authorAlex Auvolat <alex@adnab.me>2021-12-30 20:56:13 +0100
committerAlex Auvolat <alex@adnab.me>2021-12-30 20:56:13 +0100
commit5ea4cef2946a71467c519db803cd1c31f1ffff20 (patch)
tree5eb1f5ddd1f06650511f1b1442d50112427b0fa6
parentb00a8358b20ac99912bacafd8fee5466da257e67 (diff)
downloadnixcfg-5ea4cef2946a71467c519db803cd1c31f1ffff20.tar.gz
nixcfg-5ea4cef2946a71467c519db803cd1c31f1ffff20.zip
Enable TLS for Consul
-rw-r--r--app/core/deploy/core.hcl24
-rw-r--r--app/frontend/deploy/frontend-tricot.hcl24
-rw-r--r--configuration.nix21
-rwxr-xr-xdeploy.sh26
-rw-r--r--env.sh5
-rwxr-xr-xsslproxy.sh17
6 files changed, 109 insertions, 8 deletions
diff --git a/app/core/deploy/core.hcl b/app/core/deploy/core.hcl
index fd4176a..f57f21d 100644
--- a/app/core/deploy/core.hcl
+++ b/app/core/deploy/core.hcl
@@ -18,9 +18,12 @@ job "core" {
driver = "docker"
config {
- image = "lxpz/amd64_diplonat:2"
+ image = "lxpz/amd64_diplonat:3"
network_mode = "host"
readonly_rootfs = true
+ volumes = [
+ "secrets:/etc/diplonat",
+ ]
}
restart {
@@ -31,10 +34,29 @@ job "core" {
}
template {
+ data = "{{ key \"secrets/consul/consul-ca.crt\" }}"
+ destination = "secrets/consul-ca.crt"
+ }
+
+ template {
+ data = "{{ key \"secrets/consul/consul-client.crt\" }}"
+ destination = "secrets/consul-client.crt"
+ }
+
+ template {
+ data = "{{ key \"secrets/consul/consul-client.key\" }}"
+ destination = "secrets/consul-client.key"
+ }
+
+ template {
data = <<EOH
DIPLONAT_REFRESH_TIME=60
DIPLONAT_EXPIRATION_TIME=300
DIPLONAT_CONSUL_NODE_NAME={{ env "attr.unique.hostname" }}
+DIPLONAT_CONSUL_URL=https://localhost:8501
+DIPLONAT_CONSUL_CA_CERT=/etc/diplonat/consul-ca.crt
+DIPLONAT_CONSUL_CLIENT_CERT=/etc/diplonat/consul-client.crt
+DIPLONAT_CONSUL_CLIENT_KEY=/etc/diplonat/consul-client.key
RUST_LOG=debug
EOH
destination = "secrets/env"
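Review bot: The template that renders `secrets/consul/consul-client.key` into `secrets/consul-client.key` leaves the private key at Nomad's default template file mode, which is group- and world-readable; add `perms = "0600"` to that template stanza (the same applies to the matching key stanza in frontend-tricot.hcl). All three new templates also read from Consul KV, so the shared client private key is obtainable by anything that can read the `secrets/consul/` prefix; no ACL policy for that prefix is visible in this commit, so that is worth confirming before relying on it. The enclosing `job "core"` block continues outside the hunk.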
diff --git a/app/frontend/deploy/frontend-tricot.hcl b/app/frontend/deploy/frontend-tricot.hcl
index 4e35d0d..d20ff40 100644
--- a/app/frontend/deploy/frontend-tricot.hcl
+++ b/app/frontend/deploy/frontend-tricot.hcl
@@ -14,10 +14,13 @@ job "frontend" {
driver = "docker"
config {
- image = "lxpz/amd64_tricot:25"
+ image = "lxpz/amd64_tricot:27"
network_mode = "host"
readonly_rootfs = true
ports = [ "http_port", "https_port", "admin_port" ]
+ volumes = [
+ "secrets:/etc/tricot",
+ ]
}
resources {
@@ -33,10 +36,29 @@ job "frontend" {
}
template {
+ data = "{{ key \"secrets/consul/consul-ca.crt\" }}"
+ destination = "secrets/consul-ca.crt"
+ }
+
+ template {
+ data = "{{ key \"secrets/consul/consul-client.crt\" }}"
+ destination = "secrets/consul-client.crt"
+ }
+
+ template {
+ data = "{{ key \"secrets/consul/consul-client.key\" }}"
+ destination = "secrets/consul-client.key"
+ }
+
+ template {
data = <<EOH
TRICOT_NODE_NAME={{ env "attr.unique.hostname" }}
TRICOT_LETSENCRYPT_EMAIL=alex@adnab.me
TRICOT_ENABLE_COMPRESSION=true
+TRICOT_CONSUL_HOST=https://localhost:8501
+TRICOT_CONSUL_CA_CERT=/etc/tricot/consul-ca.crt
+TRICOT_CONSUL_CLIENT_CERT=/etc/tricot/consul-client.crt
+TRICOT_CONSUL_CLIENT_KEY=/etc/tricot/consul-client.key
RUST_LOG=tricot=trace
EOH
destination = "secrets/env"
diff --git a/configuration.nix b/configuration.nix
index 205eb6d..6fbfb3f 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -200,8 +200,19 @@ in
datacenter = "staging";
ui = true;
bind_addr = public_ip;
- addresses.http = "0.0.0.0";
+
+ ports.http = -1;
+ addresses.https = "0.0.0.0";
+ ports.https = 8501;
+
retry_join = [ "10.42.0.2" "10.42.0.21" "10.42.0.22" "10.42.0.23" ];
+
+ ca_file = "/var/lib/consul/pki/consul-ca.crt";
+ cert_file = "/var/lib/consul/pki/consul2021.crt";
+ key_file = "/var/lib/consul/pki/consul2021.key";
+ verify_incoming = true;
+ verify_outgoing = true;
+ verify_server_hostname = true;
};
services.nomad.enable = true;
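Review bot: The certificate paths added here hard-code the year (`consul2021.crt`, `consul2021.key`, and in the Nomad `consul` block below `consul2021-client.*`), while deploy.sh copies files named from `$YEAR` (defined outside this diff; sslproxy.sh derives it from `date +%Y`). With this commit dated 2021-12-30, a deploy run in January 2022 would ship `consul2022*` files that nothing in configuration.nix references, leaving Consul and Nomad on the 2021 files or failing if those are removed. Either derive the year once in the `let` block that this `in` belongs to and use it in every path, or have deploy.sh install the files under a stable unversioned name. The enclosing Consul settings block starts outside the hunk.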
@@ -219,7 +230,13 @@ in
http = public_ip;
serf = public_ip;
};
- consul.address = "127.0.0.1:8500";
+ consul = {
+ address = "localhost:8501";
+ ca_file = "/var/lib/nomad/pki/consul2021.crt";
+ cert_file = "/var/lib/nomad/pki/consul2021-client.crt";
+ key_file = "/var/lib/nomad/pki/consul2021-client.key";
+ ssl = true;
+ };
client = {
enabled = true;
network_interface = "wg0";
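Review bot: The Nomad `consul.ca_file` is set to `/var/lib/nomad/pki/consul2021.crt`, whereas the Consul agent above verifies against `consul-ca.crt` and uses `consul2021.crt` as its own `cert_file`. If `consul2021.crt` is the server's leaf certificate rather than the CA, Nomad is pinning that leaf and will break at the next server certificate rotation even though the CA is unchanged; `ca_file = "/var/lib/nomad/pki/consul-ca.crt";` matches the Consul side and the file deploy.sh already copies there. This is an inference from the names only, so verify which certificate `consul2021.crt` is. The `client` block continues outside the hunk.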
diff --git a/deploy.sh b/deploy.sh
index a4f18c1..1354fd3 100755
--- a/deploy.sh
+++ b/deploy.sh
@@ -31,7 +31,9 @@ for NIXHOST in $NIXHOSTLIST; do
cat node/$NIXHOST.site.nix | ssh -F ssh_config $SSH_DEST tee $TMP_PATH/site.nix > /dev/null
echo "Sending secret files"
- for SECRET in rclone.conf pki/nomad-ca.crt pki/nomad$YEAR.crt pki/nomad$YEAR.key; do
+ for SECRET in rclone.conf \
+ pki/consul-ca.crt pki/consul$YEAR.crt pki/consul$YEAR.key pki/consul$YEAR-client.crt pki/consul$YEAR-client.key \
+ pki/nomad-ca.crt pki/nomad$YEAR.crt pki/nomad$YEAR.key; do
test -f secrets/$SECRET && (cat secrets/$SECRET | ssh -F ssh_config $SSH_DEST tee $TMP_PATH/$SECRET > /dev/null)
done
@@ -45,10 +47,28 @@ mv configuration.nix node.nix site.nix /etc/nixos
test -f rclone.conf && (mv rclone.conf /root; chmod 600 /root/rclone.conf)
-mkdir -p /var/lib/nomad/pki
-test -f pki/nomad-ca.crt && mv -v pki/nomad* /var/lib/nomad/pki
+mkdir -p /var/lib/nomad/pki /var/lib/consul/pki
+
+if [ -f pki/consul-ca.crt ]; then
+ cp pki/consul* /var/lib/nomad/pki
+ mv pki/consul* /var/lib/consul/pki
+ chown -R consul:root /var/lib/consul/pki
+fi
+
+if [ -f pki/nomad-ca.crt ]; then
+ mv pki/nomad* /var/lib/nomad/pki
+fi
nixos-rebuild switch
+
+# Save up-to-date Consul client certificates in Consul itself
+export CONSUL_HTTP_ADDR=https://localhost:8501
+export CONSUL_CACERT=/var/lib/consul/pki/consul-ca.crt
+export CONSUL_CLIENT_CERT=/var/lib/consul/pki/consul$YEAR-client.crt
+export CONSUL_CLIENT_KEY=/var/lib/consul/pki/consul$YEAR-client.key
+consul kv put secrets/consul/consul-ca.crt - < /var/lib/consul/pki/consul-ca.crt
+consul kv put secrets/consul/consul-client.crt - < /var/lib/consul/pki/consul$YEAR-client.crt
+consul kv put secrets/consul/consul-client.key - < /var/lib/consul/pki/consul$YEAR-client.key
EOF
ssh -t -F ssh_config $SSH_DEST sudo sh $TMP_PATH/deploy.sh
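Review bot: `cp pki/consul* /var/lib/nomad/pki` also copies the Consul server private key `consul$YEAR.key` into Nomad's directory, which the Nomad config in this commit never reads; copy only the CA, the server certificate it uses as `ca_file`, and the client pair. `chown -R consul:root` sets ownership but not mode, so the private keys keep the mode `tee` created them with under the remote umask (typically 0644), unlike `rclone.conf` a few lines up which gets `chmod 600`; add a `chmod 600` on the key files. The `consul kv put` of `consul$YEAR-client.key` publishes that private key to every reader of the KV prefix, so it should be paired with an ACL on `secrets/consul/` if one is not already in place (none is visible here). This remote script is inside a heredoc whose start lies outside the hunk.
```shell
if [ -f pki/consul-ca.crt ]; then
  cp pki/consul-ca.crt pki/consul$YEAR.crt pki/consul$YEAR-client.crt pki/consul$YEAR-client.key /var/lib/nomad/pki
  mv pki/consul* /var/lib/consul/pki
  chown -R consul:root /var/lib/consul/pki
  chmod 600 /var/lib/consul/pki/*.key /var/lib/nomad/pki/*.key
fi
# … unchanged: nomad pki move, nixos-rebuild switch, consul kv put …
```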
diff --git a/env.sh b/env.sh
index 80812d4..8681e8c 100644
--- a/env.sh
+++ b/env.sh
@@ -5,3 +5,8 @@ export NOMAD_ADDR=https://localhost:14646
export NOMAD_CACERT=$SCRIPT_DIR/secrets/pki/nomad-ca.crt
export NOMAD_CLIENT_CERT=$SCRIPT_DIR/secrets/pki/nomad$YEAR-client.crt
export NOMAD_CLIENT_KEY=$SCRIPT_DIR/secrets/pki/nomad$YEAR-client.key
+
+export CONSUL_HTTP_ADDR=https://localhost:8501
+export CONSUL_CACERT=$SCRIPT_DIR/secrets/pki/consul-ca.crt
+export CONSUL_CLIENT_CERT=$SCRIPT_DIR/secrets/pki/consul$YEAR-client.crt
+export CONSUL_CLIENT_KEY=$SCRIPT_DIR/secrets/pki/consul$YEAR-client.key
diff --git a/sslproxy.sh b/sslproxy.sh
index 4f529fe..aa0006a 100755
--- a/sslproxy.sh
+++ b/sslproxy.sh
@@ -2,4 +2,19 @@
YEAR=$(date +%Y)
-socat -dd tcp4-listen:4646,reuseaddr,fork openssl:localhost:14646,cert=secrets/pki/nomad$YEAR-client.crt,key=secrets/pki/nomad$YEAR-client.key,cafile=secrets/pki/nomad$YEAR.crt
+_int() {
+ echo "Caught SIGINT signal!"
+ kill -INT "$child1" 2>/dev/null
+ kill -INT "$child2" 2>/dev/null
+}
+
+trap _int SIGINT
+
+socat -dd tcp4-listen:4646,reuseaddr,fork openssl:localhost:14646,cert=secrets/pki/nomad$YEAR-client.crt,key=secrets/pki/nomad$YEAR-client.key,cafile=secrets/pki/nomad$YEAR.crt &
+child1=$!
+
+socat -dd tcp4-listen:8500,reuseaddr,fork openssl:localhost:8501,cert=secrets/pki/consul$YEAR-client.crt,key=secrets/pki/consul$YEAR-client.key,cafile=secrets/pki/consul$YEAR.crt &
+child2=$!
+
+wait "$child1"
+wait "$child2"
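Review bot: Both `tcp4-listen` addresses bind on every IPv4 interface, so any host that can reach port 4646 or 8500 on this machine gets a plaintext path that is authenticated to Nomad and Consul with the operator's client certificate; restrict them to loopback with `tcp4-listen:8500,bind=127.0.0.1,reuseaddr,fork` (and the same `bind=127.0.0.1` on the 4646 line, which this commit rewrites). The Consul proxy verifies the server against `secrets/pki/consul$YEAR.crt`, while env.sh uses `consul-ca.crt` as `CONSUL_CACERT`; if `consul$YEAR.crt` is the server leaf, this pins the leaf and diverges from the CLI's trust setting, so `cafile=secrets/pki/consul-ca.crt` would be consistent. `trap _int SIGINT` relies on the signal name with its `SIG` prefix, which is accepted by bash but not guaranteed by a minimal `sh`; the shebang is outside the hunk, so confirm it is bash.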