fix: working on infrastructure with Pulumi

Author: Dimy Jeannot

apps/clients/public/cli/v2alpha/oeco/docs/flow.md

@@ -73,7 +73,7 @@ sequenceDiagram
 
 ```
 
-## Traffic Flow Across Mesh
+## Traffic Flow Across Meshes
 Once client connection to mesh is established, all traffic no longer goes through edge-router (Ideally it does, revisit this)
 
 Now, .mesh urls are now available. For example: system.api.organization.mesh/v2alpha/connector

infrastructure/apps/workloads/private/edge/v2alpha/edge-router/communication-edge-router.tar.gz

@@ -1,29 +1,86 @@
 package main
 
 import (
+	"libs/private/go/infrastructure/v2alpha"
+	sdkv2alphalib "libs/public/go/sdk/v2alpha"
+
 	"github.com/pulumi/pulumi-fastly/sdk/v8/go/fastly"
 	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
-	"libs/private/go/infrastructure/v2alpha"
 )
 
 func main() {
-
 	bounds := []sdkv2alphalib.Binding{}
 
 	infrastructure := infrastructurev2alphalib.NewInfrastructure(bounds)
 
-	//config := infrastructure.Config
-	//name := infrastructurev2alphalib.ShortenString(config.App.EnvironmentName+"-"+config.App.Name, 63)
+	// cnf := infrastructure.Config
+	// name := infrastructurev2alphalib.ShortenString(cnf.App.EnvironmentName+"-"+cnf.App.Name, 63)
+
+	// Create Config Store
+	// Create DNS Records
+	// Create
 
 	infrastructure.Run(func(ctx *pulumi.Context) error {
+		//exampleConfigstore, err := fastly.NewConfigstore(ctx, "config", &fastly.ConfigstoreArgs{
+		//	Name: pulumi.String("config"),
+		//})
+		//if err != nil {
+		//	return err
+		//}
+
+		// name := "api.system." + cnf.App.EnvironmentName + ".oeco.cloud"
+		name := "api.system.dev-1.oeco.cloud"
 
-		_, err := fastly.NewServiceVcl(ctx, "myservice", &fastly.ServiceVclArgs{
-			Name: pulumi.String("myawesometestservice"),
+		exampleConfigstore, err := fastly.NewConfigstore(ctx, "example", &fastly.ConfigstoreArgs{
+			Name: pulumi.String("my_config_store"),
 		})
 		if err != nil {
 			return err
 		}
-		return nil
 
+		pkg, err := fastly.GetPackageHash(ctx, &fastly.GetPackageHashArgs{
+			Filename: pulumi.StringRef("communication-edge-router.tar.gz"),
+		}, nil)
+		if err != nil {
+			return err
+		}
+
+		_, err = fastly.NewServiceCompute(ctx, name, &fastly.ServiceComputeArgs{
+			Name: pulumi.String(name + "1"),
+			// Activate: pulumi.Bool(true),
+			// Comment:  pulumi.String("Communication System Edge Router"),
+			Domains: fastly.ServiceComputeDomainArray{
+				&fastly.ServiceComputeDomainArgs{
+					Name: pulumi.String(name),
+				},
+			},
+			Package: &fastly.ServiceComputePackageArgs{
+				Filename:       pulumi.String("communication-edge-router.tar.gz"),
+				SourceCodeHash: pulumi.String(pkg.Hash),
+			},
+			ResourceLinks: fastly.ServiceComputeResourceLinkArray{
+				&fastly.ServiceComputeResourceLinkArgs{
+					Name:       pulumi.String("my_resource_link"),
+					ResourceId: exampleConfigstore.ID(),
+				},
+			},
+			ForceDestroy: pulumi.Bool(true),
