Add mechanism for copying certificates to other servers.

2023-03-07 15:09:25 +00:00 · 2023-03-07 15:09:25 +00:00 · 021d064552
parent 42d811b01f
commit 021d064552
7 changed files with 43 additions and 0 deletions
--- a/pillar/secrets/certificates.sls.sample
+++ b/pillar/secrets/certificates.sls.sample
@ -0,0 +1,9 @@
+certificates:
+  ssh_key: |
+    -----BEGIN OPENSSH PRIVATE KEY-----
+    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+    BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
+    CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
+    DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
+    EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE==
+    -----END OPENSSH PRIVATE KEY-----
--- a/pillar/top.sls
+++ b/pillar/top.sls
@ -1,4 +1,6 @@
 base:
+  'hedwig.lunch.org.uk':
+    - secrets/certificates
  'scabbers.lunch.org.uk':
    - secrets/dnsapi
    - secrets/gitea
--- a/states/certificates/certificates_id_ed25519.pub
+++ b/states/certificates/certificates_id_ed25519.pub
@ -0,0 +1 @@
+command="/usr/bin/rrsync -ro /var/lib/dehydrated/certs",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPBYX4DObffj3doqTEy5XawgEH2QT3WzAtHtUfrRhaWA jim@lunch.org.uk
--- a/states/certificates/client.sls
+++ b/states/certificates/client.sls
@ -0,0 +1,23 @@
+certificates_client:
+  pkg.installed:
+  - pkgs:
+    - rsync
+
+var_local_certificates_dir:
+  file.directory:
+    - name: /var/local/certificates
+    - user: root
+    - group: root
+    - mode: 0700
+
+certificates_key:
+  file.managed:
+    - name: /var/local/certificates/certificates_id_e25519
+    - mode: 0600
+    - contents_pillar: certificates:ssh_key
+
+client_cron:
+  file.managed:
+    - name: /etc/cron.daily/certificates
+    - source: salt://certificates/client_cron.daily
+    - mode: '0755'
--- a/states/certificates/client_cron.daily
+++ b/states/certificates/client_cron.daily
@ -0,0 +1,2 @@
+#!/bin/sh
+exec rsync -a -e "ssh -i /var/local/certificates/certificates_id_e25519 -o StrictHostKeyChecking=no" root@scabbers.lunch.org.uk:/ /var/local/certificates/
--- a/states/certificates/init.sls
+++ b/states/certificates/init.sls
@ -3,6 +3,7 @@ dehydrated:
  - pkgs:
    - dehydrated
    - dnsutils
+    - rsync

 dehydrated_domains:
  file.managed:
@ -46,3 +47,7 @@ dehydrated_logrotate:
    - source: salt://certificates/dehydrated/logrotate
    - mode: '0644'

+server_key:
+  ssh_auth.present:
+    - user: root
+    - source: salt://certificates/certificates_id_ed25519.pub
--- a/states/top.sls
+++ b/states/top.sls
@ -3,6 +3,7 @@ base:
    - common
  
  'hedwig.lunch.org.uk':
+    - certificates/client
    - debian
    - fail2ban
    - firewalls/hedwig
				`@ -0,0 +1 @@`
				`command="/usr/bin/rrsync -ro /var/lib/dehydrated/certs",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPBYX4DObffj3doqTEy5XawgEH2QT3WzAtHtUfrRhaWA jim@lunch.org.uk`