Compare commits
5 Commits
ddad272b98
...
25139b514c
Author | SHA1 | Date | |
---|---|---|---|
25139b514c | |||
57b7985009 | |||
3883cb4d66 | |||
e5b92f212c | |||
148644110b |
44
cluster.sh
44
cluster.sh
@ -35,9 +35,7 @@ if [ ! -f "$CLUSTER_DEFINITION" ]; then
|
||||
export LXD_CLUSTER_PASSWORD="$(gpg --gen-random --armor 1 14)"
|
||||
export SOVEREIGN_STACK_MAC_ADDRESS="CHANGE_ME_REQUIRED"
|
||||
export PROJECT_NAME="public"
|
||||
export REGISTRY_URL="http://$(hostname).$(resolvectl status | grep 'DNS Domain:' | awk '{ print $3 }'):5000"
|
||||
export REGISTRY_USERNAME="CHANGE_ME"
|
||||
export REGISTRY_PASSWORD="CHANGE_ME"
|
||||
#export REGISTRY_URL="https://index.docker.io/v1/"
|
||||
|
||||
EOL
|
||||
|
||||
@ -112,15 +110,15 @@ else
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# # if the disk is loop-based, then we assume the / path exists.
|
||||
# if [ "$DISK_TO_USE" != loop ]; then
|
||||
# # ensure we actually have that disk/partition on the system.
|
||||
# if ssh "ubuntu@$FQDN" lsblk | grep -q "$DISK_TO_USE"; then
|
||||
# echo "ERROR: We could not the disk you specified. Please run this command again and supply a different disk."
|
||||
# echo "NOTE: You can always specify on the command line by adding the '--disk=/dev/sdd', for example."
|
||||
# exit 1
|
||||
# fi
|
||||
# fi
|
||||
# if the disk is loop-based, then we assume the / path exists.
|
||||
if [ "$DISK_TO_USE" != loop ]; then
|
||||
# ensure we actually have that disk/partition on the system.
|
||||
if ssh "ubuntu@$FQDN" lsblk | grep -q "$DISK_TO_USE"; then
|
||||
echo "ERROR: We could not the disk you specified. Please run this command again and supply a different disk."
|
||||
echo "NOTE: You can always specify on the command line by adding the '--disk=/dev/sdd', for example."
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
# The MGMT Plane IP is the IP address that the LXD API binds to, which happens
|
||||
# to be the same as whichever SSH connection you're coming in on.
|
||||
@ -148,21 +146,27 @@ if ! command -v lxc >/dev/null 2>&1; then
|
||||
fi
|
||||
|
||||
ssh -t "ubuntu@$FQDN" "
|
||||
# set host firewall policy.
|
||||
# allow LXD API from management network.
|
||||
# sudo ufw allow from ${IP_OF_MGMT_MACHINE}/32 proto tcp to $MGMT_PLANE_IP port 8443
|
||||
set -ex
|
||||
|
||||
# enable it.
|
||||
# if sudo ufw status | grep -q 'Status: inactive'; then
|
||||
# sudo ufw enable
|
||||
# fi
|
||||
# install ufw and allow SSH.
|
||||
sudo apt update
|
||||
sudo apt upgrade -y
|
||||
sudo apt install ufw htop dnsutils nano -y
|
||||
sudo ufw allow ssh
|
||||
sudo ufw allow 8443/tcp comment 'allow LXD management'
|
||||
|
||||
# install lxd as a snap if it's not installed. We only really use the LXC part of this package.
|
||||
# enable the host firewall
|
||||
if sudo ufw status | grep -q 'Status: inactive'; then
|
||||
sudo ufw enable
|
||||
fi
|
||||
|
||||
# install lxd as a snap if it's not installed.
|
||||
if ! snap list | grep -q lxd; then
|
||||
sudo snap install lxd --candidate
|
||||
sleep 4
|
||||
fi
|
||||
"
|
||||
|
||||
# if the DATA_PLANE_MACVLAN_INTERFACE is not specified, then we 'll
|
||||
# just attach VMs to the network interface used for for the default route.
|
||||
if [ -z "$DATA_PLANE_MACVLAN_INTERFACE" ]; then
|
||||
|
@ -107,3 +107,4 @@ export REMOTE_CERT_BASE_DIR="$REMOTE_HOME/.certs"
