tlsproxy from pass; fix tls stuff
parent
7c1444b714
commit
226fbabf65
5 changed files with 56 additions and 53 deletions
|
@ -5,7 +5,9 @@ YEAR=$(date +%Y)
|
||||||
|
|
||||||
cmd mkdir -p /var/lib/nomad/pki /var/lib/consul/pki
|
cmd mkdir -p /var/lib/nomad/pki /var/lib/consul/pki
|
||||||
|
|
||||||
for file in consul-ca.crt consul$YEAR.crt consul$YEAR.key consul$YEAR-client.crt consul$YEAR-client.key; do
|
for file in consul-ca.crt consul$YEAR.crt consul$YEAR.key \
|
||||||
|
consul$YEAR-client.crt consul$YEAR-client.key
|
||||||
|
do
|
||||||
if pass $PKI/$file >/dev/null; then
|
if pass $PKI/$file >/dev/null; then
|
||||||
write_pass $PKI/$file /var/lib/consul/pki/$file
|
write_pass $PKI/$file /var/lib/consul/pki/$file
|
||||||
cmd chown consul:root /var/lib/consul/pki/$file
|
cmd chown consul:root /var/lib/consul/pki/$file
|
||||||
|
@ -15,9 +17,12 @@ done
|
||||||
cmd systemctl restart consul
|
cmd systemctl restart consul
|
||||||
cmd sleep 10
|
cmd sleep 10
|
||||||
|
|
||||||
for file in nomad-ca.crt nomad$YEAR.crt nomad$YEAR.key; do
|
for file in nomad-ca.crt nomad$YEAR.crt nomad$YEAR.key \
|
||||||
|
consul$YEAR.crt consul$YEAR-client.crt consul$YEAR-client.key
|
||||||
|
do
|
||||||
if pass $PKI/$file >/dev/null; then
|
if pass $PKI/$file >/dev/null; then
|
||||||
write_pass $PKI/$file /var/lib/nomad/pki/$file
|
write_pass $PKI/$file /var/lib/nomad/pki/$file
|
||||||
|
cmd "chown \$(stat -c %u /var/lib/private/nomad) /var/lib/nomad/pki/$file"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
|
|
4
sshtool
4
sshtool
|
@ -20,7 +20,7 @@ else
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -z "$ROOT_PASS" ]; then
|
if [ -z "$ROOT_PASS" ]; then
|
||||||
read -s -p "Enter remote root password: " ROOT_PASS
|
read -s -p "Enter remote sudo password: " ROOT_PASS
|
||||||
echo
|
echo
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -35,7 +35,7 @@ echo \$DEPLOYTOOL_ROOT_PASSWORD
|
||||||
EOG
|
EOG
|
||||||
chmod +x /tmp/deploytool_askpass
|
chmod +x /tmp/deploytool_askpass
|
||||||
export SUDO_ASKPASS=/tmp/deploytool_askpass
|
export SUDO_ASKPASS=/tmp/deploytool_askpass
|
||||||
sudo -A sh - <<EOEVERYTHING
|
sudo -A sh - <<'EOEVERYTHING'
|
||||||
EOF
|
EOF
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
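Review bot: Quoting the delimiter as `<<'EOEVERYTHING'` (the second of the two printed `sudo -A sh -` lines, which I take to be the new one) stops the local shell from expanding `$…` and `$(…)` in the script handed to the remote `sh`; the heredoc body and the start of the enclosing function are outside the hunk, so confirm that nothing in that body relied on local expansion, since any such value now has to be substituted explicitly. The askpass helper is still written to the fixed path `/tmp/deploytool_askpass` and exported as `SUDO_ASKPASS` without being removed afterwards; that is context rather than new code, but a predictable name in a shared `/tmp` is exactly what `mktemp` exists to avoid, so creating it with `mktemp` and removing it in an `EXIT` trap would be the safer shape. The prompt now reads `Enter remote sudo password:` while the variable stays `ROOT_PASS`/`DEPLOYTOOL_ROOT_PASSWORD`; a one-line comment such as `# "root" password here means the remote user's sudo password` would keep the two names from reading as different secrets.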
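--- a/tlsenv.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-YEAR=$(date +%Y)
-
-export NOMAD_ADDR=https://localhost:14646
-export NOMAD_CACERT=$SCRIPT_DIR/secrets/pki/nomad-ca.crt
-export NOMAD_CLIENT_CERT=$SCRIPT_DIR/secrets/pki/nomad$YEAR-client.crt
-export NOMAD_CLIENT_KEY=$SCRIPT_DIR/secrets/pki/nomad$YEAR-client.key
-
-export CONSUL_HTTP_ADDR=https://localhost:8501
-export CONSUL_CACERT=$SCRIPT_DIR/secrets/pki/consul-ca.crt
-export CONSUL_CLIENT_CERT=$SCRIPT_DIR/secrets/pki/consul$YEAR-client.crt
-export CONSUL_CLIENT_KEY=$SCRIPT_DIR/secrets/pki/consul$YEAR-client.key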
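--- /dev/null
+++ b/tlsproxy
@@ -0,0 +1,47 @@
+#!/bin/sh
+
+set -xe
+
+# Enter proper cluster subdirectory
+
+cd $(dirname $0)
+
+CLUSTER="$1"
+if [ ! -d "cluster/$CLUSTER" ]; then
+echo "Usage: $0 <cluster name>"
+echo "The cluster name must be the name of a subdirectory of cluster/"
+exit 1
+fi
+
+PREFIX="deuxfleurs/cluster/$CLUSTER"
+
+# Do actual stuff
+
+YEAR=$(date +%Y)
+
+CERTDIR=$(mktemp -d)
+
+_int() {
+echo "Caught SIGINT signal!"
+rm -rv $CERTDIR
+kill -INT "$child1" 2>/dev/null
+kill -INT "$child2" 2>/dev/null
+}
+
+trap _int SIGINT
+
+pass $PREFIX/nomad$YEAR.crt > $CERTDIR/nomad.crt
+pass $PREFIX/nomad$YEAR-client.crt > $CERTDIR/nomad-client.crt
+pass $PREFIX/nomad$YEAR-client.key > $CERTDIR/nomad-client.key
+pass $PREFIX/consul$YEAR.crt > $CERTDIR/consul.crt
+pass $PREFIX/consul$YEAR-client.crt > $CERTDIR/consul-client.crt
+pass $PREFIX/consul$YEAR-client.key > $CERTDIR/consul-client.key
+
+socat -dd tcp4-listen:4646,reuseaddr,fork openssl:localhost:14646,cert=$CERTDIR/nomad-client.crt,key=$CERTDIR/nomad-client.key,cafile=$CERTDIR/nomad.crt &
+child1=$!
+
+socat -dd tcp4-listen:8500,reuseaddr,fork openssl:localhost:8501,cert=$CERTDIR/consul-client.crt,key=$CERTDIR/consul-client.key,cafile=$CERTDIR/consul.crt &
+child2=$!
+
+wait "$child1"
+wait "$child2"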
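Review bot: The client keys extracted from `pass` into `$CERTDIR` are only deleted on SIGINT, because `trap _int SIGINT` is the only trap: a `set -e` abort on one of the `pass` lines, a SIGTERM, or the two socat children exiting on their own all leave the keys behind in the `mktemp -d` directory. Register the handler for the other exit paths too, `trap _int EXIT INT TERM`, and quote the removal, `rm -rv "$CERTDIR"`, so the path is passed as a single word. `mktemp -d` creates the directory with owner-only permissions by default, so while it exists only the invoking user can read the keys, but its lifetime should end with the process rather than depend on how the script was stopped. With `#!/bin/sh` the portable spelling of the signal name is `INT`; whether the system's `sh` accepts the `SIG` prefix depends on the implementation, so `trap _int EXIT INT TERM` also removes that doubt.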
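--- a/tlsproxy.sh
+++ /dev/null
@@ -1,37 +0,0 @@
-#!/bin/sh
-
-set -xe
-
-# Enter proper cluster subdirectory
-
-cd $(dirname $0)
-
-CLUSTER="$1"
-if [ ! -d "cluster/$CLUSTER" ]; then
-echo "Usage: $0 <cluster name>"
-echo "The cluster name must be the name of a subdirectory of cluster/"
-exit 1
-fi
-
-cd cluster/$CLUSTER
-
-# Do actual stuff
-
-YEAR=$(date +%Y)
-
-_int() {
-echo "Caught SIGINT signal!"
-kill -INT "$child1" 2>/dev/null
-kill -INT "$child2" 2>/dev/null
-}
-
-trap _int SIGINT
-
-socat -dd tcp4-listen:4646,reuseaddr,fork openssl:localhost:14646,cert=secrets/pki/nomad$YEAR-client.crt,key=secrets/pki/nomad$YEAR-client.key,cafile=secrets/pki/nomad$YEAR.crt &
-child1=$!
-
-socat -dd tcp4-listen:8500,reuseaddr,fork openssl:localhost:8501,cert=secrets/pki/consul$YEAR-client.crt,key=secrets/pki/consul$YEAR-client.key,cafile=secrets/pki/consul$YEAR.crt &
-child2=$!
-
-wait "$child1"
-wait "$child2"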