From 996c15165a3e62cc256f0be444c3f36781507d33 Mon Sep 17 00:00:00 2001 From: Emmanuel Garette Date: Wed, 21 Oct 2020 11:58:01 +0200 Subject: [PATCH 1/2] eolisation --- db/lemur.sql | 1 + dicos/50_lemur.xml | 29 ++++++++++++++ funcs/lemur.py | 6 +++ lemur.service | 12 ++++++ posttemplate/03-lemur | 19 +++++++++ tmpl/lemur.conf.py | 90 +++++++++++++++++++++++++++++++++++++++++++ tmpl/lemur.yml | 18 +++++++++ tmpl/nginx-lemur.conf | 15 ++++++++ 8 files changed, 190 insertions(+) create mode 100644 db/lemur.sql create mode 100644 dicos/50_lemur.xml create mode 100644 funcs/lemur.py create mode 100644 lemur.service create mode 100755 posttemplate/03-lemur create mode 100644 tmpl/lemur.conf.py create mode 100644 tmpl/lemur.yml create mode 100644 tmpl/nginx-lemur.conf diff --git a/db/lemur.sql b/db/lemur.sql new file mode 100644 index 0000000..d497121 --- /dev/null +++ b/db/lemur.sql @@ -0,0 +1 @@ +CREATE EXTENSION pg_trgm; diff --git a/dicos/50_lemur.xml b/dicos/50_lemur.xml new file mode 100644 index 0000000..2349554 --- /dev/null +++ b/dicos/50_lemur.xml @@ -0,0 +1,29 @@ + + + + + + + + + + + + + + + lemur + + + lemur + + + + + + + + + + + diff --git a/funcs/lemur.py b/funcs/lemur.py new file mode 100644 index 0000000..8cd6505 --- /dev/null +++ b/funcs/lemur.py @@ -0,0 +1,6 @@ +from secrets import token_bytes as _token_bytes +from base64 import urlsafe_b64encode as _urlsafe_b64encode + + +def gen_random_base64(): + return _urlsafe_b64encode(_token_bytes(32)).decode() diff --git a/lemur.service b/lemur.service new file mode 100644 index 0000000..b5c1dbb --- /dev/null +++ b/lemur.service @@ -0,0 +1,12 @@ +[Unit] +Description=Lemur +After=postgresql.service + +[Service] +ExecStart=/usr/bin/lemur start -b 127.0.0.1:8002 -c /etc/lemur/lemur.conf.py +User=lemur +Group=lemur + +[Install] +WantedBy=multi-user.target + diff --git a/posttemplate/03-lemur b/posttemplate/03-lemur new file mode 100755 index 0000000..047ea80 --- /dev/null +++ b/posttemplate/03-lemur 
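Review bot: gen_random_base64 in funcs/lemur.py has no docstring, and nothing records what shape it produces: 32 bytes from the OS CSPRNG (`secrets.token_bytes`) rendered as URL-safe base64, which is always 44 characters ending in one `=`. That shape matters because the value is presumably consumed as a key by the dictionary (the XML hunk is unreadable here, so which variables use it cannot be confirmed); if any consumer expects a Fernet-style key, 32 bytes URL-safe-base64 is exactly right, and if one expects a padding-free token it is not. I would add `"""Return 32 CSPRNG bytes as a 44-char URL-safe base64 string (includes the trailing '=' pad)."""` so the contract is visible to whoever wires it into a new variable.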
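Review bot: lemur.service drops to `User=lemur` but applies no sandboxing, so a compromised Lemur worker keeps the whole filesystem view and privilege-escalation paths of that account; at minimum `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full` belong in the `[Service]` section, and `ProtectHome=true` unless Lemur needs something under /home. Separately, `After=postgresql.service` only orders the unit; without a `Wants=postgresql.service` the database is not pulled in when lemur.service is started on its own, and 03-lemur explicitly stops postgresql after init, so this is likely to bite on first boot. There is also no `Restart=on-failure`, which is the usual choice for a gunicorn-style daemon bound to a loopback port.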
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -e
+
+# install unrelease python modules
+pip3 install alembic-autogenerate-enums==0.0.2 asyncpool==1.0 certsrv==2.1.1 cryptography==3.1.1 dnspython3==1.15.0 dyn==1.8.1 flask-replicated==1.4 javaobj-py3==0.4.0.1 jsonlines==1.2.0 logmatic-python==0.1.7 marshmallow==2.20.4 pycryptodomex==3.9.7 pyjks==20.0.0 raven[flask]==6.10.0 twofish==0.3.0
+
+mkdir -p /var/log/lemur/
+chown lemur: /var/log/lemur/
+
+# EOLE-DB change file right to 400
+chmod 640 /etc/lemur/*
+chgrp lemur /etc/lemur/*
+systemctl start postgresql.service
+su - lemur -s /bin/bash -c "lemur --config=/etc/lemur/lemur.conf.py init --password $(CreoleGet lemur_admin_password)"
+systemctl stop postgresql.service
+rm -f *.log
+
+exit 0
diff --git a/tmpl/lemur.conf.py b/tmpl/lemur.conf.py
new file mode 100644
index 0000000..740ecc5
--- /dev/null
+++ b/tmpl/lemur.conf.py
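Review bot: The `su - lemur ... -c "..."` line embeds the output of `CreoleGet lemur_admin_password` into a shell string that the child bash parses a second time, so a password containing `"`, `$`, backtick or `\` either breaks the init command or is executed as shell by the lemur account; passing the argument directly without an inner shell, `runuser -u lemur -- lemur --config=/etc/lemur/lemur.conf.py init --password "$(CreoleGet lemur_admin_password)"`, removes that re-parsing. The password still lands in the process argv and is readable by every local user through `ps`/`/proc` for the duration of `lemur init`; if lemur's `init` can take the password from stdin or an environment variable, that should be preferred — worth checking. The comment above `chmod 640` says the files become 400 while the command sets 640 (group lemur gets read via the following `chgrp`); one of the two should be corrected so the intended permission is unambiguous. Finally, the `pip3 install` line pins versions but not hashes and runs as root into the system site-packages, so it trusts whatever the index serves for those names; `--require-hashes` with a requirements file would make it reproducible and tamper-evident.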
@@ -0,0 +1,90 @@
+
+# This is just Python which means you can inherit and tweak settings
+
+import os
+_basedir = os.path.abspath(os.path.dirname(__file__))
+
+THREADS_PER_PAGE = 8
+
+# General
+
+# These will need to be set to `True` if you are developing locally
+CORS = False
+debug = False
+
+# this is the secret key used by flask session management
+SECRET_KEY = '%%lemur_secret'
+
+# You should consider storing these separately from your config
+LEMUR_TOKEN_SECRET = '%%lemur_token_secret'
+LEMUR_ENCRYPTION_KEYS = '%%lemur_encrypt_keys'
+
+# List of domain regular expressions that non-admin users can issue
+LEMUR_ALLOWED_DOMAINS = []
+
+# Mail Server
+
+LEMUR_EMAIL = ''
+LEMUR_SECURITY_TEAM_EMAIL = []
+
+# Certificate Defaults
+
+LEMUR_DEFAULT_COUNTRY = ''
+LEMUR_DEFAULT_STATE = ''
+LEMUR_DEFAULT_LOCATION = ''
+LEMUR_DEFAULT_ORGANIZATION = ''
+LEMUR_DEFAULT_ORGANIZATIONAL_UNIT = ''
+
+# Authentication Providers
+ACTIVE_PROVIDERS = []
+
+# Metrics Providers
+METRIC_PROVIDERS = []
+
+# Logging
+
+LOG_LEVEL = "DEBUG"
+LOG_FILE = "/var/log/lemur/lemur.log"
+
+
+# Database
+
+# modify this if you are not using a local database
+SQLALCHEMY_DATABASE_PASSWORD = 'replaceme'
+SQLALCHEMY_DATABASE_URI = f'postgresql:///%%lemur_db_name?host=/var/run/postgresql&user=%%lemur_db_user&password={SQLALCHEMY_DATABASE_PASSWORD}'
+
+# AWS
+
+#LEMUR_INSTANCE_PROFILE = 'Lemur'
+
+# Issuers
+
+# These will be dependent on which 3rd party that Lemur is
+# configured to use.
+
+# VERISIGN_URL = ''
+# VERISIGN_PEM_PATH = ''
+# VERISIGN_FIRST_NAME = ''
+# VERISIGN_LAST_NAME = ''
+# VERSIGN_EMAIL = ''
+
+#FIXME
+DIGICERT_CIS_API_KEY = ""
+DIGICERT_CIS_URL = ""
+DIGICERT_CIS_ROOTS = ''
+DIGICERT_API_KEY = ''
+DIGICERT_CIS_PROFILE_NAMES = ''
+DIGICERT_URL = ''
+DIGICERT_ORG_ID = ''
+DIGICERT_ORDER_TYPE = ''
+DIGICERT_ROOT = ''
+
+ENTRUST_API_CERT = ''
+ENTRUST_API_KEY = ''
+ENTRUST_API_USER = ''
+ENTRUST_API_PASS = ''
+ENTRUST_URL = ''
+ENTRUST_ROOT = ''
+ENTRUST_NAME = ''
+ENTRUST_EMAIL = ''
+ENTRUST_PHONE = ''
diff --git a/tmpl/lemur.yml b/tmpl/lemur.yml
new file mode 100644
index 0000000..5c31460
--- /dev/null
+++ b/tmpl/lemur.yml
@@ -0,0 +1,18 @@
+%set %%dbname = %%lemur_db_name
+---
+dbuser: %%lemur_db_user
+dbuser_options:
+ - LOGIN
+privileges:
+ %%{dbname}.public.*: 'ALL'
+ %%{dbname}.public: 'ALL'
+ %%{dbname}: 'ALL'
+dbhost: %%risotto_db_address
+dbport: 5432
+dbtype: postgres
+dbname: %%dbname
+template: 'template0'
+sqlscripts:
+ - /usr/share/eole/db/lemur/gen/lemur.sql
+pwd_files:
+ - {'file': '/etc/lemur/lemur.conf.py', 'pattern': "SQLALCHEMY_DATABASE_PASSWORD = '"}
diff --git a/tmpl/nginx-lemur.conf b/tmpl/nginx-lemur.conf
new file mode 100644
index 0000000..d1eb2b1
--- /dev/null
+++ b/tmpl/nginx-lemur.conf
@@ -0,0 +1,15 @@
+location /lemur/api {
+ proxy_pass http://127.0.0.1:8002/api;
+ proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
+ proxy_redirect off;
+ proxy_buffering off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+}
+
+location /lemur/ {
+ alias /usr/share/lemur/static/;
+ include mime.types;
+ index index.html;
+}
From 3b15634a554644770dddc234e801bbe70b3d60e3 Mon Sep 17 00:00:00 2001
From: Emmanuel Garette
Date: Mon, 9 Nov 2020 07:45:00 +0100
Subject: [PATCH 2/2] add lemur service
---
dicos/50_lemur.xml | 2 +-
posttemplate/03-lemur | 1 -
2 files changed, 1 insertion(+), 2 deletions(-)
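Review bot: `LOG_LEVEL = "DEBUG"` ships a production template with debug-level logging of a certificate-management service into /var/log/lemur/lemur.log, a directory 03-lemur creates with default permissions; debug output from a CA front-end tends to include request bodies and identifiers that should not sit world-readable on disk, so `LOG_LEVEL = "INFO"` is the safer default, with a comment that DEBUG is for troubleshooting only. Note also that `debug = False` is lowercase: Flask's config loaders only pick up uppercase names, so the line is inert (harmless, since the default is off), and if it was copied from Lemur's sample config it could simply be dropped or written as `DEBUG = False` to match `CORS = False` above it. The `#FIXME` block of empty DIGICERT_*/ENTRUST_* settings would read better with a one-line comment saying these are intentionally blank until an issuer is configured.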
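Review bot: `dbhost: %%risotto_db_address` provisions the role and database on whatever host that variable resolves to, but the `SQLALCHEMY_DATABASE_URI` written by the same commit into lemur.conf.py hardcodes `host=/var/run/postgresql`, a local Unix socket, and lemur.service orders only on the local postgresql.service; if risotto_db_address can ever point at a remote server, Lemur will not reach the database it was provisioned on. Either derive the URI host/port from the same variable or state in a comment on the `dbhost:` line that only a co-located PostgreSQL is supported. The `pwd_files` substitution also writes the generated password in clear into /etc/lemur/lemur.conf.py, which 03-lemur then makes mode 640 with group lemur (owner presumably root); that is appropriate, but a short comment next to the `pwd_files:` entry saying the file must stay 640 root:lemur would keep a later cleanup from relaxing it.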
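Review bot: The `/lemur/api` proxy forwards Host, X-Real-IP and X-Forwarded-For but not the original scheme, so Lemur behind this (presumably TLS-terminating) nginx sees plain http; if it derives absolute URLs, redirect targets or the Secure cookie flag from the request scheme those will be wrong. Add `proxy_set_header X-Forwarded-Proto $scheme;` beside the other headers, and make sure the upstream is configured to honour it only from this proxy. `location /lemur/api` without a trailing slash is a prefix match, so `/lemur/apiXYZ` is also proxied as `/apiXYZ`; harmless as far as the hunk shows, but `location /lemur/api/` with `proxy_pass http://127.0.0.1:8002/api/;` would be the tighter form.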
diff --git a/dicos/50_lemur.xml b/dicos/50_lemur.xml index 2349554..5934192 100644 --- a/dicos/50_lemur.xml +++ b/dicos/50_lemur.xml @@ -1,7 +1,7 @@ - + lemur diff --git a/posttemplate/03-lemur b/posttemplate/03-lemur index 047ea80..5e8bf61 100755 --- a/posttemplate/03-lemur +++ b/posttemplate/03-lemur @@ -14,6 +14,5 @@ chgrp lemur /etc/lemur/* systemctl start postgresql.service su - lemur -s /bin/bash -c "lemur --config=/etc/lemur/lemur.conf.py init --password $(CreoleGet lemur_admin_password)" systemctl stop postgresql.service -rm -f *.log exit 0