|
||||
|
||||
# this space is for OS, docker images, etc. DOES NOT INCLUDE USER DATA.
|
||||
export ROOT_DISK_SIZE_GB=20
|
||||
export REGISTRY_URL="https://index.docker.io/v1/"
|
||||
|
48
deploy.sh
48
deploy.sh
@ -175,34 +175,34 @@ source "$CLUSTER_DEFINITION"
|
||||
|
||||
# if the registry URL isn't defined, then we just use the upstream dockerhub.
|
||||
# recommended to run a registry cache on your management machine though.
|
||||
if [ -n "$REGISTRY_URL" ]; then
|
||||
# if [ -n "$REGISTRY_URL" ]; then
|
||||
|
||||
cat > "$CLUSTER_PATH/registry.yml" <<EOL
|
||||
version: 0.1
|
||||
http:
|
||||
addr: 0.0.0.0:5000
|
||||
host: ${REGISTRY_URL}
|
||||
# cat > "$CLUSTER_PATH/registry.yml" <<EOL
|
||||
# version: 0.1
|
||||
# http:
|
||||
# addr: 0.0.0.0:5000
|
||||
# host: ${REGISTRY_URL}
|
||||
|
||||
proxy:
|
||||
remoteurl: ${REGISTRY_URL}
|
||||
username: ${REGISTRY_USERNAME}
|
||||
password: ${REGISTRY_PASSWORD}
|
||||
EOL
|
||||
# proxy:
|
||||
# remoteurl: ${REGISTRY_URL}
|
||||
# username: ${REGISTRY_USERNAME}
|
||||
# password: ${REGISTRY_PASSWORD}
|
||||
# EOL
|
||||
|
||||
# enable docker swarm mode so we can support docker stacks.
|
||||
if docker info | grep -q "Swarm: inactive"; then
|
||||
docker swarm init
|
||||
fi
|
||||
# # enable docker swarm mode so we can support docker stacks.
|
||||
# if docker info | grep -q "Swarm: inactive"; then
|
||||
# docker swarm init
|
||||
# fi
|
||||
|
||||
mkdir -p "${CACHES_DIR}/registry_images"
|
||||
# mkdir -p "${CACHES_DIR}/registry_images"
|
||||
|
||||
# run a docker registry pull through cache on the management machine.
|
||||
if [ "$DEPLOY_MGMT_REGISTRY" = true ]; then
|
||||
if ! docker stack list | grep -q registry; then
|
||||
docker stack deploy -c management/registry_mirror.yml registry
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
# # run a docker registry pull through cache on the management machine.
|
||||
# if [ "$DEPLOY_MGMT_REGISTRY" = true ]; then
|
||||
# if ! docker stack list | grep -q registry; then
|
||||
# docker stack deploy -c management/registry_mirror.yml registry
|
||||
# fi
|
||||
# fi
|
||||
# fi
|
||||
|
||||
|
||||
# this is our password generation mechanism. Relying on GPG for secure password generation
|
||||
@ -492,7 +492,7 @@ export PRIMARY_WWW_FQDN="$WWW_HOSTNAME.$DOMAIN_NAME"
|
||||
|
||||
stub_site_definition
|
||||
|
||||
# bring the vms up under the primary domain name.
|
||||
# bring the VMs up under the primary domain name.
|
||||
instantiate_vms
|
||||
|
||||
# let's stub out the rest of our site definitions, if any.
|
||||
|
@ -26,23 +26,6 @@ EOF
|
||||
|
||||
fi
|
||||
|
||||
function prepare_host {
|
||||
# scan the remote machine and install it's identity in our SSH known_hosts file.
|
||||
ssh-keyscan -H -t ecdsa "$FQDN" >> "$SSH_HOME/known_hosts"
|
||||
|
||||
# create a directory to store backup archives. This is on all new vms.
|
||||
ssh "$FQDN" mkdir -p "$REMOTE_HOME/backups"
|
||||
|
||||
# if this execution is for btcpayserver, then we run the stub/btcpay setup script
|
||||
# but only if it hasn't been executed before.
|
||||
if [ "$VIRTUAL_MACHINE" = btcpayserver ]; then
|
||||
if [ "$(ssh "$BTCPAY_FQDN" [[ ! -f "$REMOTE_HOME/btcpay.complete" ]]; echo $?)" -eq 0 ]; then
|
||||
./btcpayserver/stub_btcpay_setup.sh
|
||||
fi
|
||||
fi
|
||||
|
||||
}
|
||||
|
||||
ssh-keygen -f "$SSH_HOME/known_hosts" -R "$FQDN"
