-
Notifications
You must be signed in to change notification settings - Fork 4
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
This sets up all the needed config to initialize the code signing box. Changes: * Removes the user_data from the terraform setup since we do it in ansible * The ansible blocks are commented out since manual .ssh/config is needed to bootstrap the host This fixes: #55
- Loading branch information
Showing
11 changed files
with
390 additions
and
13 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,3 +1,6 @@ | ||
| [all] | ||
| monitoring.ooni.org | ||
| openvpn-server1.ooni.io | ||
|
|
||
| # This requires manual setup of ~/.ssh/config | ||
| #codesign-box |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| --- | ||
| cluster_id: cluster-qsvghm4oqok | ||
| hsm_token_name: OONI_2024-04-26_1 | ||
| codesign_usernames: [ art, majakomel, mehul ] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,72 @@ | ||
| --- | ||
| - name: Create .ssh/authorized_keys in ubuntu home | ||
| ansible.builtin.template: | ||
| src: authorized_keys | ||
| dest: "/home/ubuntu/.ssh/authorized_keys" | ||
| owner: "ubuntu" | ||
| mode: "0400" | ||
|
|
||
| - name: Install cloudhsm-cli | ||
| ansible.builtin.apt: | ||
| deb: https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient/Jammy/cloudhsm-cli_latest_u22.04_amd64.deb | ||
| update_cache: true | ||
|
|
||
| - name: Install cloudhsm-pkcs11 | ||
| ansible.builtin.apt: | ||
| deb: https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient/Jammy/cloudhsm-pkcs11_latest_u22.04_amd64.deb | ||
|
|
||
| - name: Install cloudhsm-pkcs11 | ||
| ansible.builtin.apt: | ||
| name: | ||
| - libengine-pkcs11-openssl | ||
| - awscli | ||
|
|
||
| - name: Write customerCA.crt | ||
| ansible.builtin.template: | ||
| src: customerCA.crt | ||
| dest: /opt/cloudhsm/etc/customerCA.crt | ||
| owner: root | ||
| group: adm | ||
| mode: "u=rwx,g=rx" | ||
|
|
||
| - name: Write Cert_bundle.pem | ||
| ansible.builtin.template: | ||
| src: Cert_bundle.pem | ||
| dest: /opt/cloudhsm/etc/Cert_bundle.pem | ||
| owner: root | ||
| group: adm | ||
| mode: "u=rwx,g=rx" | ||
|
|
||
| - name: Write delete-hsms.sh command | ||
| ansible.builtin.template: | ||
| src: delete-hsms.sh | ||
| dest: /usr/bin/delete-hsms.sh | ||
| owner: root | ||
| group: adm | ||
| mode: "u=rwx,g=rx" | ||
