Merge pull request #50 from sorenisanerd/dev

Merge dev branch

Author: sorenisanerd

.github/workflows/build.yml

@@ -41,6 +41,24 @@ jobs:
                               dl/mangos.tools_*.tar.zst
       - name: Decompress and stage tools
         run: mkdir mkosi.tools ; tar -x --zstd -f dl/mangos.tools_*.tar.zst -C mkosi.tools
+      - uses: dsaltares/fetch-gh-release-asset@master
+        id: pkgs-fetch
+        with:
+          repo: ${{ github.repository_owner }}/mangos-tools
+          version: latest
+          file: 'mangos-packages_.*\.tar\.zst.*'
+          regex: true
+          target: 'dl/'
+      - name: Verify packages signature
+        env:
+          tag: ${{ steps.pkgs-fetch.outputs.version }}
+        run: |
+          cosign verify-blob  --bundle dl/mangos-packages_*.tar.zst.sigbundle \
+                              --certificate-identity "${{ github.server_url }}/${{ github.repository_owner }}/mangos-tools/.github/workflows/build.yml@refs/tags/${tag}" \
+                              --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+                              dl/mangos-packages_*.tar.zst
+      - name: Decompress and stage packages
+        run: mkdir mkosi.packages ; tar -x --zstd -f dl/mangos-packages_*.tar.zst -C mkosi.packages
       - name: Inject key and cert
         env:
           MANGOS_CERT: ${{ vars.MANGOS_CERT }}
@@ -60,12 +78,15 @@ jobs:
           cat <<EOF > mkosi.key
           $MANGOS_KEY
           EOF
+      - name: Download Hashistack
+        run: |
+          ./hashiext-download.sh
       - name: Run mkosi
         env:
           profiles: ${{ matrix.profiles }}
           MANGOS_GITHUB_URL: ${{ github.server_url }}/${{ github.repository }}
         run: |
-          mkosi -E RUNNER_ENVIRONMENT --debug --profile= --profile="${profiles}"
+          mkosi -E RUNNER_ENVIRONMENT --debug --profile= --profile="${profiles},hashistack"
           mkosi -E RUNNER_ENVIRONMENT --debug --profile= --profile="${profiles},installer"
       - name: List built artifacts
         run: find out/

.github/workflows/pr.yml

@@ -38,16 +38,37 @@ jobs:
                               dl/mangos.tools_*.tar.zst
       - name: Decompress and stage tools
         run: mkdir mkosi.tools ; tar -x --zstd -f dl/mangos.tools_*.tar.zst -C mkosi.tools
+      - uses: dsaltares/fetch-gh-release-asset@master
+        id: pkgs-fetch
+        with:
+          repo: ${{ github.repository_owner }}/mangos-tools
+          version: latest
+          file: 'mangos-packages_.*\.tar\.zst.*'
+          regex: true
+          target: 'dl/'
+      - name: Verify packages signature
+        env:
+          tag: ${{ steps.pkgs-fetch.outputs.version }}
+        run: |
+          cosign verify-blob  --bundle dl/mangos-packages_*.tar.zst.sigbundle \
+                              --certificate-identity "${{ github.server_url }}/${{ github.repository_owner }}/mangos-tools/.github/workflows/build.yml@refs/tags/${tag}" \
+                              --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+                              dl/mangos-packages_*.tar.zst
+      - name: Decompress and stage packages
+        run: mkdir mkosi.packages ; tar -x --zstd -f dl/mangos-packages_*.tar.zst -C mkosi.packages
       - name: Generate key
         run: |
           #!/bin/sh
           mkosi genkey
+      - name: Download Hashistack
+        run: |
+          ./hashiext-download.sh
       - name: Run mkosi
         env:
           profiles: ${{ matrix.profiles }}
           MANGOS_GITHUB_URL: ${{ github.server_url }}/${{ github.repository }}
         run: |
-          mkosi -E RUNNER_ENVIRONMENT --debug --profile= --profile="${profiles}"
+          mkosi -E RUNNER_ENVIRONMENT --debug --profile= --profile="${profiles},hashistack"
           mkosi -E RUNNER_ENVIRONMENT --debug --profile= --profile="${profiles},installer"
       - name: List built artifacts
         run: find out/

