Add TLS to Nomad

configuration.nix

@@ -224,6 +224,15 @@ in
       enabled = true;
       network_interface = "wg0";
     };
+    tls = {
+      http = true;
+      rpc = true;
+      ca_file = "/var/lib/nomad/pki/nomad-ca.crt";
+      cert_file = "/var/lib/nomad/pki/nomad2021.crt";
+      key_file = "/var/lib/nomad/pki/nomad2021.key";
+      verify_server_hostname = true;
+      verify_https_client = true;
+    };
     plugin = [
       {
         docker = [

deploy.sh

@@ -10,6 +10,8 @@ fi
 
 TMP_PATH=/tmp/tmp-deploy-$(date +%s)
 
+YEAR=$(date +%Y)
+
 for NIXHOST in $NIXHOSTLIST; do
 	NIXHOST=${NIXHOST%.*}
 
@@ -23,13 +25,15 @@ for NIXHOST in $NIXHOSTLIST; do
 
 	echo "Sending NixOS config files"
 
-	ssh -F ssh_config $SSH_DEST mkdir -p $TMP_PATH
+	ssh -F ssh_config $SSH_DEST mkdir -p $TMP_PATH $TMP_PATH/pki
 	cat configuration.nix | ssh -F ssh_config $SSH_DEST tee $TMP_PATH/configuration.nix > /dev/null
 	cat node/$NIXHOST.nix | ssh -F ssh_config $SSH_DEST tee $TMP_PATH/node.nix > /dev/null
 	cat node/$NIXHOST.site.nix | ssh -F ssh_config $SSH_DEST tee $TMP_PATH/site.nix > /dev/null
 
 	echo "Sending secret files"
-	test -f secrets/rclone.conf && (cat secrets/rclone.conf | ssh -F ssh_config $SSH_DEST tee $TMP_PATH/rclone.conf > /dev/null)
+	for SECRET in rclone.conf pki/nomad-ca.crt pki/nomad$YEAR.crt pki/nomad$YEAR.key; do
+		test -f secrets/$SECRET && (cat secrets/$SECRET | ssh -F ssh_config $SSH_DEST tee $TMP_PATH/$SECRET > /dev/null)
+	done
 
 	echo "Rebuilding NixOS"
 
@@ -38,7 +42,12 @@ set -ex
 
 cd $TMP_PATH
 mv configuration.nix node.nix site.nix /etc/nixos
+
 test -f rclone.conf && (mv rclone.conf /root; chmod 600 /root/rclone.conf)
+
+mkdir -p /var/lib/nomad/pki
+test -f pki/nomad-ca.crt && mv -v pki/nomad* /var/lib/nomad/pki
+
 nixos-rebuild switch
 EOF
 

env.sh

@@ -0,0 +1,7 @@
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+YEAR=$(date +%Y)
+
+export NOMAD_ADDR=https://localhost:14646
+export NOMAD_CACERT=$SCRIPT_DIR/secrets/pki/nomad-ca.crt
+export NOMAD_CLIENT_CERT=$SCRIPT_DIR/secrets/pki/nomad$YEAR-client.crt
+export NOMAD_CLIENT_KEY=$SCRIPT_DIR/secrets/pki/nomad$YEAR-client.key

genpki.sh

@@ -0,0 +1,104 @@
+#!/bin/bash
+
+set -xe
+
+cd $(dirname $0)
+
+mkdir -p secrets/pki
+cd secrets/pki
+
+YEAR=$(date +%Y)
+for APP in consul nomad; do
+	# 1. Create certificate authority
+	if [ ! -f $APP-ca.key ]; then
+		echo "Generating $APP CA keys..."
+		#openssl genpkey -algorithm ED25519 -out $APP-ca.key
+		openssl genrsa -out $APP-ca.key 4096
+
+		openssl req -x509 -new -nodes -key $APP-ca.key -sha256 -days 3650 -out $APP-ca.crt -subj "/C=FR/O=Deuxfleurs/CN=$APP"
+	fi
+
+	CERT="${APP}${YEAR}"
+
+	# 2. Create and sign certificates for inter-node communication
+	if [ ! -f $CERT.crt ]; then
+		echo "Generating $CERT agent keys..."
+		if [ ! -f $CERT.key ]; then
+			#openssl genpkey -algorithm ED25519 -out $CERT.key
+			openssl genrsa -out $CERT.key 4096
+		fi
+		openssl req -new -sha256 -key $CERT.key \
+			-subj "/C=FR/O=Deuxfleurs/CN=$APP" \
+			-out $CERT.csr
+		openssl req -in $CERT.csr -noout -text
+		openssl x509 -req -in $CERT.csr \
+			-extensions v3_req \
+			-extfile <(cat <<EOF
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+
+[req_distinguished_name]
+C = FR
+O = Deuxfleurs
+CN = $APP
+
+[v3_req]
+keyUsage = keyEncipherment, keyCertSign, dataEncipherment, serverAuth, clientAuth
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = server.staging.$APP
+DNS.2 = client.staging.$APP
+DNS.3 = localhost
+DNS.4 = 127.0.0.1
+EOF
+	) \
+			-CA $APP-ca.crt -CAkey $APP-ca.key -CAcreateserial \
+			-out $CERT.crt -days 700
+		rm $CERT.csr
+	fi
+
+	# 3. Create client-only certificate used for the CLI
+	if [ ! -f $CERT-client.crt ]; then
+		echo "Generating $CERT client keys..."
+		if [ ! -f $CERT-client.key ]; then
+			#openssl genpkey -algorithm ED25519 -out $CERT-client.key
+			openssl genrsa -out $CERT-client.key 4096
+		fi
+		openssl req -new -sha256 -key $CERT-client.key \
+			-subj "/C=FR/O=Deuxfleurs/CN=$APP-client" \
+			-out $CERT-client.csr
+		openssl req -in $CERT-client.csr -noout -text
+		openssl x509 -req -in $CERT-client.csr \
+			-extensions v3_req \
+			-extfile <(cat <<EOF
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+
+[req_distinguished_name]
+C = FR
+O = Deuxfleurs
+CN = $APP-client
+
+[v3_req]
+keyUsage = keyEncipherment, keyCertSign, dataEncipherment, clientAuth
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = client.staging.$APP
+EOF
+	) \
+			-CA $APP-ca.crt -CAkey $APP-ca.key -CAcreateserial \
+			-out $CERT-client.crt -days 700
+		rm $CERT-client.csr
+	fi
+
+	if [ ! -f $CERT-client.p12 ]; then
+		openssl pkcs12 -export -out $CERT-client.p12 \
+			-in $APP-ca.pem -in $CERT-client.crt -inkey $CERT-client.key
+	fi
+done

sslproxy.sh

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+YEAR=$(date +%Y)
+
+socat -dd tcp4-listen:4646,reuseaddr,fork openssl:localhost:14646,cert=secrets/pki/nomad$YEAR-client.crt,key=secrets/pki/nomad$YEAR-client.key,cafile=secrets/pki/nomad$YEAR.crt