|
|
||
| - name: Write create-hsms.sh command | ||
| ansible.builtin.template: | ||
| src: create-hsms.sh | ||
| dest: /usr/bin/create-hsms.sh | ||
| owner: root | ||
| group: adm | ||
| mode: "u=rwx,g=rx" | ||
|
|
||
| - name: Ensure .hsmcredentials file exists | ||
| ansible.builtin.copy: | ||
| dest: /home/ubuntu/.hsmcredentials | ||
| content: | | ||
| HSM_PASSWORD= | ||
| owner: ubuntu | ||
| group: adm | ||
| mode: "u=rw,g=,o=" | ||
| force: false | ||
|
|
||
| - name: Write sign-windows-exe.sh command | ||
| ansible.builtin.template: | ||
| src: sign-windows-exe.sh | ||
| dest: /usr/bin/sign-windows-exe.sh | ||
| owner: root | ||
| group: adm | ||
| mode: "u=rwx,g=rx" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,107 @@ | ||
| subject=jurisdictionCountryName=IT, businessCategory=Business Entity, CN=Open Observatory of Network Interference (OONI), SERIALNUMBER=96568220584, O=Open Observatory of Network Interference (OONI), L=Rome, C=IT | ||
| issuer=CN=HARICA EV Code Signing RSA SubCA R1, O=Hellenic Academic and Research Institutions CA, L=Athens, C=GR | ||
| -----BEGIN CERTIFICATE----- | ||
| MIIHeDCCBWCgAwIBAgIQeP20SJFLrwNNrScDbdnSeDANBgkqhkiG9w0BAQsFADCBhTELMAkGA1UE | ||
| BhMCR1IxDzANBgNVBAcMBkF0aGVuczE3MDUGA1UECgwuSGVsbGVuaWMgQWNhZGVtaWMgYW5kIFJl | ||
| c2VhcmNoIEluc3RpdHV0aW9ucyBDQTEsMCoGA1UEAwwjSEFSSUNBIEVWIENvZGUgU2lnbmluZyBS | ||
| U0EgU3ViQ0EgUjEwHhcNMjQwNDI5MTEwNjU2WhcNMjYwNDI5MTEwNjU2WjCB1TELMAkGA1UEBhMC | ||
| SVQxDTALBgNVBAcMBFJvbWUxODA2BgNVBAoML09wZW4gT2JzZXJ2YXRvcnkgb2YgTmV0d29yayBJ | ||
| bnRlcmZlcmVuY2UgKE9PTkkpMRQwEgYDVQQFEws5NjU2ODIyMDU4NDE4MDYGA1UEAwwvT3BlbiBP | ||
| YnNlcnZhdG9yeSBvZiBOZXR3b3JrIEludGVyZmVyZW5jZSAoT09OSSkxGDAWBgNVBA8MD0J1c2lu | ||
| ZXNzIEVudGl0eTETMBEGCysGAQQBgjc8AgEDEwJJVDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC | ||
| AgoCggIBALs3gSrsYiuFwdffvSPMKI/yGYk6R2cX2nAsFB8fHFElGdsUbHNoBOdBsRUe2yCSHLwA | ||
| kMyuNsGvOxbykiNaCGnNjEg3bI7rE7YyKwSH6aR5B/TTpI9CESnFROxltWEfbBSr+SY/MlF+5bA2 | ||
| JWs9SMzl0BXMBoOVbLBczoAN38cX4Wwe7hsXpXwhbub8FIwSLMbMUcrqhLIsJQL7ywz/8cnxZqKD | ||
| Y9MsM+sIstCKrK2w6b8B9AAY0lmPpR+p4ZaBHzU1vsTX8wPoYA/QDz+TwlczuosNdyaWZcgAUZag | ||
| eMhjUOuT7Z92Yzu4PoWIPCOCu6LvYaC+M2mIRCZV476E+KlvSjqElDhYEBkkKueP+1/paiq4ibf3 | ||
| MUILTGg+/bhGF+5GVLGEhdimNYGVzzoqPh8ngPo37g+mKjMN8oguejN6/W5Ts/nedvNog4txeaYL | ||
