Support for encryption, updated README

Author: blackandred

.rkd/makefile.yaml

@@ -39,10 +39,30 @@ tasks:
             "--role":
                 help: "Limit to a given role"
                 required: False
+            "--host":
+                help: "Host name or group name"
+                required: True
+            "--vault":
+                help: "Ask for vault passwords"
+                action: store_true
         steps: |
             if [[ $ARG_ROLE ]]; then
                 ARG_ARGS="$ARG_ARGS -t $ARG_ROLE"
             fi
 
-            ansible-playbook ./playbooks/$ARG_PLAYBOOK -i inventory/hosts.cfg ${ARG_ARGS}
+            if [[ $ARG_VAULT ]]; then
+                ARG_ARGS="$ARG_ARGS --ask-vault-pass"
+            fi
+
+            ansible-playbook ./playbooks/$ARG_PLAYBOOK -i inventory/hosts.cfg --limit=${ARG_HOST} ${ARG_ARGS}
 
+
+    :node:encrypt-first-time:
+        description: Perform a partial disk encryption on freshly installed OS
+        arguments:
+            "--args":
+                help: "Additional Ansible commandline arguments"
+                required: False
+            "host":
+                help: "Host name or group name"
+        steps: ansible-playbook ./playbooks/encrypt-disks.yml --limit=$ARG_HOST -i inventory/hosts.cfg ${ARG_ARGS}

.templates/inventory/group_vars/all.yaml

@@ -1,4 +1,91 @@
 
+docker_dependent_services: ['project']
+
+#
+# Encryption role settings
+#
+# instead of overriding hooks override this to adjust hooks
+enc_directories_to_map:
+    - { dst: "/project", name: "project" }
+    - { dst: "/root", name: "root" }
+    - { dst: "/var/log", name: "var-log" }
+enc_notify_systemd_service: "project"
+
+# https://github.com/zwiazeksyndykalistowpolski/server-secure-storage
+default_role_encryption:
+    enc_file: /storage                # path, where all of the data will be stored
+    enc_file_size: 17160M             # examples: 256M, 20G, 500G
+    enc_mount_name: storage           # mount name, should be a-z, lower case, without special letters
+    enc_mount_path: /mnt/storage      # mount path
+    enc_file_filesystem: ext4         # any filesystem supported by mkfs (and supported by the operating system)
+    enc_hidden_volume_size: "16900M"  # ~17 GB
+    enc_filesystem_create_if_not_exists: yes
+    hide_sensitive_output: no
+
+    #enc_passphrase: "test123"
+    #enc_hidden_volume_passphrase: "hidden123"
+
+    # tcplay settings
+    hashing_algorithm: whirlpool
+    encryption_algorithm: AES-256-XTS
+
+    hook_pre_mount: ""
+    hook_post_mount: >
+        set -x;
+
+        mkdir -p /mnt/storage/docker/volumes /var/lib/docker;
+
+        {% for directory in enc_directories_to_map %}
+        BACKUP=false;
+
+        if [[ -d "{{ directory.dst }}" ]]; then
+            rm -rf "{{ directory.dst }}.2";
+            mv "{{ directory.dst }}" "{{ directory.dst }}.2";
+            BACKUP=true;
+        fi;
+
+        mkdir -p "{{ directory.dst }}";
+        mount -o bind "/mnt/storage/{{ directory.name }}" "{{ directory.dst }}" || exit 1;
+
+        if [[ "${BACKUP}" == "true" ]]; then
+            mv "{{ directory.dst }}.2/*" "{{ directory.dst }}/";
+            mv "{{ directory.dst }}.2/.*" "{{ directory.dst }}/" || true;
+            rmdir "{{ directory.dst }}.2" || true;
+        fi;
+        {% endfor %}
+
+        mount -o bind /mnt/storage/docker /var/lib/docker || exit 1;
+        mount --bind /var/lib/docker/plugins /var/lib/docker/plugins || true;
+        mount --make-private /var/lib/docker/plugins || true;
+
+        {% if enc_notify_systemd_service %}
+        if [[ -f /etc/systemd/system/{{ enc_notify_systemd_service }}.service ]]; then
+            sudo systemctl restart docker;
+            sleep 5;
+            sudo systemctl restart project;
+        fi;
+        {% endif %}
+
+    hook_pre_unmount: >
+        {% if enc_notify_systemd_service %}
+        if [[ -f /etc/systemd/system/{{ enc_notify_systemd_service }}.service ]]; then
+            sudo systemctl disable docker;
+            sudo systemctl disable project;
+
+            sudo systemctl stop project;
+            sudo systemctl stop docker;
+        fi;
+        {% endif %}
+
+        umount /var/lib/docker/plugins || true;
+        umount /var/lib/docker || true;
+
+        {% for directory in enc_directories_to_map %}
+        umount "{{ directory.dst }}" || true;
+        {% endfor %}
+
+    hook_post_unmount: ""
+
 # https://github.com/zwiazeksyndykalistowpolski/server-multi-user
 default_role_users:
     technical_entrypoint: "/project/make.sh"

