Enable TLS for Consul

2021-12-30 20:56:13 +01:00 · 2021-12-30 20:56:13 +01:00 · 5ea4cef294
commit 5ea4cef294
parent b00a8358b2
6 changed files with 109 additions and 8 deletions
--- a/app/core/deploy/core.hcl
+++ b/app/core/deploy/core.hcl
@ -18,9 +18,12 @@ job "core" {
      driver = "docker"

      config {
-        image = "lxpz/amd64_diplonat:2"
+        image = "lxpz/amd64_diplonat:3"
        network_mode = "host"
        readonly_rootfs = true
+        volumes = [
+          "secrets:/etc/diplonat",
+        ]
      }

      restart {
@ -30,11 +33,30 @@ job "core" {
        mode     = "delay"
      }

+      template {
+        data = "{{ key \"secrets/consul/consul-ca.crt\" }}"
+        destination = "secrets/consul-ca.crt"
+      }
+
+      template {
+        data = "{{ key \"secrets/consul/consul-client.crt\" }}"
+        destination = "secrets/consul-client.crt"
+      }
+
+      template {
+        data = "{{ key \"secrets/consul/consul-client.key\" }}"
+        destination = "secrets/consul-client.key"
+      }
+
      template {
        data = <<EOH
 DIPLONAT_REFRESH_TIME=60
 DIPLONAT_EXPIRATION_TIME=300
 DIPLONAT_CONSUL_NODE_NAME={{ env "attr.unique.hostname" }}
+DIPLONAT_CONSUL_URL=https://localhost:8501
+DIPLONAT_CONSUL_CA_CERT=/etc/diplonat/consul-ca.crt
+DIPLONAT_CONSUL_CLIENT_CERT=/etc/diplonat/consul-client.crt
+DIPLONAT_CONSUL_CLIENT_KEY=/etc/diplonat/consul-client.key
 RUST_LOG=debug
 EOH
        destination = "secrets/env"
--- a/app/frontend/deploy/frontend-tricot.hcl
+++ b/app/frontend/deploy/frontend-tricot.hcl
@ -14,10 +14,13 @@ job "frontend" {
      driver = "docker"

      config {
-        image = "lxpz/amd64_tricot:25"
+        image = "lxpz/amd64_tricot:27"
        network_mode = "host"
        readonly_rootfs = true
        ports = [ "http_port", "https_port", "admin_port" ]
+        volumes = [
+          "secrets:/etc/tricot",
+        ]
      }

      resources {
@ -32,11 +35,30 @@ job "frontend" {
        mode     = "delay"
      }

+      template {
+        data = "{{ key \"secrets/consul/consul-ca.crt\" }}"
+        destination = "secrets/consul-ca.crt"
+      }
+
+      template {
+        data = "{{ key \"secrets/consul/consul-client.crt\" }}"
+        destination = "secrets/consul-client.crt"
+      }
+
+      template {
+        data = "{{ key \"secrets/consul/consul-client.key\" }}"
+        destination = "secrets/consul-client.key"
+      }
+
      template {
        data = <<EOH
 TRICOT_NODE_NAME={{ env "attr.unique.hostname" }}
 TRICOT_LETSENCRYPT_EMAIL=alex@adnab.me
 TRICOT_ENABLE_COMPRESSION=true
+TRICOT_CONSUL_HOST=https://localhost:8501
+TRICOT_CONSUL_CA_CERT=/etc/tricot/consul-ca.crt
+TRICOT_CONSUL_CLIENT_CERT=/etc/tricot/consul-client.crt
+TRICOT_CONSUL_CLIENT_KEY=/etc/tricot/consul-client.key
 RUST_LOG=tricot=trace
 EOH
        destination = "secrets/env"
--- a/configuration.nix
+++ b/configuration.nix
@ -200,8 +200,19 @@ in
    datacenter = "staging";
    ui = true;
    bind_addr = public_ip;
-    addresses.http = "0.0.0.0";
+
+    ports.http = -1;
+    addresses.https = "0.0.0.0";
+    ports.https = 8501;
+
    retry_join = [ "10.42.0.2" "10.42.0.21" "10.42.0.22" "10.42.0.23" ];
+
+    ca_file = "/var/lib/consul/pki/consul-ca.crt";
+    cert_file = "/var/lib/consul/pki/consul2021.crt";
+    key_file = "/var/lib/consul/pki/consul2021.key";
+    verify_incoming = true;
+    verify_outgoing = true;
+    verify_server_hostname = true;
  };

  services.nomad.enable = true;
@ -219,7 +230,13 @@ in
      http = public_ip;
      serf = public_ip;
    };
-    consul.address = "127.0.0.1:8500";
+    consul = {
+      address = "localhost:8501";
+      ca_file = "/var/lib/nomad/pki/consul2021.crt";
+      cert_file = "/var/lib/nomad/pki/consul2021-client.crt";
+      key_file = "/var/lib/nomad/pki/consul2021-client.key";
+      ssl = true;
+    };
    client = {
      enabled = true;
      network_interface = "wg0";
--- a/deploy.sh
+++ b/deploy.sh
@ -31,7 +31,9 @@ for NIXHOST in $NIXHOSTLIST; do
 	cat node/$NIXHOST.site.nix | ssh -F ssh_config $SSH_DEST tee $TMP_PATH/site.nix > /dev/null

