Commit 0433524f3831eacfe86b449a2dd0840689bde0d2

Authored by Antonio Terceiro
1 parent 77730dfe

Add `preconfig` target to setup SSH on reverseproxy

`rake preconfig` must be the very first step in the deploy process
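--- a/README.md
+++ b/README.md
@@ -34,6 +34,7 @@ First you have to bring up the development virtual machines:
 
 ```bash
 $ vagrant up
+$ rake preconfig
 $ rake bootstrap_common
 ```
 
@@ -52,6 +53,17 @@ $ rake converge:$server # deploys only $server
 * TODO: document creation of `prod.yaml`.
 * TODO: document SSH configuration
 
+The very first step is
+
+```
+$ rake preconfig SPB_ENV=production
+```
+
+This will perform some initial configuration to the system that is required
+before doing the actual deployment.
+
+After that:
+
 ```bash
 $ rake SPB_ENV=production # deploys all servers
 $ rake nodes SPB_ENV=production # lists all servers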
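--- a/Rakefile
+++ b/Rakefile
@@ -35,7 +35,7 @@ task :test do
 end
 
 file 'ssh_config.erb'
-file 'config/local/ssh_config' => ['nodes.yaml', 'config/local/ips.yaml', 'ssh_config.erb'] do |t|
+file 'config/local/ssh_config' => ['nodes.yaml', 'config/local/ips.yaml', 'ssh_config.erb', 'Rakefile'] do |t|
 require 'erb'
 template = ERB.new(File.read('ssh_config.erb'))
 File.open(t.name, 'w') do |f|
@@ -50,3 +50,22 @@ unless ENV['nodeps']
 task 'converge:integration' => 'converge:database'
 task 'converge:social' => 'converge:database'
 end
+
+$ALT_SSH_PORT = config.fetch('alt_ssh_port', 2222)
+
+$nodes.find { |n| n.hostname == 'reverseproxy' }.data['ssh_port'] = $ALT_SSH_PORT
+desc 'Makes configurations needed before the bootstrap phase'
+task :preconfig => ssh_config_file do
+ preconfig_file = "tmp/preconfig.#{$SPB_ENV}.stamp"
+ if File.exist?(preconfig_file)
+ puts "I: preconfig already done."
+ puts "I: delete #{preconfig_file} to force running again"
+ else
+ sh 'scp', '-F', ssh_config_file, 'utils/reverseproxy_ssh_setup', 'reverseproxy.unconfigured:/tmp'
+ sh 'ssh', '-F', ssh_config_file, 'reverseproxy.unconfigured', 'sudo', '/tmp/reverseproxy_ssh_setup', $ALT_SSH_PORT.to_s
+
+ File.open(preconfig_file, 'w') do |f|
+ f.puts($ALT_SSH_PORT)
+ end
+ end
+end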
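Review bot: The two `sh` calls in the `else` branch of `preconfig` copy the script to the fixed path `/tmp/reverseproxy_ssh_setup` and then run it with `sudo`, so what executes as root is whatever sits at a predictable name in a world-writable directory at that moment. Avoid the intermediate file by feeding the script to the remote shell over ssh's stdin (remote command `'sudo', 'sh', '-s', '--', $ALT_SSH_PORT.to_s` with `utils/reverseproxy_ssh_setup` as input), or copy it into a directory created with `mktemp -d`. Separately, `$nodes.find { ... }.data['ssh_port'] = ...` runs when the Rakefile is loaded and raises on `nil` if no node is named `reverseproxy`, which would break every task, not just `preconfig`. Reading the port as `Integer(config.fetch('alt_ssh_port', 2222))` would reject a non-numeric value before it is handed to a script running as root.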
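--- a/Vagrantfile
+++ b/Vagrantfile
@@ -33,5 +33,9 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
 end
 config.vm.define 'reverseproxy' do |reverseproxy|
 reverseproxy.vm.network 'private_network', ip: ips['reverseproxy']
+ if File.exist?('tmp/preconfig.local.stamp')
+ reverseproxy.ssh.port = File.read('tmp/preconfig.local.stamp').strip.to_i
+ reverseproxy.ssh.host = ips['reverseproxy']
+ end
 end
 end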
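Review bot: `File.read('tmp/preconfig.local.stamp').strip.to_i` turns an empty or garbled stamp into port 0, and the relative path is resolved against the current working directory, which is not the project root when `vagrant` is invoked from a subdirectory. Prefer `stamp = File.expand_path('tmp/preconfig.local.stamp', File.dirname(__FILE__))` and `reverseproxy.ssh.port = Integer(File.read(stamp).strip)`, so a bad stamp fails loudly instead of pointing Vagrant at the wrong port.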
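--- a/config/local/config.yaml
+++ b/config/local/config.yaml
@@ -10,4 +10,4 @@ email_subject_prefix: '[spb]'
 lists_hostname: listas.softwarepublico.dev
 lists_admin: paulo@softwarelivre.org
 relay_hostname: relay.softwarepublico.dev
-
+alt_ssh_port: 5555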
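--- a/ssh_config.erb
+++ b/ssh_config.erb
@@ -9,7 +9,13 @@ Host *
 <% $nodes.each do |node| %>
 Host <%= node.hostname %>
 Hostname <%= node.data['peers'][node.hostname] %>
+ Port <%= node.data.fetch('ssh_port', 22) %>
 IdentityFile <%= (Dir.glob(".vagrant/machines/#{node.hostname}/*/private_key") + [File.expand_path('~/.vagrant.d/insecure_private_key')]).find { |f| File.exists?(f) }.tap { |f| File.expand_path(f) } %>
 <% end %>
 
+Host reverseproxy.unconfigured
+ Hostname <%= $nodes.first.data['peers']['reverseproxy'] %>
+ Port 22
+ IdentityFile <%= (Dir.glob(".vagrant/machines/reverseproxy/*/private_key") + [File.expand_path('~/.vagrant.d/insecure_private_key')]).find { |f| File.exists?(f) }.tap { |f| File.expand_path(f) } %>
+
 # vim: ft=sshconfig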
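Review bot: The `IdentityFile` line added for `reverseproxy.unconfigured` copies two problems from the per-node line above it: `.tap { |f| File.expand_path(f) }` returns the unexpanded path because `tap` discards the block's result, and `File.exists?` is deprecated and was removed in Ruby 3.2. Wrapping the lookup instead, `File.expand_path((...).find { |f| File.exist?(f) })`, yields the intended absolute path and raises when no key is found rather than emitting an empty `IdentityFile`. The fallback to `~/.vagrant.d/insecure_private_key` is also emitted for this host, and the README change runs `rake preconfig SPB_ENV=production` through the same block. If this template is shared with production (not visible here), the publicly known Vagrant key should be offered only for the local environment.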
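--- a/utils/reverseproxy_ssh_setup
+++ b/utils/reverseproxy_ssh_setup
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+set -e
+
+port="$1"
+
+# switch SSH to port $port
+sed -i -e 's/^#\?\s*Port\s*[0-9]\+\s*$/Port '$port'/g' /etc/ssh/sshd_config
+
+# Tell SELinux to allow the new port
+semanage port -a -t ssh_port_t -p tcp "$port"
+
+# Restart SSH
+systemctl restart sshd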