author | Alex Auvolat <alex@adnab.me> | 2022-04-20 15:29:24 +0200 |
---|---|---|
committer | Alex Auvolat <alex@adnab.me> | 2022-04-20 15:29:24 +0200 |
commit | 226fbabf655656f16ca883c8489a2360abdb8367 (patch) | |
tree | 2983e42a4cdccc408f2added26d9df21342fdd7a | |
parent | 7c1444b7143710066f5173119a529c3b5e101300 (diff) | |
download | nixcfg-226fbabf655656f16ca883c8489a2360abdb8367.tar.gz nixcfg-226fbabf655656f16ca883c8489a2360abdb8367.zip |
tlsproxy from pass; fix tls stuff
-rwxr-xr-x | deploy_pki | 9 | ||||
-rwxr-xr-x | sshtool | 4 | ||||
-rw-r--r-- | tlsenv.sh | 12 | ||||
-rwxr-xr-x | tlsproxy | 47 | ||||
-rwxr-xr-x | tlsproxy.sh | 37 |
5 files changed, 56 insertions, 53 deletions
@@ -5,7 +5,9 @@ YEAR=$(date +%Y) cmd mkdir -p /var/lib/nomad/pki /var/lib/consul/pki -for file in consul-ca.crt consul$YEAR.crt consul$YEAR.key consul$YEAR-client.crt consul$YEAR-client.key; do +for file in consul-ca.crt consul$YEAR.crt consul$YEAR.key \ + consul$YEAR-client.crt consul$YEAR-client.key +do if pass $PKI/$file >/dev/null; then write_pass $PKI/$file /var/lib/consul/pki/$file cmd chown consul:root /var/lib/consul/pki/$file @@ -15,9 +17,12 @@ done cmd systemctl restart consul cmd sleep 10 -for file in nomad-ca.crt nomad$YEAR.crt nomad$YEAR.key; do +for file in nomad-ca.crt nomad$YEAR.crt nomad$YEAR.key \ + consul$YEAR.crt consul$YEAR-client.crt consul$YEAR-client.key +do if pass $PKI/$file >/dev/null; then write_pass $PKI/$file /var/lib/nomad/pki/$file + cmd "chown \$(stat -c %u /var/lib/private/nomad) /var/lib/nomad/pki/$file" fi done @@ -20,7 +20,7 @@ else fi if [ -z "$ROOT_PASS" ]; then - read -s -p "Enter remote root password: " ROOT_PASS + read -s -p "Enter remote sudo password: " ROOT_PASS echo fi @@ -35,7 +35,7 @@ echo \$DEPLOYTOOL_ROOT_PASSWORD EOG chmod +x /tmp/deploytool_askpass export SUDO_ASKPASS=/tmp/deploytool_askpass -sudo -A sh - <<EOEVERYTHING +sudo -A sh - <<'EOEVERYTHING' EOF } diff --git a/tlsenv.sh b/tlsenv.sh deleted file mode 100644 index 8681e8c..0000000 --- a/tlsenv.sh +++ /dev/null @@ -1,12 +0,0 @@ -SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) -YEAR=$(date +%Y) - -export NOMAD_ADDR=https://localhost:14646 -export NOMAD_CACERT=$SCRIPT_DIR/secrets/pki/nomad-ca.crt -export NOMAD_CLIENT_CERT=$SCRIPT_DIR/secrets/pki/nomad$YEAR-client.crt -export NOMAD_CLIENT_KEY=$SCRIPT_DIR/secrets/pki/nomad$YEAR-client.key - -export CONSUL_HTTP_ADDR=https://localhost:8501 -export CONSUL_CACERT=$SCRIPT_DIR/secrets/pki/consul-ca.crt -export CONSUL_CLIENT_CERT=$SCRIPT_DIR/secrets/pki/consul$YEAR-client.crt -export CONSUL_CLIENT_KEY=$SCRIPT_DIR/secrets/pki/consul$YEAR-client.key 
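Review bot: The added `cmd "chown \$(stat -c %u /var/lib/private/nomad) ..."` line fixes ownership of the consul client key now copied into /var/lib/nomad/pki, but nothing in the hunk restricts its mode; unless `write_pass` (defined outside this hunk) already sets one, the key inherits the remote umask and with the common 022 default is readable by every local user. I would follow the chown with `cmd chmod 0600 /var/lib/nomad/pki/$file` for the `.key` entries (0640 if the directory is shared), and the same gap applies to `consul$YEAR.key` in the consul loop of the previous hunk, which only does `chown consul:root`. The `\$(stat ...)` is expanded on the remote side inside the quoted string, so if /var/lib/private/nomad does not exist yet the command degrades to `chown  <file>` and only fails if `cmd` propagates the error; a `test -d` guard or an explicit fallback owner would make that failure visible.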
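Review bot: The switch to the quoted delimiter `<<'EOEVERYTHING'` changes which shell expands the body that reaches `sudo -A sh -`, and the hunk gives no hint why; since this block appears to sit inside an outer `<<EOF` heredoc (the `EOF` two lines later), a comment such as `# quoted delimiter: body is expanded once when this script is generated, not again by the remote sh before sudo runs it` would spare the next reader the guesswork. The sudo call now depends on the askpass helper at the fixed path `/tmp/deploytool_askpass` in a world-writable directory, and the visible lines never remove it after `sudo -A` has run; a `mktemp`-generated path plus an `rm -f` after the sudo call would address both the predictable name and the leftover file. The enclosing function starts outside the hunk, so I cannot tell whether a cleanup exists elsewhere.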
diff --git a/tlsproxy b/tlsproxy
new file mode 100755
index 0000000..7546b81
--- /dev/null
+++ b/tlsproxy
@@ -0,0 +1,47 @@
+#!/bin/sh
+
+set -xe
+
+# Enter proper cluster subdirectory
+
+cd $(dirname $0)
+
+CLUSTER="$1"
+if [ ! -d "cluster/$CLUSTER" ]; then
+ echo "Usage: $0 <cluster name>"
+ echo "The cluster name must be the name of a subdirectory of cluster/"
+ exit 1
+fi
+
+PREFIX="deuxfleurs/cluster/$CLUSTER"
+
+# Do actual stuff
+
+YEAR=$(date +%Y)
+
+CERTDIR=$(mktemp -d)
+
+_int() {
+ echo "Caught SIGINT signal!"
+ rm -rv $CERTDIR
+ kill -INT "$child1" 2>/dev/null
+ kill -INT "$child2" 2>/dev/null
+}
+
+trap _int SIGINT
+
+pass $PREFIX/nomad$YEAR.crt > $CERTDIR/nomad.crt
+pass $PREFIX/nomad$YEAR-client.crt > $CERTDIR/nomad-client.crt
+pass $PREFIX/nomad$YEAR-client.key > $CERTDIR/nomad-client.key
+pass $PREFIX/consul$YEAR.crt > $CERTDIR/consul.crt
+pass $PREFIX/consul$YEAR-client.crt > $CERTDIR/consul-client.crt
+pass $PREFIX/consul$YEAR-client.key > $CERTDIR/consul-client.key
+
+socat -dd tcp4-listen:4646,reuseaddr,fork openssl:localhost:14646,cert=$CERTDIR/nomad-client.crt,key=$CERTDIR/nomad-client.key,cafile=$CERTDIR/nomad.crt &
+child1=$!
+
+socat -dd tcp4-listen:8500,reuseaddr,fork openssl:localhost:8501,cert=$CERTDIR/consul-client.crt,key=$CERTDIR/consul-client.key,cafile=$CERTDIR/consul.crt &
+child2=$!
+
+wait "$child1"
+wait "$child2"
diff --git a/tlsproxy.sh b/tlsproxy.sh
deleted file mode 100755
index a893872..0000000
--- a/tlsproxy.sh
+++ /dev/null
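Review bot: The decrypted client keys written into `$CERTDIR` are only removed inside the SIGINT handler, so every other way this script ends — a `set -e` abort when one of the `pass` calls fails, SIGTERM or SIGHUP, or one socat dying so that `wait` returns non-zero — leaves the private keys behind in the temp directory. Registering the cleanup on `EXIT INT TERM HUP` and using `rm -rf -- "$CERTDIR"` covers all of those paths. Separately, `tcp4-listen:4646,reuseaddr,fork` binds every IPv4 interface by default, so any host that can reach port 4646 or 8500 on this machine gets the client certificate's authority over Nomad and Consul in plaintext; `bind=127.0.0.1` keeps the unauthenticated side on loopback. The same bind issue existed in the deleted tlsproxy.sh, but this is a new file and the right moment to fix it.
```shell
# … unchanged: argument check, PREFIX, YEAR …
CERTDIR=$(mktemp -d)

# Remove the decrypted key material on every exit path, not only on Ctrl-C:
# a set -e abort (e.g. a failed `pass` decryption), SIGTERM/SIGHUP or a socat
# that dies would otherwise leave the keys behind in $TMPDIR.
cleanup() {
  rm -rf -- "$CERTDIR"
  kill -INT "$child1" "$child2" 2>/dev/null
}
trap cleanup EXIT INT TERM HUP

# … unchanged: pass … > $CERTDIR/… exports …

# Listen on loopback only: the plaintext side carries the client certificate's
# authority, so anyone able to reach 4646/8500 would act as this client.
socat -dd tcp4-listen:4646,bind=127.0.0.1,reuseaddr,fork openssl:localhost:14646,cert=$CERTDIR/nomad-client.crt,key=$CERTDIR/nomad-client.key,cafile=$CERTDIR/nomad.crt &
child1=$!

socat -dd tcp4-listen:8500,bind=127.0.0.1,reuseaddr,fork openssl:localhost:8501,cert=$CERTDIR/consul-client.crt,key=$CERTDIR/consul-client.key,cafile=$CERTDIR/consul.crt &
child2=$!
```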
@@ -1,37 +0,0 @@
-#!/bin/sh
-
-set -xe
-
-# Enter proper cluster subdirectory
-
-cd $(dirname $0)
-
-CLUSTER="$1"
-if [ ! -d "cluster/$CLUSTER" ]; then
- echo "Usage: $0 <cluster name>"
- echo "The cluster name must be the name of a subdirectory of cluster/"
- exit 1
-fi
-
-cd cluster/$CLUSTER
-
-# Do actual stuff
-
-YEAR=$(date +%Y)
-
-_int() {
- echo "Caught SIGINT signal!"
- kill -INT "$child1" 2>/dev/null
- kill -INT "$child2" 2>/dev/null
-}
-
-trap _int SIGINT
-
-socat -dd tcp4-listen:4646,reuseaddr,fork openssl:localhost:14646,cert=secrets/pki/nomad$YEAR-client.crt,key=secrets/pki/nomad$YEAR-client.key,cafile=secrets/pki/nomad$YEAR.crt &
-child1=$!
-
-socat -dd tcp4-listen:8500,reuseaddr,fork openssl:localhost:8501,cert=secrets/pki/consul$YEAR-client.crt,key=secrets/pki/consul$YEAR-client.key,cafile=secrets/pki/consul$YEAR.crt &
-child2=$!
-
-wait "$child1"
-wait "$child2"
|