I hereby claim:
- I am jeffreyalles on github.
- I am jeffreyalles (https://keybase.io/jeffreyalles) on keybase.
- I have a public key whose fingerprint is 2BFA 7400 7AA3 F2D9 D45F 44BD 3337 5D0C ABA6 5660
To claim this, I am signing this object:
{%- set ns = namespace(uuid = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx') %}
{%- set ns.new_uuid = '' %}
{%- for x in ns.uuid %}
{%- set ns.new_uuid = [ns.new_uuid, (x | replace('x', [0,1,2,3,4,5,6,7,8,9,'a','b','c','d','e','f'] | random))] | join %}
{%- endfor %}
{{ ns.new_uuid }}
- name: get SSHFP records
  shell: "ssh-keygen -r {{ ansible_nodename }} | awk '{print $4, $5, $6}'"
  register: sshfp_entries
- name: Register SSHFP with CloudFlare
  cloudflare_dns:
    zone: "hackerheaven.org"
    record: "{{ ansible_hostname }}"
    type: SSHFP
    account_email: "{{ cloudflare_email }}"
The aim of this quick documentation is to explain how to deploy and configure HashiCorp Vault and Ansible Tower so that SSH certificate authentication (ssh-ca) can be used to secure your environment.
- First step: installing Vault
To do that, you can use a shell script that I built to deploy a single-node Vault server:
https://github.com/nehrman/hashicorp-solutions-scripts/blob/master/vault_single_server.sh
- Second step: configure Vault for ssh-ca
# Set the authentication details
$tenantID = "tenant.onmicrosoft.com" # your tenant ID or tenant root domain
$appID = "12345678-1234-1234-1234-1234567890AB" # the GUID of your app; for best results, use an app granted the Policy.Read.All and Policy.ReadWrite.ConditionalAccess scopes
$client_secret = "XXXXXXXXXXXXXXXxxxx" # client secret for the app (placeholder; do not commit a real secret to source control)
# Request body for the OAuth2 client-credentials grant against Microsoft Graph
$body = @{
    client_id     = $appID
    scope         = "https://graph.microsoft.com/.default"
    client_secret = $client_secret
    grant_type    = "client_credentials"
}
# 1. (Optional) Disable the SSH and Key/Value secrets engines if they already exist.
# NOTE: THIS WILL ERASE PREVIOUSLY CONFIGURED ENGINES AT THIS PATH
export VAULT_TOKEN=<Admin-or-Root-key>
vault secrets disable ssh
vault secrets disable kv
# 2. Enable the SSH secrets engine (client signer role) and generate a CA
vault secrets enable -path=ssh ssh
vault write -format=json ssh/config/ca generate_signing_key=true | jq -r '.data.public_key' > ./trusted-user-ca-keys.pem
server {
    listen 80; ## listen for ipv4; this line is default and implied
    root /var/virtual/www;
    index index.php;
    server_name example.com;
    charset utf-8;
    access_log off;
    location / {
    }
}
// Use Gists to store code you would like to remember later on
console.log(window); // log the "window" object to the console