authorAlex Auvolat <alex@adnab.me>2021-12-30 20:56:13 +0100
committerAlex Auvolat <alex@adnab.me>2021-12-30 20:56:13 +0100
commit5ea4cef2946a71467c519db803cd1c31f1ffff20 (patch)
tree5eb1f5ddd1f06650511f1b1442d50112427b0fa6 /deploy.sh
parentb00a8358b20ac99912bacafd8fee5466da257e67 (diff)
Enable TLS for Consul
Diffstat (limited to 'deploy.sh')
-rwxr-xr-xdeploy.sh26
1 files changed, 23 insertions, 3 deletions
diff --git a/deploy.sh b/deploy.sh
index a4f18c1..1354fd3 100755
--- a/deploy.sh
+++ b/deploy.sh
@@ -31,7 +31,9 @@ for NIXHOST in $NIXHOSTLIST; do
cat node/$NIXHOST.site.nix | ssh -F ssh_config $SSH_DEST tee $TMP_PATH/site.nix > /dev/null
echo "Sending secret files"
- for SECRET in rclone.conf pki/nomad-ca.crt pki/nomad$YEAR.crt pki/nomad$YEAR.key; do
+ for SECRET in rclone.conf \
+ pki/consul-ca.crt pki/consul$YEAR.crt pki/consul$YEAR.key pki/consul$YEAR-client.crt pki/consul$YEAR-client.key \
+ pki/nomad-ca.crt pki/nomad$YEAR.crt pki/nomad$YEAR.key; do
test -f secrets/$SECRET && (cat secrets/$SECRET | ssh -F ssh_config $SSH_DEST tee $TMP_PATH/$SECRET > /dev/null)
done
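Review bot: The private keys this loop now ships (`pki/consul$YEAR.key`, `pki/consul$YEAR-client.key`) are created on the remote host by `tee $TMP_PATH/$SECRET` under that user's default umask, which is typically world-readable, and nothing later tightens the mode: the second hunk's `mv` preserves it and `chown -R consul:root /var/lib/consul/pki` changes ownership only. Restricting the mode at creation covers both locations, e.g. `ssh -F ssh_config $SSH_DEST "umask 077 && tee $TMP_PATH/$SECRET" > /dev/null`. A file missing from `secrets/` is skipped silently by `test -f`, so a partial Consul set (CA present, key absent) only shows up when Consul fails to start on the host; a `|| echo "missing secrets/$SECRET" >&2` branch would make that visible at deploy time. This loop sits inside the `for NIXHOST` loop whose start is outside the hunk.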
@@ -45,10 +47,28 @@ mv configuration.nix node.nix site.nix /etc/nixos
test -f rclone.conf && (mv rclone.conf /root; chmod 600 /root/rclone.conf)
-mkdir -p /var/lib/nomad/pki
-test -f pki/nomad-ca.crt && mv -v pki/nomad* /var/lib/nomad/pki
+mkdir -p /var/lib/nomad/pki /var/lib/consul/pki
+
+if [ -f pki/consul-ca.crt ]; then
+ cp pki/consul* /var/lib/nomad/pki
+ mv pki/consul* /var/lib/consul/pki
+ chown -R consul:root /var/lib/consul/pki
+fi
+
+if [ -f pki/nomad-ca.crt ]; then
+ mv pki/nomad* /var/lib/nomad/pki
+fi
nixos-rebuild switch
+
+# Save up-to-date Consul client certificates in Consul itself
+export CONSUL_HTTP_ADDR=https://localhost:8501
+export CONSUL_CACERT=/var/lib/consul/pki/consul-ca.crt
+export CONSUL_CLIENT_CERT=/var/lib/consul/pki/consul$YEAR-client.crt
+export CONSUL_CLIENT_KEY=/var/lib/consul/pki/consul$YEAR-client.key
+consul kv put secrets/consul/consul-ca.crt - < /var/lib/consul/pki/consul-ca.crt
+consul kv put secrets/consul/consul-client.crt - < /var/lib/consul/pki/consul$YEAR-client.crt
+consul kv put secrets/consul/consul-client.key - < /var/lib/consul/pki/consul$YEAR-client.key
EOF
ssh -t -F ssh_config $SSH_DEST sudo sh $TMP_PATH/deploy.sh
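Review bot: `cp pki/consul* /var/lib/nomad/pki` copies the entire Consul set into Nomad's directory, including the server key `consul$YEAR.key`; if Nomad only needs the CA and the client pair (the files the exports below use), copying `pki/consul-ca.crt pki/consul$YEAR-client.*` instead keeps the server key in a single place. The three `consul kv put` calls run immediately after `nixos-rebuild switch` with no status check and no `set -e` visible in this hunk, so an agent not yet listening on 8501 leaves the KV entries stale while the deploy still reports success; `consul kv put secrets/consul/consul-ca.crt - < /var/lib/consul/pki/consul-ca.crt || echo "consul kv put failed" >&2` (or a short retry loop) would surface that. Storing `consul-client.key` under `secrets/consul/` makes the private key readable to any token with read access on that prefix; a comment naming the ACL policy that guards it would help, since that policy is not visible here.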