From bd4b8406ddf02f6223fc1f508c4102d42765ead7 Mon Sep 17 00:00:00 2001
From: Jesse Luehrs
Date: Tue, 16 Oct 2018 04:25:09 -0400
Subject: support managing algo instances

---
 bin/helpers/algo-config.diff | 45 +++++++++++++++++++++++++++++++++
 bin/helpers/launch-algo | 60 ++++++++++++++++++++++++++++++++++++++++++++
 bin/launch | 4 +--
 bin/terminate | 2 +-
 4 files changed, 108 insertions(+), 3 deletions(-)
 create mode 100644 bin/helpers/algo-config.diff
 create mode 100755 bin/helpers/launch-algo
(limited to 'bin')

diff --git a/bin/helpers/algo-config.diff b/bin/helpers/algo-config.diff
new file mode 100644
index 0000000..662b165
--- /dev/null
+++ b/bin/helpers/algo-config.diff
@@ -0,0 +1,45 @@
+diff --git i/config.cfg w/config.cfg
+index d61e404..003308a 100644
+--- i/config.cfg
++++ w/config.cfg
+@@ -3,8 +3,11 @@
+ # Add as many users as you want for your VPN server here.
+ # Credentials will be generated for each one.
+ users:
+- - dan
+- - jack
++ - hush
++ - bishamon
++ - phone
++ - tozt
++ - mail
+ 
+ # NOTE: If your usernames have leading 0's, like "000dan", you have to escape them
+ 
+@@ -26,7 +29,7 @@ wireguard_port: 51820
+ # - https://github.com/trailofbits/algo/issues/216
+ # - https://github.com/trailofbits/algo/issues?utf8=%E2%9C%93&q=is%3Aissue%20mtu
+ # - https://serverfault.com/questions/601143/ssh-not-working-over-ipsec-tunnel-strongswan
+-#max_mss: 1316
++max_mss: 1316
+ 
+ # StrongSwan log level
+ # https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
+@@ -82,7 +85,7 @@ VPN_PayloadIdentifier: "{{ 800000 | random | to_uuid | upper }}"
+ CA_PayloadIdentifier: "{{ 700000 | random | to_uuid | upper }}"
+ 
+ # Block traffic between connected clients
+-BetweenClients_DROP: true
++BetweenClients_DROP: false
+ 
+ congrats:
+ common: |
+@@ -113,7 +116,7 @@ cloud_providers:
+ digitalocean:
+ size: s-1vcpu-1gb
+ image: "ubuntu-18-04-x64"
+- floating_ip: false
++ floating_ip: "165.227.249.213"
+ # Change the encrypted flag to "true" to enable AWS volume encryption, for encryption of data at rest.
+ # Warning: the Algo script will take approximately 6 minutes longer to complete.
+ # Also note that the documented AWS minimum permissions aren't sufficient.
diff --git a/bin/helpers/launch-algo b/bin/helpers/launch-algo
new file mode 100755
index 0000000..06260b7
--- /dev/null
+++ b/bin/helpers/launch-algo
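Review bot: The `BetweenClients_DROP: false` change switches off the "Block traffic between connected clients" behaviour, so every device in the new `users` list becomes reachable from any other connected client, and nothing in the diff says why that is wanted; a comment in the diff next to that line, `# BetweenClients_DROP=false is intentional: <reason>`, would keep the decision reviewable when a device on the list is later lost or replaced. The diff is also tied to exact context lines of upstream `config.cfg`, while `bin/helpers/launch-algo` applies it with plain `git apply` straight after `git pull`, so the first upstream edit to any of those context lines makes the launch fail at the apply step. Since the same values are plain Ansible variables, presumably keeping them in a separate vars file passed to `ansible-playbook` with `-e @file` (extra vars take precedence over `config.cfg`) would remove the dependence on upstream line layout; failing that, `git apply --3way` at least reports a usable conflict.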
@@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+set -eu
+set -o pipefail
+
+script_path="$(realpath "$(dirname "$0")")"
+secrets_bin="${script_path}/../secrets"
+
+"$secrets_bin" open
+
+cd /mnt/algo/algo
+git reset --hard
+git clean -dfx
+git pull
+git apply "${script_path}/algo-config.diff"
+
+# using tmpdir as a virtualenv because the tozt-secrets filesystem is too small
+# to hold the whole python installation
+envdir="$(mktemp --tmpdir -d launch-algo.XXXXXXXXXX)"
+cleanup() {
+ if perl -e'exit 1 unless $ARGV[0] =~ m{^/tmp/launch-algo.*$}' "$envdir"; then
+ rm -rf "$envdir"
+ fi
+
+ cd
+ "$secrets_bin" close
+}
+trap cleanup EXIT
+
+python2 -m virtualenv --python="$(command -v python2)" "$envdir"
+set +eu
+# shellcheck disable=SC1090
+. "$envdir"/bin/activate
+set -eu
+
+logfile="/mnt/algo/algo-log-$(date +%s).log"
+latest_logfile=/mnt/algo/algo-log-latest.log
+touch "$logfile"
+ln -sf "$(basename "$logfile")" "$latest_logfile"
+echo "Logging to $latest_logfile"
+
+echo "Installing dependencies..."
+python -m pip install -U pip >> "$logfile"
+python -m pip install -r requirements.txt >> "$logfile"
+echo "done."
+
+echo "Running Ansible..."
+do_token=$(cat /mnt/algo/algo-digitalocean)
+ansible-playbook main.yml -e "
+ provider=digitalocean
+ server_name=algo
+ ondemand_cellular=false
+ ondemand_wifi=false
+ local_dns=false
+ ssh_tunneling=true
+ windows=false
+ store_cakey=true
+ region=nyc3
+ do_token=$do_token
+" >> "$logfile"
+echo "done."
diff --git a/bin/launch b/bin/launch
index 1bbd8dc..50c2b72 100755
--- a/bin/launch
+++ b/bin/launch
@@ -3,8 +3,8 @@ set -eu
 set -o pipefail
 
 case "$1" in
- tozt)
- "$(dirname "$0")"/helpers/launch-tozt
+ tozt|algo)
+ "$(dirname "$0")/helpers/launch-$1"
 ;;
 *)
 echo "unknown host $1" >&2
diff --git a/bin/terminate b/bin/terminate
index 2805abb..7631206 100755
--- a/bin/terminate
+++ b/bin/terminate
@@ -3,7 +3,7 @@ set -eu
 set -o pipefail
 
 case "$1" in
- tozt)
+ tozt|algo)
 doctl compute droplet delete "$1"
 ;;
 *)
-- 
cgit v1.2.3-54-g00ecf
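Review bot: `do_token=$(cat /mnt/algo/algo-digitalocean)` is interpolated into the `-e "…"` string of `ansible-playbook`, so the DigitalOcean API token sits in the process argument list (`ps`, `/proc/*/cmdline`) for the whole playbook run, readable by any local user; Ansible also takes extra vars from a file, so it can stay off the command line: `printf 'do_token: %s\n' "$(cat /mnt/algo/algo-digitalocean)" > "$envdir/vars.yml"` (the `mktemp -d` directory is already mode 0700 and is removed by `cleanup`), then `-e @"$envdir/vars.yml"` with the `do_token=$do_token` line dropped from the quoted string. Two smaller points in the same file: `git pull` followed by `pip install -r requirements.txt` runs whatever upstream and the package index serve at that moment, with the cloud credentials in hand, so checking out a known commit or at least appending `git rev-parse HEAD` to `$logfile` leaves a record of what actually ran; and the `perl` guard in `cleanup` only accepts paths under `/tmp`, while `mktemp --tmpdir` honours `$TMPDIR`, so with a different `TMPDIR` the virtualenv is silently never removed — matching on `"$envdir"` being non-empty and starting with `${TMPDIR:-/tmp}/launch-algo.` keeps the guard and fixes the leak.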
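Review bot: With the helper path now built from `$1` in `"$(dirname "$0")/helpers/launch-$1"`, the `case` pattern is the only thing that keeps the argument to a fixed set of script names, and that role is not stated anywhere; a comment on the pattern line, `# allow-list: every name here must have a helpers/launch-<name> script`, makes the coupling explicit for the next host added. The `case` statement continues outside the hunk.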
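Review bot: `doctl compute droplet delete "$1"` for the new `algo` case only works because `bin/helpers/launch-algo` passes `server_name=algo` to the playbook, and the two files do not mention each other; a comment on the pattern line, `# names must match the droplet name each helpers/launch-<name> creates`, ties them together. Note also that the floating IP pinned in `bin/helpers/algo-config.diff` is a separate DigitalOcean resource, which this delete presumably leaves allocated — worth confirming that is the intent, since the config reuses it on the next launch. The `case` statement continues outside the hunk.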