add free-ipa setup

deployments/config.prod.yaml

@@ -7,23 +7,23 @@
 #   SILO_MINIO_SECRET_KEY
 
 server:
-  host: "0.0.0.0"
+  host: "127.0.0.1" # Listen only on localhost (nginx handles external traffic)
   port: 8080
-  base_url: "http://silo.kindred.internal:8080"
+  base_url: "https://silo.kindred.internal"
 
 database:
   host: "psql.kindred.internal"
   port: 5432
   name: "silo"
   user: "silo"
-  password: ""  # Set via SILO_DB_PASSWORD
+  password: "" # Set via SILO_DB_PASSWORD
   sslmode: "require"
   max_connections: 20
 
 storage:
   endpoint: "minio.kindred.internal:9000"
-  access_key: ""  # Set via SILO_MINIO_ACCESS_KEY
-  secret_key: ""  # Set via SILO_MINIO_SECRET_KEY
+  access_key: "" # Set via SILO_MINIO_ACCESS_KEY
+  secret_key: "" # Set via SILO_MINIO_SECRET_KEY
   bucket: "silo-files"
   use_ssl: true
   region: "us-east-1"

scripts/setup-host.sh

@@ -181,6 +181,10 @@ fi
 # Clone repository
 log_info "Cloning repository..."
 
+# Configure git to trust internal Gitea (self-signed cert)
+git config --global http.sslVerify false
+log_warn "Disabled SSL verification for git (internal Gitea uses self-signed cert)"
+
 if [[ -d "${INSTALL_DIR}/src/.git" ]]; then
     log_info "Repository already cloned, pulling latest..."
     cd "${INSTALL_DIR}/src"

