Stackit: deploy wire-server

.github/workflows/custom-artifact.yml

@@ -48,7 +48,7 @@ jobs:
       - name: Build and upload wire-server-deploy container
         run: |
           container_image=$(nix-build --no-out-link -A container)
-          skopeo copy --dest-creds "$DOCKER_LOGIN" \
+          skopeo copy --retry-times 10 --dest-creds "$DOCKER_LOGIN" \
             docker-archive:"$container_image" \
             "docker://quay.io/wire/wire-server-deploy:${{ steps.upload_name.outputs.UPLOAD_NAME }}"
         env:

.github/workflows/offline.yml

@@ -51,7 +51,7 @@ jobs:
         run: |
           container_image=$(nix-build --no-out-link -A container)
 
-          skopeo copy --dest-creds "$DOCKER_LOGIN" \
+          skopeo copy --retry-times 10 --dest-creds "$DOCKER_LOGIN" \
             docker-archive:"$container_image" \
             "docker://quay.io/wire/wire-server-deploy:${{ steps.upload_name.outputs.UPLOAD_NAME }}"
         env:
@@ -68,5 +68,3 @@ jobs:
         run: (cd terraform/examples/wire-server-deploy-offline-hetzner ; terraform init && terraform destroy -auto-approve)
         env:
           HCLOUD_TOKEN: '${{ secrets.HCLOUD_TOKEN }}'
-
-

ansible/ansible.cfg

@@ -11,7 +11,8 @@ gathering               = smart
 host_key_checking       = no
 
 interpreter_python      = /usr/bin/python3
-
+timeout                 = 30
 
 [privilege_escalation]
 become                  = yes
+become_timeout          = 30

ansible/hetzner-single-deploy.yml

@@ -1,9 +1,9 @@
 - hosts: all
   become: true
   vars:
-    artifact_hash: d8fe36747614968ea73ebd43d47b99364c52f9c1
+    artifact_hash: 3a18fae3106968b48b5a3b35f1bd0817ca4e5569
     ubuntu_version: 22.04.5
-    ssh_pubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDPTGTo1lTqd3Ym/75MRyQvj8xZINO/GI6FzfIadSe5c [email protected]"
+    ssh_pubkey: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCvYwUBNBINxRAJWO+zSzDWhmp1he65zW7RTVgKUatku0q3NvIpYFCFbu99EsGRm6fkC5tikT6ucbft+BXbCf5RRo3od4QdmwSTZtE0lyDHGczJCohwDVTMj2vAG7V9f6u/qPu8Pw0nbQTeIyx27B9XDZjCPnvb3nBh6vP7nb5dKTEGW83brtu9rM0sqeovZicxME+PiAHJCHkijE4w1IcMEjuaBBMsSnwOp3C3L1LVc+CJDvjMGiuNquNy+GBmP1R/3vZFXyblrtQfSLo9p39QIDhpwvRS465iaMo7mdWw7RQ9oOwFKCHHzd96zlQFHWzILfgHvFyRyB5b7GZ+bX1tYi9y66JbmCvhD/oSdjQ5EU+UKGdjqklcrnLdvrZq+YFYi1pyeRcLG/5OE+5C0IpH1aOHIeXI4Dq8HDqj4HWO6yvlEXTBrNcl0MI77hd77mT5vfhq8tBKoQdrY4IAjHB/bDhojL67qDcnGX42vsOzOzO+GZA1X9g+//0ehb3e8j/XP1u0qnlzApN+8ete5uR8sqlvWMoJfH62mmthEpIrCAuUpoBSiuNY5eM4arB6Jg3M6avcOjuTGEXEU0QVRhmISAPsTNsyc6KudTl/a3Z8IEMli8jhllENEROITsi4NJyeaCTVrGmqMbndUJObQluSmI+TaKDKJDv6aIZQox6iyQ=="
   tasks:
   - name: set ipv4 forward
     sysctl:
@@ -41,6 +41,7 @@
       - telnet
       - python3-lxml
       - qemu
+      - lxc
       - qemu-kvm
       - qemu-utils
       - libvirt-clients
@@ -50,7 +51,7 @@
   - name: generate german locales
     locale_gen:
       name: de_DE.UTF-8
-      state: present
+      state: present    
   - name: generate us locales
     locale_gen:
       name: en_US.UTF-8
@@ -100,8 +101,8 @@
       src: files/hetzner_server_sshd_config
       dest: /etc/ssh/sshd_config
       mode: 0644
-      owner: root
-      group: root
+      owner: ubuntu
+      group: ubuntu
     notify: sshd | restart
   - name: stop and disable dnsmasq service
     service:
@@ -148,8 +149,8 @@
       src: files/hetzner_server_nftables.conf.j2
       dest: /etc/nftables.conf
       mode: 0750
-      owner: root
-      group: root
+      owner: ubuntu
+      group: ubuntu
     notify: nftables | restart
     when: not nft_deployed.stat.exists
   - name: add local file flag after nftables deployment

