add scripts

Author: jasoncolburne

src/core-switch/patch/keystone.conf.patch

@@ -0,0 +1,27 @@
+--- /etc/keystone/keystone.conf.sample	2022-05-30 07:01:55.016379255 -0300
++++ /etc/keystone/keystone.conf	2022-05-30 07:50:14.820486765 -0300
+@@ -41,13 +41,13 @@
+ # is set by default. In larger deployments, it is recommended that you set this
+ # to a reasonable number to prevent operations like listing all users and
+ # projects from placing an unnecessary load on the system. (integer value)
+-#list_limit = <None>
++list_limit = 100
+ 
+ # If set to true, strict password length checking is performed for password
+ # manipulation. If a password exceeds the maximum length, the operation will
+ # fail with an HTTP 403 Forbidden error. If set to false, passwords are
+ # automatically truncated to the maximum length. (boolean value)
+-#strict_password_check = false
++strict_password_check = true
+ 
+ # If set to true, then the server will return information in HTTP responses
+ # that may allow an unauthenticated or authenticated user to get more
+@@ -663,7 +663,7 @@
+ # Deprecated group/name - [DEFAULT]/sql_connection
+ # Deprecated group/name - [DATABASE]/sql_connection
+ # Deprecated group/name - [sql]/connection
+-#connection = <None>
++connection = postgresql+psycopg2:///keystone
+ 
+ # The SQLAlchemy connection string to use to connect to the slave database.
+ # (string value)

src/core-switch/scripts/deploy-ldap.sh

@@ -0,0 +1,44 @@
+#!/usr/bin/bash
+
+set -euo pipefail
+
+OLD_PWD=$(pwd)
+
+echo "ensure ~/ldap-admin-passphrase.txt and ~/ldap-admin-passphrase-verify.txt exist and match"
+if [[ ! -f ~/ldap-admin-passphrase.txt ]]; then
+  echo "  ie:"
+  echo "  $ echo -n \"passphrase\" > ~/ldap-admin-passphrase.txt"
+  exit 1
+fi
+sha256sum ~/ldap-admin-passphrase.txt | sed s/passphrase/passphrase-verify/ | sha256sum -c --quiet
+
+sudo apt-get -y install slapd ldap-utils
+
+ADMIN_PASSPHRASE=$(cat ~/ldap-admin-passphrase.txt)
+echo "configuring ldap basedn, users and groups"
+sudo ldapadd -x -D cn=admin,dc=homelab -w $ADMIN_PASSPHRASE -f ~/install/ldap/basedn.ldif
+sudo ldapadd -x -D cn=admin,dc=homelab -w $ADMIN_PASSPHRASE -f ~/install/ldap/ldap-users.ldif
+sudo ldapadd -x -D cn=admin,dc=homelab -w $ADMIN_PASSPHRASE -f ~/install/ldap/ldap-groups.ldif
+echo "deleting ~/ldap-admin-passphrase.txt to ensure security"
+rm ~/ldap-admin-passphrase.txt ~/ldap-admin-passphrase-verify.txt
+echo "generating ldap server key/cert"
+echo -n passphrase > passphrase.tmp
+sudo openssl genrsa -aes128 -out /etc/ssl/private/ldap_server.key -passout file:passphrase.tmp 4096
+sudo openssl rsa -in /etc/ssl/private/ldap_server.key -out /etc/ssl/private/ldap_server.key  -passin file:passphrase.tmp
+rm passphrase.tmp
+sudo openssl req -new -days 3650 -key /etc/ssl/private/ldap_server.key -out /etc/ssl/private/ldap_server.csr
+sudo openssl x509 -in /etc/ssl/private/ldap_server.csr -out /etc/ssl/private/ldap_server.crt -req -signkey /etc/ssl/private/ldap_server.key -days 3650
+sudo cp /etc/ssl/private/ldap_server.{key,crt} /etc/ssl/certs/ca-certificates.crt /etc/ldap/sasl2/
+sudo chown -R openldap:openldap /etc/ldap/sasl2
+echo "installing ldap tls/sasl"
+sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f ~/install/ldap/ldapssl.ldif
+sudo echo "TLS_REQCERT allow" >> /etc/ldap/ldap.conf
+echo "disabling anonymous ldap binding"
+sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f ~/install/ldap/disableanonymous.ldif
+echo "disabling cleartexty ldap binding"
+sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f ~/install/ldap/disablecleartextbind.ldif
+
+echo "restarting slapd"
+sudo systemctl restart slapd
+
+cd $OLD_PWD