README.md

@@ -1,12 +1,21 @@
 RiotKit Universal Node
 ======================
 
-Turns a typical cheap virtual node into a dockerized applications environment. Natively integrates with RiotKit's Harbor 2+ for webservices deployment.
+Turns a typical cheap virtual node into a dockerized applications environment node. Natively integrates with RiotKit's Harbor 2+ for webservices deployment.
+
+Installs docker, docker-compose, adds users, configures logs rotation, configures security.
 
 First time setup
 ----------------
 
 ```bash
+# setup a repository
+git clone git@github.com:riotkit-org/infrastructure-harbor-universal-node.git
+
+cd infrastructure-harbor-universal-node
+$(./setup-venv.sh)
+
+# set INVENTORY_GIT_URL to a URL of your repository that contains Ansible inventory with hosts.cfg, host_vars/, group_vars/
 cp .env-dist .env
 nano .env
 
@@ -35,3 +44,76 @@ This set of playbooks needs to run at least on this specification:
 - HDD: 20-40 GB SSD (including OS)
 - OS: Ubuntu 16.04+ or latest Debian Stable or Latest Armbian
 - Host type: Physical ARM or KVM
+
+Usage documentation
+===================
+
+Operating
+---------
+
+Each operation is performed using RKD (RiotKit-Do) using `rkd` command.
+It is recommended to work in a virtual env using `$(./setup-venv.sh)` wrapper - for stability and reproducibility.
+
+Design - concept
+----------------
+
+The architecture requires that the Ansible Inventory (list of SSH hosts with variables per host to customize deployment roles) should be placed
+in a separate repository, and the url should be in `.env` at `INVENTORY_GIT_URL` variable.
+
+Thanks to this concept we can leave this *Universal Node Repository* at github, and all the secrets and personalized settings
+have separated in other, private repository - to update *Universal Node Repository* we can just do `git pull`. It can be also forked
+into private repository for full customization.
+
+How to create inventory repository?
+-----------------------------------
+
+Inventory structure should consist of:
+
+**hosts.cfg (example)**
+
+```bash
+[disasterrecovery]
+recovery.example.internal
+
+```
+
+**group_vars/all**
+
+This file should be actually created from template by executing command `rkd :copy-host-defaults` first time.
+In it you can define deployment settings globally for EACH HOST.
+
+**host_vars/recovery.example.internal.yaml (example name)**
+
+There you should define `ansible_ssh_user`, `ansible_ssh_pass`, `ansible_sudo_pass` and/or private key path.
+In this file you can also overwrite deployment settings for this host.
+
+When in `group_vars/all` there is a section for example `default_role_encryption` then you can create a `role_encryption` in `host_vars/recovery.example.internal.yaml`.
+The values will be MERGED together, the section would not replace original one but will merge all values recursively.
+
+**ENCRYPTION**
+
+Each host file in host_vars can be encrypted with a different Ansible Vault key, Ansible supports this.
+With this combination you can divide access to multiple admins handling administration of different servers.
+
+*TIP: Keep hosts.cfg with minimum of information (only group names and host names) to keep it unencrypted, so you will not have to enter password twice*
+
+**Adding this inventory repository**
+
+```bash
+# set url in INVENTORY_GIT_URL
+nano .env
+```
+
+Deploying
+---------
+
+```bash
+# perform a partial disk encryption (optional)
+rkd :encrypt-first-time recovery.example.internal
+
