commit 865ec587328c1343b0917441ac6f2328a2a7090a
Author: Marcus Young
Date: Tue Apr 11 08:58:37 2017 -0500
Initial commit - not workign as-is
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..e69de29
diff --git a/vault/init.sls b/vault/init.sls
new file mode 100644
index 0000000..4e06771
--- /dev/null
+++ b/vault/init.sls
@@ -0,0 +1,18 @@
+vault packages:
+ pkg.installed:
+ - names:
+ - jq
+ - unzip
+
+download vault:
+ cmd.run:
+ - name: curl --silent -L https://releases.hashicorp.com/vault/{{ pillar['pkgs']['vault_version'] }}/vault_{{ pillar['pkgs']['vault_version'] }}_linux_amd64.zip -o /tmp/vault.zip
+ - unless: test -e /tmp/vault.zip
+
+install vault:
+ cmd.run:
+ - name: unzip /tmp/vault.zip -d /usr/local/bin && chmod 0755 /usr/local/bin/vault && chown root:root /usr/local/bin/vault
+ - require:
+ - cmd: download vault
+ - pkg: unzip
+ - unless: test -e /usr/local/bin/vault
diff --git a/vault/server.sls b/vault/server.sls
new file mode 100644
index 0000000..2f085bd
--- /dev/null
+++ b/vault/server.sls 
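Review bot: `download vault` fetches the release zip with `curl --silent -L` and `install vault` unzips it straight into /usr/local/bin with no integrity check; HashiCorp publishes a SHA256SUMS file (and a signature over it) next to each release, and the zip should be verified against it before the unzip runs, e.g. by fetching it with `file.managed` plus a `source_hash`, or by a `sha256sum -c` state that `install vault` requires. `--silent` without `--fail` also means an HTTP error page is saved as /tmp/vault.zip, and `unless: test -e /tmp/vault.zip` then blocks every retry until someone deletes the file by hand; `curl -sSfL ...` exits non-zero instead of writing the error body. A predictable, world-writable /tmp path as the staging location is a further reason to pin the hash rather than trust whatever is already there.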
@@ -0,0 +1,41 @@
+#TODO only do this if bool param 'self_signed_cert: true'
+/usr/local/bin/self-cert-gen.sh:
+ file.managed:
+ - source: salt://vault/templates/cert-gen.sh.jinja
+ - template: jinja
+ - user: root
+ - group: root
+ - mode: 644
+
+#TODO only do this if bool param 'self_signed_cert: true'
+#TODO parameterize localhost and 'vault' password
+generate SSL certs:
+ cmd.run:
+ - name: bash /usr/local/bin/cert-gen.sh localhost vault
+ - cwd: /etc/vault
+ - require:
+ - file: /usr/local/bin/self-cert-gen.sh
+
+/etc/vault/config/server.hcl:
+ file.managed:
+ - source: salt://vault/templates/server.hcl.jinja
+ - template: jinja
+ - user: root
+ - group: root
+ - mode: 644
+
+/etc/init/vault.conf:
+ file.managed:
+ - source: salt://vault/templates/vault.conf.jinja
+ - template: jinja
+ - user: root
+ - group: root
+ - mode: 644
+
+vault:
+ service.running:
+ - enable: True
+ - require:
+ - cmd: generate SSL certs #todo only if bool present
+ - file: /etc/vault/config/server.hcl
+ - file: /etc/init/vault.conf
diff --git a/vault/templates/cert-gen.sh.jinja b/vault/templates/cert-gen.sh.jinja
new file mode 100644
index 0000000..5091f34
--- /dev/null
+++ b/vault/templates/cert-gen.sh.jinja 
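Review bot: `generate SSL certs` runs `bash /usr/local/bin/cert-gen.sh localhost vault`, but the file the preceding state manages is `/usr/local/bin/self-cert-gen.sh`, so on a fresh host the cmd fails with "No such file" even though its `require` is satisfied; make the two agree, e.g. `- name: bash /usr/local/bin/self-cert-gen.sh localhost vault`. The second argument doubles as the passphrase for every key the script creates (`pw="$child"` in cert-gen.sh.jinja), so it is visible in process listings and in the logged state command; when the TODO to parameterize it is done, pass it through `- env:` rather than argv. The script writes its private keys into `cwd: /etc/vault`, yet nothing here creates that directory or `/etc/vault/config` (file.managed does not add `makedirs`), so a `file.directory` state for /etc/vault with a restrictive mode, required by this cmd and by the server.hcl state, is needed for the run to succeed and for the keys not to inherit default permissions.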
@@ -0,0 +1,133 @@
+#!/usr/bin/env bash
+
+###
+ # Check for root name.
+ ##
+root=$1
+shift
+if [[ -z "$root" ]]; then
+ echo "you must pass 2 arguments; first for root name, second for child name"
+ exit
+fi
+
+###
+ # Check for child name
+ ##
+child=$1
+if [[ -z "$child" ]]; then
+ echo "you must pass 2 arguments; first for root name ($root), second for child name"
+ exit
+fi
+
+###
+ # Use the child name as the password because Java Keystore requires it
+ ##
+pw="$child"
+
+###
+ # Generate the root certificate
+ ##
+root_key="$root.key"
+root_pem="$root.pem"
+root_key_nopass="$root-nopass.key"
+# TODO parameterize
+root_subj="/C=US/ST=TN/L=Nashville/O=Fixme/OU=Ops/CN=$root\_ca"
+root_p12="$root.p12"
+
+###
+ # Generate the root private key
+ ##
+if [[ -e "$root_key" ]]; then
+ echo "$root_key already exits"
+else
+ echo "generate $root_key"
+ openssl genrsa -aes256 -passout pass:"$pw" -out "$root_key" 4096
+fi
+
+###
+ # Genereate the the root privacy enhanced email (PEM)
+ ##
+if [[ -e "$root_pem" ]]; then
+ echo "$root_pem already exits"
+else
+ echo "generate $root_pem"
+ openssl req -new -x509 -days 3652 -key "$root_key" -out "$root_pem" -passin pass:"$pw" -subj "$root_subj"
+fi
+
+###
+ # Generate the root public key (P12)
+ ##
+if [[ -e "$root_p12" ]]; then
+ echo "$root_p12 already exits"
+else
+ echo "generate $root_p12"
+ openssl pkcs12 -export -in "$root_pem" -inkey "$root_key" -passin pass:"$pw" -passout pass:"$pw" -out "$root_p12" \
+ -name "$root"
+fi
+
+###
+ # Generate the child certificate
+ ##
+child_name="${root}_${child}"
+child_key="$child_name.key"
+child_pem="$child_name.pem"
+child_csr="$child_name.csr"
+child_subj="/C=US/ST=TN/L=Nashville/O=Stratasan/OU=Ops/CN=$child_name"
+child_p12="$child_name.p12"
+child_jks="$child_name.jks"
+
+###
+ # Generate the child private key
+ ##
+if [[ -e "$child_key" ]]; then
+ echo "$child_key already exits"
+else
+ echo "generate $child_key"
+ openssl genrsa -aes256 -passout pass:"$pw" -out "$child_key" 4096
+fi
+
+###
+ # Genereate the the child privacy enhanced email (PEM)
+ ##
+if [[ -e "$child_pem" ]]; then
+ echo "$child_pem already exits"
+else
+ echo "generate $child_csr"
+ openssl req -new -key "$child_key" -passin pass:"$pw" -out "$child_csr" -subj "$child_subj"
+ echo "generate $child_pem"
+ openssl x509 -req -days 36524 -in "$child_csr" -CA "$root_pem" -CAkey "$root_key" -passin pass:"$pw" -set_serial 1 \
+ -out "$child_pem"
+fi
+
+###
+ # Generate the child public key (P12)
+ ##
+if [[ -e "$child_p12" ]]; then
+ echo "$child_p12 already exits"
+else
+ echo "generate $child_p12"
+ openssl pkcs12 -export -in "$child_pem" -inkey "$child_key" -passin pass:"$pw" -passout pass:"$pw" -out "$child_p12" \
+ -certfile "$root_pem" -caname "$root" -name "$child_name"
+fi
+
+###
+ # Generate the Java Keystore (JKS)
+ ##
+if [[ -e "$child_jks" ]]; then
+ echo "$child_jks already exits"
+else
+ keytool="keytool"
+ if [[ -n $(command -v $keytool) ]]; then
+ echo "generate $child_jks with $root trustedCertEntry"
+ $keytool -importcert -trustcacerts -noprompt -file "$root_pem" -destkeystore "$child_jks" -storepass "$pw" \
+ -alias "$root" -v
+ echo "supplement $child_jks with $child PrivateKeyEntry"
+ $keytool -importkeystore -destkeystore "$child_jks" -storepass "$pw" -srckeystore "$child_p12" \
+ -srcstoretype pkcs12 -srcstorepass "$pw" -alias "$child_name" -v
+ else
+ echo "$keytool is not installed"
+ fi
+fi
+
+echo "Generating version of '$root_key' without password as '$root_key_nopass'."
+openssl rsa -in "$root_key" -out "$root_key_nopass" -passin pass:"$pw"
diff --git a/vault/templates/server.hcl.jinja b/vault/templates/server.hcl.jinja
new file mode 100644
index 0000000..2f8de6a
--- /dev/null
+++ b/vault/templates/server.hcl.jinja 
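Review bot: Both argument checks end with a bare `exit`, which returns the status of the preceding `echo` (0), so a misuse reports success to the Salt `cmd.run` that calls this script; they should be `exit 1` with the message on stderr. The script has no `set -euo pipefail`, so a failed `openssl genrsa` can leave a partial key file that the `-e` guards then treat as finished on every later run, and the key files are created under the caller's default umask even though they end up in /etc/vault — an `umask 077` near the top keeps them owner-only. `root_subj` also carries a literal backslash: inside double quotes `CN=$root\_ca` expands to `localhost\_ca`, which is presumably not the intended CN; `${root}_ca` is the right spelling. The `-passout`/`-passin pass:"$pw"` and `-storepass "$pw"` arguments expose the passphrase in process listings, worth a comment if this stays a local helper, or `-passin env:` once the password is parameterized.
```shell
#!/usr/bin/env bash
set -euo pipefail
umask 077   # keys are written to the current directory; keep them owner-only

root=${1:-}
shift || true
if [[ -z "$root" ]]; then
 echo "you must pass 2 arguments; first for root name, second for child name" >&2
 exit 1
fi
# … unchanged: child check (same `>&2` and `exit 1` change) …
root_subj="/C=US/ST=TN/L=Nashville/O=Fixme/OU=Ops/CN=${root}_ca"
# … unchanged: key, certificate, P12 and JKS generation …
```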
@@ -0,0 +1,16 @@
+#todo parameterize
+backend "s3" {
+ bucket = "fixme"
+}
+
+# TODO parameterize
+listener "tcp" {
+ address = "0.0.0.0:8200"
+ tls_disable = 0 #todo - only include if bool from server.sls found
+ tls_cert_file = "/etc/vault/localhost.pem" #todo - only include if bool from server.sls found
+ tls_key_file = "/etc/vault/localhost-nopass.key" #todo - only include if bool from server.sls found
+}
+
+#todo parameterize
+default_lease_ttl="4380h"
+max_lease_ttl="43800h"
diff --git a/vault/templates/vault.conf.jinja b/vault/templates/vault.conf.jinja
new file mode 100644
index 0000000..174db28
--- /dev/null
+++ b/vault/templates/vault.conf.jinja
@@ -0,0 +1,19 @@
+description "Vault server"
+
+start on (runlevel [345] and started network)
+stop on (runlevel [!345] or stopping network)
+
+respawn
+
+script
+ if [ -f "/etc/service/vault" ]; then
+ . /etc/service/vault
+ fi
+
+ # Make sure to use all our CPUs, because Vault can block a scheduler thread
+ export GOMAXPROCS=`nproc`
+
+ exec /usr/local/bin/vault server \
+ -config="/etc/vault/config/server.hcl" \
+ >>/var/log/vault.log 2>&1
+end script
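Review bot: The listener is pointed at the CA's own material: with `localhost vault` as the arguments to cert-gen.sh, `/etc/vault/localhost.pem` is the self-signed root certificate (`CN=...\_ca`) and `/etc/vault/localhost-nopass.key` is that root key with its passphrase stripped, while the leaf `localhost_vault.pem` the script issues and signs is never referenced. That puts the signing key of the whole chain on a network-facing process, and a client that checks the hostname would not accept a CA certificate whose CN is not `localhost` and that carries no SAN. Point the listener at the leaf pair instead, e.g. `tls_cert_file = "/etc/vault/localhost_vault.pem"` and `tls_key_file = "/etc/vault/localhost_vault-nopass.key"`, and have cert-gen.sh produce the no-passphrase copy of the child key rather than of the root key. The `0.0.0.0:8200` bind and the `fixme` bucket are already marked TODO, so I only note that the `#todo` gating of the three `tls_*` lines should be done with a single Jinja `{% if %}` around the block rather than per line.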
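Review bot: The Upstart job execs `vault server` as root — there is no `setuid`/`setgid` stanza — so the listener, the TLS key, the unsealed in-memory state and /var/log/vault.log all belong to uid 0, and the unprivileged-user deployment Vault's docs describe cannot be reached without changing this file. Add a `vault` system user in server.sls, `setuid vault` and `setgid vault` here, and `setcap cap_ipc_lock=+ep /usr/local/bin/vault` in init.sls so memory locking keeps working; /etc/vault, the server.hcl, the key file and the log then need to be readable (the log writable) by that user. Minor style point: `` export GOMAXPROCS=`nproc` `` would be clearer as `export GOMAXPROCS=$(nproc)`.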