 	echo "Sending secret files"
-	for SECRET in rclone.conf pki/nomad-ca.crt pki/nomad$YEAR.crt pki/nomad$YEAR.key; do
+	for SECRET in rclone.conf \
+		pki/consul-ca.crt pki/consul$YEAR.crt pki/consul$YEAR.key pki/consul$YEAR-client.crt pki/consul$YEAR-client.key \
+		pki/nomad-ca.crt pki/nomad$YEAR.crt pki/nomad$YEAR.key; do
 		test -f secrets/$SECRET && (cat secrets/$SECRET | ssh -F ssh_config $SSH_DEST tee $TMP_PATH/$SECRET > /dev/null)
 	done

@ -45,10 +47,28 @@ mv configuration.nix node.nix site.nix /etc/nixos

 test -f rclone.conf && (mv rclone.conf /root; chmod 600 /root/rclone.conf)

-mkdir -p /var/lib/nomad/pki
-test -f pki/nomad-ca.crt && mv -v pki/nomad* /var/lib/nomad/pki
+mkdir -p /var/lib/nomad/pki /var/lib/consul/pki
+
+if [ -f pki/consul-ca.crt ]; then
+	cp pki/consul* /var/lib/nomad/pki
+	mv pki/consul* /var/lib/consul/pki
+	chown -R consul:root /var/lib/consul/pki
+fi
+
+if [ -f pki/nomad-ca.crt ]; then
+	mv pki/nomad* /var/lib/nomad/pki
+fi

 nixos-rebuild switch
+
+# Save up-to-date Consul client certificates in Consul itself
+export CONSUL_HTTP_ADDR=https://localhost:8501
+export CONSUL_CACERT=/var/lib/consul/pki/consul-ca.crt
+export CONSUL_CLIENT_CERT=/var/lib/consul/pki/consul$YEAR-client.crt
+export CONSUL_CLIENT_KEY=/var/lib/consul/pki/consul$YEAR-client.key
+consul kv put secrets/consul/consul-ca.crt - < /var/lib/consul/pki/consul-ca.crt
+consul kv put secrets/consul/consul-client.crt - < /var/lib/consul/pki/consul$YEAR-client.crt
+consul kv put secrets/consul/consul-client.key - < /var/lib/consul/pki/consul$YEAR-client.key
 EOF

 	ssh -t -F ssh_config $SSH_DEST sudo sh $TMP_PATH/deploy.sh
--- a/env.sh
+++ b/env.sh
@ -5,3 +5,8 @@ export NOMAD_ADDR=https://localhost:14646
 export NOMAD_CACERT=$SCRIPT_DIR/secrets/pki/nomad-ca.crt
 export NOMAD_CLIENT_CERT=$SCRIPT_DIR/secrets/pki/nomad$YEAR-client.crt
 export NOMAD_CLIENT_KEY=$SCRIPT_DIR/secrets/pki/nomad$YEAR-client.key
+
+export CONSUL_HTTP_ADDR=https://localhost:8501
+export CONSUL_CACERT=$SCRIPT_DIR/secrets/pki/consul-ca.crt
+export CONSUL_CLIENT_CERT=$SCRIPT_DIR/secrets/pki/consul$YEAR-client.crt
+export CONSUL_CLIENT_KEY=$SCRIPT_DIR/secrets/pki/consul$YEAR-client.key
--- a/sslproxy.sh
+++ b/sslproxy.sh
@ -2,4 +2,19 @@

 YEAR=$(date +%Y)

-socat -dd tcp4-listen:4646,reuseaddr,fork openssl:localhost:14646,cert=secrets/pki/nomad$YEAR-client.crt,key=secrets/pki/nomad$YEAR-client.key,cafile=secrets/pki/nomad$YEAR.crt
+_int() {
+  echo "Caught SIGINT signal!"
+  kill -INT "$child1" 2>/dev/null
+  kill -INT "$child2" 2>/dev/null
+}
+
+trap _int SIGINT
+
+socat -dd tcp4-listen:4646,reuseaddr,fork openssl:localhost:14646,cert=secrets/pki/nomad$YEAR-client.crt,key=secrets/pki/nomad$YEAR-client.key,cafile=secrets/pki/nomad$YEAR.crt &
+child1=$!
+
+socat -dd tcp4-listen:8500,reuseaddr,fork openssl:localhost:8501,cert=secrets/pki/consul$YEAR-client.crt,key=secrets/pki/consul$YEAR-client.key,cafile=secrets/pki/consul$YEAR.crt &
+child2=$!
+
+wait "$child1"
+wait "$child2"