fix: working on infrastructure with Pulumi

Author: Dimy Jeannot

go.work

@@ -22,6 +22,7 @@ use (
 	./infrastructure/apps/workloads/private/edge/v2alpha/edge-router
 	./infrastructure/apps/workloads/private/event/v2alpha/event-multiplexer
 	./infrastructure/apps/workloads/public/mesh/v2alpha/lighthouse
+	./infrastructure/apps/workloads/public/cryptography/v2alpha/account-authority
 
 	// Partner libraries
 	// ===================================

infrastructure/apps/workloads/public/cryptography/v2alpha/account-authority/.eslintrc.json

@@ -0,0 +1,10 @@
+{
+  "extends": ["../../../../../../.eslintrc.json"],
+  "ignorePatterns": ["!**/*"],
+  "overrides": [
+    {
+      "files": ["*.yaml", "*.yml"],
+      "rules": {}
+    }
+  ]
+}

infrastructure/apps/workloads/public/cryptography/v2alpha/account-authority/Pulumi.yaml

@@ -0,0 +1,3 @@
+name: workloads-public-cryptography-v2alpha-account-authority
+description: An Account Authority
+runtime: go

infrastructure/apps/workloads/public/cryptography/v2alpha/account-authority/README.md

@@ -0,0 +1 @@
+#

infrastructure/apps/workloads/public/cryptography/v2alpha/account-authority/cloud-init.go

@@ -0,0 +1,87 @@
+package main
+
+import (
+	"fmt"
+	infrastructurev2alphalib "libs/private/go/infrastructure/v2alpha"
+)
+
+func cloudinit(key, caCrt, hostCrt, hostKey, version string) string {
+	_caCrt := infrastructurev2alphalib.WriteIndentedMultilineText(caCrt)
+	_hostCrt := infrastructurev2alphalib.WriteIndentedMultilineText(hostCrt)
+	_hostKey := infrastructurev2alphalib.WriteIndentedMultilineText(hostKey)
+
+	return fmt.Sprintf(
+		`#cloud-config
+package_update: true
+package_upgrade: true
+users:
+  - default
+  - name: notroot
+    groups: sudo
+    sudo:
+      - ALL=(ALL) NOPASSWD:ALL
+    shell: /bin/bash
+    lock_passwd: true
+    ssh_authorized_keys:
+      - %s
+write_files:
+  - path: /etc/motd
+    content: |
+      Welcome to your Lighthouse!
+  - content: |
+      [Unit]
+      Description=Lighthouse Service
+      ConditionPathExists=/opt/app
+      After=network.target
+       
+      [Service]
+      Type=simple
+      User=notroot
+      Group=notroot
+      LimitNOFILE=1024
+      
+      Restart=on-failure
+      RestartSec=10
+      startLimitIntervalSec=60
+      
+      WorkingDirectory=/opt
+      ExecStart=/opt/app
+      
+      # make sure log directory exists and owned by syslog
+      #PermissionsStartOnly=true
+      #ExecStartPre=/bin/mkdir -p /var/log/app
+      #ExecStartPre=/bin/chown syslog:adm /var/log/app
+      #ExecStartPre=/bin/chmod 755 /var/log/app
+      #SyslogIdentifier=app
+       
+      [Install]
+      WantedBy=multi-user.target
+    path: /lib/systemd/system/lighthouse.service
+    permissions: '0755'
+    defer: true
+  - path: /etc/nebula/ca.crt
+    content: |
+%s
+  - path: /etc/nebula/host.crt
+    content: |
+%s
+  - path: /etc/nebula/host.key
+    content: |
+%s
+
+packages:
+  - polkitd
+
+runcmd:
+  - sed -i '/PermitRootLogin/d' /etc/ssh/sshd_config
+  - echo "PermitRootLogin no" >> /etc/ssh/sshd_config
+  - echo "PasswordAuthentication no" >> /etc/ssh/sshd_config
+  - echo "ChallengeResponseAuthentication no" >> /etc/ssh/sshd_config
+  - systemctl restart sshd
+  - curl -L https://github.com/openecosystems/ecosystem/releases/download/apps-workloads-public-mesh-v2alpha-lighthouse/devel/apps-workloads-public-mesh-v2alpha-lighthouse_%s_Linux_x86_64.tar.gz | tar zx --strip-components=1 --directory /opt
+  - chmod +x /opt/app
+  - sudo systemctl enable lighthouse.service
+  - sudo systemctl start lighthouse.service
+
+`, key, _caCrt, _hostCrt, _hostKey, version)
+}

infrastructure/apps/workloads/public/cryptography/v2alpha/account-authority/go.mod