+			//ProductEnablement: &fastly.ServiceComputeProductEnablementArgs{
+			//	Fanout:     pulumi.Bool(true),
+			//	Websockets: pulumi.Bool(true),
+			//},
+			//ResourceLinks: fastly.ServiceComputeResourceLinkArray{
+			//	&fastly.ServiceComputeResourceLinkArgs{
+			//		Name:       pulumi.String("string"),
+			//		ResourceId: pulumi.String("string"),
+			//		LinkId:     pulumi.String("string"),
+			//	},
+			//},
+			//VersionComment: pulumi.String("Managed with Pulumi: Organization: " + ctx.Organization() + "; Project: " + ctx.Project() + "; Stack: " + ctx.Stack()),
+		})
+		if err != nil {
+			return err
+		}
+		return nil
 	})
 }

infrastructure/apps/workloads/private/edge/v2alpha/edge-router/main.go

@@ -0,0 +1,5 @@
+app:
+  name: 'edge-v2alpha-edge-router'
+  version: 'v2.0.0'
+  environmentName: 'local-1'
+  environmentType: 'local'

infrastructure/apps/workloads/private/edge/v2alpha/edge-router/spec.yaml

@@ -1,6 +1,17 @@
 # Allow port 6477 and 4222 on this server as it actually listens on ports
 
-# Install Nebula client using TUN device
+- Install Nebula client using TUN device
+- Route all traffic through TUN device except for what is on port 6477
+- Bind port 4222 to TUN device
+- Bind port 6477 to eth0 device
+
+run as nonroot
+
+- Download binary
+- Untar
+- chmod +x
+copy spec.yaml
+- Mount block storagedrive and backup drive
 
 # Allow Fastly to connect via mTLS
 

infrastructure/apps/workloads/private/event/v2alpha/event-multiplexer/README.md

@@ -0,0 +1 @@
+{environment: [workloads-public-mesh-v2alpha-lighthouse/lighthouse], config: {'workloads-public-mesh-v2alpha-lighthouse:publicKey': ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVJUmm/xu38+qrMM3aMEWYI3oNNKVTn0+vF656S5RbTzlf4ZCBKqtX4qb1hDqsmgbYxZ0m8cRM0IrOnpQ6gAbQs7ddsDtSnzTekx9uvX/9z8hBklKRr93pLgT+yp5z2sQaHQ97TVfZjyeC+2utSnpWd12zHhIGd1R8QaROkjY9ho6CHnW1SEdSuY7Wh+Ye6Ho5fMtf3zBpjg3jFnWxagEBrj6tJber8EFh9Ge+dVXQAwkjql8yOpKrumq0NlJXZo5zs4ulkkh7ibT0Z4dQDea5ZTe7Sq6CM3YdsVgBrgVY4N+QRWZEfaSIU/GHht3q4sx+ZBPK5ObAqjXiIooT3X8j dimy@jeannotfamily.com, 'workloads-public-mesh-v2alpha-lighthouse:caCrt': "-----BEGIN NEBULA CERTIFICATE-----\nCkYKFE9wZW4gRWNvc3lzdGVtcywgSW5jKJXh5bsGMJXI6soGOiBPBg+axf0/kr+2\nJFR5zoIprGzUMux1e4Xn8r2LNXtb4UABEkB3XmbVDDYyBQJP9yDz23O7tGCBpmQg\n+SjO6MZf61dHcywoKHcsoI7hJGAH45pxMLSjdqrgizpUBa/fQ8eJhY0E\n-----END NEBULA CERTIFICATE-----", 'workloads-public-mesh-v2alpha-lighthouse:hostCrt': "-----BEGIN NEBULA CERTIFICATE-----\nCn0KH2xvY2FsLTEtbWVzaC12MmFscGhhLWxpZ2h0aG91c2USCoHIoYUMgP7//w8o\nyuHluwYwlMjqygY6IFje4h+K3O69JE0f7uVNlM+08XwKFMYqDiZ8QHLrW3M3SiBt\n2p/vFggWouJBA7f+BaoZGCNpuwpzek4eVuLSEeR/whJApDqwoYs43/iuIQbjEKGh\nrqZXM99yFdD9twC4Y10PTuON6liEUlmBIXYqmW5nnuQvYpinosBpwaQR1Tdaa7tx\nAw==\n-----END NEBULA CERTIFICATE-----", 'workloads-public-mesh-v2alpha-lighthouse:hostKey': "-----BEGIN NEBULA X25519 PRIVATE KEY-----\nfUpncxjrNYaBDR/lhDOUtbMqw4qIW1zbBwKGaB764yo=\n-----END NEBULA X25519 PRIVATE KEY-----"}}

infrastructure/apps/workloads/public/mesh/v2alpha/lighthouse/Pulumi.dev-1.yaml

