From 226fbabf655656f16ca883c8489a2360abdb8367 Mon Sep 17 00:00:00 2001
From: Alex Auvolat
Date: Wed, 20 Apr 2022 15:29:24 +0200
Subject: [PATCH] tlsproxy from pass; fix tls stuff

---
 deploy_pki | 9 +++++++--
 sshtool | 4 ++--
 tlsenv.sh | 12 ------------
 tlsproxy | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 tlsproxy.sh | 37 -------------------------------------
 5 files changed, 56 insertions(+), 53 deletions(-)
 delete mode 100644 tlsenv.sh
 create mode 100755 tlsproxy
 delete mode 100755 tlsproxy.sh

diff --git a/deploy_pki b/deploy_pki
index 8cbd456..167ac50 100755
--- a/deploy_pki
+++ b/deploy_pki
@@ -5,7 +5,9 @@ YEAR=$(date +%Y)
 cmd mkdir -p /var/lib/nomad/pki /var/lib/consul/pki
-for file in consul-ca.crt consul$YEAR.crt consul$YEAR.key consul$YEAR-client.crt consul$YEAR-client.key; do
+for file in consul-ca.crt consul$YEAR.crt consul$YEAR.key \
+ consul$YEAR-client.crt consul$YEAR-client.key
+do
 if pass $PKI/$file >/dev/null; then
 write_pass $PKI/$file /var/lib/consul/pki/$file
 cmd chown consul:root /var/lib/consul/pki/$file
@@ -15,9 +17,12 @@ done
 cmd systemctl restart consul
 cmd sleep 10
-for file in nomad-ca.crt nomad$YEAR.crt nomad$YEAR.key; do
+for file in nomad-ca.crt nomad$YEAR.crt nomad$YEAR.key \
+ consul$YEAR.crt consul$YEAR-client.crt consul$YEAR-client.key
+do
 if pass $PKI/$file >/dev/null; then
 write_pass $PKI/$file /var/lib/nomad/pki/$file
+ cmd "chown \$(stat -c %u /var/lib/private/nomad) /var/lib/nomad/pki/$file"
 fi
 done
diff --git a/sshtool b/sshtool
index 1396c87..58b00ef 100755
--- a/sshtool
+++ b/sshtool
@@ -20,7 +20,7 @@ else
 fi
 if [ -z "$ROOT_PASS" ]; then
- read -s -p "Enter remote root password: " ROOT_PASS
+ read -s -p "Enter remote sudo password: " ROOT_PASS
 echo
 fi
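Review bot: The `cmd "chown \$(stat -c %u /var/lib/private/nomad) ..."` line added to the nomad loop changes only the owner of the copied files, so the mode of the private key `consul$YEAR-client.key` in /var/lib/nomad/pki is whatever `write_pass` leaves it at (that helper is defined outside the hunk), and unlike the consul loop above no group is pinned. I would set owner and group together and explicitly tighten key files: `cmd "chown \$(stat -c %u:%g /var/lib/private/nomad) /var/lib/nomad/pki/$file"` followed by `case $file in *.key) cmd "chmod 0600 /var/lib/nomad/pki/$file";; esac`. If /var/lib/private/nomad does not exist on the target, the `stat` substitution expands to nothing and chown fails with a missing-operand error rather than a clear message, so a guard or a fallback owner of `nomad` is worth adding. The loop body is fully within the hunk, but `cmd` and `write_pass` are not.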
@@ -35,7 +35,7 @@ echo \$DEPLOYTOOL_ROOT_PASSWORD EOG chmod +x /tmp/deploytool_askpass export SUDO_ASKPASS=/tmp/deploytool_askpass -sudo -A sh - < /dev/null && pwd ) -YEAR=$(date +%Y) - -export NOMAD_ADDR=https://localhost:14646 -export NOMAD_CACERT=$SCRIPT_DIR/secrets/pki/nomad-ca.crt -export NOMAD_CLIENT_CERT=$SCRIPT_DIR/secrets/pki/nomad$YEAR-client.crt -export NOMAD_CLIENT_KEY=$SCRIPT_DIR/secrets/pki/nomad$YEAR-client.key - -export CONSUL_HTTP_ADDR=https://localhost:8501 -export CONSUL_CACERT=$SCRIPT_DIR/secrets/pki/consul-ca.crt -export CONSUL_CLIENT_CERT=$SCRIPT_DIR/secrets/pki/consul$YEAR-client.crt -export CONSUL_CLIENT_KEY=$SCRIPT_DIR/secrets/pki/consul$YEAR-client.key diff --git a/tlsproxy b/tlsproxy new file mode 100755 index 0000000..7546b81 --- /dev/null +++ b/tlsproxy 
@@ -0,0 +1,47 @@
+#!/bin/sh
+
+set -xe
+
+# Enter proper cluster subdirectory
+
+cd $(dirname $0)
+
+CLUSTER="$1"
+if [ ! -d "cluster/$CLUSTER" ]; then
+ echo "Usage: $0 "
+ echo "The cluster name must be the name of a subdirectory of cluster/"
+ exit 1
+fi
+
+PREFIX="deuxfleurs/cluster/$CLUSTER"
+
+# Do actual stuff
+
+YEAR=$(date +%Y)
+
+CERTDIR=$(mktemp -d)
+
+_int() {
+ echo "Caught SIGINT signal!"
+ rm -rv $CERTDIR
+ kill -INT "$child1" 2>/dev/null
+ kill -INT "$child2" 2>/dev/null
+}
+
+trap _int SIGINT
+
+pass $PREFIX/nomad$YEAR.crt > $CERTDIR/nomad.crt
+pass $PREFIX/nomad$YEAR-client.crt > $CERTDIR/nomad-client.crt
+pass $PREFIX/nomad$YEAR-client.key > $CERTDIR/nomad-client.key
+pass $PREFIX/consul$YEAR.crt > $CERTDIR/consul.crt
+pass $PREFIX/consul$YEAR-client.crt > $CERTDIR/consul-client.crt
+pass $PREFIX/consul$YEAR-client.key > $CERTDIR/consul-client.key
+
+socat -dd tcp4-listen:4646,reuseaddr,fork openssl:localhost:14646,cert=$CERTDIR/nomad-client.crt,key=$CERTDIR/nomad-client.key,cafile=$CERTDIR/nomad.crt &
+child1=$!
+
+socat -dd tcp4-listen:8500,reuseaddr,fork openssl:localhost:8501,cert=$CERTDIR/consul-client.crt,key=$CERTDIR/consul-client.key,cafile=$CERTDIR/consul.crt &
+child2=$!
+
+wait "$child1"
+wait "$child2"
diff --git a/tlsproxy.sh b/tlsproxy.sh
deleted file mode 100755
index a893872..0000000
--- a/tlsproxy.sh
+++ /dev/null
@@ -1,37 +0,0 @@
-#!/bin/sh
-
-set -xe
-
-# Enter proper cluster subdirectory
-
-cd $(dirname $0)
-
-CLUSTER="$1"
-if [ ! -d "cluster/$CLUSTER" ]; then
- echo "Usage: $0 "
- echo "The cluster name must be the name of a subdirectory of cluster/"
- exit 1
-fi
-
-cd cluster/$CLUSTER
-
-# Do actual stuff
-
-YEAR=$(date +%Y)
-
-_int() {
- echo "Caught SIGINT signal!"
- kill -INT "$child1" 2>/dev/null
- kill -INT "$child2" 2>/dev/null
-}
-
-trap _int SIGINT
-
-socat -dd tcp4-listen:4646,reuseaddr,fork openssl:localhost:14646,cert=secrets/pki/nomad$YEAR-client.crt,key=secrets/pki/nomad$YEAR-client.key,cafile=secrets/pki/nomad$YEAR.crt &
-child1=$!
-
-socat -dd tcp4-listen:8500,reuseaddr,fork openssl:localhost:8501,cert=secrets/pki/consul$YEAR-client.crt,key=secrets/pki/consul$YEAR-client.key,cafile=secrets/pki/consul$YEAR.crt &
-child2=$!
-
-wait "$child1"
-wait "$child2"