| 2M8PG5Jv0pyXf82lOaHpXVQ8qfHqWJr4RvI02kcNHGFrNvOCBao4DdLrehOCwFsxlcb7FG2lzjua | ||
| Zxg5TfBTNHDby8RGPDo6iq9zlEK2ciSN1lI1viGFRmM9ZYo75jj7OgFsSq9TwLj30WXLqxZdm7CN | ||
| f8OPFRc2NWNMTXhjCU9nAYYo8e8ZCnJ5bNVUMHpgx8eW9zrHVdQBKet3irOhDTdcl8DCj2/51S2z | ||
| wt69AB3HAgMBAAGjggGQMIIBjDAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFJTvT2NZT7wQp8iHqRdp | ||
| AhJiR+F1MHIGCCsGAQUFBwEBBGYwZDA/BggrBgEFBQcwAoYzaHR0cDovL2NydC5oYXJpY2EuZ3Iv | ||
| SGFyaWNhRVZDb2RlU2lnbmluZ1N1YkNBUjEuY2VyMCEGCCsGAQUFBzABhhVodHRwOi8vb2NzcC5o | ||
| YXJpY2EuZ3IwYAYDVR0gBFkwVzAHBgVngQwBAzAIBgYEAI96AQIwQgYMKwYBBAGBzxEBAQMDMDIw | ||
| MAYIKwYBBQUHAgEWJGh0dHBzOi8vcmVwby5oYXJpY2EuZ3IvZG9jdW1lbnRzL0NQUzATBgNVHSUE | ||
| DDAKBggrBgEFBQcDAzBEBgNVHR8EPTA7MDmgN6A1hjNodHRwOi8vY3JsLmhhcmljYS5nci9IYXJp | ||
| Y2FFVkNvZGVTaWduaW5nU3ViQ0FSMS5jcmwwHQYDVR0OBBYEFMA9FXuU36eaZpHrxlphS5vn/I9v | ||
| MA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAgEAlEj7BT3SRaAL0uZWs4VJ3zKxMQKL | ||
| JOMR5fl7DKO5N/ynRDH8ktjLJZyt4wfNXBR71l0hvTeE+ZqnWXn0Pz0tEVR4qdjzf/JuO2G0GXfb | ||
| ATnZrUsTgm8utogtzb3BwDQVRgh5X6/BN8Ip/5C80zAGg2pGdySho2D4kJVeoNu/Gr0xYodFZirV | ||
| fcT6zT82eh+MEM2I19gONJ9soJsM9qNxeV94nA8Rct9ZVtv6/CuEg2zPz+JYjmAttp1cEqUchUsg | ||
| yUuwLzA4Bk7xnO8giTVFs71z8GET9WeQnohYO2PE/+ytA8wyjELctVOBj1MHVcTcQb/pc+CKenTP | ||
| sbeq29RG2WYOsdvAQlhRLJDFB6UoHlqtvQCMfda9HEemI/wHRMD7zKYYc3F1ik6VgGQ8ekEyjuzJ | ||
| V6xnELvWpbpm/GvdeXTUqrQpfA4ZowQaQr3ZdNGmpuxaWXByfAzcN9tVYHlcPnh4lTd5j40Sy2OL | ||
| Az0MxeukIvBTZEQaYxjxqSHglrVs9c9Gc7DJdpNy48zAefRUK2CfpoY1396DmKmpmYFTWkBvSESm | ||
| oQt2IPMnskBgrrNKMvas+W6Grybp9Y0k7c0m4VlW7IkvNR3D3dh+cwdMVxXHmwktIzAE2QdoWlNM | ||
| PiaCEKcXPYdBJ9Q2LrxyH2QaqbppvZ/n36y4SCQ//ZvZOUM= | ||
| -----END CERTIFICATE----- | ||
| subject=CN=HARICA EV Code Signing RSA SubCA R1, O=Hellenic Academic and Research Institutions CA, L=Athens, C=GR | ||
| issuer=CN=Hellenic Academic and Research Institutions RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR | ||
| -----BEGIN CERTIFICATE----- | ||
| MIIG9jCCBN6gAwIBAgIQRBc8w77BDn0wQDhwYp8kwDANBgkqhkiG9w0BAQsFADCBpjELMAkGA1UE | ||
| BhMCR1IxDzANBgNVBAcTBkF0aGVuczFEMEIGA1UEChM7SGVsbGVuaWMgQWNhZGVtaWMgYW5kIFJl | ||
| c2VhcmNoIEluc3RpdHV0aW9ucyBDZXJ0LiBBdXRob3JpdHkxQDA+BgNVBAMTN0hlbGxlbmljIEFj | ||
| YWRlbWljIGFuZCBSZXNlYXJjaCBJbnN0aXR1dGlvbnMgUm9vdENBIDIwMTUwHhcNMjAwMjI3MTIw | ||
| NTIyWhcNMzUwMjIzMTIwNTIyWjCBhTELMAkGA1UEBhMCR1IxDzANBgNVBAcMBkF0aGVuczE3MDUG | ||
