server.garden privileged automation agent (mirror of https://git.sequentialread.com/forest/rootsystem)
TODO:
Clean up post_to_object_storage_shell_script. Make it a template rather than a variable?
forest@tower:~/Desktop/git/rootsystem/terraform-modules/ansible-threshold-server$ ansible-playbook --private-key '/home/forest/Desktop/git/rootsystem/ssh/servergarden_builtin_ed22519' -i '104.131.56.31,' -u root -e 'domain=server.garden arch=amd64' playbook.yml
defense in depth local tls tin foil hat stuff:
Ideally we would use TLS on the connection between terraform and rootsystem.
Currently terraform's http remote-state backend only has two options: either use a TLS cert that chains to a publicly trusted X.509 root, or skip cert verification entirely. We want TLS for improved security, but we also want to do it all on the private network, without needing a domain name or asking anyone for permission.
So we will have to modify terraform to add a new "Trusted CAs" option here: https://github.com/hashicorp/terraform/blob/master/backend/remote-state/http/backend.go
That way we can make our own CA and our own certificate, then tell terraform to trust that CA. Terraform can then connect to our HTTP server securely for remote state storage.
curl --cacert "server.garden_CA.crt" \
--key "pi4@server.garden.key" \
--cert "pi4@server.garden.crt" \
-sS https://server.garden:9056/clients | jq .
curl --cacert "server.garden_CA.crt" \
--key "pi4@server.garden.key" \
--cert "pi4@server.garden.crt" \
-X PUT -H "Content-Type: application/json" \
-d @tunnels.json \
-sS https://server.garden:9056/tunnels | jq .
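The arrangement sketched above (a private CA, a server cert issued by it, and a per-node client cert presented the way the curl commands do with --cacert/--key/--cert), as an added Go example that is not part of the rootsystem repo or terraform. It builds the PKI in memory, runs an HTTPS state server that only accepts client certs from that CA, and fetches from it with a client configured the way terraform could be once it has a "Trusted CAs" option; the names server.garden and pi4@server.garden and the handler's JSON body are constructed for the example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)
// issue creates a cert for name signed by parent's key; a nil parent gives a self-signed CA.
func issue(name string, isCA bool, parent *x509.Certificate, signer any) (*x509.Certificate, tls.Certificate) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, DNSNames: []string{"server.garden"}, // constructed name
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		parent, signer = tmpl, priv
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	cert, _ := x509.ParseCertificate(der)
	return cert, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}
}
// Demo serves state over HTTPS (client certs from our CA only) and fetches it; trustCA=false uses public roots only.
func Demo(trustCA bool) (int, error) {
	ca, caTLS := issue("server.garden CA", true, nil, nil)
	_, srvTLS := issue("server.garden", false, ca, caTLS.PrivateKey)
	_, cliTLS := issue("pi4@server.garden", false, ca, caTLS.PrivateKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte(`{"version":4}`)) }))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{srvTLS}, ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert}
	srv.StartTLS()
	defer srv.Close()
	cfg := &tls.Config{Certificates: []tls.Certificate{cliTLS}, ServerName: "server.garden"} // curl --cert/--key
	if trustCA {
		cfg.RootCAs = pool // the missing "Trusted CAs" option, i.e. curl --cacert
	}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(srv.URL)
	if err != nil {
		return 0, err // without the CA in RootCAs the handshake fails with an unknown-authority error
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}
```

With the CA trusted the fetch returns 200; without it the client refuses the server's cert, which is the behaviour the "skip cert verification" option would hide.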