diff --git a/poc/Vagrantfile b/poc/Vagrantfile new file mode 100644 index 0000000..d783b63 --- /dev/null +++ b/poc/Vagrantfile 
@@ -0,0 +1,361 @@ +OGLOG_PROVISION_SCRIPT = <>/etc/hosts </etc/apt/sources.list.d/opensearch-2.x.list +echo "deb [signed-by=/usr/share/keyrings/opensearch-keyring] https://artifacts.opensearch.org/releases/bundle/opensearch-dashboards/2.x/apt stable main" >/etc/apt/sources.list.d/opensearch-dashboards-2.x.list +apt-get update +dpkg -i /vagrant/opensearch_2.16.0_amd64.deb /vagrant/opensearch-dashboards_2.16.0_amd64.deb ## 'apt-get install' se lo descarga de internet igualmente... + +cp /vagrant/CA/certs/ca.crt.pem /etc/opensearch/ +cp /vagrant/CA/certs/oglog-os.mytld.crt.pem /etc/opensearch/ +cp /vagrant/CA/private/oglog-os.mytld.key.nopass.pem /etc/opensearch/oglog-os.mytld.key.pem +chown opensearch:opensearch /etc/opensearch/{ca.crt.pem,oglog-os.mytld.crt.pem,oglog-os.mytld.key.pem} + +cp /vagrant/CA/certs/oglog-osdb.mytld.crt.pem /etc/opensearch-dashboards/ +cp /vagrant/CA/private/oglog-osdb.mytld.key.nopass.pem /etc/opensearch-dashboards/oglog-osdb.mytld.key.pem +chown opensearch-dashboards:opensearch-dashboards /etc/opensearch-dashboards/oglog-osdb.mytld.crt.pem /etc/opensearch-dashboards/oglog-osdb.mytld.key.pem + +sed -i -e '/^plugins.security.ssl.http.pemcert_filepath:/ s/: .*/: oglog-os.mytld.crt.pem/' /etc/opensearch/opensearch.yml +sed -i -e '/^plugins.security.ssl.http.pemkey_filepath:/ s/: .*/: oglog-os.mytld.key.pem/' /etc/opensearch/opensearch.yml +sed -i -e '/^plugins.security.ssl.http.pemtrustedcas_filepath:/s/: .*/: ca.crt.pem/' /etc/opensearch/opensearch.yml +sed -i -e '/^#network.host/ s/.*/network.host: 192.168.60.10/' /etc/opensearch/opensearch.yml ## IP of network interface to listen on +cat >>/etc/opensearch/opensearch.yml < --cert --key -X PUT https://localhost:9200/_plugins/_security/api/ssl/http/reloadcerts +plugins.security.ssl_cert_reload_enabled: true +EOF + +cp -a /etc/opensearch-dashboards/opensearch_dashboards.yml /etc/opensearch-dashboards/opensearch_dashboards.yml.dist +cat >/etc/opensearch-dashboards/opensearch_dashboards.yml 
<>/etc/prometheus/prometheus.yml </etc/prometheus/web-config.yml </etc/journalbeat/journalbeat.yml </etc/apt/keyrings/grafana.gpg +echo "deb [signed-by=/etc/apt/keyrings/grafana.gpg] https://apt.grafana.com stable main" >/etc/apt/sources.list.d/grafana.list +apt-get update +apt-get install --yes grafana + +cp /vagrant/CA/certs/oglog-graf.mytld.crt.pem /etc/grafana/ +cp /vagrant/CA/private/oglog-graf.mytld.key.nopass.pem /etc/grafana/oglog-graf.mytld.key.pem +chown grafana:grafana /etc/grafana/oglog-graf.mytld.crt.pem /etc/grafana/oglog-graf.mytld.key.pem + +cp -a /etc/grafana/grafana.ini /etc/grafana/grafana.ini.dist +cat >/etc/grafana/grafana.ini <>/etc/hosts <>/etc/hosts </etc/filebeat/filebeat.yml <openssl.cnf <>openssl.cnf <<'EOF' +certs = $dir/certs +new_certs_dir = $dir/newcerts +database = $dir/index.txt +serial = $dir/serial +default_md = sha256 +policy = policy_loose +copy_extensions = copy + +private_key = $dir/private/ca.key.pem +certificate = $dir/certs/ca.crt.pem + +[policy_loose] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[req] +default_bits = 2048 +distinguished_name = req_distinguished_name +default_md = sha256 + +[req_distinguished_name] +countryName = Country Name (2 letter code) +EOF + +mkdir certs csr newcerts private; chmod 0700 private; touch index.txt; echo 1000 >serial + +function gen_cert() { + ITEM="$1" + PRIVKEY_PASS="$2" + CA_PASS_FILE="$3" + + FILE_PRIVKEY_PASS="./$ITEM-pass" + KEY_FILE="private/$ITEM.key.pem" + KEY_NOPASS_FILE="private/$ITEM.key.nopass.pem" + SUBJ="/C=ES/ST=Madrid/L=Madrid/CN=$ITEM" + ADDEXT="subjectAltName=DNS:$ITEM" + CSR="csr/$ITEM.csr.pem" + CERT_FILE="certs/$ITEM.crt.pem" + + touch "$FILE_PRIVKEY_PASS" + chmod 0600 "$FILE_PRIVKEY_PASS" + echo "$PRIVKEY_PASS" >"$FILE_PRIVKEY_PASS" + + openssl genrsa -aes256 -out "$KEY_FILE" -passout file:"$FILE_PRIVKEY_PASS" 2048 + 
openssl rsa -in "$KEY_FILE" -passin file:"$FILE_PRIVKEY_PASS" -out "$KEY_NOPASS_FILE" >/dev/null 2>&1
+ openssl req -config openssl.cnf -key "$KEY_FILE" -passin file:"$FILE_PRIVKEY_PASS" -new -sha256 -subj "$SUBJ" -addext "$ADDEXT" -out "$CSR"
+ openssl ca -config openssl.cnf -batch -passin file:"$CA_PASS_FILE" -days 375 -notext -md sha256 -in "$CSR" -out "$CERT_FILE" >/dev/null 2>&1
+}
+
+
+## gen CA
+CA_PASS=CorrectHorseBatteryStapleCA
+CA_PASS_FILE=./ca-pass
+touch "$CA_PASS_FILE"
+chmod 0600 "$CA_PASS_FILE"
+echo "$CA_PASS" >"$CA_PASS_FILE"
+openssl genrsa -aes256 -out private/ca.key.pem -passout file:"$CA_PASS_FILE" 4096
+#openssl rsa -in private/ca.key.pem -passin file:"$CA_PASS_FILE" -out private/ca.key.nopass.pem >/dev/null 2>&1
+openssl req -config openssl.cnf -key private/ca.key.pem -passin file:"$CA_PASS_FILE" -new -x509 -days 7300 -sha256 -subj '/C=ES/ST=Madrid/L=Madrid/CN=ca.mytld' -out certs/ca.crt.pem
+
+
+## todos estos en oglog
+gen_cert oglog-os.mytld CorrectHorseBatteryStapleOglogOS "$CA_PASS_FILE"
+gen_cert oglog-osdb.mytld CorrectHorseBatteryStapleOglogOS "$CA_PASS_FILE"
+gen_cert oglog-jrem.mytld CorrectHorseBatteryStapleOglogJRem "$CA_PASS_FILE"
+gen_cert oglog-jb.mytld CorrectHorseBatteryStapleOglogJB "$CA_PASS_FILE"
+gen_cert oglog-prom.mytld CorrectHorseBatteryStapleOglogProm "$CA_PASS_FILE"
+gen_cert oglog-graf.mytld CorrectHorseBatteryStapleOglogGraf "$CA_PASS_FILE"
+
+## esto podria ser ogcore, ogboot...
+gen_cert ogserver.mytld CorrectHorseBatteryStapleOgserver "$CA_PASS_FILE"
+
+## filebeat del agente
+gen_cert ogagent-fb.mytld CorrectHorseBatteryStapleOgagentFB "$CA_PASS_FILE"
+
+cd ..
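Review bot: The private keys copied into /etc/opensearch, /etc/opensearch-dashboards and /etc/grafana are chown'ed but never chmod'ed, so they keep whatever mode the /vagrant synced folder gives them (often group- or world-readable, depending on the mount options); each `chown` of a `*.key.pem` should be followed by e.g. `chmod 0600 /etc/opensearch/oglog-os.mytld.key.pem`. The `.nopass.pem` file written by `openssl rsa` inside gen_cert has the same exposure, since nothing visible restricts the umask or chmods it after conversion — `chmod 0600 "$KEY_NOPASS_FILE"` right after that line (or `umask 077` before the CA block) covers it. gen_cert assigns `ITEM`, `PRIVKEY_PASS` and its other working variables without `local`, and its third parameter reuses the caller's global name `CA_PASS_FILE`, which only works because both hold the same value. The `>/dev/null 2>&1` on the `openssl rsa` and `openssl ca` calls hides their diagnostics, so a failed conversion or signing step silently leaves an empty or missing file that only surfaces when the service later fails to start; drop the redirections or check the exit status explicitly. The heredoc delimiters and the head of each provisioning script are not legible in this rendering, so whether `set -e` or a umask is set earlier cannot be confirmed from the hunk.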