commit 413395d442f1aa63f7b6e64bb1db882cd7ac67cf
parent aaf584c1b956357ff93e44c7b7d5be9a81e5204f
Author: Andreas Gruhler <andreas.gruhler@adfinis.com>
Date: Sat, 5 Aug 2023 23:39:53 +0200
feat: add Gatus
Diffstat:
3 files changed, 193 insertions(+), 0 deletions(-)
diff --git a/README.md b/README.md
@@ -4,6 +4,14 @@ This repo contains some snippets to build containers with Packer.
The notes in this Readme do not follow a particular structure, but should help using the scripts.
+## Build Templates
+
+List templates (from `man lxc-create`):
+
+```
+/usr/share/lxc/templates/lxc-download -l
+```
+
## Build Instructions
For instance, to build the MariaDB image with debug logs:
@@ -11,6 +19,13 @@ For instance, to build the MariaDB image with debug logs:
$ PACKER_LOG=1 packer build mariadb-lxc.json
```
+For some newer, hcl-based Packer configurations, it is necessary to supply
+extra variables through var files or the `-var` input flag:
+
+```bash
+packer build -var "gatus_tls_nfs_server=server:/share" gatus-lxc.pkr.hcl
+```
+
### Suggested Build Order
The following sequence of builds allows you to spin up a small Nextcloud installation.
diff --git a/gatus-lxc.pkr.hcl b/gatus-lxc.pkr.hcl
@@ -0,0 +1,41 @@
+
+variable "manifest" {
+ type = string
+ default = "manifest.json"
+}
+
+source "lxc" "gatus" {
+ config_file = "config/lxc-config"
+ template_name = "download"
+ template_parameters = ["--dist", "Debian", "--release", "Bullseye", "--arch", "armv7l"]
+}
+
+variable "gatus_tls_nfs_server" {
+ type = string
+ description = "The NFS mount server for TLS certificates"
+}
+
+build {
+ sources = ["source.lxc.gatus"]
+
+ provisioner "shell" {
+ script = "scripts/timezone.sh"
+ }
+
+ provisioner "shell" {
+ script = "scripts/gatus.sh"
+ environment_vars = [
+ "GATUS_TLS_NFS_SERVER=${var.gatus_tls_nfs_server}"
+ ]
+ }
+
+}
+
+packer {
+ required_plugins {
+ lxc = {
+ version = ">= 1.0.2"
+ source = "github.com/hashicorp/lxc"
+ }
+ }
+}
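Review bot: `gatus_tls_nfs_server` has no default and no validation, yet its value is handed to `scripts/gatus.sh`, which writes it verbatim into `/etc/fstab`; a value with whitespace or a missing `host:/export` shape produces a broken fstab line that is only discovered when the container boots. Packer variable blocks accept a `validation` block, so the shape can be enforced at `packer build` time with a clear error, and the description should state the expected format. The user is also passed as an environment variable into a script running under `set -o xtrace`, so it will appear in the build log — acceptable for a hostname, but worth noting in the description so nobody puts credentials there later.

```hcl
variable "gatus_tls_nfs_server" {
  type        = string
  description = "NFS export holding the TLS certificate and key, as host:/export (no whitespace; logged during the build)"
  validation {
    condition     = can(regex("^[^[:space:]]+:/[^[:space:]]*$", var.gatus_tls_nfs_server))
    error_message = "gatus_tls_nfs_server must look like host:/export and contain no whitespace."
  }
}
```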
diff --git a/scripts/gatus.sh b/scripts/gatus.sh
@@ -0,0 +1,137 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o nounset
+set -o xtrace
+
+# Prepare environment
+export DEBIAN_FRONTEND=noninteractive
+GATUS_BUILD_DIR=/opt/gatus
+GATUS_TLS_DIR=/etc/nginx/tls
+GATUS_CONFIG_PATH=/etc/gatus.yaml
+
+mkdir -p $GATUS_BUILD_DIR
+mkdir -p $GATUS_TLS_DIR
+
+# Prepare Gatus user/group
+useradd -M -r gatus
+
+# Update system
+apt-get install -y apt-utils
+apt-get update && apt-get upgrade -y
+apt-get install -y curl nginx nfs-common
+
+# Install Go (https://go.dev/doc/install)
+cd $GATUS_BUILD_DIR
+curl -Lo go.tar.gz https://go.dev/dl/go1.20.7.linux-armv6l.tar.gz
+tar -C /usr/local -xf go.tar.gz
+export PATH=$PATH:/usr/local/go/bin
+
+# Download Gatus
+GATUS_VERSION=5.5.1
+curl -Lo gatus.tar.gz https://github.com/TwiN/gatus/archive/refs/tags/v$GATUS_VERSION.tar.gz
+tar -xf gatus.tar.gz
+
+# Build Gatus
+cd gatus-$GATUS_VERSION
+CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o gatus .
+
+# Install Gatus
+mv gatus /usr/bin/gatus
+
+# Configure Gatus (https://github.com/TwiN/gatus/tree/master#usage)
+cat <<EOF > $GATUS_CONFIG_PATH
+web:
+ address: 127.0.0.1
+endpoints:
+ - name: website # Name of your endpoint, can be anything
+ url: "https://twin.sh/health"
+ interval: 5m # Duration to wait between every status check (default: 60s)
+ conditions:
+ - "[STATUS] == 200" # Status must be 200
+ - "[BODY].status == UP" # The json path "$.status" must be equal to UP
+ - "[RESPONSE_TIME] < 300" # Response time must be under 300ms
+EOF
+
+# Create Gatus Systemd service
+# https://aur.archlinux.org/cgit/aur.git/tree/gatus.service?h=gatus
+cat <<EOF > /etc/systemd/system/gatus.service
+[Unit]
+Description=Automated service health dashboard
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Type=simple
+User=gatus
+Group=gatus
+ExecStart=/usr/bin/gatus web.address
+Environment=GATUS_CONFIG_PATH=$GATUS_CONFIG_PATH
+Restart=on-failure
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+DevicePolicy=closed
+ReadWritePaths=/var/lib/gatus
+ProtectSystem=strict
+ProtectHome=read-only
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+MemoryDenyWriteExecute=yes
+LockPersonality=yes
+ProtectClock=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectHome=yes
+CapabilityBoundingSet=CAP_NET_RAW
+AmbientCapabilities=CAP_NET_RAW
+UMask=0077
+SystemCallFilter=~@clock
+SystemCallFilter=~@cpu-emulation
+SystemCallFilter=~@debug
+SystemCallFilter=~@module
+SystemCallFilter=~@mount
+SystemCallFilter=~@obsolete
+SystemCallFilter=~@privileged
+SystemCallFilter=~@raw-io
+SystemCallFilter=~@reboot
+SystemCallFilter=~@swap
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+# Mount TLS certificate
+cat <<EOF >> /etc/fstab
+$GATUS_TLS_NFS_SERVER $GATUS_TLS_DIR nfs rw 0 0
+EOF
+
+# Configure Nginx reverse proxy
+cat <<EOF > /etc/nginx/conf.d/gatus.conf
+server {
+ listen 443 ssl;
+
+ ssl_certificate $GATUS_TLS_DIR/fullchain.pem;
+ ssl_certificate_key $GATUS_TLS_DIR/privkey.pem;
+
+ location / {
+ proxy_pass http://127.0.0.1:8080;
+ proxy_set_header Host \$host;
+ proxy_set_header X-Real-IP \$remote_addr;
+ proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto \$scheme;
+ }
+}
+EOF
+
+# Allow Gatus to read config file
+chown gatus: $GATUS_CONFIG_PATH
+
+# Enable Gatus and Nginx
+systemctl enable gatus
+systemctl enable nginx
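Review bot: The Go toolchain (`go1.20.7.linux-armv6l.tar.gz`) and the Gatus source tarball are downloaded and unpacked as root with no integrity check, so the image trusts whatever the network returns; use `curl -fLo` so an HTTP error does not yield an HTML "tarball", and verify the pinned SHA256 before `tar`, e.g. `echo "${GO_SHA256}  go.tar.gz" | sha256sum -c -` with the hash taken from go.dev/dl (and the same for the Gatus archive). The fstab entry mounts the directory that holds `privkey.pem` with `rw`, and NFS without `sec=krb5p` carries that key in cleartext over the network, so tighten it to `ro,nosuid,nodev,noexec` and consider ordering nginx after the mount (`RequiresMountsFor=/etc/nginx/tls` in an nginx drop-in; nginx's unit is not visible here, so I am assuming it does not already wait for remote filesystems). In the unit, `ProtectHome=read-only` and the later `ProtectHome=yes` are both present; systemd keeps the last one, so drop the first. `chown gatus: $GATUS_CONFIG_PATH` makes the service the owner of its own configuration and, under the default build umask, leaves it world-readable; `chown root:gatus "$GATUS_CONFIG_PATH" && chmod 0640 "$GATUS_CONFIG_PATH"` gives read-only access to the service and nothing to other users. `ExecStart=/usr/bin/gatus web.address` looks like a leftover argument since the configuration already arrives through `GATUS_CONFIG_PATH`; confirm against the Gatus CLI and drop it if it is ignored.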