+# provision with users, firewall settings, etc. - a regular deployment
+rkd :deploy prepare-machine.yml --host recovery.example.internal --vault
+
+# update operating system with careful
+rkd :deploy update-machines.yml --host recovery.example.internal --vault
+```

playbooks/encrypt-disks.yml

@@ -0,0 +1,30 @@
+#
+# ENCRYPTION PLAYBOOK
+# ===================
+#   Setup an optional partial disk encryption.
+#   WARNING: Make a backup of target folders that would be mounted, there is a high risk of loosing data when setting up
+#            a fresh encryption.
+#
+
+
+- hosts: all
+  gather_facts: no
+  roles:
+      - role: blackandred.server_ssh_fallback_port
+        when: ssh_fallback_port is defined and ssh_fallback_port > 0
+        vars:
+            fallback_ssh_port: "{{ ssh_fallback_port }}"
+
+
+- hosts: all
+  gather_facts: yes
+  tasks:
+      - name: Encryption role
+        when: role_encryption is defined
+        block:
+          - name: Include required vars
+            set_fact:
+            args: "{{ default_role_encryption | combine(role_encryption | default({}), recursive=True) }}"
+
+          - include_role: name=blackandred.server_secure_storage
+            tags: encryption

playbooks/prepare-machine.yml

@@ -1,3 +1,10 @@
+#
+# PREPARE MACHINES PLAYBOOK
+# =========================
+#   Prepares a complete setup for each machine - including users, firewall, docker, journald
+#
+
+
 #
 # Make sure we still know the port, even when we changed the port for security reasons on previous runs
 #

playbooks/update-machines.yml

@@ -1,5 +1,5 @@
 #
-# UPDATE MACHINE PLAYBOOK
+# UPDATE MACHINES PLAYBOOK
 # =======================
 #  Performs packages upgrade on target machine. Considers a fact that docker daemon could be corrupted after update
 #  and will attempt to restart it with all dependent services
@@ -41,22 +41,34 @@
         shell: "dpkg -s docker-ce | grep -i version | awk '{print $2}'"
         register: docker_version_after
 
-      - name: Stop dependent services
-        become: yes
-        systemd:
-            name: "{{ item }}"
-            state: stopped
-        with_items: "{{ docker_dependent_services }}"
+      - set_fact:
+            should_rescue_services_after_docker_update: "{{ docker_version_after.stdout != docker_version_before.stdout }}"
 
-      - name: Restart docker daemon
-        become: yes
-        systemd:
-            name: docker
-            state: restarted
+      - debug:
+          var: docker_version_after
 
-      - name: Bring dependent services back
-        become: yes
-        systemd:
-            name: "{{ item }}"
-            state: started
-        with_items: "{{ docker_dependent_services }}"
+      - debug:
+          var: docker_version_before
+
+      - name: Rescue
+        when: should_rescue_services_after_docker_update
+        block:
+            - name: Stop dependent services
+              become: yes
+              systemd:
+                  name: "{{ item }}"
+                  state: stopped
+              with_items: "{{ docker_dependent_services }}"
+
+            - name: Restart docker daemon
+              become: yes
+              systemd:
+                  name: docker
+                  state: restarted
+
+            - name: Bring dependent services back
+              become: yes
+              systemd:
+                  name: "{{ item }}"
+                  state: started
+              with_items: "{{ docker_dependent_services }}"

requirements.txt

@@ -1 +1 @@
-rkd==2.1.4
+rkd>=2.1.4, <2.2