Add mechanism for copying certificates to other servers.

2023-03-07 15:09:25 +00:00 · 2023-03-07 15:09:25 +00:00 · 021d064552
parent 42d811b01f
commit 021d064552
7 changed files with 43 additions and 0 deletions
--- a/pillar/secrets/certificates.sls.sample
+++ b/pillar/secrets/certificates.sls.sample
@ -0,0 +1,9 @@
 certificates:
  ssh_key: |
    -----BEGIN OPENSSH PRIVATE KEY-----
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
    CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
    DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
    EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE==
    -----END OPENSSH PRIVATE KEY-----
--- a/pillar/top.sls
+++ b/pillar/top.sls
@ -1,4 +1,6 @@
 base:
  'hedwig.lunch.org.uk':
    - secrets/certificates
  'scabbers.lunch.org.uk':
    - secrets/dnsapi
    - secrets/gitea
--- a/states/certificates/certificates_id_ed25519.pub
+++ b/states/certificates/certificates_id_ed25519.pub
@ -0,0 +1 @@
 command="/usr/bin/rrsync -ro /var/lib/dehydrated/certs",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPBYX4DObffj3doqTEy5XawgEH2QT3WzAtHtUfrRhaWA jim@lunch.org.uk
--- a/states/certificates/client.sls
+++ b/states/certificates/client.sls
@ -0,0 +1,23 @@
 certificates_client:
  pkg.installed:
  - pkgs:
    - rsync
 var_local_certificates_dir:
  file.directory:
    - name: /var/local/certificates
    - user: root
    - group: root
    - mode: 0700
 certificates_key:
  file.managed:
    - name: /var/local/certificates/certificates_id_e25519
    - mode: 0600
    - contents_pillar: certificates:ssh_key
 client_cron:
  file.managed:
    - name: /etc/cron.daily/certificates
    - source: salt://certificates/client_cron.daily
    - mode: '0755'
--- a/states/certificates/client_cron.daily
+++ b/states/certificates/client_cron.daily
@ -0,0 +1,2 @@
 #!/bin/sh
 exec rsync -a -e "ssh -i /var/local/certificates/certificates_id_e25519 -o StrictHostKeyChecking=no" root@scabbers.lunch.org.uk:/ /var/local/certificates/
--- a/states/certificates/init.sls
+++ b/states/certificates/init.sls
@ -3,6 +3,7 @@ dehydrated:
  - pkgs:
    - dehydrated
    - dnsutils
    - rsync
 dehydrated_domains:
  file.managed:
@ -46,3 +47,7 @@ dehydrated_logrotate:
    - source: salt://certificates/dehydrated/logrotate
    - mode: '0644'
 server_key:
  ssh_auth.present:
    - user: root
    - source: salt://certificates/certificates_id_ed25519.pub
--- a/states/top.sls
+++ b/states/top.sls
@ -3,6 +3,7 @@ base:
    - common
  'hedwig.lunch.org.uk':
    - certificates/client
    - debian
    - fail2ban
    - firewalls/hedwig
		`@ -0,0 +1 @@`
							`command="/usr/bin/rrsync -ro /var/lib/dehydrated/certs",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPBYX4DObffj3doqTEy5XawgEH2QT3WzAtHtUfrRhaWA jim@lunch.org.uk`
		`@ -0,0 +1,2 @@`
							`#!/bin/sh`
							`exec rsync -a -e "ssh -i /var/local/certificates/certificates_id_e25519 -o StrictHostKeyChecking=no" root@scabbers.lunch.org.uk:/ /var/local/certificates/`