adding ipsec node cerd self generation and sign req to bastion

2019-03-29 17:57:21 +00:00 · 2019-03-29 17:57:21 +00:00 · ec5869cba8
parent 2b6992eec1
commit ec5869cba8
1 changed files with 44 additions and 6 deletions
--- a/debian/wit-network-config.postinst
+++ b/debian/wit-network-config.postinst
@ -3,7 +3,8 @@
 #
 # see: dh_installdeb(1)

-set -xe
+#set -xe
+set -Eeuxo pipefail

 # summary of how this script can be called:
 #        * <postinst> `configure' <most-recently-configured-version>
@ -21,8 +22,6 @@ set -xe
 case "$1" in
    configure)

-
-     ## START gather all the info from the box and generate the variabels
        IFCONFIG="etc/network/interfaces"
        UDEVCONFIG="etc/udev/rules.d/70-persistent-net.rules"
        FRRCONFIG="etc/frr/frr.conf.wit"
@ -30,8 +29,14 @@ case "$1" in
        IPSECCONFIG="etc/ipsec.conf.wit"
        IPSECSECRETS="etc/ipsec.secrets"
        SYSCTLTWEAKS="etc/sysctl.d/10-frr.conf"
+        CAPATH=/etc/ipsec.d
+        CACURLURL="http://bastion"
+
+     ## START gather all the info from the box and generate the variabels
+        HOSTNAME=$(hostname)
        DOMAINNAME=$(hostname -d)

+
        dig_txt() {
            TMPDIG=$(dig txt +short $1)
            [ -z ${TMPDIG} ] && exit 2
@ -56,8 +61,15 @@ case "$1" in
        LOOPBACKv4=$(dig_a ${HOSTNAME})
        LOOPBACKv6=$(dig_aaaa ${HOSTNAME})
        NODEASN=$(dig_txt asn.${HOSTNAME})
+        ROOTCA=$(dig_txt ca.${HOSTNAME})


+        KEYFILE=${CAPATH}/private/${HOSTNAME}.key
+        REQFILE=${CAPATH}/reqs/${HOSTNAME}.req
+        CRTFILE=${CAPATH}/certs/${HOSTNAME}.crt
+        CRLFILE=${CAPATH}/crls/${CA}.crl
+        CAFILE=${CAPATH}/cacerts/${CA}.crt
+
     ## END variables


@ -331,7 +343,6 @@ case "$1" in

     ## START writing config files

-
      # set frr config
        sed -i \
                -e "s/^!!! FRR_IFS/$FRR_IFS/" \
@ -372,15 +383,42 @@ case "$1" in
 		: RSA ${HOSTNAME}.key
 	EOF

+
+      # do we already have a cert? if not, lets generate one and ask for signing
+
+        if [ ! -e $KEYFILE ]; then
+
+            pki --gen --type rsa --size 2048 --outform pem >${KEYFILE}
+            pki --req --in ${KEYFILE} --type rsa --digest sha512 --dn "C=US, O=Wit, CN=${CN}" --san "${CN}" --outform pem | curl --fail  -T - ${CURLURL}/reqs/${REQFILE##*/}
+
+            curl --fail -so  ${CAFILE}   ${CURLURL}/cacerts/${CAFILE##*/}
+            curl --fail -so  ${CRLFILE}  ${CURLURL}/crls/${CRLFILE##*/}
+
+
+            cat <<-EOF >/etc/cron.d/wit-net-config-pull-signed-cert
+			SHELL=/bin/bash
+			PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+
+			* * * * * root  curl --fail -so ${CRTFILE} ${CACURLURL}/certs/${CRTFILE##*/} 2>/dev/null && diff -s <(pki --keyid --type priv --in ${KEYFILE} 2>/dev/null) <(pki --keyid --type x509 --in ${CRTFILE} 2>/dev/null) >/dev/null && ipsec rereadall && ipsec rereadsecrets && ipsec purgecerts && ipsec purgecrls && ipsec reload && rm -f /etc/cron.d/wit-net-config-pull-signed-cert
+			## self delete after successfully pulling cert
+		EOF
+
+            ipsec rereadall
+            ipsec rereadsecrets
+            ipsec purgecerts
+            ipsec purgecrls
+            ipsec reload
+        fi
+
+
    ## END config file section


    ## START configuring services as we need it

+        systemctl enable strongswan || true       ## in case we kick-start or done have it enabled for some reason
        systemctl enable firewall
        systemctl restart firewall
-        systemctl restart ssh
-        systemctl reload strongswan || true       ## in case we kick-start or done have it enabled for some reason
        
        sysctl -p $SYSCTLTWEAKS