adding ipsec node cerd self generation and sign req to bastion

This commit is contained in:
toby 2019-03-29 17:57:21 +00:00
parent 2b6992eec1
commit ec5869cba8
1 changed files with 44 additions and 6 deletions


@ -3,7 +3,8 @@
# #
# see: dh_installdeb(1) # see: dh_installdeb(1)
set -xe #set -xe
set -Eeuxo pipefail
# summary of how this script can be called: # summary of how this script can be called:
# * <postinst> `configure' <most-recently-configured-version> # * <postinst> `configure' <most-recently-configured-version>
@ -21,8 +22,6 @@ set -xe
case "$1" in case "$1" in
configure) configure)
## START gather all the info from the box and generate the variabels
IFCONFIG="etc/network/interfaces" IFCONFIG="etc/network/interfaces"
UDEVCONFIG="etc/udev/rules.d/70-persistent-net.rules" UDEVCONFIG="etc/udev/rules.d/70-persistent-net.rules"
FRRCONFIG="etc/frr/frr.conf.wit" FRRCONFIG="etc/frr/frr.conf.wit"
@ -30,8 +29,14 @@ case "$1" in
IPSECCONFIG="etc/ipsec.conf.wit" IPSECCONFIG="etc/ipsec.conf.wit"
IPSECSECRETS="etc/ipsec.secrets" IPSECSECRETS="etc/ipsec.secrets"
SYSCTLTWEAKS="etc/sysctl.d/10-frr.conf" SYSCTLTWEAKS="etc/sysctl.d/10-frr.conf"
CAPATH=/etc/ipsec.d
CACURLURL="http://bastion"
## START gather all the info from the box and generate the variabels
HOSTNAME=$(hostname)
DOMAINNAME=$(hostname -d) DOMAINNAME=$(hostname -d)
dig_txt() { dig_txt() {
TMPDIG=$(dig txt +short $1) TMPDIG=$(dig txt +short $1)
[ -z ${TMPDIG} ] && exit 2 [ -z ${TMPDIG} ] && exit 2
@ -56,8 +61,15 @@ case "$1" in
LOOPBACKv4=$(dig_a ${HOSTNAME}) LOOPBACKv4=$(dig_a ${HOSTNAME})
LOOPBACKv6=$(dig_aaaa ${HOSTNAME}) LOOPBACKv6=$(dig_aaaa ${HOSTNAME})
NODEASN=$(dig_txt asn.${HOSTNAME}) NODEASN=$(dig_txt asn.${HOSTNAME})
ROOTCA=$(dig_txt ca.${HOSTNAME})
KEYFILE=${CAPATH}/private/${HOSTNAME}.key
REQFILE=${CAPATH}/reqs/${HOSTNAME}.req
CRTFILE=${CAPATH}/certs/${HOSTNAME}.crt
CRLFILE=${CAPATH}/crls/${CA}.crl
CAFILE=${CAPATH}/cacerts/${CA}.crt
## END variables ## END variables
@ -331,7 +343,6 @@ case "$1" in
## START writing config files ## START writing config files
# set frr config # set frr config
sed -i \ sed -i \
-e "s/^!!! FRR_IFS/$FRR_IFS/" \ -e "s/^!!! FRR_IFS/$FRR_IFS/" \
@ -372,15 +383,42 @@ case "$1" in
: RSA ${HOSTNAME}.key : RSA ${HOSTNAME}.key
EOF EOF
# do we already have a cert? if not, lets generate one and ask for signing
if [ ! -e $KEYFILE ]; then
pki --gen --type rsa --size 2048 --outform pem >${KEYFILE}
pki --req --in ${KEYFILE} --type rsa --digest sha512 --dn "C=US, O=Wit, CN=${CN}" --san "${CN}" --outform pem | curl --fail -T - ${CURLURL}/reqs/${REQFILE##*/}
curl --fail -so ${CAFILE} ${CURLURL}/cacerts/${CAFILE##*/}
curl --fail -so ${CRLFILE} ${CURLURL}/crls/${CRLFILE##*/}
cat <<-EOF >/etc/cron.d/wit-net-config-pull-signed-cert
SHELL=/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
* * * * * root curl --fail -so ${CRTFILE} ${CACURLURL}/certs/${CRTFILE##*/} 2>/dev/null && diff -s <(pki --keyid --type priv --in ${KEYFILE} 2>/dev/null) <(pki --keyid --type x509 --in ${CRTFILE} 2>/dev/null) >/dev/null && ipsec rereadall && ipsec rereadsecrets && ipsec purgecerts && ipsec purgecrls && ipsec reload && rm -f /etc/cron.d/wit-net-config-pull-signed-cert
## self delete after successfully pulling cert
EOF
ipsec rereadall
ipsec rereadsecrets
ipsec purgecerts
ipsec purgecrls
ipsec reload
fi
## END config file section ## END config file section
## START configuring services as we need it ## START configuring services as we need it
systemctl enable strongswan || true ## in case we kick-start or done have it enabled for some reason
systemctl enable firewall systemctl enable firewall
systemctl restart firewall systemctl restart firewall
systemctl restart ssh
systemctl reload strongswan || true ## in case we kick-start or done have it enabled for some reason
sysctl -p $SYSCTLTWEAKS sysctl -p $SYSCTLTWEAKS