hashipi

Raspberry Pi Test Cluster for HashiCorp Vault, Nomad and Consul



      1 #!/usr/bin/env bash
      2 #
      3 # Packer shell provisioner for HashiCorp Consul on Raspberry Pi
      4 # https://learn.hashicorp.com/consul/datacenter-deploy/deployment-guide
      5 
      6 # set -o errexit
      7 # set -o nounset
      8 set -o xtrace
      9 
     10 cd "/home/${USERNAME}"
     11 
     12 # Move uploaded tls files
     13 mkdir -p /opt/consul/tls
     14 mv /tmp/tls/* /opt/consul/tls/
     15 
     16 # Change ownership and permissions for tls certs
     17 chown consul: /opt/consul/tls/*.pem
     18 chmod 640 /opt/consul/tls/*.pem
     19 chmod 644 /opt/consul/tls/dc1-{cli,client}*
     20 chmod 644 /opt/consul/tls/consul-agent-ca.pem
     21 
     22 # Create Consul config files
     23 mkdir -p /etc/consul.d
     24 rm -rf /etc/consul.d/*
     25 
     26 cat << EOF > /etc/consul.d/consul.hcl
     27 datacenter = "dc1"
     28 data_dir = "/opt/consul"
     29 encrypt = "$CONSUL_ENCRYPT"
     30 
     31 retry_join = [
     32   $(printf '%s\n' $CONSUL_RETRY_JOIN)
     33 ]
     34 
     35 ports {
     36   server = 8300
     37   serf_lan = 8301
     38   serf_wan = -1
     39   http = -1
     40   https = 8501
     41   dns = 8600
     42 }
     43 
     44 addresses {
     45   dns = "{{GetPrivateInterfaces | exclude \"type\" \"IPv6\" | include \"name\" \"eth0\" | attr \"address\" }}"
     46 }
     47 
     48 # The address that should be bound to for internal cluster communications.
     49 # If there are multiple private IPv4 addresses available, Consul will exit with an error at startup:
     50 # - https://www.consul.io/docs/troubleshoot/common-errors
     51 # - https://www.consul.io/docs/agent/options
     52 bind_addr = "{{GetPrivateInterfaces | exclude \"type\" \"IPv6\" | include \"name\" \"eth0\" | attr \"address\" }}"
     53 
     54 performance {
     55   raft_multiplier = 5
     56 }
     57 
     58 ui_config {
     59   enabled = true
     60 }
     61 
     62 tls {
     63   defaults {
     64     verify_incoming = false
     65     verify_outgoing = true
     66     ca_file = "/opt/consul/tls/consul-agent-ca.pem"
     67     cert_file = "/opt/consul/tls/dc1-server-consul.pem"
     68     key_file = "/opt/consul/tls/dc1-server-consul-key.pem"
     69   }
     70 
     71   # Auto-encrypt RPC
     72   # "verify rpc only", because ui enabled
     73   internal_rpc {
     74     verify_incoming = true
     75     verify_server_hostname = true
     76   }
     77 }
     78 EOF
     79 
     80 systemctl enable consul
     81 
     82 # Configure .bashrc
     83 cat << EOF >> .bashrc
     84 
     85 complete -C /usr/bin/consul consul
     86 
     87 export CONSUL_HTTP_ADDR="https://127.0.0.1:8501"
     88 export CONSUL_CACERT="/opt/consul/tls/consul-agent-ca.pem"
     89 export CONSUL_CLIENT_CERT="/opt/consul/tls/dc1-cli-consul.pem"
     90 export CONSUL_CLIENT_KEY="/opt/consul/tls/dc1-cli-consul-key.pem"
     91 EOF
     92 
     93 if [[ "$CONSUL_SERVER" = true ]]; then
     94 cat << EOF > /etc/consul.d/server.hcl
     95 server           = true
     96 bootstrap_expect = 3
     97 EOF
     98 fi # endif CONSUL_SERVER