| A1UECgwuSGVsbGVuaWMgQWNhZGVtaWMgYW5kIFJlc2VhcmNoIEluc3RpdHV0aW9ucyBDQTEsMCoG | ||
| A1UEAwwjSEFSSUNBIEVWIENvZGUgU2lnbmluZyBSU0EgU3ViQ0EgUjEwggIiMA0GCSqGSIb3DQEB | ||
| AQUAA4ICDwAwggIKAoICAQCYS0S4Qp3qUC9OZ6t2FGCQBPTWXTEg081FblEgW/x41zwNJtFtQg3U | ||
| s+eKDgL0fB0lu64q2/A3uT8PzXr5YKgRcXswYztRFGbvd4zVKcOmNn1QXYB20RE7hHMSzFCc0LVz | ||
| CAnJE5+l+s60P+7HqIA/5aX/bKfI76xL2CiuTCZkgpXQFDdBIneIBMRXzpjQ2MM3qJg90yN6lt5S | ||
| ZH2+H+zV3OCLBYsAxsfuK4x1dH4EBD/6gF0DA8J38SU5g3nitEVlGMdl50Fvkuv0la5YUemSi+s/ | ||
| fE5QlRV39y3csRG5/L/irbZr39jTHDUK9mSli5KQvlzAvZ+Mw3byNKmlAeYrR+TYc0Tl8tVHWqoY | ||
| 4e+shW4FTJlzpRWT550TD1QG8NqL+M4P7ZQD+X7W2bDedLBLDV1Oh1qVLcfPi7uzhqKFRG9Qv48b | ||
| CNXmiPkRlsUB3417sHaupqhNV487vxLKJSeu885SyehgFVv7ajJAxUSeIaguuxJ70ooCrXQDprN3 | ||
| a3qNhq/tNBzBByw2OMFj06tazhI66hrBhSnGHqwheT41mU3kz2fgwEyxe+9ZHbTgoSSGdPNp7Sga | ||
| ZBl4HXpIg8ofFFbBFGfmwoj12Nt75wGbY3gGec95VLqVqmF/fNZOqhj0V5kizzbtx4aEmiTG4ozn | ||
| zXfFrIqw27e7TRKTYzkRGwIDAQABo4IBPTCCATkwEgYDVR0TAQH/BAgwBgEB/wIBADAfBgNVHSME | ||
| GDAWgBRxFWfIyMm9dV1y0DgYap3zcSRUCzBvBggrBgEFBQcBAQRjMGEwPAYIKwYBBQUHMAKGMGh0 | ||
| dHA6Ly9yZXBvLmhhcmljYS5nci9jZXJ0cy9IYXJpY2FSb290Q0EyMDE1LmNydDAhBggrBgEFBQcw | ||
| AYYVaHR0cDovL29jc3AuaGFyaWNhLmdyMBEGA1UdIAQKMAgwBgYEVR0gADATBgNVHSUEDDAKBggr | ||
| BgEFBQcDAzA6BgNVHR8EMzAxMC+gLaArhilodHRwOi8vY3JsLmhhcmljYS5nci9IYXJpY2FSb290 | ||
| Q0EyMDE1LmNybDAdBgNVHQ4EFgQUlO9PY1lPvBCnyIepF2kCEmJH4XUwDgYDVR0PAQH/BAQDAgGG | ||
| MA0GCSqGSIb3DQEBCwUAA4ICAQByG18cPy5oLuAXImw5+BVlID7Y4Y3C3lNVVW15V12YV/OOLrPS | ||
| 8N1L+66RyzkBAxC15Fn2xfrwHNRZEIQy/DqAfxO2nUn9BN1cXDgv2aje4LP7dqSOojupvkkWfCvg | ||
| JMuV3/Jpc3TFb8LdWN6+qreMJEU7FU+Xz0Sshm63ujzf8ta43FF9l4cooklUXrIjFrKPKYq38h8n | ||
| STrbPFDeZqjc9WwQ7tGm8Vt38PzQTmzAs6uZ5tZUyWJWYdtWa7AwwOoCRfE3L4i3ZzqYh/OL4z0m | ||
| qsiswn8PHn4yzirFXYs/jBY9pHZfbB81CV3Ad/xMxDMtmqSTVz9fP7o5Mpf+Z3aQlSsG4wFxQANA | ||
| w6EOQjt77ZTnLiGO8kjV2uxRBzXWDUATipNW8W4fMvIe6Pcb7pEU27piFTwxtsyq4KKfoKcnr7DZ | ||
| qZSfDVX2HBzndJu55aYZprU+AkB12aH0QDBjU/jeWu4dylJ8Soqn53bgWT3aAIXGB/mfE6XsjV+h | ||
| kc9GVDVAFYhe6qh6QXiUyZSt3nX9JU/UieAGnIck0YUQnjKlhpwgg1GjWQxc0YscDa9p/PtnPHSL | ||
| 1/5DMkpv4sZnqeymAiGiOOofNrxpxtHCvEB4RTp4hGd3B3FxyVkkfVvwQQ6OyB2WvBVn7qht6/9Y | ||
| H64e3atPXIjYx+Lq6jGUQpci2w== | ||
| -----END CERTIFICATE----- | ||
| subject=CN=Hellenic Academic and Research Institutions RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR | ||
