consul.sh (2354B)
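#!/usr/bin/env bash
#
# Packer shell provisioner for HashiCorp Consul on Raspberry Pi
# https://learn.hashicorp.com/consul/datacenter-deploy/deployment-guide
#
# Environment read by this script:
#   USERNAME           - login user whose ~/.bashrc receives the Consul CLI settings
#   CONSUL_ENCRYPT     - gossip encryption key written into consul.hcl
#   CONSUL_RETRY_JOIN  - whitespace-separated entries for the retry_join list
#   CONSUL_SERVER      - "true" to also write the server configuration

# errexit/nounset stay disabled as the author left them; the explicit guards
# below cover the steps where a silent failure would misplace or weaken output.
# set -o errexit
# set -o nounset

# Validate inputs BEFORE xtrace is enabled: xtrace prints expanded command
# arguments, so testing the gossip key afterwards would copy it into the
# Packer build log.
if [[ -z "${USERNAME:-}" ]]; then
  printf 'USERNAME must be set\n' >&2
  exit 1
fi
if [[ -z "${CONSUL_ENCRYPT:-}" ]]; then
  # An empty value would be written below as encrypt = "".
  printf 'CONSUL_ENCRYPT must be set\n' >&2
  exit 1
fi

set -o xtrace

# The .bashrc append further down uses a relative path, so a failed cd
# would write it into whatever directory the provisioner started in.
cd "/home/${USERNAME}" || exit 1

# Move uploaded tls files
mkdir -p /opt/consul/tls
mv /tmp/tls/* /opt/consul/tls/

# Change ownership and permissions for tls certs
chown consul: /opt/consul/tls/*.pem
chmod 640 /opt/consul/tls/*.pem
# NOTE(review): the brace glob below also matches the dc1-cli / dc1-client
# *-key.pem files, so those private keys end up world-readable (644).
# Presumably this lets the login user read the CLI key referenced in .bashrc;
# a dedicated group with 640 would avoid exposing the keys to every local
# account. Behaviour is left as the author wrote it.
chmod 644 /opt/consul/tls/dc1-{cli,client}*
chmod 644 /opt/consul/tls/consul-agent-ca.pem

# Create Consul config files
mkdir -p /etc/consul.d
rm -rf /etc/consul.d/*

# consul.hcl holds the gossip encryption key. Create it with restrictive
# permissions first, so it is never readable by other local users; the
# redirect below truncates the file and keeps this mode and owner.
# Assumes the service runs as the consul user, as the TLS chown above
# implies. TODO confirm against the systemd unit.
install -m 0640 /dev/null /etc/consul.d/consul.hcl
chown consul: /etc/consul.d/consul.hcl

# CONSUL_RETRY_JOIN is deliberately unquoted: word splitting puts one entry
# per line in the retry_join list. The heredoc delimiter is unquoted so the
# variables and the command substitution are expanded; \" stays literal.
# NOTE(review): verify_incoming = false under tls.defaults means the HTTPS API
# on 8501 does not require client certificates (the in-file comment ties this
# to the UI being enabled); access control for that port has to come from
# elsewhere (for example ACLs or network filtering), none of which is
# configured in this script.
cat << EOF > /etc/consul.d/consul.hcl
datacenter = "dc1"
data_dir = "/opt/consul"
encrypt = "$CONSUL_ENCRYPT"

retry_join = [
$(printf '%s\n' $CONSUL_RETRY_JOIN)
]

ports {
  server = 8300
  serf_lan = 8301
  serf_wan = -1
  http = -1
  https = 8501
  dns = 8600
}

addresses {
  dns = "{{GetPrivateInterfaces | exclude \"type\" \"IPv6\" | include \"name\" \"eth0\" | attr \"address\" }}"
}

# The address that should be bound to for internal cluster communications.
# If there are multiple private IPv4 addresses available, Consul will exit with an error at startup:
# - https://www.consul.io/docs/troubleshoot/common-errors
# - https://www.consul.io/docs/agent/options
bind_addr = "{{GetPrivateInterfaces | exclude \"type\" \"IPv6\" | include \"name\" \"eth0\" | attr \"address\" }}"

performance {
  raft_multiplier = 5
}

ui_config {
  enabled = true
}

tls {
  defaults {
    verify_incoming = false
    verify_outgoing = true
    ca_file = "/opt/consul/tls/consul-agent-ca.pem"
    cert_file = "/opt/consul/tls/dc1-server-consul.pem"
    key_file = "/opt/consul/tls/dc1-server-consul-key.pem"
  }

  # Auto-encrypt RPC
  # "verify rpc only", because ui enabled
  internal_rpc {
    verify_incoming = true
    verify_server_hostname = true
  }
}
EOF

systemctl enable consul

# Configure .bashrc (relative path: resolved against /home/${USERNAME} from the cd above)
cat << EOF >> .bashrc

complete -C /usr/bin/consul consul

export CONSUL_HTTP_ADDR="https://127.0.0.1:8501"
export CONSUL_CACERT="/opt/consul/tls/consul-agent-ca.pem"
export CONSUL_CLIENT_CERT="/opt/consul/tls/dc1-cli-consul.pem"
export CONSUL_CLIENT_KEY="/opt/consul/tls/dc1-cli-consul-key.pem"
EOF

# Server nodes get an extra config file; it contains no secrets, so the
# default file mode is kept.
if [[ "$CONSUL_SERVER" = true ]]; then
  cat << EOF > /etc/consul.d/server.hcl
server = true
bootstrap_expect = 3
EOF
fi # endif CONSUL_SERVER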