From 5ea4cef2946a71467c519db803cd1c31f1ffff20 Mon Sep 17 00:00:00 2001
From: Alex Auvolat
Date: Thu, 30 Dec 2021 20:56:13 +0100
Subject: Enable TLS for Consul
---
 app/core/deploy/core.hcl | 24 +++++++++++++++++++++++-
 app/frontend/deploy/frontend-tricot.hcl | 24 +++++++++++++++++++++++-
 configuration.nix | 21 +++++++++++++++++++--
 deploy.sh | 26 +++++++++++++++++++++++---
 env.sh | 5 +++++
 sslproxy.sh | 17 ++++++++++++++++-
 6 files changed, 109 insertions(+), 8 deletions(-)
diff --git a/app/core/deploy/core.hcl b/app/core/deploy/core.hcl
index fd4176a..f57f21d 100644
--- a/app/core/deploy/core.hcl
+++ b/app/core/deploy/core.hcl
@@ -18,9 +18,12 @@ job "core" {
 driver = "docker"
 config {
- image = "lxpz/amd64_diplonat:2"
+ image = "lxpz/amd64_diplonat:3"
 network_mode = "host"
 readonly_rootfs = true
+ volumes = [
+ "secrets:/etc/diplonat",
+ ]
 }
 restart {
@@ -30,11 +33,30 @@ job "core" {
 mode = "delay"
 }
+ template {
+ data = "{{ key \"secrets/consul/consul-ca.crt\" }}"
+ destination = "secrets/consul-ca.crt"
+ }
+
+ template {
+ data = "{{ key \"secrets/consul/consul-client.crt\" }}"
+ destination = "secrets/consul-client.crt"
+ }
+
+ template {
+ data = "{{ key \"secrets/consul/consul-client.key\" }}"
+ destination = "secrets/consul-client.key"
+ }
+
 template {
 data = < /dev/null
 echo "Sending secret files"
-for SECRET in rclone.conf pki/nomad-ca.crt pki/nomad$YEAR.crt pki/nomad$YEAR.key; do
+for SECRET in rclone.conf \
+ pki/consul-ca.crt pki/consul$YEAR.crt pki/consul$YEAR.key pki/consul$YEAR-client.crt pki/consul$YEAR-client.key \
+ pki/nomad-ca.crt pki/nomad$YEAR.crt pki/nomad$YEAR.key; do
 test -f secrets/$SECRET && (cat secrets/$SECRET | ssh -F ssh_config $SSH_DEST tee $TMP_PATH/$SECRET > /dev/null)
 done
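Review bot: The new `volumes = [ "secrets:/etc/diplonat", ]` entry in the core.hcl hunk mounts the task's secrets directory into the container read-write, which undercuts the `readonly_rootfs = true` on the line above: the process can overwrite or truncate the Consul CA and client key files it is handed. If diplonat only reads these files, the Docker volume syntax accepts a read-only flag, `"secrets:/etc/diplonat:ro",`. The rest of the `config` block and the templates that render into `secrets/` live in the following hunk, which is cut off in this view.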
@@ -45,10 +47,28 @@ mv configuration.nix node.nix site.nix /etc/nixos
 test -f rclone.conf && (mv rclone.conf /root; chmod 600 /root/rclone.conf)
-mkdir -p /var/lib/nomad/pki
-test -f pki/nomad-ca.crt && mv -v pki/nomad* /var/lib/nomad/pki
+mkdir -p /var/lib/nomad/pki /var/lib/consul/pki
+
+if [ -f pki/consul-ca.crt ]; then
+ cp pki/consul* /var/lib/nomad/pki
+ mv pki/consul* /var/lib/consul/pki
+ chown -R consul:root /var/lib/consul/pki
+fi
+
+if [ -f pki/nomad-ca.crt ]; then
+ mv pki/nomad* /var/lib/nomad/pki
+fi
 nixos-rebuild switch
+
+# Save up-to-date Consul client certificates in Consul itself
+export CONSUL_HTTP_ADDR=https://localhost:8501
+export CONSUL_CACERT=/var/lib/consul/pki/consul-ca.crt
+export CONSUL_CLIENT_CERT=/var/lib/consul/pki/consul$YEAR-client.crt
+export CONSUL_CLIENT_KEY=/var/lib/consul/pki/consul$YEAR-client.key
+consul kv put secrets/consul/consul-ca.crt - < /var/lib/consul/pki/consul-ca.crt
+consul kv put secrets/consul/consul-client.crt - < /var/lib/consul/pki/consul$YEAR-client.crt
+consul kv put secrets/consul/consul-client.key - < /var/lib/consul/pki/consul$YEAR-client.key
 EOF
 ssh -t -F ssh_config $SSH_DEST sudo sh $TMP_PATH/deploy.sh
diff --git a/env.sh b/env.sh
index 80812d4..8681e8c 100644
--- a/env.sh
+++ b/env.sh
@@ -5,3 +5,8 @@ export NOMAD_ADDR=https://localhost:14646
 export NOMAD_CACERT=$SCRIPT_DIR/secrets/pki/nomad-ca.crt
 export NOMAD_CLIENT_CERT=$SCRIPT_DIR/secrets/pki/nomad$YEAR-client.crt
 export NOMAD_CLIENT_KEY=$SCRIPT_DIR/secrets/pki/nomad$YEAR-client.key
+
+export CONSUL_HTTP_ADDR=https://localhost:8501
+export CONSUL_CACERT=$SCRIPT_DIR/secrets/pki/consul-ca.crt
+export CONSUL_CLIENT_CERT=$SCRIPT_DIR/secrets/pki/consul$YEAR-client.crt
+export CONSUL_CLIENT_KEY=$SCRIPT_DIR/secrets/pki/consul$YEAR-client.key
diff --git a/sslproxy.sh b/sslproxy.sh
index 4f529fe..aa0006a 100755
--- a/sslproxy.sh
+++ b/sslproxy.sh
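Review bot: The private keys placed by `cp pki/consul* /var/lib/nomad/pki` and `mv pki/consul* /var/lib/consul/pki` keep whatever mode they were given when uploaded with `tee` in the earlier hunk (typically the umask default, i.e. world-readable), and the only fix applied is `chown -R consul:root` on the Consul copy; nothing restricts the mode, and the copy under /var/lib/nomad/pki gets neither chown nor chmod. The script already does `chmod 600 /root/rclone.conf` for the other secret on the context line above, so the same treatment fits here: add `chmod 0600 /var/lib/consul/pki/*.key` after the chown and `chmod 0600 /var/lib/nomad/pki/*.key` after the Nomad move (assuming Nomad runs as root; pick the matching owner otherwise). Separately, the `consul kv put` lines run right after `nixos-rebuild switch` with no check that the agent is listening on 8501 again, and no `set -e` is visible in this hunk, so a failed put would silently leave stale certificates in KV; appending `|| exit 1` to each put, or a short retry loop, would surface that. The heredoc these lines belong to is opened before this hunk.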
@@ -2,4 +2,19 @@ YEAR=$(date +%Y)
-socat -dd tcp4-listen:4646,reuseaddr,fork openssl:localhost:14646,cert=secrets/pki/nomad$YEAR-client.crt,key=secrets/pki/nomad$YEAR-client.key,cafile=secrets/pki/nomad$YEAR.crt
+_int() {
+ echo "Caught SIGINT signal!"
+ kill -INT "$child1" 2>/dev/null
+ kill -INT "$child2" 2>/dev/null
+}
+
+trap _int SIGINT
+
+socat -dd tcp4-listen:4646,reuseaddr,fork openssl:localhost:14646,cert=secrets/pki/nomad$YEAR-client.crt,key=secrets/pki/nomad$YEAR-client.key,cafile=secrets/pki/nomad$YEAR.crt &
+child1=$!
+
+socat -dd tcp4-listen:8500,reuseaddr,fork openssl:localhost:8501,cert=secrets/pki/consul$YEAR-client.crt,key=secrets/pki/consul$YEAR-client.key,cafile=secrets/pki/consul$YEAR.crt &
+child2=$!
+
+wait "$child1"
+wait "$child2"
-- 
cgit v1.2.3
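Review bot: The new `socat -dd tcp4-listen:8500,reuseaddr,fork ...` line (and the re-added 4646 line) listens on every IPv4 interface, so the plaintext side of the proxy, which authenticates to Consul with the operator's client certificate, is reachable by any host that can reach this machine rather than only by local tooling. Pin both listeners to loopback with socat's bind option: `tcp4-listen:8500,bind=127.0.0.1,reuseaddr,fork` and `tcp4-listen:4646,bind=127.0.0.1,reuseaddr,fork`. On a smaller note, `trap _int SIGINT` uses the `SIG` prefix, which is not the POSIX spelling; `trap _int INT` is safer if the shebang (outside this hunk) is a plain sh rather than bash.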