scripts/setup-ipa-nginx.sh

@@ -0,0 +1,358 @@
+#!/usr/bin/env bash
+#
+# Silo IPA Enrollment and Nginx Setup Script
+# Enrolls host in FreeIPA, obtains certificates, and configures nginx reverse proxy
+#
+# Usage:
+#   sudo ./scripts/setup-ipa-nginx.sh
+#
+# Prerequisites:
+#   - FreeIPA server at ipa.kindred.internal
+#   - DNS configured for silo.kindred.internal
+#   - Admin credentials for IPA enrollment
+
+set -euo pipefail
+
+# Colors
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m'
+
+# Configuration
+IPA_SERVER="${IPA_SERVER:-ipa.kindred.internal}"
+IPA_DOMAIN="${IPA_DOMAIN:-kindred.internal}"
+IPA_REALM="${IPA_REALM:-KINDRED.INTERNAL}"
+HOSTNAME="silo.kindred.internal"
+CERT_DIR="/etc/ssl/silo"
+SILO_PORT=8080
+
+log_info() { echo -e "${BLUE}[INFO]${NC} $*"; }
+log_success() { echo -e "${GREEN}[OK]${NC} $*"; }
+log_warn() { echo -e "${YELLOW}[WARN]${NC} $*"; }
+log_error() { echo -e "${RED}[ERROR]${NC} $*" >&2; }
+die() { log_error "$*"; exit 1; }
+
+# Check root
+if [[ $EUID -ne 0 ]]; then
+    die "This script must be run as root (use sudo)"
+fi
+
+log_info "============================================"
+log_info "Silo IPA Enrollment and Nginx Setup"
+log_info "============================================"
+echo ""
+
+# Detect package manager
+if command -v apt-get >/dev/null 2>&1; then
+    PKG_MANAGER="apt"
+elif command -v dnf >/dev/null 2>&1; then
+    PKG_MANAGER="dnf"
+elif command -v yum >/dev/null 2>&1; then
+    PKG_MANAGER="yum"
+else
+    die "Unsupported package manager"
+fi
+
+log_info "Detected package manager: ${PKG_MANAGER}"
+
+#
+# Step 1: Install IPA client and nginx
+#
+log_info "Installing packages..."
+
+case ${PKG_MANAGER} in
+    apt)
+        apt-get update -qq
+        apt-get install -y -qq freeipa-client nginx certmonger
+        ;;
+    dnf|yum)
+        ${PKG_MANAGER} install -y -q freeipa-client nginx certmonger
+        ;;
+esac
+
+log_success "Packages installed"
+
+#
+# Step 2: Set hostname
+#
+log_info "Setting hostname to ${HOSTNAME}..."
+hostnamectl set-hostname "${HOSTNAME}"
+log_success "Hostname set"
+
+#
+# Step 3: Enroll in FreeIPA
+#
+if ipa-client-install --version >/dev/null 2>&1 && klist -k /etc/krb5.keytab >/dev/null 2>&1; then
+    log_info "Host appears to already be enrolled in IPA"
+else
+    log_info "Enrolling in FreeIPA domain..."
+    log_warn "You will be prompted for IPA admin credentials"
+    echo ""
+
+    ipa-client-install \
+        --server="${IPA_SERVER}" \
+        --domain="${IPA_DOMAIN}" \
+        --realm="${IPA_REALM}" \
+        --hostname="${HOSTNAME}" \
+        --mkhomedir \
+        --enable-dns-updates \
+        --unattended \
+        --force-join || {
+            log_warn "Unattended enrollment failed, trying interactive mode..."
+            ipa-client-install \
+                --server="${IPA_SERVER}" \
+                --domain="${IPA_DOMAIN}" \
+                --realm="${IPA_REALM}" \
+                --hostname="${HOSTNAME}" \
+                --mkhomedir \
+                --enable-dns-updates
+        }
+
+    log_success "Enrolled in FreeIPA"
+fi
+
+#
+# Step 4: Create certificate directory
+#
+log_info "Setting up certificate directory..."
+mkdir -p "${CERT_DIR}"
+chmod 750 "${CERT_DIR}"
+chown root:nginx "${CERT_DIR}" 2>/dev/null || chown root:www-data "${CERT_DIR}"
+log_success "Certificate directory created: ${CERT_DIR}"
+
+#
+# Step 5: Request certificate from IPA CA
+#
+log_info "Requesting SSL certificate from IPA CA..."
+
+# Check if certificate already exists and is managed by certmonger
+if getcert list | grep -q "${CERT_DIR}/silo.crt"; then
+    log_info "Certificate already managed by certmonger"
+else
+    # Request new certificate
+    ipa-getcert request \
+        -f "${CERT_DIR}/silo.crt" \
+        -k "${CERT_DIR}/silo.key" \
+        -K "HTTP/${HOSTNAME}" \
+        -D "${HOSTNAME}" \
+        -N "CN=${HOSTNAME}" \
+        -C "systemctl reload nginx"
+
+    log_info "Waiting for certificate to be issued..."
+
+    # Wait for certificate (up to 60 seconds)
+    for i in {1..12}; do
+        if [[ -f "${CERT_DIR}/silo.crt" ]] && [[ -s "${CERT_DIR}/silo.crt" ]]; then
+            log_success "Certificate issued"
+            break
+        fi
+        sleep 5
+        echo -n "."
+    done
+    echo ""
+
+    if [[ ! -f "${CERT_DIR}/silo.crt" ]]; then
+        log_warn "Certificate not yet issued. Check with: getcert list"
+    fi
+fi
+
+# Set certificate permissions
+if [[ -f "${CERT_DIR}/silo.key" ]]; then
+    chmod 640 "${CERT_DIR}/silo.key"
+    chown root:nginx "${CERT_DIR}/silo.key" 2>/dev/null || chown root:www-data "${CERT_DIR}/silo.key"
