tlsproxy from pass; fix tls stuff

Alex 2022-04-20 15:29:24 +02:00
parent 7c1444b714
commit 226fbabf65
Signed by untrusted user: lx
GPG key ID: 0E496D15096376BE
5 changed files with 56 additions and 53 deletions


@ -5,7 +5,9 @@ YEAR=$(date +%Y)
cmd mkdir -p /var/lib/nomad/pki /var/lib/consul/pki cmd mkdir -p /var/lib/nomad/pki /var/lib/consul/pki
for file in consul-ca.crt consul$YEAR.crt consul$YEAR.key consul$YEAR-client.crt consul$YEAR-client.key; do for file in consul-ca.crt consul$YEAR.crt consul$YEAR.key \
consul$YEAR-client.crt consul$YEAR-client.key
do
if pass $PKI/$file >/dev/null; then if pass $PKI/$file >/dev/null; then
write_pass $PKI/$file /var/lib/consul/pki/$file write_pass $PKI/$file /var/lib/consul/pki/$file
cmd chown consul:root /var/lib/consul/pki/$file cmd chown consul:root /var/lib/consul/pki/$file
@ -15,9 +17,12 @@ done
cmd systemctl restart consul cmd systemctl restart consul
cmd sleep 10 cmd sleep 10
for file in nomad-ca.crt nomad$YEAR.crt nomad$YEAR.key; do for file in nomad-ca.crt nomad$YEAR.crt nomad$YEAR.key \
consul$YEAR.crt consul$YEAR-client.crt consul$YEAR-client.key
do
if pass $PKI/$file >/dev/null; then if pass $PKI/$file >/dev/null; then
write_pass $PKI/$file /var/lib/nomad/pki/$file write_pass $PKI/$file /var/lib/nomad/pki/$file
cmd "chown \$(stat -c %u /var/lib/private/nomad) /var/lib/nomad/pki/$file"
fi fi
done done
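Review bot: The new nomad loop copies `consul$YEAR-client.key` into /var/lib/nomad/pki alongside the consul certs, and the only protection applied to it on the new side is the uid `chown` on the line above; the mode the file is created with depends on `write_pass`, which is defined outside this hunk, so if it does not already restrict the key to 0600 add `cmd chmod 0600 /var/lib/nomad/pki/$file` after the chown (a `case "$file" in *.key)` arm would keep the certs world-readable as before). The chown target is computed remotely with `\$(stat -c %u /var/lib/private/nomad)`; if that directory does not exist yet on a fresh host the substitution expands empty and the file stays root-owned, which is presumably why the chown is deferred this way, so a guard such as `[ -d /var/lib/private/nomad ] || exit 1` in front of it would make that case fail loudly rather than silently. The same silent-skip applies to the `if pass ... ; then` test with no `else`: a missing or misnamed entry in pass leaves nomad without that file, so a warning to stderr in an `else` branch would help. Both loops and the enclosing script start and end outside these hunks, and the page appears to drop a couple of lines per hunk (the hunk headers count more lines than are shown).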


@ -20,7 +20,7 @@ else
fi fi
if [ -z "$ROOT_PASS" ]; then if [ -z "$ROOT_PASS" ]; then
read -s -p "Enter remote root password: " ROOT_PASS read -s -p "Enter remote sudo password: " ROOT_PASS
echo echo
fi fi
@ -35,7 +35,7 @@ echo \$DEPLOYTOOL_ROOT_PASSWORD
EOG EOG
chmod +x /tmp/deploytool_askpass chmod +x /tmp/deploytool_askpass
export SUDO_ASKPASS=/tmp/deploytool_askpass export SUDO_ASKPASS=/tmp/deploytool_askpass
sudo -A sh - <<EOEVERYTHING sudo -A sh - <<'EOEVERYTHING'
EOF EOF
} }
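Review bot: The askpass helper that the changed `sudo -A sh - <<'EOEVERYTHING'` line relies on lives at a fixed, predictable path, `/tmp/deploytool_askpass` (the `chmod +x` and `export SUDO_ASKPASS=` lines in the same hunk), in a directory shared with every local user of the remote host, so a stale or pre-existing file at that name is reused rather than detected; create it with `mktemp` instead, e.g. `askpass=$(mktemp) && cat >"$askpass" <<EOG` together with `export SUDO_ASKPASS=$askpass`, and remove it once the sudo session has started. Whether the helper is deleted later is not visible here, and the function these hunks belong to starts outside both of them. Since the outer `EOF` heredoc is still unquoted, local `$var` expansion of the remote script body is unchanged by this commit; only the remote login shell's second expansion is suppressed, which is worth a one-line comment above the `sudo -A` line, e.g. `# quoted delimiter: let 'sudo sh' (not the login shell) expand $(...) in the body`.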


@ -1,12 +0,0 @@
SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
YEAR=$(date +%Y)
export NOMAD_ADDR=https://localhost:14646
export NOMAD_CACERT=$SCRIPT_DIR/secrets/pki/nomad-ca.crt
export NOMAD_CLIENT_CERT=$SCRIPT_DIR/secrets/pki/nomad$YEAR-client.crt
export NOMAD_CLIENT_KEY=$SCRIPT_DIR/secrets/pki/nomad$YEAR-client.key
export CONSUL_HTTP_ADDR=https://localhost:8501
export CONSUL_CACERT=$SCRIPT_DIR/secrets/pki/consul-ca.crt
export CONSUL_CLIENT_CERT=$SCRIPT_DIR/secrets/pki/consul$YEAR-client.crt
export CONSUL_CLIENT_KEY=$SCRIPT_DIR/secrets/pki/consul$YEAR-client.key

47
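--- /dev/null
+++ b/tlsproxy
@@ -0,0 +1,47 @@
+#!/bin/sh
+set -xe
+# Enter proper cluster subdirectory
+cd $(dirname $0)
+CLUSTER="$1"
+if [ ! -d "cluster/$CLUSTER" ]; then
+echo "Usage: $0 <cluster name>"
+echo "The cluster name must be the name of a subdirectory of cluster/"
+exit 1
+fi
+PREFIX="deuxfleurs/cluster/$CLUSTER"
+# Do actual stuff
+YEAR=$(date +%Y)
+CERTDIR=$(mktemp -d)
+_int() {
+echo "Caught SIGINT signal!"
+rm -rv $CERTDIR
+kill -INT "$child1" 2>/dev/null
+kill -INT "$child2" 2>/dev/null
+}
+trap _int SIGINT
+pass $PREFIX/nomad$YEAR.crt > $CERTDIR/nomad.crt
+pass $PREFIX/nomad$YEAR-client.crt > $CERTDIR/nomad-client.crt
+pass $PREFIX/nomad$YEAR-client.key > $CERTDIR/nomad-client.key
+pass $PREFIX/consul$YEAR.crt > $CERTDIR/consul.crt
+pass $PREFIX/consul$YEAR-client.crt > $CERTDIR/consul-client.crt
+pass $PREFIX/consul$YEAR-client.key > $CERTDIR/consul-client.key
+socat -dd tcp4-listen:4646,reuseaddr,fork openssl:localhost:14646,cert=$CERTDIR/nomad-client.crt,key=$CERTDIR/nomad-client.key,cafile=$CERTDIR/nomad.crt &
+child1=$!
+socat -dd tcp4-listen:8500,reuseaddr,fork openssl:localhost:8501,cert=$CERTDIR/consul-client.crt,key=$CERTDIR/consul-client.key,cafile=$CERTDIR/consul.crt &
+child2=$!
+wait "$child1"
+wait "$child2"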
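Review bot: The two `socat` listeners use `tcp4-listen:4646,reuseaddr,fork` and `tcp4-listen:8500,reuseaddr,fork` without a bind address, so the plaintext side of the proxy is reachable from any interface on the machine and every peer that can reach it talks to Nomad and Consul with the operator's client certificate; restrict both to loopback with `tcp4-listen:4646,bind=127.0.0.1,reuseaddr,fork` and `tcp4-listen:8500,bind=127.0.0.1,reuseaddr,fork`. The client private keys exported into `$CERTDIR` are only removed by `_int`, which is installed for SIGINT alone, so under `set -e` a failing `pass` call, a SIGTERM or the children exiting on their own leaves the keys behind in the temp dir; install the handler as `trap _int EXIT INT TERM` (and adjust its "Caught SIGINT" message accordingly), and quote `"$CERTDIR"` in the `rm -rv` line. The script is `#!/bin/sh`, and `trap _int SIGINT` with the `SIG` prefix is not accepted by every POSIX sh, which is one more reason to spell it `INT`.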


@ -1,37 +0,0 @@
#!/bin/sh
set -xe
# Enter proper cluster subdirectory
cd $(dirname $0)
CLUSTER="$1"
if [ ! -d "cluster/$CLUSTER" ]; then
echo "Usage: $0 <cluster name>"
echo "The cluster name must be the name of a subdirectory of cluster/"
exit 1
fi
cd cluster/$CLUSTER
# Do actual stuff
YEAR=$(date +%Y)
_int() {
echo "Caught SIGINT signal!"
kill -INT "$child1" 2>/dev/null
kill -INT "$child2" 2>/dev/null
}
trap _int SIGINT
socat -dd tcp4-listen:4646,reuseaddr,fork openssl:localhost:14646,cert=secrets/pki/nomad$YEAR-client.crt,key=secrets/pki/nomad$YEAR-client.key,cafile=secrets/pki/nomad$YEAR.crt &
child1=$!
socat -dd tcp4-listen:8500,reuseaddr,fork openssl:localhost:8501,cert=secrets/pki/consul$YEAR-client.crt,key=secrets/pki/consul$YEAR-client.key,cafile=secrets/pki/consul$YEAR.crt &
child2=$!
wait "$child1"
wait "$child2"