authorAlex Auvolat <alex@adnab.me>2022-04-20 15:29:24 +0200
committerAlex Auvolat <alex@adnab.me>2022-04-20 15:29:24 +0200
commit226fbabf655656f16ca883c8489a2360abdb8367 (patch)
tree2983e42a4cdccc408f2added26d9df21342fdd7a
parent7c1444b7143710066f5173119a529c3b5e101300 (diff)
downloadnixcfg-226fbabf655656f16ca883c8489a2360abdb8367.tar.gz
nixcfg-226fbabf655656f16ca883c8489a2360abdb8367.zip
tlsproxy from pass; fix tls stuff
-rwxr-xr-xdeploy_pki9
-rwxr-xr-xsshtool4
-rw-r--r--tlsenv.sh12
-rwxr-xr-xtlsproxy47
-rwxr-xr-xtlsproxy.sh37
5 files changed, 56 insertions, 53 deletions
diff --git a/deploy_pki b/deploy_pki
index 8cbd456..167ac50 100755
--- a/deploy_pki
+++ b/deploy_pki
@@ -5,7 +5,9 @@ YEAR=$(date +%Y)
cmd mkdir -p /var/lib/nomad/pki /var/lib/consul/pki
-for file in consul-ca.crt consul$YEAR.crt consul$YEAR.key consul$YEAR-client.crt consul$YEAR-client.key; do
+for file in consul-ca.crt consul$YEAR.crt consul$YEAR.key \
+ consul$YEAR-client.crt consul$YEAR-client.key
+do
if pass $PKI/$file >/dev/null; then
write_pass $PKI/$file /var/lib/consul/pki/$file
cmd chown consul:root /var/lib/consul/pki/$file
@@ -15,9 +17,12 @@ done
cmd systemctl restart consul
cmd sleep 10
-for file in nomad-ca.crt nomad$YEAR.crt nomad$YEAR.key; do
+for file in nomad-ca.crt nomad$YEAR.crt nomad$YEAR.key \
+ consul$YEAR.crt consul$YEAR-client.crt consul$YEAR-client.key
+do
if pass $PKI/$file >/dev/null; then
write_pass $PKI/$file /var/lib/nomad/pki/$file
+ cmd "chown \$(stat -c %u /var/lib/private/nomad) /var/lib/nomad/pki/$file"
fi
done
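Review bot: The new `cmd "chown \$(stat -c %u /var/lib/private/nomad) /var/lib/nomad/pki/$file"` line only changes the owner of the files now copied into /var/lib/nomad/pki, which since this change include the private key `consul$YEAR-client.key`; nothing in the loop sets the file mode, so whether that key ends up group- or world-readable depends entirely on what `write_pass` (defined outside this hunk) does. Adding `cmd chmod 0600 /var/lib/nomad/pki/$file` for the `*.key` entries, or a `chmod 0750` on the directory, would make the intended protection explicit rather than inherited. If `stat` fails because /var/lib/private/nomad does not exist on the target yet, the substitution is empty and the remote command degrades to `chown /var/lib/nomad/pki/$file`, which fails with a missing operand; resolving the uid once before the loop with an explicit `|| exit 1` would report that clearly instead of relying on `cmd`'s error handling.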
diff --git a/sshtool b/sshtool
index 1396c87..58b00ef 100755
--- a/sshtool
+++ b/sshtool
@@ -20,7 +20,7 @@ else
fi
if [ -z "$ROOT_PASS" ]; then
- read -s -p "Enter remote root password: " ROOT_PASS
+ read -s -p "Enter remote sudo password: " ROOT_PASS
echo
fi
@@ -35,7 +35,7 @@ echo \$DEPLOYTOOL_ROOT_PASSWORD
EOG
chmod +x /tmp/deploytool_askpass
export SUDO_ASKPASS=/tmp/deploytool_askpass
-sudo -A sh - <<EOEVERYTHING
+sudo -A sh - <<'EOEVERYTHING'
EOF
}
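Review bot: Quoting the delimiter in `sudo -A sh - <<'EOEVERYTHING'` makes the remote shell take the EOEVERYTHING body literally, so any `$…` reference inside that body (which lies outside this hunk) is no longer expanded before `sudo` starts, and because sudo also resets the environment, anything the body relies on must now be assigned inside it or passed explicitly. A one-line comment such as `# body is read literally by the sudo shell; do not rely on caller variables` would keep the next reader from treating the quotes as a stray typo. The surrounding context also shows /tmp/deploytool_askpass, which echoes the sudo password, apparently written to a fixed path and only made executable with `chmod +x`; a `umask 077` before it is written (or creating it with `mktemp`) would keep the password from being readable by other local users on the target.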
diff --git a/tlsenv.sh b/tlsenv.sh
deleted file mode 100644
index 8681e8c..0000000
--- a/tlsenv.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-YEAR=$(date +%Y)
-
-export NOMAD_ADDR=https://localhost:14646
-export NOMAD_CACERT=$SCRIPT_DIR/secrets/pki/nomad-ca.crt
-export NOMAD_CLIENT_CERT=$SCRIPT_DIR/secrets/pki/nomad$YEAR-client.crt
-export NOMAD_CLIENT_KEY=$SCRIPT_DIR/secrets/pki/nomad$YEAR-client.key
-
-export CONSUL_HTTP_ADDR=https://localhost:8501
-export CONSUL_CACERT=$SCRIPT_DIR/secrets/pki/consul-ca.crt
-export CONSUL_CLIENT_CERT=$SCRIPT_DIR/secrets/pki/consul$YEAR-client.crt
-export CONSUL_CLIENT_KEY=$SCRIPT_DIR/secrets/pki/consul$YEAR-client.key
diff --git a/tlsproxy b/tlsproxy
new file mode 100755
index 0000000..7546b81
--- /dev/null
+++ b/tlsproxy
@@ -0,0 +1,47 @@
+#!/bin/sh
+
+set -xe
+
+# Enter proper cluster subdirectory
+
+cd $(dirname $0)
+
+CLUSTER="$1"
+if [ ! -d "cluster/$CLUSTER" ]; then
+ echo "Usage: $0 <cluster name>"
+ echo "The cluster name must be the name of a subdirectory of cluster/"
+ exit 1
+fi
+
+PREFIX="deuxfleurs/cluster/$CLUSTER"
+
+# Do actual stuff
+
+YEAR=$(date +%Y)
+
+CERTDIR=$(mktemp -d)
+
+_int() {
+ echo "Caught SIGINT signal!"
+ rm -rv $CERTDIR
+ kill -INT "$child1" 2>/dev/null
+ kill -INT "$child2" 2>/dev/null
+}
+
+trap _int SIGINT
+
+pass $PREFIX/nomad$YEAR.crt > $CERTDIR/nomad.crt
+pass $PREFIX/nomad$YEAR-client.crt > $CERTDIR/nomad-client.crt
+pass $PREFIX/nomad$YEAR-client.key > $CERTDIR/nomad-client.key
+pass $PREFIX/consul$YEAR.crt > $CERTDIR/consul.crt
+pass $PREFIX/consul$YEAR-client.crt > $CERTDIR/consul-client.crt
+pass $PREFIX/consul$YEAR-client.key > $CERTDIR/consul-client.key
+
+socat -dd tcp4-listen:4646,reuseaddr,fork openssl:localhost:14646,cert=$CERTDIR/nomad-client.crt,key=$CERTDIR/nomad-client.key,cafile=$CERTDIR/nomad.crt &
+child1=$!
+
+socat -dd tcp4-listen:8500,reuseaddr,fork openssl:localhost:8501,cert=$CERTDIR/consul-client.crt,key=$CERTDIR/consul-client.key,cafile=$CERTDIR/consul.crt &
+child2=$!
+
+wait "$child1"
+wait "$child2"
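Review bot: The `_int` handler is only installed for SIGINT, so the client private keys written into `$CERTDIR` stay on disk whenever the script ends any other way: a failing `pass` call under `set -e`, a SIGTERM, or one of the socat processes exiting on its own before the `wait` lines. Registering the cleanup for `EXIT INT TERM` and making it idempotent covers every exit path; killing the children before removing the directory also avoids tearing the certificate files out from under a still-running socat. The files themselves are created with the default umask inside the `mktemp -d` directory, so a `umask 077` before the extraction keeps each key private even if the directory mode is ever relaxed, and quoting `$CERTDIR` in the `rm` and `socat` lines guards against the temp path containing spaces. Separately, the argument check passes when `$1` is empty, because `[ ! -d "cluster/" ]` is false whenever cluster/ exists; a `[ -n "$CLUSTER" ]` conjunct in that test would reject the empty name before `PREFIX` is built.
```shell
umask 077   # key files written by the pass calls below get a private mode
CERTDIR=$(mktemp -d)

cleanup() {
  kill -INT "$child1" "$child2" 2>/dev/null || true
  rm -rf -- "$CERTDIR"
}

trap cleanup EXIT INT TERM
# … unchanged: pass extraction, socat launches, wait …
```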
diff --git a/tlsproxy.sh b/tlsproxy.sh
deleted file mode 100755
index a893872..0000000
--- a/tlsproxy.sh
+++ /dev/null
@@ -1,37 +0,0 @@
-#!/bin/sh
-
-set -xe
-
-# Enter proper cluster subdirectory
-
-cd $(dirname $0)
-
-CLUSTER="$1"
-if [ ! -d "cluster/$CLUSTER" ]; then
- echo "Usage: $0 <cluster name>"
- echo "The cluster name must be the name of a subdirectory of cluster/"
- exit 1
-fi
-
-cd cluster/$CLUSTER
-
-# Do actual stuff
-
-YEAR=$(date +%Y)
-
-_int() {
- echo "Caught SIGINT signal!"
- kill -INT "$child1" 2>/dev/null
- kill -INT "$child2" 2>/dev/null
-}
-
-trap _int SIGINT
-
-socat -dd tcp4-listen:4646,reuseaddr,fork openssl:localhost:14646,cert=secrets/pki/nomad$YEAR-client.crt,key=secrets/pki/nomad$YEAR-client.key,cafile=secrets/pki/nomad$YEAR.crt &
-child1=$!
-
-socat -dd tcp4-listen:8500,reuseaddr,fork openssl:localhost:8501,cert=secrets/pki/consul$YEAR-client.crt,key=secrets/pki/consul$YEAR-client.key,cafile=secrets/pki/consul$YEAR.crt &
-child2=$!
-
-wait "$child1"
-wait "$child2"