|
||||
|
||||
# if the machine doesn't exist, we create it.
|
||||
@ -55,7 +38,33 @@ if ! lxc list --format csv | grep -q "$LXD_VM_NAME"; then
|
||||
exit 1
|
||||
fi
|
||||
|
||||
./provision_lxc.sh
|
||||
./stub_lxc_profile.sh "$LXD_VM_NAME"
|
||||
|
||||
# now let's create a new VM to work with.
|
||||
lxc init --profile="$LXD_VM_NAME" "$VM_NAME" "$LXD_VM_NAME" --vm
|
||||
|
||||
# let's PIN the HW address for now so we don't exhaust IP
|
||||
# and so we can set DNS internally.
|
||||
lxc config set "$LXD_VM_NAME" "volatile.enp5s0.hwaddr=$MAC_ADDRESS_TO_PROVISION"
|
||||
lxc config device override "$LXD_VM_NAME" root size="${ROOT_DISK_SIZE_GB}GB"
|
||||
|
||||
lxc start "$LXD_VM_NAME"
|
||||
|
||||
./wait_for_lxc_ip.sh "$LXD_VM_NAME"
|
||||
|
||||
fi
|
||||
|
||||
# scan the remote machine and install it's identity in our SSH known_hosts file.
|
||||
ssh-keyscan -H -t ecdsa "$FQDN" >> "$SSH_HOME/known_hosts"
|
||||
|
||||
# create a directory to store backup archives. This is on all new vms.
|
||||
ssh "$FQDN" mkdir -p "$REMOTE_HOME/backups"
|
||||
|
||||
# if this execution is for btcpayserver, then we run the stub/btcpay setup script
|
||||
# but only if it hasn't been executed before.
|
||||
if [ "$VIRTUAL_MACHINE" = btcpayserver ]; then
|
||||
if [ "$(ssh "$BTCPAY_FQDN" [[ ! -f "$REMOTE_HOME/btcpay.complete" ]]; echo $?)" -eq 0 ]; then
|
||||
./btcpayserver/stub_btcpay_setup.sh
|
||||
fi
|
||||
fi
|
||||
|
||||
prepare_host
|
||||
|
@ -1,18 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
set -eu
|
||||
cd "$(dirname "$0")"
|
||||
|
||||
./stub_lxc_profile.sh "$LXD_VM_NAME"
|
||||
|
||||
# now let's create a new VM to work with.
|
||||
lxc init --profile="$LXD_VM_NAME" "$VM_NAME" "$LXD_VM_NAME" --vm
|
||||
|
||||
# let's PIN the HW address for now so we don't exhaust IP
|
||||
# and so we can set DNS internally.
|
||||
lxc config set "$LXD_VM_NAME" "volatile.enp5s0.hwaddr=$MAC_ADDRESS_TO_PROVISION"
|
||||
lxc config device override "$LXD_VM_NAME" root size="${ROOT_DISK_SIZE_GB}GB"
|
||||
|
||||
lxc start "$LXD_VM_NAME"
|
||||
|
||||
./wait_for_lxc_ip.sh "$LXD_VM_NAME"
|
@ -1,29 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
set -eu
|
||||
|
||||
DDNS_STRING=
|
||||
|
||||
# for the www stack, we register only the domain name so our URLs look like https://$DOMAIN_NAME
|
||||
if [ "$VIRTUAL_MACHINE" = www ] || [ "$VIRTUAL_MACHINE" = certonly ]; then
|
||||
DDNS_STRING="@"
|
||||
else
|
||||
DDNS_STRING="$DDNS_HOST"
|
||||
fi
|
||||
|
||||
# wait for DNS to get setup. Pass in the IP address of the actual VPS.
|
||||
MACHINE_IP="$(docker-machine ip "$FQDN")"
|
||||
DDNS_SLEEP_SECONDS=60
|
||||
while true; do
|
||||
# we test the www CNAME here so we can be assured the underlying has corrected.
|
||||
if [[ "$(getent hosts "$FQDN" | awk '{ print $1 }')" == "$MACHINE_IP" ]]; then
|
||||
echo ""
|
||||
echo "SUCCESS: The DNS appears to be configured correctly."
|
||||
|
||||
echo "INFO: Waiting $DDNS_SLEEP_SECONDS seconds to allow cached DNS records to expire."
|
||||
sleep "$DDNS_SLEEP_SECONDS";
|
||||
break;
|
||||
fi
|
||||
|
||||
printf "." && sleep 2;
|
||||
done
|
@ -60,11 +60,6 @@ for DOMAIN_NAME in ${DOMAIN_LIST//,/ }; do
|
||||
echo "ERROR: Ensure NOSTR_ACCOUNT_PUBKEY is configured in your site_definition."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ -z "$NOSTR_ACCOUNT_PUBKEY" ]; then
|
||||
echo "ERROR: Ensure NOSTR_ACCOUNT_PUBKEY is configured in your site_definition."