| issuer=CN=Hellenic Academic and Research Institutions RootCA 2011, O=Hellenic Academic and Research Institutions Cert. Authority, C=GR | ||
| -----BEGIN CERTIFICATE----- | ||
| MIIGcTCCBVmgAwIBAgIIGn48dflJd1IwDQYJKoZIhvcNAQELBQAwgZUxCzAJBgNVBAYTAkdSMUQw | ||
| QgYDVQQKEztIZWxsZW5pYyBBY2FkZW1pYyBhbmQgUmVzZWFyY2ggSW5zdGl0dXRpb25zIENlcnQu | ||
| IEF1dGhvcml0eTFAMD4GA1UEAxM3SGVsbGVuaWMgQWNhZGVtaWMgYW5kIFJlc2VhcmNoIEluc3Rp | ||
| dHV0aW9ucyBSb290Q0EgMjAxMTAeFw0xNjA3MTkxMDMwNDZaFw0yNDA3MTcxMDMwNDZaMIGmMQsw | ||
| CQYDVQQGEwJHUjEPMA0GA1UEBxMGQXRoZW5zMUQwQgYDVQQKEztIZWxsZW5pYyBBY2FkZW1pYyBh | ||
| bmQgUmVzZWFyY2ggSW5zdGl0dXRpb25zIENlcnQuIEF1dGhvcml0eTFAMD4GA1UEAxM3SGVsbGVu | ||
| aWMgQWNhZGVtaWMgYW5kIFJlc2VhcmNoIEluc3RpdHV0aW9ucyBSb290Q0EgMjAxNTCCAiIwDQYJ | ||
| KoZIhvcNAQEBBQADggIPADCCAgoCggIBAML4qT8bifw8PARdPZA2sJE6eTxmWu9tOQFJGrS3z39N | ||
| I1O3kADjEyoopjHxkQDjKOyuIUHOH9r9fRJbAYMPubBfmeHyEoOATQY+36yv56GIazGv8IvQGDO4 | ||
| 20VqNPQCgCQoCgIVlV52Kg2ZOhRb9svLU7wTTQGIN5QlG0K8ItiOo5ZeOtky2z7o8BBl7XThL6d8 | ||
| ryc0uyl9m7bPCcjl0wr8iGVldArccxxczUCxHNS2hIxMUM9ojqhZrsInToKiNd0U9B//snfVhy+q | ||
| bn0kJ+fGyybm5f5nB2PYRQ3dOlllOVh6kplyPZyEXoghuNX0LPzZcFJPeLi9PCuLlZj1s9FozyAU | ||
| fkxcX+eL5fU1gRk31xEIt2a+00rOg1cAOsOB+BfLkjZd0aPYdRvhiyfqekhB/UUZBq0nmU7BcEfd | ||
| tZ+BUxLlsYxIXTFDF+OMxnpjlkspME6ETmIZXjzOl5ClfwHrneD4i4ndJZg9krZ+79nxUVF9LSbI | ||
| aVlh4KxquCo2EQR6UL0yhL4v3HLV1x0WR+RHZiA/9JbFr44BeqUPemT1DRiH2a6I1fqEwTrAaSgt | ||
| 8g1oUarjpXfGpJAOoTeLMSNHwQkI6273eJvXgvyEIJlJGbYSRrH7RVUWqaNlrJwHD+pr3B8uBnLs | ||
| hogS5C3bXwUv5PAD0yYz54DCzUKhFzQLAgMBAAGjggGwMIIBrDAPBgNVHRMBAf8EBTADAQH/MA4G | ||
| A1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUcRVnyMjJvXVdctA4GGqd83EkVAswRgYDVR0fBD8wPTA7 | ||
| oDmgN4Y1aHR0cDovL2NybHYxLmhhcmljYS5nci9IYXJpY2FSb290Q0EyMDExL2NybHYxLmRlci5j | ||
| cmwwHwYDVR0jBBgwFoAUppFC/RNhSiOeCKQp5dgTBCPuQSUwbgYIKwYBBQUHAQEEYjBgMCEGCCsG | ||
| AQUFBzABhhVodHRwOi8vb2NzcC5oYXJpY2EuZ3IwOwYIKwYBBQUHMAKGL2h0dHA6Ly93d3cuaGFy | ||
| aWNhLmdyL2NlcnRzL0hhcmljYVJvb3RDQTIwMTEuY3J0MIGQBgNVHSAEgYgwgYUwgYIGBFUdIAAw | ||
| ejAyBggrBgEFBQcCARYmaHR0cDovL3d3dy5oYXJpY2EuZ3IvZG9jdW1lbnRzL0NQUy5waHAwRAYI | ||
| KwYBBQUHAgIwOAw2VGhpcyBjZXJ0aWZpY2F0ZSBpcyBzdWJqZWN0IHRvIEdyZWVrIGxhd3MgYW5k | ||
| IG91ciBDUFMuMA0GCSqGSIb3DQEBCwUAA4IBAQCI1QWSZXa9rZJOYCTxBoag7VU8vZfaaegtz2s+ | ||