@@ -1,3 +1,3 @@
-name: workloads-private-event-v2alpha-event-multiplexer
-description: An event multiplexer
+name: workloads-public-mesh-v2alpha-lighthouse
+description: A lighthouse
 runtime: go

infrastructure/apps/workloads/public/mesh/v2alpha/lighthouse/Pulumi.lighthouse.yaml

@@ -5,7 +5,32 @@ Copy over
 - server.crt
 - server.key
 
+create new nonroot user
+
+run everything as nonroot
 
 mv ca.crt /etc/nebula/ca.crt
 mv server.crt /etc/nebula/host.crt
-mv server.key /etc/nebula/host.key
+mv server.key /etc/nebula/host.key
+
+download and untar lighthouse.tar.gz
+chmod +x lighthouse
+add script to run on startup
+
+
+Open firewall 4242/udp
+
+pulumi config set version
+cat /path/to/id.pub | pulumi config set publicKey
+cat /path/to/ca.crt | pulumi config set caCrt
+
+
+./nebula-cert ca -name "Open Ecosystems, Inc"
+./nebula-cert sign -name "local-1-mesh-v2alpha-lighthouse" -ip "192.168.100.1/24"
+./nebula-cert sign -name "local-1-event-v2alpha-event-multiplexer" -ip "192.168.100.5/24" -groups "multiplexers,ssh"
+
+cat ca.crt | pulumi config set caCrt
+cat local-1-mesh-v2alpha-lighthouse.crt | pulumi config set hostCrt
+cat local-1-mesh-v2alpha-lighthouse.key | pulumi config set hostKey
+
+./nebula-cert sign -name "configuration-v2alpha-configuration" -ip "192.168.100.9/24" -groups "connectors"

infrastructure/apps/workloads/public/mesh/v2alpha/lighthouse/Pulumi.yaml

@@ -0,0 +1,107 @@
+#cloud-config
+package_update: true
+package_upgrade: true
+users:
+  - default
+  - name: notroot
+    groups:
+      - sudo
+    sudo:
+      - ALL=(ALL) NOPASSWD:ALL
+    shell: /bin/bash
+	lock_passwd: true
+    ssh_authorized_keys:
+      - %s
+
+write_files:
+  - path: /etc/motd
+    content: |
+      Welcome to your Lighthouse!
+  - path: /etc/nebula/ca.crt
+    content: |
+      %s
+  - path: /etc/nebula/host.crt
+    content: |
+      %s
+  - path: /etc/nebula/host.key
+    content: |
+      %s
+
+runcmd:
+  - curl -L https://github.com/openecosystems/ecosystem/releases/download/apps-workloads-public-mesh-v2alpha-lighthouse%2Fdevel/apps-workloads-public-mesh-v2alpha-lighthouse_%s_Linux_x86_64.tar.gz | tar zx --strip-components=1 --directory /opt
+  - chmod +x /opt/app
+
+
+#cloud-config
+package_update: true
+package_upgrade: true
+users:
+  - default
+  - name: notroot
+    groups:
+      - sudo
+    sudo:
+      - ALL=(ALL) NOPASSWD:ALL
+    shell: /bin/bash
+    lock_passwd: true
+    ssh_authorized_keys:
+      - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVJUmm/xu38+qrMM3aMEWYI3oNNKVTn0+vF656S5RbTzlf4ZCBKqtX4qb1hDqsmgbYxZ0m8cRM0IrOnpQ6gAbQs7ddsDtSnzTekx9uvX/9z8hBklKRr93pLgT+yp5z2sQaHQ97TVfZjyeC+2utSnpWd12zHhIGd1R8QaROkjY9ho6CHnW1SEdSuY7Wh+Ye6Ho5fMtf3zBpjg3jFnWxagEBrj6tJber8EFh9Ge+dVXQAwkjql8yOpKrumq0NlJXZo5zs4ulkkh7ibT0Z4dQDea5ZTe7Sq6CM3YdsVgBrgVY4N+QRWZEfaSIU/GHht3q4sx+ZBPK5ObAqjXiIooT3X8j dimy@jeannotfamily.com
+write_files:
+  - path: /etc/motd
+    content: |
+      Welcome to your Lighthouse!