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -z "$DUPLICITY_BACKUP_PASSPHRASE" ]; then
|
||||
@ -89,30 +84,30 @@ done
|
||||
|
||||
./stop_docker_stacks.sh
|
||||
|
||||
if [ "$DEPLOY_ONION_SITE" = true ]; then
|
||||
# ensure the tor image is built
|
||||
docker build -t tor:latest ./tor
|
||||
# if [ "$DEPLOY_ONION_SITE" = true ]; then
|
||||
# # ensure the tor image is built
|
||||
# docker build -t tor:latest ./tor
|
||||
|
||||
# if the tor folder doesn't exist, we provision a new one. Otherwise you need to restore.
|
||||
# this is how we generate a new torv3 endpoint.
|
||||
if ! ssh "$PRIMARY_WWW_FQDN" "[ -d $REMOTE_HOME/tor/www ]"; then
|
||||
ssh "$PRIMARY_WWW_FQDN" "mkdir -p $REMOTE_HOME/tor"
|
||||
TOR_CONFIG_PATH="$(pwd)/tor/torrc-init"
|
||||
export TOR_CONFIG_PATH="$TOR_CONFIG_PATH"
|
||||
docker stack deploy -c ./tor.yml torstack
|
||||
sleep 20
|
||||
docker stack rm torstack
|
||||
sleep 20
|
||||
fi
|
||||
# # if the tor folder doesn't exist, we provision a new one. Otherwise you need to restore.
|
||||
# # this is how we generate a new torv3 endpoint.
|
||||
# if ! ssh "$PRIMARY_WWW_FQDN" "[ -d $REMOTE_HOME/tor/www ]"; then
|
||||
# ssh "$PRIMARY_WWW_FQDN" "mkdir -p $REMOTE_HOME/tor"
|
||||
# TOR_CONFIG_PATH="$(pwd)/tor/torrc-init"
|
||||
# export TOR_CONFIG_PATH="$TOR_CONFIG_PATH"
|
||||
# docker stack deploy -c ./tor.yml torstack
|
||||
# sleep 20
|
||||
# docker stack rm torstack
|
||||
# sleep 20
|
||||
# fi
|
||||
|
||||
ONION_ADDRESS="$(ssh "$PRIMARY_WWW_FQDN" sudo cat "${REMOTE_HOME}"/tor/www/hostname)"
|
||||
export ONION_ADDRESS="$ONION_ADDRESS"
