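#!/usr/bin/env bash
# Provision a Vault Agent for one application on this host: creates the
# policy, AppRole and PKI role in Vault, then writes the per-user agent
# config, cert template, post-render hook and a systemd unit.
#
# Usage: <script> [APP_NAME] [TARGET_USER]
# Required env: VAULT_ADMIN_TOKEN — a Vault token allowed to write policies,
#   AppRoles and PKI roles.
set -euo pipefail

# ============================
# === Configuration ========
# ============================
# Plain HTTP on loopback only; adjust if Vault listens elsewhere.
export VAULT_ADDR="http://127.0.0.1:22300"
: "${VAULT_ADMIN_TOKEN:?Set VAULT_ADMIN_TOKEN before running this archived script}"
# The vault CLI reads its token from VAULT_TOKEN; hand it the admin token
# unless the caller already exported one.
export VAULT_TOKEN="${VAULT_TOKEN:-${VAULT_ADMIN_TOKEN}}"

APP_NAME="${1:-test}"    # 1st argument: app name
TARGET_USER="${2:-test}" # 2nd argument: system user

# Both values are spliced into filesystem paths, Vault paths, HCL and a
# systemd unit below, so restrict them to a safe character set up front.
readonly NAME_RE='^[A-Za-z0-9][A-Za-z0-9._-]*$'
if [[ ! "${APP_NAME}" =~ ${NAME_RE} ]]; then
  printf 'invalid APP_NAME: %s\n' "${APP_NAME}" >&2
  exit 2
fi
if [[ ! "${TARGET_USER}" =~ ${NAME_RE} ]]; then
  printf 'invalid TARGET_USER: %s\n' "${TARGET_USER}" >&2
  exit 2
fi

ROLE_NAME="${APP_NAME}-pki-issue"
POLICY_NAME="pki-issue-${APP_NAME}"
AGENT_DIR="/home/${TARGET_USER}/.vault-agent-${APP_NAME}"
SERVICE_FILE="/home/${TARGET_USER}/.config/systemd/user/vault-agent-${APP_NAME}.service"

# PKI mount (adjust here if yours differs)
PKI_MOUNT="pki-test"
PKI_ROLE="nginx-${APP_NAME}"
DOMAIN="${APP_NAME}.example.com"
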
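# ============================
# === Helper functions =====
# ============================
# log MSG... — print a green [INFO] line to stdout.
# printf instead of echo -e: backslashes inside the message (which may
# carry caller-supplied names) are printed literally, not interpreted.
log() { printf '\033[1;32m[INFO]\033[0m %s\n' "$*"; }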
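# warn MSG... — print a yellow [WARN] line to stdout (printf, not echo -e,
# so backslashes in the message are shown literally).
warn(){ printf '\033[1;33m[WARN]\033[0m %s\n' "$*"; }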
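# err MSG... — print a red [ERROR] line to stderr; does not exit.
err() { printf '\033[1;31m[ERROR]\033[0m %s\n' "$*" >&2; }
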
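# ============================
# === 1. Policy ============
# ============================
log "Erstelle Vault-Policy: ${POLICY_NAME}"
# Feed the policy to vault on stdin ("-") instead of through a fixed,
# world-shared /tmp path: nothing is left behind, and no other local user
# can pre-create or swap the file between write and read.
vault policy write "${POLICY_NAME}" - <<EOF
path "${PKI_MOUNT}/issue/${PKI_ROLE}" {
  capabilities = ["create", "update"]
}
# The agent may read its own role-id and create new secret-ids for itself.
path "auth/approle/role/${ROLE_NAME}/role-id" {
  capabilities = ["read"]
}
path "auth/approle/role/${ROLE_NAME}/secret-id" {
  capabilities = ["create", "update"]
}
path "auth/token/renew-self" {
  capabilities = ["update"]
}
EOF
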
# ============================
# === 2. AppRole ============
# ============================
log "Erstelle AppRole: ${ROLE_NAME}"
# Role settings as an argument list: secret-id without TTL or use limit,
# 24h tokens; the 0 values defer to Vault's own defaults/unlimited.
approle_args=(
  "policies=${POLICY_NAME}"
  secret_id_ttl=0
  secret_id_num_uses=0
  token_ttl=24h
  token_max_ttl=0
  bind_secret_id=true
)
vault write "auth/approle/role/${ROLE_NAME}" "${approle_args[@]}"

# ============================
# === 3. PKI Role ===========
# ============================
log "Erstelle PKI-Role: ${PKI_ROLE}"
# Issuing role: only ${DOMAIN} and its subdomains, certs capped at 720h.
pki_role_args=(
  "allowed_domains=${DOMAIN}"
  allow_subdomains=true
  max_ttl=720h
)
vault write "${PKI_MOUNT}/roles/${PKI_ROLE}" "${pki_role_args[@]}"

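# ============================
# === 4. Credentials ========
# ============================
ROLE_ID=$(vault read -field=role_id "auth/approle/role/${ROLE_NAME}/role-id")
SECRET_ID=$(vault write -f -field=secret_id "auth/approle/role/${ROLE_NAME}/secret-id")

log "RoleID: ${ROLE_ID}"
# The secret-id is a credential: it goes into the 0600 file only, never to
# stdout (terminal scrollback, CI/job logs).
log "SecretID: written to ${AGENT_DIR}/secret_id"

# write_secret_file PATH — write stdin to PATH as TARGET_USER, mode 0600.
# The path travels as a positional argument and the value over stdin, so
# neither is spliced into a shell command string (no quoting/injection
# problems) and the secret never shows up in process arguments.
write_secret_file() {
  sudo -u "${TARGET_USER}" sh -c 'umask 077 && cat > "$1" && chmod 600 "$1"' sh "$1"
}

sudo -u "${TARGET_USER}" mkdir -p -m 700 "${AGENT_DIR}"
printf '%s\n' "${ROLE_ID}" | write_secret_file "${AGENT_DIR}/role_id"
printf '%s\n' "${SECRET_ID}" | write_secret_file "${AGENT_DIR}/secret_id"
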
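# ============================
# === 5. Vault-Agent Config =
# ============================
log "Erstelle Vault-Agent-Konfiguration"
# Unquoted EOF on purpose: ${AGENT_DIR}/${APP_NAME} are expanded now, so the
# rendered HCL holds literal absolute paths.
sudo -u "${TARGET_USER}" tee "${AGENT_DIR}/vault-agent.hcl" >/dev/null <<EOF
pid_file = "${AGENT_DIR}/pidfile"

auto_auth {
  method "approle" {
    config = {
      role_id_file_path = "${AGENT_DIR}/role_id"
      secret_id_file_path = "${AGENT_DIR}/secret_id"
    }
  }

  sink "file" {
    config = {
      path = "${AGENT_DIR}/token"
    }
  }
}

template {
  source      = "${AGENT_DIR}/cert.tpl"
  destination = "${AGENT_DIR}/${APP_NAME}.pem"
  # cert.tpl renders the private key into this file: keep it owner-only
  # instead of the agent's default world-readable mode.
  perms       = "0600"
  command     = "${AGENT_DIR}/bin/vault-agent-post.sh"
}
EOF
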
# ============================
# === 6. Template ===========
# ============================
# Agent template: one call to the PKI issue endpoint for ${DOMAIN}; the
# rendered file stacks certificate, private key and issuing CA in that order.
# NOTE(review): because the private key lands in the destination .pem, that
# file must stay owner-only — confirm the agent's file mode for it.
# Unquoted EOF: ${PKI_MOUNT}/${PKI_ROLE}/${DOMAIN} expand now; the {{ }}
# actions contain no $ and are left for the agent to evaluate.
log "Erstelle Cert-Template"
sudo -u "${TARGET_USER}" tee "${AGENT_DIR}/cert.tpl" >/dev/null <<EOF
{{ with secret "${PKI_MOUNT}/issue/${PKI_ROLE}" "common_name=${DOMAIN}" }}
{{ .Data.certificate }}
{{ .Data.private_key }}
{{ .Data.issuing_ca }}
{{ end }}
EOF

# ============================
# === 7. Post-Skript ========
# ============================
# Hook the agent runs after each render (the template's `command`).
# Quoted 'EOF': nothing is expanded here, the script body is written
# literally, including its own $(date).
# NOTE(review): the hook runs `sudo systemctl reload nginx` as
# ${TARGET_USER}; this script installs no sudoers rule for that, so the
# reload presumably needs one to succeed non-interactively — verify.
log "Erstelle Post-Skript"
sudo -u "${TARGET_USER}" mkdir -p "${AGENT_DIR}/bin"
sudo -u "${TARGET_USER}" tee "${AGENT_DIR}/bin/vault-agent-post.sh" >/dev/null <<'EOF'
#!/usr/bin/env bash
set -e
echo "[Post-Skript] Neues Zertifikat generiert: $(date)"
# Beispiel: Nginx reload
if systemctl is-active --quiet nginx; then
sudo systemctl reload nginx
fi
EOF
# tee creates the file with the user's umask; make it executable for the agent.
sudo -u "${TARGET_USER}" chmod +x "${AGENT_DIR}/bin/vault-agent-post.sh"

# ============================
# === 8. Systemd Service ====
# ============================
# Per-user unit under ~/.config/systemd/user; ${AGENT_DIR} and VAULT_ADDR
# are expanded now (unquoted EOF), so the unit carries literal values and
# does not depend on the user's environment at start time.
# NOTE(review): no sandboxing directives (NoNewPrivileges, ProtectSystem,
# ...) are set; the post-render hook relies on sudo, which NoNewPrivileges
# would presumably break — confirm before hardening this unit.
log "Erstelle systemd Service-Datei"
sudo -u "${TARGET_USER}" mkdir -p "/home/${TARGET_USER}/.config/systemd/user"
sudo -u "${TARGET_USER}" tee "${SERVICE_FILE}" >/dev/null <<EOF
[Unit]
Description=Vault Agent (${APP_NAME}) - issue & rotate TLS certs
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
WorkingDirectory=${AGENT_DIR}
Environment=VAULT_ADDR=${VAULT_ADDR}
ExecStart=/usr/bin/vault agent -config=${AGENT_DIR}/vault-agent.hcl
Restart=on-failure
RestartSec=5s

[Install]
WantedBy=default.target
EOF

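# ============================
# === 9. Service starten ====
# ============================
log "Aktiviere linger für ${TARGET_USER}"
# Best effort (|| true): when the --user path is unusable the script falls
# through to the system-wide unit below, so a failure here is not fatal.
loginctl enable-linger "${TARGET_USER}" || true

# Resolve the uid once (quoted; the old inline $(id -u ${TARGET_USER}) was
# unquoted and evaluated three times) and abort early if the user is unknown.
target_uid=$(id -u "${TARGET_USER}")

# user_systemctl ARGS... — run `systemctl --user` as TARGET_USER with the
# XDG_RUNTIME_DIR that systemd needs to locate the user's bus.
user_systemctl() {
  sudo -u "${TARGET_USER}" "XDG_RUNTIME_DIR=/run/user/${target_uid}" systemctl --user "$@"
}

log "Versuche systemd --user Service zu starten"
if user_systemctl daemon-reload 2>/dev/null; then
  user_systemctl enable --now "vault-agent-${APP_NAME}.service"
  # `status` exits non-zero if the unit is not active; under set -e that
  # aborts before the SUCCESS line, which serves as the final health check.
  user_systemctl status "vault-agent-${APP_NAME}.service" --no-pager
else
  warn "systemctl --user nicht verfügbar – weiche auf systemweiten Service aus"

  # Fallback: same unit as a system service running as ${TARGET_USER}.
  SYSTEM_SERVICE="/etc/systemd/system/vault-agent-${APP_NAME}.service"
  sudo tee "${SYSTEM_SERVICE}" >/dev/null <<EOF
[Unit]
Description=Vault Agent (${APP_NAME}) - system service
Wants=network-online.target
After=network-online.target

[Service]
User=${TARGET_USER}
WorkingDirectory=${AGENT_DIR}
Environment=VAULT_ADDR=${VAULT_ADDR}
ExecStart=/usr/bin/vault agent -config=${AGENT_DIR}/vault-agent.hcl
Restart=on-failure
RestartSec=5s

[Install]
WantedBy=multi-user.target
EOF

  sudo systemctl daemon-reload
  sudo systemctl enable --now "vault-agent-${APP_NAME}.service"
  # As above: a non-active unit makes status fail and the script abort here.
  sudo systemctl status "vault-agent-${APP_NAME}.service" --no-pager
fi

log "SUCCESS: Vault Agent für ${APP_NAME} eingerichtet!"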