hashiext-download.sh

@@ -0,0 +1,65 @@
+#!/bin/bash
+
+VAULT_VERSION=${VAULT_VERSION:-latest}
+CONSUL_VERSION=${CONSUL_VERSION:-latest}
+NOMAD_VERSION=${NOMAD_VERSION:-latest}
+CONSUL_TEMPLATE_VERSION=${CONSUL_TEMPLATE_VERSION:-latest}
+TERRAFORM_VERSION=${TERRAFORM_VERSION:-latest}
+
+get_latest_version() {
+    curl -s "https://api.github.com/repos/hashicorp/$1/releases/latest" | jq .name -r
+}
+
+download() {
+    local name="$1"
+    local version="$2"
+
+    if [ "${version}" = "latest" ]; then
+        version=$(get_latest_version "$name")
+    fi
+
+    version="${version#v}"
+
+    origdir="$(pwd)"
+    tmpdir=$(mktemp -d)
+    cd "$tmpdir" || exit 1
+
+    local url="https://releases.hashicorp.com/${name}/${version}/${name}_${version}_linux_amd64.zip"
+    local fname="${url##*/}"
+    wget -O "${fname}" "${url}"
+
+    sha256sums=https://releases.hashicorp.com/${name}/${version}/${name}_${version}_SHA256SUMS
+    sha256sums_sig=https://releases.hashicorp.com/${name}/${version}/${name}_${version}_SHA256SUMS.sig
+
+    wget -O SHA256SUMS "${sha256sums}"
+    wget -O SHA256SUMS.sig "${sha256sums_sig}"
+
+    if ! gpg --verify --no-default-keyring --keyring ${origdir}/resources/hashicorp-signing-key.72D7468F.gpg SHA256SUMS.sig SHA256SUMS
+    then
+        echo "GPG signature verification failed!"
+        exit 1
+    fi
+
+    echo "Verifying checksums..."
+    if ! grep -E "${fname}$" SHA256SUMS | sha256sum -c
+    then
+        echo "Checksum verification failed!"
+        exit 1
+    fi
+    mv "${fname}" "${origdir}"
+    cd "${origdir}"
+    rm -rf "${tmpdir}"
+}
+
+for tool in terraform vault nomad consul consul-template ; do
+    v="${tool^^}_VERSION"
+    v="${v//-/_}"
+    mkdir -p mkosi.images/${tool}/bin
+    if [ -f "mkosi.images/${tool}/bin/${tool}" ]
+    then
+        echo "Binary mkosi.images/${tool}/bin/${tool} already exists, skipping download/unzip"
+        continue
+    fi
+    download "$tool" "${!v}"
+    unzip ${tool}_*.zip -d mkosi.images/${tool}/bin ${tool}
+done

mkosi.conf

@@ -31,6 +31,7 @@ Environment=MANGOS_GITHUB_URL
 
 [Config]
 Profiles=verity-full,secureboot
+Dependencies=initrd,base
 
 [Include]
 Include=%D/resources/common-kernel

mkosi.images/base/mkosi.conf

@@ -60,11 +60,18 @@ Packages=
 
     gdisk
     pciutils
-    lshw
+    curl
+    jq
 
 ExtraTrees=%D/sshd-keygen:/usr/lib/sshd-keygen
            %D/[email protected]:/usr/lib/systemd/system/
            %D/sshd-keygen.target:/usr/lib/systemd/system/
            %D/resources/sysupdate.d:/usr/lib/sysupdate.d
+           %D/resources/mangosctl.sh:/usr/bin/mangosctl
            %D/mangos-sd-gh-proxy.py:/usr/bin/mangos-sd-gh-proxy
+           %D/resources/sysupdate.consul.d:/usr/lib/sysupdate.consul.d
+           %D/resources/sysupdate.consul-template.d:/usr/lib/sysupdate.consul-template.d
+           %D/resources/sysupdate.nomad.d:/usr/lib/sysupdate.nomad.d
+           %D/resources/sysupdate.terraform.d:/usr/lib/sysupdate.terraform.d
+           %D/resources/sysupdate.vault.d:/usr/lib/sysupdate.vault.d
 

mkosi.images/base/mkosi.conf.d/hashistack.conf

@@ -0,0 +1,11 @@
+[Match]
+Profiles=hashistack
+
+[Content]
+ExtraTrees=%D/resources/mangosctl.sh:/usr/bin/mangosctl
+           %D/resources/sysupdate.consul.d:/usr/lib/sysupdate.consul.d
+           %D/resources/sysupdate.consul-template.d:/usr/lib/sysupdate.consul-template.d
+           %D/resources/sysupdate.nomad.d:/usr/lib/sysupdate.nomad.d
+           %D/resources/sysupdate.terraform.d:/usr/lib/sysupdate.terraform.d
+           %D/resources/sysupdate.vault.d:/usr/lib/sysupdate.vault.d
+

mkosi.images/base/mkosi.extra/etc/hostname

@@ -0,0 +1 @@
+node-????-????

mkosi.images/base/mkosi.extra/usr/lib/repart.d/40-var-tmp.conf

@@ -2,5 +2,6 @@
 Type=tmp
 Format=xfs
 Encrypt=tpm2
-SizeMinBytes=5G
+SizeMinBytes=2G
+SizeMaxBytes=4G
 FactoryReset=on

mkosi.images/base/mkosi.extra/usr/lib/sysusers.d/mangos-docker.conf

@@ -0,0 +1,7 @@
+# 0-99 are centrally allocated by Debian(/Ubuntu)
+# 100-999 are "dynamically allocated system ids". We start at 501.
+#Type	Name	ID	GECOS	Home directory	Shell
+g		docker  501 -
+u		nomad	502	Nomad   /var/lib/nomad	/bin/false
+u		vault	503	Vault   /var/lib/vault	/bin/false
+u		consul	504	Consul  /var/lib/consul	/bin/false