+  - content: |
+      [Unit]
+      Description=Lighthouse Service
+      ConditionPathExists=/opt/app
+      After=network.target
+      [Service]
+      Type=simple
+      User=notroot
+      Group=notroot
+      LimitNOFILE=1024
+      Restart=on-failure
+      RestartSec=10
+      startLimitIntervalSec=60
+      WorkingDirectory=/opt
+      ExecStart=/opt/app
+      # make sure log directory exists and owned by syslog
+      PermissionsStartOnly=true
+      ExecStartPre=/bin/mkdir -p /var/log/app
+      ExecStartPre=/bin/chown syslog:adm /var/log/app
+      ExecStartPre=/bin/chmod 755 /var/log/app
+      SyslogIdentifier=app
+      [Install]
+      WantedBy=multi-user.target
+    path: /lib/systemd/system/lighthouse.service
+    permissions: '0755'
+    defer: true
+  - path: /etc/nebula/ca.crt
+    content: |
+        -----BEGIN NEBULA CERTIFICATE-----
+        CkYKFE9wZW4gRWNvc3lzdGVtcywgSW5jKJXh5bsGMJXI6soGOiBPBg+axf0/kr+2
+        JFR5zoIprGzUMux1e4Xn8r2LNXtb4UABEkB3XmbVDDYyBQJP9yDz23O7tGCBpmQg
+        +SjO6MZf61dHcywoKHcsoI7hJGAH45pxMLSjdqrgizpUBa/fQ8eJhY0E
+        -----END NEBULA CERTIFICATE-----
+  - path: /etc/nebula/host.crt
+    content: |
+        -----BEGIN NEBULA CERTIFICATE-----
+        Cn0KH2xvY2FsLTEtbWVzaC12MmFscGhhLWxpZ2h0aG91c2USCoHIoYUMgP7//w8o
+        yuHluwYwlMjqygY6IFje4h+K3O69JE0f7uVNlM+08XwKFMYqDiZ8QHLrW3M3SiBt
+        2p/vFggWouJBA7f+BaoZGCNpuwpzek4eVuLSEeR/whJApDqwoYs43/iuIQbjEKGh
+        rqZXM99yFdD9twC4Y10PTuON6liEUlmBIXYqmW5nnuQvYpinosBpwaQR1Tdaa7tx
+        Aw==
+        -----END NEBULA CERTIFICATE-----
+  - path: /etc/nebula/host.key
+    content: |
+        -----BEGIN NEBULA X25519 PRIVATE KEY-----
+        fUpncxjrNYaBDR/lhDOUtbMqw4qIW1zbBwKGaB764yo=
+        -----END NEBULA X25519 PRIVATE KEY-----
+runcmd:
+  - sed -i '/PermitRootLogin/d' /etc/ssh/sshd_config
+  - echo "PermitRootLogin no" >> /etc/ssh/sshd_config
+  - systemctl restart sshd
+  - curl -L https://github.com/openecosystems/ecosystem/releases/download/apps-workloads-public-mesh-v2alpha-lighthouse/devel/apps-workloads-public-mesh-v2alpha-lighthouse_0.33.1-devel_Linux_x86_64.tar.gz | tar zx --strip-components=1 --directory /opt
+  - chmod +x /opt/app
+  - systemctl enable lighthouse.service
+  - systemctl start lighthouse.service