From a8181a5f29b4af3a336a850edaa31c718aa87479 Mon Sep 17 00:00:00 2001
From: Ian Fijolek
Date: Tue, 22 Mar 2022 16:39:33 -0700
Subject: [PATCH] WIP: Set up step-ca
Unsure of the best way to setup bootstrapping the system. Do I run an ansible playbook to generate certificates offline and then bootstrap with that? Can I bring it online after and schedule with Nomad?
---
 nomad/ansible_hosts.yml | 10 ++++++++++
 nomad/ca/.gitignore | 1 +
 nomad/ca/Makefile | 19 +++++++++++++++++++
 nomad/ca/setup-ca.yml | 35 +++++++++++++++++++++++++++++++++++
 4 files changed, 65 insertions(+)
 create mode 100644 nomad/ca/.gitignore
 create mode 100644 nomad/ca/Makefile
 create mode 100644 nomad/ca/setup-ca.yml
diff --git a/nomad/ansible_hosts.yml b/nomad/ansible_hosts.yml
index 3935b21..2211707 100644
--- a/nomad/ansible_hosts.yml
+++ b/nomad/ansible_hosts.yml
@@ -13,6 +13,12 @@ all:
 group: "bin"
 mode: "0755"
 read_only: false
+ - name: step-ca-data
+ path: /srv/volumes/step-ca-data
+ owner: "root"
+ group: "bin"
+ mode: "0700"
+ read_only: false
 # consul_auto_encrypt:
 # enabled: true
 # dns_san: ["services.thefij"]
@@ -31,3 +37,7 @@ all:
 vault_instances:
 children:
 servers: {}
+ ca_servers:
+ hosts:
+ nomad0.thefij:
+ step_path: /srv/volumes/step-ca-data
diff --git a/nomad/ca/.gitignore b/nomad/ca/.gitignore
new file mode 100644
index 0000000..8448df2
--- /dev/null
+++ b/nomad/ca/.gitignore
@@ -0,0 +1 @@
+step_path
diff --git a/nomad/ca/Makefile b/nomad/ca/Makefile
new file mode 100644
index 0000000..ce65d0a
--- /dev/null
+++ b/nomad/ca/Makefile
@@ -0,0 +1,19 @@
+STEPPATH ?= ./step_path
+
+.PHONY: bootstrap
+bootstrap: $(STEPPATH)/config/ca.json
+
+$(STEPPATH)/config/ca.json:
+ env STEPPATH=$(STEPPATH) \
+ step ca init \
+ --ssh \
+ --deployment-type standalone \
+ --name TheFij \
+ --dns ca.thefij.rocks \
+ --address 0.0.0.0:9443 \
+ --provisioner ian@iamthefij.com
+
+.PHONY: run
+run: $(STEPPATH)/config/ca.json
+ env STEPPATH=$(STEPPATH) \
+ step-ca $(STEPPATH)/config/ca.json
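Review bot: The new `step-ca-data` host volume is the same directory the second hunk assigns to `ca_servers` as `step_path`, so it will hold the CA's private keys, and a Nomad host volume can be mounted by any job that is permitted to claim it. Unless a Nomad ACL policy restricts `host_volume "step-ca-data"` to the CA's own namespace, anyone with job-submit rights can mount it and read the signing keys, which is a far wider audience than the root-owned `0700` mode suggests. I would either keep the CA outside Nomad (the commit message is already weighing this) or record the required ACL next to the volume, e.g. `# holds CA signing keys: restrict with a Nomad host_volume ACL policy before scheduling anything on it`.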
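Review bot: The `bootstrap` target generates both the root and the intermediate private keys under the same `$(STEPPATH)` that `run` serves from, so the root signing key stays online on the CA host even though, as far as I know, step-ca only needs `secrets/intermediate_ca_key` (plus the SSH keys from `--ssh`) at runtime; this is exactly the offline-vs-online question in the commit message. After `step ca init` I would move `$(STEPPATH)/secrets/root_ca_key` to offline storage and deploy only the intermediate, or generate the root elsewhere and feed it in with `--root`/`--key`. `step ca init` also prompts interactively for the key-encryption password, so the target is not reproducible; adding `--password-file $(STEPPATH)/password.txt` (git-ignored, mode `0600`) and passing the same file to `step-ca --password-file` in `run` avoids the prompt in both places. `--address 0.0.0.0:9443` listens on every interface, which is only acceptable if the host firewall limits 9443 to the clients that should reach the CA.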
diff --git a/nomad/ca/setup-ca.yml b/nomad/ca/setup-ca.yml
new file mode 100644
index 0000000..63adca8
--- /dev/null
+++ b/nomad/ca/setup-ca.yml
@@ -0,0 +1,35 @@
+---
+- name: Set up CA
+ hosts: ca_servers
+ become: true
+
+ tasks:
+ - name: Create step_path
+ file:
+ path: "{{ step_path }}"
+ state: directory
+ owner: root
+ mode: "0700"
+
+ - name: Install step-ca
+ include_role:
+ name: maxhoesel.smallstep.step_ca
+ vars:
+ step_ca_name: TheFij CA
+ step_ca_root_password: ...
+ step_ca_intermediate_password: ...
+ step_cli_steppath: "{{ step_path }}"
+
+ - name: Read fingerprint
+ command: "step-cli certificate fingerprint {{ step_path }}/certs/root_ca.crt"
+ register: root_ca_fp
+
+- name: Bootstrap other hosts
+ hosts: servers
+
+ tasks:
+ - name: Boostrap hosts to trust CA
+ include_role:
+ name: maxhoesel.smallstep.step_bootstrap_host
+ vars:
+ step_bootstrap_ca_url: http
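Review bot: `step_ca_root_password: ...` and `step_ca_intermediate_password: ...` are plaintext placeholders in a playbook that will be committed, and the hunk's final line (`step_bootstrap_ca_url: http`) is cut off at the edge of the page, so the remaining bootstrap settings are not visible; the passwords should come from Ansible Vault or an external lookup rather than the file, e.g. `step_ca_root_password: "{{ lookup('env', 'STEP_CA_ROOT_PASSWORD') }}"` or an `!vault` value. `root_ca_fp` is registered in the first play but nothing visible in the second play consumes it, so the `step_bootstrap_host` role appears to get only a URL; if the role accepts a fingerprint, pass `step_bootstrap_fingerprint: "{{ hostvars['nomad0.thefij'].root_ca_fp.stdout }}"` so hosts pin the root they trust instead of accepting whatever that URL serves. The `command:` task has no `changed_when: false`, so every run will report a change for a read-only fingerprint lookup. The task name `Boostrap hosts to trust CA` has a typo (`Bootstrap`).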