| 24HjERi5837T/Fn4wf8oU+tyDCXpnU3hyxsAPGSim/qeRFW3MhyMXUspGC+vW6gaoY0fQ5zxVH/6 | ||
| 10dPl91uM3ItnnslMQZnHO79WFc+0qI3FWw6pRtE9qxVkr3Ed38ay2sQhEtnsgxlv83JPtPXVTBS | ||
| L7YtbvlQPf9eu85xaBtBCM2hc8SoH34vEpnaX70o1WvVsMRLyH2SEhQO1POBKf9+WMddJKi8/eVz | ||
| EBRMXOR/XzsofGT7hpZuK3nSJR6FOeEU+AaOUveNZEJY2kTA2vqjqUvPLeO9R45736xh/jWnHi51 | ||
| -----END CERTIFICATE----- |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| # managed by ansible | ||
| # see roles/ssh_users/templates/authorized_keys | ||
| ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA6QK3Q5Hxtnf0o0wqMS47W/ewlHf5ZhQrn4vOR5HaUO oonidevops | ||
| {% for user in codesign_usernames %} | ||
| {% for k in ssh_users[user]['keys'] %} | ||
| {{ k }} | ||
| {% endfor %} | ||
| {% endfor %} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,112 @@ | ||
| #!/bin/bash | ||
|
|
||
| CLUSTER_ID="{{ cluster_id }}" | ||
|
|
||
| create_hsm_token() { | ||
| if [ -z $1 ]; then | ||
| echo "AVAILABILITY ZONE PARAMETER UNSET!" | ||
| exit 1 | ||
| fi | ||
| AVAILABILITY_ZONE=$1 | ||
| aws cloudhsmv2 create-hsm --cluster-id $CLUSTER_ID --availability-zone $AVAILABILITY_ZONE | ||
| echo "Creating HSM Token in $AVAILABILITY_ZONE..." | ||
| sleep 5 | ||
|
|
||
| } | ||
|
|
||
|
|
||
| wait_for_hsm_tokens() { | ||
|
|
||
| while true; do | ||
| STATE=$(aws cloudhsmv2 describe-clusters --filters clusterIds=$CLUSTER_ID --query "Clusters[0].Hsms[?State=='ACTIVE'] | length(@)") | ||
| if [ "$STATE" -ge 2 ]; then | ||
| echo "HSM Tokens created and active." | ||
| break | ||
| fi | ||
| echo "Waiting for HSM Token $TOKEN_NAME to become active..." | ||
| sleep 10 | ||
| done | ||
|
|
||
| } | ||
|
|
||
| CURRENT_TOKEN_COUNT=$(aws cloudhsmv2 describe-clusters --filters clusterIds=$CLUSTER_ID --query "Clusters[0].Hsms[?State=='ACTIVE'] | length(@)") | ||
| if [ "$CURRENT_TOKEN_COUNT" -ge 2 ]; then | ||
| echo "Enough HSMs already exist, skipping creation" | ||
| else | ||
| create_hsm_token eu-central-1a | ||
| create_hsm_token eu-central-1b | ||
| wait_for_hsm_tokens | ||
| fi | ||
|
|
||
| echo "Extracting IP addresses of created HSM tokens..." | ||
| IP_ADDRESSES=$(aws cloudhsmv2 describe-clusters --filters clusterIds=$CLUSTER_ID --query "Clusters[0].Hsms[*].EniIp" --output text) | ||
| echo "IP Addresses of created HSM tokens: $IP_ADDRESSES" | ||
|
|
||
