diff --git a/base/packages/common.sls b/base/packages/common.sls
index 55860a9..812b959 100644
--- a/base/packages/common.sls
+++ b/base/packages/common.sls
@@ -33,6 +33,7 @@ common-installed:
 - python-dev
 - python-pyinotify
 - python-m2crypto
+ - python3-m2crypto
 - lockfile-progs
 - virt-what
 - ntp
diff --git a/base/pki/ca.sls b/base/pki/ca.sls
new file mode 100644
index 0000000..74a251e
--- /dev/null
+++ b/base/pki/ca.sls
@@ -0,0 +1,51 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+---
+
+salt-minion:
+ service.running:
+ - enable: True
+ - listen:
+ - file: /etc/salt/minion.d/signing_policies.conf
+
+/etc/salt/minion.d/signing_policies.conf:
+ file.managed:
+ - source: salt://base/pki/signing_policies.conf
+
+/etc/pki/issued_certs:
+ file.directory
+
+/etc/pki/ca.key:
+ x509.private_key_managed:
+ - bits: 4096
+ - backup: True
+ - require:
+ - file: /etc/pki
+
+/etc/pki/ca.crt:
+ x509.certificate_managed:
+ - signing_private_key: /etc/pki/ca.key
+ - CN: tumor.chaos
+ - C: DE
+ - ST: Berlin
+ - L: Berlin
+ - basicConstraints: "critical CA:true"
+ - keyUsage: "critical cRLSign, keyCertSign"
+ - subjectKeyIdentifier: hash
+ - authorityKeyIdentifier: keyid,issuer:always
+ - days_valid: 3650
+ - days_remaining: 0
+ - backup: True
+ - require:
+ - file: /etc/pki
+ - x509: /etc/pki/ca.key
+
+mine.send:
+ module.run:
+ - func: x509.get_pem_entries
+ - kwargs:
+ glob_path: /etc/pki/ca.crt
+ - onchanges:
+ - x509: /etc/pki/ca.crt
+
+
diff --git a/base/pki/cert.sls b/base/pki/cert.sls
new file mode 100644
index 0000000..5e8bb78
--- /dev/null
+++ b/base/pki/cert.sls
@@ -0,0 +1,10 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+---
+
+/usr/local/share/ca-certificates:
+ file.directory
+
+/usr/local/share/ca-certificates/intca.crt:
+ x509.pem_managed:
+ - text: {{ salt['mine.get']('tumor.chaos', 'x509.get_pem_entries')['tumor.chaos']['/etc/pki/ca.crt']|replace('\n', '') }}
diff --git a/base/pki/host.sls b/base/pki/host.sls
new file mode 100644
index 0000000..9a66fb0
--- /dev/null
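Review bot: `/etc/pki/ca.key` is created by `x509.private_key_managed` with no `mode`, `user` or `group`, so whether the CA private key ends up readable by other local users depends on that state's default in this Salt version; an explicit `- mode: 600` removes the doubt. `backup: True` on the same state also leaves prior copies of the CA key in the minion's file-backup directory whenever the key is regenerated, which is rarely what you want for a CA key. Both `require: - file: /etc/pki` entries point at a state that lives in `init.sls`, which this file does not include, so the requisite resolves only inside a full highstate and `state.apply base.pki.ca` on its own fails; an `include:` of the state that owns `/etc/pki` (or defining the directory here) makes the file self-contained.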
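Review bot: The `text:` lookup indexes the `mine.get` result twice without checking it, so on any minion whose highstate runs before `tumor.chaos` has pushed `/etc/pki/ca.crt` to the mine (or after the mine is flushed) the Jinja render raises and the whole `base.pki` run fails rather than skipping the CA install. Dropping the PEM into `/usr/local/share/ca-certificates/` also does not make the CA trusted by itself: on Debian-family hosts, which the package names in `common.sls` suggest these are, `update-ca-certificates` has to run after the file changes. The name `intca.crt` is misleading, since the certificate produced by `ca.sls` is a self-signed root rather than an intermediate. Guarding the state on the mine entry and chaining a `cmd.run` on change covers the first two points:
```yaml
# … unchanged: /usr/local/share/ca-certificates directory state …
{% set ca_mine = salt['mine.get']('tumor.chaos', 'x509.get_pem_entries') %}
{% if 'tumor.chaos' in ca_mine and '/etc/pki/ca.crt' in ca_mine['tumor.chaos'] %}
/usr/local/share/ca-certificates/intca.crt:
  x509.pem_managed:
    - text: {{ ca_mine['tumor.chaos']['/etc/pki/ca.crt']|replace('\n', '') }}

update-ca-certificates:
  cmd.run:
    - onchanges:
      - x509: /usr/local/share/ca-certificates/intca.crt
{% endif %}
```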
+++ b/base/pki/host.sls
@@ -0,0 +1,21 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+---
+
+/etc/pki/private.key:
+ x509.private_key_managed:
+ - bits: 4096
+ - backup: True
+ - require:
+ - file: /etc/pki
+
+/etc/pki/public.crt:
+ x509.certificate_managed:
+ - ca_server: tumor.chaos
+ - signing_policy: host
+ - public_key: /etc/pki/private.key
+ - CN: {{ grains['fqdn'] }}
+ - days_remaining: 30
+ - backup: True
+ - require:
+ - x509: /etc/pki/private.key
diff --git a/base/pki/init.sls b/base/pki/init.sls
new file mode 100644
index 0000000..3eb548c
--- /dev/null
+++ b/base/pki/init.sls
@@ -0,0 +1,10 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+---
+
+include:
+ - .cert
+ - .host
+
+/etc/pki:
+ file.directory
diff --git a/base/pki/signing_policies.conf b/base/pki/signing_policies.conf
new file mode 100644
index 0000000..85b94fe
--- /dev/null
+++ b/base/pki/signing_policies.conf
@@ -0,0 +1,18 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+---
+
+x509_signing_policies:
+ host:
+ #- minions: 'host'
+ - signing_private_key: /etc/pki/ca.key
+ - signing_cert: /etc/pki/ca.crt
+ - C: DE
+ - ST: Berlin
+ - L: Berlin
+ - basicConstraints: "critical CA:false"
+ - keyUsage: "critical keyEncipherment"
+ - subjectKeyIdentifier: hash
+ - authorityKeyIdentifier: keyid,issuer:always
+ - days_valid: 360
+ - copypath: /etc/pki/issued_certs/
diff --git a/top.sls b/top.sls
index 67ce156..0cf7ce5 100644
--- a/top.sls
+++ b/top.sls
@@ -1,8 +1,13 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+---
+
 base:
 '*':
 #- base
 - sysctl
 - base.packages.common
+ - base.pki
 'cpuarch:aarch64':
 - match: grain
 - base.packages.arch.arm
@@ -13,6 +18,10 @@ base:
 - haproxy
 - prometheus
 - grafana
+ #- kubernetes
+ 'tumor*':
+ - base.pki.ca
+
 #'ebin*':
 # - ceph
 # - ceph.osd
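Review bot: The certificate requested in `/etc/pki/public.crt` carries only a `CN` and no `subjectAltName`; current TLS clients ignore the CN for hostname matching, so the issued certificate will chain correctly and still be rejected for `{{ grains['fqdn'] }}`. Adding `- subjectAltName: "DNS:{{ grains['fqdn'] }}"` next to the CN line fixes that, and because the `host` signing policy sets no SAN of its own the requester's value is what gets signed. Signing via `ca_server` goes through Salt peer publishing, so the master also needs a `peer:` entry allowing these minions to call `x509.sign_remote_certificate` on `tumor.chaos` — that is not part of this change, so confirm it exists before relying on the state.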
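Review bot: With `#- minions: 'host'` commented out, the `host` policy is usable by every minion the master has accepted, and since the CN (and any SAN) come from the requesting minion's own state, a rogue or compromised minion can obtain a CA-signed certificate for any name it chooses. Uncomment it with a glob or compound match that covers only the hosts meant to enrol (for example `- minions: 'ebin*'` if those are the targets) rather than shipping an unrestricted policy. `keyUsage: "critical keyEncipherment"` on its own marks the key as not usable for signatures, which TLS 1.3 and the ECDHE suites rely on, and there is no `extendedKeyUsage`; `- keyUsage: "critical digitalSignature, keyEncipherment"` together with `- extendedKeyUsage: serverAuth` is what a server certificate is normally expected to carry, though whether a given verifier enforces this varies and is worth checking against the intended clients.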
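Review bot: `'tumor*':` assigns `base.pki.ca` to every minion whose id begins with `tumor`, while `cert.sls` and `host.sls` pin the CA to the single id `tumor.chaos`; a second `tumor…` minion would silently generate its own CA key and certificate that nothing ever consults. Matching the exact id, `'tumor.chaos':`, keeps the three files consistent. The CA host also receives `base.pki` through `'*'`, so it requests a host certificate from itself; that appears harmless but deserves a one-line comment such as `# tumor.chaos also enrols a host cert from its own CA` if it is intended.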