Compare commits

..

8 Commits

Author SHA1 Message Date
99bd9b4fb5 regen certificate in lemur 2021-08-28 07:37:37 +02:00
e086e08d9a fix 2021-05-22 18:25:41 +02:00
2eb256a760 better lemur integration 2021-05-22 16:38:47 +02:00
ba59a8aaeb mise à jour de pyjwt 2021-05-08 12:22:18 +02:00
3d0eadd954 add type 2020-11-14 17:48:49 +01:00
fc97ee1c63 update configuration 2020-11-14 10:27:57 +01:00
3b15634a55 add lemur service 2020-11-09 07:45:00 +01:00
996c15165a eolisation 2020-10-21 11:58:06 +02:00
10 changed files with 237 additions and 0 deletions

1
db/lemur.sql Normal file
View File

@ -0,0 +1 @@
CREATE EXTENSION pg_trgm;

41
dicos/50_lemur.xml Normal file
View File

@ -0,0 +1,41 @@
<?xml version="1.0" encoding="utf-8"?>
<creole>
<files>
<service>lemur</service>
<file name='/etc/lemur/lemur.conf.py' mkdir='True'/>
<file name='/etc/eole/eole-db.d/lemur.yml'/>
<file name='/etc/nginx/web.d/lemur.conf' source='nginx-lemur.conf'/>
</files>
<variables>
<family name='lemur'>
<variable name='lemur_secret' type='password' description="Secret pour Lemur" auto_save="True"/>
<variable name='lemur_token_secret' type='password' description="Token secret pour Lemur" auto_save="True"/>
<variable name='lemur_encrypt_keys' type='password' description="Encrypt keys pour Lemur" auto_save="True"/>
<variable name='lemur_db_name' type='string' description="Nom de la base de donnée de Lemur" mode="expert">
<value>lemur</value>
</variable>
<variable name='lemur_db_user' type='string' description="Nom de l'utilisateur de la base de donnée de Lemur" mode="expert">
<value>lemur</value>
</variable>
<variable name='lemur_admin_password' type='password' description="Mot de passe de l'utilisateur admin de Lemur" auto_save="True"/>
<variable name='lemur_admin_email' type='mail' description="Adresse courriel d'administration de Lemur" mandatory="True"/>
<variable name='lemur_default_country' type='string' description="" mandatory="True">
<value>FR</value>
</variable>
<variable name='lemur_default_state' type='string' description="" mandatory="True">
<value>Bourgogne</value>
</variable>
<variable name='lemur_default_location' type='string' description="" mandatory="True">
<value>Dijon</value>
</variable>
<variable name='lemur_default_organization' type='string' description="" mandatory="True"/>
<variable name='lemur_default_organization_unit' type='string' description="" mandatory="True"/>
</family>
</variables>
<constraints>
<fill name='gen_random_base64' target='lemur_secret'/>
<fill name='gen_random_base64' target='lemur_token_secret'/>
<fill name='gen_random_base64' target='lemur_encrypt_keys'/>
<fill name='gen_random' target='lemur_admin_password'/>
</constraints>
</creole>

6
funcs/lemur.py Normal file
View File

@ -0,0 +1,6 @@
from secrets import token_bytes as _token_bytes
from base64 import urlsafe_b64encode as _urlsafe_b64encode
def gen_random_base64():
return _urlsafe_b64encode(_token_bytes(32)).decode()

12
lemur.service Normal file
View File

@ -0,0 +1,12 @@
[Unit]
Description=Lemur
After=postgresql.service
[Service]
ExecStart=/usr/bin/lemur -c /etc/lemur/lemur.conf.py start -b 127.0.0.1:8002
User=lemur
Group=lemur
[Install]
WantedBy=multi-user.target

12
lemur_cron.service Normal file
View File

@ -0,0 +1,12 @@
[Unit]
Description=Lemur
After=lemur.service
[Service]
Environment="LEMUR_CONF=/etc/lemur/lemur.conf.py"
ExecStart=/usr/bin/lemur certificate reissue --commit
User=lemur
Group=lemur
[Install]
WantedBy=basic.target

9
lemur_cron.timer Normal file
View File

@ -0,0 +1,9 @@
[Unit]
Description=Crontab for Lemur
[Timer]
OnCalendar=daily
Unit=lemur_cron.service
[Install]
WantedBy=timers.target

23
posttemplate/03-lemur Executable file
View File

@ -0,0 +1,23 @@
#!/bin/bash
set -e
# install unrelease python modules
pip3 install alembic-autogenerate-enums==0.0.2 asyncpool==1.0 certsrv==2.1.1 cryptography==3.1.1 dnspython3==1.15.0 dyn==1.8.1 flask-replicated==1.4 javaobj-py3==0.4.0.1 jsonlines==1.2.0 logmatic-python==0.1.7 marshmallow==2.20.4 pycryptodomex==3.9.7 pyjks==20.0.0 raven[flask]==6.10.0 twofish==0.3.0 pyjwt==2.1.0
mkdir -p /var/log/lemur/
chown lemur: /var/log/lemur/
# EOLE-DB change file right to 400
chmod 640 /etc/lemur/*
chgrp lemur /etc/lemur/*
systemctl start postgresql.service
psql -Upostgres -c "grant all on all tables in schema public to lemur" lemur
psql -Upostgres -c "grant all on all sequences in schema public to lemur" lemur
psql -Upostgres -c "grant all on all functions in schema public to lemur" lemur
su - lemur -s /bin/bash -c "lemur --config=/etc/lemur/lemur.conf.py init --password $(CreoleGet lemur_admin_password)"
systemctl stop postgresql.service
systemctl enable --now lemur_cron.timer
exit 0