src/core-switch/scripts/deploy-openstack-yoga-service.sh

@@ -0,0 +1,184 @@
+#!/usr/bin/bash
+
+set -euxo pipefail
+
+OLD_PWD=$(pwd)
+
+sudo ~/install/scripts/install-dependencies/$SERVICE.sh
+
+sudo mkdir -p \
+  /etc/$SERVICE \
+  /var/lib/$SERVICE/venv \
+  /var/lib/$SERVICE/src \
+  /var/lib/$SERVICE/patch \
+  /var/log/$SERVICE \
+  /run/uwsgi/$SERVICE
+
+mkdir -p ~/src/openstack
+
+cd ~/src/openstack
+[[ -d $SERVICE ]] || git clone https://opendev.org/openstack/$SERVICE.git -b stable/yoga
+
+sudo rm -rf /var/lib/$SERVICE/src/$SERVICE
+sudo cp -R ~/src/openstack/$SERVICE /var/lib/$SERVICE/src
+sudo cp -R ~/install/patch/$SERVICE* /var/lib/$SERVICE/patch
+
+# this is actually flawed but we won't see a problem
+if rg -qF $SERVICE /etc/passwd
+then
+  echo "skipping user $SERVICE creation"
+else
+  sudo useradd \
+    --home-dir "/var/lib/$SERVICE" \
+    --create-home \
+    --system \
+    --shell /bin/false \
+    $SERVICE
+fi
+
+echo "SELECT 'CREATE DATABASE $SERVICE' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = '$SERVICE')\gexec" | sudo -u postgres psql -q
+sudo -u postgres psql -q << PLPGSQL
+DO
+\$do\$
+BEGIN
+  IF NOT EXISTS (
+    SELECT FROM pg_catalog.pg_roles
+    WHERE  rolname = '$SERVICE') THEN
+
+    CREATE ROLE $SERVICE LOGIN;
+  END IF;
+END
+\$do\$;
+PLPGSQL
+sudo -u postgres psql -q -c "GRANT ALL PRIVILEGES ON DATABASE $SERVICE TO $SERVICE;"
+
+sudo chown -R $SERVICE:$SERVICE /etc/$SERVICE
+sudo chown -R $SERVICE:$SERVICE /var/lib/$SERVICE
+sudo chown -R $SERVICE:$SERVICE /var/log/$SERVICE
+
+if [[ $SERVICE_ADMIN_PORT != disabled ]]
+then
+  HOST=$(hostname)
+  SERVICE_ADMIN_PASSPHRASE=$(dd if=/dev/urandom bs=32 count=1 | base64)
+  cat > ~/.openrc-admin << EOF
+export OS_PROJECT_DOMAIN_NAME=Default
+export OS_USER_DOMAIN_NAME=Default
+export OS_PROJECT_NAME=admin
+export OS_USERNAME=admin
+export OS_PASSWORD=$SERVICE_ADMIN_PASSPHRASE
+export OS_AUTH_URL=http://$HOST:35357/v3
+export OS_IDENTITY_API_VERSION=3
+export OS_IMAGE_API_VERSION=2
+EOF
+else
+  # gross
+  SERVICE_ADMIN_PASSPHRASE=
+fi
+
+sudo -u $SERVICE SERVICE=$SERVICE SERVICE_PORT=$SERVICE_PORT SERVICE_ADMIN_PASSPHRASE=$SERVICE_ADMIN_PASSPHRASE ~/install/scripts/install-openstack-yoga-service.sh
+
+# prepare for uwsgi and nginx configuration
+
+sudo usermod -G www-data $SERVICE
+
+sudo systemctl stop nginx
