diff --git a/db/lemur.sql b/db/lemur.sql new file mode 100644 index 0000000..d497121 --- /dev/null +++ b/db/lemur.sql @@ -0,0 +1 @@ +CREATE EXTENSION pg_trgm; diff --git a/dicos/50_lemur.xml b/dicos/50_lemur.xml new file mode 100644 index 0000000..2349554 --- /dev/null +++ b/dicos/50_lemur.xml @@ -0,0 +1,29 @@ + + + + + + + + + + + + + + + lemur + + + lemur + + + + + + + + + + + diff --git a/funcs/lemur.py b/funcs/lemur.py new file mode 100644 index 0000000..8cd6505 --- /dev/null +++ b/funcs/lemur.py @@ -0,0 +1,6 @@ +from secrets import token_bytes as _token_bytes +from base64 import urlsafe_b64encode as _urlsafe_b64encode + + +def gen_random_base64(): + return _urlsafe_b64encode(_token_bytes(32)).decode() diff --git a/lemur.service b/lemur.service new file mode 100644 index 0000000..b5c1dbb --- /dev/null +++ b/lemur.service @@ -0,0 +1,12 @@ +[Unit] +Description=Lemur +After=postgresql.service + +[Service] +ExecStart=/usr/bin/lemur start -b 127.0.0.1:8002 -c /etc/lemur/lemur.conf.py +User=lemur +Group=lemur + +[Install] +WantedBy=multi-user.target + diff --git a/posttemplate/03-lemur b/posttemplate/03-lemur new file mode 100755 index 0000000..047ea80 --- /dev/null +++ b/posttemplate/03-lemur @@ -0,0 +1,19 @@ +#!/bin/bash + +set -e + +# install unrelease python modules +pip3 install alembic-autogenerate-enums==0.0.2 asyncpool==1.0 certsrv==2.1.1 cryptography==3.1.1 dnspython3==1.15.0 dyn==1.8.1 flask-replicated==1.4 javaobj-py3==0.4.0.1 jsonlines==1.2.0 logmatic-python==0.1.7 marshmallow==2.20.4 pycryptodomex==3.9.7 pyjks==20.0.0 raven[flask]==6.10.0 twofish==0.3.0 + +mkdir -p /var/log/lemur/ +chown lemur: /var/log/lemur/ + +# EOLE-DB change file right to 400 +chmod 640 /etc/lemur/* +chgrp lemur /etc/lemur/* +systemctl start postgresql.service +su - lemur -s /bin/bash -c "lemur --config=/etc/lemur/lemur.conf.py init --password $(CreoleGet lemur_admin_password)" +systemctl stop postgresql.service +rm -f *.log + +exit 0 diff --git a/tmpl/lemur.conf.py b/tmpl/lemur.conf.py new file mode 100644 index 0000000..740ecc5 --- /dev/null +++ b/tmpl/lemur.conf.py @@ -0,0 +1,90 @@ + +# This is just Python which means you can inherit and tweak settings + +import os +_basedir = os.path.abspath(os.path.dirname(__file__)) + +THREADS_PER_PAGE = 8 + +# General + +# These will need to be set to `True` if you are developing locally +CORS = False +debug = False + +# this is the secret key used by flask session management +SECRET_KEY = '%%lemur_secret' + +# You should consider storing these separately from your config +LEMUR_TOKEN_SECRET = '%%lemur_token_secret' +LEMUR_ENCRYPTION_KEYS = '%%lemur_encrypt_keys' + +# List of domain regular expressions that non-admin users can issue +LEMUR_ALLOWED_DOMAINS = [] + +# Mail Server + +LEMUR_EMAIL = '' +LEMUR_SECURITY_TEAM_EMAIL = [] + +# Certificate Defaults + +LEMUR_DEFAULT_COUNTRY = '' +LEMUR_DEFAULT_STATE = '' +LEMUR_DEFAULT_LOCATION = '' +LEMUR_DEFAULT_ORGANIZATION = '' +LEMUR_DEFAULT_ORGANIZATIONAL_UNIT = '' + +# Authentication Providers +ACTIVE_PROVIDERS = [] + +# Metrics Providers +METRIC_PROVIDERS = [] + +# Logging + +LOG_LEVEL = "DEBUG" +LOG_FILE = "/var/log/lemur/lemur.log" + + +# Database + +# modify this if you are not using a local database +SQLALCHEMY_DATABASE_PASSWORD = 'replaceme' +SQLALCHEMY_DATABASE_URI = f'postgresql:///%%lemur_db_name?host=/var/run/postgresql&user=%%lemur_db_user&password={SQLALCHEMY_DATABASE_PASSWORD}' + +# AWS + +#LEMUR_INSTANCE_PROFILE = 'Lemur' + +# Issuers + +# These will be dependent on which 3rd party that Lemur is +# configured to use. + +# VERISIGN_URL = '' +# VERISIGN_PEM_PATH = '' +# VERISIGN_FIRST_NAME = '' +# VERISIGN_LAST_NAME = '' +# VERSIGN_EMAIL = '' + +#FIXME +DIGICERT_CIS_API_KEY = "" +DIGICERT_CIS_URL = "" +DIGICERT_CIS_ROOTS = '' +DIGICERT_API_KEY = '' +DIGICERT_CIS_PROFILE_NAMES = '' +DIGICERT_URL = '' +DIGICERT_ORG_ID = '' +DIGICERT_ORDER_TYPE = '' +DIGICERT_ROOT = '' + +ENTRUST_API_CERT = '' +ENTRUST_API_KEY = '' +ENTRUST_API_USER = '' +ENTRUST_API_PASS = '' +ENTRUST_URL = '' +ENTRUST_ROOT = '' +ENTRUST_NAME = '' +ENTRUST_EMAIL = '' +ENTRUST_PHONE = '' diff --git a/tmpl/lemur.yml b/tmpl/lemur.yml new file mode 100644 index 0000000..5c31460 --- /dev/null +++ b/tmpl/lemur.yml @@ -0,0 +1,18 @@ +%set %%dbname = %%lemur_db_name +--- +dbuser: %%lemur_db_user +dbuser_options: + - LOGIN +privileges: + %%{dbname}.public.*: 'ALL' + %%{dbname}.public: 'ALL' + %%{dbname}: 'ALL' +dbhost: %%risotto_db_address +dbport: 5432 +dbtype: postgres +dbname: %%dbname +template: 'template0' +sqlscripts: + - /usr/share/eole/db/lemur/gen/lemur.sql +pwd_files: + - {'file': '/etc/lemur/lemur.conf.py', 'pattern': "SQLALCHEMY_DATABASE_PASSWORD = '"} diff --git a/tmpl/nginx-lemur.conf b/tmpl/nginx-lemur.conf new file mode 100644 index 0000000..d1eb2b1 --- /dev/null +++ b/tmpl/nginx-lemur.conf @@ -0,0 +1,15 @@ +location /lemur/api { + proxy_pass http://127.0.0.1:8002/api; + proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504; + proxy_redirect off; + proxy_buffering off; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +} + +location /lemur/ { + alias /usr/share/lemur/static/; + include mime.types; + index index.html; +}