registry and vault related stuff (#18)

mgmt/registry/README.md

@@ -0,0 +1,35 @@
+# registry
+
+On gcp. Installed at registry.mobiledgex.net
+
+maven, docker registry and file server.
+They are run as docker containers.
+
+## auth/
+
+credentials, certificates, etc.
+
+## gen-cert-registry-mobiledgex.sh
+
+get letsencrypt certs for registry
+
+## run-docker-registry.sh
+
+docker registry runs at port 5000.
+
+## gen-htpasswd.sh
+
+generate htpasswd for use with the above docker registry container image
+
+## run-gohttpserver.sh
+
+https file server at 8000.
+
+## run-nexus-simple.sh
+
+maven repo at 8081, but exposed via https at 443 via nginx proxy below.
+
+## run-nginx-nexus-proxy.sh
+
+TLS termination for nexus at 443.
+

mgmt/registry/gen-htpasswd.sh

@@ -0,0 +1,2 @@
+docker run --entrypoint htpasswd registry:2 -Bbn bob Keon >> auth/htpasswd
+docker run --entrypoint htpasswd registry:2 -Bbn mobiledgex sandhill >> auth/htpasswd

mgmt/registry/run-docker-registry.sh

@@ -0,0 +1,15 @@
+docker run -d \
+       -p 5000:5000 \
+       --restart=always \
+       --name docker-registry \
+       -v `pwd`/auth:/auth \
+       -v /home/bob/docker-registry:/var/lib/registry \
+       -e "REGISTRY_AUTH=htpasswd" \
+       -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
+       -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
+       -v `pwd`/certs:/certs \
+       -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/fullchain.cer \
+       -e REGISTRY_HTTP_TLS_KEY=/certs/registry.mobiledgex.net.key \
+       registry:2
+
+#docker run -d -p 5000:5000 --restart always --name registry registry:2

mgmt/registry/run-gohttpserver.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+docker run -d --rm -p 8000:8000 -v /home/bob/certs:/certs -v /home/bob/files-repo:/app/public --name gohttpserver codeskyblue/gohttpserver ./gohttpserver --root /app/public --auth-type http --auth-http mobiledgex:sandhill --cors --upload --delete --title mobiledgex --cert=/certs/cert.pem --key=/certs/key.pem

mgmt/registry/run-nexus-simple.sh

@@ -0,0 +1 @@
+docker run -d -p 8081:8081 -v /home/bob/nexus:/sonatype-work  --name nexus sonatype/nexus:oss

mgmt/registry/run-nginx-nexus-proxy.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+docker run -d --restart always --net host --name nginx-nexus-proxy -v /home/bob/auth/nginx-nexus:/etc/nginx nginx

mgmt/vault/README.md

@@ -0,0 +1,29 @@
+# Vault
+
+On gcp.
+
+Installed in vault.mobiledgex.net.
+
+## first time run
+
+```
+docker-compose up -d --build
+```
+
+Builds the docker images of consul and vault.
+
+## certificates
+
+```
+gen-cert-vault-moiledgex.sh
+```
+
+
+## HTTPS
+
+Nginx at 443
+
+```
+run-nginx-vault-proxy.sh
+```
+

mgmt/vault/consul/Dockerfile

@@ -0,0 +1,32 @@
+# base image
+FROM alpine:3.7
+
+# set consul version
+ENV CONSUL_VERSION 1.2.1
+
+# create a new directory
+RUN mkdir /consul
+
+# download dependencies
+RUN apk --no-cache add \
+      bash \
+      ca-certificates \
+      wget
+
+# download and set up consul
+RUN wget --quiet --output-document=/tmp/consul.zip https://releases.hashicorp.com/consul/${CONSUL_VERSION}/consul_${CONSUL_VERSION}_linux_amd64.zip && \
+    unzip /tmp/consul.zip -d /consul && \
+    rm -f /tmp/consul.zip && \
+    chmod +x /consul/consul
+
+# update PATH
+ENV PATH="PATH=$PATH:$PWD/consul"
+
+# add the config file
+COPY ./config/consul-config.json /consul/config/config.json
+
+# expose ports
+EXPOSE 8300 8400 8500 8600
+
+# run consul
+ENTRYPOINT ["consul"]

mgmt/vault/consul/config/consul-config.json

@@ -0,0 +1,9 @@
+{
+  "datacenter": "localhost",
+  "data_dir": "/consul/data",
+  "log_level": "DEBUG",
+  "ui": true,
+  "ports": {
+    "dns": 53
+  }
+}

mgmt/vault/docker-compose.yml

@@ -0,0 +1,43 @@
+version: '3.6'
+
+services:
+
+  vault:
+    build:
+      context: ./vault
+      dockerfile: Dockerfile
+    ports:
+      - 8200:8200
+    volumes:
+      - ./vault/config:/vault/config
+      - ./vault/policies:/vault/policies
+      - ./vault/data:/vault/data
+      - ./vault/logs:/vault/logs
+    environment:
+      - VAULT_ADDR=http://127.0.0.1:8200
+    command: server -config=/vault/config/vault-config.json
+    cap_add:
+      - IPC_LOCK
+    depends_on:
+      - consul
+
+  consul:
+    build:
+      context: ./consul
+      dockerfile: Dockerfile
+    ports:
+      - 8500:8500
+    command: agent -server -bind 0.0.0.0 -client 0.0.0.0 -bootstrap-expect 1 -config-file=/consul/config/config.json
+    volumes:
+      - ./consul/config/consul-config.json:/consul/config/config.json
+      - ./consul/data:/consul/data
+
+  consul-worker:
+    build:
+      context: ./consul
+      dockerfile: Dockerfile
+    command: agent -server -join consul -config-file=/consul/config/config.json
+    volumes:
+      - ./consul/config/consul-config.json:/consul/config/config.json
+    depends_on:
+      - consul

mgmt/vault/run-nginx-vault-proxy.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+docker run -d --restart always --net host --name nginx-vault-proxy -v /home/bob/auth/nginx-vault:/etc/nginx nginx

mgmt/vault/vault/Dockerfile

@@ -0,0 +1,32 @@
+# base image
+FROM alpine:3.7
+
+# set vault version
+ENV VAULT_VERSION 0.10.3
+
+# create a new directory
+RUN mkdir /vault
+
+# download dependencies
+RUN apk --no-cache add \
+      bash \
+      ca-certificates \
+      wget
+
+# download and set up vault
+RUN wget --quiet --output-document=/tmp/vault.zip https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip && \
+    unzip /tmp/vault.zip -d /vault && \
+    rm -f /tmp/vault.zip && \
+    chmod +x /vault
+
+# update PATH
+ENV PATH="PATH=$PATH:$PWD/vault"
+
+# add the config file
+COPY ./config/vault-config.json /vault/config/vault-config.json
+
+# expose port 8200
+EXPOSE 8200
+
+# run vault
+ENTRYPOINT ["vault"]

mgmt/vault/vault/config/vault-config.json

@@ -0,0 +1,15 @@
+{
+  "backend": {
+    "consul": {
+      "address": "consul:8500",
+      "path": "vault/"
+    }
+  },
+  "listener": {
+    "tcp":{
+      "address": "0.0.0.0:8200",
+      "tls_disable": 1
+    }
+  },
+  "ui": true
+}

mgmt/vault/vault/policies/app-policy.json

@@ -0,0 +1,7 @@
+{
+  "path": {
+    "secret/data/app/*": {
+      "policy": "read"
+    }
+  }
+}