A collection of scripts for standing up Linode infra. It's only been tested to run Fedora 28+ VMs.
This script is meant to be submitted as a StackScript on the Linode platform. It takes the following parameters:
GIT_REPO
: The git repository where second stage scripts can be pulled.GIT_BRANCH
: The git repository branch where second stage scripts can be pulled.GIT_ACCESS_KEY64
: A base64 encoded RSA private key to download the git repo.VAULT_PASSWORD
: The password that can be used to decrypt vault files (ie. ansible-vault)
It will download the private git repo and then execute a second stage script within the repo named "stage2.sh". It is assumed that subsequent changes will be delegated to configuration management (ie. ansible, puppet, chef, etc.).
This is the second stage bootstrap script, intended to setup configuration management. It will accept three parameters (GIT_REPO
, GIT_BRANCH
, LINODE_ID
), install ansible, and kick off ansible-pull.
This is the common ansible playbook for all hosts that pull this repo via ansible-pull. At the very least, it will configure SSH and install a cronjob to ensure future ansible-pulls. For something more specific, ansible-pull allows yaml files named after the hostname (which will override local.yml).
Some additional tasks: set timezone, SSH daemon config hardening, public SSH CA Key install, non-root user added, /etc/issue install.
Instead of installing public keys in each user's authorized_keys, local.yml will install a public CA key under /etc/ssh/ca.pub
. Users can login using ssh keys that are signed by this CA. There are great write-ups on this page and this page, but once you have created a CA key, add the public portion to your templates/ca.pub.
$ ssh-keygen -C CA -f ca
This sets up a certificate authority for signing certificates. You should have two files, ca (the private key) and ca.pub (the public key). Make sure to lock-down access to your ca file (ie. 0400 permissions, root ownership).
$ ssh-keygen -s ca -I mjeromin -V +1w -z 1 -n root,mjeromin id_rsa.pub
This command uses the private CA key stored in the ca file to sign the public portion of the user SSH keypair, id_rsa.pub. The certificate ID will be mjeromin (named after the user ID), the signature is valid for 1 week, the signature serial number is "1", and the certificate is valid for login to usernames (aka. principals): root and mjeromin -- assuming principals have been enabled in sshd_config. There are other ways we can apply restrictions on the usage of signed keys, take a look at this page or the man page.
Using Linode API v4, this script will provision VM instances based on YAML configuration found in a file named config.yml in the same directory. An example is included as filename config.yml.example. However, you can use a different filename for your configuration. For example:
./provision_instances.py --config dev.yml
ssh [email protected] [id: linodexxxxxxxx]
Current instances: 1
- linodexxxxxxxx
Using Linode API v4, this script will help list details of public images, instance types, and regions.
contrib/config-helper.sh [images|sizes|regions]
images: prints a list of public images.
sizes: prints a collection of Linode Types, including pricing and specifications.
regions: prints the regions available for Linode services.