bin/autodeploy.sh

@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 # shellcheck disable=SC2087
 set -Eeuo pipefail
-
+set -x
 msg() {
   echo >&2 -e "${1-}"
 }
@@ -81,9 +81,9 @@ parse_params "$@"
 ARTIFACT_HASH="${ARTIFACT_HASH:-5c06158547bc57846eadaa2be5c813ec43be9b59}"
 TARGET_SYSTEM="${TARGET_SYSTEM:-wiab-autodeploy.wire.link}"
 FORCE_REDEPLOY="${FORCE_REDEPLOY:-0}"
-SUBDOMAINS="account assets coturn federator inbucket nginz-https nginz-ssl sft teams webapp"
+SUBDOMAINS=""
 SSH_PORT=22
-SSH_USER=root
+SSH_USER=ubuntu
 DEMO_USER=demo
 SCRIPT_DIR=/home/"$DEMO_USER"/wire-server-deploy
 DO_SYSTEM_CLEANUP=false
@@ -160,18 +160,18 @@ remote_deployment() {
   }
   cd $SCRIPT_DIR &>/dev/null || exit 1
 
-  bash bin/offline-vm-setup.sh
-  msg ""
-  while sudo virsh list --all | grep -Fq running; do
-    sleep 20
-    msg "INFO: VM deployment still in progress ..."
-  done
-  sleep 20
-  msg ""
-  msg "INFO: VM deployment done. Starting all VMs:"
-  msg ""
-  for VM in $(sudo virsh list --all --name); do sudo virsh start "$VM"; done
-  sleep 60
+  #bash bin/offline-vm-stackit.sh
+  # msg ""
+  # while sudo virsh list --all | grep -Fq running; do
+  #   sleep 20
+  #   msg "INFO: VM deployment still in progress ..."
+  # done
+  # sleep 20
+  # msg ""
+  # msg "INFO: VM deployment done. Starting all VMs:"
+  # msg ""
+  # for VM in $(sudo virsh list --all --name); do sudo virsh start "$VM"; done
+  # sleep 60
 
   msg ""
   msg "INFO: Setting up offline environment (this will take a while)."
@@ -202,6 +202,7 @@ ansnode3 ansible_host=192.168.122.33
 
 [all:vars]
 ansible_user = $DEMO_USER
+ansible_ssh_common_args = '-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'
 
 [cassandra:vars]
 cassandra_network_interface = enp1s0
@@ -417,7 +418,7 @@ if [ "$DO_SYSTEM_CLEANUP" = true ] && [ "$FORCE_REDEPLOY" = 1 ]; then
 fi
 
 msg "INFO: Commencing Wire-in-a-box deployment on $TARGET_SYSTEM."
-preprovision_hetzner
+#preprovision_hetzner
 ssh -p "$SSH_PORT" -o StrictHostKeyChecking=no -o ServerAliveInterval=30 -o ServerAliveCountMax=10 "$DEMO_USER"@webapp."$TARGET_SYSTEM" "bash -s" <<EOT
 # Making relevant vars and functions available to remote shell via SSH
 $(declare -p DEMO_USER TARGET_SYSTEM SCRIPT_DIR)

bin/offline-secrets.sh

@@ -63,6 +63,11 @@ team-settings:
     # container is pre-seeded
     # It is just the empty "{}" json hashmap
     configJson: "e30K"
+background-worker:
+  secrets:
+    rabbitmq:
+      username: wire-server
+      password: verysecurepassword
 EOF
 
