doc/ceph/README.md

@@ -0,0 +1,60 @@
+# managing ceph
+
+Always refer back to the official documentation at https://docs.ceph.com/en/latest
+
+## adding new cephfs
+- create a erasure code profile which will allow you to customise the raid level
+    - raid5 with 3 disks? k=2,m=1
+    - raid5 with 6 disks? k=5,m=1
+    - raid6 with 4 disks? k=2,m=2, etc
+- create osd pool using custom profile for data
+- create osd pool using default replicated profile for metadata
+- enable ec_overwrites for the data pool
+- create the ceph fs volume using data/metadata pools
+- set ceph fs settings
+    - specify minimum number of metadata servers (mds)
+    - set fs to be for bulk data
+    - set mds fast failover with standby reply
+
+
+```
+    sudo ceph osd erasure-code-profile set ec_4_1 k=4 m=1
+    sudo ceph osd pool create media_data 128 erasure ec_4_1
+    sudo ceph osd pool create media_metadata 32 replicated_rule
+    sudo ceph osd pool set media_data allow_ec_overwrites true
+    sudo ceph osd pool set media_data bulk true
+    sudo ceph fs new mediafs media_metadata media_data --force
+    sudo ceph fs set mediafs allow_standby_replay true
+    sudo ceph fs set mediafs max_mds 2
+```
+
+## creating authentication tokens
+
+- this will create a client keyring named media
+- this client will have the following capabilities:
+    - mon: read
+    - mds:
+        - read /
+        - read/write /media
+        - read/write /common
+    - osd: read/write to cephfs_data pool
+
+```
+    sudo ceph auth get-or-create client.media \
+      mon 'allow r' \
+      mds 'allow r path=/, allow rw path=/media, allow rw path=/common' \
+      osd 'allow rw pool=cephfs_data'
+```
+
+## list the authentication tokens and permissions
+
+    ceph auth ls
+
+## change the capabilities of a token
+
+this will overwrite the current capabilities of a given client.user
+
+    sudo ceph auth caps client.media \
+      mon 'allow r' \
+      mds 'allow rw path=/' \
+      osd 'allow rw pool=media_data'

doc/puppet/README.md

@@ -0,0 +1,31 @@
+# add additional master
+
+these steps are required when adding additional puppet masters, as the subject alternative names on the certificate will need to be changed. this requires the old certificate be revoked, cleaned up, and for a new certificate to be generated and signed.
+
+## prepare a new node
+- deploy a new now, or identify a space with the base role
+- change the hosts class to roles::infra::puppet::master
+- apply puppet until there are no more changes
+
+## revoke the current certificate on the puppet master
+
+    sudo puppetserver ca clean --certname ausyd1nxvm1023.main.unkin.net
+
+## stop the new puppetserver and cleanup revoked certificates
+
+    sudo systemctl stop puppetserver
+    sudo rm -f /etc/puppetlabs/puppet/ssl/certs/$(hostname -f).pem
+    sudo rm -f /etc/puppetlabs/puppet/ssl/private_keys/$(hostname -f).pem
+
+## copy the current crl.pem, as puppetserver will overwrite it when starting
+
+    sudo cp /etc/puppetlabs/puppet/ssl/crl.pem /root/current_crl.pem
+
+## request new puppet agent certificate
+
+    sudo puppet ssl bootstrap
+
+## start the puppetserver service and move the crl.pem back in place
+
+    sudo systemctl start puppetserver
+    sudo cp /root/current_crl.pem /etc/puppetlabs/puppet/ssl/crl.pem