96
tmpl/lemur.conf.py Normal file
View File

@ -0,0 +1,96 @@
# This is just Python which means you can inherit and tweak settings
import os
_basedir = os.path.abspath(os.path.dirname(__file__))
THREADS_PER_PAGE = 8
# General
# These will need to be set to `True` if you are developing locally
CORS = False
debug = False
# this is the secret key used by flask session management
SECRET_KEY = '%%lemur_secret'
# You should consider storing these separately from your config
LEMUR_TOKEN_SECRET = '%%lemur_token_secret'
LEMUR_ENCRYPTION_KEYS = '%%lemur_encrypt_keys'
# List of domain regular expressions that non-admin users can issue
LEMUR_ALLOWED_DOMAINS = []
# Mail Server
LEMUR_EMAIL = '%%lemur_admin_email'
LEMUR_SECURITY_TEAM_EMAIL = []
LEMUR_EMAIL_SENDER = 'smtp'
# Certificate Defaults
LEMUR_DEFAULT_COUNTRY = '%%lemur_default_country'
LEMUR_DEFAULT_STATE = '%%lemur_default_state'
LEMUR_DEFAULT_LOCATION = '%%lemur_default_location'
LEMUR_DEFAULT_ORGANIZATION = '%%lemur_default_organization'
LEMUR_DEFAULT_ORGANIZATIONAL_UNIT = '%%lemur_default_organization_unit'
# Default issuer
LEMUR_DEFAULT_ISSUER_PLUGIN = 'cryptography-issuer'
# Authentication Providers
ACTIVE_PROVIDERS = []
# Metrics Providers
METRIC_PROVIDERS = []
# Logging
LOG_LEVEL = "DEBUG"
LOG_FILE = "/var/log/lemur/lemur.log"
LOG_UPGRADE_FILE = '/var/log/lemur/db_upgrade.log'
# Database
# modify this if you are not using a local database
SQLALCHEMY_DATABASE_PASSWORD = 'replaceme'
SQLALCHEMY_DATABASE_URI = f'postgresql:///%%lemur_db_name?host=/var/run/postgresql&user=%%lemur_db_user&password={SQLALCHEMY_DATABASE_PASSWORD}'
# AWS
#LEMUR_INSTANCE_PROFILE = 'Lemur'
# Issuers
# These will be dependent on which 3rd party that Lemur is
# configured to use.
# VERISIGN_URL = ''
# VERISIGN_PEM_PATH = ''
# VERISIGN_FIRST_NAME = ''
# VERISIGN_LAST_NAME = ''
# VERSIGN_EMAIL = ''
#FIXME
DIGICERT_CIS_API_KEY = ""
DIGICERT_CIS_URL = ""
DIGICERT_CIS_ROOTS = ''
DIGICERT_API_KEY = ''
DIGICERT_CIS_PROFILE_NAMES = ''
DIGICERT_URL = ''
DIGICERT_ORG_ID = ''
DIGICERT_ORDER_TYPE = ''
DIGICERT_ROOT = ''
ENTRUST_API_CERT = ''
ENTRUST_API_KEY = ''
ENTRUST_API_USER = ''
ENTRUST_API_PASS = ''
ENTRUST_URL = ''
ENTRUST_ROOT = ''
ENTRUST_NAME = ''
ENTRUST_EMAIL = ''
ENTRUST_PHONE = ''

22
tmpl/lemur.yml Normal file
View File

@ -0,0 +1,22 @@
%set %%dbname = %%lemur_db_name
---
dbuser: %%lemur_db_user
dbuser_options:
- LOGIN
privileges:
%%{dbname}.public.*: 'ALL'
%%{dbname}.public: 'ALL'
%%{dbname}: 'ALL'
dbhost: %%risotto_db_address
dbport: 5432
dbtype: postgres
dbname: %%dbname
template: 'template0'
sqlscripts:
- /usr/share/eole/db/lemur/gen/lemur.sql
pwd_files:
- {'file': '/etc/lemur/lemur.conf.py', 'pattern': "SQLALCHEMY_DATABASE_PASSWORD = '"}
%set %%var = %%getVar('risotto_main_dbname', None)
%if not %%is_empty(%%var)
- {'file': '/etc/risotto/risotto.conf', 'pattern': "LEMUR_DB_PASSWORD='"}
%end if

15
tmpl/nginx-lemur.conf Normal file
View File

@ -0,0 +1,15 @@
location /lemur/api {
proxy_pass http://127.0.0.1:8002/api;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
proxy_redirect off;
proxy_buffering off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /lemur/ {
alias /usr/share/lemur/static/;
include mime.types;
index index.html;
}