Merge branch 'develop' into dist/risotto/risotto-2.8.0/develop

This commit is contained in:
Emmanuel Garette 2020-11-09 07:48:49 +01:00
commit 10df7f69cf
8 changed files with 189 additions and 0 deletions

1
db/lemur.sql Normal file
View File

@ -0,0 +1 @@
CREATE EXTENSION pg_trgm;

29
dicos/50_lemur.xml Normal file
View File

@ -0,0 +1,29 @@
<?xml version="1.0" encoding="utf-8"?>
<creole>
<files>
<service>lemur</service>
<file name='/etc/lemur/lemur.conf.py' mkdir='True'/>
<file name='/etc/eole/eole-db.d/lemur.yml'/>
<file name='/etc/nginx/web.d/lemur.conf' source='nginx-lemur.conf'/>
</files>
<variables>
<family name='lemur'>
<variable name='lemur_secret' type='password' description="Secret pour Lemur" auto_save="True"/>
<variable name='lemur_token_secret' type='password' description="Token secret pour Lemur" auto_save="True"/>
<variable name='lemur_encrypt_keys' type='password' description="Encrypt keys pour Lemur" auto_save="True"/>
<variable name='lemur_db_name' type='string' description="Nom de la base de donnée de Lemur" mode="expert">
<value>lemur</value>
</variable>
<variable name='lemur_db_user' type='string' description="Nom de l'utilisateur de la base de donnée de Lemur" mode="expert">
<value>lemur</value>
</variable>
<variable name='lemur_admin_password' type='password' description="Mot de passe de l'utilisateur admin de Lemur" auto_save="True"/>
</family>
</variables>
<constraints>
<fill name='gen_random_base64' target='lemur_secret'/>
<fill name='gen_random_base64' target='lemur_token_secret'/>
<fill name='gen_random_base64' target='lemur_encrypt_keys'/>
<fill name='gen_random' target='lemur_admin_password'/>
</constraints>
</creole>

6
funcs/lemur.py Normal file
View File

@ -0,0 +1,6 @@
from secrets import token_bytes as _token_bytes
from base64 import urlsafe_b64encode as _urlsafe_b64encode
def gen_random_base64():
return _urlsafe_b64encode(_token_bytes(32)).decode()

12
lemur.service Normal file
View File

@ -0,0 +1,12 @@
[Unit]
Description=Lemur
After=postgresql.service
[Service]
ExecStart=/usr/bin/lemur start -b 127.0.0.1:8002 -c /etc/lemur/lemur.conf.py
User=lemur
Group=lemur
[Install]
WantedBy=multi-user.target

18
posttemplate/03-lemur Executable file
View File

@ -0,0 +1,18 @@
#!/bin/bash
set -e
# install unrelease python modules
pip3 install alembic-autogenerate-enums==0.0.2 asyncpool==1.0 certsrv==2.1.1 cryptography==3.1.1 dnspython3==1.15.0 dyn==1.8.1 flask-replicated==1.4 javaobj-py3==0.4.0.1 jsonlines==1.2.0 logmatic-python==0.1.7 marshmallow==2.20.4 pycryptodomex==3.9.7 pyjks==20.0.0 raven[flask]==6.10.0 twofish==0.3.0
mkdir -p /var/log/lemur/
chown lemur: /var/log/lemur/
# EOLE-DB change file right to 400
chmod 640 /etc/lemur/*
chgrp lemur /etc/lemur/*
systemctl start postgresql.service
su - lemur -s /bin/bash -c "lemur --config=/etc/lemur/lemur.conf.py init --password $(CreoleGet lemur_admin_password)"
systemctl stop postgresql.service
exit 0

90
tmpl/lemur.conf.py Normal file
View File

@ -0,0 +1,90 @@
# This is just Python which means you can inherit and tweak settings
import os
_basedir = os.path.abspath(os.path.dirname(__file__))
THREADS_PER_PAGE = 8
# General
# These will need to be set to `True` if you are developing locally
CORS = False
debug = False
# this is the secret key used by flask session management
SECRET_KEY = '%%lemur_secret'
# You should consider storing these separately from your config
LEMUR_TOKEN_SECRET = '%%lemur_token_secret'
LEMUR_ENCRYPTION_KEYS = '%%lemur_encrypt_keys'
# List of domain regular expressions that non-admin users can issue
LEMUR_ALLOWED_DOMAINS = []
# Mail Server
LEMUR_EMAIL = ''
LEMUR_SECURITY_TEAM_EMAIL = []
# Certificate Defaults
LEMUR_DEFAULT_COUNTRY = ''
LEMUR_DEFAULT_STATE = ''
LEMUR_DEFAULT_LOCATION = ''
LEMUR_DEFAULT_ORGANIZATION = ''
LEMUR_DEFAULT_ORGANIZATIONAL_UNIT = ''
# Authentication Providers
ACTIVE_PROVIDERS = []
# Metrics Providers
METRIC_PROVIDERS = []
# Logging
LOG_LEVEL = "DEBUG"
LOG_FILE = "/var/log/lemur/lemur.log"
# Database
# modify this if you are not using a local database
SQLALCHEMY_DATABASE_PASSWORD = 'replaceme'
SQLALCHEMY_DATABASE_URI = f'postgresql:///%%lemur_db_name?host=/var/run/postgresql&user=%%lemur_db_user&password={SQLALCHEMY_DATABASE_PASSWORD}'
# AWS
#LEMUR_INSTANCE_PROFILE = 'Lemur'
# Issuers
# These will be dependent on which 3rd party that Lemur is
# configured to use.
# VERISIGN_URL = ''
# VERISIGN_PEM_PATH = ''
# VERISIGN_FIRST_NAME = ''
# VERISIGN_LAST_NAME = ''
# VERSIGN_EMAIL = ''
#FIXME
DIGICERT_CIS_API_KEY = ""
DIGICERT_CIS_URL = ""
DIGICERT_CIS_ROOTS = ''
DIGICERT_API_KEY = ''
DIGICERT_CIS_PROFILE_NAMES = ''
DIGICERT_URL = ''
DIGICERT_ORG_ID = ''
DIGICERT_ORDER_TYPE = ''
DIGICERT_ROOT = ''
ENTRUST_API_CERT = ''
ENTRUST_API_KEY = ''
ENTRUST_API_USER = ''
ENTRUST_API_PASS = ''
ENTRUST_URL = ''
ENTRUST_ROOT = ''
ENTRUST_NAME = ''
ENTRUST_EMAIL = ''
ENTRUST_PHONE = ''

18
tmpl/lemur.yml Normal file
View File

@ -0,0 +1,18 @@
%set %%dbname = %%lemur_db_name
---
dbuser: %%lemur_db_user
dbuser_options:
- LOGIN
privileges:
%%{dbname}.public.*: 'ALL'
%%{dbname}.public: 'ALL'
%%{dbname}: 'ALL'
dbhost: %%risotto_db_address
dbport: 5432
dbtype: postgres
dbname: %%dbname
template: 'template0'
sqlscripts:
- /usr/share/eole/db/lemur/gen/lemur.sql
pwd_files:
- {'file': '/etc/lemur/lemur.conf.py', 'pattern': "SQLALCHEMY_DATABASE_PASSWORD = '"}

15
tmpl/nginx-lemur.conf Normal file
View File

@ -0,0 +1,15 @@
location /lemur/api {
proxy_pass http://127.0.0.1:8002/api;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
proxy_redirect off;
proxy_buffering off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /lemur/ {
alias /usr/share/lemur/static/;
include mime.types;
index index.html;
}