+sudo rm -f /etc/nginx/sites-enabled/default
+
+sudo mkdir /var/log/nginx/$SERVICE
+sudo chown www-data:www-data /var/log/nginx/$SERVICE
+sudo mkdir /var/www/$SERVICE
+
+# uwsgi
+
+if [[ $SERVICE_ADMIN_PORT != disabled ]]
+then
+  sudo bash -c "cat > /etc/uwsgi/apps-available/$SERVICE-admin.ini" << EOF
+[uwsgi]
+master = true
+plugin = python3
+thunder-lock = true
+processes = 5
+threads = 2
+chmod-socket = 660
+chown-socket = $SERVICE:www-data
+
+name = $SERVICE
+uid = $SERVICE
+gid = www-data
+
+chdir = /var/www/$SERVICE/  
+virtualenv = /var/lib/$SERVICE/venv
+wsgi-file = /var/lib/$SERVICE/venv/bin/$SERVICE-wsgi-admin
+
+no-orphans = true
+vacuum = true
+EOF
+
+  sudo ln -s /etc/uwsgi/apps-{available,enabled}/$SERVICE-admin.ini
+fi
+
+sudo bash -c "cat > /etc/uwsgi/apps-available/$SERVICE.ini" << EOF
+[uwsgi]
+master = true
+plugin = python3
+thunder-lock = true
+processes = 3  
+threads = 2  
+chmod-socket = 660
+chown-socket = $SERVICE:www-data
+
+name = $SERVICE
+uid = $SERVICE
+gid = www-data
+
+chdir = /var/www/$SERVICE/
+virtualenv = /var/lib/$SERVICE/venv
+wsgi-file = /var/lib/$SERVICE/venv/bin/$SERVICE-wsgi-public
+
+no-orphans = true
+vacuum = true
+EOF
+
+sudo ln -s /etc/uwsgi/apps-{available,enabled}/$SERVICE.ini
+
+sudo systemctl restart uwsgi
+
+# nginx
+
+sudo bash -c "cat > /etc/nginx/sites-available/$SERVICE.conf" << EOF
+server {
+    listen      $SERVICE_PORT;
+    access_log  /var/log/nginx/$SERVICE/access.log;
+    error_log   /var/log/nginx/$SERVICE/error.log;
+
+    location / {
+        uwsgi_pass    unix:///run/uwsgi/app/$SERVICE/socket;
+        include       uwsgi_params;
+    }
+}
+EOF
+
+[[ $SERVICE_ADMIN_PORT == disabled ]] || sudo bash -c "cat >> /etc/nginx/sites-available/$SERVICE.conf" << EOF
+server {
+    listen      $SERVICE_ADMIN_PORT;
+    access_log  /var/log/nginx/$SERVICE/access.log;
+    error_log   /var/log/nginx/$SERVICE/error.log;
+
+    location / {
+        uwsgi_pass    unix:///run/uwsgi/app/$SERVICE-admin/socket;
+        include       uwsgi_params;
+    }
+}
+EOF
+
+sudo ln -s /etc/nginx/sites-{available,enabled}/$SERVICE.conf
+sudo sed -i "s/worker_processes auto/worker_processes 6/" /etc/nginx/nginx.conf
+
+sudo systemctl restart nginx
+
+# cleanup
+
+sudo rm -rf /var/lib/$SERVICE/src
+sudo rm -rf /var/lib/$SERVICE/patch
+
+cd $OLD_PWD

