From be222307bbd07c1425083108e18b8105f3017f8e Mon Sep 17 00:00:00 2001
From: Forbes
Date: Mon, 26 Jan 2026 21:37:53 -0600
Subject: [PATCH] add free-ipa setup
---
 deployments/config.prod.yaml | 10 +-
 scripts/setup-host.sh | 4 +
 scripts/setup-ipa-nginx.sh | 358 +++++++++++++++++++++++++++++++++++
 3 files changed, 367 insertions(+), 5 deletions(-)
 create mode 100755 scripts/setup-ipa-nginx.sh
diff --git a/deployments/config.prod.yaml b/deployments/config.prod.yaml
index 0d34498..56d0ced 100644
--- a/deployments/config.prod.yaml
+++ b/deployments/config.prod.yaml
@@ -7,23 +7,23 @@
 # SILO_MINIO_SECRET_KEY
 server:
- host: "0.0.0.0"
+ host: "127.0.0.1" # Listen only on localhost (nginx handles external traffic)
 port: 8080
- base_url: "http://silo.kindred.internal:8080"
+ base_url: "https://silo.kindred.internal"
 database:
 host: "psql.kindred.internal"
 port: 5432
 name: "silo"
 user: "silo"
- password: "" # Set via SILO_DB_PASSWORD
+ password: "" # Set via SILO_DB_PASSWORD
 sslmode: "require"
 max_connections: 20
 storage:
 endpoint: "minio.kindred.internal:9000"
- access_key: "" # Set via SILO_MINIO_ACCESS_KEY
- secret_key: "" # Set via SILO_MINIO_SECRET_KEY
+ access_key: "" # Set via SILO_MINIO_ACCESS_KEY
+ secret_key: "" # Set via SILO_MINIO_SECRET_KEY
 bucket: "silo-files"
 use_ssl: true
 region: "us-east-1"
diff --git a/scripts/setup-host.sh b/scripts/setup-host.sh
index e285c38..725f3a0 100755
--- a/scripts/setup-host.sh
+++ b/scripts/setup-host.sh
@@ -181,6 +181,10 @@ fi
 # Clone repository
 log_info "Cloning repository..."
+# Configure git to trust internal Gitea (self-signed cert)
+git config --global http.sslVerify false
+log_warn "Disabled SSL verification for git (internal Gitea uses self-signed cert)"
+
+if [[ -d "${INSTALL_DIR}/src/.git" ]]; then
+ log_info "Repository already cloned, pulling latest..."
+ cd "${INSTALL_DIR}/src"
diff --git a/scripts/setup-ipa-nginx.sh b/scripts/setup-ipa-nginx.sh
new file mode 100755
index 0000000..f35ea8b
--- /dev/null
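Review bot: `git config --global http.sslVerify false` in the setup-host.sh hunk switches off certificate verification for every HTTPS remote that root's git will ever contact on this host, not only the internal Gitea, and the setting persists after the script exits, which is broader than the comment above it suggests. Since the IPA enrollment added in this same commit leaves the IPA CA at `/etc/ipa/ca.crt` (setup-ipa-nginx.sh copies it from there), the cleaner fix is to trust that CA, `git config --global http.sslCAInfo /etc/ipa/ca.crt` — this assumes Gitea's certificate is issued by the IPA CA and that enrollment has already run, neither of which I can confirm from the hunk. If the Gitea certificate really is self-signed, scope the exception to that one remote instead, `git config --global http.https://<GITEA_HOST>/.sslVerify false` (placeholder host), and reword the `log_warn` so it no longer claims a host-wide change. The clone logic this sits in continues past the end of the hunk.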
+++ b/scripts/setup-ipa-nginx.sh 
@@ -0,0 +1,358 @@
+#!/usr/bin/env bash
+#
+# Silo IPA Enrollment and Nginx Setup Script
+# Enrolls host in FreeIPA, obtains certificates, and configures nginx reverse proxy
+#
+# Usage:
+# sudo ./scripts/setup-ipa-nginx.sh
+#
+# Prerequisites:
+# - FreeIPA server at ipa.kindred.internal
+# - DNS configured for silo.kindred.internal
+# - Admin credentials for IPA enrollment
+
+set -euo pipefail
+
+# Colors
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m'
+
+# Configuration
+IPA_SERVER="${IPA_SERVER:-ipa.kindred.internal}"
+IPA_DOMAIN="${IPA_DOMAIN:-kindred.internal}"
+IPA_REALM="${IPA_REALM:-KINDRED.INTERNAL}"
+HOSTNAME="silo.kindred.internal"
+CERT_DIR="/etc/ssl/silo"
+SILO_PORT=8080
+
+log_info() { echo -e "${BLUE}[INFO]${NC} $*"; }
+log_success() { echo -e "${GREEN}[OK]${NC} $*"; }
+log_warn() { echo -e "${YELLOW}[WARN]${NC} $*"; }
+log_error() { echo -e "${RED}[ERROR]${NC} $*" >&2; }
+die() { log_error "$*"; exit 1; }
+
+# Check root
+if [[ $EUID -ne 0 ]]; then
+ die "This script must be run as root (use sudo)"
+fi
+
+log_info "============================================"
+log_info "Silo IPA Enrollment and Nginx Setup"
+log_info "============================================"
+echo ""
+
+# Detect package manager
+if command -v apt-get >/dev/null 2>&1; then
+ PKG_MANAGER="apt"
+elif command -v dnf >/dev/null 2>&1; then
+ PKG_MANAGER="dnf"
+elif command -v yum >/dev/null 2>&1; then
+ PKG_MANAGER="yum"
+else
+ die "Unsupported package manager"
+fi
+
+log_info "Detected package manager: ${PKG_MANAGER}"
+
+#
+# Step 1: Install IPA client and nginx
+#
+log_info "Installing packages..."
+
+case ${PKG_MANAGER} in
+ apt)
+ apt-get update -qq
+ apt-get install -y -qq freeipa-client nginx certmonger
+ ;;
+ dnf|yum)
+ ${PKG_MANAGER} install -y -q freeipa-client nginx certmonger
+ ;;
+esac
+
+log_success "Packages installed"
+
+#
+# Step 2: Set hostname
+#
+log_info "Setting hostname to ${HOSTNAME}..."
+hostnamectl set-hostname "${HOSTNAME}"
+log_success "Hostname set"
+
+#
+# Step 3: Enroll in FreeIPA
+#
+if ipa-client-install --version >/dev/null 2>&1 && klist -k /etc/krb5.keytab >/dev/null 2>&1; then
+ log_info "Host appears to already be enrolled in IPA"
+else
+ log_info "Enrolling in FreeIPA domain..."
+ log_warn "You will be prompted for IPA admin credentials"
+ echo ""
+
+ ipa-client-install \
+ --server="${IPA_SERVER}" \
+ --domain="${IPA_DOMAIN}" \
+ --realm="${IPA_REALM}" \
+ --hostname="${HOSTNAME}" \
+ --mkhomedir \
+ --enable-dns-updates \
+ --unattended \
+ --force-join || {
+ log_warn "Unattended enrollment failed, trying interactive mode..."
+ ipa-client-install \
+ --server="${IPA_SERVER}" \
+ --domain="${IPA_DOMAIN}" \
+ --realm="${IPA_REALM}" \
+ --hostname="${HOSTNAME}" \
+ --mkhomedir \
+ --enable-dns-updates
+ }
+
+ log_success "Enrolled in FreeIPA"
+fi
+
+#
+# Step 4: Create certificate directory
+#
+log_info "Setting up certificate directory..."
+mkdir -p "${CERT_DIR}"
+chmod 750 "${CERT_DIR}"
+chown root:nginx "${CERT_DIR}" 2>/dev/null || chown root:www-data "${CERT_DIR}"
+log_success "Certificate directory created: ${CERT_DIR}"
+
+#
+# Step 5: Request certificate from IPA CA
+#
+log_info "Requesting SSL certificate from IPA CA..."
+
+# Check if certificate already exists and is managed by certmonger
+if getcert list | grep -q "${CERT_DIR}/silo.crt"; then
+ log_info "Certificate already managed by certmonger"
+else
+ # Request new certificate
+ ipa-getcert request \
+ -f "${CERT_DIR}/silo.crt" \
+ -k "${CERT_DIR}/silo.key" \
+ -K "HTTP/${HOSTNAME}" \
+ -D "${HOSTNAME}" \
+ -N "CN=${HOSTNAME}" \
+ -C "systemctl reload nginx"
+
+ log_info "Waiting for certificate to be issued..."
+
+ # Wait for certificate (up to 60 seconds)
+ for i in {1..12}; do
+ if [[ -f "${CERT_DIR}/silo.crt" ]] && [[ -s "${CERT_DIR}/silo.crt" ]]; then
+ log_success "Certificate issued"
+ break
+ fi
+ sleep 5
+ echo -n "."
+ done
+ echo ""
+
+ if [[ ! -f "${CERT_DIR}/silo.crt" ]]; then
+ log_warn "Certificate not yet issued. Check with: getcert list"
+ fi
+fi
+
+# Set certificate permissions
+if [[ -f "${CERT_DIR}/silo.key" ]]; then
+ chmod 640 "${CERT_DIR}/silo.key"
+ chown root:nginx "${CERT_DIR}/silo.key" 2>/dev/null || chown root:www-data "${CERT_DIR}/silo.key"
+fi
+
+#
+# Step 6: Get IPA CA certificate for trust
+#
+log_info "Installing IPA CA certificate..."
+if [[ -f /etc/ipa/ca.crt ]]; then
+ cp /etc/ipa/ca.crt "${CERT_DIR}/ca.crt"
+ log_success "CA certificate installed"
+else
+ log_warn "IPA CA certificate not found at /etc/ipa/ca.crt"
+fi
+
+#
+# Step 7: Configure nginx
+#
+log_info "Configuring nginx..."
+
+# Backup existing config
+if [[ -f /etc/nginx/sites-enabled/default ]]; then
+ mv /etc/nginx/sites-enabled/default /etc/nginx/sites-available/default.bak 2>/dev/null || true
+fi
+
+# Create silo nginx config
+cat > /etc/nginx/sites-available/silo << 'NGINX_EOF'
+# Silo API Server - Nginx Reverse Proxy Configuration
+
+# Redirect HTTP to HTTPS
+server {
+ listen 80;
+ listen [::]:80;
+ server_name silo.kindred.internal;
+
+ # Allow certmonger/ACME challenges
+ location /.well-known/ {
+ root /var/www/html;
+ }
+
+ location / {
+ return 301 https://$server_name$request_uri;
+ }
+}
+
+# HTTPS server
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name silo.kindred.internal;
+
+ # SSL certificates (managed by certmonger/IPA)
+ ssl_certificate /etc/ssl/silo/silo.crt;
+ ssl_certificate_key /etc/ssl/silo/silo.key;
+
+ # SSL configuration
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_tickets off;
+
+ # OCSP stapling
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_trusted_certificate /etc/ssl/silo/ca.crt;
+
+ # Security headers
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+
+ # Logging
+ access_log /var/log/nginx/silo_access.log;
+ error_log /var/log/nginx/silo_error.log;
+
+ # Proxy settings
+ location / {
+ proxy_pass http://127.0.0.1:8080;
+ proxy_http_version 1.1;
+
+ # Headers
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Port $server_port;
+
+ # WebSocket support (for future use)
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ # Timeouts
+ proxy_connect_timeout 60s;
+ proxy_send_timeout 60s;
+ proxy_read_timeout 60s;
+
+ # Buffering
+ proxy_buffering on;
+ proxy_buffer_size 4k;
+ proxy_buffers 8 4k;
+
+ # File uploads (for CAD files)
+ client_max_body_size 100M;
+ }
+
+ # Health check endpoint (bypass proxy for monitoring)
+ location /nginx-health {
+ access_log off;
+ return 200 "OK\n";
+ add_header Content-Type text/plain;
+ }
+}
+NGINX_EOF
+
+# Enable the site
+ln -sf /etc/nginx/sites-available/silo /etc/nginx/sites-enabled/silo
+
+# Test nginx configuration
+log_info "Testing nginx configuration..."
+if nginx -t; then
+ log_success "Nginx configuration valid"
+else
+ die "Nginx configuration test failed"
+fi
+
+#
+# Step 8: Start/restart services
+#
+log_info "Starting services..."
+
+# Enable and start certmonger
+systemctl enable certmonger
+systemctl start certmonger
+
+# Enable and restart nginx
+systemctl enable nginx
+systemctl restart nginx
+
+log_success "Services started"
+
+#
+# Step 9: Configure firewall
+#
+log_info "Configuring firewall..."
+
+if command -v ufw >/dev/null 2>&1; then
+ ufw allow 80/tcp
+ ufw allow 443/tcp
+ log_success "UFW rules added"
+elif command -v firewall-cmd >/dev/null 2>&1; then
+ firewall-cmd --permanent --add-service=http
+ firewall-cmd --permanent --add-service=https
+ firewall-cmd --reload
+ log_success "Firewalld rules added"
+else
+ log_warn "No firewall detected. Manually open ports 80 and 443"
+fi
+
+#
+# Summary
+#
+echo ""
+log_info "============================================"
+log_info "Setup Complete!"
+log_info "============================================"
+echo ""
+echo "Certificate status:"
+getcert list -f "${CERT_DIR}/silo.crt" 2>/dev/null || echo " Check with: getcert list"
+echo ""
+echo "Nginx status:"
+systemctl status nginx --no-pager -l | head -5
+echo ""
+echo "Next steps:"
+echo ""
+echo "1. Verify certificate was issued:"
+echo " getcert list"
+echo ""
+echo "2. Update silo config to use correct base URL:"
+echo " sudo nano /etc/silo/config.yaml"
+echo " # Change base_url to: https://silo.kindred.internal"
+echo ""
+echo "3. Restart silo service:"
+echo " sudo systemctl restart silod"
+echo ""
+echo "4. Test the setup:"
+echo " curl -k https://silo.kindred.internal/health"
+echo " curl https://silo.kindred.internal/health # after trusting IPA CA"
+echo ""
+echo "5. Trust IPA CA on client machines:"
+echo " # The CA cert is at: ${CERT_DIR}/ca.crt"
+echo " # Or fetch from: https://${IPA_SERVER}/ipa/config/ca.crt"
+echo ""
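Review bot: Step 7 writes `/etc/nginx/sites-available/silo` and symlinks it into `sites-enabled`, but the package detection earlier in this same file accepts dnf/yum, and nginx as packaged for RHEL-family systems ships neither directory (it includes `/etc/nginx/conf.d/*.conf` instead), so on those hosts the `cat >` fails and `set -euo pipefail` aborts the script before nginx is ever configured. Pick the config path from `PKG_MANAGER` and only create the symlink on the Debian layout, as below; on the RHEL layout the stock `nginx.conf` default server on port 80 may also need removing, which I have not verified here. Two smaller points in the same file: `HOSTNAME="silo.kindred.internal"` overwrites bash's own `HOSTNAME` variable, so a name such as `SILO_HOST` would be less surprising, and `SILO_PORT=8080` is never used because the quoted heredoc hardcodes `proxy_pass http://127.0.0.1:8080`.
```shell
# Debian/Ubuntu nginx includes sites-enabled/*; RHEL-family nginx includes conf.d/*.conf
if [[ "${PKG_MANAGER}" == "apt" ]]; then
  NGINX_CONF="/etc/nginx/sites-available/silo"
else
  NGINX_CONF="/etc/nginx/conf.d/silo.conf"
fi

# Create silo nginx config
cat > "${NGINX_CONF}" << 'NGINX_EOF'
# … unchanged: nginx server blocks …
NGINX_EOF

# Enable the site (only the Debian layout needs the symlink)
if [[ "${PKG_MANAGER}" == "apt" ]]; then
  ln -sf "${NGINX_CONF}" /etc/nginx/sites-enabled/silo
fi
```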