nixcfg/genpki.sh

#!/bin/bash

set -xe

cd $(dirname $0)

mkdir -p secrets/pki
cd secrets/pki

YEAR=$(date +%Y)
for APP in consul nomad; do
	# 1. Create certificate authority
	if [ ! -f $APP-ca.key ]; then
		echo "Generating $APP CA keys..."
		#openssl genpkey -algorithm ED25519 -out $APP-ca.key
		openssl genrsa -out $APP-ca.key 4096

		openssl req -x509 -new -nodes -key $APP-ca.key -sha256 -days 3650 -out $APP-ca.crt -subj "/C=FR/O=Deuxfleurs/CN=$APP"
	fi

	CERT="${APP}${YEAR}"

	# 2. Create and sign certificates for inter-node communication
	if [ ! -f $CERT.crt ]; then
		echo "Generating $CERT agent keys..."
		if [ ! -f $CERT.key ]; then
			#openssl genpkey -algorithm ED25519 -out $CERT.key
			openssl genrsa -out $CERT.key 4096
		fi
		openssl req -new -sha256 -key $CERT.key \
			-subj "/C=FR/O=Deuxfleurs/CN=$APP" \
			-out $CERT.csr
		openssl req -in $CERT.csr -noout -text
		openssl x509 -req -in $CERT.csr \
			-extensions v3_req \
			-extfile <(cat <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = FR
O = Deuxfleurs
CN = $APP

[v3_req]
keyUsage = keyEncipherment, keyCertSign, dataEncipherment, serverAuth, clientAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = server.staging.$APP
DNS.2 = client.staging.$APP
DNS.3 = localhost
DNS.4 = 127.0.0.1
EOF
	) \
			-CA $APP-ca.crt -CAkey $APP-ca.key -CAcreateserial \
			-out $CERT.crt -days 700
		rm $CERT.csr
	fi

	# 3. Create client-only certificate used for the CLI
	if [ ! -f $CERT-client.crt ]; then
		echo "Generating $CERT client keys..."
		if [ ! -f $CERT-client.key ]; then
			#openssl genpkey -algorithm ED25519 -out $CERT-client.key
			openssl genrsa -out $CERT-client.key 4096
		fi
		openssl req -new -sha256 -key $CERT-client.key \
			-subj "/C=FR/O=Deuxfleurs/CN=$APP-client" \
			-out $CERT-client.csr
		openssl req -in $CERT-client.csr -noout -text
		openssl x509 -req -in $CERT-client.csr \
			-extensions v3_req \
			-extfile <(cat <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = FR
O = Deuxfleurs
CN = $APP-client

[v3_req]
keyUsage = keyEncipherment, keyCertSign, dataEncipherment, clientAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = client.staging.$APP
EOF
	) \
			-CA $APP-ca.crt -CAkey $APP-ca.key -CAcreateserial \
			-out $CERT-client.crt -days 700
		rm $CERT-client.csr
	fi

	if [ ! -f $CERT-client.p12 ]; then
		openssl pkcs12 -export -out $CERT-client.p12 \
			-in $APP-ca.pem -in $CERT-client.crt -inkey $CERT-client.key
	fi
done
Add TLS to Nomad 2021-12-30 18:27:32 +00:00			`#!/bin/bash`

			`set -xe`

			`cd $(dirname $0)`

			`mkdir -p secrets/pki`
			`cd secrets/pki`

			`YEAR=$(date +%Y)`
			`for APP in consul nomad; do`
			`# 1. Create certificate authority`
			`if [ ! -f $APP-ca.key ]; then`
			`echo "Generating $APP CA keys..."`
			`#openssl genpkey -algorithm ED25519 -out $APP-ca.key`
			`openssl genrsa -out $APP-ca.key 4096`

			`openssl req -x509 -new -nodes -key $APP-ca.key -sha256 -days 3650 -out $APP-ca.crt -subj "/C=FR/O=Deuxfleurs/CN=$APP"`
			`fi`

			`CERT="${APP}${YEAR}"`

			`# 2. Create and sign certificates for inter-node communication`
			`if [ ! -f $CERT.crt ]; then`
			`echo "Generating $CERT agent keys..."`
			`if [ ! -f $CERT.key ]; then`
			`#openssl genpkey -algorithm ED25519 -out $CERT.key`
			`openssl genrsa -out $CERT.key 4096`
			`fi`
			`openssl req -new -sha256 -key $CERT.key \`
			`-subj "/C=FR/O=Deuxfleurs/CN=$APP" \`
			`-out $CERT.csr`
			`openssl req -in $CERT.csr -noout -text`
			`openssl x509 -req -in $CERT.csr \`
			`-extensions v3_req \`
			`-extfile <(cat <<EOF`
			`[req]`
			`distinguished_name = req_distinguished_name`
			`req_extensions = v3_req`
			`prompt = no`

			`[req_distinguished_name]`
			`C = FR`
			`O = Deuxfleurs`
			`CN = $APP`

			`[v3_req]`
			`keyUsage = keyEncipherment, keyCertSign, dataEncipherment, serverAuth, clientAuth`
			`subjectAltName = @alt_names`

			`[alt_names]`
			`DNS.1 = server.staging.$APP`
			`DNS.2 = client.staging.$APP`
			`DNS.3 = localhost`
			`DNS.4 = 127.0.0.1`
			`EOF`
			`) \`
			`-CA $APP-ca.crt -CAkey $APP-ca.key -CAcreateserial \`
			`-out $CERT.crt -days 700`
			`rm $CERT.csr`
			`fi`

			`# 3. Create client-only certificate used for the CLI`
			`if [ ! -f $CERT-client.crt ]; then`
			`echo "Generating $CERT client keys..."`
			`if [ ! -f $CERT-client.key ]; then`
			`#openssl genpkey -algorithm ED25519 -out $CERT-client.key`
			`openssl genrsa -out $CERT-client.key 4096`
			`fi`
			`openssl req -new -sha256 -key $CERT-client.key \`
			`-subj "/C=FR/O=Deuxfleurs/CN=$APP-client" \`
			`-out $CERT-client.csr`
			`openssl req -in $CERT-client.csr -noout -text`
			`openssl x509 -req -in $CERT-client.csr \`
			`-extensions v3_req \`
			`-extfile <(cat <<EOF`
			`[req]`
			`distinguished_name = req_distinguished_name`
			`req_extensions = v3_req`
			`prompt = no`

			`[req_distinguished_name]`
			`C = FR`
			`O = Deuxfleurs`
			`CN = $APP-client`

			`[v3_req]`
			`keyUsage = keyEncipherment, keyCertSign, dataEncipherment, clientAuth`
			`subjectAltName = @alt_names`

			`[alt_names]`
			`DNS.1 = client.staging.$APP`
			`EOF`
			`) \`
			`-CA $APP-ca.crt -CAkey $APP-ca.key -CAcreateserial \`
			`-out $CERT-client.crt -days 700`
			`rm $CERT-client.csr`
			`fi`

			`if [ ! -f $CERT-client.p12 ]; then`
			`openssl pkcs12 -export -out $CERT-client.p12 \`
			`-in $APP-ca.pem -in $CERT-client.crt -inkey $CERT-client.key`
			`fi`
			`done`