eolisation

db/lemur.sql

@@ -0,0 +1 @@
+CREATE EXTENSION pg_trgm;

dicos/50_lemur.xml

@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="utf-8"?>
+<creole>
+    <files>
+        <!--service>lemur</service-->
+	<file name='/etc/lemur/lemur.conf.py' mkdir='True'/>
+	<file name='/etc/eole/eole-db.d/lemur.yml'/>
+	<file name='/etc/nginx/web.d/lemur.conf' source='nginx-lemur.conf'/>
+    </files>
+    <variables>
+        <family name='lemur'>
+            <variable name='lemur_secret' type='password' description="Secret pour Lemur" auto_save="True"/>
+            <variable name='lemur_token_secret' type='password' description="Token secret pour Lemur" auto_save="True"/>
+            <variable name='lemur_encrypt_keys' type='password' description="Encrypt keys pour Lemur" auto_save="True"/>
+            <variable name='lemur_db_name' type='string' description="Nom de la base de donnée de Lemur" mode="expert">
+                <value>lemur</value>
+            </variable>
+            <variable name='lemur_db_user' type='string' description="Nom de l'utilisateur de la base de donnée de Lemur" mode="expert">
+                <value>lemur</value>
+            </variable>
+            <variable name='lemur_admin_password' type='password' description="Mot de passe de l'utilisateur admin de Lemur" auto_save="True"/>
+        </family>
+    </variables>
+    <constraints>
+        <fill name='gen_random_base64' target='lemur_secret'/>
+        <fill name='gen_random_base64' target='lemur_token_secret'/>
+        <fill name='gen_random_base64' target='lemur_encrypt_keys'/>
+        <fill name='gen_random' target='lemur_admin_password'/>
+    </constraints>
+</creole>

funcs/lemur.py

@@ -0,0 +1,6 @@
+from secrets import token_bytes as _token_bytes
+from base64 import urlsafe_b64encode as _urlsafe_b64encode
+
+
+def gen_random_base64():
+    return _urlsafe_b64encode(_token_bytes(32)).decode()

lemur.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Lemur
+After=postgresql.service
+
+[Service]
+ExecStart=/usr/bin/lemur start -b 127.0.0.1:8002 -c /etc/lemur/lemur.conf.py
+User=lemur
+Group=lemur
+
+[Install]
+WantedBy=multi-user.target
+

posttemplate/03-lemur

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -e
+
+# install unrelease python modules
+pip3 install alembic-autogenerate-enums==0.0.2 asyncpool==1.0 certsrv==2.1.1 cryptography==3.1.1 dnspython3==1.15.0 dyn==1.8.1 flask-replicated==1.4 javaobj-py3==0.4.0.1 jsonlines==1.2.0 logmatic-python==0.1.7 marshmallow==2.20.4 pycryptodomex==3.9.7 pyjks==20.0.0 raven[flask]==6.10.0 twofish==0.3.0
+
+mkdir -p /var/log/lemur/
+chown lemur: /var/log/lemur/
+
+# EOLE-DB change file right to 400
+chmod 640 /etc/lemur/*
+chgrp lemur /etc/lemur/*
+systemctl start postgresql.service
+su - lemur -s /bin/bash -c "lemur --config=/etc/lemur/lemur.conf.py init --password $(CreoleGet lemur_admin_password)"
+systemctl stop postgresql.service
+rm -f *.log
+
+exit 0

