From ec5869cba89563a03d91e7cf40f7fa2dbb01053c Mon Sep 17 00:00:00 2001 From: toby Date: Fri, 29 Mar 2019 17:57:21 +0000 Subject: [PATCH] adding ipsec node cerd self generation and sign req to bastion --- debian/wit-network-config.postinst | 50 ++++++++++++++++++++++++++---- 1 file changed, 44 insertions(+), 6 deletions(-) diff --git a/debian/wit-network-config.postinst b/debian/wit-network-config.postinst index 16be6ab..c118dcc 100755 --- a/debian/wit-network-config.postinst +++ b/debian/wit-network-config.postinst @@ -3,7 +3,8 @@ # # see: dh_installdeb(1) -set -xe +#set -xe +set -Eeuxo pipefail # summary of how this script can be called: # * `configure' @@ -21,8 +22,6 @@ set -xe case "$1" in configure) - - ## START gather all the info from the box and generate the variabels IFCONFIG="etc/network/interfaces" UDEVCONFIG="etc/udev/rules.d/70-persistent-net.rules" FRRCONFIG="etc/frr/frr.conf.wit" @@ -30,8 +29,14 @@ case "$1" in IPSECCONFIG="etc/ipsec.conf.wit" IPSECSECRETS="etc/ipsec.secrets" SYSCTLTWEAKS="etc/sysctl.d/10-frr.conf" + CAPATH=/etc/ipsec.d + CACURLURL="http://bastion" + + ## START gather all the info from the box and generate the variabels + HOSTNAME=$(hostname) DOMAINNAME=$(hostname -d) + dig_txt() { TMPDIG=$(dig txt +short $1) [ -z ${TMPDIG} ] && exit 2 @@ -56,8 +61,15 @@ case "$1" in LOOPBACKv4=$(dig_a ${HOSTNAME}) LOOPBACKv6=$(dig_aaaa ${HOSTNAME}) NODEASN=$(dig_txt asn.${HOSTNAME}) + ROOTCA=$(dig_txt ca.${HOSTNAME}) + KEYFILE=${CAPATH}/private/${HOSTNAME}.key + REQFILE=${CAPATH}/reqs/${HOSTNAME}.req + CRTFILE=${CAPATH}/certs/${HOSTNAME}.crt + CRLFILE=${CAPATH}/crls/${CA}.crl + CAFILE=${CAPATH}/cacerts/${CA}.crt + ## END variables @@ -331,7 +343,6 @@ case "$1" in ## START writing config files - # set frr config sed -i \ -e "s/^!!! FRR_IFS/$FRR_IFS/" \ 
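Review bot: `CAPATH=/etc/ipsec.d` is the only absolute path among the path variables in this block — `IPSECCONFIG="etc/ipsec.conf.wit"`, `IPSECSECRETS="etc/ipsec.secrets"` and `SYSCTLTWEAKS="etc/sysctl.d/10-frr.conf"` are all written relative to `/`. Everything derived from it (`KEYFILE`, `CRTFILE`, `CAFILE`, `CRLFILE`) is also expanded into the cron job generated in the last hunk, where a relative path would resolve against cron's working directory, so the absolute form looks deliberate; state that so the next editor does not "fix" it, e.g. `CAPATH=/etc/ipsec.d   # absolute on purpose: also expanded into /etc/cron.d/wit-net-config-pull-signed-cert`. How the relative siblings are resolved is not visible in this patch. The `case "$1" in configure)` block these lines belong to starts and ends outside the hunk.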
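Review bot: `${CA}` in `CRLFILE=${CAPATH}/crls/${CA}.crl` and `CAFILE=${CAPATH}/cacerts/${CA}.crt` is not assigned anywhere visible in this patch — the lookup a few lines up stores its result in `ROOTCA` — and with the `set -Eeuxo pipefail` introduced in the first hunk, `-u` makes that first expansion abort the postinst before any config file is written. The same applies to `${CN}` and `${CURLURL}` in the last hunk, where `CACURLURL` is the name actually defined in the @@ -30 hunk; presumably `CRLFILE=${CAPATH}/crls/${ROOTCA}.crl` and `CAFILE=${CAPATH}/cacerts/${ROOTCA}.crt` were intended. Note also that `ROOTCA=$(dig_txt ca.${HOSTNAME})` lets an unauthenticated TXT answer choose which trust-anchor file is used, which is only as trustworthy as the resolver path unless the zone is DNSSEC-validated. The enclosing `case "$1" in configure)` block starts and ends outside the hunk.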
@@ -372,15 +383,42 @@ case "$1" in : RSA ${HOSTNAME}.key EOF + + # do we already have a cert? if not, lets generate one and ask for signing + + if [ ! -e $KEYFILE ]; then + + pki --gen --type rsa --size 2048 --outform pem >${KEYFILE} + pki --req --in ${KEYFILE} --type rsa --digest sha512 --dn "C=US, O=Wit, CN=${CN}" --san "${CN}" --outform pem | curl --fail -T - ${CURLURL}/reqs/${REQFILE##*/} + + curl --fail -so ${CAFILE} ${CURLURL}/cacerts/${CAFILE##*/} + curl --fail -so ${CRLFILE} ${CURLURL}/crls/${CRLFILE##*/} + + + cat <<-EOF >/etc/cron.d/wit-net-config-pull-signed-cert + SHELL=/bin/bash + PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin + + * * * * * root curl --fail -so ${CRTFILE} ${CACURLURL}/certs/${CRTFILE##*/} 2>/dev/null && diff -s <(pki --keyid --type priv --in ${KEYFILE} 2>/dev/null) <(pki --keyid --type x509 --in ${CRTFILE} 2>/dev/null) >/dev/null && ipsec rereadall && ipsec rereadsecrets && ipsec purgecerts && ipsec purgecrls && ipsec reload && rm -f /etc/cron.d/wit-net-config-pull-signed-cert + ## self delete after successfully pulling cert + EOF + + ipsec rereadall + ipsec rereadsecrets + ipsec purgecerts + ipsec purgecrls + ipsec reload + fi + + ## END config file section ## START configuring services as we need it + systemctl enable strongswan || true ## in case we kick-start or done have it enabled for some reason systemctl enable firewall systemctl restart firewall - systemctl restart ssh - systemctl reload strongswan || true ## in case we kick-start or done have it enabled for some reason sysctl -p $SYSCTLTWEAKS
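Review bot: The CA certificate and CRL that strongSwan will trust are installed straight from `curl --fail -so ${CAFILE} ${CURLURL}/cacerts/…` and `curl --fail -so ${CRLFILE} ${CURLURL}/crls/…` over plain `http://bastion` with no integrity check, so whoever can answer for the bastion name on the network picks the IPsec trust anchor; the cron job has the same gap, since its `pki --keyid` comparison only proves the fetched cert matches the local key, not who issued it. Verify the downloaded CA against a fingerprint delivered out of band (shipped with the package or from a DNSSEC-validated record) and move the fetches to TLS once the bastion has a pinnable certificate. The private key is written with `>${KEYFILE}` under whatever umask dpkg inherited, so wrap the generation in `(umask 077; …)`, and quote every expansion (`"$KEYFILE"`, `"$CAFILE"`, `"${CACURLURL}/…"`) as ShellCheck would flag. Because `set -e` aborts the postinst if the `curl -T` upload fails after the key already exists, a rerun skips the `[ ! -e $KEYFILE ]` branch and the request is never resubmitted; keying the branch on the absence of `$CRTFILE` instead makes the step retryable. The enclosing `case "$1" in configure)` block starts and ends outside the hunk.
```shell
  # … unchanged: ipsec.secrets here-doc …

  # no signed cert yet: (re)submit the request on every run until the bastion has signed it
  if [ ! -e "$CRTFILE" ]; then
    if [ ! -e "$KEYFILE" ]; then
      # key is created 0600 regardless of the umask dpkg inherited
      (umask 077; pki --gen --type rsa --size 2048 --outform pem >"$KEYFILE")
    fi
    pki --req --in "$KEYFILE" --type rsa --digest sha512 --dn "C=US, O=Wit, CN=${CN}" --san "${CN}" --outform pem \
      | curl --fail -sS -T - "${CACURLURL}/reqs/${REQFILE##*/}"

    curl --fail -sS -o "$CAFILE" "${CACURLURL}/cacerts/${CAFILE##*/}"
    # the trust anchor arrived over plain HTTP: keep it only if it matches the fingerprint shipped out of band
    ca_fp=$(openssl x509 -in "$CAFILE" -noout -fingerprint -sha256)
    if [ "${ca_fp#*=}" != "<EXPECTED_CA_SHA256_FINGERPRINT, shipped with the package>" ]; then
      rm -f -- "$CAFILE"
      exit 2
    fi
    curl --fail -sS -o "$CRLFILE" "${CACURLURL}/crls/${CRLFILE##*/}"

    # … unchanged: cron job here-doc and the ipsec reread/purge/reload sequence …
  fi
```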