.

2021-09-25 14:09:55 +02:00
parent 283c7afd62
commit 0a1dbb5971
11 changed files with 283 additions and 6 deletions
--- a/salt/states/rmt/certs.sls
+++ b/salt/states/rmt/certs.sls
@@ -0,0 +1,87 @@
+Create the ca cnf file:
+  file.managed:
+    - name: /etc/rmt/ssl/rmt-ca.cnf
+    - source: salt://rmt/files/rmt-ca.cnf
+    - user: root
+    - group: root
+    - mode: "0600"
+
+
+Create rmt CA key:
+  x509.private_key_managed:
+    - name: /etc/rmt/ssl/rmt-ca.key
+    - passphrase: {{ pillar['rmt']['ca_passphrase'] }}
+    - bits: 2048
+    - owner: root
+    - group: root
+    - mode: "0600"
+
+Create rmt CA certificate:
+  cmd.run:
+    - name: openssl req -config rmt-ca.cnf -key rmt-ca.key -new -x509 -days 3650 -sha256 -out rmt-ca.crt -passin pass:{{ pillar['rmt']['ca_passphrase'] }}
+    - cwd: /etc/rmt/ssl
+    - onchanges:
+      - file: Create the ca cnf file
+
+Set permission on CA Certificate:
+  file.managed:
+    - name: /etc/rmt/ssl/rmt-ca.crt
+    - replace: False
+    - user: root
+    - group: nginx
+    - mode: "0640"
+  
+Create rmt-server key:
+  x509.private_key_managed:
+    - name: /etc/rmt/ssl/rmt-server.key
+    - bits: 2048
+    - owner: root
+    - group: root
+    - mode: "0600"
+
+Create the server cnf file:
+  file.managed:
+    - name: /etc/rmt/ssl/rmt-server.cnf
+    - source: salt://rmt/files/rmt-server.cnf.jinja
+    - template: jinja
+    - user: root
+    - group: root
+    - mode: "0600"
+
+Create the rmt-server signing request:
+  cmd.run:
+    - name: openssl req -new -key rmt-server.key -config rmt-server.cnf -out rmt-server.csr
+    - cwd: /etc/rmt/ssl
+    - onchanges:
+      - file: Create the server cnf file
+
+Set permission on rmt-server singing request:
+  file.managed:
+    - name: /etc/rmt/ssl/rmt-server.csr
+    - replace: False
+    - user: root
+    - group: root
+    - mode: "0600"
+
+Create the rmt-server certificate:
+  cmd.run:
+    - name: openssl x509 -req -in rmt-server.csr -CA rmt-ca.crt -CAkey rmt-ca.key -CAcreateserial -out rmt-server.crt -days 3650 -sha256 -passin pass:{{ pillar['rmt']['ca_passphrase'] }}
+    - cwd: /etc/rmt/ssl
+    - onchanges:
+      - cmd: Create the rmt-server signing request
+
+Set permission on rmt-server certificate:
+  file.managed:
+    - name: /etc/rmt/ssl/rmt-server.crt
+    - replace: False
+    - user: root
+    - group: root
+    - mode: "0600"
+
+Set permission on rmt CA serial:
+  file.managed:
+    - name: /etc/rmt/ssl/rmt-ca.srl
+    - replace: False
+    - user: root
+    - group: root
+    - mode: "0600"
--- a/salt/states/rmt/files/rmt-ca.cnf
+++ b/salt/states/rmt/files/rmt-ca.cnf
@@ -0,0 +1,41 @@
+[ca]
+default_ca                     = CA_default
+
+[CA_default]
+default_bits                   = 2048
+x509_extensions                = v3_ca
+default_days                   = 3650
+default_md                     = default
+policy                         = policy_optional
+copy_extensions                = copy
+unique_subject                 = no
+
+[policy_optional]
+countryName                    = optional
+stateOrProvinceName            = optional
+localityName                   = optional
+organizationName               = optional
+organizationalUnitName         = optional
+commonName                     = optional
+emailAddress                   = optional
+
+###############################################
+
+[req]
+default_bits                   = 2048
+distinguished_name             = req_distinguished_name
+x509_extensions                = v3_ca
+string_mask                    = utf8only
+prompt                         = no
+
+[v3_ca]
+basicConstraints               = critical, CA:true
+nsComment                      = "RMT Generated CA Certificate"
+nsCertType                     = sslCA
+keyUsage                       = cRLSign, keyCertSign
+subjectKeyIdentifier           = hash
+authorityKeyIdentifier         = keyid:always,issuer
+
+###############################################
+[ req_distinguished_name ]
+CN                             = RMT Certificate Authority
--- a/salt/states/rmt/files/rmt-server.cnf.jinja
+++ b/salt/states/rmt/files/rmt-server.cnf.jinja
@@ -0,0 +1,33 @@
+[req]
+default_bits                   = 2048
+distinguished_name             = req_distinguished_name
+x509_extensions                = v3_server_sign
+string_mask                    = utf8only
+prompt                         = no
+req_extensions                 = v3_req
+
+[v3_server_sign]
+basicConstraints               = CA:false
+nsComment                      = "RMT Generated Server Certificate"
+nsCertType                     = server
+keyUsage                       = digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage               = serverAuth, clientAuth
+subjectKeyIdentifier           = hash
+authorityKeyIdentifier         = keyid,issuer:always
+subjectAltName                 = @alt_names
+
+[v3_req]
+basicConstraints               = CA:false
+keyUsage                       = digitalSignature, keyEncipherment, keyAgreement
+subjectAltName                 = @alt_names
+
+[req_distinguished_name]
+CN                             = localhost
+
+[alt_names]
+DNS.0                          = localhost
+DNS.1                          = rmt.{{ pillar['network']['domain'] }}
+IP.0                           = {{ pillar['network']['ip'] }}
+{% for vlan in pillar['network']['vlan'] -%}
+IP.{{ loop.index }}                           = {{ vlan['address'] }}
+{% endfor -%}
--- a/salt/states/rmt/init.sls
+++ b/salt/states/rmt/init.sls
@@ -0,0 +1,12 @@
+Install rmt:
+  pkg.installed:
+    - name: rmt-server
+
+include: 
+  - rmt.certs
+
+Create rmt MariaDB user:
+  mysql.user:
+    - name: rmt
+    - host: localhost
+    - password: {{ pillar['rmt']['mysql_password'] }}