doc/vault/README.md

@@ -0,0 +1,123 @@
+# PKI
+## root ca
+    vault secrets enable -path=pki_root pki
+    vault secrets tune -max-lease-ttl=87600h pki_root
+
+    vault write -field=certificate pki_root/root/generate/internal \
+         common_name="unkin.net" \
+         issuer_name="UNKIN_ROOTCA_2024" \
+         ttl=87600h > unkinroot_2024_ca.crt
+
+    vault read pki_root/issuer/$(vault list -format=json pki_root/issuers/ | jq -r '.[]') | tail -n 6
+
+    vault write pki_root/roles/2024-servers allow_any_name=true
+
+    vault write pki_root/config/urls \
+         issuing_certificates="$VAULT_ADDR/v1/pki_root/ca" \
+         crl_distribution_points="$VAULT_ADDR/v1/pki_root/crl"
+
+## intermediate
+    vault secrets enable -path=pki_int pki
+    vault secrets tune -max-lease-ttl=43800h pki_int
+
+    vault write -format=json pki_int/intermediate/generate/internal \
+         common_name="unkin.net Intermediate Authority" \
+         issuer_name="UNKIN_VAULTCA_2024" \
+         | jq -r '.data.csr' > pki_intermediate.csr
+
+    vault write -format=json pki_root/root/sign-intermediate \
+         issuer_ref="UNKIN_ROOTCA_2024" \
+         csr=@pki_intermediate.csr \
+         format=pem_bundle ttl="43800h" \
+         | jq -r '.data.certificate' > intermediate.cert.pem
+
+    vault write pki_int/intermediate/set-signed certificate=@intermediate.cert.pem
+
+## create role
+    vault write pki_int/roles/servers_default \
+        issuer_ref="$(vault read -field=default pki_int/config/issuers)" \
+        allow_ip_sans=true \
+        allowed_domains="unkin.net, *.unkin.net, localhost" \
+        allow_subdomains=true \
+        allow_glob_domains=true \
+        allow_bare_domains=true \
+        enforce_hostnames=true \
+        allow_any_name=true \
+        max_ttl="2160h" \
+        key_bits=4096 \
+        country="Australia"
+
+## test generating a domain cert
+    vault write pki_int/issue/servers_default common_name="test.unkin.net" ttl="24h"
+    vault write pki_int/issue/servers_default common_name="test.main.unkin.net" ttl="24h"
+    vault write pki_int/issue/servers_default common_name="*.test.main.unkin.net" ttl="24h"
+
+## remove expired certificates
+    vault write pki_int/tidy tidy_cert_store=true tidy_revoked_certs=true
+
+# AUTH
+## enable approles
+    vault auth enable approle
+
+# CERTMANAGER
+## create certmanager policy and token, limit to puppetmaster
+    cat <<EOF > certmanager.hcl
+    path "pki_int/issue/*" {
+      capabilities = ["create", "update", "read"]
+    }
+    path "pki_int/renew/*" {
+      capabilities = ["update"]
+    }
+    path "pki_int/cert/*" {
+      capabilities = ["read"]
+    }
+    EOF
+
+    vault policy write certmanager certmanager.hcl
+
+    vault write auth/approle/role/certmanager \
+        bind_secret_id=false \
+        token_policies="certmanager" \
+        token_ttl=30s \
+        token_max_ttl=30s \
+        token_bound_cidrs="198.18.17.3/32,198.18.13.32/32,198.18.13.33/32,198.18.13.34/32"
+
+## get the certmanager approle id
+    vault read -field=role_id auth/approle/role/certmanager/role-id
+
+
+# SSH Hostkey Signing
+
+## create ssh engine, key, set ttl
+    vault secrets enable -path=ssh-host-signer ssh
+    vault write ssh-host-signer/config/ca generate_signing_key=true
+    vault secrets tune -max-lease-ttl=87600h ssh-host-signer
+
+## create role
+    vault write ssh-host-signer/roles/hostrole \
+        key_type=ca \
+        algorithm_signer=rsa-sha2-256 \
+        ttl=87600h \
+        allow_host_certificates=true \
+        allowed_domains="unkin.net" \
+        allow_subdomains=true \
+        allow_baredomains=true
+
+## create policy to use hostrole
+    cat <<EOF > sshsign-host.hcl
+    path "ssh-host-signer/sign/hostrole" {
+        capabilities = ["create", "update"]
+    }
+    EOF
+
+    vault policy write sshsign-host-policy sshsign-host.hcl
+
+    vault write auth/approle/role/sshsign-host-role \
+        bind_secret_id=false \
+        token_policies="sshsign-host-policy" \
+        token_ttl=30s \
+        token_max_ttl=30s \
+        token_bound_cidrs="198.18.17.3/32,198.18.13.32/32,198.18.13.33/32,198.18.13.34/32"
+
+## get the sshsign-host-role approle id
+    vault read -field=role_id auth/approle/role/sshsign-host-role/role-id

doc/vault/setup.md

@@ -1,48 +0,0 @@
-# root ca
-    vault secrets enable -path=pki_root pki
-
-    vault write -field=certificate pki_root/root/generate/internal \
-         common_name="unkin.net" \
-         issuer_name="unkinroot-2024" \
-         ttl=87600h > unkinroot_2024_ca.crt
-
-    vault read pki_root/issuer/$(vault list -format=json pki_root/issuers/ | jq -r '.[]') | tail -n 6
-
-    vault write pki_root/roles/2024-servers allow_any_name=true
-
-    vault write pki_root/config/urls \
-         issuing_certificates="$VAULT_ADDR/v1/pki_root/ca" \
-         crl_distribution_points="$VAULT_ADDR/v1/pki_root/crl"
-
-# intermediate
-    vault secrets enable -path=pki_int pki
-    vault secrets tune -max-lease-ttl=43800h pki_int
-
-    vault write -format=json pki_int/intermediate/generate/internal \
-         common_name="unkin.net Intermediate Authority" \
-         issuer_name="unkin-dot-net-intermediate" \
-         | jq -r '.data.csr' > pki_intermediate.csr
-
-    vault write -format=json pki_root/root/sign-intermediate \
-         issuer_ref="unkinroot-2024" \
-         csr=@pki_intermediate.csr \
-         format=pem_bundle ttl="43800h" \
-         | jq -r '.data.certificate' > intermediate.cert.pem
-
-    vault write pki_int/intermediate/set-signed certificate=@intermediate.cert.pem
-
-# create role
-    vault write pki_int/roles/unkin-dot-net \
-         issuer_ref="$(vault read -field=default pki_int/config/issuers)" \
-         allowed_domains="unkin.net" \
-         allow_subdomains=true \
-         max_ttl="2160h"
-
-# test generating a domain cert
-    vault write pki_int/issue/unkin-dot-net common_name="test.unkin.net" ttl="24h"
-    vault write pki_int/issue/unkin-dot-net common_name="test.main.unkin.net" ttl="24h"
-    vault write pki_int/issue/unkin-dot-net common_name="*.test.main.unkin.net" ttl="24h"
-
-
-# remove expired certificates
-    vault write pki_int/tidy tidy_cert_store=true tidy_revoked_certs=true