Enable TLS for Consul
parent
b00a8358b2
commit
5ea4cef294
6 changed files with 109 additions and 8 deletions
|
@ -18,9 +18,12 @@ job "core" {
|
||||||
driver = "docker"
|
driver = "docker"
|
||||||
|
|
||||||
config {
|
config {
|
||||||
image = "lxpz/amd64_diplonat:2"
|
image = "lxpz/amd64_diplonat:3"
|
||||||
network_mode = "host"
|
network_mode = "host"
|
||||||
readonly_rootfs = true
|
readonly_rootfs = true
|
||||||
|
volumes = [
|
||||||
|
"secrets:/etc/diplonat",
|
||||||
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
restart {
|
restart {
|
||||||
|
@ -30,11 +33,30 @@ job "core" {
|
||||||
mode = "delay"
|
mode = "delay"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
template {
|
||||||
|
data = "{{ key \"secrets/consul/consul-ca.crt\" }}"
|
||||||
|
destination = "secrets/consul-ca.crt"
|
||||||
|
}
|
||||||
|
|
||||||
|
template {
|
||||||
|
data = "{{ key \"secrets/consul/consul-client.crt\" }}"
|
||||||
|
destination = "secrets/consul-client.crt"
|
||||||
|
}
|
||||||
|
|
||||||
|
template {
|
||||||
|
data = "{{ key \"secrets/consul/consul-client.key\" }}"
|
||||||
|
destination = "secrets/consul-client.key"
|
||||||
|
}
|
||||||
|
|
||||||
template {
|
template {
|
||||||
data = <<EOH
|
data = <<EOH
|
||||||
DIPLONAT_REFRESH_TIME=60
|
DIPLONAT_REFRESH_TIME=60
|
||||||
DIPLONAT_EXPIRATION_TIME=300
|
DIPLONAT_EXPIRATION_TIME=300
|
||||||
DIPLONAT_CONSUL_NODE_NAME={{ env "attr.unique.hostname" }}
|
DIPLONAT_CONSUL_NODE_NAME={{ env "attr.unique.hostname" }}
|
||||||
|
DIPLONAT_CONSUL_URL=https://localhost:8501
|
||||||
|
DIPLONAT_CONSUL_CA_CERT=/etc/diplonat/consul-ca.crt
|
||||||
|
DIPLONAT_CONSUL_CLIENT_CERT=/etc/diplonat/consul-client.crt
|
||||||
|
DIPLONAT_CONSUL_CLIENT_KEY=/etc/diplonat/consul-client.key
|
||||||
RUST_LOG=debug
|
RUST_LOG=debug
|
||||||
EOH
|
EOH
|
||||||
destination = "secrets/env"
|
destination = "secrets/env"
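Review bot: The template that renders `secrets/consul/consul-client.key` into `secrets/consul-client.key` sets no `perms`, so the private key is written with Nomad's default template mode (0644) rather than owner-only; add `perms = "0600"` to that template block (the two .crt templates can keep the default). The same applies to the matching template in the frontend job's hunk below, so this note is not repeated there. Both jobs, the Nomad agent and the operator tooling in this commit appear to share a single Consul client identity fetched from KV, so whether Consul ACLs restrict who may read `secrets/consul/*` is worth confirming — that is not visible here. The file header for this section is not shown, so the task stanza these templates belong to starts outside the hunk.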
|
||||||
|
|
|
@ -14,10 +14,13 @@ job "frontend" {
|
||||||
driver = "docker"
|
driver = "docker"
|
||||||
|
|
||||||
config {
|
config {
|
||||||
image = "lxpz/amd64_tricot:25"
|
image = "lxpz/amd64_tricot:27"
|
||||||
network_mode = "host"
|
network_mode = "host"
|
||||||
readonly_rootfs = true
|
readonly_rootfs = true
|
||||||
ports = [ "http_port", "https_port", "admin_port" ]
|
ports = [ "http_port", "https_port", "admin_port" ]
|
||||||
|
volumes = [
|
||||||
|
"secrets:/etc/tricot",
|
||||||
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
resources {
|
resources {
|
||||||
|
@ -32,11 +35,30 @@ job "frontend" {
|
||||||
mode = "delay"
|
mode = "delay"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
template {
|
||||||
|
data = "{{ key \"secrets/consul/consul-ca.crt\" }}"
|
||||||
|
destination = "secrets/consul-ca.crt"
|
||||||
|
}
|
||||||
|
|
||||||
|
template {
|
||||||
|
data = "{{ key \"secrets/consul/consul-client.crt\" }}"
|
||||||
|
destination = "secrets/consul-client.crt"
|
||||||
|
}
|
||||||
|
|
||||||
|
template {
|
||||||
|
data = "{{ key \"secrets/consul/consul-client.key\" }}"
|
||||||
|
destination = "secrets/consul-client.key"
|
||||||
|
}
|
||||||
|
|
||||||
template {
|
template {
|
||||||
data = <<EOH
|
data = <<EOH
|
||||||
TRICOT_NODE_NAME={{ env "attr.unique.hostname" }}
|
TRICOT_NODE_NAME={{ env "attr.unique.hostname" }}
|
||||||
TRICOT_LETSENCRYPT_EMAIL=alex@adnab.me
|
TRICOT_LETSENCRYPT_EMAIL=alex@adnab.me
|
||||||
TRICOT_ENABLE_COMPRESSION=true
|
TRICOT_ENABLE_COMPRESSION=true
|
||||||
|
TRICOT_CONSUL_HOST=https://localhost:8501
|
||||||
|
TRICOT_CONSUL_CA_CERT=/etc/tricot/consul-ca.crt
|
||||||
|
TRICOT_CONSUL_CLIENT_CERT=/etc/tricot/consul-client.crt
|
||||||
|
TRICOT_CONSUL_CLIENT_KEY=/etc/tricot/consul-client.key
|
||||||
RUST_LOG=tricot=trace
|
RUST_LOG=tricot=trace
|
||||||
EOH
|
EOH
|
||||||
destination = "secrets/env"
|
destination = "secrets/env"
|
||||||
|
|
|
@ -200,8 +200,19 @@ in
|
||||||
datacenter = "staging";
|
datacenter = "staging";
|
||||||
ui = true;
|
ui = true;
|
||||||
bind_addr = public_ip;
|
bind_addr = public_ip;
|
||||||
addresses.http = "0.0.0.0";
|
|
||||||
|
ports.http = -1;
|
||||||
|
addresses.https = "0.0.0.0";
|
||||||
|
ports.https = 8501;
|
||||||
|
|
||||||
retry_join = [ "10.42.0.2" "10.42.0.21" "10.42.0.22" "10.42.0.23" ];
|
retry_join = [ "10.42.0.2" "10.42.0.21" "10.42.0.22" "10.42.0.23" ];
|
||||||
|
|
||||||
|
ca_file = "/var/lib/consul/pki/consul-ca.crt";
|
||||||
|
cert_file = "/var/lib/consul/pki/consul2021.crt";
|
||||||
|
key_file = "/var/lib/consul/pki/consul2021.key";
|
||||||
|
verify_incoming = true;
|
||||||
|
verify_outgoing = true;
|
||||||
|
verify_server_hostname = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nomad.enable = true;
|
services.nomad.enable = true;
|
||||||
|
@ -219,7 +230,13 @@ in
|
||||||
http = public_ip;
|
http = public_ip;
|
||||||
serf = public_ip;
|
serf = public_ip;
|
||||||
};
|
};
|
||||||
consul.address = "127.0.0.1:8500";
|
consul = {
|
||||||
|
address = "localhost:8501";
|
||||||
|
ca_file = "/var/lib/nomad/pki/consul2021.crt";
|
||||||
|
cert_file = "/var/lib/nomad/pki/consul2021-client.crt";
|
||||||
|
key_file = "/var/lib/nomad/pki/consul2021-client.key";
|
||||||
|
ssl = true;
|
||||||
|
};
|
||||||
client = {
|
client = {
|
||||||
enabled = true;
|
enabled = true;
|
||||||
network_interface = "wg0";
|
network_interface = "wg0";
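Review bot: In the new Nomad `consul = { ... }` block, `ca_file` points at `/var/lib/nomad/pki/consul2021.crt`, while the Consul server block in the hunk above and the `CONSUL_CACERT` exports elsewhere in this commit use `consul-ca.crt`; unless consul2021.crt is itself the CA, Nomad would be anchoring trust to a leaf certificate, and `ca_file = "/var/lib/nomad/pki/consul-ca.crt";` (deploy.sh copies that file there too) is the consistent choice. The year is also hard-coded as `2021` in both blocks, whereas deploy.sh, env.sh and sslproxy.sh derive it from `$YEAR`, so the next rotation will upload `consul2022.*` files that this configuration never reads. Binding the HTTPS API to `0.0.0.0:8501` is acceptable only because `verify_incoming = true` makes the client certificate the authentication factor, which makes protecting the client key the critical control. The enclosing attribute set starts and ends outside the hunk.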
|
||||||
|
|
26
deploy.sh
26
deploy.sh
|
@ -31,7 +31,9 @@ for NIXHOST in $NIXHOSTLIST; do
|
||||||
cat node/$NIXHOST.site.nix | ssh -F ssh_config $SSH_DEST tee $TMP_PATH/site.nix > /dev/null
|
cat node/$NIXHOST.site.nix | ssh -F ssh_config $SSH_DEST tee $TMP_PATH/site.nix > /dev/null
|
||||||
|
|
||||||
echo "Sending secret files"
|
echo "Sending secret files"
|
||||||
for SECRET in rclone.conf pki/nomad-ca.crt pki/nomad$YEAR.crt pki/nomad$YEAR.key; do
|
for SECRET in rclone.conf \
|
||||||
|
pki/consul-ca.crt pki/consul$YEAR.crt pki/consul$YEAR.key pki/consul$YEAR-client.crt pki/consul$YEAR-client.key \
|
||||||
|
pki/nomad-ca.crt pki/nomad$YEAR.crt pki/nomad$YEAR.key; do
|
||||||
test -f secrets/$SECRET && (cat secrets/$SECRET | ssh -F ssh_config $SSH_DEST tee $TMP_PATH/$SECRET > /dev/null)
|
test -f secrets/$SECRET && (cat secrets/$SECRET | ssh -F ssh_config $SSH_DEST tee $TMP_PATH/$SECRET > /dev/null)
|
||||||
done
|
done
|
||||||
|
|
||||||
|
@ -45,10 +47,28 @@ mv configuration.nix node.nix site.nix /etc/nixos
|
||||||
|
|
||||||
test -f rclone.conf && (mv rclone.conf /root; chmod 600 /root/rclone.conf)
|
test -f rclone.conf && (mv rclone.conf /root; chmod 600 /root/rclone.conf)
|
||||||
|
|
||||||
mkdir -p /var/lib/nomad/pki
|
mkdir -p /var/lib/nomad/pki /var/lib/consul/pki
|
||||||
test -f pki/nomad-ca.crt && mv -v pki/nomad* /var/lib/nomad/pki
|
|
||||||
|
if [ -f pki/consul-ca.crt ]; then
|
||||||
|
cp pki/consul* /var/lib/nomad/pki
|
||||||
|
mv pki/consul* /var/lib/consul/pki
|
||||||
|
chown -R consul:root /var/lib/consul/pki
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -f pki/nomad-ca.crt ]; then
|
||||||
|
mv pki/nomad* /var/lib/nomad/pki
|
||||||
|
fi
|
||||||
|
|
||||||
nixos-rebuild switch
|
nixos-rebuild switch
|
||||||
|
|
||||||
|
# Save up-to-date Consul client certificates in Consul itself
|
||||||
|
export CONSUL_HTTP_ADDR=https://localhost:8501
|
||||||
|
export CONSUL_CACERT=/var/lib/consul/pki/consul-ca.crt
|
||||||
|
export CONSUL_CLIENT_CERT=/var/lib/consul/pki/consul$YEAR-client.crt
|
||||||
|
export CONSUL_CLIENT_KEY=/var/lib/consul/pki/consul$YEAR-client.key
|
||||||
|
consul kv put secrets/consul/consul-ca.crt - < /var/lib/consul/pki/consul-ca.crt
|
||||||
|
consul kv put secrets/consul/consul-client.crt - < /var/lib/consul/pki/consul$YEAR-client.crt
|
||||||
|
consul kv put secrets/consul/consul-client.key - < /var/lib/consul/pki/consul$YEAR-client.key
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
ssh -t -F ssh_config $SSH_DEST sudo sh $TMP_PATH/deploy.sh
|
ssh -t -F ssh_config $SSH_DEST sudo sh $TMP_PATH/deploy.sh
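Review bot: `cp pki/consul* /var/lib/nomad/pki` also copies the Consul server's private key (`consul$YEAR.key`) into Nomad's pki directory, although the Nomad `consul` block in this commit reads only the CA and the client cert/key; `cp pki/consul-ca.crt pki/consul$YEAR-client.crt pki/consul$YEAR-client.key /var/lib/nomad/pki` keeps the server key out of a second location. Neither directory receives a `chmod` after the move, so the key files keep whatever mode they had in the upload staging directory; `chmod 600 /var/lib/consul/pki/*.key /var/lib/nomad/pki/*.key` next to the `chown -R consul:root` would make that explicit. The `consul kv put` lines then publish the client key into the KV store, which widens its exposure to anyone with KV read access — fine if ACLs gate `secrets/`, but the comment above them should say so. Whether `$YEAR` inside this remote script is expanded locally or must exist on the remote host depends on how the heredoc's `EOF` delimiter is quoted, which is outside the hunk.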
|
||||||
|
|
5
env.sh
5
env.sh
|
@ -5,3 +5,8 @@ export NOMAD_ADDR=https://localhost:14646
|
||||||
export NOMAD_CACERT=$SCRIPT_DIR/secrets/pki/nomad-ca.crt
|
export NOMAD_CACERT=$SCRIPT_DIR/secrets/pki/nomad-ca.crt
|
||||||
export NOMAD_CLIENT_CERT=$SCRIPT_DIR/secrets/pki/nomad$YEAR-client.crt
|
export NOMAD_CLIENT_CERT=$SCRIPT_DIR/secrets/pki/nomad$YEAR-client.crt
|
||||||
export NOMAD_CLIENT_KEY=$SCRIPT_DIR/secrets/pki/nomad$YEAR-client.key
|
export NOMAD_CLIENT_KEY=$SCRIPT_DIR/secrets/pki/nomad$YEAR-client.key
|
||||||
|
|
||||||
|
export CONSUL_HTTP_ADDR=https://localhost:8501
|
||||||
|
export CONSUL_CACERT=$SCRIPT_DIR/secrets/pki/consul-ca.crt
|
||||||
|
export CONSUL_CLIENT_CERT=$SCRIPT_DIR/secrets/pki/consul$YEAR-client.crt
|
||||||
|
export CONSUL_CLIENT_KEY=$SCRIPT_DIR/secrets/pki/consul$YEAR-client.key
|
||||||
|
|
17
sslproxy.sh
17
sslproxy.sh
|
@ -2,4 +2,19 @@
|
||||||
|
|
||||||
YEAR=$(date +%Y)
|
YEAR=$(date +%Y)
|
||||||
|
|
||||||
socat -dd tcp4-listen:4646,reuseaddr,fork openssl:localhost:14646,cert=secrets/pki/nomad$YEAR-client.crt,key=secrets/pki/nomad$YEAR-client.key,cafile=secrets/pki/nomad$YEAR.crt
|
_int() {
|
||||||
|
echo "Caught SIGINT signal!"
|
||||||
|
kill -INT "$child1" 2>/dev/null
|
||||||
|
kill -INT "$child2" 2>/dev/null
|
||||||
|
}
|
||||||
|
|
||||||
|
trap _int SIGINT
|
||||||
|
|
||||||
|
socat -dd tcp4-listen:4646,reuseaddr,fork openssl:localhost:14646,cert=secrets/pki/nomad$YEAR-client.crt,key=secrets/pki/nomad$YEAR-client.key,cafile=secrets/pki/nomad$YEAR.crt &
|
||||||
|
child1=$!
|
||||||
|
|
||||||
|
socat -dd tcp4-listen:8500,reuseaddr,fork openssl:localhost:8501,cert=secrets/pki/consul$YEAR-client.crt,key=secrets/pki/consul$YEAR-client.key,cafile=secrets/pki/consul$YEAR.crt &
|
||||||
|
child2=$!
|
||||||
|
|
||||||
|
wait "$child1"
|
||||||
|
wait "$child2"
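Review bot: Both `tcp4-listen:4646` and the new `tcp4-listen:8500` accept connections on every IPv4 interface of the operator machine and forward them over mTLS with the operator's client certificate, so any host that can reach those ports gets plaintext, unauthenticated access to the Nomad and Consul APIs under that identity; add `bind=127.0.0.1` to both listen addresses, e.g. `tcp4-listen:8500,bind=127.0.0.1,reuseaddr,fork`. The `cafile=secrets/pki/consul$YEAR.crt` option trusts the server leaf certificate rather than `consul-ca.crt`, which the rest of this commit exports as `CONSUL_CACERT`; worth confirming which file is the actual CA so the two do not drift. `trap _int SIGINT` does not cover SIGTERM, so a plain `kill` of the script leaves both socat processes running; `trap _int INT TERM` covers both.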
|
||||||
|
|