From 0c99c0b5b2dcee40f153aa653d1fd6ea99b39f1f Mon Sep 17 00:00:00 2001
From: Asara
Date: Sat, 5 Nov 2022 22:11:23 -0400
Subject: [PATCH] Update ansible
---
 ansible/ansible.cfg | 7 ++-
 ansible/group_vars/haproxy/main.yml | 2 +-
 ansible/requirements.txt | 38 +++++++++-------
 ansible/roles/common/tasks/main.yml | 4 +-
 ansible/roles/consul/tasks/main.yml | 2 +-
 ansible/roles/consul/templates/consul.hcl.j2 | 4 +-
 ansible/roles/consul_server/tasks/main.yml | 2 +-
 .../consul_server/templates/consul.hcl.j2 | 4 +-
 ansible/roles/k3s/tasks/main.yml | 6 +--
 .../lego/templates/amarpreet@minhas.io.key.j2 | 2 +-
 ansible/roles/lego/templates/defaults | 10 ++---
 .../roles/nomad_client/templates/nomad.hcl.j2 | 4 +-
 .../roles/nomad_server/templates/nomad.hcl.j2 | 4 +-
 .../roles/vault_server/templates/vault.hcl.j2 | 2 +-
 docker/satdress/Dockerfile | 19 ++++++++
 docker/satdress/files/MaskedName_Root_CA.crt | 43 +++++++++++++++++++
 16 files changed, 112 insertions(+), 41 deletions(-)
 create mode 100644 docker/satdress/Dockerfile
 create mode 100755 docker/satdress/files/MaskedName_Root_CA.crt
diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg
index 56018d1..2884182 100644
--- a/ansible/ansible.cfg
+++ b/ansible/ansible.cfg
@@ -13,8 +13,8 @@ poll_interval = 15
 transport = smart
 remote_port = 22
 gathering = smart
-stdout_callback = skippy
-callback_whitelist = timer
+stdout_callback = default
+callbacks_enabled = timer
 timeout = 10
 remote_user = cfgmgmt
 private_key_file = ~/personal/keys/cfgmgmt
@@ -29,3 +29,6 @@ become_user = root
 [diff]
 always = True
+
+[hashi_vault_collection]
+token_validate = True
diff --git a/ansible/group_vars/haproxy/main.yml b/ansible/group_vars/haproxy/main.yml
index b4dc900..43f50f2 100644
--- a/ansible/group_vars/haproxy/main.yml
+++ b/ansible/group_vars/haproxy/main.yml
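Review bot: With `[diff] always = True` left in force by this hunk, every template task whose rendered file changes prints the old and new contents to stdout, and the templates touched elsewhere in this patch render Vault secrets (gossip key, ACL tokens, ACME private key, AWS and Namecheap credentials) directly into files, so those values end up in terminal scrollback and in any CI log that captures the run. The tasks that install those templates are outside this patch, so I cannot tell whether they set `no_log: true` or `diff: false`; if they do not, either add that per task or flip the default to `always = False` and opt in for non-secret files. The new `[hashi_vault_collection]` / `token_validate = True` entry is a good change: none of the lookups in this patch pass `auth_method` or a token, so they depend on the controller's ambient Vault token, and validating it up front fails fast on an expired token instead of partway through the play.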
@@ -1,4 +1,4 @@
 ---
 lego_email_address: amarpreet@minhas.io
-letsencrypt_account_id: "{{ lookup('hashi_vault', 'secret=kv/data/acme:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['account_id'] }}"
+letsencrypt_account_id: "{{ lookup('hashi_vault', 'secret=kv/data/acme:account_id ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
 ...
diff --git a/ansible/requirements.txt b/ansible/requirements.txt
index 50a0701..76323dc 100644
--- a/ansible/requirements.txt
+++ b/ansible/requirements.txt
@@ -1,16 +1,22 @@
-ansible==2.9.12
-certifi==2020.6.20
-cffi==1.14.2
-chardet==3.0.4
-cryptography==3.0
-docker==4.3.1
-hvac==0.10.5
-idna==2.10
-Jinja2==2.11.2
-MarkupSafe==1.1.1
-pycparser==2.20
-PyYAML==5.3.1
-requests==2.24.0
-six==1.15.0
-urllib3==1.25.10
-websocket-client==0.57.0
+ansible==6.5.0
+ansible-core==2.13.5
+certifi==2022.9.24
+cffi==1.15.1
+chardet==5.0.0
+charset-normalizer==2.1.1
+cryptography==38.0.3
+docker==6.0.1
+hvac==1.0.2
+idna==3.4
+Jinja2==3.1.2
+MarkupSafe==2.1.1
+packaging==21.3
+pycparser==2.21
+pyhcl==0.4.4
+pyparsing==3.0.9
+PyYAML==6.0
+requests==2.28.1
+resolvelib==0.8.1
+six==1.16.0
+urllib3==1.26.12
+websocket-client==1.4.2
diff --git a/ansible/roles/common/tasks/main.yml b/ansible/roles/common/tasks/main.yml
index 1c91678..949bcdf 100644
--- a/ansible/roles/common/tasks/main.yml
+++ b/ansible/roles/common/tasks/main.yml
@@ -1,4 +1,4 @@
 ---
-- include: "{{ ansible_os_family }}_pki.yml"
-- include: "{{ ansible_os_family }}.yml"
+- include_tasks: "{{ ansible_os_family }}_pki.yml"
+- include_tasks: "{{ ansible_os_family }}.yml"
 ...
diff --git a/ansible/roles/consul/tasks/main.yml b/ansible/roles/consul/tasks/main.yml
index 8ebc556..c8d427f 100644
--- a/ansible/roles/consul/tasks/main.yml
+++ b/ansible/roles/consul/tasks/main.yml
@@ -1,3 +1,3 @@
 ---
-- include: "{{ ansible_os_family }}.yml"
+- include_tasks: "{{ ansible_os_family }}.yml"
 ...
diff --git a/ansible/roles/consul/templates/consul.hcl.j2 b/ansible/roles/consul/templates/consul.hcl.j2
index 7ef3f08..aec55a5 100644
--- a/ansible/roles/consul/templates/consul.hcl.j2
+++ b/ansible/roles/consul/templates/consul.hcl.j2
@@ -3,7 +3,7 @@ primary_datacenter = "{{ main_dc_name }}"
 domain = "{{ consul_domain }}"
 node_name = "{{ inventory_hostname_short }}"
-encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['gossip'] }}"
+encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:gossip ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
 verify_incoming = false
 verify_outgoing = true
@@ -32,6 +32,6 @@ acl {
 default_policy = "deny"
 enable_token_persistence = true
 tokens {
- default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['server-acl-token'] }}"
+ default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:server-acl-token ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
 }
 }
diff --git a/ansible/roles/consul_server/tasks/main.yml b/ansible/roles/consul_server/tasks/main.yml
index 8ebc556..c8d427f 100644
--- a/ansible/roles/consul_server/tasks/main.yml
+++ b/ansible/roles/consul_server/tasks/main.yml
@@ -1,3 +1,3 @@
 ---
-- include: "{{ ansible_os_family }}.yml"
+- include_tasks: "{{ ansible_os_family }}.yml"
 ...
diff --git a/ansible/roles/consul_server/templates/consul.hcl.j2 b/ansible/roles/consul_server/templates/consul.hcl.j2
index f81b0fc..52e9ed1 100644
--- a/ansible/roles/consul_server/templates/consul.hcl.j2
+++ b/ansible/roles/consul_server/templates/consul.hcl.j2
@@ -6,7 +6,7 @@ server = true
 bootstrap_expect = 3
 ui = true
-encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['gossip'] }}"
+encrypt = "{{ lookup('hashi_vault', 'secret=kv/data/consul:gossip ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
 verify_outgoing = true
 verify_server_hostname = true
@@ -49,6 +49,6 @@ acl {
 default_policy = "deny"
 enable_token_persistence = true
 tokens {
- default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['server-acl-token'] }}"
+ default = "{{ lookup('hashi_vault', 'secret=kv/data/consul:server-acl-token ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
 }
 }
diff --git a/ansible/roles/k3s/tasks/main.yml b/ansible/roles/k3s/tasks/main.yml
index cc6d954..8d2a43c 100644
--- a/ansible/roles/k3s/tasks/main.yml
+++ b/ansible/roles/k3s/tasks/main.yml
@@ -1,7 +1,7 @@
 ---
-- include: get_k3s.yml
-- include: server.yml
+- include_tasks: get_k3s.yml
+- include_tasks: server.yml
 when: k3s_role == "server"
-- include: clients.yml
+- include_tasks: clients.yml
 when: k3s_role == "client"
 ...
diff --git a/ansible/roles/lego/templates/amarpreet@minhas.io.key.j2 b/ansible/roles/lego/templates/amarpreet@minhas.io.key.j2
index f0d1e15..8eef0b0 100644
--- a/ansible/roles/lego/templates/amarpreet@minhas.io.key.j2
+++ b/ansible/roles/lego/templates/amarpreet@minhas.io.key.j2
@@ -1 +1 @@
-{{ lookup('hashi_vault', 'secret=kv/data/acme:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['private_key'] }}
+{{ lookup('hashi_vault', 'secret=kv/data/acme:private_key ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}
diff --git a/ansible/roles/lego/templates/defaults b/ansible/roles/lego/templates/defaults
index 6357fae..a3427c7 100644
--- a/ansible/roles/lego/templates/defaults
+++ b/ansible/roles/lego/templates/defaults
@@ -1,5 +1,5 @@
-export NAMECHEAP_API_USER={{ lookup('hashi_vault', 'secret=kv/data/namecheap:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['api_user'] }}
-export NAMECHEAP_API_KEY={{ lookup('hashi_vault', 'secret=kv/data/namecheap:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['api_key'] }}
-export AWS_ACCESS_KEY_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['access_key'] }}
-export AWS_SECRET_ACCESS_KEY={{ lookup('hashi_vault', 'secret=kv/data/aws:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['secret_key'] }}
-export AWS_HOSTED_ZONE_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['hosted_zone_id'] }}
+export NAMECHEAP_API_USER={{ lookup('hashi_vault', 'secret=kv/data/namecheap:api_user ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}
+export NAMECHEAP_API_KEY={{ lookup('hashi_vault', 'secret=kv/data/namecheap:api_key ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}
+export AWS_ACCESS_KEY_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:access_key ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}
+export AWS_SECRET_ACCESS_KEY={{ lookup('hashi_vault', 'secret=kv/data/aws:secret_key ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}
+export AWS_HOSTED_ZONE_ID={{ lookup('hashi_vault', 'secret=kv/data/aws:hosted_zone_id ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}
diff --git a/ansible/roles/nomad_client/templates/nomad.hcl.j2 b/ansible/roles/nomad_client/templates/nomad.hcl.j2
index 4d1b262..afeb3cf 100644
--- a/ansible/roles/nomad_client/templates/nomad.hcl.j2
+++ b/ansible/roles/nomad_client/templates/nomad.hcl.j2
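Review bot: The five `export` lines write the looked-up values unquoted, so a credential containing a shell metacharacter (space, `$`, `&`, `;`, backtick) is mangled or executed when this file is sourced; Ansible's built-in `quote` filter produces a shell-safe literal, e.g. `export AWS_SECRET_ACCESS_KEY={{ lookup('hashi_vault', 'secret=kv/data/aws:secret_key ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') | quote }}`, and the same `| quote` belongs on the other four lines. Once rendered, this file holds a Namecheap API key and an AWS secret key in cleartext on the host; the template task that installs it is not part of this patch, so confirm it sets `mode: "0600"`, is owned by the account that runs lego, and uses `no_log: true` so the values are not echoed in task output or diffs.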
@@ -14,13 +14,13 @@ client {
 }
 consul {
- token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['consul-acl-client'] }}"
+ token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:consul-acl-client ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
 }
 vault {
 enabled = true
 ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}"
- token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['vault-token'] }}"
+ token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:vault-token ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
 address = "https://vault.service.{{ consul_domain }}:8200"
 create_from_role = "nomad-cluster"
 unwrap_token = true
diff --git a/ansible/roles/nomad_server/templates/nomad.hcl.j2 b/ansible/roles/nomad_server/templates/nomad.hcl.j2
index b73a29c..dca0bbc 100644
--- a/ansible/roles/nomad_server/templates/nomad.hcl.j2
+++ b/ansible/roles/nomad_server/templates/nomad.hcl.j2
@@ -9,14 +9,14 @@ server {
 vault {
 enabled = true
 ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}"
- token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['vault-token'] }}"
+ token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:vault-token ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
 address = "https://vault.service.{{ consul_domain }}:8200"
 create_from_role = "nomad-cluster"
 unwrap_token = true
 }
 consul {
- token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['consul-acl-server'] }}"
+ token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:consul-acl-server ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
 }
 tls {
diff --git a/ansible/roles/vault_server/templates/vault.hcl.j2 b/ansible/roles/vault_server/templates/vault.hcl.j2
index 4902e96..54203e1 100644
--- a/ansible/roles/vault_server/templates/vault.hcl.j2
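Review bot: The client template still places a Vault `token` and `create_from_role` in its `vault` block even though, per Nomad's vault stanza documentation, the parent token is only required on servers and clients work with the per-allocation tokens the servers derive; every client node therefore holds a copy of the `nomad:vault-token` secret it does not need, widening the blast radius of a compromised client. If the deployed Nomad version behaves that way, drop `token`, `create_from_role` and `unwrap_token` from the client block and keep only `enabled`, `ca_file` and `address`. Separately, `unwrap_token = true` declares the stored value to be a single-use response-wrapping token, which cannot be handed out unchanged from a static KV entry to more than one agent or more than one run — verify that against how `kv/data/nomad:vault-token` is populated. The `vault` block's closing brace lies outside this hunk.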
+++ b/ansible/roles/vault_server/templates/vault.hcl.j2
@@ -18,5 +18,5 @@ cluster_addr = "https://{{ ansible_default_ipv4.address }}:8201"
 storage "consul" {
 address = "localhost:8500"
 path = "vault/"
- token = "{{ lookup('hashi_vault', 'secret=kv/data/vault:data ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt')['consul-acl'] }}"
+ token = "{{ lookup('hashi_vault', 'secret=kv/data/vault:consul-acl ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
 }
diff --git a/docker/satdress/Dockerfile b/docker/satdress/Dockerfile
new file mode 100644
index 0000000..a76598e
--- /dev/null
+++ b/docker/satdress/Dockerfile
@@ -0,0 +1,19 @@
+FROM golang:alpine
+
+RUN apk add --no-cache ca-certificates git && \
+ go install -tags 'postgres' github.com/golang-migrate/migrate/v4/cmd/migrate@latest && \
+ mkdir -p ${GOPATH}/src/git.minhas.io/asara && \
+ cd ${GOPATH}/src/git.minhas.io/asara && \
+ git clone https://git.minhas.io/asara/sudoscientist-go-backend && \
+ cd ${GOPATH}/src/git.minhas.io/asara/sudoscientist-go-backend && \
+ go mod init && go get && go build -o /go/bin/sudoscientist-go-backend main.go && \
+ mv /go/bin/* /usr/local/bin/ && \
+ rm -rf /go/src && \
+ apk del git
+
+# Copy masked.name root cert
+COPY files/MaskedName_Root_CA.crt /usr/local/share/ca-certificates/MaskedName_Root_CA.crt
+
+# update ca certs
+RUN update-ca-certificates 2>/dev/null
+CMD ["/usr/local/bin/sudoscientist-go-backend"]
diff --git a/docker/satdress/files/MaskedName_Root_CA.crt b/docker/satdress/files/MaskedName_Root_CA.crt
new file mode 100755
index 0000000..31f76a9
--- /dev/null
+++ b/docker/satdress/files/MaskedName_Root_CA.crt
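Review bot: The `RUN` step installs `migrate@latest` and clones the application from the tip of its default branch with no pinned revision, so the image is not reproducible and anyone who can push to `git.minhas.io/asara/sudoscientist-go-backend` (or publish a new migrate release) silently changes what this container runs; pin both to a tag or commit, pin `FROM` to a specific Go tag or digest, and fail the build when no revision is supplied. `RUN update-ca-certificates 2>/dev/null` hides the one error that matters here: if the copied bundle is rejected, the image still builds but the binary cannot validate the private CA it is evidently meant to trust. There is also no `USER` instruction, so the service runs as root inside a full Go toolchain image; a non-root user (and, ideally, a multi-stage build that ships only the binary and the CA bundle) keeps a compromised process from rewriting the image's trust store. The directory is named `satdress` while the artifact built is `sudoscientist-go-backend`; if that is intentional, a one-line comment at the top would save the next reader a detour.
```dockerfile
FROM golang:1.19-alpine

# Both must be supplied with --build-arg; the build fails if either is empty.
ARG MIGRATE_VERSION
ARG BACKEND_REF

RUN test -n "${MIGRATE_VERSION}" && test -n "${BACKEND_REF}" && \
    apk add --no-cache ca-certificates git && \
    go install -tags 'postgres' github.com/golang-migrate/migrate/v4/cmd/migrate@"${MIGRATE_VERSION}" && \
    # … unchanged: mkdir, cd, git clone …
    cd ${GOPATH}/src/git.minhas.io/asara/sudoscientist-go-backend && \
    git checkout --detach "${BACKEND_REF}" && \
    # … unchanged: go mod init / go get / go build, mv, rm -rf, apk del git …

# … unchanged: COPY of files/MaskedName_Root_CA.crt …

# A rejected bundle must fail the build, not be silently discarded.
RUN update-ca-certificates

# Run unprivileged; adjust if the service must bind a port below 1024.
USER nobody
CMD ["/usr/local/bin/sudoscientist-go-backend"]
```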
@@ -0,0 +1,43 @@
+-----BEGIN CERTIFICATE-----
+MIIDNTCCAh2gAwIBAgIUYp8xo5t2lJFP3SiD1fJirgGUQJ0wDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAxMLbWFza2VkLm5hbWUwHhcNMjAwODI5MTkyMzEyWhcNMzAw
+ODI3MTkyMzQyWjAWMRQwEgYDVQQDEwttYXNrZWQubmFtZTCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAMI7oR+KHvvznfnaAXDMO5qpSTCAYCyfjFEohYJf
+lOcnLONXb3f6sP5d1eltL+UTq0RVU5UP0aNW7hqDTa41MRw0JCDtB68yKdYq2hZf
+97gA+lj3MEJU6RTAKLrg75GRh/AbNEIgwvPuHKW6hMbtwOyM9DFU//W3xpusalXy
+RMFzAHfSDj9ci+UygUt9HINWd/SmMGG/8PghaRhfE44wRFMqYezeliIt2JIs43BV
+7HqG0Oev9WPeXmiaZUYKQetHiQqR14Mxiv1IGzCmwwN+9b4tZtZTa58oM5dPXfbb
+lrELQE5OsPaNtMtER3MgxovDN3VSCGH/O/GyaEWVanY5UF8CAwEAAaN7MHkwDgYD
+VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFBY8jW3fDVUp
+URt1prhmDMjkVikgMB8GA1UdIwQYMBaAFBY8jW3fDVUpURt1prhmDMjkVikgMBYG
+A1UdEQQPMA2CC21hc2tlZC5uYW1lMA0GCSqGSIb3DQEBCwUAA4IBAQAWQz4d3QzE
+W8NGA16ZPamlVubOLB5DtZz2qrSrn3DeObLIDShInV3qtRlDx9HYJLTCA75Ket0J
+NTsyMcTy2txd4I8hgdF30XJeEciN9wZ0mKEeP/YKDwe8V2XwWq4XYkDechlWHpZo
+PfWcoLprKwVUI4HzaqkNmwcmMUI4xAsC+SLe1mrebseKm49oOwdQs/oPVLK+0nEp
+RvD0aOvohILIa/2ZtKczvhB/L3fo5pg9Ex/0JDBdDHIedMabD3qn8Idse+P5Dfwa
+Ju2Ctyb+n1TTPxRDMxs2cFbA5irr+2ARJd8jtGS+1fyxogjOWS1RR523F+qIS3su
+KibGel+gFPpq
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIID0zCCArugAwIBAgIUM52uhXSeTCim1pmzucm/cnIgNp8wDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAxMLbWFza2VkLm5hbWUwHhcNMjAwODI5MTkyNzAwWhcNMjUw
+ODI4MTkyNzMwWjAtMSswKQYDVQQDEyJtYXNrZWQubmFtZSBJbnRlcm1lZGlhdGUg
+QXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8LuGo+As
+ICYWdJjBCY0snF/X+jF1tdcrQzNiRKESEb5dsDiy979bugCblPQDQ+g5WGqXX4pj
+UyZZE3ZwhOufISlGK0ow1aMjqS+pFlQ85KRD/jUtLPRUJuQF+m2YwId/Mg6/B7Qk
+d166uJkNxS+MGZCi2OYXeoivnOY7Q0Kj/0vIbc5Vt3kCRVg2ljLSQhoBd+85AHMR
+jeRjZMeYEYF2HTVwrg4DrC/r00MVtDcNqs6+M7YZ/rzny73GvfJWfWoB1C4piZlg
+fvUcSDL5HAhjiu5cSeIR7DTuVx7t4PoK6AqUkPygDtq1ZaLybXT7X6d072dR5AXO
+nWFLPaaGJ979iwIDAQABo4IBADCB/TAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/
+BAUwAwEB/zAdBgNVHQ4EFgQUIkhVYBaK9CcvXG8FM2jKVZ16oZAwHwYDVR0jBBgw
+FoAUFjyNbd8NVSlRG3WmuGYMyORWKSAwUQYIKwYBBQUHAQEERTBDMEEGCCsGAQUF
+BzAChjVodHRwOi8vdmF1bHQuY29sdW1iaWEubWFza2VkLm5hbWU6ODIwMC92MS9w
+a2lfcm9vdC9jYTBHBgNVHR8EQDA+MDygOqA4hjZodHRwOi8vdmF1bHQuY29sdW1i
+aWEubWFza2VkLm5hbWU6ODIwMC92MS9wa2lfcm9vdC9jcmwwDQYJKoZIhvcNAQEL
+BQADggEBAK6HMgR+hpwjZCmf5NszDSHr7dYKZXP4LrcHPWs94nLM33UZ572ubGHs
+dKjRw8YD0cncrsypsYmEgR57U+DHkys394wkb7UOwy1Zvd5IIRXdP0cDylz0QzqM
+APnQYN+ismkoljhk9ey0Qbo3CmPjM+UQcAxuZQtA4M+riC1+jkude1uYL0szC6Y9
+4KetfvbNkedSaV5yJaRKCBhRcC4/GjpBG/odQ/5AfBPAFjZqhcIJWBrVYbTQVC79
+hMA1iwWJPmT9LsjMSUfxFTPzxRnNXQiKFz5kT2OiS1nqh8aOcyU9YC928pkifNJV
+KokuDezJFM7ie3d+EcBk1V9lHwOWdto=
+-----END CERTIFICATE-----
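Review bot: The bundle is added with mode 100755 (see its file header), which makes a certificate file executable for no reason and, since `COPY` keeps the mode, lands the same bits in the image; commit it as 100644. Despite the `Root_CA` file name and the Dockerfile comment, the file holds two certificates: the second block's subject decodes to `masked.name Intermediate Authority` with a validity that appears to end 2025-08-28, against 2030-08-27 for the root, so the bundle carries a far shorter-lived anchor than its name implies — confirm with `openssl x509 -noout -subject -dates` on each block. Installing the intermediate as its own trust anchor also means a chain ending at it validates even if the root later revokes that intermediate; if the root alone suffices to build chains to your services, ship only the root here and let the servers send the intermediate.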