 fi

bin/offline-vm-stackit-setup_old.sh

@@ -0,0 +1,143 @@
+#!/usr/bin/env bash
+
+set -Eeuo pipefail
+
+msg() {
+  echo >&2 -e "${1-}"
+}
+
+if [[ $EUID -eq 0 ]]; then
+  msg "Please don't run me as root" 1>&2
+  exit 1
+fi
+
+trap cleanup SIGINT SIGTERM ERR EXIT
+
+usage() {
+  cat <<EOF
+Usage: $(basename "${BASH_SOURCE[0]}") [-h] [-v] [--deploy-container name]
+
+Non-interactive script for deploying a standard set of Ubuntu Server containers using LXC.
+All containers are created with static IPs from the default LXC bridge (lxdbr0: 10.0.3.0/24).
+
+Available options:
+-h, --help                Print this help and exit
+-v, --verbose             Print debug info
+--deploy-container name   Deploy a single Ubuntu container
+EOF
+  exit
+}
+
+cleanup() {
+  trap - SIGINT SIGTERM ERR EXIT
+}
+die() {
+  local msg=$1
+  local code=${2-1} # default exit status 1
+  msg "$msg"
+  exit "$code"
+}
+
+parse_params() {
+  while :; do
+    case "${1-}" in
+    -h | --help) usage ;;
+    -v | --verbose) set -x ;;
+    --deploy-container) ;;
+    -?*) die "Unknown option: $1" ;;
+    *) break ;;
+    esac
+    shift
+  done
+  return 0
+}
+
+parse_params "$@"
+
+CONTAINER_NAME=(assethost kubenode1 kubenode2 kubenode3 ansnode1 ansnode2 ansnode3)
+CONTAINER_IP=(10.0.3.10 10.0.3.21 10.0.3.22 10.0.3.23 10.0.3.31 10.0.3.32 10.0.3.33)
+CONTAINER_RAM=(4096 8192 8192 8192 8192 8192 8192)
+CONTAINER_CPU=(2 6 6 6 4 4 4)
+
+if [[ -f "$HOME/.ssh/authorized_keys" && -s "$HOME/.ssh/authorized_keys" ]]; then
+  SSH_KEY=$(head -n 1 "$HOME/.ssh/authorized_keys")
+else
+  read -r -p "No SSH key found; please enter a valid SSH key: " SSH_KEY
+fi
+
+msg ""
+msg "Including the following SSH Key for container deployment:"
+msg "$SSH_KEY"
+msg ""
+
+# Ensure the default storage pool exists
+msg "Checking storage pool configuration..."
+if ! lxc storage list | grep -q "default"; then
+  msg "Default storage pool not found. Creating it..."
+  lxc storage create default dir
+else
+  msg "Default storage pool already exists."
+fi
+
+# Ensure the default profile has a root device configured
+msg "Checking default profile configuration..."
+if ! lxc profile show default | grep -q "root"; then
+  msg "Root device missing in default profile. Adding it..."
+  lxc profile device add default root disk path=/ pool=default
+else
+  msg "Default profile is correctly configured."
+fi
+
+# Ensure the default network exists
+msg "Checking network configuration..."
+if ! lxc network list | grep -q "lxdbr0"; then
+  msg "Default network lxdbr0 not found. Creating it..."
+  lxc network create lxdbr0
+  lxc network set lxdbr0 ipv4.address 10.0.3.1/24
+  lxc network set lxdbr0 ipv4.nat true
+  lxc network set lxdbr0 ipv6.address none
+else
+  msg "Default network lxdbr0 already exists."
+fi
+
+create_container() {
+  local name=$1
+  local ip=$2
+  local ram=$3
+  local cpu=$4
+
+  msg "Creating container: $name"
+  lxc launch ubuntu-daily:jammy "$name"  --storage default
+
+  msg "Configuring container resources..."
+  lxc config set "$name" limits.memory "${ram}MB"
+  lxc config set "$name" limits.cpu "$cpu"
+
+  msg "Attaching network and configuring static IP: $ip"
+  lxc network attach lxdbr0 "$name" eth0
+  lxc config device set "$name" eth0 ipv4.address "$ip"
+
+  msg "Creating demo user and adding SSH key..."
+  lxc exec "$name" -- bash -c "
+    if ! id -u demo > /dev/null 2>&1; then
+      adduser --disabled-password --gecos '' demo
+      usermod -aG sudo demo
+    fi
+    mkdir -p /home/demo/.ssh
+    echo \"$SSH_KEY\" > /home/demo/.ssh/authorized_keys
+    chown -R demo:demo /home/demo/.ssh
+    chmod 600 /home/demo/.ssh/authorized_keys
+  "
+
+  msg "Starting container..."
+  lxc restart "$name"
+}
+
+for ((i = 0; i < ${#CONTAINER_NAME[@]}; i++)); do
+  if lxc list | grep -q "${CONTAINER_NAME[i]}"; then
+    msg "Container ${CONTAINER_NAME[i]} already exists. Skipping..."
+    continue
+  else
+    create_container "${CONTAINER_NAME[i]}" "${CONTAINER_IP[i]}" "${CONTAINER_RAM[i]}" "${CONTAINER_CPU[i]}"
+  fi
+done