diff options
author | Alex Auvolat <alex@adnab.me> | 2021-12-30 19:27:32 +0100 |
---|---|---|
committer | Alex Auvolat <alex@adnab.me> | 2021-12-30 19:27:32 +0100 |
commit | b00a8358b20ac99912bacafd8fee5466da257e67 (patch) | |
tree | df81c06567cbae31098ac77f41c9c11d67b9cc79 | |
parent | 230c1d727b951e032603a5c776f540003829bff6 (diff) | |
download | nixcfg-b00a8358b20ac99912bacafd8fee5466da257e67.tar.gz nixcfg-b00a8358b20ac99912bacafd8fee5466da257e67.zip |
Add TLS to Nomad
-rw-r--r-- | configuration.nix | 9 | ||||
-rwxr-xr-x | deploy.sh | 13 | ||||
-rw-r--r-- | env.sh | 7 | ||||
-rwxr-xr-x | genpki.sh | 104 | ||||
-rwxr-xr-x | sslproxy.sh | 5 |
5 files changed, 136 insertions, 2 deletions
diff --git a/configuration.nix b/configuration.nix index 649e7e8..205eb6d 100644 --- a/configuration.nix +++ b/configuration.nix @@ -224,6 +224,15 @@ in enabled = true; network_interface = "wg0"; }; + tls = { + http = true; + rpc = true; + ca_file = "/var/lib/nomad/pki/nomad-ca.crt"; + cert_file = "/var/lib/nomad/pki/nomad2021.crt"; + key_file = "/var/lib/nomad/pki/nomad2021.key"; + verify_server_hostname = true; + verify_https_client = true; + }; plugin = [ { docker = [ @@ -10,6 +10,8 @@ fi TMP_PATH=/tmp/tmp-deploy-$(date +%s) +YEAR=$(date +%Y) + for NIXHOST in $NIXHOSTLIST; do NIXHOST=${NIXHOST%.*} @@ -23,13 +25,15 @@ for NIXHOST in $NIXHOSTLIST; do echo "Sending NixOS config files" - ssh -F ssh_config $SSH_DEST mkdir -p $TMP_PATH + ssh -F ssh_config $SSH_DEST mkdir -p $TMP_PATH $TMP_PATH/pki cat configuration.nix | ssh -F ssh_config $SSH_DEST tee $TMP_PATH/configuration.nix > /dev/null cat node/$NIXHOST.nix | ssh -F ssh_config $SSH_DEST tee $TMP_PATH/node.nix > /dev/null cat node/$NIXHOST.site.nix | ssh -F ssh_config $SSH_DEST tee $TMP_PATH/site.nix > /dev/null echo "Sending secret files" - test -f secrets/rclone.conf && (cat secrets/rclone.conf | ssh -F ssh_config $SSH_DEST tee $TMP_PATH/rclone.conf > /dev/null) + for SECRET in rclone.conf pki/nomad-ca.crt pki/nomad$YEAR.crt pki/nomad$YEAR.key; do + test -f secrets/$SECRET && (cat secrets/$SECRET | ssh -F ssh_config $SSH_DEST tee $TMP_PATH/$SECRET > /dev/null) + done echo "Rebuilding NixOS" @@ -38,7 +42,12 @@ set -ex cd $TMP_PATH mv configuration.nix node.nix site.nix /etc/nixos + test -f rclone.conf && (mv rclone.conf /root; chmod 600 /root/rclone.conf) + +mkdir -p /var/lib/nomad/pki +test -f pki/nomad-ca.crt && mv -v pki/nomad* /var/lib/nomad/pki + nixos-rebuild switch EOF @@ -0,0 +1,7 @@ +SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +YEAR=$(date +%Y) + +export NOMAD_ADDR=https://localhost:14646 +export NOMAD_CACERT=$SCRIPT_DIR/secrets/pki/nomad-ca.crt +export NOMAD_CLIENT_CERT=$SCRIPT_DIR/secrets/pki/nomad$YEAR-client.crt +export NOMAD_CLIENT_KEY=$SCRIPT_DIR/secrets/pki/nomad$YEAR-client.key diff --git a/genpki.sh b/genpki.sh new file mode 100755 index 0000000..be10f6f --- /dev/null +++ b/genpki.sh @@ -0,0 +1,104 @@ +#!