+fi
+
+#
+# Step 6: Get IPA CA certificate for trust
+#
+log_info "Installing IPA CA certificate..."
+if [[ -f /etc/ipa/ca.crt ]]; then
+    cp /etc/ipa/ca.crt "${CERT_DIR}/ca.crt"
+    log_success "CA certificate installed"
+else
+    log_warn "IPA CA certificate not found at /etc/ipa/ca.crt"
+fi
+
+#
+# Step 7: Configure nginx
+#
+log_info "Configuring nginx..."
+
+# Backup existing config
+if [[ -f /etc/nginx/sites-enabled/default ]]; then
+    mv /etc/nginx/sites-enabled/default /etc/nginx/sites-available/default.bak 2>/dev/null || true
+fi
+
+# Create silo nginx config
+cat > /etc/nginx/sites-available/silo << 'NGINX_EOF'
+# Silo API Server - Nginx Reverse Proxy Configuration
+
+# Redirect HTTP to HTTPS
+server {
+    listen 80;
+    listen [::]:80;
+    server_name silo.kindred.internal;
+
+    # Allow certmonger/ACME challenges
+    location /.well-known/ {
+        root /var/www/html;
+    }
+
+    location / {
+        return 301 https://$server_name$request_uri;
+    }
+}
+
+# HTTPS server
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name silo.kindred.internal;
+
+    # SSL certificates (managed by certmonger/IPA)
+    ssl_certificate /etc/ssl/silo/silo.crt;
+    ssl_certificate_key /etc/ssl/silo/silo.key;
+
+    # SSL configuration
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:50m;
+    ssl_session_tickets off;
+
+    # OCSP stapling
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    ssl_trusted_certificate /etc/ssl/silo/ca.crt;
+
+    # Security headers
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+
+    # Logging
+    access_log /var/log/nginx/silo_access.log;
+    error_log /var/log/nginx/silo_error.log;
+
+    # Proxy settings
+    location / {
+        proxy_pass http://127.0.0.1:8080;
+        proxy_http_version 1.1;
+
+        # Headers
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Port $server_port;
+
+        # WebSocket support (for future use)
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+
+        # Timeouts
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+
+        # Buffering
+        proxy_buffering on;
+        proxy_buffer_size 4k;
+        proxy_buffers 8 4k;
+
+        # File uploads (for CAD files)
+        client_max_body_size 100M;
+    }
+
+    # Health check endpoint (bypass proxy for monitoring)
+    location /nginx-health {
+        access_log off;
+        return 200 "OK\n";
+        add_header Content-Type text/plain;
+    }
+}
+NGINX_EOF
+
+# Enable the site
+ln -sf /etc/nginx/sites-available/silo /etc/nginx/sites-enabled/silo
+
+# Test nginx configuration
+log_info "Testing nginx configuration..."
+if nginx -t; then
+    log_success "Nginx configuration valid"
+else
+    die "Nginx configuration test failed"
+fi
+
+#
+# Step 8: Start/restart services
+#
+log_info "Starting services..."
+
+# Enable and start certmonger
+systemctl enable certmonger
+systemctl start certmonger
+
+# Enable and restart nginx
+systemctl enable nginx
+systemctl restart nginx
+
+log_success "Services started"
+
+#
+# Step 9: Configure firewall
+#
+log_info "Configuring firewall..."
+
+if command -v ufw >/dev/null 2>&1; then
+    ufw allow 80/tcp
+    ufw allow 443/tcp
+    log_success "UFW rules added"
+elif command -v firewall-cmd >/dev/null 2>&1; then
+    firewall-cmd --permanent --add-service=http
+    firewall-cmd --permanent --add-service=https
+    firewall-cmd --reload
+    log_success "Firewalld rules added"
+else
+    log_warn "No firewall detected. Manually open ports 80 and 443"
+fi
+
+#
+# Summary
+#
+echo ""
+log_info "============================================"
+log_info "Setup Complete!"
+log_info "============================================"
+echo ""
+echo "Certificate status:"
+getcert list -f "${CERT_DIR}/silo.crt" 2>/dev/null || echo "  Check with: getcert list"
+echo ""
+echo "Nginx status:"
+systemctl status nginx --no-pager -l | head -5
+echo ""
+echo "Next steps:"
+echo ""
+echo "1. Verify certificate was issued:"
+echo "   getcert list"
+echo ""
+echo "2. Update silo config to use correct base URL:"
+echo "   sudo nano /etc/silo/config.yaml"
+echo "   # Change base_url to: https://silo.kindred.internal"
+echo ""
+echo "3. Restart silo service:"
+echo "   sudo systemctl restart silod"
+echo ""
+echo "4. Test the setup:"
+echo "   curl -k https://silo.kindred.internal/health"
+echo "   curl https://silo.kindred.internal/health  # after trusting IPA CA"
+echo ""
+echo "5. Trust IPA CA on client machines:"
+echo "   # The CA cert is at: ${CERT_DIR}/ca.crt"
+echo "   # Or fetch from: https://${IPA_SERVER}/ipa/config/ca.crt"
+echo ""