WIP: Set up step-ca

Unsure of the best way to set up bootstrapping for the system. Do I run an
ansible playbook to generate certificates offline and then bootstrap
with that? Can I bring it online afterwards and schedule it with Nomad?
IamTheFij 2022-03-22 16:39:33 -07:00
parent d38c6059f4
commit a8181a5f29
4 changed files with 65 additions and 0 deletions


@ -13,6 +13,12 @@ all:
group: "bin" group: "bin"
mode: "0755" mode: "0755"
read_only: false read_only: false
- name: step-ca-data
path: /srv/volumes/step-ca-data
owner: "root"
group: "bin"
mode: "0700"
read_only: false
# consul_auto_encrypt: # consul_auto_encrypt:
# enabled: true # enabled: true
# dns_san: ["services.thefij"] # dns_san: ["services.thefij"]
@ -31,3 +37,7 @@ all:
vault_instances: vault_instances:
children: children:
servers: {} servers: {}
ca_servers:
hosts:
nomad0.thefij:
step_path: /srv/volumes/step-ca-data

1
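--- a/nomad/ca/.gitignore
+++ b/nomad/ca/.gitignore
@@ -0,0 +1 @@
+step_path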

19
nomad/ca/Makefile Normal file

@ -0,0 +1,19 @@
STEPPATH ?= ./step_path
.PHONY: bootstrap
bootstrap: $(STEPPATH)/config/ca.json
$(STEPPATH)/config/ca.json:
env STEPPATH=$(STEPPATH) \
step ca init \
--ssh \
--deployment-type standalone \
--name TheFij \
--dns ca.thefij.rocks \
--address 0.0.0.0:9443 \
--provisioner ian@iamthefij.com
.PHONY: run
run: $(STEPPATH)/config/ca.json
env STEPPATH=$(STEPPATH) \
step-ca $(STEPPATH)/config/ca.json
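Review bot: `--address 0.0.0.0:9443` in the `step ca init` recipe is written into ca.json, so `make run` serves the newly initialised CA, whose key material lives under `$(STEPPATH)`, on every interface of whatever machine runs it; since the commit message describes generating certificates offline, consider parameterising it, e.g. `ADDRESS ?= 127.0.0.1:9443` at the top and `--address $(ADDRESS)` in the recipe, so the all-interfaces bind is an explicit choice when this moves onto the Nomad host. Without `--password-file`, both `step ca init` and `step-ca` prompt interactively for the key passwords, so neither target can be driven unattended from Ansible or Nomad as the description contemplates; pointing `--password-file` at a file kept outside the repository is the non-interactive form. The rendered view drops indentation, so I cannot confirm that the recipe lines under `$(STEPPATH)/config/ca.json:` and `run:` begin with a tab, which make requires.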

35
nomad/ca/setup-ca.yml Normal file

@ -0,0 +1,35 @@
---
- name: Set up CA
hosts: ca_servers
become: true
tasks:
- name: Create step_path
file:
path: "{{ step_path }}"
state: directory
owner: root
mode: "0700"
- name: Install step-ca
include_role:
name: maxhoesel.smallstep.step_ca
vars:
step_ca_name: TheFij CA
step_ca_root_password: ...
step_ca_intermediate_password: ...
step_cli_steppath: "{{ step_path }}"
- name: Read fingerprint
command: "step-cli certificate fingerprint {{ step_path }}/certs/root_ca.crt"
register: root_ca_fp
- name: Bootstrap other hosts
hosts: servers
tasks:
- name: Boostrap hosts to trust CA
include_role:
name: maxhoesel.smallstep.step_bootstrap_host
vars:
step_bootstrap_ca_url: http