= 14.0' + +depends 'kosmos-base' diff --git a/site-cookbooks/kosmos_zerotier/recipes/default.rb b/site-cookbooks/kosmos_zerotier/recipes/default.rb new file mode 100644 index 0000000..1125c4a --- /dev/null +++ b/site-cookbooks/kosmos_zerotier/recipes/default.rb 
@@ -0,0 +1,25 @@ +# +# Cookbook:: kosmos_zerotier +# Recipe:: default +# +# The MIT License (MIT) +# +# Copyright:: 2020, Kosmos Developers +# +# Permission is hereby granted, free of charge, to any person obtaining a copy +# of this software and associated documentation files (the "Software"), to deal +# in the Software without restriction, including without limitation the rights +# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +# copies of the Software, and to permit persons to whom the Software is +# furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be included in +# all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +# THE SOFTWARE. diff --git a/site-cookbooks/kosmos_zerotier/recipes/firewall.rb b/site-cookbooks/kosmos_zerotier/recipes/firewall.rb new file mode 100644 index 0000000..b179103 --- /dev/null +++ b/site-cookbooks/kosmos_zerotier/recipes/firewall.rb 
@@ -0,0 +1,31 @@ +# +# Cookbook:: kosmos_zerotier +# Recipe:: firewall +# +# The MIT License (MIT) +# +# Copyright:: 2020, Kosmos Developers +# +# Permission is hereby granted, free of charge, to any person obtaining a copy +# of this software and associated documentation files (the "Software"), to deal +# in the Software without restriction, including without limitation the rights +# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +# copies of the Software, and to permit persons to whom the Software is +# furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be included in +# all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +# THE SOFTWARE. + +firewall_rule "zerotier" do + port node["kosmos_zerotier"]["server_port"] + protocol :tcp + command :allow +end From 1837285b79d79a9d24d89edc16d9d6a8516c5480 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Fri, 4 Dec 2020 16:33:18 +0100 Subject: [PATCH 04/15] Add the kosmos_kvm recipe and the firewall rules ... to the KVM hosts, centaurus and draco Refs #244 --- nodes/centaurus.kosmos.org.json | 8 ++++++-- nodes/draco.kosmos.org.json | 12 ++++++++++-- 2 files changed, 16 insertions(+), 4 deletions(-) diff --git a/nodes/centaurus.kosmos.org.json b/nodes/centaurus.kosmos.org.json index dd3d075..3ba9afa 100644 --- a/nodes/centaurus.kosmos.org.json +++ b/nodes/centaurus.kosmos.org.json 
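Review bot: The rule opens `server_port` (9993 by default) with `protocol :tcp`, but ZeroTier's peer transport is UDP on 9993 — TCP is only used as a fallback relay, on a different port — so as written this rule would admit no peer traffic while still exposing an open TCP port. Unless TCP was intended for some other reason, change it to `protocol :udp` (or add a second rule if both are really needed). A comment above the rule, `# ZeroTier peers talk UDP/9993; open to any source because peers are not known in advance`, would record why this is an unrestricted allow.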
@@ -81,6 +81,10 @@ "role[gitea]", "role[postgresql_replica]", "role[discourse]", - "role[drone]" + "role[drone]", + "recipe[kosmos_kvm]", + "recipe[kosmos-ejabberd::firewall]", + "recipe[kosmos-postgresql::firewall_replicas]", + "recipe[kosmos_zerotier::firewall]" ] -} \ No newline at end of file +} diff --git a/nodes/draco.kosmos.org.json b/nodes/draco.kosmos.org.json index 34a8a7c..f2ce70d 100644 --- a/nodes/draco.kosmos.org.json +++ b/nodes/draco.kosmos.org.json @@ -57,6 +57,14 @@ "recipe[kosmos-base]", "recipe[kosmos_encfs]", "role[postgresql_replica]", - "recipe[kosmos-bitcoin::source]" + "recipe[kosmos-bitcoin::source]", + "recipe[kosmos_kvm]", + "recipe[kosmos-ejabberd::firewall]", + "recipe[kosmos-ipfs::firewall_swarm]", + "recipe[kosmos-ipfs::firewall_public_gateway]", + "recipe[kosmos-postgresql::firewall_replicas]", + "recipe[kosmos-bitcoin::firewall]", + "recipe[kosmos_zerotier::firewall]", + "recipe[kosmos-nginx::firewall]" ] -} \ No newline at end of file +} From 89c8f42a464cf3ba8b89c2a290c6ecf2b118e405 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Tue, 8 Dec 2020 16:03:18 +0100 Subject: [PATCH 05/15] Set the description for the kosmos_kvm cookbook --- site-cookbooks/kosmos_kvm/metadata.rb | 16 ++-------------- 1 file changed, 2 insertions(+), 14 deletions(-) diff --git a/site-cookbooks/kosmos_kvm/metadata.rb b/site-cookbooks/kosmos_kvm/metadata.rb index ecf09da..966d2da 100644 --- a/site-cookbooks/kosmos_kvm/metadata.rb +++ b/site-cookbooks/kosmos_kvm/metadata.rb 
@@ -2,19 +2,7 @@ name 'kosmos_kvm' maintainer 'Kosmos Developers' maintainer_email 'mail@kosmos.org' license 'MIT' -description 'Installs/Configures kosmos_kvm' -long_description 'Installs/Configures kosmos_kvm' +description 'Install virt-install and deploy a script to create VMs' +long_description 'Install virt-install and deploy a script to create VMs with KVM' version '0.1.0' chef_version '>= 14.0' - -# The `issues_url` points to the location where issues for this cookbook are -# tracked. A `View Issues` link will be displayed on this cookbook's page when -# uploaded to a Supermarket. -# -# issues_url 'https://github.com//kosmos_kvm/issues' - -# The `source_url` points to the development repository for this cookbook. A -# `View Source` link will be displayed on this cookbook's page when uploaded to -# a Supermarket. -# -# source_url 'https://github.com//kosmos_kvm' From 176083497cbd662ebfbe59a1e4f876de85ec4498 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Tue, 8 Dec 2020 16:25:04 +0100 Subject: [PATCH 06/15] Install the libvirt-daemon-system package It creates the libvirt-qemu user --- site-cookbooks/kosmos_kvm/recipes/default.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site-cookbooks/kosmos_kvm/recipes/default.rb b/site-cookbooks/kosmos_kvm/recipes/default.rb index baba371..971ab49 100644 --- a/site-cookbooks/kosmos_kvm/recipes/default.rb +++ b/site-cookbooks/kosmos_kvm/recipes/default.rb @@ -24,7 +24,7 @@ # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN # THE SOFTWARE. -package 'virtinst' +package %w(virtinst libvirt-daemon-system) cookbook_file "/usr/local/sbin/create_vm" do source "create_vm" From 6f7b493173b6fe8c30a85ea1a2fb6ab01e5da6c4 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Tue, 8 Dec 2020 16:25:32 +0100 Subject: [PATCH 07/15] Create the base Ubuntu 20.04 cloud image with code --- site-cookbooks/kosmos_kvm/files/create_vm | 5 ----- site-cookbooks/kosmos_kvm/recipes/default.rb | 15 +++++++++++++++ 2 files changed, 15 insertions(+), 5 deletions(-) diff --git a/site-cookbooks/kosmos_kvm/files/create_vm b/site-cookbooks/kosmos_kvm/files/create_vm index 4b83d01..4702bb6 100644 --- a/site-cookbooks/kosmos_kvm/files/create_vm +++ b/site-cookbooks/kosmos_kvm/files/create_vm @@ -1,11 +1,6 @@ #!/bin/bash set -e -# The base VM was downloaded using the following commands: -# mkdir /var/lib/libvirt/images/base -# curl -o http://cloud-images.ubuntu.com/releases/focal/release/ubuntu-20.04-server-cloudimg-amd64-disk-kvm.img /var/lib/libvirt/images/base/ubuntu-20.04-server-cloudimg-amd64-disk-kvm.qcow2 -# chown -R libvirt-qemu:root /var/lib/libvirt/images/base - if [[ $# -eq 0 ]] ; then echo 'USAGE: create_vm VMNAME' exit 1 diff --git a/site-cookbooks/kosmos_kvm/recipes/default.rb b/site-cookbooks/kosmos_kvm/recipes/default.rb index 971ab49..c5e5901 100644 --- a/site-cookbooks/kosmos_kvm/recipes/default.rb +++ b/site-cookbooks/kosmos_kvm/recipes/default.rb @@ -26,6 +26,21 @@ package %w(virtinst libvirt-daemon-system) +directory "/var/lib/libvirt/images/base" do + recursive true + owner "libvirt-qemu" + group "root" + mode "0750" +end + +# Base Ubuntu 20.04 image +remote_file "/var/lib/libvirt/images/base/ubuntu-20.04-server-cloudimg-amd64-disk-kvm.qcow2" do + source "http://cloud-images.ubuntu.com/releases/focal/release/ubuntu-20.04-server-cloudimg-amd64-disk-kvm.img" + owner "libvirt-qemu" + group "root" + mode "0640" +end + cookbook_file "/usr/local/sbin/create_vm" do source "create_vm" mode "0750" From b3c1f81ec63faaba0b90809f2bb61d9d11890da5 Mon Sep 17 00:00:00 2001 
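Review bot: The `remote_file` for the base cloud image fetches over plain `http://` and sets no `checksum`, so the image every VM is cloned from is accepted without any integrity check, and a tampered download here is inherited by all future guests. Switch the source to `https://cloud-images.ubuntu.com/...` and add `checksum "<sha256 from the release's SHA256SUMS>"`, which also lets Chef skip the download when the local copy already matches instead of re-fetching whenever the rolling `release` path is republished upstream. Since that path is updated in place, pinning a dated release directory (and its matching checksum) would keep the base image stable across `create_vm` runs rather than silently changing it; a comment above the resource stating which release the checksum was taken from would make the next bump straightforward.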
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Tue, 8 Dec 2020 16:26:14 +0100 Subject: [PATCH 08/15] Set the description of the kosmos_zerotier cookbook --- site-cookbooks/kosmos_zerotier/metadata.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/site-cookbooks/kosmos_zerotier/metadata.rb b/site-cookbooks/kosmos_zerotier/metadata.rb index d090fa9..a67848b 100644 --- a/site-cookbooks/kosmos_zerotier/metadata.rb +++ b/site-cookbooks/kosmos_zerotier/metadata.rb @@ -2,8 +2,8 @@ name 'kosmos_zerotier' maintainer 'Kosmos Developers' maintainer_email 'mail@kosmos.org' license 'MIT' -description 'Installs/Configures kosmos_zerotier' -long_description 'Installs/Configures kosmos_zerotier' +description 'Installs/Configures zerotier' +long_description 'Installs/Configures zerotier' version '0.1.0' chef_version '>= 14.0' From 94a34e4758ce6f0bd2a6d629cf6a9ba340dc383d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Tue, 8 Dec 2020 16:33:27 +0100 Subject: [PATCH 09/15] Add arguments for RAM and number of CPUs --- site-cookbooks/kosmos_kvm/files/create_vm | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/site-cookbooks/kosmos_kvm/files/create_vm b/site-cookbooks/kosmos_kvm/files/create_vm index 4702bb6..bdb0b81 100644 --- a/site-cookbooks/kosmos_kvm/files/create_vm +++ b/site-cookbooks/kosmos_kvm/files/create_vm @@ -1,12 +1,17 @@ #!/bin/bash set -e -if [[ $# -eq 0 ]] ; then - echo 'USAGE: create_vm VMNAME' +if [[ $# -lt 3 ]] ; then + cat <<-EOF +USAGE (RAM in megabytes) + +create_vm VMNAME RAM CPUS +EOF exit 1 fi VMNAME=$1 - +RAM=$2 +CPUS=$3 # Directory where image files will be stored IMAGE_DIR=/var/lib/libvirt/images @@ -67,8 +72,8 @@ fi # setting --os-variant to ubuntu20.04 and ubuntu18.04 breaks SSH and networking virt-install \ --name cloudinit-1 \ - --ram 2048 \ - --vcpus 1\ + --ram "$RAM" \ + --vcpus "$CPUS" \ --cpu host \ --arch x86_64 \ --os-type linux \ 
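Review bot: `RAM=$2` and `CPUS=$3` are forwarded to `virt-install` without checking that they are numbers, so `create_vm foo 2G 2` or swapped arguments pass the new `$# -lt 3` check and only fail deep inside virt-install with an unhelpful error. Add a one-line validation after the assignments: `[[ "$RAM" =~ ^[1-9][0-9]*$ && "$CPUS" =~ ^[1-9][0-9]*$ ]] || { echo "RAM (megabytes) and CPUS must be positive integers" >&2; exit 1; }`. The usage text could also give an example such as `create_vm myvm 2048 2` so the unit and order are obvious. The rest of the script, where VMNAME is used, lies outside this hunk.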
From 8f304d00ced42d93ee9b4a4bac88b86139099050 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Tue, 8 Dec 2020 16:34:24 +0100 Subject: [PATCH 10/15] Remove unused kitchen.yml files --- site-cookbooks/kosmos_kvm/kitchen.yml | 32 ---------------------- site-cookbooks/kosmos_zerotier/kitchen.yml | 32 ---------------------- 2 files changed, 64 deletions(-) delete mode 100644 site-cookbooks/kosmos_kvm/kitchen.yml delete mode 100644 site-cookbooks/kosmos_zerotier/kitchen.yml diff --git a/site-cookbooks/kosmos_kvm/kitchen.yml b/site-cookbooks/kosmos_kvm/kitchen.yml deleted file mode 100644 index e5bbf3c..0000000 --- a/site-cookbooks/kosmos_kvm/kitchen.yml +++ /dev/null @@ -1,32 +0,0 @@ ---- -driver: - name: vagrant - -## The forwarded_port port feature lets you connect to ports on the VM guest via -## localhost on the host. -## see also: https://www.vagrantup.com/docs/networking/forwarded_ports.html - -# network: -# - ["forwarded_port", {guest: 80, host: 8080}] - -provisioner: - name: chef_zero - - ## product_name and product_version specifies a specific Chef product and version to install. - ## see the Chef documentation for more details: https://docs.chef.io/config_yml_kitchen.html - # product_name: chef - # product_version: 15 - -verifier: - name: inspec - -platforms: - - name: ubuntu-18.04 - - name: centos-7 - -suites: - - name: default - verifier: - inspec_tests: - - test/integration/default - attributes: diff --git a/site-cookbooks/kosmos_zerotier/kitchen.yml b/site-cookbooks/kosmos_zerotier/kitchen.yml deleted file mode 100644 index e5bbf3c..0000000 --- a/site-cookbooks/kosmos_zerotier/kitchen.yml +++ /dev/null 
@@ -1,32 +0,0 @@ ---- -driver: - name: vagrant - -## The forwarded_port port feature lets you connect to ports on the VM guest via -## localhost on the host. -## see also: https://www.vagrantup.com/docs/networking/forwarded_ports.html - -# network: -# - ["forwarded_port", {guest: 80, host: 8080}] - -provisioner: - name: chef_zero - - ## product_name and product_version specifies a specific Chef product and version to install. - ## see the Chef documentation for more details: https://docs.chef.io/config_yml_kitchen.html - # product_name: chef - # product_version: 15 - -verifier: - name: inspec - -platforms: - - name: ubuntu-18.04 - - name: centos-7 - -suites: - - name: default - verifier: - inspec_tests: - - test/integration/default - attributes: From 6c907419aaa9324626e8904c06ae44d6f29fe3e4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Tue, 8 Dec 2020 17:10:40 +0100 Subject: [PATCH 11/15] Set the VM name from the script argument --- site-cookbooks/kosmos_kvm/files/create_vm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site-cookbooks/kosmos_kvm/files/create_vm b/site-cookbooks/kosmos_kvm/files/create_vm index bdb0b81..9c86baa 100644 --- a/site-cookbooks/kosmos_kvm/files/create_vm +++ b/site-cookbooks/kosmos_kvm/files/create_vm @@ -71,7 +71,7 @@ fi # setting --os-variant to ubuntu20.04 and ubuntu18.04 breaks SSH and networking virt-install \ - --name cloudinit-1 \ + --name "$VMNAME" \ --ram "$RAM" \ --vcpus "$CPUS" \ --cpu host \ From 7ceb9af3ed14408621faffda0bd4f252f34af2a2 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Wed, 9 Dec 2020 11:19:13 +0100 Subject: [PATCH 12/15] Rename the kosmos_kvm default recipe to host It makes it clear it is meant for KVM hosts --- nodes/centaurus.kosmos.org.json | 2 +- nodes/draco.kosmos.org.json | 2 +- site-cookbooks/kosmos_kvm/recipes/{default.rb => host.rb} | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) rename site-cookbooks/kosmos_kvm/recipes/{default.rb => host.rb} (98%) diff --git a/nodes/centaurus.kosmos.org.json b/nodes/centaurus.kosmos.org.json index 3ba9afa..9740d3f 100644 --- a/nodes/centaurus.kosmos.org.json +++ b/nodes/centaurus.kosmos.org.json @@ -82,7 +82,7 @@ "role[postgresql_replica]", "role[discourse]", "role[drone]", - "recipe[kosmos_kvm]", + "recipe[kosmos_kvm::host]", "recipe[kosmos-ejabberd::firewall]", "recipe[kosmos-postgresql::firewall_replicas]", "recipe[kosmos_zerotier::firewall]" diff --git a/nodes/draco.kosmos.org.json b/nodes/draco.kosmos.org.json index f2ce70d..116ce07 100644 --- a/nodes/draco.kosmos.org.json +++ b/nodes/draco.kosmos.org.json @@ -58,7 +58,7 @@ "recipe[kosmos_encfs]", "role[postgresql_replica]", "recipe[kosmos-bitcoin::source]", - "recipe[kosmos_kvm]", + "recipe[kosmos_kvm::host]", "recipe[kosmos-ejabberd::firewall]", "recipe[kosmos-ipfs::firewall_swarm]", "recipe[kosmos-ipfs::firewall_public_gateway]", diff --git a/site-cookbooks/kosmos_kvm/recipes/default.rb b/site-cookbooks/kosmos_kvm/recipes/host.rb similarity index 98% rename from site-cookbooks/kosmos_kvm/recipes/default.rb rename to site-cookbooks/kosmos_kvm/recipes/host.rb index c5e5901..a89f7eb 100644 --- a/site-cookbooks/kosmos_kvm/recipes/default.rb +++ b/site-cookbooks/kosmos_kvm/recipes/host.rb @@ -1,6 +1,6 @@ # # Cookbook:: kosmos_kvm -# Recipe:: default +# Recipe:: host # # The MIT License (MIT) # From 6273271d40785c41fc1c26a0bf4f92f19d22d183 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Wed, 9 Dec 2020 15:42:19 +0100 Subject: [PATCH 13/15] Remove kosmos-bitcoin::source from draco Bitcoind runs inside a VM, not directly on the host --- nodes/draco.kosmos.org.json | 2 -- 1 file changed, 2 deletions(-) diff --git a/nodes/draco.kosmos.org.json b/nodes/draco.kosmos.org.json index 116ce07..394291c 100644 --- a/nodes/draco.kosmos.org.json +++ b/nodes/draco.kosmos.org.json @@ -20,7 +20,6 @@ "kosmos_encfs", "kosmos_encfs::default", "kosmos-postgresql::replica", - "kosmos-bitcoin::source", "apt::default", "timezone_iii::default", "timezone_iii::debian", @@ -57,7 +56,6 @@ "recipe[kosmos-base]", "recipe[kosmos_encfs]", "role[postgresql_replica]", - "recipe[kosmos-bitcoin::source]", "recipe[kosmos_kvm::host]", "recipe[kosmos-ejabberd::firewall]", "recipe[kosmos-ipfs::firewall_swarm]", From 77ab77afe833aaccb99948d5bae1fa35edde5c43 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Wed, 9 Dec 2020 15:42:49 +0100 Subject: [PATCH 14/15] Update the centaurus and draco nodes after Chef run --- nodes/centaurus.kosmos.org.json | 9 ++++++--- nodes/draco.kosmos.org.json | 13 ++++++++++--- 2 files changed, 16 insertions(+), 6 deletions(-) diff --git a/nodes/centaurus.kosmos.org.json b/nodes/centaurus.kosmos.org.json index 9740d3f..59c6b79 100644 --- a/nodes/centaurus.kosmos.org.json +++ b/nodes/centaurus.kosmos.org.json @@ -31,6 +31,10 @@ "kosmos_discourse::default", "kosmos_drone", "kosmos_drone::default", + "kosmos_kvm::host", + "kosmos-ejabberd::firewall", + "kosmos-postgresql::firewall_replicas", + "kosmos_zerotier::firewall", "apt::default", "timezone_iii::default", "timezone_iii::debian", @@ -54,8 +58,7 @@ "nginx::commons_dir", "nginx::commons_script", "nginx::commons_conf", - "firewall::default", - "chef-sugar::default", + "kosmos-nginx::firewall", "backup::default", "logrotate::default", "kosmos-base::letsencrypt", 
@@ -87,4 +90,4 @@ "recipe[kosmos-postgresql::firewall_replicas]", "recipe[kosmos_zerotier::firewall]" ] -} +} \ No newline at end of file diff --git a/nodes/draco.kosmos.org.json b/nodes/draco.kosmos.org.json index 394291c..f463aad 100644 --- a/nodes/draco.kosmos.org.json +++ b/nodes/draco.kosmos.org.json @@ -8,7 +8,7 @@ "automatic": { "fqdn": "draco.kosmos.org", "os": "linux", - "os_version": "5.4.0-42-generic", + "os_version": "5.4.0-54-generic", "hostname": "draco", "ipaddress": "148.251.237.73", "roles": [ @@ -20,6 +20,14 @@ "kosmos_encfs", "kosmos_encfs::default", "kosmos-postgresql::replica", + "kosmos_kvm::host", + "kosmos-ejabberd::firewall", + "kosmos-ipfs::firewall_swarm", + "kosmos-ipfs::firewall_public_gateway", + "kosmos-postgresql::firewall_replicas", + "kosmos-bitcoin::firewall", + "kosmos_zerotier::firewall", + "kosmos-nginx::firewall", "apt::default", "timezone_iii::default", "timezone_iii::debian", @@ -35,7 +43,6 @@ "hostname::default", "firewall::default", "chef-sugar::default", - "ark::default", "build-essential::default" ], "platform": "ubuntu", @@ -65,4 +72,4 @@ "recipe[kosmos_zerotier::firewall]", "recipe[kosmos-nginx::firewall]" ] -} +} \ No newline at end of file From a92205bd65783b93cceebb2140d7ed8d6cdc18bc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Wed, 9 Dec 2020 16:29:15 +0100 Subject: [PATCH 15/15] Fix the VM creation script Also join the zerotier network --- site-cookbooks/kosmos_kvm/files/create_vm | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/site-cookbooks/kosmos_kvm/files/create_vm b/site-cookbooks/kosmos_kvm/files/create_vm index 9c86baa..93375da 100644 --- a/site-cookbooks/kosmos_kvm/files/create_vm +++ b/site-cookbooks/kosmos_kvm/files/create_vm 
@@ -55,7 +55,9 @@ runcmd: # Enable serial console (for virsh) - systemctl enable serial-getty@ttyS0.service && systemctl start serial-getty@ttyS0.service - curl -s 'https://raw.githubusercontent.com/zerotier/ZeroTierOne/master/doc/contact%40zerotier.com.gpg' | gpg --import - - if z=\$(curl -s 'https://install.zerotier.com/' | gpg"); then echo "$z" | sudo bash; fi + - curl -s -o /tmp/install_zerotier 'https://install.zerotier.com/' + - cat /tmp/install_zerotier | gpg && bash /tmp/install_zerotier + - zerotier-cli join 12ac4a1e719d706e EOS cat > meta-data <<-EOS
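Review bot: The check on the `cat /tmp/install_zerotier | gpg && bash /tmp/install_zerotier` line only establishes that the file carries a good signature from some key in root's keyring, and that keyring was populated one line earlier from a key pulled off the GitHub `master` branch at boot time, so the trust anchor arrives over the same channel as the payload. Pin it: ship the ZeroTier key in the cookbook (or embed it in the user-data) instead of fetching it, and check the signer explicitly, e.g. `gpg --status-fd 1 --verify /tmp/install_zerotier | grep -q 'VALIDSIG <fingerprint>'` with the expected fingerprint recorded in the script. Use `curl -fsS` for both downloads so an HTTP error page is rejected up front rather than written to /tmp, and consider making the hard-coded network id `12ac4a1e719d706e` a script argument or attribute rather than a constant every new VM silently joins. The `runcmd:` list is inside a heredoc whose start lies outside this hunk.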