This repository contains all infrastructure automation code that we use to set up and configure servers, virtual machines, and applications for Kosmos hosted services.

Chef cookbooks are written in Ruby and based on [Chef Infra resources](https://docs.chef.io/resources/). Some cookbooks contain integration test suites based on [Test Kitchen](https://docs.chef.io/workstation/kitchen/).

Note: Manual configuration of servers and applications is highly discouraged, and can be overwritten or lost without notice!

## Setup

### Install Chef Workstation

* macOS, Windows, RHEL, Ubuntu: https://docs.chef.io/workstation/install_workstation/
* Arch Linux: https://aur.archlinux.org/packages/chef-workstation

#### rbenv

If you use rbenv to manage Ruby versions on your system, install the [rbenv-chef-workstation](https://github.com/docwhat/rbenv-chef-workstation) plugin.

### Install gem dependencies

Clone this repository, `cd` into it, and run:

    bundle install

## Common tasks

### Bootstrap a new host server

    knife zero bootstrap root@server-name.kosmos.org --run-list "role[base],role[kvm_host]" --secret-file .chef/encrypted_data_bag_secret

### Bootstrap a new VM

    knife zero bootstrap ubuntu@zerotier-ip-address -x ubuntu --sudo --run-list "role[base],role[kvm_guest]" --secret-file .chef/encrypted_data_bag_secret

### Run Chef Zero on a host server

    knife zero converge -p2222 name:server-name.kosmos.org

### Run Chef Zero on a VM

    knife zero converge -a knife_zero.host name:vm-name-23

### Update Chef Client on a server

    knife zero converge name:dev.kosmos.org --client-version 15.3.14

## Managing cookbooks

Cookbooks are managed via Berkshelf. Run `berks --help` for command help.

Install cookbooks listed in the Berksfile:

    berks install

Vendor the installed cookbooks into the `cookbooks/` dir:

    berks vendor cookbooks/ --delete

## "Expired" TLS certificates

If you encounter expired TLS certificates during a Chef run (e.g. for remote files), the issue is likely that the certificate was issued by Let's Encrypt and Chef is still using its own, outdated CA cert store (see [here](https://github.com/chef/chef/issues/12126#issuecomment-932067530) for an example). As a hotfix, you can manually remove the "DST Root CA X3" cert from `/opt/chef/embedded/ssl/cert.pem` on the machine you're trying to converge.
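The following POSIX shell helper is an added example of that hotfix and is not part of this repository or of Chef. It assumes the bundle uses the curl-style `cacert.pem` layout (a line with the CA name, a line of `=` signs, then the PEM block), keeps a `.bak` copy, and refuses to leave the file modified unless exactly one certificate was dropped. The sample bundle written by `make_sample_bundle` is constructed for illustration and contains placeholder data rather than real certificates.

```shell
#!/bin/sh
# Added example for the "Expired" TLS certificates section; not code from the
# kosmos-chef repository. Removes one named root CA (e.g. "DST Root CA X3")
# from a curl-style CA bundle such as /opt/chef/embedded/ssl/cert.pem.
# Assumption: each CA is listed as a name line, a line of '=' signs, then PEM.

# Count the PEM certificates read from stdin (prints 0 instead of failing).
count_certs() {
  grep -c '^-----BEGIN CERTIFICATE-----$' || true
}

# Copy stdin to stdout, dropping the entry whose name line equals $1.
strip_ca_from_bundle() {
  awk -v name="$1" '
    function emit() { if (have) print prev; have = 0 }
    # A line of = signs directly after the wanted name starts the entry to
    # drop: discard the buffered name line and enter skip mode.
    /^=+$/ && have && prev == name { skip = 1; have = 0; next }
    # Skip everything up to and including that certificate END line.
    skip { if ($0 ~ /^-----END CERTIFICATE-----$/) skip = 0; next }
    # Otherwise emit the previously buffered line and buffer the current one.
    { emit(); prev = $0; have = 1 }
    END { emit() }
  '
}

# Remove CA $1 from bundle file $2 in place, keeping a backup at $2.bak.
# Restores the original and returns 1 unless exactly one cert was removed.
remove_ca_from_file() {
  name="$1"; bundle="$2"
  cp "$bundle" "$bundle.bak"
  strip_ca_from_bundle "$name" < "$bundle.bak" > "$bundle"
  before=$(count_certs < "$bundle.bak")
  after=$(count_certs < "$bundle")
  if [ "$after" -ne $((before - 1)) ]; then
    echo "refusing: expected to drop exactly one cert, before=$before after=$after" >&2
    cp "$bundle.bak" "$bundle"
    return 1
  fi
  echo "$bundle: $before -> $after certificates (backup in $bundle.bak)"
}

# Write a constructed two-entry bundle (placeholder base64, not real
# certificates) to $1, mirroring the curl-style layout assumed above.
make_sample_bundle() {
  cat > "$1" <<'EOF'
##
## Constructed sample bundle for the example; not real certificates
##

DST Root CA X3
==============
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgLSBub3QgYSByZWFsIGNlcnRpZmljYXRl
-----END CERTIFICATE-----

ISRG Root X1
============
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgLSBub3QgYSByZWFsIGNlcnRpZmljYXRl
-----END CERTIFICATE-----
EOF
}

# Usage on a real machine (after checking the bundle layout matches):
#   remove_ca_from_file "DST Root CA X3" /opt/chef/embedded/ssl/cert.pem
```

Run `count_certs < /opt/chef/embedded/ssl/cert.pem` before and after to confirm the count changed by exactly one; the `.bak` copy is there to roll back if a later Chef upgrade does not replace the bundle as expected.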