Enable TLS for Consul

This commit is contained in:
Alex 2021-12-30 20:56:13 +01:00
parent b00a8358b2
commit 5ea4cef294
No known key found for this signature in database
GPG key ID: EDABF9711E244EB1
6 changed files with 109 additions and 8 deletions


@ -18,9 +18,12 @@ job "core" {
driver = "docker" driver = "docker"
config { config {
image = "lxpz/amd64_diplonat:2" image = "lxpz/amd64_diplonat:3"
network_mode = "host" network_mode = "host"
readonly_rootfs = true readonly_rootfs = true
volumes = [
"secrets:/etc/diplonat",
]
} }
restart { restart {
@ -30,11 +33,30 @@ job "core" {
mode = "delay" mode = "delay"
} }
template {
data = "{{ key \"secrets/consul/consul-ca.crt\" }}"
destination = "secrets/consul-ca.crt"
}
template {
data = "{{ key \"secrets/consul/consul-client.crt\" }}"
destination = "secrets/consul-client.crt"
}
template {
data = "{{ key \"secrets/consul/consul-client.key\" }}"
destination = "secrets/consul-client.key"
}
template { template {
data = <<EOH data = <<EOH
DIPLONAT_REFRESH_TIME=60 DIPLONAT_REFRESH_TIME=60
DIPLONAT_EXPIRATION_TIME=300 DIPLONAT_EXPIRATION_TIME=300
DIPLONAT_CONSUL_NODE_NAME={{ env "attr.unique.hostname" }} DIPLONAT_CONSUL_NODE_NAME={{ env "attr.unique.hostname" }}
DIPLONAT_CONSUL_URL=https://localhost:8501
DIPLONAT_CONSUL_CA_CERT=/etc/diplonat/consul-ca.crt
DIPLONAT_CONSUL_CLIENT_CERT=/etc/diplonat/consul-client.crt
DIPLONAT_CONSUL_CLIENT_KEY=/etc/diplonat/consul-client.key
RUST_LOG=debug RUST_LOG=debug
EOH EOH
destination = "secrets/env" destination = "secrets/env"
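Review bot: The template that renders `secrets/consul/consul-client.key` (destination `secrets/consul-client.key`) sets no file mode, so the private key is written with the template stanza's default permissions and then exposed to the container through the new `secrets:/etc/diplonat` volume; adding `perms = "0600"` to that template keeps the key readable only by the task's user. The same applies to the key template in the frontend job section of this commit (`secrets/consul-client.key` → `/etc/tricot`). Separately, this design distributes one shared client key through Consul KV, so every job or user able to read `secrets/consul/*` in KV obtains the same credential; whether anything limits that read is not visible in the hunk. The enclosing `task` and `job "core"` blocks start and end outside the hunk.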


@ -14,10 +14,13 @@ job "frontend" {
driver = "docker" driver = "docker"
config { config {
image = "lxpz/amd64_tricot:25" image = "lxpz/amd64_tricot:27"
network_mode = "host" network_mode = "host"
readonly_rootfs = true readonly_rootfs = true
ports = [ "http_port", "https_port", "admin_port" ] ports = [ "http_port", "https_port", "admin_port" ]
volumes = [
"secrets:/etc/tricot",
]
} }
resources { resources {
@ -32,11 +35,30 @@ job "frontend" {
mode = "delay" mode = "delay"
} }
template {
data = "{{ key \"secrets/consul/consul-ca.crt\" }}"
destination = "secrets/consul-ca.crt"
}
template {
data = "{{ key \"secrets/consul/consul-client.crt\" }}"
destination = "secrets/consul-client.crt"
}
template {
data = "{{ key \"secrets/consul/consul-client.key\" }}"
destination = "secrets/consul-client.key"
}
template { template {
data = <<EOH data = <<EOH
TRICOT_NODE_NAME={{ env "attr.unique.hostname" }} TRICOT_NODE_NAME={{ env "attr.unique.hostname" }}
TRICOT_LETSENCRYPT_EMAIL=alex@adnab.me TRICOT_LETSENCRYPT_EMAIL=alex@adnab.me
TRICOT_ENABLE_COMPRESSION=true TRICOT_ENABLE_COMPRESSION=true
TRICOT_CONSUL_HOST=https://localhost:8501
TRICOT_CONSUL_CA_CERT=/etc/tricot/consul-ca.crt
TRICOT_CONSUL_CLIENT_CERT=/etc/tricot/consul-client.crt
TRICOT_CONSUL_CLIENT_KEY=/etc/tricot/consul-client.key
RUST_LOG=tricot=trace RUST_LOG=tricot=trace
EOH EOH
destination = "secrets/env" destination = "secrets/env"


@ -200,8 +200,19 @@ in
datacenter = "staging"; datacenter = "staging";
ui = true; ui = true;
bind_addr = public_ip; bind_addr = public_ip;
addresses.http = "0.0.0.0";
ports.http = -1;
addresses.https = "0.0.0.0";
ports.https = 8501;
retry_join = [ "10.42.0.2" "10.42.0.21" "10.42.0.22" "10.42.0.23" ]; retry_join = [ "10.42.0.2" "10.42.0.21" "10.42.0.22" "10.42.0.23" ];
ca_file = "/var/lib/consul/pki/consul-ca.crt";
cert_file = "/var/lib/consul/pki/consul2021.crt";
key_file = "/var/lib/consul/pki/consul2021.key";
verify_incoming = true;
verify_outgoing = true;
verify_server_hostname = true;
}; };
services.nomad.enable = true; services.nomad.enable = true;
@ -219,7 +230,13 @@ in
http = public_ip; http = public_ip;
serf = public_ip; serf = public_ip;
}; };
consul.address = "127.0.0.1:8500"; consul = {
address = "localhost:8501";
ca_file = "/var/lib/nomad/pki/consul2021.crt";
cert_file = "/var/lib/nomad/pki/consul2021-client.crt";
key_file = "/var/lib/nomad/pki/consul2021-client.key";
ssl = true;
};
client = { client = {
enabled = true; enabled = true;
network_interface = "wg0"; network_interface = "wg0";
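Review bot: The certificate paths added in both hunks hard-code the year (`cert_file = "/var/lib/consul/pki/consul2021.crt"`, `key_file = "/var/lib/consul/pki/consul2021.key"`, and the `consul2021-client.*` pair in the Nomad `consul` stanza), while the deploy script in this same commit ships the files as `pki/consul$YEAR.crt` / `pki/consul$YEAR-client.key`; after the year rolls over the deploy will copy `consul2022*` files and this configuration will still point at the old names, so Consul and Nomad fail to start until the Nix file is edited by hand. Either derive the name from a single `year` binding shared with the deploy step, or drop the year from the installed filenames and keep the rotation in the source tree. Note that with `verify_incoming = true` and `ports.http = -1` any holder of a CA-signed client certificate gets full API access unless ACLs are configured elsewhere; no `acl` stanza is visible in this hunk. The enclosing `services.consul`/`services.nomad` attribute sets begin outside the hunk.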


@ -31,7 +31,9 @@ for NIXHOST in $NIXHOSTLIST; do
cat node/$NIXHOST.site.nix | ssh -F ssh_config $SSH_DEST tee $TMP_PATH/site.nix > /dev/null cat node/$NIXHOST.site.nix | ssh -F ssh_config $SSH_DEST tee $TMP_PATH/site.nix > /dev/null
echo "Sending secret files" echo "Sending secret files"
for SECRET in rclone.conf pki/nomad-ca.crt pki/nomad$YEAR.crt pki/nomad$YEAR.key; do for SECRET in rclone.conf \
pki/consul-ca.crt pki/consul$YEAR.crt pki/consul$YEAR.key pki/consul$YEAR-client.crt pki/consul$YEAR-client.key \
pki/nomad-ca.crt pki/nomad$YEAR.crt pki/nomad$YEAR.key; do
test -f secrets/$SECRET && (cat secrets/$SECRET | ssh -F ssh_config $SSH_DEST tee $TMP_PATH/$SECRET > /dev/null) test -f secrets/$SECRET && (cat secrets/$SECRET | ssh -F ssh_config $SSH_DEST tee $TMP_PATH/$SECRET > /dev/null)
done done
@ -45,10 +47,28 @@ mv configuration.nix node.nix site.nix /etc/nixos
test -f rclone.conf && (mv rclone.conf /root; chmod 600 /root/rclone.conf) test -f rclone.conf && (mv rclone.conf /root; chmod 600 /root/rclone.conf)
mkdir -p /var/lib/nomad/pki mkdir -p /var/lib/nomad/pki /var/lib/consul/pki
test -f pki/nomad-ca.crt && mv -v pki/nomad* /var/lib/nomad/pki
if [ -f pki/consul-ca.crt ]; then
cp pki/consul* /var/lib/nomad/pki
mv pki/consul* /var/lib/consul/pki
chown -R consul:root /var/lib/consul/pki
fi
if [ -f pki/nomad-ca.crt ]; then
mv pki/nomad* /var/lib/nomad/pki
fi
nixos-rebuild switch nixos-rebuild switch
# Save up-to-date Consul client certificates in Consul itself
export CONSUL_HTTP_ADDR=https://localhost:8501
export CONSUL_CACERT=/var/lib/consul/pki/consul-ca.crt
export CONSUL_CLIENT_CERT=/var/lib/consul/pki/consul$YEAR-client.crt
export CONSUL_CLIENT_KEY=/var/lib/consul/pki/consul$YEAR-client.key
consul kv put secrets/consul/consul-ca.crt - < /var/lib/consul/pki/consul-ca.crt
consul kv put secrets/consul/consul-client.crt - < /var/lib/consul/pki/consul$YEAR-client.crt
consul kv put secrets/consul/consul-client.key - < /var/lib/consul/pki/consul$YEAR-client.key
EOF EOF
ssh -t -F ssh_config $SSH_DEST sudo sh $TMP_PATH/deploy.sh ssh -t -F ssh_config $SSH_DEST sudo sh $TMP_PATH/deploy.sh
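Review bot: In the second hunk, `cp pki/consul* /var/lib/nomad/pki` copies the Consul server certificate and its private key (`consul$YEAR.key`) into Nomad's pki directory, although the Nomad `consul` stanza in this commit only reads the CA and the client certificate/key; copying only what is needed, `cp pki/consul-ca.crt pki/consul$YEAR-client.crt pki/consul$YEAR-client.key /var/lib/nomad/pki`, avoids leaving a second copy of the server key on disk under a different owner. The `chown -R consul:root /var/lib/consul/pki` line also sets no mode, so the key files keep whatever mode `tee` gave them when they were written to `$TMP_PATH`; a `chmod 600 /var/lib/consul/pki/*.key` after the chown would make that explicit. The three `consul kv put` lines run right after `nixos-rebuild switch` with no check that the agent is listening on 8501, and no `set -e` is visible, so a failed put would go unnoticed while the jobs keep rendering stale key material from KV. The `deploy.sh` heredoc these lines belong to starts outside the hunk.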

5
env.sh

@ -5,3 +5,8 @@ export NOMAD_ADDR=https://localhost:14646
export NOMAD_CACERT=$SCRIPT_DIR/secrets/pki/nomad-ca.crt export NOMAD_CACERT=$SCRIPT_DIR/secrets/pki/nomad-ca.crt
export NOMAD_CLIENT_CERT=$SCRIPT_DIR/secrets/pki/nomad$YEAR-client.crt export NOMAD_CLIENT_CERT=$SCRIPT_DIR/secrets/pki/nomad$YEAR-client.crt
export NOMAD_CLIENT_KEY=$SCRIPT_DIR/secrets/pki/nomad$YEAR-client.key export NOMAD_CLIENT_KEY=$SCRIPT_DIR/secrets/pki/nomad$YEAR-client.key
export CONSUL_HTTP_ADDR=https://localhost:8501
export CONSUL_CACERT=$SCRIPT_DIR/secrets/pki/consul-ca.crt
export CONSUL_CLIENT_CERT=$SCRIPT_DIR/secrets/pki/consul$YEAR-client.crt
export CONSUL_CLIENT_KEY=$SCRIPT_DIR/secrets/pki/consul$YEAR-client.key


@ -2,4 +2,19 @@
YEAR=$(date +%Y) YEAR=$(date +%Y)
socat -dd tcp4-listen:4646,reuseaddr,fork openssl:localhost:14646,cert=secrets/pki/nomad$YEAR-client.crt,key=secrets/pki/nomad$YEAR-client.key,cafile=secrets/pki/nomad$YEAR.crt _int() {
echo "Caught SIGINT signal!"
kill -INT "$child1" 2>/dev/null
kill -INT "$child2" 2>/dev/null
}
trap _int SIGINT
socat -dd tcp4-listen:4646,reuseaddr,fork openssl:localhost:14646,cert=secrets/pki/nomad$YEAR-client.crt,key=secrets/pki/nomad$YEAR-client.key,cafile=secrets/pki/nomad$YEAR.crt &
child1=$!
socat -dd tcp4-listen:8500,reuseaddr,fork openssl:localhost:8501,cert=secrets/pki/consul$YEAR-client.crt,key=secrets/pki/consul$YEAR-client.key,cafile=secrets/pki/consul$YEAR.crt &
child2=$!
wait "$child1"
wait "$child2"
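Review bot: The new `socat -dd tcp4-listen:8500,reuseaddr,fork openssl:localhost:8501,...` line listens on all interfaces, so any host that can reach port 8500 on this machine gets a plaintext path into Consul carrying the operator's client-certificate identity; restricting the listener with `tcp4-listen:8500,bind=127.0.0.1,reuseaddr,fork` keeps the unauthenticated side local (the pre-existing 4646 listener has the same shape). The Consul line also verifies the server against `cafile=secrets/pki/consul$YEAR.crt`, the server's own certificate, whereas env.sh in this commit trusts `secrets/pki/consul-ca.crt`; if the server certificate is issued by that CA rather than self-signed, the proxy's verification will differ from the CLI's, so pointing `cafile` at `consul-ca.crt` would be consistent. The `trap _int SIGINT` spelling relies on a shell that accepts signal names with the `SIG` prefix; the script's interpreter line is not in the hunk, so `trap _int INT` is the portable form if it runs under plain `sh`.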