/bin/bash + +set -xe + +cd $(dirname $0) + +mkdir -p secrets/pki +cd secrets/pki + +YEAR=$(date +%Y) +for APP in consul nomad; do + # 1. Create certificate authority + if [ ! -f $APP-ca.key ]; then + echo "Generating $APP CA keys..." + #openssl genpkey -algorithm ED25519 -out $APP-ca.key + openssl genrsa -out $APP-ca.key 4096 + + openssl req -x509 -new -nodes -key $APP-ca.key -sha256 -days 3650 -out $APP-ca.crt -subj "/C=FR/O=Deuxfleurs/CN=$APP" + fi + + CERT="${APP}${YEAR}" + + # 2. Create and sign certificates for inter-node communication + if [ ! -f $CERT.crt ]; then + echo "Generating $CERT agent keys..." + if [ ! -f $CERT.key ]; then + #openssl genpkey -algorithm ED25519 -out $CERT.key + openssl genrsa -out $CERT.key 4096 + fi + openssl req -new -sha256 -key $CERT.key \ + -subj "/C=FR/O=Deuxfleurs/CN=$APP" \ + -out $CERT.csr + openssl req -in $CERT.csr -noout -text + openssl x509 -req -in $CERT.csr \ + -extensions v3_req \ + -extfile <(cat <<EOF +[req] +distinguished_name = req_distinguished_name +req_extensions = v3_req +prompt = no + +[req_distinguished_name] +C = FR +O = Deuxfleurs +CN = $APP + +[v3_req] +keyUsage = keyEncipherment, keyCertSign, dataEncipherment, serverAuth, clientAuth +subjectAltName = @alt_names + +[alt_names] +DNS.1 = server.staging.$APP +DNS.2 = client.staging.$APP +DNS.3 = localhost +DNS.4 = 127.0.0.1 +EOF + ) \ + -CA $APP-ca.crt -CAkey $APP-ca.key -CAcreateserial \ + -out $CERT.crt -days 700 + rm $CERT.csr + fi + + # 3. Create client-only certificate used for the CLI + if [ ! -f $CERT-client.crt ]; then + echo "Generating $CERT client keys..." + if [ ! -f $CERT-client.key ]; then + #openssl genpkey -algorithm ED25519 -out $CERT-client.key + openssl genrsa -out $CERT-client.key 4096 + fi + openssl req -new -sha256 -key $CERT-client.key \ + -subj "/C=FR/O=Deuxfleurs/CN=$APP-client" \ + -out $CERT-client.csr + openssl req -in $CERT-client.csr -noout -text + openssl x509 -req -in $CERT-client.csr \ + -extensions v3_req \ + -extfile <(cat <<EOF +[req] +distinguished_name = req_distinguished_name +req_extensions = v3_req +prompt = no + +[req_distinguished_name] +C = FR +O = Deuxfleurs +CN = $APP-client + +[v3_req] +keyUsage = keyEncipherment, keyCertSign, dataEncipherment, clientAuth +subjectAltName = @alt_names + +[alt_names] +DNS.1 = client.staging.$APP +EOF + ) \ + -CA $APP-ca.crt -CAkey $APP-ca.key -CAcreateserial \ + -out $CERT-client.crt -days 700 + rm $CERT-client.csr + fi + + if [ ! -f $CERT-client.p12 ]; then + openssl pkcs12 -export -out $CERT-client.p12 \ + -in $APP-ca.pem -in $CERT-client.crt -inkey $CERT-client.key + fi +done diff --git a/sslproxy.sh b/sslproxy.sh new file mode 100755 index 0000000..4f529fe --- /dev/null +++ b/sslproxy.sh @@ -0,0 +1,5 @@ +#!/bin/sh + +YEAR=$(date +%Y) + +socat -dd tcp4-listen:4646,reuseaddr,fork openssl:localhost:14646,cert=secrets/pki/nomad$YEAR-client.crt,key=secrets/pki/nomad$YEAR-client.key,cafile=secrets/pki/nomad$YEAR.crt |