infra-reference

Partial description of the Rhizogenes infrastructure. Complementary to the ansible inventory. Used to generate some of the static files present in the ansible inventory, such as TLS certificates and DKIM keys. Might be used in the future to generate zone files, nagios object configuration files, netfilter/iptables rules, etc.

Prerequisites

Note: The CA is not included in this repo. To use the TLS generators you need either an existing copy of the CA or to create a new one (see gen_ca.txt).

  • bash
  • jq
  • openssl -- needed for the tls-related gen_*.sh scripts
  • rsync -- needed for the push_*.sh and copy_*.sh scripts
  • ansible-vault (ansible-core) -- needed for the push_*.sh and copy_*.sh scripts
  • opendkim-genkey (opendkim-tools) -- needed for the gen_dkim.sh script
  • ssh client -- needed for the gen_sshfp_machine.sh and push_*.sh scripts

Cheatsheet

regenerate a TLS CA

See doc in gen_ca.txt.

regenerate a TLS certificate / a whole set of TLS certificates

generators# ./gen_one.sh g02 nginx
generators# ./gen_machine.sh g02

regenerate a DKIM keypair

generators# ./gen_dkim.sh rhizogen.es.eu.org

regenerate TLSA records

generators# ./gen_tlsa_machine.sh g02

regenerate SSHFP records

generators# ./gen_sshfp_machine.sh g02
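What an SSHFP generator does under the hood, as an added illustration (not the repository's gen_sshfp_machine.sh, whose contents are not shown here): the host key blob is hashed, and the record carries the algorithm and hash-type numbers. The key line and owner name are constructed sample values, and the verify helper shows the client-side check a record like this enables.

```python
import base64
import hashlib

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                    "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                    "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1 (legacy only), 2 = SHA-256.
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}

def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire string: 4-byte big-endian length + data."""
    return len(data).to_bytes(4, "big") + data

def parse_hostkey_line(line: str):
    """Parse a 'keytype base64 [comment]' line into (keytype, raw blob).
    Rejects a blob whose embedded type string disagrees with the declared
    type, so a mislabeled or truncated key is never published as a record."""
    fields = line.split()
    if len(fields) < 2 or fields[0] not in SSHFP_ALGORITHMS:
        raise ValueError("unsupported or malformed public-key line")
    blob = base64.b64decode(fields[1], validate=True)
    if not blob.startswith(_ssh_string(fields[0].encode())):
        raise ValueError("key blob does not match declared key type")
    return fields[0], blob

def sshfp_rdata(line: str, hash_type: int = 2) -> str:
    """Return the SSHFP RDATA 'alg hash fingerprint' for one key line."""
    keytype, blob = parse_hostkey_line(line)
    return f"{SSHFP_ALGORITHMS[keytype]} {hash_type} " \
           f"{SSHFP_HASHES[hash_type](blob).hexdigest()}"

def sshfp_record(owner: str, line: str, hash_type: int = 2) -> str:
    """Full zone-file line, e.g. 'g02.example.org. IN SSHFP 4 2 <hex>'."""
    return f"{owner} IN SSHFP {sshfp_rdata(line, hash_type)}"

def verify_sshfp(rdata: str, line: str) -> bool:
    """Client-side check in miniature: recompute the fingerprint with the
    record's own hash type and compare it with the published value."""
    try:
        alg, hash_type, fp = rdata.split()
        expected = sshfp_rdata(line, int(hash_type)).split()
        return expected[0] == alg and expected[2] == fp.lower()
    except (ValueError, KeyError):
        return False

def make_ed25519_line(key_bytes: bytes, comment: str) -> str:
    """Build a public-key line from 32 raw bytes (sample construction only)."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(key_bytes)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"

# Constructed sample, not a real host key: key bytes 0x00..0x1f.
SAMPLE_KEY_LINE = make_ed25519_line(bytes(range(32)), "g02")
```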

Structure

.
├── data/                 : input data for generators
│   ├── *.json            : json files describing the infrastructure
│   │                       as a set of variables fed into generators
│   └── tls/              : tls-specific data
│       ├── *.crl         : tracked crl files
│       └── openssl.*.cnf : openssl configuration templates
├── generated/            : generated files; these are not kept within the repository
│   │                       and are not meant to be pushed
│   ├── dkim/
│   ├── gpg/
│   └── example/          : generated files of the CA "example"
│       ├── certs/        : generated certs. The CA pubkey should be copied here.
│       │   └── *.crt
│       ├── cnf/
│       ├── crl/          : contains links to tracked crl files
│       ├── newcerts/
│       ├── private/      : generated keys and pems. The CA key should be copied here.
│       │   └── *.{key,pem}
│       └── serial*
└── generators/           : generator scripts. Working dir.