@@ -0,0 +1,97 @@
+module infrastructure/apps/workloads/public/cryptography/v2alpha/account-authority
+
+go 1.23
+
+require (
+	github.com/dirien/pulumi-vultr/sdk/v2 v2.21.1
+	github.com/pulumi/pulumi/sdk/v3 v3.137.0
+)
+
+require (
+	dario.cat/mergo v1.0.0 // indirect
+	github.com/BurntSushi/toml v1.3.2 // indirect
+	github.com/Microsoft/go-winio v0.6.1 // indirect
+	github.com/ProtonMail/go-crypto v1.0.0 // indirect
+	github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da // indirect
+	github.com/agext/levenshtein v1.2.3 // indirect
+	github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
+	github.com/atotto/clipboard v0.1.4 // indirect
+	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
+	github.com/blang/semver v3.5.1+incompatible // indirect
+	github.com/charmbracelet/bubbles v0.16.1 // indirect
+	github.com/charmbracelet/bubbletea v0.25.0 // indirect
+	github.com/charmbracelet/lipgloss v0.7.1 // indirect
+	github.com/cheggaaa/pb v1.0.29 // indirect
+	github.com/cloudflare/circl v1.3.7 // indirect
+	github.com/containerd/console v1.0.4-0.20230313162750-1ae8d489ac81 // indirect
+	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/djherbis/times v1.5.0 // indirect
+	github.com/emirpasic/gods v1.18.1 // indirect
+	github.com/fatih/color v1.14.1 // indirect
+	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
+	github.com/go-git/go-billy/v5 v5.5.0 // indirect
+	github.com/go-git/go-git/v5 v5.12.0 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/glog v1.2.1 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/grpc-ecosystem/grpc-opentracing v0.0.0-20180507213350-8e809c8a8645 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/hashicorp/hcl/v2 v2.17.0 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
+	github.com/kevinburke/ssh_config v1.2.0 // indirect
+	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mattn/go-localereader v0.0.1 // indirect
+	github.com/mattn/go-runewidth v0.0.15 // indirect
+	github.com/mitchellh/go-ps v1.0.0 // indirect
+	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
+	github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 // indirect
+	github.com/muesli/cancelreader v0.2.2 // indirect
+	github.com/muesli/reflow v0.3.0 // indirect
+	github.com/muesli/termenv v0.15.2 // indirect
+	github.com/opentracing/basictracer-go v1.1.0 // indirect
+	github.com/opentracing/opentracing-go v1.2.0 // indirect
+	github.com/pgavlin/fx v0.1.6 // indirect
+	github.com/pjbgf/sha1cd v0.3.0 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pkg/term v1.1.0 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231 // indirect
+	github.com/pulumi/esc v0.9.1 // indirect
+	github.com/rivo/uniseg v0.4.4 // indirect
+	github.com/rogpeppe/go-internal v1.12.0 // indirect
+	github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06 // indirect
+	github.com/santhosh-tekuri/jsonschema/v5 v5.0.0 // indirect
+	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
+	github.com/skeema/knownhosts v1.2.2 // indirect
+	github.com/spf13/cobra v1.7.0 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/stretchr/objx v0.5.2 // indirect
+	github.com/texttheater/golang-levenshtein v1.0.1 // indirect
+	github.com/uber/jaeger-client-go v2.30.0+incompatible // indirect
+	github.com/uber/jaeger-lib v2.4.1+incompatible // indirect
+	github.com/xanzy/ssh-agent v0.3.3 // indirect
+	github.com/zclconf/go-cty v1.13.2 // indirect
+	go.uber.org/atomic v1.10.0 // indirect
+	golang.org/x/crypto v0.27.0 // indirect
+	golang.org/x/exp v0.0.0-20240604190554-fc45aab8b7f8 // indirect
+	golang.org/x/mod v0.18.0 // indirect
+	golang.org/x/net v0.29.0 // indirect
+	golang.org/x/sync v0.8.0 // indirect
+	golang.org/x/sys v0.25.0 // indirect
+	golang.org/x/term v0.24.0 // indirect
+	golang.org/x/text v0.18.0 // indirect
+	golang.org/x/tools v0.22.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 // indirect
+	google.golang.org/grpc v1.66.1 // indirect
+	google.golang.org/protobuf v1.34.2 // indirect
+	gopkg.in/warnings.v0 v0.1.2 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	lukechampine.com/frand v1.4.2 // indirect
+
+)

infrastructure/apps/workloads/public/cryptography/v2alpha/account-authority/main.go

