calvinverse / base.vm.linux Goto Github PK

Because otherwise, we can't just grab the disk. See here: https://blogs.msdn.microsoft.com/virtual_pc_guy/2015/02/11/copying-the-vhd-of-a-generation-2-linux-vmand-not-booting-afterwards/

So that all logs are by default send to the log server

Now that Vault can create credentials for Influx we should put authentication on Influx and provide Telegraf with a username and password. Use the same method as for logs being pushed to RabbitMQ

Allow user / client SSH certificates so that we don't have to use the admin password.
Also add host verification so that the user / client can verify that they are signed in with a sensible host.

Put these in a file in sorted order so that for the next build we can identify if any new packages were installed.

See here for the correct way to preseed the secure boot part:

https://askubuntu.com/a/959314/736501

Because it has per service metadata

Instead of executing consul-template directly in the service we should run it via a shell script. That shell script should take the following steps:

• Run consul-template in once only mode to generate the environment variable holding the vault key. If it's not there then just continue. If the key is there then write the key to an environment value / file. Then remove the key from the consul k-v so that it won't be there next time.
• Run consul-template in continuous mode using the new environment variable
• If a change is detected in the consul k-v value for the key then restart the service

Allow creating a VM in Azure

Because it's more efficient according to: https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/Best-Practices-for-running-Linux-on-Hyper-V

There doesn't seem to be any documentation but the PR is here: hashicorp/consul-template#1153

The systemd daemon for Consul-Template doesn't have the appropriate retry configurations set so there are potential situations where Consul-Template will crash and not be restarted.

Because there might be sensitive information in those files

Because enabling unbound during a Packer run is error prone for some reason.

So if the machine doesn't get an IP address fast enough Consul dies

This should allow us to reconnect to Vault after the host has restarted.

Because all resources made from the image will need both

So that nobody knows what the password is. But allow users to connect with SSH certificates if required.

That way we can change the configuration information in a newer version of the resource without breaking the old versions of the resource

Once this is installed we can then use it as the basis for the provisioning system

To ensure that internal certs are recognized as valid we should allow importing certs in the system CA store.

That way derived builds don't need to provide a provisioning script

Because they expire you have to authenticate the machines each time the machine restarts or consul-template falls over. This is fine if you have automatic authentication but if you don't then you also don't get any logs which is not great.

Currently the code is based on an AD PKI system so we need to adjust it so that it works with Azure PKI capabilities.

Add the name of the service on the VM as the 'service' global tag so that all metrics have a tag with the service name.

So that we can do distributed tracing: https://opentelemetry.io/