diff --git a/ignition/base-install-docker.bu b/ignition/base-install-docker.bu index bb81750..2739f4d 100644 --- a/ignition/base-install-docker.bu +++ b/ignition/base-install-docker.bu @@ -28,7 +28,7 @@ systemd: [Unit] Description=Install Docker CE Wants=network-online.target - After=network-online.target + After=ignition-start-config.service Before=zincati.service ConditionPathExists=!/var/lib/%N.stamp diff --git a/ignition/base-install-docker.ign b/ignition/base-install-docker.ign index 1b57003..e91d783 100644 --- a/ignition/base-install-docker.ign +++ b/ignition/base-install-docker.ign 
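Review bot: Swapping `After=network-online.target` for `After=ignition-start-config.service` leaves this unit's `Wants=network-online.target` with no matching ordering, so the curl to download.docker.com is now behind the network only transitively, via ignition-start-config.service's own `After=network-online.target` in base.bu; if that unit is later edited the fetch can race the network coming up. Keeping both dependencies makes the ordering explicit and robust: `After=network-online.target ignition-start-config.service`. The same substitution is made for rpm-ostree-install-qemu-guest-agent.service in base.bu (hunk `@@ -26,7 +69,7 @@`) and should be handled the same way. The unit's [Service] section lies outside this hunk.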
@@ -39,7 +39,7 @@ "systemd": { "units": [ { - "contents": "[Unit]\nDescription=Install Docker CE\nWants=network-online.target\nAfter=network-online.target\nBefore=zincati.service\nConditionPathExists=!/var/lib/%N.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/curl --output-dir \"/etc/yum.repos.d\" --remote-name https://download.docker.com/linux/fedora/docker-ce.repo\nExecStart=/usr/bin/rpm-ostree override remove moby-engine containerd runc docker-cli --install docker-ce\nExecStart=/usr/bin/touch /var/lib/%N.stamp\nExecStart=/usr/bin/systemctl enable docker.service\nExecStart=/usr/bin/systemctl --no-block reboot\n\n[Install]\nWantedBy=multi-user.target", + "contents": "[Unit]\nDescription=Install Docker CE\nWants=network-online.target\nAfter=ignition-start-config.service\nBefore=zincati.service\nConditionPathExists=!/var/lib/%N.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/curl --output-dir \"/etc/yum.repos.d\" --remote-name https://download.docker.com/linux/fedora/docker-ce.repo\nExecStart=/usr/bin/rpm-ostree override remove moby-engine containerd runc docker-cli --install docker-ce\nExecStart=/usr/bin/touch /var/lib/%N.stamp\nExecStart=/usr/bin/systemctl enable docker.service\nExecStart=/usr/bin/systemctl --no-block reboot\n\n[Install]\nWantedBy=multi-user.target", "enabled": true, "name": "rpm-ostree-install-docker-ce.service" } diff --git a/ignition/base-install-supporting-services.bu b/ignition/base-install-supporting-services.bu index 3d42c1e..e41ddc2 100644 --- a/ignition/base-install-supporting-services.bu +++ b/ignition/base-install-supporting-services.bu @@ -1,5 +1,5 @@ # Depends on base-install-docker -# Installs Komodo Periphery, Telegraf and Certbot +# Installs Komodo Periphery, Telegraf, sops and step-ca variant: fcos version: 1.6.0 
@@ -10,7 +10,14 @@ storage: name: core group: name: docker + # Create sops config directory + - path: /var/home/core/.config/sops/age + user: + name: core + group: + name: core files: + # Configure telegraf - path: /var/docker/.supporting-services/telegraf/telegraf.conf user: name: core @@ -18,6 +25,7 @@ storage: name: docker contents: source: https://git.mrmeeb.stream/mrmeeb-labs/supporting-services/telegraf.conf + # Add docker compose file - path: /var/docker/.supporting-services/komodo/repos/mrmeeb-labs/supporting-services/docker-compose.yml user: name: core @@ -25,6 +33,7 @@ storage: name: docker contents: source: https://git.mrmeeb.stream/mrmeeb-labs/supporting-services/raw/branch/main/docker-compose.yml + # Add .env file - path: /var/docker/.supporting-services/komodo/repos/mrmeeb-labs/supporting-services/.env user: name: core @@ -32,15 +41,21 @@ storage: name: docker contents: source: https://git.mrmeeb.stream/mrmeeb-labs/supporting-services/raw/branch/main/.env + - path: /var/home/core/.bashrc + append: + # Add step alias + - inline: "alias step='docker run --rm -v /var/home/core:/home/step -e STEPPATH=/home/step/.step smallstep/step-cli step'" + # Add sops alias + - inline: "alias sops='docker run --rm -it -v /var/home/core:/root -v /var/docker:/var/docker ghcr.io/getsops/sops:v3.11.0'" systemd: units: - # Install supporting services - - name: rpm-ostree-install-supporting-services.service + # Bootstrap step-ca + - name: bootstrap-step-ca.service enabled: true contents: | [Unit] - Description=Install Supporting Services + Description=Bootstrap step-ca Wants=network-online.target After=rpm-ostree-install-docker-ce.service Before=zincati.service 
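Review bot: The new `/var/home/core/.config/sops/age` directory in hunk `@@ -10,7 +10,14 @@` is created without a `mode:`, so it gets the default directory mode, and the age private key that is presumably placed there later would sit in a directory other users can list and enter; add `mode: 0700` under the `path:` entry (and consider `mode: 0600` on the key file if it is ever delivered through storage.files). In hunk `@@ -32,15 +41,21 @@` the `sops` alias pins `ghcr.io/getsops/sops:v3.11.0` but the `step` alias pulls `smallstep/step-cli` with a floating tag, so the two aliases have different supply-chain guarantees; pin the step-cli image to a tag or digest as well. Both aliases bind-mount core's home (`/var/home/core`) into the container, so whatever the containers write there comes back with the container user's uid; whether that is `core` depends on the images' `USER` setting and is worth confirming.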
@@ -49,7 +64,7 @@ systemd: [Service] Type=oneshot RemainAfterExit=yes - ExecStart=/usr/bin/docker compose -p "supporting-services" --env-file /var/docker/.supporting-services/komodo/repos/mrmeeb-labs/supporting-services/.env -f /var/docker/.supporting-services/komodo/repos/mrmeeb-labs/supporting-services/docker-compose.yml up -d + ExecStart=/usr/bin/docker run --rm -v ${HOME}:/home/step -e STEPPATH=/home/step/.step smallstep/step-cli step ca bootstrap --team mtls --team-url "https://mrmeeb.co.uk/step/<>" ExecStart=/usr/bin/touch /var/lib/%N.stamp [Install] diff --git a/ignition/base-install-supporting-services.ign b/ignition/base-install-supporting-services.ign index 236cc26..b9558e2 100644 --- a/ignition/base-install-supporting-services.ign +++ b/ignition/base-install-supporting-services.ign @@ -12,6 +12,15 @@ "user": { "name": "core" } + }, + { + "group": { + "name": "core" + }, + "path": "/var/home/core/.config/sops/age", + "user": { + "name": "core" + } } ], "files": [ 
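Review bot: The new ExecStart uses `-v ${HOME}:/home/step`, but systemd expands `${...}` only from the unit's own environment and this unit sets neither `User=` nor `Environment=HOME=...`, so the variable is most likely empty (giving `-v :/home/step`) or, if set, `/root`, whereas the `step` alias added to `.bashrc` in the previous hunk expects the bootstrap output under `/var/home/core/.step`; use the explicit path `-v /var/home/core:/home/step` or set `Environment=HOME=/var/home/core` in [Service]. The `--team-url "https://mrmeeb.co.uk/step/<>"` argument contains a literal `<>` (it appears as `\u003c\u003e` in the generated .ign), which looks like an unfilled placeholder and would make the bootstrap fail; if the team id is intentionally filled later, note that in a comment, e.g. `# TODO: replace <> with the step team id before building`. Pinning the CA with `--ca-url`/`--fingerprint` instead of relying on team discovery would also stop the root of trust from depending solely on the TLS identity of mrmeeb.co.uk. The removed `docker compose ... up -d` is not re-created anywhere in this diff, so nothing starts the Komodo Periphery/Telegraf stack any more even though the file header still says the config installs them; confirm that is intended. The [Unit] section of this service is outside the hunk.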
@@ -50,15 +59,28 @@ "contents": { "source": "https://git.mrmeeb.stream/mrmeeb-labs/supporting-services/raw/branch/main/.env" } + }, + { + "path": "/var/home/core/.bashrc", + "append": [ + { + "compression": "", + "source": "data:,alias%20step%3D'docker%20run%20--rm%20-v%20%2Fvar%2Fhome%2Fcore%3A%2Fhome%2Fstep%20-e%20STEPPATH%3D%2Fhome%2Fstep%2F.step%20smallstep%2Fstep-cli%20step'" + }, + { + "compression": "", + "source": "data:,alias%20sops%3D'docker%20run%20--rm%20-it%20-v%20%2Fvar%2Fhome%2Fcore%3A%2Froot%20-v%20%2Fvar%2Fdocker%3A%2Fvar%2Fdocker%20ghcr.io%2Fgetsops%2Fsops%3Av3.11.0'" + } + ] } ] }, "systemd": { "units": [ { - "contents": "[Unit]\nDescription=Install Supporting Services\nWants=network-online.target\nAfter=rpm-ostree-install-docker-ce.service\nBefore=zincati.service\nConditionPathExists=!/var/lib/%N.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/docker compose -p \"supporting-services\" --env-file /var/docker/.supporting-services/komodo/repos/mrmeeb-labs/supporting-services/.env -f /var/docker/.supporting-services/komodo/repos/mrmeeb-labs/supporting-services/docker-compose.yml up -d\nExecStart=/usr/bin/touch /var/lib/%N.stamp\n\n[Install]\nWantedBy=multi-user.target", + "contents": "[Unit]\nDescription=Bootstrap step-ca\nWants=network-online.target\nAfter=rpm-ostree-install-docker-ce.service\nBefore=zincati.service\nConditionPathExists=!/var/lib/%N.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/docker run --rm -v ${HOME}:/home/step -e STEPPATH=/home/step/.step smallstep/step-cli step ca bootstrap --team mtls --team-url \"https://mrmeeb.co.uk/step/\u003c\u003e\"\nExecStart=/usr/bin/touch /var/lib/%N.stamp\n\n[Install]\nWantedBy=multi-user.target", "enabled": true, - "name": "rpm-ostree-install-supporting-services.service" + "name": "bootstrap-step-ca.service" } ] } diff --git a/ignition/base.bu b/ignition/base.bu index 2f88576..9532814 100644 --- a/ignition/base.bu +++ b/ignition/base.bu 
@@ -2,6 +2,7 @@ variant: fcos version: 1.6.0 storage: files: + # Make the device wary of updating, and do maintenance early in the weekend mornings - path: /etc/zincati/config.d/51-rollout-wariness.toml contents: inline: | @@ -19,6 +20,48 @@ storage: systemd: units: + # Disable SSH (so Ansible waits until config has completed before continuing) + - name: ignition-start-config.service + enabled: true + contents: | + [Unit] + Description=Block SSH during configuration + After=network-online.target + Before=zincati.service + ConditionPathExists=!/var/lib/%N.stamp + + [Service] + Type=oneshot + RemainAfterExit=yes + ExecStart=/usr/bin/systemctl stop sshd + ExecStart=/usr/bin/systemctl disable sshd + ExecStart=/usr/bin/touch /var/lib/%N.stamp + ExecStart=/usr/bin/echo "SSH currently disabled until configuration completes" | /usr/bin/tee /etc/issue.d/35-ssh-blocked.issue + ExecStart=/usr/bin/systemctl restart getty@tty1 + + [Install] + WantedBy=multi-user.target + # Enable SSH once configuration has finished so Ansible can continue + - name: ignition-finish-config.service + enabled: true + contents: | + [Unit] + Description=Enable SSH after configuration + After=zincati.service + ConditionPathExists=!/var/lib/%N.stamp + + [Service] + Type=oneshot + RemainAfterExit=yes + ExecStart=/usr/bin/systemctl start sshd + ExecStart=/usr/bin/systemctl enable sshd + ExecStart=/usr/bin/touch /var/lib/%N.stamp + ExecStart=/usr/bin/rm /etc/issue.d/35-ssh-blocked.issue + ExecStart=/usr/bin/systemctl restart getty@tty1 + + [Install] + WantedBy=multi-user.target + # Install qemu-guest-agent - name: rpm-ostree-install-qemu-guest-agent.service enabled: true @@ -26,7 +69,7 @@ systemd: [Unit] Description=Install QEMU Guest Agent Wants=network-online.target - After=network-online.target + After=ignition-start-config.service Before=zincati.service ConditionPathExists=!/var/lib/%N.stamp diff --git a/ignition/base.ign b/ignition/base.ign index 98a0977..c4b70fa 100644 --- a/ignition/base.ign 
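Review bot: In hunk `@@ -19,6 +20,48 @@` the line `ExecStart=/usr/bin/echo "SSH currently disabled until configuration completes" | /usr/bin/tee /etc/issue.d/35-ssh-blocked.issue` does not do what it looks like: systemd runs ExecStart without a shell, so `|`, `/usr/bin/tee` and the path are passed to echo as literal arguments and the issue file is never written. The finish unit's `ExecStart=/usr/bin/rm /etc/issue.d/35-ssh-blocked.issue` then fails on the missing file and marks ignition-finish-config.service failed (sshd has already been started and enabled by that point, so the lock-out is lifted but the unit state is misleading). Write the banner with `ExecStart=/bin/sh -c 'echo "SSH currently disabled until configuration completes" > /etc/issue.d/35-ssh-blocked.issue'` (or ship it via storage.files) and make the removal tolerant with `ExecStart=-/usr/bin/rm -f /etc/issue.d/35-ssh-blocked.issue`. Note also that `After=zincati.service` is ordering only: a failed install unit does not block ignition-finish-config.service, so SSH is re-enabled even when configuration did not complete, and because the install units end with `systemctl --no-block reboot` the finish unit can plausibly stamp itself during the first boot's shutdown and leave sshd disabled after the reboot; a dedicated target that the install units are required by, and that the finish unit `Requires=`/`After=`, would make the gate explicit.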
+++ b/ignition/base.ign 
@@ -23,7 +23,17 @@ "systemd": { "units": [ { - "contents": "[Unit]\nDescription=Install QEMU Guest Agent\nWants=network-online.target\nAfter=network-online.target\nBefore=zincati.service\nConditionPathExists=!/var/lib/%N.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/rpm-ostree install qemu-guest-agent\nExecStart=/usr/bin/touch /var/lib/%N.stamp\nExecStart=/usr/bin/systemctl --no-block reboot\n\n[Install]\nWantedBy=multi-user.target", + "contents": "[Unit]\nDescription=Block SSH during configuration\nAfter=network-online.target\nBefore=zincati.service\nConditionPathExists=!/var/lib/%N.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/systemctl stop sshd\nExecStart=/usr/bin/systemctl disable sshd\nExecStart=/usr/bin/touch /var/lib/%N.stamp\nExecStart=/usr/bin/echo \"SSH currently disabled until configuration completes\" | /usr/bin/tee /etc/issue.d/35-ssh-blocked.issue\nExecStart=/usr/bin/systemctl restart getty@tty1\n\n[Install]\nWantedBy=multi-user.target\n", + "enabled": true, + "name": "ignition-start-config.service" + }, + { + "contents": "[Unit]\nDescription=Enable SSH after configuration\nAfter=zincati.service\nConditionPathExists=!/var/lib/%N.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/systemctl start sshd\nExecStart=/usr/bin/systemctl enable sshd\nExecStart=/usr/bin/touch /var/lib/%N.stamp\nExecStart=/usr/bin/rm /etc/issue.d/35-ssh-blocked.issue\nExecStart=/usr/bin/systemctl restart getty@tty1\n\n[Install]\nWantedBy=multi-user.target\n", + "enabled": true, + "name": "ignition-finish-config.service" + }, + { + "contents": "[Unit]\nDescription=Install QEMU Guest Agent\nWants=network-online.target\nAfter=ignition-start-config.service\nBefore=zincati.service\nConditionPathExists=!/var/lib/%N.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/rpm-ostree install qemu-guest-agent\nExecStart=/usr/bin/touch /var/lib/%N.stamp\nExecStart=/usr/bin/systemctl --no-block 
reboot\n\n[Install]\nWantedBy=multi-user.target", "enabled": true, "name": "rpm-ostree-install-qemu-guest-agent.service" }