|
||||
# ONION_ADDRESS="$(ssh "$PRIMARY_WWW_FQDN" sudo cat "${REMOTE_HOME}"/tor/www/hostname)"
|
||||
# export ONION_ADDRESS="$ONION_ADDRESS"
|
||||
|
||||
# # Since we run a separate ghost process, we create a new directory and symlink it to the original
|
||||
# if ! ssh "$PRIMARY_WWW_FQDN" "[ -L $REMOTE_HOME/tor_ghost ]"; then
|
||||
# ssh "$PRIMARY_WWW_FQDN" ln -s "$REMOTE_HOME/ghost_site/themes $REMOTE_HOME/tor_ghost/themes"
|
||||
# fi
|
||||
fi
|
||||
# # # Since we run a separate ghost process, we create a new directory and symlink it to the original
|
||||
# # if ! ssh "$PRIMARY_WWW_FQDN" "[ -L $REMOTE_HOME/tor_ghost ]"; then
|
||||
# # ssh "$PRIMARY_WWW_FQDN" ln -s "$REMOTE_HOME/ghost_site/themes $REMOTE_HOME/tor_ghost/themes"
|
||||
# # fi
|
||||
# fi
|
||||
|
||||
# nginx gets deployed first since it "owns" the docker networks of downstream services.
|
||||
./stub/nginx_yml.sh
|
||||
|
@ -50,6 +50,8 @@ done
|
||||
|
||||
|
||||
if docker stack list --format "{{.Name}}" | grep -q reverse-proxy; then
|
||||
sleep 2
|
||||
|
||||
docker stack rm reverse-proxy
|
||||
|
||||
if [ "$STOP_SERVICES" = true ]; then
|
||||
|
@ -114,13 +114,22 @@ EOL
|
||||
EOL
|
||||
fi
|
||||
|
||||
# let's iterate over BTCPAY_ALT_NAMES and generate our SERVER_NAMES for btcpay server.
|
||||
BTCPAY_SERVER_NAMES="$BTCPAY_USER_FQDN"
|
||||
if [ -n "$BTCPAY_ALT_NAMES" ]; then
|
||||
# let's stub out the rest of our site definitions, if any.
|
||||
for ALT_NAME in ${BTCPAY_ALT_NAMES//,/ }; do
|
||||
BTCPAY_SERVER_NAMES="$BTCPAY_SERVER_NAMES $ALT_NAME.$DOMAIN_NAME"
|
||||
done
|
||||
fi
|
||||
|
||||
# BTCPAY server http->https redirect
|
||||
cat >>"$NGINX_CONF_PATH" <<EOL
|
||||
# http://${BTCPAY_USER_FQDN} redirect to https://${BTCPAY_USER_FQDN}
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name ${BTCPAY_USER_FQDN};
|
||||
server_name ${BTCPAY_SERVER_NAMES};
|
||||
return 301 https://${BTCPAY_USER_FQDN}\$request_uri;
|
||||
}
|
||||
|
||||
@ -180,14 +189,8 @@ EOL
|
||||
|
||||
server_name ${DOMAIN_NAME};
|
||||
|
||||
# catch all; send request to ${WWW_FQDN}
|
||||
location / {
|
||||
return 301 https://${WWW_FQDN}\$request_uri;
|
||||
}
|
||||
|
||||
EOL
|
||||
|
||||
|
||||
if [ "$DEPLOY_NOSTR_RELAY" = true ]; then
|
||||
cat >>"$NGINX_CONF_PATH" <<EOL
|
||||
# We return a JSON object with name/pubkey mapping per NIP05.
|
||||
@ -203,6 +206,11 @@ EOL
|
||||
fi
|
||||
|
||||
cat >>"$NGINX_CONF_PATH" <<EOL
|
||||
|
||||
# catch all; send request to ${WWW_FQDN}
|
||||
location / {
|
||||
return 301 https://${WWW_FQDN}\$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
#access_log /var/log/nginx/ghost-access.log;
|
||||
@ -211,7 +219,7 @@ EOL
|
||||
EOL
|
||||
|
||||
cat >>"$NGINX_CONF_PATH" <<EOL
|
||||
# https server block for https://${BTCPAY_USER_FQDN}
|
||||
# https server block for https://${BTCPAY_SERVER_NAMES}
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
|
||||
@ -219,7 +227,7 @@ EOL
|
||||
ssl_certificate_key $CONTAINER_TLS_PATH/privkey.pem;
|
||||
ssl_trusted_certificate $CONTAINER_TLS_PATH/fullchain.pem;
|
||||
|
||||
server_name ${BTCPAY_USER_FQDN};
|
||||
server_name ${BTCPAY_SERVER_NAMES};
|
||||
|
||||
# Route everything to the real BTCPay server
|
||||
location / {
|
||||
|
@ -1,6 +1,6 @@
|
||||
#!/bin/bash
|
||||
|
||||
set -e
|
||||
set -eu
|
||||
cd "$(dirname "$0")"
|
||||
|
||||
# let's check to ensure the management machine is on the Baseline ubuntu 21.04
|
||||
@ -16,6 +16,10 @@ fi
|
||||
|
||||
sudo apt-get update
|
||||
|
||||
# TODO REVIEW management machine software requirements
|
||||
# is docker-ce actually needed here? prefer to move docker registry
|
||||
# to a host on SERVERS LAN so that it can operate
|
||||
# TODO document which dependencies are required by what software, e.g., trezor, docker, etc.
|
||||
sudo apt-get install -y wait-for-it dnsutils rsync sshfs curl gnupg \
|
||||
apt-transport-https ca-certificates lsb-release \
|
||||
docker-ce-cli docker-ce containerd.io docker-compose-plugin \
|
||||
|
Loading…
Reference in New Issue
Block a user