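## template: jinja
#cloud-config
# Single-host self-hosted Landscape: Juju bootstraps an LXD controller,
# deploys the landscape-scalable bundle (optionally with a postfix relay),
# and iptables forwards host ports 80/443 to the haproxy unit.
#
# Jinja control tags ({% ... %}) are kept at column 0 on purpose: indenting
# them risks leaving stray leading whitespace in the rendered YAML, which
# would shift list items and corrupt the block scalars below.
#
# Secrets: TOKEN, SSL_KEY and SMTP_PASSWORD are rendered verbatim into this
# document and onto the juju command lines below. Anything able to read the
# instance user-data, cloud-init's logs, or the process list while those
# commands run can read them — treat the rendered file as a secret.
#
# SET OUR VARIABLES
# =================
# Choose which channel of self-hosted Landscape you wish to deploy: stable|beta|edge
{% set CHANNEL = 'stable' %}
# Ubuntu Pro token (leave blank for Ubuntu Pro instances on Azure, AWS, or Google Cloud)
{% set TOKEN = '' %}
# Assuming you use SSL from LetsEncrypt, follow these steps on your Ubuntu workstation
# replace landscape.yourdomain.com with the domain name you will use for Landscape
# sudo snap install certbot --classic
# sudo certbot -d landscape.yourdomain.com --manual --preferred-challenges dns certonly
# The value for SSL_CERT below is the output of:
# sudo base64 -w 0 /etc/letsencrypt/live/landscape.yourdomain.com/fullchain.pem
{% set SSL_CERT = 'SELFSIGNED' %}
# The value for SSL_KEY below is the output of:
# sudo base64 -w 0 /etc/letsencrypt/live/landscape.yourdomain.com/privkey.pem
# Leaving SSL_KEY as 'SELFSIGNED' skips the haproxy certificate step entirely.
{% set SSL_KEY = 'SELFSIGNED' %}
# SMTP credentials (Sendgrid customers should use the "apikey" as the username, and the actual API key as the password)
# Leaving SMTP_HOST blank skips the postfix-relay deployment entirely.
{% set SMTP_HOST = '' %}
{% set SMTP_PORT = '' %}
{% set SMTP_USERNAME = '' %}
{% set SMTP_PASSWORD = '' %}
# SMTP_USE_TLS is `yes` if TLS is needed
# Google (SMTP_HOST=smtp.google.com SMTP_PORT=587) and Sendgrid (SMTP_HOST=smtp.sendgrid.net SMTP_PORT=465) customers should use TLS
{% set SMTP_USE_TLS = 'yes' %}
# =========================
# END OF SETTING VARIABLES

packages:
  - iptables
  - iptables-persistent
  - snapd
  - ubuntu-advantage-tools
{% if SMTP_USE_TLS|lower == 'yes' %}
  # Only needed to fetch the relay CA bundle in the postfix-relay step below.
  - curl
{% endif %}
package_update: true
package_upgrade: true
package_reboot_if_required: true

snap:
  commands:
    - ['install', 'juju', '--classic']

# Each step runs as root; Juju itself is bootstrapped and driven as the
# `ubuntu` user via su.
runcmd:
  - lxd init --auto
  - /bin/bash /tmp/networking.sh
  - su ubuntu -c 'juju bootstrap localhost lxdlandscape'
  - su ubuntu -c "juju set-model-constraints arch=$(dpkg --print-architecture)"
  - su ubuntu -c "juju deploy landscape-scalable --channel {{ CHANNEL }}"
{% if SSL_KEY != "SELFSIGNED" %}
  # The base64 private key is passed as a command-line argument (see the secrets note at the top).
  - su ubuntu -c "juju config haproxy ssl_cert='{{ SSL_CERT }}' ssl_key='{{ SSL_KEY }}'"
{% endif %}
  - /bin/bash /home/ubuntu/iptables_haproxy.sh
{% if SMTP_HOST %}
  # `-f` makes curl emit nothing on an HTTP error instead of an error page, so
  # a failed download leaves ssl_ca empty rather than base64-encoding HTML
  # into it; check the relay's ssl_ca config if TLS to the relay fails.
  - |
    su ubuntu -c "juju deploy postfix-relay \
      --config smtp_auth_password='{{ SMTP_PASSWORD }}' \
      --config smtp_auth_username='{{ SMTP_USERNAME }}' \
{% if SMTP_USE_TLS|lower == 'yes' %}
      --config ssl_ca=$(curl -fsS https://www.thawte.com/roots/thawte_Primary_Root_CA.pem | base64 | tr -d '\n') \
{% endif %}
      --config relayhost='[{{ SMTP_HOST }}]:{{ SMTP_PORT }}'"
  - su ubuntu -c "juju add-relation postfix-relay landscape-server"
{% endif %}
  # The success message is chained with && so it is only printed when the
  # readiness check actually passed (the check exits non-zero on a unit error).
  - /bin/bash /tmp/juju_containers_active_check.sh && echo "Cloud-init completed successfully"

# Helper scripts. `defer: true` delays writing them until cloud-init's final
# stage, i.e. after users/groups exist but before runcmd invokes them.
# NOTE(review): they are owned and writable by `ubuntu` yet executed by root
# from runcmd — confirm that is intended; root:root would remove the window in
# which an unprivileged process could edit them before they run.
write_files:
  - path: /tmp/networking.sh
    owner: 'ubuntu:ubuntu'
    permissions: '0755'
    defer: true
    content: |
      #!/bin/bash
      # Opens forwarding between the LXD bridge (lxdbr0) and the host's
      # default-route interface, matches the bridge MTU to that interface,
      # and persists the rules. Note the INPUT/OUTPUT rules accept all
      # traffic between the host and the bridge, not just Juju's ports.
      echo "$(date +'%Y-%m-%d %H:%M:%S'): networking.sh started"
      # Interface of the last "default" route line ($5 is the "dev" value).
      read -r INTERFACE < <(ip -4 route ls | awk '$1=="default"{x=$5}END{print x}')
      su ubuntu -c "lxc network set lxdbr0 bridge.mtu=$(ip link show $INTERFACE | awk '/mtu/ {print $5}')"
      iptables -I FORWARD 1 -i lxdbr0 -o "$INTERFACE" -j ACCEPT -m comment --comment "Permit LXD bridge to $INTERFACE"
      iptables -I FORWARD 1 -i "$INTERFACE" -o lxdbr0 -j ACCEPT -m comment --comment "Permit $INTERFACE to LXD bridge"
      iptables -I INPUT 1 -i lxdbr0 -j ACCEPT -m comment --comment "Permit incoming on lxdbr0"
      iptables -I OUTPUT 1 -o lxdbr0 -j ACCEPT -m comment --comment "Permit outgoing on lxdbr0"
      netfilter-persistent save
      echo "$(date +'%Y-%m-%d %H:%M:%S'): networking.sh completed"
  - path: /home/ubuntu/iptables_haproxy.sh
    owner: 'ubuntu:ubuntu'
    permissions: '0755'
    defer: true
    content: |
      #!/bin/bash
      # DNATs host ports 443 and 80 to the haproxy unit inside LXD. Any
      # existing rules tagged "haproxy" are removed first so a re-run does not
      # stack duplicates.
      echo "$(date +'%Y-%m-%d %H:%M:%S'): iptables_haproxy.sh started - waiting for all containers to be assigned an IP"
      # Delete highest rule number first so the remaining numbers stay valid.
      # '{print $1}' takes the whole rule number (an empty -F would split the
      # line per character and keep only its first digit). `-r` skips the
      # delete when no haproxy rule exists.
      iptables -t nat -L --line-numbers | grep 'haproxy' | awk '{print $1}' | sort -rn | xargs -r -I {} iptables -t nat -D PREROUTING {}
      # Unit number of the first haproxy unit in the status output, taken in
      # full (multi-digit unit numbers included).
      read -r HAPROXY_INSTANCE_NUMBER < <(su - ubuntu -c "juju status --format=json | grep -o 'haproxy/[0-9]*' | head -n 1 | cut -d/ -f2")
      su ubuntu -c "juju wait-for application --timeout=15m haproxy --logging-config='juju.plugins.waitfor=TRACE' --debug"
      read -r HAPROXY_UNIT_IP < <(su ubuntu -c "juju run --unit haproxy/$HAPROXY_INSTANCE_NUMBER 'network-get public --ingress-address=true'")
      # Assumes the default route line reads "default via <gw> dev <if> ... src <ip> ..."
      # so that $5 is the interface and $9 its address — verify on hosts with
      # an unusual route layout.
      read -r INTERFACE INTERFACE_IP < <(ip -4 route ls | awk '$1=="default"{x=$5" "$9}END{print x}')
      for PORT in 443 80; do
        iptables -t nat -I PREROUTING -i "$INTERFACE" -p tcp -d "$INTERFACE_IP" --dport "$PORT" -j DNAT --to-destination "$HAPROXY_UNIT_IP:$PORT" -m comment --comment haproxy
      done
      netfilter-persistent save
      echo "$(date +'%Y-%m-%d %H:%M:%S'): iptables_haproxy.sh completed"
  - path: /tmp/juju_containers_active_check.sh
    owner: 'ubuntu:ubuntu'
    permissions: '0755'
    defer: true
    content: |
      #!/bin/bash
      # Polls `juju status` until every application-status is "active"
      # (exit 0), or exits 1 as soon as any application reports "error".
      # NOTE: there is no overall deadline — an application that never becomes
      # active or errored keeps cloud-init's final stage waiting here.
      while true; do
        juju_status=$(su ubuntu -c "juju status --format json")
        countA=$(echo "$juju_status" | grep -o '\"application-status\":' | wc -l)
        countB=$(echo "$juju_status" | grep -o '\"application-status\":{\"current\":\"active\"' | wc -l)
        countError=$(echo "$juju_status" | grep -o '\"application-status\":{\"current\":\"error\"' | wc -l)
        if [ "$countError" -ge 1 ]; then
          # Backticks are escaped: unescaped inside double quotes they ran
          # `juju status` (as root) and spliced its output into the message.
          echo "Errors present in \`juju status\` output"
          exit 1
        fi
        if [ "$countA" -eq "$countB" ]; then
          echo "$(date +'%Y-%m-%d %H:%M:%S'): All Juju containers are in an active state"
          break
        else
          echo "$(date +'%Y-%m-%d %H:%M:%S'): Waiting for all containers to be in an active state"
          sleep 10
          su ubuntu -c "juju status"
        fi
      done

ubuntu_advantage:
{% if TOKEN %}
  # Quoted so a token that happens to look like a number or boolean stays a string.
  token: "{{ TOKEN }}"
{% endif %}
  enable:
    - livepatch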