src/core-switch/scripts/deploy-openstack-yoga.sh

@@ -0,0 +1,5 @@
+#!/usr/bin/bash
+
+set -euxo pipefail
+
+SERVICE=keystone SERVICE_PORT=5000 SERVICE_ADMIN_PORT=35357 ~/install/scripts/deploy-openstack-yoga-service.sh

src/core-switch/scripts/install-dependencies/keystone.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/bash
+
+set -euo pipefail
+
+apt-get -y install \
+  python3-pip \
+  python3-venv \
+  python3-dev \
+  memcached \
+  postgresql \
+  libpq-dev \
+  nginx \
+  uwsgi \
+  uwsgi-plugin-python3 \
+  libldap2-dev \
+  libsasl2-dev \
+  python3-openstackclient

src/core-switch/scripts/install-openstack-yoga-service.sh

@@ -0,0 +1,40 @@
+#!/usr/bin/bash
+
+set -euxo pipefail
+
+OLD_PWD=$(pwd)
+
+cd ~/src/$SERVICE
+git switch -c debian-bullseye
+
+tox -e genconfig
+tox -e genpolicy
+# tox -e docs
+# tox -e protection
+
+cp -R etc/* /etc/$SERVICE
+patch -o /etc/$SERVICE/$SERVICE.conf /etc/$SERVICE/$SERVICE.conf.sample < ~/patch/$SERVICE.conf.patch
+
+python3 -m venv /var/lib/$SERVICE/venv
+. /var/lib/$SERVICE/venv/bin/activate
+
+pip install -r requirements.txt
+# requirements for our setup
+pip install psycopg2
+python3 setup.py install
+
+$SERVICE-manage db_sync
+$SERVICE-manage fernet_setup
+$SERVICE-manage credential_setup
+
+# this is very keystone specific and will need to be abstracted
+$SERVICE-manage bootstrap \
+  --bootstrap-password $SERVICE_ADMIN_PASSPHRASE \
+  --bootstrap-admin-url http://$(hostname):$SERVICE_PORT/v3/ \
+  --bootstrap-internal-url http://$(hostname):$SERVICE_PORT/v3/ \
+  --bootstrap-public-url http://$(hostname):$SERVICE_PORT/v3/ \
+  --bootstrap-region-id RegionOne
+
+deactivate
+
+cd $OLD_PWD

src/core-switch/scripts/provision-for-package-development.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/bash
+
+sudo apt-get -y install build-essential fakeroot devscripts ripgrep
+if rg -q 'debian unstable main' /etc/apt/sources.list
+then
+  echo "found unstable sources, continuing"
+else
+  echo "did not find unstable sources, patching sources.list"
+  sudo sh -c "echo >> /etc/apt/sources.list"
+  sudo sh -c "echo 'deb-src http://httpredir.debian.org/debian unstable main' >> /etc/apt/sources.list"
+fi
+sudo apt-get update

src/core-switch/scripts/provision.sh

@@ -0,0 +1,60 @@
+#!/usr/bin/bash
+
+set -euo pipefail
+
+OLD_PWD=$(pwd)
+
+echo "removing cd-rom from apt sources"
+sudo cp ~/install/sources.list /etc/apt/
+echo "upgrading operating system"
+sudo apt update
+sudo apt upgrade
+echo "installing required packages"
+sudo apt -y install \
+  unzip \
+  net-tools \
+  bridge-utils \
+# clevis-tpm2 clevis-luks clevis-dracut
+
+echo "installing optional packages"
+sudo apt -y install zsh git ripgrep && chsh -s $(which zsh) || true
+
+echo
+
+echo "deploying user config for $USER"
+cd ~
+unzip install/ssh.zip
+
+echo "deploying system config"
+cd /
+
+sudo systemctl stop networking
+echo "installing amd firmware"
+sudo unzip ~/install/amd.zip
+echo "deploying new networking configuration"
+sudo unzip -o ~/install/networking.zip
+echo "deploying new sshd configuration"
+sudo unzip -o ~/install/sshd.zip
+echo "deploying new grub configuration"
+sudo unzip -o ~/install/grub.zip
+sudo systemctl start networking
+echo "updating boot images"
+sudo update-initramfs -c -k all
+echo "updating grub"
+sudo update-grub
+
+echo "installing sme kernel"
+cd ~
+unzip install/kernel.zip
+cd 5.10.0-14-sme-amd64
+sudo apt install ./linux-image-sme-amd64_5.10.113-1_amd64.deb ./linux-image-5.10.0-14-sme-amd64_5.10.113-1_amd64.deb
+
+cd ~
+rm -rf 5.10.0-14-sme-amd64
+
+echo "disabling iscsi"
+sudo systemctl --now disable iscsid.service
+
+echo "to complete provisioning, reboot now."
+
+cd $OLD_PWD