|
|
@ -143,48 +143,25 @@ SystemMaxFileSize=2M |
|
|
|
EOF |
|
|
|
fi |
|
|
|
|
|
|
|
# CA et certifs avec mkcert |
|
|
|
|
|
|
|
echo -e "\n #### mkcert\n" |
|
|
|
DEBIAN_FRONTEND=noninteractive apt-get install -y libnss3-tools |
|
|
|
|
|
|
|
mkdir -p /root/mkcert |
|
|
|
cd /root/mkcert |
|
|
|
if [ ! -f mkcert ]; then |
|
|
|
wget https://github.com/FiloSottile/mkcert/releases/download/v1.4.3/mkcert-v1.4.3-linux-amd64 -O mkcert |
|
|
|
chmod +x mkcert |
|
|
|
mkdir -p /etc/letsencrypt/local/ |
|
|
|
export CAROOT=/etc/letsencrypt/local/ |
|
|
|
/root/mkcert/mkcert -install # CA dans /etc/letsencrypt/local/ |
|
|
|
cd "${CAROOT}" |
|
|
|
cat > "${CAROOT}/kaz.sns.cnf" <<EOF |
|
|
|
[ req ] |
|
|
|
prompt = no |
|
|
|
distinguished_name = dn |
|
|
|
req_extensions = req_ext |
|
|
|
|
|
|
|
[ dn ] |
|
|
|
CN = *.kaz.sns |
|
|
|
emailAddress = admin@kaz.sns |
|
|
|
O = KAZ |
|
|
|
OU = Dev |
|
|
|
L = Vannes |
|
|
|
ST = France |
|
|
|
C = FR |
|
|
|
|
|
|
|
[ req_ext ] |
|
|
|
subjectAltName = @alt_names |
|
|
|
|
|
|
|
[alt_names] |
|
|
|
DNS.0 = *.kaz.sns |
|
|
|
EOF |
|
|
|
openssl req -new -newkey rsa:2048 -sha256 -nodes -keyout kaz.sns.key -out kaz.sns.csr -config kaz.sns.cnf |
|
|
|
/root/mkcert/mkcert -csr "${CAROOT}/kaz.sns.csr" # cert et clé dans /etc/letsencrypt/local/ |
|
|
|
# CA et certifs avec smallstep |
|
|
|
|
|
|
|
mkdir -p /etc/letsencrypt/live/kaz.sns/ |
|
|
|
ln -s ../../local/_wildcard.kaz.sns.pem /etc/letsencrypt/live/kaz.sns/fullchain.pem |
|
|
|
ln -s ../../local/kaz.sns.key /etc/letsencrypt/live/kaz.sns/privkey.pem |
|
|
|
fi |
|
|
|
echo -e "\n #### smallstep\n" |
|
|
|
cd /tmp |
|
|
|
wget "https://dl.smallstep.com/gh-release/cli/gh-release-header/v0.24.4/step-cli_0.24.4_amd64.deb" |
|
|
|
dpkg -i step-cli_0.24.4_amd64.deb |
|
|
|
echo "password" > /root/ca-passwordfile |
|
|
|
step ca init --deployment-type=standalone --name="Kaz CA" --dns="ca.mica.sns" --acme --address=":443" --provisioner="contact@kaz.sns" --password-file="/root/ca-passwordfile" |
|
|
|
|
|
|
|
mkdir -p /root/tls |
|
|
|
cp /root/.step/certs/root_ca.crt /root/tls/ |
|
|
|
cp /root/.step/secrets/root_ca_key /root/tls/ |
|
|
|
step crypto change-pass /root/tls/root_ca_key --no-password --insecure --password-file="/root/ca-passwordfile" --force |
|
|
|
|
|
|
|
step certificate create "*.kaz.sns" /root/tls/wildcard.crt /root/tls/wildcard.key --profile leaf --ca /root/.step/certs/intermediate_ca.crt --ca-key /root/.step/secrets/intermediate_ca_key --ca-password-file /root/ca-passwordfile --bundle --force --no-password --insecure |
|
|
|
|
|
|
|
mkdir -p /etc/letsencrypt/live/kaz.sns/ |
|
|
|
ln -sf /root/tls/wildcard.crt /etc/letsencrypt/live/kaz.sns/fullchain.pem |
|
|
|
ln -sf /root/tls/wildcard.key /etc/letsencrypt/live/kaz.sns/privkey.pem |
|
|
|
|
|
|
|
# Cache docker registry |
|
|
|
echo "proxy: |
|
|
@ -219,10 +196,10 @@ auth: |
|
|
|
cp -ar ${VAGRANT_SRC_DIR}/snster-kaz /root |
|
|
|
|
|
|
|
# crypto keys |
|
|
|
cp -ar /etc/letsencrypt /root/snster-kaz/hoster-a/kaz1/ |
|
|
|
cp -ar /etc/letsencrypt /root/snster-kaz/isp-a/home/ |
|
|
|
cp -ar /etc/letsencrypt /root/snster-kaz/hoster-b/kaz2/ |
|
|
|
cp -ar /etc/letsencrypt /root/snster-kaz/mica/infra/ |
|
|
|
cp -ar /root/tls /etc/letsencrypt /root/snster-kaz/hoster-a/kaz1/ |
|
|
|
cp -ar /root/tls /etc/letsencrypt /root/snster-kaz/hoster-b/kaz2/ |
|
|
|
cp -ar /root/tls /root/snster-kaz/isp-a/home/ |
|
|
|
cp -ar /root/tls /root/snster-kaz/mica/infra/ |
|
|
|
|
|
|
|
|
|
|
|
# On lie le filesystem de kaz-prod dans le /kaz de la VM pour le dév |
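Review bot: The new smallstep block strips the passphrase from the root CA private key and the second hunk then distributes it. `cp /root/.step/secrets/root_ca_key /root/tls/` followed by `step crypto change-pass ... --no-password --insecure` leaves the key in clear, and the `cp -ar /root/tls ...` lines copy that directory into all four snster-kaz trees (hoster-a/kaz1, hoster-b/kaz2, isp-a/home, mica/infra). Any host that receives it can sign certificates trusted wherever root_ca.crt is installed; if those hosts only need the trust anchor and the wildcard pair, drop the two root_ca_key lines, or copy the key only to the tree that runs the CA (presumably mica/infra, to be confirmed). The passphrase is the literal `password`, written under the default umask by `echo "password" > /root/ca-passwordfile`; a generated one is a one-line change, e.g. `(umask 077; openssl rand -base64 32 > /root/ca-passwordfile)`. Separately, the .deb is downloaded into /tmp and installed as root with no integrity check; a pinned digest before `dpkg -i`, such as `echo "<EXPECTED_SHA256>  step-cli_0.24.4_amd64.deb" | sha256sum -c -`, would cover that.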
|
|
|