From 021d0645524ca02fdb6748cca1a79c767586d068 Mon Sep 17 00:00:00 2001
From: Jim Hague
Date: Tue, 7 Mar 2023 15:09:25 +0000
Subject: [PATCH] Add mechanism for copying certificates to other servers.

---
pillar/secrets/certificates.sls.sample | 9 ++++++++
pillar/top.sls | 2 ++
.../certificates/certificates_id_ed25519.pub | 1 +
states/certificates/client.sls | 23 +++++++++++++++++++
states/certificates/client_cron.daily | 2 ++
states/certificates/init.sls | 5 ++++
states/top.sls | 1 +
7 files changed, 43 insertions(+)
create mode 100644 pillar/secrets/certificates.sls.sample
create mode 100644 states/certificates/certificates_id_ed25519.pub
create mode 100644 states/certificates/client.sls
create mode 100644 states/certificates/client_cron.daily

diff --git a/pillar/secrets/certificates.sls.sample b/pillar/secrets/certificates.sls.sample
new file mode 100644
index 0000000..0d3aee6
--- /dev/null
+++ b/pillar/secrets/certificates.sls.sample
@@ -0,0 +1,9 @@
+certificates:
+ ssh_key: |
+ -----BEGIN OPENSSH PRIVATE KEY-----
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
+ CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
+ DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
+ EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE==
+ -----END OPENSSH PRIVATE KEY-----
diff --git a/pillar/top.sls b/pillar/top.sls
index 33ea091..2c384f9 100644
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -1,4 +1,6 @@
 base:
+ 'hedwig.lunch.org.uk':
+ - secrets/certificates
 'scabbers.lunch.org.uk':
 - secrets/dnsapi
 - secrets/gitea
diff --git a/states/certificates/certificates_id_ed25519.pub b/states/certificates/certificates_id_ed25519.pub
new file mode 100644
index 0000000..550acad
--- /dev/null
+++ b/states/certificates/certificates_id_ed25519.pub
@@ -0,0 +1 @@
+command="/usr/bin/rrsync -ro /var/lib/dehydrated/certs",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPBYX4DObffj3doqTEy5XawgEH2QT3WzAtHtUfrRhaWA jim@lunch.org.uk
diff --git a/states/certificates/client.sls b/states/certificates/client.sls
new file mode 100644
index 0000000..4e2ad92
--- /dev/null
+++ b/states/certificates/client.sls
@@ -0,0 +1,23 @@
+certificates_client:
+ pkg.installed:
+ - pkgs:
+ - rsync
+
+var_local_certificates_dir:
+ file.directory:
+ - name: /var/local/certificates
+ - user: root
+ - group: root
+ - mode: 0700
+
+certificates_key:
+ file.managed:
+ - name: /var/local/certificates/certificates_id_e25519
+ - mode: 0600
+ - contents_pillar: certificates:ssh_key
+
+client_cron:
+ file.managed:
+ - name: /etc/cron.daily/certificates
+ - source: salt://certificates/client_cron.daily
+ - mode: '0755'
diff --git a/states/certificates/client_cron.daily b/states/certificates/client_cron.daily
new file mode 100644
index 0000000..61539ca
--- /dev/null
+++ b/states/certificates/client_cron.daily
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec rsync -a -e "ssh -i /var/local/certificates/certificates_id_e25519 -o StrictHostKeyChecking=no" root@scabbers.lunch.org.uk:/ /var/local/certificates/
diff --git a/states/certificates/init.sls b/states/certificates/init.sls
index 21dc3bd..6ddbfcb 100644
--- a/states/certificates/init.sls
+++ b/states/certificates/init.sls
@@ -3,6 +3,7 @@ dehydrated:
 - pkgs:
 - dehydrated
 - dnsutils
+ - rsync
 
 dehydrated_domains:
 file.managed:
@@ -46,3 +47,7 @@ dehydrated_logrotate:
 - source: salt://certificates/dehydrated/logrotate
 - mode: '0644'
 
+server_key:
+ ssh_auth.present:
+ - user: root
+ - source: salt://certificates/certificates_id_ed25519.pub
diff --git a/states/top.sls b/states/top.sls
index 63a406a..f8c5342 100644
--- a/states/top.sls
+++ b/states/top.sls
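Review bot: The forced command limits this key to a read-only rrsync of /var/lib/dehydrated/certs, but nothing limits where it may be used from, so anyone who obtains the private half from hedwig's pillar can pull every certificate and leaf private key under that directory from any host. Prefix the options with a source pin and the catch-all restriction, e.g. `from="<hedwig address>",restrict,command="/usr/bin/rrsync -ro /var/lib/dehydrated/certs" ssh-ed25519 ...`; `restrict` (OpenSSH 7.2+) also disables any restriction option that the explicit no-* list does not name. Since authorized_keys accepts `#` comment lines, a one-line note that the matching private key lives in hedwig's pillar and that removing client access means replacing this key would help the next maintainer.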
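Review bot: `certificates_key` sets `mode: 0600` but no `user`/`group`, so ownership of the private key is whatever the minion's defaults give, and nothing orders it after the 0700 directory; add `- user: root`, `- group: root` and `- require: - file: var_local_certificates_dir` so the key is only ever written into the locked-down directory as root. The file name `certificates_id_e25519` drops the `d` of ed25519 and so does not match the public half `certificates_id_ed25519.pub`; client_cron.daily uses the same spelling, so it works, but aligning the names while the state is new avoids a confusing mismatch later. A short comment above `certificates_key` stating that the key must be passphrase-less because it is used unattended from cron, and that file permissions are therefore its only protection, would document the trade-off.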
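Review bot: `-o StrictHostKeyChecking=no` on the rsync transport turns off host verification, so a host that intercepts the connection to scabbers can hand hedwig arbitrary certificate and key files, which `rsync -a` then writes into /var/local/certificates/ — the same directory that holds the SSH private key. Have Salt manage a known_hosts entry for scabbers and use `-o UserKnownHostsFile=/var/local/certificates/known_hosts -o StrictHostKeyChecking=yes` instead, and sync into a subdirectory such as `/var/local/certificates/certs/` so fetched content can never overwrite the key alongside it. The script gives no failure signal beyond cron mail, so a comment noting that a silent pull failure means services keep serving an expiring certificate would at least make the operational risk explicit.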
@@ -3,6 +3,7 @@ base:
 - common
 'hedwig.lunch.org.uk':
+ - certificates/client
 - debian
 - fail2ban
 - firewalls/hedwig