@@ -0,0 +1,98 @@
+package main
+
+import (
+	"encoding/base64"
+	"libs/private/go/infrastructure/v2alpha"
+	"libs/public/go/sdk/v2alpha"
+
+	"github.com/dirien/pulumi-vultr/sdk/v2/go/vultr"
+	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
+	"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
+)
+
+func main() {
+	bounds := []sdkv2alphalib.Binding{}
+
+	infrastructure := infrastructurev2alphalib.NewInfrastructure(bounds)
+
+	cnf := infrastructure.Config
+	name := infrastructurev2alphalib.ShortenString(cnf.App.EnvironmentName+"-"+cnf.App.Name, 63)
+
+	infrastructure.Run(func(ctx *pulumi.Context) error {
+		cfg := config.New(ctx, "")
+		version := cfg.Require("version")
+		publicKey := cfg.Require("publicKey")
+		caCrt := cfg.Require("caCrt")
+		hostCrt := cfg.Require("hostCrt")
+		hostKey := cfg.Require("hostKey")
+
+		script, err := vultr.NewStartupScript(ctx, name, &vultr.StartupScriptArgs{
+			Name:   pulumi.String(name + "-startup-script"),
+			Script: pulumi.String(base64.StdEncoding.EncodeToString([]byte(cloudinit(publicKey, caCrt, hostCrt, hostKey, version)))),
+			Type:   pulumi.String("boot"),
+		})
+		if err != nil {
+			return err
+		}
+
+		firewallGroup, err := vultr.NewFirewallGroup(ctx, "AccountAuthorityInbound", &vultr.FirewallGroupArgs{
+			Description: pulumi.String("Account Authority Firewall Group"),
+		})
+		if err != nil {
+			return err
+		}
+
+		_, err = vultr.NewFirewallRule(ctx, "22/tcp", &vultr.FirewallRuleArgs{
+			FirewallGroupId: firewallGroup.ID(),
+			Protocol:        pulumi.String("tcp"),
+			IpType:          pulumi.String("v4"),
+			Subnet:          pulumi.String("0.0.0.0"),
+			SubnetSize:      pulumi.Int(0),
+			Port:            pulumi.String("22"),
+			Notes:           pulumi.String("22/tcp/v4"),
+		})
+		if err != nil {
+			return err
+		}
+
+		_, err = vultr.NewFirewallRule(ctx, "ICMP", &vultr.FirewallRuleArgs{
+			FirewallGroupId: firewallGroup.ID(),
+			Protocol:        pulumi.String("icmp"),
+			IpType:          pulumi.String("v4"),
+			Subnet:          pulumi.String("0.0.0.0"),
+			SubnetSize:      pulumi.Int(0),
+			Notes:           pulumi.String("ICMP/v4"),
+		})
+		if err != nil {
+			return err
+		}
+
+		_, err = vultr.NewInstance(ctx, name, &vultr.InstanceArgs{
+			ActivationEmail: pulumi.Bool(false),
+			Backups:         pulumi.String("enabled"),
+			BackupsSchedule: &vultr.InstanceBackupsScheduleArgs{
+				Type: pulumi.String("daily"),
+			},
+			DdosProtection:    pulumi.Bool(false),
+			DisablePublicIpv4: pulumi.Bool(false),
+			EnableIpv6:        pulumi.Bool(false),
+			FirewallGroupId:   firewallGroup.ID(),
+			Hostname:          pulumi.String(name),
+			Label:             pulumi.String(name),
+			OsId:              pulumi.Int(2136),                // "Debian 12 x64 (bookworm)"
+			Plan:              pulumi.String("vhp-1c-1gb-amd"), // AMD High Performance
+			Region:            pulumi.String("lax"),
+			ScriptId:          script.ID(),
+			Tags: pulumi.StringArray{
+				pulumi.String("system:cryptography"),
+				pulumi.String("language:golang"),
+				pulumi.String("cycle:public"),
+				pulumi.String("version:v2alpha"),
+			},
+		})
+		if err != nil {
+			return err
+		}
+		return nil
+	})
+}

infrastructure/apps/workloads/public/cryptography/v2alpha/account-authority/project.json

@@ -0,0 +1,17 @@
+{
+  "name": "infrastructure-apps-workloads-public-cryptography-v2alpha-account-authority",
+  "$schema": "../../../../../../../node_modules/nx/schemas/project-schema.json",
+  "projectType": "application",
+  "sourceRoot": "infrastructure/apps/workloads/public/cryptography/v2alpha/account-authority",
+  "targets": {
+
+  },
+  "tags": [
+    "type:infrastructure",
+    "cycle:public",
+    "language:golang",
+    "system:cryptography",
+    "version:v2alpha",
+    "exposure:internal"
+  ]
+}

infrastructure/apps/workloads/public/cryptography/v2alpha/account-authority/spec.yaml

@@ -0,0 +1,5 @@
+app:
+  name: 'cryptography-v2alpha-account-authority'
+  version: 'v2.0.0'
+  environmentName: 'local-1'
+  environmentType: 'local'

infrastructure/env/dev-1.properties

@@ -0,0 +1 @@
+apps/workloads/private/event/v2alpha/event-multiplexer=0.33.1-devel