135 lines
2.8 KiB
Ruby
135 lines
2.8 KiB
Ruby
# Create directories
|
|
%w( certs howto misc policies tokens ).each do |d|
|
|
directory "/etc/consul.d/#{d}" do
|
|
owner 'consul'
|
|
group 'consul'
|
|
mode '0755'
|
|
end
|
|
end
|
|
|
|
# deploy certificates
|
|
if node['consul']['manager']
|
|
encrypted_remote_file '/etc/consul.d/certs/consul-agent-ca-key.pem' do
|
|
owner 'consul'
|
|
group 'consul'
|
|
mode '0444'
|
|
|
|
source 'files/etc/consul.d/certs/consul-agent-ca-key.pem'
|
|
password ENV['ITAMAE_PASSWORD']
|
|
end
|
|
|
|
encrypted_remote_file '/etc/consul.d/certs/dc1-server-consul-1-key.pem' do
|
|
owner 'consul'
|
|
group 'consul'
|
|
mode '0444'
|
|
|
|
source 'files/etc/consul.d/certs/dc1-server-consul-1-key.pem'
|
|
password ENV['ITAMAE_PASSWORD']
|
|
end
|
|
|
|
encrypted_remote_file '/etc/consul.d/certs/dc1-server-consul-1.pem' do
|
|
owner 'consul'
|
|
group 'consul'
|
|
mode '0444'
|
|
|
|
source 'files/etc/consul.d/certs/dc1-server-consul-1.pem'
|
|
password ENV['ITAMAE_PASSWORD']
|
|
end
|
|
end
|
|
|
|
encrypted_remote_file '/etc/consul.d/certs/consul-agent-ca.pem' do
|
|
owner 'consul'
|
|
group 'consul'
|
|
mode '0444'
|
|
|
|
source 'files/etc/consul.d/certs/consul-agent-ca.pem'
|
|
password ENV['ITAMAE_PASSWORD']
|
|
end
|
|
|
|
# Deploy configs
|
|
if node['consul']['manager']
|
|
SRC = 'consul-server.hcl.erb'
|
|
else
|
|
SRC = 'consul-agent.hcl.erb'
|
|
end
|
|
|
|
template '/etc/consul.d/consul.hcl' do
|
|
owner 'consul'
|
|
group 'consul'
|
|
mode '644'
|
|
|
|
variables(manager: node['consul']['manager'],
|
|
manager_hosts: node['consul']['manager_hosts'],
|
|
ipaddr: node['consul']['ipaddr'],
|
|
encrypt: node['consul']['encrypt'],
|
|
token: node['consul']['token'],
|
|
)
|
|
|
|
source "templates/etc/consul.d/#{SRC}"
|
|
|
|
notifies :restart, 'service[consul]'
|
|
end
|
|
|
|
# Deploy server specific config
|
|
template '/etc/consul.d/server.hcl' do
|
|
owner 'consul'
|
|
group 'consul'
|
|
mode '644'
|
|
|
|
variables(server_token: node['consul']['server_token'])
|
|
|
|
notifies :restart, 'service[consul]'
|
|
end
|
|
|
|
%w( 01-bootstrap.sh 02-policy.sh ).each do |sh|
|
|
remote_file("/etc/consul.d/howto/#{sh}") {
|
|
owner 'root'
|
|
group 'root'
|
|
mode '0755'
|
|
}
|
|
end
|
|
|
|
%w( anonymous nodes nomad-policy vault-service-registration ).each do |policy|
|
|
remote_file("/etc/consul.d/policies/#{policy}.hcl") {
|
|
owner 'root'
|
|
group 'root'
|
|
mode '0644'
|
|
}
|
|
end
|
|
|
|
# misc
|
|
directory '/var/log/consul/' do
|
|
owner 'consul'
|
|
group 'consul'
|
|
mode '0755'
|
|
end
|
|
|
|
remote_file '/etc/systemd/system/consul.service' do
|
|
owner 'root'
|
|
group 'root'
|
|
mode '0644'
|
|
|
|
notifies :restart, 'service[consul]'
|
|
end
|
|
|
|
remote_file '/etc/consul.d/service-consul.json' do
|
|
owner 'consul'
|
|
group 'consul'
|
|
mode '644'
|
|
end
|
|
|
|
service 'consul' do
|
|
action [:enable, :start]
|
|
end
|
|
|
|
# iptables settings here:
|
|
%w( 8300/tcp 8301/tcp 8301/udp 8500/tcp 8502/tcp ).each do |port|
|
|
execute "ufw allow #{port}" do
|
|
user 'root'
|
|
|
|
not_if "LANG=c ufw status | grep #{port}"
|
|
|
|
notifies :run, 'execute[ufw reload-or-enable]'
|
|
end
|
|
end
|