From 49f405e0bcd58c71a31f5d514f6a8c1ce125cecd Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 18 Feb 2024 18:19:32 +1100 Subject: [PATCH 01/12] Documentation: - update vault docs --- doc/vault/setup.md | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/vault/setup.md b/doc/vault/setup.md index 1ec2ca2..8e4f23b 100644 --- a/doc/vault/setup.md +++ b/doc/vault/setup.md @@ -34,6 +34,7 @@ # create role vault write pki_int/roles/unkin-dot-net \ issuer_ref="$(vault read -field=default pki_int/config/issuers)" \ + allow_ip_sans=true \ allowed_domains="unkin.net" \ allow_subdomains=true \ max_ttl="2160h" -- 2.47.3 From fd5c3dbce2036ad748d06d661672b1bfef332809 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 25 Feb 2024 22:06:56 +1100 Subject: [PATCH 02/12] Doc updates: - updated issuer names - updated max-leas-ttl for root/int ca --- doc/vault/setup.md | 28 ++++++++++++++++------------ 1 file changed, 16 insertions(+), 12 deletions(-) diff --git a/doc/vault/setup.md b/doc/vault/setup.md index 8e4f23b..33a8d03 100644 --- a/doc/vault/setup.md +++ b/doc/vault/setup.md @@ -1,9 +1,10 @@ # root ca vault secrets enable -path=pki_root pki + vault secrets tune -max-lease-ttl=87600h pki_root vault write -field=certificate pki_root/root/generate/internal \ common_name="unkin.net" \ - issuer_name="unkinroot-2024" \ + issuer_name="UNKIN_ROOTCA_2024" \ ttl=87600h > unkinroot_2024_ca.crt vault read pki_root/issuer/$(vault list -format=json pki_root/issuers/ | jq -r '.[]') | tail -n 6 @@ -20,11 +21,11 @@ vault write -format=json pki_int/intermediate/generate/internal \ common_name="unkin.net Intermediate Authority" \ - issuer_name="unkin-dot-net-intermediate" \ + issuer_name="UNKIN_VAULTCA_2024" \ | jq -r '.data.csr' > pki_intermediate.csr vault write -format=json pki_root/root/sign-intermediate \ - issuer_ref="unkinroot-2024" \ + issuer_ref="UNKIN_ROOTCA_2024" \ csr=@pki_intermediate.csr \ format=pem_bundle ttl="43800h" \ | jq -r '.data.certificate' > intermediate.cert.pem 
@@ -32,17 +33,20 @@ vault write pki_int/intermediate/set-signed certificate=@intermediate.cert.pem # create role - vault write pki_int/roles/unkin-dot-net \ - issuer_ref="$(vault read -field=default pki_int/config/issuers)" \ - allow_ip_sans=true \ - allowed_domains="unkin.net" \ - allow_subdomains=true \ - max_ttl="2160h" + vault write pki_int/roles/servers_default \ + issuer_ref="$(vault read -field=default pki_int/config/issuers)" \ + allow_ip_sans=true \ + allowed_domains="unkin.net" \ + allow_subdomains=true \ + allow_bare_domains=true \ + max_ttl="2160h" \ + key_bits=4096 \ + country="Australia" # test generating a domain cert - vault write pki_int/issue/unkin-dot-net common_name="test.unkin.net" ttl="24h" - vault write pki_int/issue/unkin-dot-net common_name="test.main.unkin.net" ttl="24h" - vault write pki_int/issue/unkin-dot-net common_name="*.test.main.unkin.net" ttl="24h" + vault write pki_int/issue/servers_default common_name="test.unkin.net" ttl="24h" + vault write pki_int/issue/servers_default common_name="test.main.unkin.net" ttl="24h" + vault write pki_int/issue/servers_default common_name="*.test.main.unkin.net" ttl="24h" # remove expired certificates -- 2.47.3 From f351cc84132f85a24f21468b4c051329af6e0725 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 25 Feb 2024 22:42:22 +1100 Subject: [PATCH 03/12] chore: add glob domains - allow generation of hostnames like prod* without a domain --- doc/vault/setup.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/doc/vault/setup.md b/doc/vault/setup.md index 33a8d03..a31da24 100644 --- a/doc/vault/setup.md +++ b/doc/vault/setup.md 
@@ -36,9 +36,10 @@ vault write pki_int/roles/servers_default \ issuer_ref="$(vault read -field=default pki_int/config/issuers)" \ allow_ip_sans=true \ - allowed_domains="unkin.net" \ + allowed_domains="unkin.net,prod*" \ allow_subdomains=true \ allow_bare_domains=true \ + allow_glob_domains=true \ max_ttl="2160h" \ key_bits=4096 \ country="Australia" -- 2.47.3 From c5d63bd6f866f77c7656f7de8d3c2d2f1a621002 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 27 Apr 2024 22:11:06 +1000 Subject: [PATCH 04/12] Doc: add certmanager documentation --- doc/vault/setup.md | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/doc/vault/setup.md b/doc/vault/setup.md index a31da24..8f02c99 100644 --- a/doc/vault/setup.md +++ b/doc/vault/setup.md @@ -52,3 +52,31 @@ # remove expired certificates vault write pki_int/tidy tidy_cert_store=true tidy_revoked_certs=true + +# enable approles + vault auth enable approle + +# create certmanager policy and token, limit to puppetmaster + cat < certmanager.hcl + path "pki_int/issue/*" { + capabilities = ["create", "update", "read"] + } + path "pki_int/renew/*" { + capabilities = ["update"] + } + path "pki_int/cert/*" { + capabilities = ["read"] + } + EOF + + vault policy write certmanager certmanager.hcl + + vault write auth/approle/role/certmanager \ + bind_secret_id=false \ + token_policies="certmanager" \ + token_ttl=30s \ + token_max_ttl=30s \ + token_bound_cidrs="198.18.17.3/32" + +# get the certmanager approle id + vault read -field=role_id auth/approle/role/certmanager/role-id -- 2.47.3 From 5e31af2ee2c33139801178c0715f4fe0cae928a7 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 27 Apr 2024 22:12:18 +1000 Subject: [PATCH 05/12] Doc: fix default server certificate role --- doc/vault/setup.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/doc/vault/setup.md b/doc/vault/setup.md index 8f02c99..80287b6 100644 --- a/doc/vault/setup.md +++ b/doc/vault/setup.md 
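Review bot: The certmanager policy grants `pki_int/issue/*`, which lets the puppetmaster issue from every role on the mount, present or future, rather than only the server role; scope it to `path "pki_int/issue/servers_default"` (the `read` capability is not needed there either, since issue is a write-only endpoint, so `["create", "update"]` is enough). With `bind_secret_id=false` the only login credential is the non-secret role_id plus a source address inside `token_bound_cidrs`, so anything able to send traffic from 198.18.17.3 can mint server certificates; if that tradeoff is intended, say so in a comment next to `bind_secret_id=false`, otherwise keep the default and deliver a secret_id via response wrapping. The `cat < certmanager.hcl` line also appears to have lost its heredoc redirection in rendering — the block ends in `EOF`, so it was presumably `cat <<EOF > certmanager.hcl`.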
@@ -36,10 +36,12 @@ vault write pki_int/roles/servers_default \ issuer_ref="$(vault read -field=default pki_int/config/issuers)" \ allow_ip_sans=true \ - allowed_domains="unkin.net,prod*" \ + allowed_domains="unkin.net, *.unkin.net, localhost" \ allow_subdomains=true \ - allow_bare_domains=true \ allow_glob_domains=true \ + allow_bare_domains=true \ + enforce_hostnames=true \ + allow_any_name=true \ max_ttl="2160h" \ key_bits=4096 \ country="Australia" @@ -49,7 +51,6 @@ vault write pki_int/issue/servers_default common_name="test.main.unkin.net" ttl="24h" vault write pki_int/issue/servers_default common_name="*.test.main.unkin.net" ttl="24h" - # remove expired certificates vault write pki_int/tidy tidy_cert_store=true tidy_revoked_certs=true -- 2.47.3 From ae6547aea83c4c3186218988512311452fa0f0ca Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Fri, 3 May 2024 21:44:51 +1000 Subject: [PATCH 06/12] chore: update certmanager cidr's --- doc/vault/setup.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/vault/setup.md b/doc/vault/setup.md index 80287b6..291f06d 100644 --- a/doc/vault/setup.md +++ b/doc/vault/setup.md @@ -77,7 +77,7 @@ token_policies="certmanager" \ token_ttl=30s \ token_max_ttl=30s \ - token_bound_cidrs="198.18.17.3/32" + token_bound_cidrs="198.18.17.3/32,198.18.13.32/32,198.18.13.33/32,198.18.13.34/32" # get the certmanager approle id vault read -field=role_id auth/approle/role/certmanager/role-id -- 2.47.3 From 40c4be6f6eb028cf35893318eaf76bff2360d509 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Fri, 3 May 2024 22:03:30 +1000 Subject: [PATCH 07/12] doc: add additional puppetmasters --- doc/puppet/setup.md | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 doc/puppet/setup.md diff --git a/doc/puppet/setup.md b/doc/puppet/setup.md new file mode 100644 index 0000000..499c744 --- /dev/null +++ b/doc/puppet/setup.md 
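Review bot: `allow_any_name=true` on the servers_default role switches off every name restriction the same command sets (`allowed_domains`, `allow_subdomains`, `allow_glob_domains`, `allow_bare_domains`), so any client permitted to write `pki_int/issue/servers_default` can obtain a certificate for a name outside unkin.net. Because the certmanager AppRole policy covers `pki_int/issue/*`, that includes every puppetmaster host in its CIDR list. Drop the `allow_any_name=true \` line and rely on `allowed_domains="unkin.net,localhost"` with `allow_subdomains=true` and `allow_bare_domains=true`, which should still cover the three test names issued below; `*.unkin.net` in allowed_domains is then redundant, and `enforce_hostnames=true` is, as far as I recall, already the Vault default and can stay for clarity. If a non-hostname CN is genuinely needed, give it a separate, tightly scoped role rather than widening this one.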
@@ -0,0 +1,31 @@ +# add additional master + +these steps are required when adding additional puppet masters, as the subject alternative names on the certificate will need to be changed. this requires the old certificate be revoked, cleaned up, and for a new certificate to be generated and signed. + +## prepare a new node +- deploy a new now, or identify a space with the base role +- change the hosts class to roles::infra::puppet::master +- apply puppet until there are no more changes + +## revoke the current certificate on the puppet master + + sudo puppetserver ca clean --certname ausyd1nxvm1023.main.unkin.net + +## stop the new puppetserver and cleanup revoked certificates + + sudo systemctl stop puppetserver + sudo rm -f /etc/puppetlabs/puppet/ssl/certs/$(hostname -f).pem + sudo rm -f /etc/puppetlabs/puppet/ssl/private_keys/$(hostname -f).pem + +## copy the current crl.pem, as puppetserver will overwrite it when starting + + sudo cp /etc/puppetlabs/puppet/ssl/crl.pem /root/current_crl.pem + +## request new puppet agent certificate + + sudo puppet ssl bootstrap + +## start the puppetserver service and move the crl.pem back in place + + sudo systemctl start puppetserver + sudo cp /root/current_crl.pem /etc/puppetlabs/puppet/ssl/crl.pem -- 2.47.3 From a6a03b4d835995bb832811e6b617e10974d57f39 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 25 May 2024 16:45:58 +1000 Subject: [PATCH 08/12] chore: update headings --- doc/vault/setup.md | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/doc/vault/setup.md b/doc/vault/setup.md index 291f06d..f2a956e 100644 --- a/doc/vault/setup.md +++ b/doc/vault/setup.md @@ -1,4 +1,5 @@ -# root ca +# PKI +## root ca vault secrets enable -path=pki_root pki vault secrets tune -max-lease-ttl=87600h pki_root 
@@ -15,7 +16,7 @@ issuing_certificates="$VAULT_ADDR/v1/pki_root/ca" \ crl_distribution_points="$VAULT_ADDR/v1/pki_root/crl" -# intermediate +## intermediate vault secrets enable -path=pki_int pki vault secrets tune -max-lease-ttl=43800h pki_int @@ -32,7 +33,7 @@ vault write pki_int/intermediate/set-signed certificate=@intermediate.cert.pem -# create role +## create role vault write pki_int/roles/servers_default \ issuer_ref="$(vault read -field=default pki_int/config/issuers)" \ allow_ip_sans=true \ @@ -46,18 +47,20 @@ key_bits=4096 \ country="Australia" -# test generating a domain cert +## test generating a domain cert vault write pki_int/issue/servers_default common_name="test.unkin.net" ttl="24h" vault write pki_int/issue/servers_default common_name="test.main.unkin.net" ttl="24h" vault write pki_int/issue/servers_default common_name="*.test.main.unkin.net" ttl="24h" -# remove expired certificates +## remove expired certificates vault write pki_int/tidy tidy_cert_store=true tidy_revoked_certs=true -# enable approles +# AUTH +## enable approles vault auth enable approle -# create certmanager policy and token, limit to puppetmaster +# CERTMANAGER +## create certmanager policy and token, limit to puppetmaster cat < certmanager.hcl path "pki_int/issue/*" { capabilities = ["create", "update", "read"] @@ -79,5 +82,5 @@ token_max_ttl=30s \ token_bound_cidrs="198.18.17.3/32,198.18.13.32/32,198.18.13.33/32,198.18.13.34/32" -# get the certmanager approle id +## get the certmanager approle id vault read -field=role_id auth/approle/role/certmanager/role-id -- 2.47.3 From 7aa7f331453280bce23938fdd90aba6d09bcf1ea Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 25 May 2024 16:46:13 +1000 Subject: [PATCH 09/12] feat: add ssh host key signing --- doc/vault/setup.md | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/doc/vault/setup.md b/doc/vault/setup.md index f2a956e..42e079e 100644 --- a/doc/vault/setup.md +++ b/doc/vault/setup.md 
@@ -84,3 +84,40 @@ ## get the certmanager approle id vault read -field=role_id auth/approle/role/certmanager/role-id + + +# SSH Hostkey Signing + +## create ssh engine, key, set ttl + vault secrets enable -path=ssh-host-signer ssh + vault write ssh-host-signer/config/ca generate_signing_key=true + vault secrets tune -max-lease-ttl=87600h ssh-host-signer + +## create role + vault write ssh-host-signer/roles/hostrole \ + key_type=ca \ + algorithm_signer=rsa-sha2-256 \ + ttl=87600h \ + allow_host_certificates=true \ + allowed_domains="unkin.net" \ + allow_subdomains=true \ + allow_baredomains=true + +## create policy to use hostrole + cat < sshsign-host.hcl + path "ssh-host-signer/sign/hostrole" { + capabilities = ["create", "update"] + } + EOF + + vault policy write sshsign-host-policy sshsign-host.hcl + + vault write auth/approle/role/sshsign-host-role \ + bind_secret_id=false \ + token_policies="sshsign-host-policy" \ + token_ttl=30s \ + token_max_ttl=30s \ + token_bound_cidrs="198.18.17.3/32,198.18.13.32/32,198.18.13.33/32,198.18.13.34/32" + +## get the sshsign-host-role approle id + vault read -field=role_id auth/approle/role/sshsign-host-role/role-id -- 2.47.3 From 396e64de1d646d645a024a2afe8b3c6d23718eff Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 23 Jun 2024 15:47:20 +1000 Subject: [PATCH 10/12] doc: add cephfs base documentation --- doc/ceph/README.md | 51 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 doc/ceph/README.md diff --git a/doc/ceph/README.md b/doc/ceph/README.md new file mode 100644 index 0000000..d9f010c --- /dev/null +++ b/doc/ceph/README.md 
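Review bot: `allow_baredomains=true` is not a parameter of the Vault SSH role — the option is spelled `allow_bare_domains` — so Vault will ignore it (unrecognized parameters surface only as a warning) and a signing request for the bare `unkin.net` name would presumably be refused; change the line to `allow_bare_domains=true`. The role also signs host certificates with `ttl=87600h` (ten years); OpenSSH has no CRL-style revocation short of distributing a KRL to every client, so a stolen host key stays trusted for that long. Since re-signing is automated through the sshsign-host-role AppRole, a validity of days to weeks costs nothing operationally and bounds the blast radius; the 30s token TTL and CIDR binding are otherwise sensible.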
@@ -0,0 +1,51 @@ +# managing ceph + +Always refer back to the official documentation at https://docs.ceph.com/en/latest + +## adding new cephfs +- create a erasure code profile which will allow you to customise the raid level + - raid5 with 3 disks? k=2,m=1 + - raid5 with 6 disks? k=5,m=1 + - raid6 with 4 disks? k=2,m=2, etc +- create osd pool using custom profile for data +- create osd pool using default replicated profile for metadata +- enable ec_overwrites for the data pool +- create the ceph fs volume using data/metadata pools +- set ceph fs settings + - specify minimum number of metadata servers (mds) + - set fs to be for bulk data + - set mds fast failover with standby reply + + + sudo ceph osd erasure-code-profile set ec_4_1 k=4 m=1 + sudo ceph osd pool create media_data 128 erasure ec_4_1 + sudo ceph osd pool create media_metadata 32 replicated_rule + sudo ceph osd pool set media_data allow_ec_overwrites true + sudo ceph osd pool set media_data bulk true + sudo ceph fs new mediafs media_metadata media_data --force + sudo ceph fs set mediafs allow_standby_replay true + sudo ceph fs set mediafs max_mds 2 + + +## creating authentication tokens + +- this will create a client keyring named media +- this client will have the following capabilities: + - mon: read + - mds: + - read / + - read/write /media + - read/write /common + - osd: read/write to cephfs_data pool + + sudo ceph auth get-or-create client.media mon 'allow r' mds 'allow r path=/, allow rw path=/media, allow rw path=/common' osd 'allow rw pool=cephfs_data' + +## list the authentication tokens and permissions + + ceph auth ls + +## change the capabilities of a token + +this will overwrite the current capabilities of a given client.user + + sudo ceph auth caps client.media mon 'allow r' mds 'allow rw path=/' osd 'allow rw pool=media_data' -- 2.47.3 From 53dfa0ca7541f3e15a72d19136039446c7f6647e Mon Sep 17 00:00:00 2001 
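Review bot: The `client.media` keyring is granted `osd 'allow rw pool=cephfs_data'`, but the data pool created a few lines earlier for `mediafs` is `media_data`, so the client either cannot write file data at all or, if a `cephfs_data` pool exists elsewhere, gains write access to a pool unrelated to this filesystem; the `ceph auth caps` example at the end of the file uses `pool=media_data`, which looks like the intended value, and the bullet `osd: read/write to cephfs_data pool` should say `media_data` as well. Prefer `ceph fs authorize mediafs client.media / r /media rw /common rw`, which derives matching MDS and OSD caps from the filesystem definition instead of hand-naming pools. The caps example also widens the MDS grant from read-only `/` to `allow rw path=/`; the text should say that this is a privilege escalation over the original keyring, not a like-for-like rewrite.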
From: Ben Vincent Date: Sun, 23 Jun 2024 15:47:57 +1000 Subject: [PATCH 11/12] doc: rename documents to README.md --- doc/puppet/{setup.md => README.md} | 0 doc/vault/{setup.md => README.md} | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename doc/puppet/{setup.md => README.md} (100%) rename doc/vault/{setup.md => README.md} (100%) diff --git a/doc/puppet/setup.md b/doc/puppet/README.md similarity index 100% rename from doc/puppet/setup.md rename to doc/puppet/README.md diff --git a/doc/vault/setup.md b/doc/vault/README.md similarity index 100% rename from doc/vault/setup.md rename to doc/vault/README.md -- 2.47.3 From d5262b0ef53a36eef54cb318016d0f11207411d1 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 23 Jun 2024 15:52:54 +1000 Subject: [PATCH 12/12] doc: update cephfs --- doc/ceph/README.md | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/doc/ceph/README.md b/doc/ceph/README.md index d9f010c..8d211e2 100644 --- a/doc/ceph/README.md +++ b/doc/ceph/README.md @@ -17,6 +17,7 @@ Always refer back to the official documentation at https://docs.ceph.com/en/late - set mds fast failover with standby reply +``` sudo ceph osd erasure-code-profile set ec_4_1 k=4 m=1 sudo ceph osd pool create media_data 128 erasure ec_4_1 sudo ceph osd pool create media_metadata 32 replicated_rule @@ -25,7 +26,7 @@ Always refer back to the official documentation at https://docs.ceph.com/en/late sudo ceph fs new mediafs media_metadata media_data --force sudo ceph fs set mediafs allow_standby_replay true sudo ceph fs set mediafs max_mds 2 - +``` ## creating authentication tokens 
@@ -38,7 +39,12 @@ Always refer back to the official documentation at https://docs.ceph.com/en/late - read/write /common - osd: read/write to cephfs_data pool - sudo ceph auth get-or-create client.media mon 'allow r' mds 'allow r path=/, allow rw path=/media, allow rw path=/common' osd 'allow rw pool=cephfs_data' +``` + sudo ceph auth get-or-create client.media \ + mon 'allow r' \ + mds 'allow r path=/, allow rw path=/media, allow rw path=/common' \ + osd 'allow rw pool=cephfs_data' +``` ## list the authentication tokens and permissions @@ -48,4 +54,7 @@ Always refer back to the official documentation at https://docs.ceph.com/en/late this will overwrite the current capabilities of a given client.user - sudo ceph auth caps client.media mon 'allow r' mds 'allow rw path=/' osd 'allow rw pool=media_data' + sudo ceph auth caps client.media \ + mon 'allow r' \ + mds 'allow rw path=/' \ + osd 'allow rw pool=media_data' -- 2.47.3