tmpl/lemur.conf.py

@@ -0,0 +1,90 @@
+
+# This is just Python which means you can inherit and tweak settings
+
+import os
+_basedir = os.path.abspath(os.path.dirname(__file__))
+
+THREADS_PER_PAGE = 8
+
+# General
+
+# These will need to be set to `True` if you are developing locally
+CORS = False
+debug = False
+
+# this is the secret key used by flask session management
+SECRET_KEY = '%%lemur_secret'
+
+# You should consider storing these separately from your config
+LEMUR_TOKEN_SECRET = '%%lemur_token_secret'
+LEMUR_ENCRYPTION_KEYS = '%%lemur_encrypt_keys'
+
+# List of domain regular expressions that non-admin users can issue
+LEMUR_ALLOWED_DOMAINS = []
+
+# Mail Server
+
+LEMUR_EMAIL = ''
+LEMUR_SECURITY_TEAM_EMAIL = []
+
+# Certificate Defaults
+
+LEMUR_DEFAULT_COUNTRY = ''
+LEMUR_DEFAULT_STATE = ''
+LEMUR_DEFAULT_LOCATION = ''
+LEMUR_DEFAULT_ORGANIZATION = ''
+LEMUR_DEFAULT_ORGANIZATIONAL_UNIT = ''
+
+# Authentication Providers
+ACTIVE_PROVIDERS = []
+
+# Metrics Providers
+METRIC_PROVIDERS = []
+
+# Logging
+
+LOG_LEVEL = "DEBUG"
+LOG_FILE = "/var/log/lemur/lemur.log"
+
+
+# Database
+
+# modify this if you are not using a local database
+SQLALCHEMY_DATABASE_PASSWORD = 'replaceme'
+SQLALCHEMY_DATABASE_URI = f'postgresql:///%%lemur_db_name?host=/var/run/postgresql&user=%%lemur_db_user&password={SQLALCHEMY_DATABASE_PASSWORD}'
+
+# AWS
+
+#LEMUR_INSTANCE_PROFILE = 'Lemur'
+
+# Issuers
+
+# These will be dependent on which 3rd party that Lemur is
+# configured to use.
+
+# VERISIGN_URL = ''
+# VERISIGN_PEM_PATH = ''
+# VERISIGN_FIRST_NAME = ''
+# VERISIGN_LAST_NAME = ''
+# VERSIGN_EMAIL = ''
+
+#FIXME
+DIGICERT_CIS_API_KEY = ""
+DIGICERT_CIS_URL = ""
+DIGICERT_CIS_ROOTS = ''
+DIGICERT_API_KEY = ''
+DIGICERT_CIS_PROFILE_NAMES = ''
+DIGICERT_URL = ''
+DIGICERT_ORG_ID = ''
+DIGICERT_ORDER_TYPE = ''
+DIGICERT_ROOT = ''
+
+ENTRUST_API_CERT = ''
+ENTRUST_API_KEY = ''
+ENTRUST_API_USER = ''
+ENTRUST_API_PASS = ''
+ENTRUST_URL = ''
+ENTRUST_ROOT = ''
+ENTRUST_NAME = ''
+ENTRUST_EMAIL = ''
+ENTRUST_PHONE = ''

tmpl/lemur.yml

@@ -0,0 +1,18 @@
+%set %%dbname = %%lemur_db_name
+---
+dbuser: %%lemur_db_user
+dbuser_options:
+  - LOGIN
+privileges:
+  %%{dbname}.public.*: 'ALL'
+  %%{dbname}.public: 'ALL'
+  %%{dbname}: 'ALL'
+dbhost: %%risotto_db_address
+dbport: 5432
+dbtype: postgres
+dbname: %%dbname
+template: 'template0'
+sqlscripts:
+  - /usr/share/eole/db/lemur/gen/lemur.sql
+pwd_files:
+  - {'file': '/etc/lemur/lemur.conf.py', 'pattern': "SQLALCHEMY_DATABASE_PASSWORD = '"}

tmpl/nginx-lemur.conf

@@ -0,0 +1,15 @@
+location /lemur/api {
+    proxy_pass  http://127.0.0.1:8002/api;
+    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
+    proxy_redirect off;
+    proxy_buffering off;
+    proxy_set_header        Host            $host;
+    proxy_set_header        X-Real-IP       $remote_addr;
+    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+}
+
+location /lemur/ {
+    alias /usr/share/lemur/static/;
+    include mime.types;
+    index index.html;
+}