diff options
| author | Alex Auvolat <alex@adnab.me> | 2021-12-30 20:56:13 +0100 |
|---|---|---|
| committer | Alex Auvolat <alex@adnab.me> | 2021-12-30 20:56:13 +0100 |
| commit | 5ea4cef2946a71467c519db803cd1c31f1ffff20 (patch) | |
| tree | 5eb1f5ddd1f06650511f1b1442d50112427b0fa6 | |
| parent | b00a8358b20ac99912bacafd8fee5466da257e67 (diff) | |
| download | nixcfg-5ea4cef2946a71467c519db803cd1c31f1ffff20.tar.gz nixcfg-5ea4cef2946a71467c519db803cd1c31f1ffff20.zip | |
Enable TLS for Consul
| -rw-r--r-- | app/core/deploy/core.hcl | 24 | ||||
| -rw-r--r-- | app/frontend/deploy/frontend-tricot.hcl | 24 | ||||
| -rw-r--r-- | configuration.nix | 21 | ||||
| -rwxr-xr-x | deploy.sh | 26 | ||||
| -rw-r--r-- | env.sh | 5 | ||||
| -rwxr-xr-x | sslproxy.sh | 17 |
6 files changed, 109 insertions, 8 deletions
diff --git a/app/core/deploy/core.hcl b/app/core/deploy/core.hcl index fd4176a..f57f21d 100644 --- a/app/core/deploy/core.hcl +++ b/app/core/deploy/core.hcl @@ -18,9 +18,12 @@ job "core" { driver = "docker" config { - image = "lxpz/amd64_diplonat:2" + image = "lxpz/amd64_diplonat:3" network_mode = "host" readonly_rootfs = true + volumes = [ + "secrets:/etc/diplonat", + ] } restart { @@ -31,10 +34,29 @@ job "core" { } template { + data = "{{ key \"secrets/consul/consul-ca.crt\" }}" + destination = "secrets/consul-ca.crt" + } + + template { + data = "{{ key \"secrets/consul/consul-client.crt\" }}" + destination = "secrets/consul-client.crt" + } + + template { + data = "{{ key \"secrets/consul/consul-client.key\" }}" + destination = "secrets/consul-client.key" + } + + template { data = <<EOH DIPLONAT_REFRESH_TIME=60 DIPLONAT_EXPIRATION_TIME=300 DIPLONAT_CONSUL_NODE_NAME={{ env "attr.unique.hostname" }} +DIPLONAT_CONSUL_URL=https://localhost:8501 +DIPLONAT_CONSUL_CA_CERT=/etc/diplonat/consul-ca.crt +DIPLONAT_CONSUL_CLIENT_CERT=/etc/diplonat/consul-client.crt +DIPLONAT_CONSUL_CLIENT_KEY=/etc/diplonat/consul-client.key RUST_LOG=debug EOH destination = "secrets/env" diff --git a/app/frontend/deploy/frontend-tricot.hcl b/app/frontend/deploy/frontend-tricot.hcl index 4e35d0d..d20ff40 100644 --- a/app/frontend/deploy/frontend-tricot.hcl +++ b/app/frontend/deploy/frontend-tricot.hcl @@ -14,10 +14,13 @@ job "frontend" { driver = "docker" config { - image = "lxpz/amd64_tricot:25" + image = "lxpz/amd64_tricot:27" network_mode = "host" readonly_rootfs = true ports = [ "http_port", "https_port", "admin_port" ] + volumes = [ + "secrets:/etc/tricot", + ] } resources { @@ -33,10 +36,29 @@ job "frontend" { } template { + data = "{{ key \"secrets/consul/consul-ca.crt\" }}" + destination = "secrets/consul-ca.crt" + } + + template { + data = "{{ key \"secrets/consul/consul-client.crt\" }}" + destination = "secrets/consul-client.crt" + } + + template { + data = "{{ key \"secrets/consul/consul-client.key\" }}" + destination = "secrets/consul-client.key" + } + + template { data = <<EOH TRICOT_NODE_NAME={{ env "attr.unique.hostname" }} TRICOT_LETSENCRYPT_EMAIL=alex@adnab.me TRICOT_ENABLE_COMPRESSION=true +TRICOT_CONSUL_HOST=https://localhost:8501 +TRICOT_CONSUL_CA_CERT=/etc/tricot/consul-ca.crt +TRICOT_CONSUL_CLIENT_CERT=/etc/tricot/consul-client.crt +TRICOT_CONSUL_CLIENT_KEY=/etc/tricot/consul-client.key RUST_LOG=tricot=trace EOH destination = "secrets/env" diff --git a/configuration.nix b/configuration.nix index 205eb6d..6fbfb3f 100644 --- a/configuration.nix +++ b/configuration.nix @@ -200,8 +200,19 @@ in datacenter = "staging"; ui = true; bind_addr = public_ip; - addresses.http = "0.0.0.0"; + + ports.http = -1; + addresses.https = "0.0.0.0"; + ports.https = 8501; + retry_join = [ "10.42.0.2" "10.42.0.21" "10.42.0.22" "10.42.0.23" ]; + + ca_file = "/var/lib/consul/pki/consul-ca.crt"; + cert_file = "/var/lib/consul/pki/consul2021.crt"; + key_file = "/var/lib/consul/pki/consul2021.key"; + verify_incoming = true; + verify_outgoing = true; + verify_server_hostname = true; }; services.nomad.enable = true; @@ -219,7 +230,13 @@ in http = public_ip; serf = public_ip; }; - consul.address = "127.0.0.1:8500"; + consul = { + address = "localhost:8501"; + ca_file = "/var/lib/nomad/pki/consul2021.crt"; + cert_file = "/var/lib/nomad/pki/consul2021-client.crt"; + key_file = "/var/lib/nomad/pki/consul2021-client.key"; + ssl = true; + }; client = { enabled = true; network_interface = "wg0"; @@ -31,7 +31,9 @@ for NIXHOST in $NIXHOSTLIST; do cat node/$NIXHOST.site.nix | ssh -F ssh_config $SSH_DEST tee $TMP_PATH/site.nix > /dev/null echo "Sending secret files" - for SECRET in rclone.conf pki/nomad-ca.crt pki/nomad$YEAR.crt pki/nomad$YEAR.key; do + for SECRET in rclone.conf \ + pki/consul-ca.crt pki/consul$YEAR.crt pki/consul$YEAR.key pki/consul$YEAR-client.crt pki/consul$YEAR-client.key \ + pki/nomad-ca.crt pki/nomad$YEAR.crt pki/nomad$YEAR.key; do test -f secrets/$SECRET && (cat secrets/$SECRET | ssh -F ssh_config $SSH_DEST tee $TMP_PATH/$SECRET > /dev/null) done @@ -45,10 +47,28 @@ mv configuration.nix node.nix site.nix /etc/nixos test -f rclone.conf && (mv rclone.conf /root; chmod 600 /root/rclone.conf) -mkdir -p /var/lib/nomad/pki -test -f pki/nomad-ca.crt && mv -v pki/nomad* /var/lib/nomad/pki +mkdir -p /var/lib/nomad/pki /var/lib/consul/pki + +if [ -f pki/consul-ca.crt ]; then + cp pki/consul* /var/lib/nomad/pki + mv pki/consul* /var/lib/consul/pki + chown -R consul:root /var/lib/consul/pki +fi + +if [ -f pki/nomad-ca.crt ]; then + mv pki/nomad* /var/lib/nomad/pki +fi nixos-rebuild switch + +# Save up-to-date Consul client certificates in Consul itself +export CONSUL_HTTP_ADDR=https://localhost:8501 +export CONSUL_CACERT=/var/lib/consul/pki/consul-ca.crt +export CONSUL_CLIENT_CERT=/var/lib/consul/pki/consul$YEAR-client.crt +export CONSUL_CLIENT_KEY=/var/lib/consul/pki/consul$YEAR-client.key +consul kv put secrets/consul/consul-ca.crt - < /var/lib/consul/pki/consul-ca.crt +consul kv put secrets/consul/consul-client.crt - < /var/lib/consul/pki/consul$YEAR-client.crt +consul kv put secrets/consul/consul-client.key - < /var/lib/consul/pki/consul$YEAR-client.key EOF ssh -t -F ssh_config $SSH_DEST sudo sh $TMP_PATH/deploy.sh @@ -5,3 +5,8 @@ export NOMAD_ADDR=https://localhost:14646 export NOMAD_CACERT=$SCRIPT_DIR/secrets/pki/nomad-ca.crt export NOMAD_CLIENT_CERT=$SCRIPT_DIR/secrets/pki/nomad$YEAR-client.crt export NOMAD_CLIENT_KEY=$SCRIPT_DIR/secrets/pki/nomad$YEAR-client.key + +export CONSUL_HTTP_ADDR=https://localhost:8501 +export CONSUL_CACERT=$SCRIPT_DIR/secrets/pki/consul-ca.crt +export CONSUL_CLIENT_CERT=$SCRIPT_DIR/secrets/pki/consul$YEAR-client.crt +export CONSUL_CLIENT_KEY=$SCRIPT_DIR/secrets/pki/consul$YEAR-client.key diff --git a/sslproxy.sh b/sslproxy.sh index 4f529fe..aa0006a 100755 --- a/sslproxy.sh +++ b/sslproxy.sh @@ -2,4 +2,19 @@ YEAR=$(date +%Y) -socat -dd tcp4-listen:4646,reuseaddr,fork openssl:localhost:14646,cert=secrets/pki/nomad$YEAR-client.crt,key=secrets/pki/nomad$YEAR-client.key,cafile=secrets/pki/nomad$YEAR.crt +_int() { + echo "Caught SIGINT signal!" + kill -INT "$child1" 2>/dev/null + kill -INT "$child2" 2>/dev/null +} + +trap _int SIGINT + +socat -dd tcp4-listen:4646,reuseaddr,fork openssl:localhost:14646,cert=secrets/pki/nomad$YEAR-client.crt,key=secrets/pki/nomad$YEAR-client.key,cafile=secrets/pki/nomad$YEAR.crt & +child1=$! + +socat -dd tcp4-listen:8500,reuseaddr,fork openssl:localhost:8501,cert=secrets/pki/consul$YEAR-client.crt,key=secrets/pki/consul$YEAR-client.key,cafile=secrets/pki/consul$YEAR.crt & +child2=$! + +wait "$child1" +wait "$child2" |