hashipi

Raspberry Pi home lab with Nomad and OpenBao

bootstrap.sh (4131B)


      1 #!/usr/bin/env bash
      2 #
      3 # Packer shell provisioner for Arch Linux on Raspberry Pi
      4 #
      5 # set -o errexit
      6 # set -o nounset
      7 set -o xtrace
      8 
      9 # Set hostname
     10 echo "${HOSTNAME}" > /etc/hostname
     11 
     12 # Resolve hostname
     13 cat << EOF > /etc/hosts
     14 127.0.0.1        localhost
     15 ::1              localhost ip6-localhost ip6-loopback
     16 ff02::1          ip6-allnodes
     17 ff02::2          ip6-allrouters
     18 
     19 127.0.1.1        $HOSTNAME
     20 EOF
     21 
     22 # Add HashiCorp repository
     23 wget -O- https://apt.releases.hashicorp.com/gpg \
     24  | gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
     25 echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" \
     26  | tee /etc/apt/sources.list.d/hashicorp.list
     27 
     28 # Install packages
     29 apt-get update
     30 DEBIAN_FRONTEND=noninteractive apt-get install -y jq podman cloud-init curl \
     31  "nomad=${NOMAD_VERSION}-1"
     32 
     33 curl -L -o openbao.deb "https://github.com/openbao/openbao/releases/download/v${BAO_VERSION}/bao_${BAO_VERSION}_linux_${ARCHITECTURE}.deb"
     34 apt install ./openbao.deb
     35 
     36 # Configure insecure local registry
     37 cat << EOF > /etc/containers/registries.conf
     38 unqualified-search-registries = ['127.0.0.1:5000', 'haproxy.lan:5000', 'docker.io']
     39 
     40 [[registry]]
     41 location = "127.0.0.1:5000"
     42 insecure = true
     43 [[registry]]
     44 location = "haproxy.lan:5000"
     45 insecure = true
     46 EOF
     47 
     48 # Set up no-password sudo
     49 rm /etc/sudoers.d/010_pi-nopasswd
     50 echo '%sudo ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/010_all-nopasswd
     51 
     52 # Enable ssh and disable password auth
     53 touch /boot/ssh
     54 sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config
     55 
     56 # Delete default user pi
     57 /usr/sbin/userdel -r pi
     58 
     59 # Create user
     60 /usr/sbin/useradd -m "${USERNAME}"
     61 /usr/sbin/usermod -aG sudo "${USERNAME}"
     62 
     63 # Setup ssh keys
     64 mkdir -p "/home/${USERNAME}/.ssh"
     65 touch "/home/${USERNAME}/.ssh/authorized_keys"
     66 echo -e "${AUTHORIZED_KEYS}" > "/home/${USERNAME}/.ssh/authorized_keys"
     67 
     68 chown -R $USERNAME "/home/${USERNAME}/.ssh"
     69 chmod 700 "/home/${USERNAME}/.ssh"
     70 chmod 600 "/home/${USERNAME}/.ssh/authorized_keys"
     71 
     72 # Add cloud-init configuration for first boot
     73 # https://cloudinit.readthedocs.io/en/latest/reference/yaml_examples/disk_setup.html
     74 cat << EOF > /etc/cloud/cloud.cfg.d/99_hashipi_cloudinit.cfg
     75 #cloud-config
     76 
     77 # Growpart is enabled by default on the root partition
     78 #growpart:
     79 #  mode: auto
     80 #  devices: [\"/\"]
     81 #  ignore_growroot_disabled: false
     82 
     83 # Resize filesystem to use all available space on partition
     84 resize_rootfs: noblock
     85 
     86 # Disable network configuration
     87 network: {config: disabled}
     88 EOF
     89 
     90 # Install script to report CPU temp
     91 # https://github.com/TwiN/gatus?tab=readme-ov-file#external-endpoints
     92 cat <<EOF > /usr/local/bin/gatus-report-cpu-temp.sh
     93 #!/usr/bin/env bash
     94 
     95 # Check CPU temperature
     96 # https://www.kernel.org/doc/Documentation/ABI/testing/sysfs-class-thermal
     97 
     98 TOKEN=$GATUS_EXTERNAL_ENDPOINT_TOKEN
     99 ENDPOINT=infra_cputemp-$(hostname)
    100 
    101 EOF
    102 # don't interpret the variables in the rest of the script
    103 cat <<'EOF' >> /usr/local/bin/gatus-report-cpu-temp.sh
    104 if [[ $(cat /sys/class/thermal/thermal_zone0/temp) -gt 60000 ]]
    105 then
    106   echo "❌cpu temperature is above 60°C"
    107   curl -s -H "Authorization: Bearer $TOKEN" \
    108     -XPOST "https://up.in0rdr.ch/api/v1/endpoints/$ENDPOINT/external?success=false"
    109 else
    110   echo "✔ all fine, cpu temperature is below 60°C"
    111   curl -s -H "Authorization: Bearer $TOKEN" \
    112     -XPOST "https://up.in0rdr.ch/api/v1/endpoints/$ENDPOINT/external?success=true"
    113 fi
    114 EOF
    115 
    116 chmod +x /usr/local/bin/gatus-report-cpu-temp.sh
    117 
    118 cat <<EOF > /etc/systemd/system/gatus-report-cpu-temp.timer
    119 [Unit]
    120 Description=Report CPU temp to Gatus
    121 
    122 [Timer]
    123 Unit=gatus-report-cpu-temp.service
    124 # run 5min after unit started
    125 OnActiveSec=1min
    126 # afterwards, run timer every 45min
    127 OnUnitActiveSec=5min
    128 
    129 [Install]
    130 WantedBy=timers.target
    131 EOF
    132 
    133 cat <<EOF > /etc/systemd/system/gatus-report-cpu-temp.service
    134 [Unit]
    135 Description=Report CPU temp to Gatus
    136 
    137 [Service]
    138 Type=oneshot
    139 ExecStart=/bin/sh -c '/usr/local/bin/gatus-report-cpu-temp.sh'
    140 
    141 [Install]
    142 WantedBy=multi-user.target
    143 EOF
    144 
    145 systemctl daemon-reload
    146 systemctl enable gatus-report-cpu-temp.timer
    147 systemctl start gatus-report-cpu-temp.timer