forked from Deuxfleurs/nixcfg
Add TLS to Nomad
This commit is contained in:
parent
230c1d727b
commit
b00a8358b2
5 changed files with 136 additions and 2 deletions
|
@ -224,6 +224,15 @@ in
|
||||||
enabled = true;
|
enabled = true;
|
||||||
network_interface = "wg0";
|
network_interface = "wg0";
|
||||||
};
|
};
|
||||||
|
tls = {
|
||||||
|
http = true;
|
||||||
|
rpc = true;
|
||||||
|
ca_file = "/var/lib/nomad/pki/nomad-ca.crt";
|
||||||
|
cert_file = "/var/lib/nomad/pki/nomad2021.crt";
|
||||||
|
key_file = "/var/lib/nomad/pki/nomad2021.key";
|
||||||
|
verify_server_hostname = true;
|
||||||
|
verify_https_client = true;
|
||||||
|
};
|
||||||
plugin = [
|
plugin = [
|
||||||
{
|
{
|
||||||
docker = [
|
docker = [
|
||||||
|
|
13
deploy.sh
13
deploy.sh
|
@ -10,6 +10,8 @@ fi
|
||||||
|
|
||||||
TMP_PATH=/tmp/tmp-deploy-$(date +%s)
|
TMP_PATH=/tmp/tmp-deploy-$(date +%s)
|
||||||
|
|
||||||
|
YEAR=$(date +%Y)
|
||||||
|
|
||||||
for NIXHOST in $NIXHOSTLIST; do
|
for NIXHOST in $NIXHOSTLIST; do
|
||||||
NIXHOST=${NIXHOST%.*}
|
NIXHOST=${NIXHOST%.*}
|
||||||
|
|
||||||
|
@ -23,13 +25,15 @@ for NIXHOST in $NIXHOSTLIST; do
|
||||||
|
|
||||||
echo "Sending NixOS config files"
|
echo "Sending NixOS config files"
|
||||||
|
|
||||||
ssh -F ssh_config $SSH_DEST mkdir -p $TMP_PATH
|
ssh -F ssh_config $SSH_DEST mkdir -p $TMP_PATH $TMP_PATH/pki
|
||||||
cat configuration.nix | ssh -F ssh_config $SSH_DEST tee $TMP_PATH/configuration.nix > /dev/null
|
cat configuration.nix | ssh -F ssh_config $SSH_DEST tee $TMP_PATH/configuration.nix > /dev/null
|
||||||
cat node/$NIXHOST.nix | ssh -F ssh_config $SSH_DEST tee $TMP_PATH/node.nix > /dev/null
|
cat node/$NIXHOST.nix | ssh -F ssh_config $SSH_DEST tee $TMP_PATH/node.nix > /dev/null
|
||||||
cat node/$NIXHOST.site.nix | ssh -F ssh_config $SSH_DEST tee $TMP_PATH/site.nix > /dev/null
|
cat node/$NIXHOST.site.nix | ssh -F ssh_config $SSH_DEST tee $TMP_PATH/site.nix > /dev/null
|
||||||
|
|
||||||
echo "Sending secret files"
|
echo "Sending secret files"
|
||||||
test -f secrets/rclone.conf && (cat secrets/rclone.conf | ssh -F ssh_config $SSH_DEST tee $TMP_PATH/rclone.conf > /dev/null)
|
for SECRET in rclone.conf pki/nomad-ca.crt pki/nomad$YEAR.crt pki/nomad$YEAR.key; do
|
||||||
|
test -f secrets/$SECRET && (cat secrets/$SECRET | ssh -F ssh_config $SSH_DEST tee $TMP_PATH/$SECRET > /dev/null)
|
||||||
|
done
|
||||||
|
|
||||||
echo "Rebuilding NixOS"
|
echo "Rebuilding NixOS"
|
||||||
|
|
||||||
|
@ -38,7 +42,12 @@ set -ex
|
||||||
|
|
||||||
cd $TMP_PATH
|
cd $TMP_PATH
|
||||||
mv configuration.nix node.nix site.nix /etc/nixos
|
mv configuration.nix node.nix site.nix /etc/nixos
|
||||||
|
|
||||||
test -f rclone.conf && (mv rclone.conf /root; chmod 600 /root/rclone.conf)
|
test -f rclone.conf && (mv rclone.conf /root; chmod 600 /root/rclone.conf)
|
||||||
|
|
||||||
|
mkdir -p /var/lib/nomad/pki
|
||||||
|
test -f pki/nomad-ca.crt && mv -v pki/nomad* /var/lib/nomad/pki
|
||||||
|
|
||||||
nixos-rebuild switch
|
nixos-rebuild switch
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
|
|
7
env.sh
Normal file
7
env.sh
Normal file
|
@ -0,0 +1,7 @@
|
||||||
|
SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
|
||||||
|
YEAR=$(date +%Y)
|
||||||
|
|
||||||
|
export NOMAD_ADDR=https://localhost:14646
|
||||||
|
export NOMAD_CACERT=$SCRIPT_DIR/secrets/pki/nomad-ca.crt
|
||||||
|
export NOMAD_CLIENT_CERT=$SCRIPT_DIR/secrets/pki/nomad$YEAR-client.crt
|
||||||
|
export NOMAD_CLIENT_KEY=$SCRIPT_DIR/secrets/pki/nomad$YEAR-client.key
|
104
genpki.sh
Executable file
104
genpki.sh
Executable file
|
@ -0,0 +1,104 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
set -xe
|
||||||
|
|
||||||
|
cd $(dirname $0)
|
||||||
|
|
||||||
|
mkdir -p secrets/pki
|
||||||
|
cd secrets/pki
|
||||||
|
|
||||||
|
YEAR=$(date +%Y)
|
||||||
|
for APP in consul nomad; do
|
||||||
|
# 1. Create certificate authority
|
||||||
|
if [ ! -f $APP-ca.key ]; then
|
||||||
|
echo "Generating $APP CA keys..."