| IP_ADDRESS_1=$(echo $IP_ADDRESSES | cut -d ' ' -f1) | ||
| IP_ADDRESS_2=$(echo $IP_ADDRESSES | cut -d ' ' -f2) | ||
|
|
||
| echo "[+] writing cloudhsm-cli.cfg" | ||
| cat <<EOF > /tmp/cloudhsm-cli.cfg | ||
| { | ||
| "clusters" : [{ | ||
| "type": "hsm1", | ||
| "cluster":{ | ||
| "hsm_ca_file": "/opt/cloudhsm/etc/customerCA.crt", | ||
| "servers":[ | ||
| { | ||
| "hostname": "$IP_ADDRESS_1", | ||
| "port": 2223, | ||
| "enable": true | ||
| }, | ||
| { | ||
| "hostname": "$IP_ADDRESS_2", | ||
| "port": 2223, | ||
| "enable": true | ||
| } | ||
| ] | ||
| } | ||
| }], | ||
| "logging": { | ||
| "log_type": "file", | ||
| "log_file": "/opt/cloudhsm/run/cloudhsm-cli.log", | ||
| "log_level": "info", | ||
| "log_interval": "daily" | ||
| } | ||
| } | ||
| EOF | ||
|
|
||
| sudo mv /tmp/cloudhsm-cli.cfg /opt/cloudhsm/etc/cloudhsm-cli.cfg | ||
| sudo chown root:root /opt/cloudhsm/etc/cloudhsm-cli.cfg | ||
|
|
||
|
|
||
| echo "[+] writing cloudhsm-pkcs11.cfg" | ||
| cat <<EOF > /tmp/cloudhsm-pkcs11.cfg | ||
| { | ||
| "clusters" : [{ | ||
| "type": "hsm1", | ||
| "cluster":{ | ||
| "hsm_ca_file": "/opt/cloudhsm/etc/customerCA.crt", | ||
| "servers":[ | ||
| { | ||
| "hostname": "$IP_ADDRESS_1", | ||
| "port": 2223, | ||
| "enable": true | ||
| }, | ||
| { | ||
| "hostname": "$IP_ADDRESS_2", | ||
| "port": 2223, | ||
| "enable": true | ||
| } | ||
| ] | ||
| } | ||
| }], | ||
| "logging": { | ||
| "log_type": "file", | ||
| "log_file": "/opt/cloudhsm/run/cloudhsm-pkcs11.log", | ||
| "log_level": "info", | ||
| "log_interval": "daily" | ||
| } | ||
| } | ||
| EOF | ||
| sudo mv /tmp/cloudhsm-pkcs11.cfg /opt/cloudhsm/etc/cloudhsm-pkcs11.cfg | ||
| sudo chown root:root /opt/cloudhsm/etc/cloudhsm-pkcs11.cfg |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,24 @@ | ||
| -----BEGIN CERTIFICATE----- | ||
| MIIEGTCCAwGgAwIBAgIUW998tXwtbnAJWCYzxpJoY1CIkbAwDQYJKoZIhvcNAQEL | ||
| BQAwgZsxCzAJBgNVBAYTAklUMQ0wCwYDVQQIDARSb21hMQ0wCwYDVQQHDARSb21h | ||
| MTwwOgYDVQQKDDNPcGVuIE9ic2VydmF0b3J5IG9mIE5ldHdvcmsgSW50ZXJmZXJl | ||
| bmNlIChPT05JKSBFVFMxETAPBgNVBAMMCG9vbmkub3JnMR0wGwYJKoZIhvcNAQkB | ||
| Fg5hZG1pbkBvb25pLm9yZzAeFw0yNDA0MjQxMDQ1MDlaFw0zNDA0MjQxMDQ1MDla | ||
| MIGbMQswCQYDVQQGEwJJVDENMAsGA1UECAwEUm9tYTENMAsGA1UEBwwEUm9tYTE8 | ||
| MDoGA1UECgwzT3BlbiBPYnNlcnZhdG9yeSBvZiBOZXR3b3JrIEludGVyZmVyZW5j | ||
| ZSAoT09OSSkgRVRTMREwDwYDVQQDDAhvb25pLm9yZzEdMBsGCSqGSIb3DQEJARYO | ||