|
||||||
|
#openssl genpkey -algorithm ED25519 -out $APP-ca.key
|
||||||
|
openssl genrsa -out $APP-ca.key 4096
|
||||||
|
|
||||||
|
openssl req -x509 -new -nodes -key $APP-ca.key -sha256 -days 3650 -out $APP-ca.crt -subj "/C=FR/O=Deuxfleurs/CN=$APP"
|
||||||
|
fi
|
||||||
|
|
||||||
|
CERT="${APP}${YEAR}"
|
||||||
|
|
||||||
|
# 2. Create and sign certificates for inter-node communication
|
||||||
|
if [ ! -f $CERT.crt ]; then
|
||||||
|
echo "Generating $CERT agent keys..."
|
||||||
|
if [ ! -f $CERT.key ]; then
|
||||||
|
#openssl genpkey -algorithm ED25519 -out $CERT.key
|
||||||
|
openssl genrsa -out $CERT.key 4096
|
||||||
|
fi
|
||||||
|
openssl req -new -sha256 -key $CERT.key \
|
||||||
|
-subj "/C=FR/O=Deuxfleurs/CN=$APP" \
|
||||||
|
-out $CERT.csr
|
||||||
|
openssl req -in $CERT.csr -noout -text
|
||||||
|
openssl x509 -req -in $CERT.csr \
|
||||||
|
-extensions v3_req \
|
||||||
|
-extfile <(cat <<EOF
|
||||||
|
[req]
|
||||||
|
distinguished_name = req_distinguished_name
|
||||||
|
req_extensions = v3_req
|
||||||
|
prompt = no
|
||||||
|
|
||||||
|
[req_distinguished_name]
|
||||||
|
C = FR
|
||||||
|
O = Deuxfleurs
|
||||||
|
CN = $APP
|
||||||
|
|
||||||
|
[v3_req]
|
||||||
|
keyUsage = keyEncipherment, keyCertSign, dataEncipherment, serverAuth, clientAuth
|
||||||
|
subjectAltName = @alt_names
|
||||||
|
|
||||||
|
[alt_names]
|
||||||
|
DNS.1 = server.staging.$APP
|
||||||
|
DNS.2 = client.staging.$APP
|
||||||
|
DNS.3 = localhost
|
||||||
|
DNS.4 = 127.0.0.1
|
||||||
|
EOF
|
||||||
|
) \
|
||||||
|
-CA $APP-ca.crt -CAkey $APP-ca.key -CAcreateserial \
|
||||||
|
-out $CERT.crt -days 700
|
||||||
|
rm $CERT.csr
|
||||||
|
fi
|
||||||
|
|
||||||
|
# 3. Create client-only certificate used for the CLI
|
||||||
|
if [ ! -f $CERT-client.crt ]; then
|
||||||
|
echo "Generating $CERT client keys..."
|
||||||
|
if [ ! -f $CERT-client.key ]; then
|
||||||
|
#openssl genpkey -algorithm ED25519 -out $CERT-client.key
|
||||||
|
openssl genrsa -out $CERT-client.key 4096
|
||||||
|
fi
|
||||||
|
openssl req -new -sha256 -key $CERT-client.key \
|
||||||
|
-subj "/C=FR/O=Deuxfleurs/CN=$APP-client" \
|
||||||
|
-out $CERT-client.csr
|
||||||
|
openssl req -in $CERT-client.csr -noout -text
|
||||||
|
openssl x509 -req -in $CERT-client.csr \
|
||||||
|
-extensions v3_req \
|
||||||
|
-extfile <(cat <<EOF
|
||||||
|
[req]
|
||||||
|
distinguished_name = req_distinguished_name
|
||||||
|
req_extensions = v3_req
|
||||||
|
prompt = no
|
||||||
|
|
||||||
|
[req_distinguished_name]
|
||||||
|
C = FR
|
||||||
|
O = Deuxfleurs
|
||||||
|
CN = $APP-client
|
||||||
|
|
||||||
|
[v3_req]
|
||||||
|
keyUsage = keyEncipherment, keyCertSign, dataEncipherment, clientAuth
|
||||||
|
subjectAltName = @alt_names
|
||||||
|
|
||||||
|
[alt_names]
|
||||||
|
DNS.1 = client.staging.$APP
|
||||||
|
EOF
|
||||||
|
) \
|
||||||
|
-CA $APP-ca.crt -CAkey $APP-ca.key -CAcreateserial \
|
||||||
|
-out $CERT-client.crt -days 700
|
||||||
|
rm $CERT-client.csr
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ ! -f $CERT-client.p12 ]; then
|
||||||
|
openssl pkcs12 -export -out $CERT-client.p12 \
|
||||||
|
-in $APP-ca.pem -in $CERT-client.crt -inkey $CERT-client.key
|
||||||
|
fi
|
||||||
|
done
|
5
sslproxy.sh
Executable file
5
sslproxy.sh
Executable file
|
@ -0,0 +1,5 @@
|
||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
YEAR=$(date +%Y)
|
||||||
|
|
||||||
|
socat -dd tcp4-listen:4646,reuseaddr,fork openssl:localhost:14646,cert=secrets/pki/nomad$YEAR-client.crt,key=secrets/pki/nomad$YEAR-client.key,cafile=secrets/pki/nomad$YEAR.crt
|
Loading…
Reference in a new issue