| YWRtaW5Ab29uaS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDM | ||
| xiZOH0dkYKnFNpkRSuyFbsV+1wDygQLO7xry5Hf/JVetEAfLCVQJtR4V+gT+Q1kv | ||
| BJKTgh8iXNA4Js5AhPKOwgw+G6OUvaP1IZtnKfce67modAXSQaxY5/a0Rump4lCD | ||
| jtkg4a+WXXAf0AkM/3QulDkCEmpOw9AzCUMc70My0iMdF/7N5HdzIjlXMe9mEb1H | ||
| 167EzmwOBq03L00tg55xfnJGZv7PNvQV3ftyexUxzY943zRXU9bS1iBO9BnltlvL | ||
| agQXGLcOlY/WxEPkVll3K+Mf3eXeeYDQYT7J4otGzyPsU1ZGNfcOA6aLbFbQjjHn | ||
| 5clFr/3r2D12brqkkZ6LAgMBAAGjUzBRMB0GA1UdDgQWBBQTfMoy+GpdWLOnG3cX | ||
| e+qwDQ33aTAfBgNVHSMEGDAWgBQTfMoy+GpdWLOnG3cXe+qwDQ33aTAPBgNVHRMB | ||
| Af8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQDDePxklTMHa8/uTyNMQq3o2pBg | ||
| 3y/2f8XpaQHVxH/KIlQXBC5xi3ZCOHoBN/fa9UX94cxkmDncOfZVwnsMDhT7igDz | ||
| WU+jdWsrnAaBWEWsmPxiKz3JNewcgI+SS6jjEgoyy9rDe0wkL60LJ6N0yeVJV07C | ||
| GUo/rBPyYLZ1etVMk+WeRUnqOf9dd1yVJrp4gyb9fnBnPSV+Ey4DjViHIFhY839u | ||
| b2fw/62/NSTQDJXaamHXH38ViSIAMcUIcMMNVDmy1llqRq41nHYcB/nOF4AwffaO | ||
| qxphfAMEku7qj/EYWYahJmbqBJSQbm/kknJIOc997IwQkWVS3sGlHqzHR3tf | ||
| -----END CERTIFICATE----- |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| #!/bin/bash | ||
| CLUSTER_ID="{{ cluster_id }}" | ||
|
|
||
| # List all HSM tokens | ||
| echo "Listing all HSM tokens in the cluster..." | ||
| aws cloudhsmv2 describe-clusters --filters clusterIds=$CLUSTER_ID --query "Clusters[0].Hsms[*].HsmId" | ||
|
|
||
| # Function to delete an HSM token and wait for its deletion | ||
| delete_hsm_token() { | ||
| HSM_ID=$1 | ||
| aws cloudhsmv2 delete-hsm --cluster-id $CLUSTER_ID --hsm-id $HSM_ID | ||
| echo "Deleting HSM Token with ID: $HSM_ID..." | ||
| while true; do | ||
| STATE=$(aws cloudhsmv2 describe-clusters --filters clusterIds=$CLUSTER_ID --query "Clusters[0].Hsms[?HsmId=='$HSM_ID'] | length(@)") | ||
| if [ "$STATE" -eq 0 ]; then | ||
| echo "HSM Token with ID $HSM_ID deleted." | ||
| break | ||
| fi | ||
| echo "Waiting for HSM Token with ID $HSM_ID to be deleted..." | ||
| sleep 10 | ||
| done | ||
| } | ||
|
|
||
| # Delete all HSM tokens | ||
| HSM_IDS=$(aws cloudhsmv2 describe-clusters --filters clusterIds=$CLUSTER_ID --query "Clusters[0].Hsms[*].HsmId" --output text) | ||
| for HSM_ID in $HSM_IDS; do | ||
| delete_hsm_token $HSM_ID | ||
| done | ||
|
|
||
| echo "All HSM tokens have been deleted." |
Oops, something went wrong.